Posts for: #Active-Directory

When Every Relay Fails: Breaking Through with CVE-2025-33073

#active-directory  #ntlm-relay  #rbcd  #cve-2025-33073  #internal-pentest 

The Setup That Looked Easy

Internal pentest. Low-privileged domain credentials provided by the client. Standard assumed-breach scenario.

Initial recon painted a promising picture:

nxc smb 10.10.10.0/24 -u testuser -p 'Provided2025!' --gen-relay-list relay.txt

Both Domain Controllers — SMB signing disabled. Coercion scan confirmed every flavor was on the menu:

nxc smb 10.10.10.11 -u testuser -p 'Provided2025!' -M coerce_plus
SMB  10.10.10.11  445  DC02  VULNERABLE, DFSCoerce
SMB  10.10.10.11  445  DC02  VULNERABLE, PetitPotam
SMB  10.10.10.11  445  DC02  VULNERABLE, PrinterBug
SMB  10.10.10.11  445  DC02  VULNERABLE, MSEven

SMB signing off on DCs + every coercion technique working = textbook relay scenario. Should be straightforward. Right?

[]

HTB: Reel

#htb  #hard  #windows  #active-directory  #phishing  #rtf  #cve-2017-0199  #pscredential  #writeowner  #writedacl  #acl-abuse 
ターゲット // Reel
PlatformHTB
OSWindows
DifficultyHard
IP10.129.50.115

Enumeration

Nmap

▶ Nmap output
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
593/tcp open  http-rpc-epmap

FTP + SMTP on a Windows AD box – this screams phishing.

[]

HTB: Resolute

#htb  #medium  #windows  #active-directory  #smb-null-session  #password-spray  #hidden-files  #dnsadmins  #dnscmd 
ターゲット // Resolute
PlatformHTB
OSWindows
DifficultyMedium
IP10.129.96.155

Enumeration

Nmap

▶ Nmap output
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

Domain: megabank.local, Windows Server 2016.

[]

HTB: Blackfield

#htb  #hard  #windows  #active-directory  #as-rep-roasting  #bloodhound  #force-change-password  #lsass-dump  #sebackupprivilege  #diskshadow  #ntds 
ターゲット // Blackfield
PlatformHTB
OSWindows
DifficultyHard
IP10.129.229.17

Enumeration

Nmap

▶ Nmap output
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  ncacn_http
3268/tcp open  ldap
5985/tcp open  http

Domain: BLACKFIELD.LOCAL, DC01.

[]

HTB: Sauna

#htb  #easy  #windows  #active-directory  #as-rep-roasting  #dcsync  #bloodhound  #ldap  #autologon 
ターゲット // Sauna
PlatformHTB
OSWindows
DifficultyEasy
IP10.129.93.188

Enumeration

Nmap

▶ Nmap output
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws

Classic AD box – Kerberos, LDAP, SMB, WinRM all present. Domain: EGOTISTICAL-BANK.LOCAL.

[]

HTB: Forest

#htb  #easy  #windows  #as-rep-roasting  #bloodhound  #dcsync  #writedacl  #active-directory 
ターゲット // Forest
PlatformHTB
OSWindows
DifficultyEasy
IP10.129.157.109

Recon

Standard AD box – DNS, Kerberos, LDAP, SMB all present. Domain: htb.local.

Enumeration

Nmap

▶ Nmap output
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

OS: Windows Server 2016 Standard 14393 x64

[]

PG: Hutch

#offsec  #proving-grounds  #medium  #windows  #ldap  #webdav  #laps  #printspoofer  #active-directory 
ターゲット // Hutch
PlatformOffSec Proving Grounds
OSWindows
DifficultyMedium
IP192.168.160.122

Recon

Nmap

▶ Full nmap output
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
3269/tcp open  tcpwrapped

This is a Windows Server 2019 domain controller (hutch.offsec).

[]