search
TryHackMeHackTheBoxLinkedIn

Lumon Industries

Challenge Lab (Medium) - by NoxLumens

LogoCourseStackwww.hacksmarter.orgchevron-right

The following post by 0xb0b is licensed under CC BY 4.0arrow-up-right

hashtag
Scenario

hashtag
Objective / Scope

Lumon Industries will soon be integrating a high-value employee into the organization. In accordance with internal security protocols, a comprehensive penetration test and internal access verification must be conducted prior to full onboarding.

For the purposes of this evaluation, you will be provided the assigned credentials and access permissions corresponding to the subject employee. Your objective is to assess the scope and boundaries of these permissions, ensuring compliance with all Lumon security standards and operational safeguards.

Starting Credentials

hashtag
Summary

chevron-rightSummaryhashtag

In Lumon we begin with domain credentials and assess internal access boundaries within the lumons.hacksmarter environment. Enumerating network hosts reveals an intranet web application and SMB shares accessible to the provided user. Leveraging write permissions on a shared folder, we weaponize a malicious .library-ms file to exploit CVE-2025-24054 and coerce NTLM authentication, capturing and cracking the credentials of harmonyc, an administrative user. Using these, we gain admin access on the web portal and trigger another NTLM leak via the admin interface, recovering the IntranetSvc service account. Enumeration in BloodHound shows this account can reset passwords for other users, allowing us to take over marks, a member of the LAPSAdmins group. By reading the LAPS-stored local administrator password, we gain full control of the Intranet host, elevate marks to a local Administrator, and extract credentials for hellye, a Domain Administrator. Cracking the recovered hash provides domain admin access on DC01.

hashtag
Recon

In our initial reconnaissance phase, we perform a port scan on every available machine and manually probe the services available.

hashtag
DC01

We use rustscan -b 500 -a 10.1.194.227 -- -sC -sV -Pn to enumerate all TCP ports on the DC01 machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.

A batch size of 500 trades speed for stability, the default 1500 balances both, while much larger sizes increase throughput but risk missed responses and instability.

DC01 is the domain controller with exposed services including DNS 53, Kerberos 88/464, multiple MSRPC endpoints 135, 593, 49664+, SMB 139/445, LDAP and LDAPS 389/636/3268/3269 tied to Active Directory, RDP 3389, and .NET Remoting 9389. This indicates a fully integrated Windows AD environment where LDAP/LDAPS and Kerberos provide authentication, SMB and RPC enable remote management, and RDP/WinRM serve as remote access points.

hashtag
SMB

Before we dive in with the provided credentials we try to authenticate as guest and anonymously against SMB, but without success. Nevertheless we generate the hosts file entry like the following:

We add the following to our /etc/hosts file. We could also directly append the entry to our hosts file by providing the path to /etc/hosts in the NetExec command.

We are able to authenticate as hellyr with the provided password against the DC, but we do not find any interesting shares.

hashtag
BloodHound

With the credentials, we then enumerate the AD using BloodHound.

We see that the user has no special permissions, but is in the MICRODATA REFINEMENT group.

We are able to identify hellye as one of the Domain Admins. For now, we will continue with the Intranet machine.

hashtag
Intranet

We use rustscan -b 500 -a 10.1.212.200 -- -sC -sV -Pn to enumerate all TCP ports on the Intranet machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.

A batch size of 500 trades speed for stability, the default 1500 balances both, while much larger sizes increase throughput but risk missed responses and instability.

The Intranet machine has a web server available on port 80 in addition to SMB, RDP, and the RPC ports as well as 5985 with Windows Remote Management. From this initial scan we can determine the acutal machine name and domain.

hashtag
SMB

Here, too, we first try too authenticate as guest and anonymously against SMB, but without success. Nevertheless we generate the hosts file entry like the following:

We add the following to our /etc/hosts file.

We enumerate the shares on Intranet as hellyr and are able to identify the MDRepo share where we have read and write access to.

We connect to the share using smbclient.py and find a .url and .pdf file. We download those files but do not find a lead in there.

chevron-rightHinthashtag

Since we have write access to that share we could try to steal the NTLM hash of the users who regularly accesses the share. But more on that later. We move on to the web service.

hashtag
WEB

We visit the site on port 80 and get redirected to the HTTPS service on port 443.

We try to log in as hellyr with the provided credentials.

We are able to log in, but do not find anything useful yet.

Next, we perform a directory scan using Feroxbuster and find a terminal and admin page, but we do not have access here as hellyr.

hashtag
Access as harmonyc

We recall out finding on the SMB shares, that we have write access to MDRepo and the idea to steal the hashes of users accessing the share.

The Greenwolf ntlm_theft tool may help us out here. With that we are able to create up to 21 files that can be used for NTLM hash theft.

LogoGitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHubchevron-right

We generate the files...

... spin up responder...

LogoGitHub - SpiderLabs/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.GitHubchevron-right

... and put those files in the share but we do not receive any hashes.

Recalling a recent CVE - CVE-2025-24054 - a Windows vulnerability that allows to leak NTLM hashes by tricking users into interacting with a .library-ms file.

Windows automatically attempts NTLM authentication when accessing remote resources, often without clear user warning. This implicit trust in network locations allows to coerce the system into sending credential material.

LogoCVE-2025-24054, NTLM Exploit in the Wild - Check Point ResearchCheck Point Researchchevron-right

With a malicious .library-ms file depicted in the following resource it points to a remote SMB/WebDAV share under our control - in this case responder. The vulnerability could be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. Windows initiates an NTLM authentication request to that remote server, leaking the user's NTLM hash, which can then be relayed or cracked.

We use the following resource to generate the .library-ms file:

LogoGitHub - helidem/CVE-2025-24054_CVE-2025-24071-PoC: Proof of Concept for the NTLM Hash Leak via .library-ms CVE-2025-24054 / CVE-2025-24071GitHubchevron-right

We place the file into the share using smbclient.py.

After a short duration we receive the NTLMv2-SSP of harmonyc. The manager mentioned in the pdf.

We try to crack the hash and are successful.

We authenticate as harmonyc on the domain controller and are successfull.

We mark the user as owned in BloodHound. We see that the user is part of the custom group ADMINISTRATION.

hashtag
Access as IntranetSvc

We try to log in as harmonyc on the Intranet portal.

We are successful and have now the admin and terminal page accessible.

Next, we visit the admin page and have three options available. We are able to unlock other AD Accounts, ping servers and browse file shares.

While responder still running we provide our share like the following:

And we immediately get the hash of IntranetSvc.

We try to crack it, and are successfull.

We test the creentials using NetExec and are able to authenticate against SMB on DC01.

hashtag
Shell as marks

We mark the user IntranetSvc as owned in Bloodhound. The user IntranetSvs is member of the Web Admins group.

Besides Intranet also peterk is member of the web admins group.

We do have permissions to change the password of the user.

circle-info

One thing I didn't notice here is that the user is disabled, which could have been already identified in the BloodHound data, see the screenshot below. This part can be skipped to marks, as the user has the same permissions, is not disabled, and we can change the password of that user too.

This is interesting because peterk is also member of LAPSAdmins which could mean that the user can read the attribute that stores the local admin password.

We use bloodyad to change the password and try to authenticate against SMB but get a timeout like depcited in thehacker.recipes.

LogoForceChangePassword | The Hacker Recipeswww.thehacker.recipeschevron-right

With authenticating against LDAP we see why - the account is disabled. If we would have paid a bit more attention to our BloodHound data we would have saved a bit time.

We investigate the outbound object control of IntranetSvc, and see that we also could change the passwords of other users. One of them is marks.

That user is also member if the LAPSAdmin group and is not disabled.

We change the passsword of marks...

... and try to log in using evil-winrm and are able to connect. We find the user flag at C:\Users\MarkS\Desktop\user.txt.

hashtag
Access as localadmin on INTRANET

Since the account is not disabled and this user is part of LAPSAdmins, we can then try to read the LAPS password of the computer account i.e. the password of the computer's local administrator:

LogoReadLAPSPassword | The Hacker Recipeswww.thehacker.recipeschevron-right

We use NetExec for our attempt and are able to read the localadmin's password of the Intranet machine.

We test whether we can authenticate to SMB on Intranet using the discovered credentials, and the authentication is successful.

hashtag
Shell as marks (added to Domain Admins)

As low-hanging fruit, we try to dump SAM and LSA secrets on Intranet. This may allow us to find additional credentials.

After all, we have access as localadmin. Unfortunately, we are unable to authenticate ourselves cleanly as localadmin using secretsdump.py. NetExec modules such as nanodump or lsassy did not work, or tags such as --lsa and --sam also do not work (they at least require Domain Admin or Local Admin Priviledges on target Domain Controller).

We are also able to get a Remote Desktop session as localadmin.

As localadmin, we can now try to extend a domain user we control with local adminstration permissions by adding that user to Administrators in order to remotely use secretsdump.py to dump the SAM & LSA secrets on Intranet.

We open a CMD terminal as administrator and issue the following command to add marks to the local Administrators group.

If we now authenticate as marks on INTRANET via SMB using NetExec, we see we are now admin.

Next, we use secretsdump.py to dump the hashes and find the hash of hellye.

LogoSAM & LSA secrets | The Hacker Recipeswww.thehacker.recipeschevron-right

Recalling our BloodHound enumeration we know that hellye is a Domain Administrator.

As a low-hanging fruit, we try to crack the DCC2 hash. This takes a little more time but is successful with rockyou.txt.

We are now able to authenticate as hellye on DC01 as a Domain Administraor.

From there we are able to retrieve the final flag using smbclient.py...

... and connect to the domain controlller using RDP as the Domain Admin.

PreviousLabsNextTriathlon

Last updated

Was this helpful?