Sysco Walkthrough
Scenario: Sysco is a Managed Service Provider that has tasked you with performing an external penetration test on their Active Directory domain. You must obtain an initial foothold, move laterally and escalate privileges while evading antivirus detection to obtain administrator privileges. It is a medium-difficulty Active Directory machine on HackSmarter Labs.

Nmap

First, we scan the exposed services with Nmap. A full-port scan comes first, followed by a service and script scan restricted to the ports found open.

```
nmap 10.1.100.1 -v -p- -oN nmap/ports_
```

```
Nmap scan report for 10.1.100.1
Host is up (0.032s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3389/tcp  open  ms-wbt-server
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49681/tcp open  unknown
49683/tcp open  unknown
49743/tcp open  unknown
49813/tcp open  unknown
```

```
nmap 10.1.100.1 -v -p 53,80,88,135,139,389,445,464,593,636,3268,3389,9389,49664,49668,49681,49683,49743,49813 -A -oN nmap/service_
```

```
Nmap scan report for 10.1.100.1
Host is up (0.027s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Index - Sysco MSP
|_http-favicon: Unknown favicon MD5: DD229045B1B32B2F2407609235A23238
| http-methods:
|   Supported Methods: OPTIONS HEAD GET POST TRACE
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-30 23:15:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SYSCO.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SYSCO.LOCAL0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.SYSCO.LOCAL
| Issuer: commonName=DC01.SYSCO.LOCAL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-17T05:14:51
| Not valid after:  2026-04-18T05:14:51
| MD5:   fdbb:6553:3042:be9f:3c1d:15b2:60db:5e1f
|_SHA-1: 017c:b073:a3a7:1843:0ffd:7a2b:184a:c07b:a830:c0a8
|_ssl-date: 2025-10-30T23:16:51+00:00; -2s from scanner time.
| rdp-ntlm-info:
|   Target_Name: SYSCO
|   NetBIOS_Domain_Name: SYSCO
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: SYSCO.LOCAL
|   DNS_Computer_Name: DC01.SYSCO.LOCAL
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-30T23:16:11+00:00
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc         Microsoft Windows RPC
49743/tcp open  msrpc         Microsoft Windows RPC
49813/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Uptime guess: 0.012 days (since Fri Oct 31 00:00:08 2025)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

The combination of Kerberos (88), LDAP/LDAPS (389/636), the Global Catalog (3268), kpasswd (464) and ADWS (9389), together with the RDP certificate and NTLM info naming DC01.SYSCO.LOCAL, shows that the host reachable from outside is the domain controller itself, and the rdp-ntlm-info script gives us the domain name SYSCO.LOCAL without any credentials.

Along with the port scan, I also like to use NetExec to see whether NTLM authentication is allowed or only the Kerberos protocol is allowed to connect to the Active Directory (AD). ...
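As an added example (not part of the original walkthrough), the following Python parses nmap's normal (-oN) output format shown above, extracts the domain name from the LDAP banner, and lists which domain-controller services are exposed to the scanner. The sample scan text is a constructed excerpt of the output above; the DC port table is an assumption of this example.

```python
import re

# Constructed excerpt of nmap -oN output, trimmed from the service scan of 10.1.100.1.
SAMPLE_SCAN = """\
Nmap scan report for 10.1.100.1
Host is up (0.027s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-30 23:15:15Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SYSCO.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
49664/tcp open  msrpc         Microsoft Windows RPC
"""

# One nmap port line: "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed table: ports whose presence together marks a domain controller (not a member server).
DC_PORTS = {88: "Kerberos", 389: "LDAP", 464: "kpasswd", 636: "LDAPS",
            3268: "Global Catalog", 9389: "ADWS"}


def parse_nmap(text):
    """Return one dict per port line; script output lines (starting with '|') are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5) or ""})
    return ports


def domain_from_scan(ports):
    """Pull the AD domain from the LDAP banner; nmap appends a stray '0.' to it, which we strip."""
    for p in ports:
        m = re.search(r"Domain:\s*([^\s,]+)", p["version"])
        if m:
            return re.sub(r"0?\.$", "", m.group(1))
    return None


def exposed_dc_services(ports):
    """Open DC-identifying ports by name; any hit on an external scan is a finding in itself."""
    return {p["port"]: DC_PORTS[p["port"]]
            for p in ports if p["state"] == "open" and p["port"] in DC_PORTS}


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_SCAN)
    print("domain:", domain_from_scan(parsed))
    print("exposed DC services:", exposed_dc_services(parsed))
```

Run against the full service scan output instead of the excerpt, the same functions pick up LDAPS, the Global Catalog, kpasswd and ADWS as well.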