In this OSINT challenge, the user owns a VulnLab instance and needs to perform reconnaissance on the lab’s Active Directory to identify users and gain credentials to access protected resources.
The user begins by running Nmap to identify accessible hosts and services and discovers an LDAP service allowing unauthenticated binding.
Using Impacket, the user is able to bind to the LDAP service and brute-force user credentials, retrieving hashed passwords for many users, including ‘Rosie.Powell’.
The user then attempts to retrieve the hashed password for the user ‘Administrator’, but misses the opportunity and accidentally provides a hashed password for ‘Shirley.West’ instead.
The user then moves on to perform privilege escalation on the domain controller, utilizing a tool called ‘bloodyAD.py’ to add a DNS record and subsequently compromise the KDC with a Golden Ticket, enabling the user to authenticate as ‘Rosie.Powell’ and gain access to the domain controller via SMB.
Overall, the user is able to successfully perform reconnaissance on the AD environment and elevate their privileges to that of an administrator.