
# Newcomers
Welcome to Active Directory! This page is designed for beginners and those with limited experience in Active Directory environments - including individuals familiar with entry-level certifications like the OSCP.
A small installation guide is available here if you need help installing some essential tools.
## Support
If you've read through this guide, and are facing an issue - feel free to reach out to anyone on the team at the conference!
We have @gatari (Zavier), @Sora (Jun Yu), @Gladiator (Cher Boon) and a couple of others physically on-site!
## Connection
In contrast to our Off-By-One 2025 CTF, where participants simulated remote testing via SSH access to a networked physical device, this time you'll be on-site and directly connected to the environment through our access point.
The connection information is available at rules; once connected, you'll be able to access the first set of machines.
If you ever run into clock skew (Kerberos will reject requests when your clock drifts too far from the DC's), run the following:
```bash
sudo timedatectl set-ntp false
sudo ntpdate PALACE-DC.jess.kingdom
```
## Getting Started
To kick things off, we'll start with basic enumeration and cover the initial steps you might take, regardless of the lab environment. The given scope is `10.3.10.0/24` and `10.3.20.0/24`. We can use `nxc` to fingerprint the hosts that are reachable. However, keep in mind that due to network segmentation and firewalls present in the environment, the results may not reflect all machines on the network.
```
nxc smb 10.3.10.0/24
SMB 10.3.10.21 445 ALCHEMIST-KEEP [*] Windows Server 2022 Build 20348 x64 (name:ALCHEMIST-KEEP) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.11 445 KNIGHT-HALL [*] Windows Server 2022 Build 20348 x64 (name:KNIGHT-HALL) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.31 445 MYSTIC-SANCTUM [*] Windows Server 2022 Build 20348 x64 (name:MYSTIC-SANCTUM) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.41 445 TABULARIUM [*] Windows Server 2022 Build 20348 x64 (name:TABULARIUM) (domain:jess.kingdom) (signing:False) (SMBv1:False)
```

```
nxc smb 10.3.20.0/24
SMB 10.3.20.31 445 PALACE-DC [*] Windows Server 2022 Build 20348 x64 (name:PALACE-DC) (domain:jess.kingdom) (signing:True) (SMBv1:False)
```
With the above results, we can create a hosts file to map the domain. If you are unsure about the importance of hosts files, do refer to this guide: here.
```
10.3.10.11 KNIGHT-HALL.jess.kingdom KNIGHT-HALL
10.3.10.31 MYSTIC-SANCTUM.jess.kingdom MYSTIC-SANCTUM
10.3.10.21 ALCHEMIST-KEEP.jess.kingdom ALCHEMIST-KEEP
10.3.10.41 TABULARIUM.jess.kingdom TABULARIUM
10.3.20.31 PALACE-DC.jess.kingdom jess.kingdom PALACE-DC
```
It's also good practice to maintain a `targets.txt` file containing all hosts reachable from your current foothold. This should be a newline-delimited list of IP addresses, one per accessible machine.
```
nxc smb targets.txt
SMB 10.3.10.21 445 ALCHEMIST-KEEP [*] Windows Server 2022 Build 20348 x64 (name:ALCHEMIST-KEEP) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.41 445 TABULARIUM [*] Windows Server 2022 Build 20348 x64 (name:TABULARIUM) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.31 445 MYSTIC-SANCTUM [*] Windows Server 2022 Build 20348 x64 (name:MYSTIC-SANCTUM) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.11 445 KNIGHT-HALL [*] Windows Server 2022 Build 20348 x64 (name:KNIGHT-HALL) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.20.31 445 PALACE-DC [*] Windows Server 2022 Build 20348 x64 (name:PALACE-DC) (domain:jess.kingdom) (signing:True) (SMBv1:False)
Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
```
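Building the hosts file and `targets.txt` by hand is fine for five machines, but it is worth seeing the mapping done mechanically, and the same pass can pull out the `signing:` field that a hardening report would want. The following Python is an added example written for this page; it is not part of the lab's tooling. It parses a constructed sample made of three of the `nxc smb` lines shown above, and the set of domain controller names (here `PALACE-DC`) is supplied by the caller, because the fingerprint line alone does not say which host is the DC.

```python
import re

# Constructed sample: three of the nxc smb fingerprint lines shown on this page,
# plus the progress line that nxc prints at the end and that must be ignored.
NXC_OUTPUT = """\
SMB 10.3.10.21 445 ALCHEMIST-KEEP [*] Windows Server 2022 Build 20348 x64 (name:ALCHEMIST-KEEP) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.11 445 KNIGHT-HALL [*] Windows Server 2022 Build 20348 x64 (name:KNIGHT-HALL) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.20.31 445 PALACE-DC [*] Windows Server 2022 Build 20348 x64 (name:PALACE-DC) (domain:jess.kingdom) (signing:True) (SMBv1:False)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
"""

# Only the "[*]" fingerprint lines carry the name/domain/signing fields;
# "[+]" auth results and the share tables have a different shape and are skipped.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+\[\*\].*?"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_nxc(text):
    """Turn nxc smb output into a list of host dicts (ip, name, domain, signing, smbv1)."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hosts.append({
            "ip": m["ip"],
            "name": m["name"],
            "domain": m["domain"].lower(),
            "signing": m["signing"] == "True",
            "smbv1": m["smbv1"] == "True",
        })
    return hosts


def _by_ip(hosts):
    # Sort numerically by octet so the generated files are stable between runs
    return sorted(hosts, key=lambda h: tuple(int(o) for o in h["ip"].split(".")))


def hosts_file_lines(hosts, domain_controllers=()):
    """Produce /etc/hosts lines: ip, FQDN, (bare domain for a DC), short name."""
    out = []
    for h in _by_ip(hosts):
        names = [f"{h['name']}.{h['domain']}"]
        if h["name"] in domain_controllers:
            names.append(h["domain"])  # bare domain name resolves to the DC
        names.append(h["name"])
        out.append(f"{h['ip']} {' '.join(names)}")
    return out


def targets_file_lines(hosts):
    """Produce the newline-delimited IP list that goes into targets.txt."""
    return [h["ip"] for h in _by_ip(hosts)]


def signing_not_required(hosts):
    """Names of hosts that reported signing:False, i.e. SMB signing is not enforced."""
    return sorted(h["name"] for h in hosts if not h["signing"])


if __name__ == "__main__":
    hosts = parse_nxc(NXC_OUTPUT)
    print("\n".join(hosts_file_lines(hosts, domain_controllers={"PALACE-DC"})))
    print("\n".join(targets_file_lines(hosts)))
    print("SMB signing not required on:", signing_not_required(hosts))
```

The `signing_not_required` list is the defender-facing output: the member servers above answer `signing:False`, and SMB signing is the setting that stops a relayed authentication from being accepted, so those hosts belong in a hardening finding regardless of what else the lab holds. Redirect the first two prints to `/etc/hosts` and `targets.txt` respectively.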
The given scenario is an assumed breach, so we can use the provided credentials to enumerate shares across the domain:
```
nxc smb targets.txt -u 'Kael_Riven' -p 'reggina' --shares
SMB 10.3.10.11 445 KNIGHT-HALL [*] Windows Server 2022 Build 20348 x64 (name:KNIGHT-HALL) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.31 445 MYSTIC-SANCTUM [*] Windows Server 2022 Build 20348 x64 (name:MYSTIC-SANCTUM) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.20.31 445 PALACE-DC [*] Windows Server 2022 Build 20348 x64 (name:PALACE-DC) (domain:jess.kingdom) (signing:True) (SMBv1:False)
SMB 10.3.10.41 445 TABULARIUM [*] Windows Server 2022 Build 20348 x64 (name:TABULARIUM) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.21 445 ALCHEMIST-KEEP [*] Windows Server 2022 Build 20348 x64 (name:ALCHEMIST-KEEP) (domain:jess.kingdom) (signing:False) (SMBv1:False)
SMB 10.3.10.11 445 KNIGHT-HALL [+] jess.kingdom\Kael_Riven:reggina
SMB 10.3.10.11 445 KNIGHT-HALL [*] Enumerated shares
SMB 10.3.10.11 445 KNIGHT-HALL Share Permissions Remark
SMB 10.3.10.11 445 KNIGHT-HALL ----- ----------- ------
SMB 10.3.10.11 445 KNIGHT-HALL ADMIN$ Remote Admin
SMB 10.3.10.11 445 KNIGHT-HALL C$ Default share
SMB 10.3.10.11 445 KNIGHT-HALL IPC$ READ Remote IPC
SMB 10.3.10.31 445 MYSTIC-SANCTUM [+] jess.kingdom\Kael_Riven:reggina
SMB 10.3.20.31 445 PALACE-DC [+] jess.kingdom\Kael_Riven:reggina
SMB 10.3.10.31 445 MYSTIC-SANCTUM [*] Enumerated shares
SMB 10.3.10.31 445 MYSTIC-SANCTUM Share Permissions Remark
SMB 10.3.10.31 445 MYSTIC-SANCTUM ----- ----------- ------
SMB 10.3.10.31 445 MYSTIC-SANCTUM ADMIN$ Remote Admin
SMB 10.3.10.31 445 MYSTIC-SANCTUM C$ Default share
SMB 10.3.10.31 445 MYSTIC-SANCTUM IPC$ READ Remote IPC
SMB 10.3.10.41 445 TABULARIUM [+] jess.kingdom\Kael_Riven:reggina
SMB 10.3.10.41 445 TABULARIUM [*] Enumerated shares
SMB 10.3.10.41 445 TABULARIUM Share Permissions Remark
SMB 10.3.10.41 445 TABULARIUM ----- ----------- ------
SMB 10.3.10.41 445 TABULARIUM ADMIN$ Remote Admin
SMB 10.3.10.41 445 TABULARIUM C$ Default share
SMB 10.3.10.41 445 TABULARIUM IPC$ READ Remote IPC
SMB 10.3.10.21 445 ALCHEMIST-KEEP [+] jess.kingdom\Kael_Riven:reggina
SMB 10.3.20.31 445 PALACE-DC [*] Enumerated shares
SMB 10.3.20.31 445 PALACE-DC Share Permissions Remark
SMB 10.3.20.31 445 PALACE-DC ----- ----------- ------
SMB 10.3.20.31 445 PALACE-DC ADMIN$ Remote Admin
SMB 10.3.20.31 445 PALACE-DC C$ Default share
SMB 10.3.20.31 445 PALACE-DC CertEnroll READ Active Directory Certificate Services share
SMB 10.3.20.31 445 PALACE-DC IPC$ READ Remote IPC
SMB 10.3.20.31 445 PALACE-DC NETLOGON READ Logon server share
SMB 10.3.20.31 445 PALACE-DC SYSVOL READ Logon server share
SMB 10.3.10.21 445 ALCHEMIST-KEEP [*] Enumerated shares
SMB 10.3.10.21 445 ALCHEMIST-KEEP Share Permissions Remark
SMB 10.3.10.21 445 ALCHEMIST-KEEP ----- ----------- ------
SMB 10.3.10.21 445 ALCHEMIST-KEEP ADMIN$ Remote Admin
SMB 10.3.10.21 445 ALCHEMIST-KEEP C$ Default share
SMB 10.3.10.21 445 ALCHEMIST-KEEP ElixirVault ElixirVault
SMB 10.3.10.21 445 ALCHEMIST-KEEP IPC$ READ Remote IPC
Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
```
Although we don't have privileged access to any shares, we can identify a non-default share (`ElixirVault`) on `ALCHEMIST-KEEP`, as well as the `CertEnroll` share on the DC. The latter suggests that Active Directory Certificate Services (ADCS) is installed and configured on the Domain Controller.
## Kerberos Attacks
Another option is to look for users with the `DoNotRequirePreAuth` flag set in `userAccountControl`, indicating that they are [AS-REP roastable](https://blog.netwrix.com/2022/11/03/cracking_ad_password_with_as_rep_roasting/).
```
GetNPUsers.py 'jess.kingdom'/'Kael_Riven':'reggina'
Impacket v0.13.0.dev0+20250516.105908.a63c652 - Copyright Fortra, LLC and its affiliated companies

Name MemberOf PasswordLastSet LastLogon UAC
------------------ --------------------------------------------- -------------------------- --------- --------
Marcellus_OBSCURUS CN=PraetoriaUmbra,CN=Users,DC=jess,DC=kingdom 2025-05-21 02:20:57.493405 <never> 0x410200
```
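The `UAC` column is the raw `userAccountControl` bitmask, and it explains why this account is listed: `0x410200` is `NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH`. Decoding it is how an administrator audits for the same condition from the directory side, without running the roasting tool at all. The Python below is an added example for this page, not part of Impacket or the lab; the flag values come from Microsoft's `ADS_USER_FLAG_ENUM` documentation, the `GetNPUsers.py` table is the one shown above embedded as a constructed sample, and the `svc_example` account in the `__main__` block is a made-up name used only to show a clean result.

```python
import re

# userAccountControl bit values (subset), from Microsoft's ADS_USER_FLAG_ENUM.
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

DONT_REQ_PREAUTH = 0x0400000
DONT_EXPIRE_PASSWORD = 0x0010000
PASSWD_NOTREQD = 0x0000020


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first.

    Bits that are set but not in the table above are reported as UNKNOWN(0x..)
    so nothing is silently dropped.
    """
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known = sum(bit for bit in UAC_FLAGS if value & bit)
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


# Constructed sample: the GetNPUsers.py table printed on this page.
GETNPUSERS_OUTPUT = """\
Name MemberOf PasswordLastSet LastLogon UAC
------------------ --------------------------------------------- -------------------------- --------- --------
Marcellus_OBSCURUS CN=PraetoriaUmbra,CN=Users,DC=jess,DC=kingdom 2025-05-21 02:20:57.493405 <never> 0x410200
"""

# A data row is "name ... 0xHEX"; the header and the dashes line do not end in a hex value.
ROW_RE = re.compile(r"^(?P<name>\S+)\s+\S+\s+.*?\s+(?P<uac>0x[0-9A-Fa-f]+)\s*$")


def parse_getnpusers(text):
    """Return (account name, userAccountControl int) pairs from GetNPUsers.py output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["name"], int(m["uac"], 16)))
    return rows


def audit(rows):
    """Map each (name, uac) pair to the findings a hardening review would raise.

    Accounts with nothing to report are left out of the result.
    """
    findings = {}
    for name, uac in rows:
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("Kerberos pre-authentication disabled (AS-REP roastable)")
        if uac & DONT_EXPIRE_PASSWORD:
            issues.append("password never expires")
        if uac & PASSWD_NOTREQD:
            issues.append("password not required")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    rows = parse_getnpusers(GETNPUSERS_OUTPUT)
    for name, uac in rows:
        print(f"{name}: 0x{uac:x} = {' | '.join(decode_uac(uac))}")
    # svc_example is a hypothetical, clean account added to show an empty result
    for name, issues in audit(rows + [("svc_example", 0x200)]).items():
        print(name, "->", "; ".join(issues))
```

`audit` takes plain `(name, uac)` pairs, so the same function works on an LDAP export of every user, not just the accounts `GetNPUsers.py` already flagged. The fix for a flagged account is to clear `DONT_REQ_PREAUTH` on it; until then, an AS-REP request for it shows up on the DC as Event ID 4768 with Pre-Authentication Type 0, which is the event a detection rule keys on.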
Alternatively, we can check for users with registered Service Principal Names (SPNs): any domain user can request a Service Ticket (ST) for them, and the ticket can then be cracked offline. If such accounts are managed manually (rather than as a gMSA), they may have a weak password.
```
GetUserSPNs.py 'jess.kingdom'/'Kael_Riven':'reggina'
Impacket v0.13.0.dev0+20250516.105908.a63c652 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------ ------------- ------------------------------------------- -------------------------- --------- ----------
HTTP/eldric.jess.kingdom Eldric_SQUIRE CN=SilverLegion,CN=Users,DC=jess,DC=kingdom 2025-05-21 02:20:29.117040 <never>
```
With this initial information, you should be set to begin your journey toward capturing your first flag! For additional guidance, feel free to check out our earlier writeups, which might be helpful for tackling the first few flags.