33Charles/MyNotes


Repository Overview

This repository documents my ongoing journey in red teaming, penetration testing, and Active Directory security assessment. It functions as both a structured learning record and a technical reference, capturing practical experience gained through labs, simulated enterprise environments, and real-world attack scenarios.

The notes emphasize methodical exploitation workflows, progressing from reconnaissance and initial access to lateral movement, privilege escalation, and ultimately full domain or system compromise. Alongside detailed write-ups, the repository consolidates foundational theory, attack techniques, tooling practices, and operational tradecraft across Windows, web applications, and enterprise networks.

Summary of concepts covered

  • Comprehensive AD basics

    • AD structure: domains, forests, trusts, OUs, objects.
    • Terminology: SID, DN, GUID, SPN, PAC, SYSVOL, NTDS.DIT.
    • Core protocols: Kerberos flow, LDAP, MSRPC, NTLM, DNS.
    • Trusts: transitive/non-transitive, parent-child, external, forest.
    • Local privileges: SeDebug, SeImpersonate, SeBackup.
    • Red team targets: LSASS dumps, PAC manipulation, NTDS extraction.
  • Deep dive on Kerberos delegation

    • Kerberos delegation overview
      Basics: TGT/TGS, KDC.
      Types & attacks:
    • Unconstrained (KUD): the TrustedForDelegation flag is set, so the host can request tickets for any service on behalf of any user that authenticates to it. Enumeration: PowerView, Get-ADComputer, impacket findDelegation.py.
    • Constrained (KCD): delegation limited to the specific services listed in msDS-AllowedToDelegateTo. Uses S4U2Self (obtain a service ticket for a user without that user's credentials) followed by S4U2Proxy (use it to request a ticket to the allowed target service).
    • Resource-Based (RBCD): delegation controlled on the target resource via msDS-AllowedToActOnBehalfOfOtherIdentity. If an attacker can modify a computer object's ACL, they can grant their own machine delegation rights and then impersonate any user to that host via S4U.
  • Roasting

    • Time Roasting: exploit MS-SNTP to extract machine account password hashes.
    • Kerberoasting: request and crack service account TGS tickets.
    • AS-REP Roasting: target accounts with pre-authentication disabled.
  • DPAPI Exploitation — Practical DPAPI abuse steps
    Decrypt user master keys and credential blobs using the user's password + SID.
    Steps:

    • Locate and copy the master keys (C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>) and credential blobs (\Credentials).
    • Stand up an Impacket SMB server to copy the files off the host.
    • Decrypt the master key: impacket-dpapi masterkey -file <blob> -password '<pass>' -sid <SID>.
    • Use the decrypted key on the credential blobs (partial command).
      Targets: Chrome/Edge creds, Wi-Fi profiles, etc.
  • Windows Registry — Basic structure & hives
    Hierarchical database of configuration data (users, applications, hardware).
    Hives: HKCR, HKCU (current user), HKLM (machine-wide), HKU (all users), HKCC.
    HKCU is a link to the current user's SID subkey under HKU.

  • COM and DCOM overview
    Covers Component Object Model (COM) and Distributed COM (DCOM) internals for Windows red teaming.

    • COM Basics: Binary standard for reusable components/interfaces (CLSID/IID), in-process/out-of-process servers, activation via COM server DLLs.

    • DCOM: Remote COM execution over MS-RPC (port 135 + dynamic high ports), auth levels (None → Packet Privacy), credential flow (NTLM/Kerberos).

    • Attacks & Exploitation:

      • DCOM Lateral Movement: remote execution via CLSIDs (e.g., MMC20.Application ShellExecute, ShellWindows).
      • Privilege Escalation: Potato family exploits (JuicyPotato, PrintSpoofer, RogueWinStation) abuse SeImpersonate/SeAssignPrimaryToken via DCOM coercion.
      • COM Hijacking: abuse weak registry permissions on InprocServer32/OutOfProcServer32 CLSID keys → replace the DLL path with a malicious payload for persistence or privilege escalation (e.g., hijack common CLSIDs like {00021401-0000-0000-C000-000000000046} for ShellItem).
        • Technique: modify HKCR\CLSID\{target}\InprocServer32 → point it at the attacker DLL; trigger via an application that loads the CLSID.
        • Risks: persistence, code execution in high-integrity processes.
      • OLE Weaponization: embedded objects/monikers in documents → Scriptlet Moniker (scrobj.dll) for remote script execution, DDE attacks in Office files.

    • Tools: impacket-dcomexec, Rubeus (for the related Kerberos steps), JuicyPotato/PrintSpoofer variants, reg.exe/PowerShell for registry hijacks.
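As an added defender-side example (not code from this repository), the following Python audits account records for the delegation settings and roasting exposures described in the Kerberos delegation and Roasting items above. The userAccountControl bit values are Microsoft's documented ones; the sample records are constructed, and the RBCD attribute (really a security descriptor) is simplified to a list of SIDs.

```python
# userAccountControl flag bits as documented by Microsoft (ADS_USER_FLAG_ENUM).
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (KUD)
DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication disabled
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

def audit_account(rec):
    """Return (code, detail) findings for one LDAP-style account record; the RBCD
    attribute (really a security descriptor) is simplified to a list of SIDs."""
    uac = rec.get("userAccountControl", 0)
    sam = rec.get("sAMAccountName", "?")
    findings = []
    # KUD: every authenticating user's TGT lands in this host's LSASS. DCs carry the flag legitimately.
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append(("KUD", f"{sam} trusted for unconstrained delegation"))
    targets = rec.get("msDS-AllowedToDelegateTo") or []
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append(("KCD-PT", f"{sam} -> {', '.join(targets)} (protocol transition)"))
    elif targets:
        findings.append(("KCD", f"{sam} -> {', '.join(targets)}"))
    rbcd = rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity") or []
    if rbcd:
        findings.append(("RBCD", f"{sam} accepts S4U impersonation from {', '.join(rbcd)}"))
    if uac & DONT_REQ_PREAUTH:
        findings.append(("ASREP", f"{sam} has Kerberos pre-authentication disabled"))
    # An SPN on a user (non-machine$) account makes its TGS crackable offline.
    if rec.get("servicePrincipalName") and not sam.endswith("$"):
        findings.append(("SPN-USER", f"{sam} has SPN {rec['servicePrincipalName'][0]}"))
    return findings

def audit_domain(records):
    """Map sAMAccountName -> finding codes, omitting clean accounts."""
    report = {}
    for rec in records:
        codes = [code for code, _ in audit_account(rec)]
        if codes:
            report[rec["sAMAccountName"]] = codes
    return report

# Constructed sample records (not real directory data).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["S-1-5-21-1-2-3-1105"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"],
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200},
]
```

Feeding it the output of an LDAP query for these attributes gives a quick list of the accounts to remediate (remove the flag, enable pre-auth, or move the service to a gMSA).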

Core Knowledge & Tools Covered Across Write-ups

These notes emphasize practical red teaming skills rather than one-off exploits.
Common themes include chained attacks (web → credential capture → AD relay/cert abuse → DCSync/root), creative credential harvesting (XSS exfil, NATS logs, .library-ms), Active Directory misconfiguration abuse (DNS, delegation, certificates, gMSA, dMSA), and turning small footholds into full domain compromise or root access.

1. Reconnaissance & Enumeration

  • nmap (version detection, script scanning, timing tweaks)
    Almost every machine begins with nmap scans (-Pn -sCV -p- --min-rate 2000-5000 -T2-T4) to map all open ports, detect service versions, and run default scripts. This consistently reveals AD ports (53,88,135,139,389,445,464,636,3268-3269,5985-5986), MSSQL (1433), NATS (4222), HTTP on non-standard ports (8000), and IKE (500/4500).

  • Service fingerprinting (HTTP headers, AD ports: 53/88/135/389/445/1433, etc.)
    Beyond nmap, read HTTP titles/headers, use Wappalyzer, and add discovered domains (mirage.htb, nanocorp.htb, etc.) to /etc/hosts for proper name resolution in browsers and tools.

  • ike-scan (IPsec/IKE PSK leaks)
    Used to enumerate and extract crackable PSK hashes from IPsec endpoints in aggressive mode (ike-scan -A -M -P).

  • kerbrute, nxc / NetExec (SMB, Kerberos, RID brute-forcing, share spidering)
    kerbrute enumerates valid domain users via Kerberos AS-REQ.
    NetExec (nxc) is the central AD tool, used for credential spraying, RID brute-forcing (--rid-brute 10000), share enumeration (--shares), file metadata spidering (-M spider_plus), password policy checks, and Kerberos configuration file generation (--generate-krb5-file <FILE>).

  • BloodHound / RustHound (AD attack path graphing)
    Collect AD data (RustHound-CE or SharpHound) and analyze graphs for shortest paths to Domain Admin — especially delegation, group rights, and writable attributes.

2. Web & Application Exploitation

  • Sandbox escapes (js2py CVE)
    Exploit the js2py sandbox escape (CVE-2024-28397): prototype pollution walks the Python object chain to reach subprocess, so reverse shell commands execute directly from JS input.

  • Injection flaws: XSLT injection, LDAP injection, SQL injection (PostgreSQL COPY RCE)
    XSLT injection writes arbitrary files (exslt:document) into cron directories for code execution.
    LDAP injection uses wildcards/closures (*)(uid=*) to bypass authentication filters.
    PostgreSQL SQLi allows COPY FROM PROGRAM to run OS commands as the database user.

  • Auth bypass & token manipulation (Roundcube XSS, CrushFTP CVE, Flask session forgery)
    Roundcube XSS (CVE-2024-42009) exfiltrates emails/tokens via malicious HTML + JavaScript fetch.
    CrushFTP auth bypass (CVE-2025-31161) creates admin users via PoC script.
    Flask session forgery cracks weak secret keys with flask-unsign + rockyou to forge admin cookies.

  • File upload/write abuses leading to reverse shells
    Upload malicious ZIPs containing .library-ms files that force NTLM auth to Responder listener when opened.

  • NTLM relay/capture (malicious .library-ms files, Responder)
    Capture NetNTLMv2 hashes with Responder → crack with hashcat or relay with ntlmrelayx to LDAP/AD CS.

3. Credential Attacks

  • Hash cracking (MD5 via hashcat/crackstation, NTLM via hashcat)
    Crack MD5 from SQLite DBs (crackstation or hashcat -m 0), NetNTLMv2 (-m 5600), Kerberos TGS (-m 13100), and PSK hashes (psk-crack).

  • Kerberoasting / AS-REP roasting potential
    Use impacket-GetUserSPNs to request and crack service account TGS tickets; AS-REP roasting implied for pre-auth disabled accounts.

  • Plaintext leaks from logs/databases/emails
    Extract creds from NATS JetStream logs, PostgreSQL .env, email bodies (XSS exfil), decrypted backups, and application configs.

4. Active Directory Exploitation

  • DNS spoofing/poisoning
    nsupdate adds A records (update add nats-svc... A <attacker IP>) → redirect services for credential capture.

  • NATS / message broker introspection
    Use the nats CLI to read JetStream streams (nats stream view, nats sub ">") → read auth_logs for creds.

  • Delegation & group abuse
    Abuse Resource-Based Constrained Delegation, writable msDS-AllowedToDelegateTo, force-password-change rights, and gMSA passwords (bloodyAD get object msDS-ManagedPassword).

  • Time skew fixes (faketime)
    faketime -f '+7hrs' wraps nxc, impacket, bloodyAD, certipy-ad, evil-winrm to fix Kerberos clock issues.

  • Trustworthy DB escalation (MSSQL msdb)
    Leverage is_trustworthy_on=1 on msdb database to enable EXECUTE AS OWNER chains toward sysadmin.

  • Certificate abuse (AD CS)
    Exploit weak certificate templates (ESC-style), UPN spoofing, weak enrollment policies → request certs with certipy-ad, forge silver tickets (impacket-ticketer), or extract NT hashes (certipy-ad auth).

  • Relay attacks
    Relay captured NTLM hashes (ntlmrelayx) to LDAP/AD CS → add shadow credentials, request certs, or perform DCSync.
    Coerce authentication with printerbug.py or similar primitives.

5. Privilege Escalation & Post-Exploitation

  • sudo misconfigurations (config injection/abuse: npbackup-cli, needrestart)
    npbackup-cli: craft custom config to backup /root and dump flag via --dump.
    needrestart: inject exec "/bin/sh","-p"; into malicious config file and run with sudo.
    sudo 1.9.17 CVE-2025-32462/32463 bypass via -h option abuse.

  • Cron job hijacking

  • Container escapes (pgAdmin)

  • Tunneling & port forwarding (chisel/ligolo/sshuttle/proxychains)
    Use chisel for reverse tunnels (server on attacker, client on target) to expose internal services; combine with an ssh -D dynamic proxy or socat redirects.

  • WinRM / evil-winrm
    evil-winrm -i <host> -r <realm>, or evil_winrmexec.py -k (Kerberos), for interactive shells after lateral movement.
