Resourced Proving Grounds Write-Up
SUMMARY
This write-up covers the Resourced machine from OffSec’s Proving Grounds, an Active Directory environment where careless handling of domain user data (a password stored in a user’s description field and a copy of the domain database left on a share) led to full domain compromise.
Initial enumeration with rpcclient, without credentials, revealed a domain user whose description field contained a cleartext password. After validating those credentials, SMB share enumeration uncovered a share named “Password Audit” containing an NTDS.dit file along with the SYSTEM hive. Dumping the ntds.dit offline with secretsdump extracted the NT hashes of every domain account, and a password spray with those hashes confirmed that L.Livingstone’s current password still matched one of them. This user had WinRM access, providing an interactive shell and the user flag.
BloodHound analysis revealed that L.Livingstone held GenericAll over the RESOURCEDDC$ computer account, enough to configure Resource-Based Constrained Delegation (RBCD) on the domain controller itself. A new machine account was added to the domain, the DC’s computer object was configured with rbcd.py to allow delegation from that account, and a service ticket impersonating the Administrator was requested with getST. The resulting ticket was used to dump the Administrator’s NTLM hash and authenticate as domain Administrator.
PATH TO FOLLOW
- Reconnaissance & Unauthenticated RPC Enumeration
- Cleartext Credential Discovery in User Description Field
- SMB Share Enumeration & NTDS.dit Discovery
- Offline Hash Dump via secretsdump
- Password Spray & WinRM Access as L.Livingstone
- BloodHound Analysis — GenericAll over Domain Controller
- Resource-Based Constrained Delegation (RBCD) Attack
- Service Ticket Impersonation & Administrator Hash Dump
- Shell as Domain Administrator
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions.