Certifried
Overview
Certifried is a very easy Windows box. Initial enumeration targets SMB and
LDAP on an Active Directory host. While null-session LDAP authentication does
not succeed, unauthenticated SMB access exposes a readable share that leaks the
valid domain account steven.murray.
Note: The lab notes for this box are incomplete — they end after initial enumeration with a confirmed username but before any foothold or flag retrieval. The writeup reflects exactly what the notes document.
Enumeration
The target is an Active Directory domain controller. Screenshots capture the initial SMB and LDAP enumeration workflow.

Attempting a null session against SMB shows that a fully anonymous (null user, null password) connection is rejected, but connecting without specifying any credentials at all succeeds, providing access to a share:

Enumerating the accessible share surfaces useful information:

Reviewing the share contents identifies a valid domain account:

The valid account is steven.murray.
Takeaways
- Anonymous SMB access (even when strict null-session auth is blocked) can still expose readable shares that leak usernames and other sensitive data — lock down guest access and audit share ACLs.
- Enumerating valid usernames through SMB provides the foothold needed for further attacks such as password spraying, AS-REP Roasting, or certificate-based attacks.