Myles Nieman

Certifried

Overview

Certifried is a very easy Windows box. Initial enumeration targets SMB and LDAP on an Active Directory host. While null-session LDAP authentication does not succeed, unauthenticated SMB access exposes a readable share that leaks the valid domain account steven.murray.

Note: The lab notes for this box are incomplete — they end after initial enumeration with a confirmed username but before any foothold or flag retrieval. The writeup reflects exactly what the notes document.

Enumeration

The target is an Active Directory domain controller. Screenshots capture the initial SMB and LDAP enumeration workflow.

Target overview — Active Directory host

An explicit null session against SMB (null user, null password) is rejected, but connecting without specifying any credentials at all succeeds and provides access to a share:

Null session SMB attempt — null credentials rejected, but anonymous access works

Enumerating the accessible share surfaces useful information:

SMB share contents — files readable without authentication

Reviewing the share contents identifies a valid domain account:

Valid domain username steven.murray discovered

The valid account is steven.murray.

Takeaways

  • Anonymous SMB access (even when strict null-session auth is blocked) can still expose readable shares that leak usernames and other sensitive data — lock down guest access and audit share ACLs.
  • Enumerating valid usernames through SMB provides the foothold needed for further attacks such as password spraying, AS-REP Roasting, or certificate-based attacks.
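On the defensive side, the unauthenticated share access described above can be surfaced from Windows Security event 5140 (network share object accessed). The following is an added example, not part of the original notes; it assumes "Audit File Share" is enabled and that events have already been exported into dictionaries keyed by the event's field names, and every SID, address and share name in the sample is constructed.

```python
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"    # NT AUTHORITY\ANONYMOUS LOGON (null session)
GUEST_RID_SUFFIX = "-501"    # RID of the built-in Guest account
FILE_SHARE_ACCESS = 5140     # "A network share object was accessed"

# Constructed sample records: placeholder domain SID, addresses and share names.
DOMAIN = "S-1-5-21-1111-2222-3333"
SAMPLE_EVENTS = [
    {"EventID": 5140, "SubjectUserSid": f"{DOMAIN}-501",
     "IpAddress": "10.0.0.50", "ShareName": r"\\*\ExampleShare"},
    {"EventID": 5140, "SubjectUserSid": "S-1-5-7",
     "IpAddress": "10.0.0.50", "ShareName": r"\\*\IPC$"},
    {"EventID": 5140, "SubjectUserSid": f"{DOMAIN}-1104",
     "IpAddress": "10.0.0.21", "ShareName": r"\\*\ExampleShare"},
    {"EventID": 4624, "SubjectUserSid": "S-1-5-7",
     "IpAddress": "10.0.0.50"},
    {"EventID": 5140, "SubjectUserSid": f"{DOMAIN}-501",
     "IpAddress": "10.0.0.50", "ShareName": r"\\*\ExampleShare"},
]


def session_kind(sid):
    """Classify the accessing SID as 'anonymous', 'guest' or None (authenticated)."""
    if sid == ANONYMOUS_SID:
        return "anonymous"
    if sid.startswith("S-1-5-21-") and sid.endswith(GUEST_RID_SUFFIX):
        return "guest"
    return None


def unauthenticated_share_access(events):
    """Count share accesses by guest/anonymous sessions per (kind, source IP, share)."""
    hits = defaultdict(int)
    for ev in events:
        if ev.get("EventID") != FILE_SHARE_ACCESS:
            continue
        kind = session_kind(ev.get("SubjectUserSid", ""))
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1]
        # IPC$ is the named-pipe share and holds no files, so it is skipped here.
        if kind is None or share.upper() == "IPC$":
            continue
        hits[(kind, ev.get("IpAddress", "?"), share)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (kind, ip, share), n in sorted(unauthenticated_share_access(SAMPLE_EVENTS).items()):
        print(f"{kind:9} {ip:15} {share:20} {n} access(es)")
```

Any row in the output names a file share that served a guest or anonymous session, which is the share whose ACL and guest access setting need review.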