Certified - Hack The Box
Enumeration
Nmap
The initial Nmap scan showed SMB, LDAP, Kerberos and WinRM ports open, which indicates that the target is a Domain Controller.
User Enumeration
A user account was given to us initially, so using the given credentials I performed RID brute forcing and built a user list.
Trying AS-REP Roasting
Using the user list, I tried AS-REP Roasting, which did not reveal anything.
Trying Kerberoasting
I then tried a Kerberoasting attack and obtained a ticket for the management_svc user, but its hash was not crackable.
LDAP Search
I ran an LDAP search and checked the description fields, which also revealed nothing useful.
BloodHound
I then ran BloodHound and found a path to a shell.
Exploitation
WriteOwner
The current user, judith, had WriteOwner permission over the Management group, so following the standard steps I added judith to the Management group.
GenericWrite (Shadow Credentials)
The Management group had GenericWrite over management_svc. That meant we could either do targeted Kerberoasting (which I had tried at the beginning, and the ticket could not be cracked) or apply the Shadow Credentials attack.
So I followed the steps to apply the Shadow Credentials attack.
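From the defender's side, the two techniques just described leave distinct traces in the Security log: Kerberoasting shows up as a burst of event 4769 service-ticket requests with RC4 (TicketEncryptionType 0x17) for many different service accounts from one user, and a Shadow Credentials write shows up as event 5136 modifying the msDS-KeyCredentialLink attribute of a different account (this requires SACL auditing on the user objects). The following script is an added example, not part of the original writeup; the JSON event lines are constructed, and the domain, host and IP values are placeholders.

```python
import json
from collections import defaultdict

# TicketEncryptionType value that event 4769 reports for RC4-HMAC tickets.
RC4_HMAC = "0x17"

# Constructed sample events (not real logs): Security event 4769 (Kerberos
# service ticket requested) and 5136 (directory object modified), shaped like
# a log shipper's JSON export. Domain, host and IP values are placeholders.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4769, "TargetUserName": "judith@EXAMPLE.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},   # normal AES ticket
    {"EventID": 4769, "TargetUserName": "judith@EXAMPLE.LOCAL", "ServiceName": "management_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "judith@EXAMPLE.LOCAL", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "judith@EXAMPLE.LOCAL", "ServiceName": "web_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 5136, "SubjectUserName": "judith",
     "ObjectDN": "CN=management_svc,CN=Users,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
]]


def parse_events(lines):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_kerberoasting(events, min_services=3):
    """Return {requesting user: [service accounts]} for users that requested
    RC4 service tickets for at least min_services distinct services.
    A single RC4 request is common in mixed estates; the fan-out is the signal."""
    by_user = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            by_user[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in by_user.items() if len(svcs) >= min_services}


def detect_shadow_credentials(events):
    """Return msDS-KeyCredentialLink writes made by a principal other than the
    object itself. Machine accounts legitimately update their own key material
    (e.g. Windows Hello for Business), so those self-writes are treated as baseline."""
    findings = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("AttributeLDAPDisplayName") != "msDS-KeyCredentialLink":
            continue
        subject = e["SubjectUserName"]
        target_cn = e["ObjectDN"].split(",")[0].removeprefix("CN=")
        if subject.endswith("$") and subject[:-1].lower() == target_cn.lower():
            continue
        findings.append({"subject": subject, "target": target_cn, "operation": e.get("OperationType")})
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("Kerberoasting candidates:", detect_kerberoasting(evts))
    print("Shadow Credentials candidates:", detect_shadow_credentials(evts))
```

The RC4 fan-out threshold and the self-write exemption are tuning choices; in an estate where RC4 is already disabled for service accounts, any 0x17 request is worth a look on its own, and the 5136 rule only fires if "Write all properties" or the specific attribute is audited on the user objects.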
Got The User
Privilege Escalation
GenericAll
The management_svc user had GenericAll permissions over CA_OPERATOR.
So I could force a change of CA_OPERATOR's password.
ADCS - ESC9
Using CA_OPERATOR, I enumerated vulnerable certificate templates and found a template that is vulnerable to ESC9.
So the scenario was simple: the management_svc user had GenericAll permissions over CA_OPERATOR, and CA_OPERATOR could enroll in the vulnerable certificate template.
I could exploit ESC9 by updating CA_OPERATOR's UPN to Administrator using the management_svc credentials. I followed these steps to do that and obtained the Administrator hash.
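For the defender, ESC9 has a configuration side and a log side. The configuration side is a template whose msPKI-Enrollment-Flag carries CT_FLAG_NO_SECURITY_EXTENSION (0x80000), so issued certificates lack the SID security extension, combined with an authentication-capable EKU and a KDC whose StrongCertificateBindingEnforcement value is not 2 (full enforcement). The log side is the UPN rewrite itself, which appears as event 4738 ("A user account was changed") with a new User Principal Name matching a privileged account. The audit below is an added example, not from the original writeup or any tool it used; the template records and 4738 events are constructed, and the real values would come from the AD configuration partition and the Security log.

```python
# msPKI-Enrollment-Flag bit: certificates issued from the template omit the
# szOID_NTDS_CA_SECURITY_EXT (SID) extension, which is what ESC9 relies on.
CT_FLAG_NO_SECURITY_EXTENSION = 0x80000

# EKUs that let a certificate be used for domain authentication: Client
# Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4",
             "1.3.6.1.4.1.311.20.2.2", "2.5.29.37.0"}

# Constructed template records (attribute names as in the AD configuration
# partition; the values are made up for this example).
SAMPLE_TEMPLATES = [
    {"name": "UserSafe", "enabled": True, "msPKI-Enrollment-Flag": 0x20,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "LegacyUser", "enabled": True, "msPKI-Enrollment-Flag": 0x80020,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "WebServer", "enabled": True, "msPKI-Enrollment-Flag": 0x80000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},   # Server Authentication only
    {"name": "OldDisabled", "enabled": False, "msPKI-Enrollment-Flag": 0x80000,
     "pKIExtendedKeyUsage": []},                      # empty EKU list = any purpose
]

# Constructed 4738 ("A user account was changed") events. The real event reports
# unchanged fields as "-", which the sample mirrors.
SAMPLE_EVENTS = [
    {"EventID": 4738, "SubjectUserName": "management_svc", "TargetUserName": "CA_OPERATOR",
     "UserPrincipalName": "Administrator"},
    {"EventID": 4738, "SubjectUserName": "hr_admin", "TargetUserName": "newhire",
     "UserPrincipalName": "newhire@EXAMPLE.LOCAL"},
    {"EventID": 4738, "SubjectUserName": "hr_admin", "TargetUserName": "judith",
     "UserPrincipalName": "-"},
]


def find_esc9_templates(templates, strong_binding_enforcement):
    """Return names of enabled templates that meet the ESC9 preconditions.
    strong_binding_enforcement is the KDC registry value
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement
    (0 disabled, 1 compatibility, 2 full enforcement)."""
    if strong_binding_enforcement == 2:
        # With full enforcement the KDC rejects certificates that lack the
        # SID extension, so the missing-extension flag no longer helps an attacker.
        return []
    exposed = []
    for t in templates:
        if not t["enabled"]:
            continue
        no_sec_ext = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_NO_SECURITY_EXTENSION)
        ekus = set(t["pKIExtendedKeyUsage"])
        auth_capable = not ekus or bool(ekus & AUTH_EKUS)
        if no_sec_ext and auth_capable:
            exposed.append(t["name"])
    return exposed


def flag_upn_changes(events, privileged=("administrator",)):
    """Return 4738 events where an account's UPN was set to a privileged name
    that does not belong to the account being modified."""
    hits = []
    for e in events:
        if e.get("EventID") != 4738:
            continue
        new_upn = e.get("UserPrincipalName", "-")
        if new_upn == "-":
            continue
        local_part = new_upn.split("@")[0].lower()
        if local_part in privileged and local_part != e["TargetUserName"].lower():
            hits.append({"subject": e["SubjectUserName"], "target": e["TargetUserName"],
                         "new_upn": new_upn})
    return hits


if __name__ == "__main__":
    print("ESC9 templates (compatibility mode):", find_esc9_templates(SAMPLE_TEMPLATES, 1))
    print("ESC9 templates (full enforcement):", find_esc9_templates(SAMPLE_TEMPLATES, 2))
    print("Suspicious UPN changes:", flag_upn_changes(SAMPLE_EVENTS))
```

Both checks point at the same two fixes: clear CT_FLAG_NO_SECURITY_EXTENSION on templates that allow authentication, and move the KDC to StrongCertificateBindingEnforcement = 2 once the estate's certificates carry the SID extension. The UPN rule is deliberately narrow; widening the privileged list to service and tier-0 accounts is the usual next step.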
Got The Shell
I then obtained an Administrator shell using psexec.
Pwned
The machine was fully compromised.