Enumeration

Nmap

Initial nmap scan revealed common DC ports were open.

00 - nmap

Exploitation

Kerbrute user enumeration

I tried different methods at first but none of them worked. Then I tried Kerberos user enumeration with kerbrute and found the info user.

01 - kerbrute to find info

Default Credentials

Later, I tried info:info credentials and it worked. I could access some of the shares.

02 - info info share

I also applied RID brute forcing to create a user list.

03 - rid brute

Kerberoasting

Later, I applied a kerberoasting attack using impacket-GetUserSPNs and obtained two Kerberos tickets.

04 - kerberoasting

I was able to crack the discovery user's hash.

05 - hashcat cracked

MSSQL Impersonation

Later, I logged in to the MSSQL server.

06 - mssql

I had no privileges, but I could impersonate a service user. So I applied the necessary steps and impersonated the user.

-- check which logins you are allowed to impersonate
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

-- switch the execution context to that login (T-SQL requires the '=')
EXECUTE AS LOGIN = '<USER>';

07 - impersonate

GenericWrite - Targeted Kerberoasting

The hrapp-service user had GenericWrite permissions over the hazel.green user.

08 - generic write

So I applied targeted kerberoasting and cracked her password.

09 - targetedkerberoast

10 - cracked
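Both the kerberoasting step above and the targeted kerberoasting of hazel.green show up on the domain controller as Security event 4769 (TGS request) records. The script below is an added defender-side example, not part of the original writeup: it flags accounts that request RC4 (etype 0x17) service tickets for several user-account SPNs in a short window. The 4769 records are constructed samples; the field names mirror the event's EventData names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample 4769 records (not real logs); keys mirror EventData field names.
SAMPLE_4769 = [
    {"time": "2024-01-01T10:00:01", "TargetUserName": "info@EXAMPLE.LOCAL",
     "ServiceName": "hrapp-service", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "info@EXAMPLE.LOCAL",
     "ServiceName": "discovery", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T10:00:03", "TargetUserName": "info@EXAMPLE.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"},      # TGT, ignore
    {"time": "2024-01-01T10:00:04", "TargetUserName": "alice@EXAMPLE.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "Status": "0x0"},  # AES to a host, normal
    {"time": "2024-01-01T10:01:00", "TargetUserName": "bob@EXAMPLE.LOCAL",
     "ServiceName": "hrapp-service", "TicketEncryptionType": "0x17", "Status": "0x0"},  # one RC4 ticket only
    {"time": "2024-01-01T10:02:00", "TargetUserName": "bob@EXAMPLE.LOCAL",
     "ServiceName": "discovery", "TicketEncryptionType": "0x17", "Status": "0x1b"},  # failed request, ignore
]

def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request to a user-account SPN."""
    svc = ev["ServiceName"]
    if ev["Status"] != "0x0" or ev["TicketEncryptionType"] != RC4_HMAC:
        return False
    # Computer accounts end in '$' and krbtgt is the TGT itself; neither is a kerberoasting target.
    return not (svc.endswith("$") or svc.lower().startswith("krbtgt"))

def kerberoast_suspects(events, min_spns=2, window=timedelta(minutes=5)):
    """Return {requester: sorted SPNs} for accounts that obtained RC4 tickets for
    at least `min_spns` distinct user SPNs within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    suspects = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                suspects[user] = sorted(spns)
                break
    return suspects

if __name__ == "__main__":
    for user, spns in kerberoast_suspects(SAMPLE_4769).items():
        print(f"{user}: RC4 tickets for {', '.join(spns)}")
```

Lowering the RC4 volume in the first place (AES-only service accounts, long random passwords or gMSAs) removes what this detection looks for.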

ForceChangePassword

hazel.green could force change molly.smith's password.

11 - force change password

So I updated her password and found out she had RDP privileges.

12 - gg

Then I simply logged in to an RDP session and read the user flag.

13 - local flag

Privilege Escalation

Server Operator

molly.smith was a Tier 1 admin, so I could execute cmd as administrator. However, she was not in the local administrators group.

I opened an administrator cmd and checked groups and privileges. The Server Operator group seemed exploitable.

14 - 0 server operator

So at first I checked a service that runs with SYSTEM privileges:

sc.exe qc AppReadiness

14 - sc qc appreadiness

Then I checked if the Server Operator group had privileges over it using PsService.exe (https://learn.microsoft.com/en-us/sysinternals/downloads/psservice).

15 - server operator all

After learning that Server Operator can modify it, I modified the AppReadiness service to add molly.smith to the local administrators group and started the service.

16 - admin

I simply obtained the administrator flag.

17 - admin flag
