Administrator is a medium-difficulty machine that follows the assume-breach methodology: you start with a low-privileged domain user.
Nmap Scan
Summary
hosts file
I'm in the habit of trying newly released tools, so this time I will start my enumeration with cicada-masterful.
After collecting data with bloodhound and ldapdomaindump, I will enumerate the domain for possible domain escalation paths.
Looking at BloodHound CE, user Olivia has GenericAll on Michael, which means she can:
- Assign a fake SPN and perform a targeted Kerberoast attack
- Reset that user's password
- Perform Shadow Credentials (needs PKINIT authentication)
And Michael has ForceChangePassword on Benjamin.
To perform this attack entirely from Linux, I will use the following commands:
Now I have Benjamin's account, and he is a member of the Share Moderators group.
When I looked through the shares for juicy files, I didn't find anything useful.
I will then move to FTP with the two new accounts I have, using FileZilla. Michael's account doesn't have any files, but Benjamin's does.
After downloading the file, it turns out to be encrypted with a master password, as is the default.
I used this tool to extract the password hash of the database.
Using John the Ripper, I cracked this hash successfully.
Then I downloaded this program to my Windows machine, opened the database with it, and exported all the passwords to a .txt file.
User Emily has GenericWrite on Ethan, so she can do the following:
- Targeted Kerberoast attack
- Shadow Credentials
User Ethan has DCSync rights, so I can dump the ntds database with this account.
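The two ACL chains above (Olivia → Michael → Benjamin, and Emily → Ethan → DCSync) are exactly what a defender should be auditing for. As an added example that is not part of this writeup or of BloodHound, the script below walks a constructed edge list in BloodHound's naming (the edge types and the sample relationships are the ones named in this post; the graph format, the function names and the "DOMAIN" placeholder are assumptions) and reports every principal a given user can take over, plus any chain that ends in replication rights against the domain.

```python
from collections import deque

# Edge types that let the source take over the target (BloodHound edge names).
TAKEOVER_EDGES = {"GenericAll", "GenericWrite", "ForceChangePassword",
                  "WriteDacl", "WriteOwner", "AddKeyCredentialLink"}
DOMAIN_EDGES = {"DCSync", "GetChangesAll"}  # replication rights on the domain object

# Constructed sample mirroring the writeup's findings; "DOMAIN" is a placeholder.
SAMPLE_EDGES = [
    ("olivia", "GenericAll", "michael"),
    ("michael", "ForceChangePassword", "benjamin"),
    ("emily", "GenericWrite", "ethan"),
    ("ethan", "DCSync", "DOMAIN"),
    ("benjamin", "MemberOf", "share moderators"),  # not a takeover edge, ignored
]

def build_graph(edges):
    """Map source -> [(edge_type, target)], keeping only edges that matter here."""
    graph = {}
    for src, kind, dst in edges:
        if kind in TAKEOVER_EDGES or kind in DOMAIN_EDGES:
            graph.setdefault(src, []).append((kind, dst))
    return graph

def reachable(edges, start):
    """Principals `start` can take over, directly or through a chain of ACLs."""
    graph, seen, stack = build_graph(edges), set(), [start]
    while stack:
        for kind, dst in graph.get(stack.pop(), []):
            if kind in TAKEOVER_EDGES and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def escalation_paths(edges, start):
    """Hop chains from `start` that end in a domain-level edge such as DCSync.
    BFS with a visited set, so cyclic ACLs cannot loop forever."""
    graph, seen, found = build_graph(edges), {start}, []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for kind, dst in graph.get(node, []):
            hop = path + [(node, kind, dst)]
            if kind in DOMAIN_EDGES:
                found.append(hop)
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, hop))
    return found
```

Run over a real export, any chain returned by `escalation_paths` for a non-admin user is a finding to remediate (remove the ACE or move the target into a protected group), not just to note.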
Abuse GenericWrite privileges
Dump administrator hash
Root Flag: b42e8a0a9a5c81e4b7f8xxxxxxxxxxxxx