S3ntinl

Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed. After enumeration, BloodHound reveals that a user has the DS-Replication-Get-Changes-All extended right, which allows to perform a DCSync attack.

Forest in an easy difficulty Windows Domain Controller, for a domain in which Exchange Server has been installed. The foothoold can be obtained via AS-REP Roasting. The service account is found to be a member of the Account Operators group, which can be used to add users to later exploit DCSync privileges.

Quick explanation on how to get BloodHound up and running in a few minutes! This post include a step by step installation guide of BloodHound, as well as downloading SharpHound and uploading it to a machine in order to map out an Active Directory Network.