Posts

Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed. After enumeration, BloodHound reveals that a user has the DS-Replication-Get-Changes-All extended right, which allows to perform a DCSync attack.

Quick explanation on how to get BloodHound up and running in a few minutes! This post include a step by step installation guide of BloodHound, as well as downloading SharpHound and uploading it to a machine in order to map out an Active Directory Network.

Forest in an easy difficulty Windows Domain Controller, for a domain in which Exchange Server has been installed. The foothoold can be obtained via AS-REP Roasting. The service account is found to be a member of the Account Operators group, which can be used to add users to later exploit DCSync privileges.

Busqueda is an Easy Difficulty Linux machine that involves exploiting a command injection vulnerability present in a Python module to gain user-level access to the machine. To escalate privileges to root, we discover credentials within a Git config file, allowing us to log into a local Gitea service.

Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment. This machine teaches us about Group Policy Preferences Passwords from Windows and how to abuse them.