11/2020

Description:

Target IP: 10.10.10.161

The target machine is a Domain Controller that uses Kerberos. Foothold gained by exploiting a misconfiguration for an account in *Privileged IT Accounts* group to get a credential for the foothold. Run SharpHound shell script on the target machine to discover privilege escalation path. PowerView kit extends the command in the initial shell to grant *svc-alfresco* account DCSync privilege. Then dumping system account credentials with a custom python script to get *Administrator* account.

Difficulty:

easy

Flags:

User: e5e4e47ae7022664cda6eb013fb0d9ed

Root: f048153f202bbb2f82622b04d79129cc

Enumeration

Nmap port scan result.

! Discovered services:

• DNS (53), Kerberos Auth (88)
• RPC (135)
• NetBIOS session service (139)
• Lightweight Directory Access protocol - LDAP (389)
• SMB (445)
• Kerberos passwords change handler (464)
• RPC over HTTP (593)
• LDAP (3268)