Tag: Active Directory
-
Timelapse – HackTheBox
Timelapse was a relatively easy ‘Easy’ machine that required exploiting misconfigured SMB, which led to a shell as a normal user, where a service account password was discovered in the PowerShell history. That account was allowed to read the LAPS password, which let us get administrative access on the machine. Scanning From the…
-
Mantis – HackTheBox
Mantis was a hard machine that focused on good enumeration and discovering an older vulnerability in the way Kerberos authenticates regular users. We’ll first discover MSSQL credentials, access the MSSQL server, and extract a domain user’s credentials. From there we will find the version of Windows Server is vulnerable to MS14-068 which allows for…
-
Active Directory Takeover Pt II – User to Domain Persistence
In the last post, we discussed some specific enumeration methods for gaining entry into a machine in an Active Directory environment. Today, we’ll get a system shell in a few ways. Note this machine only had a brief glimpse into what’s possible beyond the initial shell, and we’ll be dealing with many other interesting methods…
-
Forest – HackTheBox
Forest is a much-hyped retired “Easy” Windows machine that deals with a wide variety of common AD attack vectors, both for initial entry and privilege escalation. Initially, I was able to leverage RPC to dump usernames from the domain, then AS-REP roast a service account. This was used to gain entry into the system, where I…