Machine Name: Manager IP: 10.10.11.236 Difficulty: Medium
Summary
Manager is a medium-difficulty machine that starts with enumerating usernames and password spraying them to log in to an MSSQL shell. The MSSQL shell was used to fetch a configuration file containing user credentials, which were used to obtain the user shell. Privilege escalation consisted of abusing an Active Directory Certificate Services (AD CS) misconfiguration to issue an administrator certificate, which was used to obtain the TGT hash and authenticate as administrator.
Machine Name: Scrambled IP: 10.10.11.168 Difficulty: Medium
Summary
Scrambled is a medium machine that requires an understanding of how Kerberos works. It includes enumerating users through the Kerberos authentication protocol's error message and password spraying to obtain valid credentials for the users found. The obtained credentials are used to get a TGT, through which the SPN and TGS are obtained. The TGS was cracked and new credentials were obtained. The new credentials did not work when logging in with the MSSQL client. The TGT was used to enumerate the SMB share, where a PDF with information about imposed access controls was found: only administrator accounts can access the SQL database. A Silver Ticket attack was performed to gain access to the database, where more credentials were found and a shell could be obtained. After gaining the user shell, a DLL file that was found was decompiled and analysed. It called a serialization method, which was exploited by crafting a payload using ysoserial to gain an administrator shell.
Machine Name: Noter IP: 10.10.11.140 Difficulty: Medium
Summary
Noter is a machine that expects basic enumeration to lead to session cookies, JWT secrets, and credentials to servers. It teaches code review and the identification of code injections. Privilege escalation was fairly simple, as it was achieved with a public exploit that required credentials obtained during enumeration. The exploit allowed command execution as root through MySQL to gain a root shell.