We can use the credentials provided by the challenge to collect domain data for BloodHound:
BloodHound extract:
User flag
There isn't anything we can do from the rose user in BloodHound, but one of the SMB shares is readable:
Two files are present, which probably contain information about the accounts:
However, their data look corrupted:
I tried a quite trivial way to recover the data, which worked and returned some passwords:
Now we can prepare a brute-force attack to get another account from the credentials we obtained:
We get the password for the Oscar user:
We can also connect to MSSQL with one of the passwords:
We get a reverse shell thanks to xp_cmdshell:
I tried a few enumerations for Local Privilege Escalation, but they didn't work. However, running Snaffler on the host returns a new password:
I then tried to enumerate some things with the sql_svc account, but it wasn't very successful. Then I tried password spraying again with the new password, and it worked:
This user can WinRM to the server and get the user flag:
Domain Escalation through ESC4
Ryan has WriteOwner over ca_svc:
Let's abuse it. We start by setting ryan as the owner of ca_svc:
Next, we can give ryan FullControl over ca_svc, and then change its password:
Next, we can enumerate AD CS (certipy find):
ESC4 is an easy way to get Domain Admin on the server. We start by saving the template, then making it vulnerable:
Then, we request a certificate with a custom SAN (Administrator):
We can finally WinRM to the server to get the root flag:
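The ESC4 path above only exists because a low-privileged principal (here ca_svc, once ryan owns it) holds write rights over a certificate template. The defender-side check is to audit the ACLs of every template object in the configuration partition for such rights. The following PowerShell audit is an added example, not part of the writeup or of certipy; it assumes the RSAT ActiveDirectory module on a domain-joined host and assumes that `$env:USERDOMAIN` is the NetBIOS domain name used to build the expected-principal list.

```powershell
# Added example (not from the writeup): audit AD CS certificate templates for
# principals holding write-level rights, which is the precondition for ESC4.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Rights that let a principal rewrite a template's settings or its DACL.
# WriteProperty matches broadly: inspect ObjectType on hits to confirm the
# right is not scoped to a single harmless attribute.
$dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

# Principals expected to hold these rights; anything else is worth review.
# Assumption: $env:USERDOMAIN is the NetBIOS name of the domain being audited.
$expected  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$expected += "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"

Get-ADObject -SearchBase $templateDN -SearchScope OneLevel -Filter * |
  ForEach-Object {
    $tpl = $_
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"

    # The owner can always rewrite the DACL, so a non-standard owner is a finding too.
    if ($acl.Owner -notin $expected) {
        [PSCustomObject]@{ Template = $tpl.Name; Principal = $acl.Owner; Right = 'Owner' }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.ActiveDirectoryRights -match $dangerous -and
            $ace.IdentityReference.Value -notin $expected) {
            [PSCustomObject]@{
                Template  = $tpl.Name
                Principal = $ace.IdentityReference.Value
                Right     = $ace.ActiveDirectoryRights.ToString()
            }
        }
    }
  } | Sort-Object Template, Principal | Format-Table -AutoSize
```

Run it as any domain user (the template container is world-readable) and treat every row as something to justify or remove; service accounts such as the ca_svc account in this writeup should never appear. Enrollment rights alone do not show up here and are not ESC4. For ongoing detection, enable auditing on the CA and watch for template modification events (4899, "A Certificate Services template was updated", and 4900, "Certificate Services template security was updated"), which fire when a template is rewritten the way the writeup does before requesting the Administrator certificate.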