Below you will find pages that utilize the taxonomy term “Bloodhound”
EscapeTwo

Note (Machine Information): As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
Summary
- found juicy file in SMB share
- extracted passwords from unzipped xlsx file
- reverse shell as sql_svc using mssql and xp_cmdshell
- password spray to find credential reuse
- writeowner abuse using impacket
- ADCS-ESC4 using certipy
Initial Enumeration
Port scanning
As always, I start off with a port scan: first a full port scan, followed by a detailed targeted port scan.
Certified

Note: As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09
Summary
- AD Enumeration using netexec and bloodhound
- abuse WriteOwner permissions to become member of Management Group
- ShadowCredential attack to get hash for management_svc
- Lateral Movement to CA_Operator by changing password
- ADCS-ESC9 to become Administrator
Initial Enumeration
As usual, I start with a simple full port scan followed by a more detailed targeted port scan.
The Security Maturity Grind in 2025
Security is an arms race
In the world of Cyber Security, we are always one step behind as defenders, and this makes total sense. In the past I’ve learned there are 2 kinds of people: those who do first, think later and then do again, and those who think first, then do and then think again. In both cases there is a reflective moment. In a perfect world, where no crime nor malicious intent exists, we wouldn’t need security. Let’s look at this from another perspective.