Note: Machine Information As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Summary

1. found juicy file in SMB share
2. extracted passwords from unzipped xlsx file
3. reverse shell as sql_svc using mssql and xp_cmdshell
4. password spray to find credential reuse
5. writeowner abuse using impacket
6. ADCS-ESC4 using certipy

Initial Enumeration

Port scanning

As always I start off with a port scan. first a full port scan followed by a detailed targetted port scan.

Note: As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

Summary

1. AD Enumeration using netexec and bloodhound
2. abuse WriteOwner permissions to become member of Management Group
3. ShadowCredential attack to get hash for management_svc
4. Lateral Movement to CA_Operator by changing password
5. ADCS-ESC9 to become Administrator

Initial Enumeration

As usual I start with a simple full port scan followed by a more detailed targetted port scan