Note: Machine Information As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Summary

1. found juicy file in SMB share
2. extracted passwords from unzipped xlsx file
3. reverse shell as sql_svc using mssql and xp_cmdshell
4. password spray to find credential reuse
5. writeowner abuse using impacket
6. ADCS-ESC4 using certipy

Initial Enumeration

Port scanning

As always I start off with a port scan. first a full port scan followed by a detailed targetted port scan.