Note: As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09

Summary

1. AD Enumeration using netexec and bloodhound
2. abuse WriteOwner permissions to become member of Management Group
3. ShadowCredential attack to get hash for management_svc
4. Lateral Movement to CA_Operator by changing password
5. ADCS-ESC9 to become Administrator

Initial Enumeration

As usual I start with a simple full port scan followed by a more detailed targetted port scan