Note: Machine Information As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Summary

1. found juicy file in SMB share
2. extracted passwords from unzipped xlsx file
3. reverse shell as sql_svc using mssql and xp_cmdshell
4. password spray to find credential reuse
5. writeowner abuse using impacket
6. ADCS-ESC4 using certipy

Initial Enumeration

Port scanning

As always I start off with a port scan. first a full port scan followed by a detailed targetted port scan.

Summary

1. use anonymous sessions to find txt in HR share
2. use RID-bruteforcing to find usernames
3. password spray password on found user to find valid credentials
4. read AD user info using rpcclient and find new password
5. winrm into the box with new credentials (user)
6. abuse SeBackupPrivilege to escalate to Administrator (root)

Initial Enumeration

As always I start with a port scan using nmap to find running services.

First I find all open ports using a simple port scan: