Phantom - HackTheBox

This is a Medium Active Directory Box. A public SMB share contains a base64 encoded PDF that contains a password for domain users. A password spraying attack reveals a user using that password. This user has access to another SMB share that contains an encrypted VeraCrypt volume. Its password can be bruteforced and the mounted volume contains a backup archive for a Linux filesystem. Inside a configuration file there is a password for another domain user. This user can change the password of wsilva, which has AddAllowedToAct over the Domain Controller. Although new machine accounts can’t be added, Resource-Based Constrained Delegation is still possible even without an SPN account. This is exploited and full Domain control is achieved. ...

October 14, 2025

Bucket - HackTheBox

This is a Medium Linux Box. It revolves around AWS and an S3 instance. The HTML source code of the main site reveals an S3 instance subdomain. It allows for unauthenticated file upload, so it’s possible to get code execution via PHP. With a foothold, there is a config file that references DynamoDB. This database contains credentials for another user on the box. That user has Read access to the source code of a web app running as root. The web app consults the DynamoDB to generate a PDF, and it’s possible to create an entry in a table to read arbitrary files into the generated PDF. That is used to read root’s SSH key and login to the machine. ...

October 1, 2025

Shibuya - HackTheBox

This is a Hard Active Directory Box. Kerbrute reveals a user that has weak credentials and is able to enumerate more users. One of those users has his password in the Description field and has access to an SMB Share. It contains .wim files that are extracted into SAM files. Dumping the SAM gives a foothold as Simon.Watson, who can exploit an active RDP session of Nigel.Mills to get his NTLM hash. Nigel.Mills has ADCS privileges and can exploit ESC1, gaining access as Domain Administrator. ...

September 28, 2025

Build - HackTheBox

This is a Medium Linux box that hosts an rsync directory containing credentials for a Gitea instance. It is possible to change a file that is part of the Jenkins pipeline and will execute code of our choice. With code execution inside a Docker container, a file informs that users from a certain hostname can login to the box through rlogin. A database instance is accessible that contains a database related to a DNS server, which can be altered to associate the attacker’s IP to the allowed hostname, giving access to the main machine as root. ...

September 26, 2025

BabyTwo - HackTheBox

This is a Medium Active Directory box where the disclosure of usernames in an open SMB share together with a weak password leads to domain access. From there, a login script is changed to execute malicious code as another user. That user has permissive DACL rights and can create a scheduled task on a GPO that runs as NT Authority\System. ...

September 25, 2025

Sendai - HackTheBox

This is a Medium Active Directory box, where the usage of insecure credentials leads to the compromise of a user. From there it is possible to obtain the NTLM hash for a service account. Then there are two paths to full system compromise: creating a Silver Ticket to MSSQL using credentials in a config file and then abusing SeImpersonatePrivilege; or by getting credentials for a user that can abuse ADCS ESC4. ...

September 23, 2025

Fluffy - HackTheBox

This is an Easy Active Directory box, where CVE-2025-24071 is exploited giving access to another account. ADCS ESC16 will be exploited, allowing for domain compromise.

Recon

The nmap scan shows several ports open; these are related to Windows AD.

$ sudo nmap -sS 10.10.11.69 -o allPorts
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-28 16:36 WEST
Nmap scan report for 10.10.11.69
Host is up (0.039s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

The service scan gives us the domain name and the hostname of the Domain Controller (DC01). ...

September 16, 2025