Shibuya - HackTheBox

This is a Hard Active Directory box. Kerbrute reveals a user with weak credentials who can enumerate more users. One of those users has his password in the Description field and has access to an SMB share. The share contains .wim files that are extracted into SAM files. Dumping the SAM gives a foothold as Simon.Watson, who can exploit an active RDP session of Nigel.Mills to get his NTLM hash. Nigel.Mills has ADCS privileges and can exploit ESC1, gaining access as Domain Administrator. ...

September 28, 2025

Fluffy - HackTheBox

This is an Easy Active Directory box, where CVE-2025-24071 is exploited, giving access to another account. ADCS ESC16 is then exploited, allowing for domain compromise.

Recon

The nmap scan shows several open ports, all related to Windows AD.

    $ sudo nmap -sS 10.10.11.69 -o allPorts
    [sudo] password for kali:
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-28 16:36 WEST
    Nmap scan report for 10.10.11.69
    Host is up (0.039s latency).
    Not shown: 989 filtered tcp ports (no-response)
    PORT     STATE SERVICE
    53/tcp   open  domain
    88/tcp   open  kerberos-sec
    139/tcp  open  netbios-ssn
    389/tcp  open  ldap
    445/tcp  open  microsoft-ds
    464/tcp  open  kpasswd5
    593/tcp  open  http-rpc-epmap
    636/tcp  open  ldapssl
    3268/tcp open  globalcatLDAP
    3269/tcp open  globalcatLDAPssl
    5985/tcp open  wsman
    Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

The service scan gives us the domain name and the hostname of the Domain Controller (DC01). ...

September 16, 2025