SMB

This a Medium Active Directory Box. A public SMB share contains a base64 encoded PDF that contains a password for domain users. A password spraying attack reveals a user using that pasword. This user has access to another SMB share that contains an encrypted VeraCrypt volume. Its password can be bruteforced and the mounted volume contains a backup archive for a Linux filesystem. Inside a configuration file there is a password for another domain user. This user can change the password of wsilva, which has AddAllowedToAct over the Domain Controller. Although new machine accounts can’t be added, Resource-Based Contrained Delegation is still possible even without an SPN account. This is exploited and full Domain control is achieved. ...

This is a Hard Active Directory Box. Kerbrute reaveals a user that has weak credentials and is able to enumerate more users. One of those users has his password on the Description field and hash access to an SMB Share. It contains .wim files that are extracted into SAM files. Dumping the SAM gives a foothold as Simon.Watson, that can exploit an active RDP session of Nigel.Mills to get his NTLM hash. Nigel.Mills has ADCS privileges and can exploit ESC1, gaining access as Domain Administrator. ...

This is a Medium Active Directory box where the disclosure of usernames in an open SMB share together with a weak password leads to domain access. From there, a login script is changed to execute malicious code ias another user. That user has permissive DACL rights and can create a scheduled task on a GPO that runs as NT Authority \System. ...