VeraCrypt

This a Medium Active Directory Box. A public SMB share contains a base64 encoded PDF that contains a password for domain users. A password spraying attack reveals a user using that pasword. This user has access to another SMB share that contains an encrypted VeraCrypt volume. Its password can be bruteforced and the mounted volume contains a backup archive for a Linux filesystem. Inside a configuration file there is a password for another domain user. This user can change the password of wsilva, which has AddAllowedToAct over the Domain Controller. Although new machine accounts can’t be added, Resource-Based Contrained Delegation is still possible even without an SPN account. This is exploited and full Domain control is achieved. ...