Phantom - HackTheBox

This is a Medium Active Directory box. A public SMB share contains a base64-encoded PDF that holds a password for domain users. A password spraying attack reveals which user still uses that password. This user has access to another SMB share that contains an encrypted VeraCrypt volume. Its password can be brute-forced, and the mounted volume contains a backup archive of a Linux filesystem. Inside a configuration file there is a password for another domain user. This user can change the password of wsilva, who has AddAllowedToAct over the Domain Controller. Although new machine accounts can't be added, Resource-Based Constrained Delegation is still possible without an SPN account. This is exploited and full domain control is achieved. ...

October 14, 2025

Shibuya - HackTheBox

This is a Hard Active Directory box. Kerbrute reveals a user with weak credentials who is able to enumerate more users. One of those users has his password in the Description field and has access to an SMB share. It contains .wim files from which SAM files are extracted. Dumping the SAM gives a foothold as Simon.Watson, who can exploit an active RDP session of Nigel.Mills to get his NTLM hash. Nigel.Mills has ADCS privileges and can exploit ESC1, gaining access as Domain Administrator. ...

September 28, 2025

BabyTwo - HackTheBox

This is a Medium Active Directory box where the disclosure of usernames in an open SMB share, together with a weak password, leads to domain access. From there, a login script is modified to execute malicious code as another user. That user has permissive DACL rights and can create a scheduled task on a GPO that runs as NT AUTHORITY\SYSTEM. ...

September 25, 2025

Sendai - HackTheBox

This is a Medium Active Directory box, where the use of weak credentials leads to the compromise of a user. From there it is possible to obtain the NTLM hash of a service account. Then there are two paths to full system compromise: forging a Silver Ticket for MSSQL with credentials found in a config file and then abusing SeImpersonatePrivilege; or obtaining credentials for a user who can abuse ADCS ESC4. ...

September 23, 2025

Fluffy - HackTheBox

This is an Easy Active Directory box, where CVE-2025-24071 is exploited, giving access to another account. ADCS ESC16 is then exploited, allowing for domain compromise.

Recon

The nmap scan shows several open ports, all of them related to Windows AD.

$ sudo nmap -sS 10.10.11.69 -o allPorts
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-28 16:36 WEST
Nmap scan report for 10.10.11.69
Host is up (0.039s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

The service scan gives us the domain name and the hostname of the Domain Controller (DC01). ...

September 16, 2025
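The Fluffy recon above identifies a Domain Controller from the port set alone. The following script is an added example (not part of the original write-up) that parses nmap normal (-oN style) output and flags hosts that expose the Kerberos, LDAP, kpasswd and Global Catalog ports together, which only a writable Domain Controller does. The nmap text embedded below is the scan from the Fluffy entry, reproduced as constructed sample input; the function names and the DC_INDICATORS port set are this example's own choices.

```python
import re

# Constructed sample: the nmap output from the Fluffy scan above.
SAMPLE_NMAP = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-28 16:36 WEST
Nmap scan report for 10.10.11.69
Host is up (0.039s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (.+)$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Ports that, when all open together, indicate a Domain Controller:
# Kerberos KDC, LDAP, the Kerberos password-change service and the
# Global Catalog, which is only served by DCs. (Example's own choice.)
DC_INDICATORS = {88: "kerberos", 389: "ldap", 464: "kpasswd", 3268: "global-catalog"}
WINRM_PORTS = {5985, 5986}


def parse_nmap(text):
    """Return {host: {(port, proto): (state, service)}} from -oN style output.

    Only the per-port table lines are parsed; banner and summary lines are ignored.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(1).strip()
            hosts[current] = {}
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current][(int(port), proto)] = (state, service)
    return hosts


def classify_host(ports):
    """Summarise the AD-relevant exposure of one host from its parsed port table."""
    open_tcp = {
        port for (port, proto), (state, _svc) in ports.items()
        if proto == "tcp" and state == "open"
    }
    hits = {p: name for p, name in DC_INDICATORS.items() if p in open_tcp}
    return {
        "likely_dc": set(DC_INDICATORS) <= open_tcp,  # all indicators present
        "dc_indicators": hits,
        "smb": 445 in open_tcp,                        # share enumeration / relay target
        "ldaps": 636 in open_tcp,                      # LDAP over TLS available
        "winrm": bool(open_tcp & WINRM_PORTS),         # evil-winrm style remote shell
    }


def triage(text):
    """Parse a whole nmap run and classify every host in it."""
    return {host: classify_host(ports) for host, ports in parse_nmap(text).items()}


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_NMAP).items():
        print(host, summary)
```

Run against the sample, the single host comes back with likely_dc set and WinRM exposed, which is exactly the combination that makes the later credential-based steps (LDAP enumeration, certificate requests, a WinRM shell) possible. Feed it the output of your own scan with `python3 triage.py < allPorts` after swapping the sample string for `sys.stdin.read()`.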