Active
Enumeration
First of all, we can start by running an nmap scan:
The nmap scan doesn’t give many clues about what to do next, but there is an SMB share. Let’s have a look:
As we can see, we have access to a Replication share. Let’s get its content:
As we can see, we have three folders. There is nothing interesting in DfsrPrivate and in scripts, but we can find a Group.xml file in the Policies folder.
We can download it locally:
We now have a username and a ciphered password. This is a Group Policy Preferences (GPP) password, and there is a command that can recover its clear-text value:
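From the defender's side, the problem here is that the credential ever landed in a policy file readable by every domain user. An added example (not part of the original writeup) of how a domain admin can audit a SYSVOL copy for GPP files that still carry a `cpassword` attribute, the attribute that MS14-025 stopped Windows from writing but did not remove from existing policies. The file names in `GPP_FILES`, the directory layout and the sample XML are assumptions; the XML below is constructed and its `cpassword` value is a placeholder, not a real ciphered password.

```python
"""Audit Group Policy Preferences XML files for stored cpassword credentials.

Added example, not code from the original writeup.  It only reports the
presence of a cpassword attribute; it does not decrypt anything.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can carry a cpassword attribute (assumed list).
GPP_FILES = {
    "Groups.xml", "Services.xml", "ScheduledTasks.xml",
    "DataSources.xml", "Printers.xml", "Drives.xml",
}

# Attributes that name the account the stored password belongs to,
# depending on the preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "cpassword_owner")


def find_cpasswords(xml_text: str, source: str) -> list[dict]:
    """Return one finding per element that has a non-empty cpassword attribute."""
    findings: list[dict] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A file we cannot parse still deserves a manual look.
        return [{"source": source, "element": None, "account": "", "error": str(exc)}]
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "cpassword_length": len(cpw),   # never log the value itself
        })
    return findings


def scan_sysvol(root_dir: Path) -> list[dict]:
    """Walk a SYSVOL (or Replication share) copy and audit every GPP file in it."""
    findings: list[dict] = []
    for path in root_dir.rglob("*.xml"):
        if path.name in GPP_FILES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(find_cpasswords(text, str(path)))
    return findings


# Constructed sample mirroring the Groups.xml layout; GUIDs and the
# cpassword value are placeholders, not values from any real domain.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="SVC_TGS" image="2"
        changed="2000-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="EXAMPLE.LOCAL\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed sample of a policy that was cleaned up: no cpassword attribute.
SAMPLE_CLEAN_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="SVC_TGS" image="2">
    <Properties action="U" userName="EXAMPLE.LOCAL\SVC_TGS" acctDisabled="0"/>
  </User>
</Groups>
"""


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "sample/Groups.xml"):
        print(f"[!] {f['source']}: <{f['element']}> stores a cpassword for {f['account']!r}")
    print("clean sample findings:", find_cpasswords(SAMPLE_CLEAN_XML, "sample/clean.xml"))
```

Run `scan_sysvol(Path(r"\\dc01\SYSVOL\example.local\Policies"))` (an assumed UNC path) from a domain-joined admin host; any finding means the policy should be deleted and the account's password rotated, since the value has been recoverable by any authenticated user since the policy was written.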
User.txt
Now that we have a user, we can try accessing other shares:
As we can see, we have now access to the Users share. Let’s have a look:
It looks like a classic Windows Users folder. We can try going into the SVC_TGS desktop folder:
Here we get the user flag:
Privilege Escalation
We can now use the GetUserSPNs.py script (from Impacket) to see if we can get any user information:
As we can see, the Administrator user shows up, so we can try recovering its Kerberos TGS ticket:
We can now try to crack it using Hashcat:
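The two steps above are a Kerberoast: any domain user can request a service ticket for an account with an SPN, and the ticket is encrypted under that account's password hash, so a weak password falls to Hashcat offline. On the domain controller this leaves a trail in Security event 4769 (a TGS was requested), and the tell-tale is a ticket for a user account (not a computer account ending in `$`, and not `krbtgt`) issued with `TicketEncryptionType` 0x17 (RC4-HMAC) rather than AES. An added example (not from the original writeup) of detection logic over such events; the flattened `key=value` line format, the event records and the burst threshold are constructed and assumed, while the field names follow the 4769 schema.

```python
"""Flag likely Kerberoasting in Windows Security event 4769 records.

Added example, not code from the original writeup.  Input lines are a
constructed flattened form of 4769 fields: time, TargetUserName (the
requesting user), ServiceName (the SPN's account), TicketEncryptionType,
IpAddress and Status.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # TicketEncryptionType value for RC4-HMAC
BURST_THRESHOLD = 3          # distinct SPN accounts via RC4 from one requester in WINDOW (assumed)
WINDOW = timedelta(minutes=5)


def parse_event(line: str) -> dict:
    """Turn one constructed 'key=value ...' line into a dict with a parsed timestamp."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def is_roastable_request(ev: dict) -> bool:
    """A successful RC4 service ticket for a user-owned SPN is what a Kerberoaster asks for."""
    svc = ev["ServiceName"]
    return (
        ev["TicketEncryptionType"].lower() == RC4_HMAC
        and ev.get("Status", "0x0") == "0x0"   # only issued tickets can be cracked
        and not svc.endswith("$")             # computer accounts have random 120-char passwords
        and svc.lower() != "krbtgt"           # TGT requests are normal traffic
    )


def detect_kerberoast(lines: list[str]) -> list[dict]:
    """Return per-event RC4 alerts plus one burst alert per requester that sprays many SPNs."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    alerts: list[dict] = []
    per_requester: dict[tuple, list[dict]] = defaultdict(list)

    for ev in events:
        if not is_roastable_request(ev):
            continue
        alerts.append({
            "rule": "rc4_service_ticket", "requester": ev["TargetUserName"],
            "ip": ev["IpAddress"], "spn_account": ev["ServiceName"], "time": ev["time"],
        })
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    for (user, ip), evs in per_requester.items():
        # Sliding window over this requester's time-ordered RC4 requests.
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            distinct = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(distinct) >= BURST_THRESHOLD:
                alerts.append({
                    "rule": "kerberoast_burst", "requester": user, "ip": ip,
                    "spn_count": len(distinct), "time": evs[end]["time"],
                })
                break  # one burst alert per requester is enough
    return alerts


# Constructed sample events: a normal AES request, a single RC4 request for the
# Administrator SPN, a three-SPN spray by one user, and an RC4 TGT request.
SAMPLE_4769 = [
    "time=2024-01-01T09:00:00 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.21 Status=0x0",
    "time=2024-01-01T09:00:05 TargetUserName=SVC_TGS@EXAMPLE.LOCAL ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.50 Status=0x0",
    "time=2024-01-01T09:01:00 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.60 Status=0x0",
    "time=2024-01-01T09:01:02 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.60 Status=0x0",
    "time=2024-01-01T09:01:03 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.60 Status=0x0",
    "time=2024-01-01T09:02:00 TargetUserName=carol@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.70 Status=0x0",
]

if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_4769):
        print(a["rule"], a["requester"], a.get("spn_account") or f"{a['spn_count']} SPNs")
```

The single RC4 request from SVC_TGS for the Administrator SPN is exactly the shape of this box's privilege escalation, and it is why the mitigation matters more than the detection: an SPN on a privileged user account, `msDS-SupportedEncryptionTypes` left at RC4, and a crackable password. Moving SPNs to group managed service accounts (or at least to AES-only accounts with long random passwords) makes the Hashcat step fail even when the request is never noticed.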
Root.txt
Now that we have the Administrator credentials, we can connect to the SMB server with them to get the files located in the Users share.
Now we can go to the Administrator’s desktop and… voilà. The root.txt file is just waiting for us to download it: