HTB Forest Writeup

In this box, we use RPC and LDAP to collect valid AD usernames. This allows us to perform ASREPRoasting, which yields a TGS that can be cracked. With these credentials, we can WinRM into the machine. From the output of BloodHound, we learn that we can add ourselves to Exchange Windows Permissions, which has WriteDACL over the domain object. We grant ourselves full control over the domain and perform DCSync on the machine. This gives us an admin shell.

HTB Delivery Writeup

The OSTicket web application provides an email account in its domain when a support ticket is raised. We can use this email address to log into Mattermost. In Mattermost, we find exposed credentials, which can be used to SSH into the server. On the server, we can use credential hunting to get the password of root from the database, or brute force it with sucrack.

HTB Administrator Writeup

Using the provided credentials, we can log in via WinRM. Then, we collect information for BloodHound. With this information, we change the password of the Michael user, then the password of Benjamin. Benjamin is able to access the FTP service and retrieve a psafe3 file. After cracking the hash, we retrieve the credentials of Emily. Emily is able to perform targeted Kerberoasting on Ethan. As Ethan, we can perform DCSync and retrieve the Administrator hash. Finally, we pop a SYSTEM shell via psexec.

HTB Active Writeup

In this box, we take advantage of exposed GPP. With the creds, we perform Kerberoasting. We are able to crack the TGS we kerberoasted, which belongs to an administrator account. Using psexec, we can get a SYSTEM shell.