Escape

HTB Box - Escape (Windows) Writeup

Escape is a Windows Machine. I utilise techniques such as MSSQL Relay Attack, plain-text credential search, misconfigured Active Directory Certificate Services exploit and pass-the-hash attack to gain root to this system. Initial Foothold The standard nmap scan reveals that this is another Domain Controller of an Active Directory. My methodology leads me to check the SMB network share. I quickly found that there is a folder named Public that contains a manual for the MSSQL server on the machine. ...

May 3, 2024 · 3 min · 498 words
Forest

HTB Box - Forest (Windows) Writeup

In this machine, I had to perform ASREPRoast, abuse WriteDACL privileges and finally gain root with the DCSync technique. Initial Foothold The nmap scan revealed a very standard Active Directory Domain Controller setup. Using the intuition I gained from previous machines, I started by drilling into SMB and LDAP. nmap 10.129.95.210 -sC -sV Both protocols returned some information about the AD but could not be exploited further. I extracted the user list from crackmapexec and used the sed command to keep only the usernames in a txt file for ease of use. ...

April 26, 2024 · 3 min · 550 words
Support

HTB Box - Support (Windows) Writeup

This box was pretty rough for me. Enjoy the ride! Initial Foothold As usual, I started my recon with the usual nmap scan. The scan mistakenly states that the host is down. I added a -Pn flag following the nmap suggestion - the flag is an option that tells nmap to skip the host discovery stage and scan as if the target IP is online. The starting Nmap scan clearly shows from the available services that the target this time is a Windows Active Directory box. ...

March 22, 2024 · 4 min · 726 words
Active

HTB Box - Active (Windows) Writeup

Windows, and especially Active Directory (AD), is a big part of OSCP and no practice will be too much practice. Initial Foothold The target is a Windows Machine. I quickly did a Nmap scan to understand what services are available. nmap -sC -sV <ip-address> -oA active The open 3268 port and LDAP service suggest that I am dealing with an AD Domain Controller. Without any clue about credentials and users, I started by attempting an anonymous SMB login using enum4linux. ...

March 15, 2024 · 2 min · 376 words