Hokkaido 🔸
Enumeration
Use kerbrute to discover users
Checking info/info
We find a password inside SYSVOL
Spraying it, we find:
discovery:Start123!
Connect to the database
Show impersonations and activate it to see the database
So we have hrapp-service:Untimed$Runny
Using BloodHound Python, we can now see the AD
This user has GenericWrite over hazel.green, so we can execute a targeted Kerberoast from hrapp-service
Crack the hash using hashcat
So hazel.green:haze1988
We can see that hazel belongs to tier2-admins, and this group has ForceChangePassword over molly smith, who can RDP to the DC machine.
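Added detection example, not part of the original walkthrough: the targeted Kerberoast above leaves a recognizable pair of events on the DC, a servicePrincipalName write on a user object (event 5136) followed shortly by an RC4 service-ticket request for that account (event 4769). The sketch below correlates the two; the normalized dict schema, the 10-minute window, the timestamps, the IPs and the svc-web, admin.placeholder and some.user accounts are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
RC4 = "0x17"                     # RC4-HMAC ticket encryption type in event 4769

# Constructed sample events, already normalized to dicts (assumed schema).
EVENTS = [
    {"time": "2024-01-01T10:00:05", "id": 5136, "actor": "hrapp-service",
     "object": "hazel.green", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "add"},
    {"time": "2024-01-01T10:00:09", "id": 4769, "actor": "hrapp-service",
     "service": "hazel.green", "etype": "0x17", "src": "192.0.2.10"},
    {"time": "2024-01-01T10:00:12", "id": 5136, "actor": "hrapp-service",
     "object": "hazel.green", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "delete"},
    # Benign: admin registers an SPN on a service account, AES ticket hours later.
    {"time": "2024-01-01T11:00:00", "id": 5136, "actor": "admin.placeholder",
     "object": "svc-web", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "add"},
    {"time": "2024-01-01T13:00:00", "id": 4769, "actor": "some.user",
     "service": "svc-web", "etype": "0x12", "src": "192.0.2.20"},
]

def find_targeted_kerberoast(events, window=WINDOW):
    """Flag SPN additions on user objects followed by an RC4 ticket request for that account."""
    spn_writes = {}   # account name -> list of (write time, writer)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 5136 and ev["attribute"] == "servicePrincipalName"
                and ev["object_class"] == "user" and ev["op"] == "add"):
            spn_writes.setdefault(ev["object"].lower(), []).append((t, ev["actor"]))
        elif ev["id"] == 4769 and ev["etype"].lower() == RC4:
            for wt, writer in spn_writes.get(ev["service"].lower(), []):
                if timedelta(0) <= t - wt <= window:
                    alerts.append({"account": ev["service"], "spn_writer": writer,
                                   "requester": ev["actor"], "src": ev["src"],
                                   "same_principal": writer == ev["actor"],
                                   "delay_s": (t - wt).total_seconds()})
    return alerts

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(EVENTS):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing and a matching SACL are enabled, so verify that before relying on this correlation.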
Initial Access
RDP to the machine as molly
Get the flag
Privilege Escalation
Open PowerShell as administrator
We are a Backup Operator, so get SAM and SYSTEM (as we are on a DC, the SAM could contain the domain admin hash mirrored from ntds.dit)
Post Exploitation
Get the flag