Skip to content

Nagoya 🔺

Enumeration

Web server has a landing page

The Team tab shows all the users

We can make a list and use kerbrute to check if there are valid users

Now make a wordlist, using 2023 as the web and the image metadata is from 2023 and use seasons like Summer.

We have Fiona.Clark:Summer2023 and Craig.Carr:Spring2023

SVC_HELPDESK is kerberoastable, having that account we can compromise christopher.lewis, then connect to the machine and then dcsync the domain.

We can't crack svc_helpdesk password but either fiona or craig have genericall over the account so

Now to christopher.lewis who can ps remote

Initial Access

Get the flag

Privilege Escalation

MSSql service is running locally so we transfer chisel and make a port forward

Now we forge a kerberos silver ticket and connect to that port

Transfer printspoofer and escalate privileges

Post Exploitation

Get the flag