Hokkaido 🔸
Enumeration


Use kerbrute to enumerate valid domain users.

Check the credentials info/info.

We find a password inside SYSVOL.

Spraying it, we find:

discovery:Start123!

Connect to the database.

List the available impersonations and activate one to read the database.

So we have hrapp-service:Untimed$Runny

Using bloodhound-python, we can now map the AD.

hrapp-service has GenericWrite over hazel.green, so we can run a targeted Kerberoast against hazel.green as hrapp-service.
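On the defensive side, a targeted Kerberoast through GenericWrite leaves a recognisable sequence in the DC Security log: a servicePrincipalName write on a user object, followed shortly by a service ticket request for that same user. The detection logic below is an added example, not part of the original writeup; the flat event field names, the timestamps and the svc-web account are constructed, and it assumes Directory Service Changes auditing (event 5136) and Kerberos service ticket auditing (event 4769) are enabled.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment
RC4_HMAC = "0x17"               # 4769 TicketEncryptionType value for RC4-HMAC

# Constructed sample events; the flat field names are a hypothetical normalisation
# of Windows Security events 5136 (directory object modified) and 4769 (TGS request).
EVENTS = [
    {"id": 5136, "time": "2024-01-01T10:00:05", "actor": "hrapp-service",
     "target": "hazel.green", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "add"},
    {"id": 4769, "time": "2024-01-01T10:00:07", "requester": "hrapp-service",
     "service": "hazel.green", "etype": "0x17"},
    {"id": 5136, "time": "2024-01-01T10:00:09", "actor": "hrapp-service",
     "target": "hazel.green", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "delete"},
    # Benign: AES ticket for a service account whose SPN was not just written.
    {"id": 4769, "time": "2024-01-01T10:05:00", "requester": "molly.smith",
     "service": "svc-web", "etype": "0x12"},
]

def is_user_spn_change(ev):
    return (ev["id"] == 5136 and ev["object_class"] == "user"
            and ev["attribute"].lower() == "serviceprincipalname")

def find_targeted_kerberoast(events, window=WINDOW):
    """Flag a ticket request for a user whose SPN was written shortly before."""
    recent_adds = {}  # account -> (time of SPN add, account that wrote it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if is_user_spn_change(ev):
            account = ev["target"].lower()
            if ev["op"] == "add":
                recent_adds[account] = (when, ev["actor"].lower())
            else:  # SPN removed again soon after the ticket: cleanup pattern
                for a in alerts:
                    if a["target"] == account and when - a["ticket_time"] <= window:
                        a["spn_removed"] = True
        elif ev["id"] == 4769:
            added = recent_adds.get(ev["service"].lower())
            if added and timedelta(0) <= when - added[0] <= window:
                alerts.append({
                    "target": ev["service"].lower(), "spn_writer": added[1],
                    "requester": ev["requester"].lower(), "ticket_time": when,
                    "same_actor": added[1] == ev["requester"].lower(),
                    "rc4": ev["etype"].lower() == RC4_HMAC, "spn_removed": False,
                })
    return alerts
```

An alert with `same_actor`, `rc4` and `spn_removed` all set is the strongest signal; removing GenericWrite from service accounts over user objects closes the path itself.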

Cracking the hash with hashcat:

So hazel.green:haze1988

We can see that hazel.green belongs to tier2-admins, and this group has ForceChangePassword over molly smith, who can RDP to the DC machine.

Initial Access
RDP to the machine as molly.

Get the flag.

Privilege Escalation
Open PowerShell as administrator.

We are a member of Backup Operators, so we can get the SAM and SYSTEM hives (as we are on a DC, SAM could contain the domain admin hash mirrored from ntds.dit).

Post Exploitation
Get the flag.
