Skip to content

Nagoya 🔺

Enumeration

Web server has a landing page.

The Team tab shows all the users.

We can make a list and use kerbrute to check if there are valid users.

Now make a wordlist, using 2023 as the web and the image metadata is from 2023 and use seasons like Summer.

We have Fiona.Clark:Summer2023 and Craig.Carr:Spring2023.

SVC_HELPDESK is kerberoastable. Having that account, we can compromise christopher.lewis, then connect to the machine and then dcsync the domain.

We can't crack svc_helpdesk password, but either fiona or craig have GenericAll over the account, so...

Now to christopher.lewis who can psremote.

Initial Access

Get the flag.

Privilege Escalation

MSSQL service is running locally, so we transfer chisel and make a port forward.

Now we forge a Kerberos silver ticket and connect to that port.

Transfer printspoofer and escalate privileges.

Post Exploitation

Get the flag.