Access from Proving Grounds Practice is an intermediate rated Windows Active Directory (AD) machine, in which we first get a shell through a file upload vulnerability in a web application running in the context of a low privileged domain user svc_apache. Within that shell we perform a kerberoasting attack using Rubeus and obtain the credentials of the user svc_mssql. In order to get a shell as svc_mssql, we make use of a tool called RunasCs. Read more

Active from HackTheBox is an easy Windows box, in which we first find AD credentials in Group Policy Preferences and subsequently do a kerberoasting attack to get domain administrator. Port Scanning The open TCP ports indicate that we’re dealing with an AD domain controller running Windows Server 2008 R2: PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) | dns-nsid: |_ bind.version: Microsoft DNS 6. Read more