Salaheldin

March 14, 2019

AD Privilege Discovery

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

๐Ÿ“ SANS Slingshot Linux image.


solution-icon.png

1- Watch Bloodhound Demo : https://youtu.be/gOpsLiJFI1o

2- Download SANS Slingshot Linux image then start the image using VirtualBox or any similar software :
https://download.holidayhackchallenge.com/HHC2018-DomainHack_2018-12-19.ova

3- Run Bloodhound tool from desktop shortcut :

10-img-1.jpg

4- We are looking for a reliable path from a Kerberoastable user to the Domain Admins group with avoiding RDP as a control path:

  • Select Queries from search panel on the left
10-img-2.jpg

  • Scroll down until you find Shortest Paths to Domain Admins from Kerberoastable Users then click on it
10-img-3.jpg

10-img-4.jpg

  • To remove users with RDP as a control path ,Click on filter then unselect canRDP
10-img-5.jpg

10-img-6.jpg


๐Ÿ“Ÿ Go to your Badge > Objectives > Enter [email protected]