HackTheBox - Cascade
Cascade was a cool 30 point box created by VbScrub. It started out with some LDAP enumeration that allowed you to find a Base64 encoded password which you then use to log into SMB, after that you discover a VNC encrypted password which you can crack using an interactive ruby shell and then use to login via WinRM to get user. After that you have to decrypt a password from an audit database file utilising some C#, you then login and discover you have the AD Recycle Bin group privileges allowing you to recover a temporary administrator password. You then login as admin and get root.
Sauna was a fun 20 point box created by egotisticalSW. It started out with some username enumeration which allows you to AS-REP roast and dump a hash, you then crack it and login via WinRM to get user. You then stumble across some autologon credentials which have DCSync privileges which then allows you to use secretsdump.py, login with the admin hash, and get root.
Collection of random snippets including my .vimrc and commands for file/string manipulation in Vim.
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.