Active Directory Trust Attacks Skill Assessment

Hello, I managed to get access to inlanefreight.ad domain and get the first flag. I am kind of stuck here.

Am I supposed to get DA on inlanefreight.ad to continue? Can anyone give me a hint :smiley:

Hey, I feel completely stuck.

Can’t even start the first question. I got a password from an XML file but it doesn’t seem to work anywhere.

Any help would be appreciated.

Ty Vx

Finally cracked it.

If anyone needs help, feel free to DM me.

Enjoy
Vx

In the same boat.

Could add a user to a group in apexcargo.ad, but can’t exploit it since it’s cross-forest.

Can’t think of anything. If someone could give a hand.

Hello,

I request some help also here :slight_smile:
I got the first flag.
Got access to the root domain and I’m able to browse apexcargo.ad.
I have a good BloodHound for both forests.
But cannot find a path to the second flag.

No asreproasting account
No kerberoasting account
Not even a group, computer or user has a sidhistory in Child, inlanefreight and apexcargo.
No additional computer in apexcargo to do the sid filter bypass with CVE-2020-0665
No foreign security principals group members in those 3 domains.
No printerbug, spoolsample doesn’t give a hash
No DACL including SID from foreign domain
I even tried to crack administrator password or brute-force T*m, no luck

I see a user T*m with a WriteDACL on a group that can DCSync … but unable to get a path to him.
Thank you for any help

Golden Ticket with SID History Injection

Many thanks, I finally succeeded with this lead.
I learnt a lot of things with this skills assessment.

I tried the SID History injection but it fails.
I got the krbtgt hash + a group from ape*c**go.ad using mimikatz.

Hello,

Anyone who would help with the first flag? Seems like I can’t find a way to Admin on child DC :slight_smile:

Look at groups

Vx

Hi All,

I was just wondering if anyone could help with the second flag, I have attempted the SID injection like suggested but I can’t seem to get it to work.

Thanks!

Ope, never mind, I got it…