Basic AD attack for lateral… Enumerate AD Objects ACLs
anyone willing to drop a nudge or 2 for me? I’m not quite sure what to do with the JWT now that I’ve got it. I’m fumbling my way through but it’s starting to feel like I’m going down a rabbit hole…
Once downloaded, use a debugger (like dnSpy, ilSpy…)
To anyone asking about how to use JWT: if you reverse the dll, you will find where to use it.
This web app is confusing me. I’ve got in as Super Admin, seen the notice about interacting with the DB. Now what? I’ve install Burp’s Blazor Traffic Processor, but don’t seem to have got anything useful from scrolling through requests…
SQLI 
This machine milked me dry:(
So I’ve picked up on the “Check duplicate Category Names” endpoint seems to have a SELECT WHERE statement we can inject into. Appending abc' OR 1=1-- seems to prove this. Just unsure how to exploit this?
The characters that break the query have a nuance.
It’s an intermediate level SQLI in my opinion. I wouldn’t have came with it definitely.
Basically, you have to break que query, check if xp_cmdshell is enabled, declare a variable and pass the command to it, and call xp_cmdshell with it
1 Like
I just sat down to work on it, did basic enum, realized what I have to do for foothold, and I’m considering just throwing in the towel ■■■■
2 Likes
This box was definitely mislabeled. I really think Axlle shoulda been Medium and this one hard for sure.
1 Like
This should help for the SQLi
Check here the: [MSSQL Command execution]
1 Like
I fought a little bit with the VM, AvalonianILSPy and disk space.
Had to remove and reinstall dotnet.
It was a pain to get the DLL disassembler to work.
Rooted. This box was harder, than I hoped it would be, felt stupid all through the steps.
Had to restart the box a couple of times, the more time it works, the slower it becomes for some reason.
For the hints:
- Fuzzing and check everything you see
- A bit of reversing will be needed for all those dynamic links
- Token is your friend, use it in found at step 1 domain
- some injections for shell, check how to enable subsystem and run shell in one line
- some interesting privs via bloodhound will be shown, get the thing and you’ll get pass
- get a shell again, preferably fully interactive and search for some pathes that can be abused
- do you like katz?
2 Likes
Found Privesc easier than user, but then again, I’ve been through a couple of AD academy modules lately.
Some of the stuff in the box weren’t working or had to be pretty specific, which I think is why root blood took long time…
Fun box related to AD though.
Thanks @FroggieDrinks for the SQLI and @SpiritWolf for the parameter correction.
2 Likes
I was stucked 3 hours because I was unable to run SharpHound or AdPeas.ps1 because the machine was bugged. If this happens to you, just restart it 
1 Like
Finally! Felt nice to refresh AD stuff - really liked the box 
1 Like