Read my writeup to Search machine on
slide_5.jpg with the password of the user
Hope.Sharp, Using that we found SPN of
web_svc user, The cracked password of
web_svc is the same password of
Edgar.Jacobs user, By enumerating on
Edgar.Jacobs we found Excel called
Phishing_Attempt.xlsx with protected sheet, Removing the protected sheet and we get the password of
Sierra.Frye and we get the user flag.
Root: We have two methods, Method 1: Running python bloodhound, found
ReadGMSAPassword permission to
BIR-ADFS-GMSA user with
Generic All permission to user
Tristan.Davies which is member of Domain Admins, Using
Generic All permission we reset the password of
Tristan.Davies user and we get the root flag.