Try Hack Me: Enterprise
Today we will be looking at the Enterprise machine on Try Hack Me which can be found here:
Starting off with a RustScan, we see the following ports:
We can see that this is a domain controller. Trying some easy wins before moving on to other ports, we will look at SMB:
Looks like we have a bitbucket user, so we should look at GitHub and see if there is anything there. First we need the domain name:
Now that we have some credentials, let's look for other users on the machine with lookupsid:
Now let's clean this up:
Now let's also try to request a ticket, since we know we have the bitbucket user, which may be a service account:
Cracking this ticket, we get the following:
Now let's try to log in with Remmina:
Now let's use PowerUp.ps1 to see if there is a quick win we can use to escalate our privileges:
We have an unquoted service path, so let's exploit that and restart the zerotieroneservice:
And we get a callback:
That was one of the easier rooms if you have done AD hacking before. Hopefully you were still able to learn something from it.
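An added example, not part of the original write-up: a defender-side audit for the unquoted service path finding above, run over constructed ImagePath values (all service names and paths here are hypothetical). It reports the locations Windows tries before the intended binary, the directories whose write permissions need checking, and the quoted value that fixes the entry.

```python
import ntpath
import re

# Constructed sample data: service name -> ImagePath value as stored in the
# service's registry key. All names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent Service\agent.exe -run",
    "QuotedAgent": r'"C:\Program Files\Example Vendor\Agent Service\agent.exe" -run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverStyle": r"\SystemRoot\System32\drivers\example.sys",
}

EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath, else None."""
    value = image_path.strip()
    if value.startswith('"'):
        return None  # already quoted: no ambiguity for the loader
    match = EXE_RE.match(value)
    if not match:
        return None  # not an .exe command line (for example a driver)
    return match.group(1), value[match.end():]


def candidate_paths(executable):
    """Paths tried, in order, before the intended executable is reached."""
    parts = executable.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(services):
    """Map each vulnerable service to its candidates, ACL targets and fix."""
    findings = {}
    for name, image_path in services.items():
        parsed = split_image_path(image_path)
        if parsed is None or " " not in parsed[0]:
            continue
        executable, arguments = parsed
        candidates = candidate_paths(executable)
        findings[name] = {
            "candidates": candidates,
            "check_acl_on": sorted({ntpath.dirname(c) for c in candidates}),
            "fixed_image_path": f'"{executable}"{arguments}',
        }
    return findings


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_SERVICES).items():
        print(service, finding)
```

A finding only matters when a non-administrative user can write to one of the `check_acl_on` directories; quoting the ImagePath removes the ambiguity regardless.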