Objective:
- IP Address 172.25.90.35 (Domain Controller)
- IP Address 172.25.90.36 (Domain Client). This is the initial target.
- The domain is ace.icsi
Objectives:
- Gain Initial Access
- Identify ACL misconfigurations that allow us to move laterally from one user to the next.
- Obtain control of the ‘Domain Admins’ group
- The flag is on the Administrator's desktop on the Domain Controller.
Important Notes:
- After working through this challenge, let Mr. Beck know so he can revert the machines to their original state.
- Only one student should work through this challenge at a time. Once you are logged in as the initial user, check whether anyone else is logged in with this PowerShell/CMD command:
qwinsta
Initial Access
- After initial nmap scans of both the client and the domain controller, you'll turn up a list of usernames on the webpage hosted at 172.25.90.35.
- Add this list to a text file called users.txt.

On Kali, clone the Impacket tool suite and navigate to the examples folder that contains the file GetNPUsers.py.
- Create a text file in this directory called users.txt and paste in the found users list.

Next, we'll sweep for users whose account properties do not require Kerberos 'Pre-Authentication'.
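From the administrator's side, the account property in question is the DONT_REQ_PREAUTH bit (0x400000) of the userAccountControl attribute. The following is an added example, not part of the original walkthrough, that audits an LDIF export for accounts with that bit set; the export and the account names in it are constructed sample data.

```python
UF_ACCOUNTDISABLE = 0x0002       # account is disabled
UF_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Constructed sample export (hypothetical accounts, not taken from the lab).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=ace,DC=icsi
sAMAccountName: alice.example
userAccountControl: 512

dn: CN=Bob Example,CN=Users,DC=ace,DC=icsi
sAMAccountName: bob.example
userAccountControl: 4260352

dn: CN=Old Service,CN=Users,DC=ace,DC=icsi
sAMAccountName: svc.old
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split an LDIF export into one dict per entry (plain single-line values only)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def preauth_findings(entries):
    """Return (account, enabled) for every entry with DONT_REQ_PREAUTH set."""
    findings = []
    for e in entries:
        raw = e.get("userAccountControl", "")
        if not raw.isdigit():    # entry has no usable userAccountControl value
            continue
        uac = int(raw)
        if uac & UF_DONT_REQ_PREAUTH:
            enabled = not (uac & UF_ACCOUNTDISABLE)
            findings.append((e.get("sAMAccountName", e.get("dn", "?")), enabled))
    # Enabled accounts first: those are the ones to remediate.
    return sorted(findings, key=lambda f: (not f[1], f[0]))

if __name__ == "__main__":
    for account, enabled in preauth_findings(parse_ldif(SAMPLE_LDIF)):
        print(f"{account:<16} {'ENABLED' if enabled else 'disabled'}")
```

Clearing the flag on each enabled account it reports removes that account from the sweep described above.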