Objective:

• IP Address 172.25.90.35 (Domain Controller)
• IP Address 172.25.90.36 (Domain Client) —This is the initial target
• The domain is ace.icsi

Objectives:

• Gain Initial Access
• Identify ACL misconfigurations that allow us to move laterally from one user to the next.
• Obtain control of the ‘Domain Admins’ group
• The flag is in the Administrators desktop on the Domain Controller.

Important Notes:

• After working through this challenge, let Mr. Beck know so he can revert the machines to their original state.
• Only one student should work through this one at a time. Once you are logged in as the initial user, check to see if anyone else is logged in with this PowerShell/CMD command

qwinsta

Initial Access

• After initial nmap scans of both the client and domain controller, you’ll turn up a list of usernames on the webpage hosted at 172.25.90.35
  • Add this list to a text called users.txt

On Kali, clone the impacket tool suite and navigate to the examples folder that contains the file GetNPUsers.py

• Create a text file in this directory called users.txt and paste in the found users list

We’ll do a sweep for users who do not have ‘Pre-Authentication’ required within their account properties.