Objective:

• IP Address 172.25.90.83 (Domain Controller)
• IP Address 172.25.90.84 (Domain Client) —This is the initial target
• The domain is vuln.icsi

Objectives:

• Escalate to the local administrator on the domain client.
• Escalate to Domain Admin next.
• The Flag is on the Administrator user’s desktop on the DC

Initial Credentials

• Although I could make you enumerate to find the initial credentials for this box, this lesson/challenge is about privilege escalation. No enumeration is necessary!
• Initial Credentials
  • User: vuln.icsi/mary
  • Password: Student123!

Bloodhound Scan

You’ll have to Google for ‘set up bloodhound Kali Linux.’ There are a few steps that have to be taken. (Very easily referenced!)

Once initial access is gained to an Active Directory network, Bloodhound is usually run early as it gives solid output. Everything Bloodhound tells us can also be obtained via PowerShell manually, but Bloodhound does a great job of performing basic enumeration and presenting the data visually.

There are several ways to run a bloodhound scan.

• SharpCollector.exe (Directly on Windows)
• bloodhound-python on Kali
  • Note: Running SharpCollector.exe on the target Windows VM will work, but there can be compatibility issues with the Bloodhound interface on Kali.
  • For this reason, I’ll run bloodhound-python on Kali and point it at the domain client using Mary’s credentials.

bloodhound-python -c all -u 'mary' -p 'Student123!' -ns 172.25.90.83 -d vuln.icsi --zip

• Once the Bloodhound client is running on Kali, click the ‘upload’ icon and select the .zip file created in the last step.