This flag involves two machines, found at the following IP addresses:
- 172.25.0.71: a domain client. You'll attack this machine first.
- 172.25.0.70: the Domain Controller.
Objective: Gain initial access to the domain client and escalate your privileges so that you can log into the Domain Controller. The flag is on one of the user Desktops on the Domain Controller, in a file called Flag.txt.
Important Note:
- You’ll be changing settings on these machines. If you add any files or change any settings on either machine, once you are finished let the instructor know.
- These machines should be reverted to their original state each time someone solves the challenge because you’ll be adding and changing content. Please let Mr. Beck know if you make any changes to these machines so this lab can be reset
You’ll need Kali Linux to solve this challenge:
In the immortal words of IPPSEC, ‘Let’s start with an NMAP!’
nmap -sC -sV 172.25.0.71

We can see that this computer is a member of the delegate.local domain with a hostname of CORP-SERVER1. We don’t see too much here that stands out as unusual:
- Port 3389 (Remote Desktop): we'll use this at the very end of the lab, once we've done our recon and figured out who has RDP access.
- Standard NetBIOS/SMB ports.
- WinRM on port 5985: this won't show up in a default nmap scan, because 5985 is outside nmap's default top-1000 port list, but it is active. Check it explicitly:
nmap 172.25.0.71 -p 5985
#Comment: This will show as open.
An early move a penetration tester takes against a machine like this is to scan for shared folders. We don't have any usernames or passwords, so checking whether any anonymous shares exist is a good call. Several tools can enumerate anonymous/unauthenticated shares; crackmapexec is always a good choice.
crackmapexec smb 172.25.0.71 -u '' -p '' --shares
- We pass an empty username and password here because we don't have any credentials yet. This is a null session; it is worth repeating the command with -u 'guest' -p '' as well, since a host that refuses null sessions may still list its shares to the guest account.
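The recon steps above (default nmap scan, explicit WinRM check, null-session and guest share enumeration) wrapped in a small bash script, as an added example; this is not code from the original lab page. recon_target assumes nmap and crackmapexec are on the Kali PATH and is only run when you pass a target on the command line. readable_shares parses crackmapexec's --shares table and works offline on saved output, so it can be tried against the constructed sample at the bottom of the script: the banner line is a placeholder and the share names Public and Transfer are invented for illustration and say nothing about what the lab host actually exposes.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab page. Wraps the recon steps
# described above and parses crackmapexec's --shares table.
set -euo pipefail

# Run the page's recon steps against one host and save the raw output under
# $outdir. Port 5985 is checked explicitly because it is outside nmap's
# default top-1000 list. Both a null session and a guest login are tried,
# since a host that rejects the null session may still hand a share listing
# to guest. Requires nmap and crackmapexec (assumed to be on the Kali PATH).
recon_target() {
    local target="$1" outdir="${2:-recon-$1}"
    mkdir -p "$outdir"
    nmap -sC -sV -oN "$outdir/nmap_default.txt" "$target"
    nmap -p 5985 -oN "$outdir/nmap_winrm.txt" "$target"
    crackmapexec smb "$target" -u '' -p '' --shares | tee "$outdir/cme_null.txt"
    crackmapexec smb "$target" -u 'guest' -p '' --shares | tee "$outdir/cme_guest.txt"
}

# Print "SHARE PERMISSIONS" for each share crackmapexec reports as READ,
# WRITE or READ,WRITE. Reads saved output from the files given as arguments,
# or from stdin when none are given. IPC$ is skipped: it is readable on
# almost every Windows host and holds no files.
# Column layout of a share row: SMB <ip> <port> <host> <share> <perms> <remark>
# Banner, header and separator rows never have a 6th field of READ/WRITE,
# so they fall through the filter.
readable_shares() {
    awk '
        $5 != "IPC$" && $6 ~ /^(READ|WRITE|READ,WRITE)$/ { print $5, $6 }
    ' "$@"
}

# Constructed sample of crackmapexec --shares output for offline testing.
# The OS banner is a placeholder and the share rows below the header are
# invented; they do not describe the lab machine.
SAMPLE_CME_OUTPUT='SMB         172.25.0.71     445    CORP-SERVER1     [*] <os-banner> (name:CORP-SERVER1) (domain:delegate.local)
SMB         172.25.0.71     445    CORP-SERVER1     [+] delegate.local\:
SMB         172.25.0.71     445    CORP-SERVER1     [+] Enumerated shares
SMB         172.25.0.71     445    CORP-SERVER1     Share           Permissions     Remark
SMB         172.25.0.71     445    CORP-SERVER1     -----           -----------     ------
SMB         172.25.0.71     445    CORP-SERVER1     ADMIN$                          Remote Admin
SMB         172.25.0.71     445    CORP-SERVER1     C$                              Default share
SMB         172.25.0.71     445    CORP-SERVER1     IPC$            READ            Remote IPC
SMB         172.25.0.71     445    CORP-SERVER1     Public          READ
SMB         172.25.0.71     445    CORP-SERVER1     Transfer        READ,WRITE      Drop folder'

# Usage: ./recon.sh 172.25.0.71
# Runs the live scans, then summarises readable shares per session type.
# With no argument the script only defines the functions (so it can be
# sourced, or the parser tried on the sample: printf '%s\n' "$SAMPLE_CME_OUTPUT" | readable_shares).
if [ -n "${1:-}" ]; then
    recon_target "$1"
    for f in "recon-$1"/cme_*.txt; do
        echo "== $f"
        readable_shares "$f"
    done
fi
```

Against the constructed sample, readable_shares prints Public (READ) and Transfer (READ,WRITE) and drops the IPC$, ADMIN$ and C$ rows. On the real lab host, diff the null-session and guest listings: a share that only appears under guest tells you which account to keep using for the next step.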
