[infra][Pro][hard]
Пространство (Expanse)
hackerlab
Task: hard Windows AD domain controller (codeby.cdb / EXPANSE). Solution: LDAP anonymous bind for user enumeration, AS-REP roast + crack, harvest base64 creds from an SMB share script, abuse Account Operators to add self to a custom LAPS ReadOnly group, read ms-Mcs-AdmPwd to get local/domain admin, read flags over SMB C$.
$ ls tags/ techniques/
tags/:
privilege_escalation windows base64_credentials active_directory as_rep_roasting kerberos domain_controller ldap_anonymous_bind smb_enumeration account_operators laps ms_mcs_admpwd

techniques/:
as_rep_roasting ldap_anonymous_user_enumeration krb5asrep_hash_cracking smb_share_credential_harvesting account_operators_group_abuse laps_password_disclosure smb_cdollar_flag_retrieval
$ grep --similar
Similar writeups
- [infra][Pro] Революция (Revolution) — hackerlab
- [infra][Pro] Грань (Fringe/Edge) — hackerlab
- [infra][Pro] Основа (Foundation) — hackerlab
- [infra][Pro] Потерянный (Lost) — hackerlab
- [pentest][Pro] Наследие (Legacy) — hackerlab