Machine

  • Published on
    Early situational awareness with BloodHound reveals common ACEs across multiple users, and following that chain yields the user flag. Enumerating the target machine reveals an empty OU along with a tombstoned object: a privileged user in that OU with access to enumerate certificate templates, which turn out to be vulnerable to ESC15. Thus, gaining Domain Admin.
  • Published on
    Enumerating SMB shares with the given credentials reveals a hint about CVE-2025-24071, which leaks an NTLM hash. Using that credential to map ACE misconfigurations in BloodHound shows that the user has 'GenericAll' permission on the 'Service Accounts' group. The Shadow Credentials technique is used to gather NT hashes for the service accounts, and the CA is then found to issue certificates vulnerable to ESC16. Thus, gaining Domain Admin.
  • Published on
    Anonymous SMB access is allowed, which leads to a password leak and also to RID brute-forcing that reveals the available users. Enumerating the shares again with those users reveals a PowerShell script containing credentials that enable user access. The current user has SeBackupPrivilege enabled, which allows dumping NTLM hashes, including the Domain Admin's.
  • Published on
    A discovered SNMP service on a UDP port reveals a daloRADIUS web application with default credentials. User access is gained through credentials leaked in the dashboard. The user is allowed to run mosh-server with sudo, which lets us start a mosh client and gain root access.