Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
The server had only port 22 with the credentials provided on vulnlab wiki as this chained machine is an assumed breach scenario `pentest:Heron123!`
<imgsrc="https://i.imgur.com/gZofAmS.png"/>
Checking for privileges, we can't use sudo as this user isn't in sudoers group
<imgsrc="https://i.imgur.com/XAq5Y6e.png"/>
From the user's directory, two users `svc-web-accounting` and `svc-web-accounting-d` belong to `heron.vl` , having only usernames there's only as-rep roasting we could try if these domain users have pre-authentication not required, this could give us the as-rep hash so we can try cracking to get the plain text password.
<imgsrc="https://i.imgur.com/BSzMIFD.png"/>
Checking the internal ports, there's only ssh here
<imgsrc="https://i.imgur.com/ucBGER1.png"/>
To proceed with as-rep roasting we need to perform pivoting as we directly cannot reach domain controller, this can be done with either chisel or ligolo-ng, I'll be using chisel since we only need to access one host, if it were a network then ligolog would have been a better option for that
```bash
chisel server --reverse -p 3000
chisel client 10.8.0.136:3000 R:socks
```
<imgsrc="https://i.imgur.com/Mko09nM.png"/>
With Get-NPUsers to check the pre-authentication not required, both of the users had that required
<imgsrc="https://i.imgur.com/ZfyeCbs.png"/>
Bruteforcing the SIDs with guest account was not possible too as that account was disabled
<imgsrc="https://i.imgur.com/9bZ82My.png"/>
Visiting the web page, we have a pager about heron corp with three more usernames at the bottom
<imgsrc="https://i.imgur.com/HZsCNou.png"/>
<imgsrc="https://i.imgur.com/z1lv529.png"/>
Trying to check pre-auth again with these users, we'll get samuel.davies's hash and cracking it with hashcat
<imgsrc="https://i.imgur.com/yJQTcib.png"/>
<imgsrc="https://i.imgur.com/Vy250Im.png"/>
Enumerating the shares, samuel had read access on `sysvol` , `home` and write on `transfer$` which seem to be only two interesting shares right now
<imgsrc="https://i.imgur.com/ieSOE6z.png"/>
Then transfer share was empty, home had bunch of user directories including samuel which was also didn't had anything
<imgsrc="https://i.imgur.com/BfxrUZf.png"/>
<imgsrc="https://i.imgur.com/Luo2ito.png"/>
<imgsrc="https://i.imgur.com/uSo0yIO.png"/>
However, from SYSVOL share in one of the policy directory, we can find encrypted password for svc-web-accounting
<imgsrc="https://i.imgur.com/PDBKC3P.png"/>
<imgsrc="https://i.imgur.com/ajCy3tX.png"/>
Decrypting this with GPP-decrypt python script
<imgsrc="https://i.imgur.com/dGxukR0.png"/>
GPP password can also be recovered through nxc/cme with `gpp_password` module
Since we have write access to web.config we can edit that and execute system commands through `AspNetCoreModule` but this method is destructive as it replaces the config file and can cause application to not function as in this scenario the application is working through the use of AccountingApp.dll in the config file
<imgsrc="https://i.imgur.com/dTVXLD7.png"/>
But before we attempt this we need to first figure out where config is being hosted as from the previous website we found it wasn't there, from the share name this hints us to use `accounting` as vhost
<imgsrc="https://i.imgur.com/bByZgdr.png"/>
This site will ask for credentials where svc-web-accounting-d's creds will work
<imgsrc="https://i.imgur.com/oroItJF.png"/>
The data here was being reflected from the dll which can be analyzed by either ILSpy or DNSpy
<imgsrc="https://i.imgur.com/OkfJX09.png"/>
<imgsrc="https://i.imgur.com/aWJhGak.png"/>
Following this article https://soroush.me/blog/tag/rce/, to replace the path with any which does not exist, changing the processpath to be powershell and in the arguments placing base64 encoded reverse shell to receive on jump server
But from bloodhound, it didn't showed any path leading to privilege escalation/lateral movement
<imgsrc="https://i.imgur.com/yUElxoT.png"/>
Enumerating C:\Windows, we'll find `scripts` folder which is unusal to be there, ssh. ps1 file
having creentials to` _local ` user
<imgsrc="https://i.imgur.com/GiXw3j2.png"/>
Switching to user and escalating privileges to root user
<imgsrc="https://i.imgur.com/Rsjmyvy.png"/>
From here we can only do much about reading the NThash of frajmp from /etc/krb5.keytab
<imgsrc="https://i.imgur.com/DFlX3c7.png"/>
Since we have password of ` _local`, we can try password spraying on domain users which will work on `Julian.Pratt`
<imgsrc="https://i.imgur.com/OY5Jk22.png"/>
We can't login directly on domain controller since it requires non admins to be in remote desktop group, home directory can be access through `home$` share
<imgsrc="https://i.imgur.com/LBQs4SY.png"/>
From here we can grab the shortcut files for putty sessions from where we'll get the password of `adm_prju`
<imgsrc="https://i.imgur.com/bb5nLeh.png"/>
Checking for paths for gaining domain, this user is in `Admins_T1` group which has `WriteAccountRestrictions` acl on domain controller, which essentially is similar to GenericWrite or WriteProperty that can allow to edit `msDS-AllowedToActOnBehalfOfOtherIdentity` adding a machine account for which we have password for abusing resource based delegaiton (RBCD)
<imgsrc="https://i.imgur.com/Yb1qjnq.png"/>
We can do this attack in two ways, since we have the NThash of frajmp, we can append that account in dc's property or we can utilize a user account without having any SPN by replacing the password with it's TGT session and combining S4U2Self and U2U protocols to abuse but this method is quite destructive and must be avoided only if there's a test account
Going with the machine account approach, by first editing the property
