Walkthrough of My Vulnerable AD Set


I think there are some issues with the default Windows Installer, so a user cannot successfully install an MSI package without a GUI (RDP/VNC). The following steps are a workaround to resolve this. I also enable PPL to add one more layer of protection.


Warm Reminder: I plan to upload the VMs to TryHackMe and apply to make it public. So if you want to wait for the approval of my vulnerable AD set on TryHackMe and play with it by yourself without spoilers, you can stop here :D

External network -> web01

1: Use nmap to scan web01; it has multiple open ports: 22, 25, 80, 110, 139, 143, 445, 993, 995, 5601.

web01 -> file01

17: mason is a local Linux user on web01, while alex.mason is a domain user, so Mason could reuse his password.

file01 -> client01

23: Check BloodHound; we find helen.park is a domain user, so we can reuse Helen’s password.

client01 -> srv01

26: Take a look at Helen’s desktop, and I find the Recycle Bin contains something.

srv01 -> srv02

43: Invoke PowerUp, and we find jason.hudson’s plaintext password: jason.hudson:jkhnrjk2020!

srv02 -> dc

58: SRV02 is set for unconstrained delegation, so we can abuse printerbug to get DC$’s TGT.
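
A defensive check for the misconfiguration in step 58, added here as an example and not part of the original walkthrough: it decodes userAccountControl values from a directory export and lists non-DC accounts that are trusted for unconstrained delegation. The CSV layout, the sample values and the OLDSRV$ host are constructed assumptions; the flag constants are the documented userAccountControl bits.

```python
import csv
import io

# Documented Active Directory userAccountControl bits.
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained Kerberos delegation

# Constructed sample export. Host names follow the lab in this walkthrough
# (OLDSRV$ is invented); the numeric values are assumptions for illustration.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
DC$,532480
SRV01$,4096
SRV02$,528384
CLIENT01$,4096
OLDSRV$,528386
"""


def parse_export(text):
    """Yield (name, uac) pairs from a two-column CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["sAMAccountName"], int(row["userAccountControl"])


def audit_unconstrained(records):
    """Return non-DC accounts trusted for unconstrained delegation."""
    findings = []
    for name, uac in records:
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            continue  # domain controllers carry this bit by default
        # Disabled accounts are still reported: re-enabling restores the risk.
        findings.append({"account": name, "enabled": not uac & ACCOUNTDISABLE})
    return findings


if __name__ == "__main__":
    for finding in audit_unconstrained(parse_export(SAMPLE_EXPORT)):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f"{finding['account']}: unconstrained delegation ({state})")
```

Any host this reports caches the TGT of every principal that authenticates to it, so each finding should be moved to constrained or resource-based constrained delegation, or have delegation removed.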



Gustav Shen

Penetration Tester, Offensive Security Professional