Forest

Fun machine, not sure how others ended it, pth or ptt? I used the former, after about a day trying the latter via Linux. If anyone did the ptt method using Kali, DM me pls. I would like to know how you did it. Machine is actually fairly easy if you have experience working in an AD environment, but like was mentioned, it's better to do some things on a Windows box if you're attacking another Windows machine.

FYI, it's marked as easy because you don’t need any special tricks to get root, you just need a fair amount of AD knowledge, so maybe NOT a beginner box, but not medium or hard where you have to RE binaries.

Some tips:
All you need is impacket, powershell-empire and B*****nd + its ingestor S*******nd
For user, read through the impacket scripts used for recon in their GitHub repository for “examples”. One of them will get you started. Getting a shell from here should be self-explanatory, just look at the higher ports.
After you “Release the Hounds”, here is some reading material that will help, in case you have to do the next few steps manually

After you get the “permission slips” you need, then you do an attack that exploits how the domain controller talks with other DCs.
Then use the tried and tested methods of abusing Windows' hashbrowns. Or get something golden. Golden method didn’t work for me, but hashbrown method did.
Eazy Peezy, GL!