Root dance yesterday! What a journey! This has been the longest path to root ever! I learned a ton of stuff and rooting this beast was not easy… So my hints and thanks are:
- foothold: find a way to bypass the WAF
- crack those hashes (thanks @Chr0x6eOs and @idomino for reminding me that yes, they are crackable, under 5 sec BTW)
- user 1: enumerate the AD. Thank you @APD1970 for sharing that article!
- user 1 to user 2: Thanks @phate890 and @nasri136TH for the nudges and @PwnAddict for sharing that article. This was new to me and I overcomplicated stuff a lot. A week break helped me to see this through. I used some of that pizza and I finally got it
- user 2 to user 3: Enumerate. To which folder you have access now? Anything that sticks out (filename and date)?
- user 3 to user 4: Send the dog out and google as handy scripts will be blocked
- user 4 to root: typical
So a big thanks to the creators!