Objective 5: AD Privilege Discovery

Difficulty: 3/5
Using the data set contained in this SANS Slingshot Linux image (https://download.holidayhackchallenge.com/HHC2018-DomainHack_2018-12-19.ova), find a reliable path from a Kerberoastable user to the Domain Admins group. What's the user's logon name?

Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.
Note: Holly Evergreen is on the ground floor, through the left exit from the main entrance hall.

Hints given:
https://github.com/BloodHoundAD/BloodHound
https://youtu.be/gOpsLiJFI1o


The data set for this objective is in the file 'HHC2018-DomainHack_2018-12-19.ova', which opens either in VMware Player version 15 as is, or in VirtualBox after changing the imported virtual machine's setting from 32-bit to 64-bit.


Unzip "HHC2018-DomainHack_2018-12-19.ova"

Download VMware Player and install it:
https://download3.vmware.com/software/player/file/VMware-player-15.0.2-10952284.exe

Start "BloodHound"
Click the hamburger menu in the top left
Click the 'Queries' tab
Click 'Shortest Paths to Domain Admins from Kerberoastable Users'
Click 'DOMAIN ADMINS@AD.KRINGLECASTLE.COM'

The user "LDUBEJ00320@AD.KRINGLECASTLE.COM"
is a member of IT_00332@AD.KRINGLECASTLE.COM
which can AdminTo COMP00185.AD.KRINGLECASTLE.COM
which HasSession to JBETAK00084@AD.KRINGLECASTLE.COM
who is a member of DOMAIN ADMINS@AD.KRINGLECASTLE.COM

A user with a reliable path to the Domain Admins group is:
LDUBEJ00320@AD.KRINGLECASTLE.COM
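
The same path search as an added example (not part of the original write-up and not BloodHound's own code): a breadth-first search that only follows relationship types counted as reliable, so a path that depends on CanRDP is never returned. The first four edges are the ones listed above with the @AD.KRINGLECASTLE.COM suffix dropped; SVC_DECOY, USER_DECOY and their edges are constructed for illustration.

```python
from collections import deque

# Edges as (source, relationship, target). The first four are the path reported
# on this page; the last two are constructed decoys.
EDGES = [
    ("LDUBEJ00320", "MemberOf", "IT_00332"),
    ("IT_00332", "AdminTo", "COMP00185"),
    ("COMP00185", "HasSession", "JBETAK00084"),
    ("JBETAK00084", "MemberOf", "DOMAIN ADMINS"),
    ("SVC_DECOY", "CanRDP", "COMP00185"),    # constructed: shorter, but RDP only
    ("USER_DECOY", "MemberOf", "IT_00332"),  # constructed: not Kerberoastable
]
# Accounts with a service principal name set (SVC_DECOY is constructed).
KERBEROASTABLE = {"LDUBEJ00320", "SVC_DECOY"}
# Relationship types treated as reliable; CanRDP is deliberately left out.
RELIABLE = {"MemberOf", "AdminTo", "HasSession"}


def shortest_path(edges, start, target, allowed):
    """BFS over edges whose relationship is in `allowed`; returns hops or None."""
    adj = {}
    for src, rel, dst in edges:
        if rel in allowed:
            adj.setdefault(src, []).append((rel, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, dst in adj.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, rel, dst)]))
    return None


def reliable_paths(edges, sources, target, allowed=RELIABLE):
    """Map each source account to its shortest allowed path; skip unreachable ones."""
    found = {}
    for account in sorted(sources):
        path = shortest_path(edges, account, target, allowed)
        if path is not None:
            found[account] = path
    return found


if __name__ == "__main__":
    for user, path in reliable_paths(EDGES, KERBEROASTABLE, "DOMAIN ADMINS").items():
        print(user, "->", " -> ".join(f"[{rel}] {dst}" for _, rel, dst in path))
```

Each account this returns is a service account whose password strength and group memberships deserve review first, since its path does not rely on a separate local privilege escalation.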