Feature
#ELLIE • 2 min read

Kesaya's Red Team Capstone Write-Up Submission

On the 11th of May, 2023, we launched our Red Team Capstone Challenge Network, which marks TryHackMe's biggest release yet! As a milestone challenge, there were 20 flags to collect, spread across 10 different phases, with 6912 possible path combinations!

This time, we're sharing the joint-third winning write-up submission from Kesaya, a TryHackMe user who has worked in a SOC team for the past 12 months after only recently joining the field of cyber security!

Congratulations, Kesaya! Check out Kesaya's write-up submission, or scroll down to discover their attack paths.

Kesaya's Attack Paths

After performing OSINT and discovering the three main web applications exposed on the perimeter, Kesaya leveraged the discovered information to gain access through the corporate VPN and gain remote code execution on the server! Since the VPN service was linked to Active Directory, this also provided the initial compromise of the corporate workstations.

Kesaya performed privilege escalation on the workstation by leveraging a misconfigured service before performing a Kerberoasting attack to compromise the corporate server range!

Kesaya leveraged a misconfigured Group Policy Object to deploy a malicious service to the domain controller to gain full administrative access to the entire corporate domain.

Leveraging a golden ticket attack, Kesaya took full control of the Parent domain, thus fully compromising the entire TheReserve AD forest!

To show impact, Kesaya had to facilitate a SWIFT payment. To compromise a payment capturer, Kesaya enumerated the workstations of employees with capturer access to discover insecurely stored credentials. To compromise a payment approver, Kesaya recovered an approver's credentials from their browser. With both capturer and approver compromised, Kesaya could make the payment transfer!

Author: Ben Spring
Jun 30, 2023
