Feature

Desterhuizen's Red Team Capstone Write-Up Submission

On the 11th of May, 2023, we launched our biggest release yet - the Red Team Capstone Challenge. As a milestone challenge, there were 20 flags to collect, spread across 10 different phases, with 6912 possible path combinations!

This time, we're sharing the second winning write-up submission from desterhuizen, a skilled Information Security Engineer who spends most of his time application testing and working to improve corporate security in his organisation.

Congratulations, desterhuizen! Check out his write-up submission, or scroll down to discover the attack paths desterhuizen took.

Desterhuizen's Attack Paths

After performing OSINT and discovering the three main web applications exposed on the perimeter, Desterhuizen leveraged the discovered information to gain access to the Corporate CMS backend! Combined with a password attack against the individuals identified through OSINT, this recovered Active Directory credentials that gave access to the corporate workstations.

Desterhuizen performed privilege escalation on the workstation, leveraging a misconfigured service, before performing a Kerberoasting attack to compromise the corporate server range!

Desterhuizen leveraged a misconfigured Group Policy Object to deploy a malicious service to the domain controller to gain full administrative access to the entire corporate domain.

Leveraging a golden ticket attack, Desterhuizen took complete control of the Parent domain, thus fully compromising the entire TheReserve AD forest!

To show impact, Desterhuizen had to facilitate a SWIFT payment. To compromise a payment capturer, Desterhuizen enumerated the workstations of employees with capturer access to discover insecurely stored credentials. To compromise a payment approver, Desterhuizen exploited a weak JWT signing secret to recreate a valid session as a payment approver. With both capturer and approver compromised, Desterhuizen could make the payment transfer!
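The approver compromise above hinged on a JWT whose HMAC secret was weak enough to recover. The following added example (written for this post, not code from desterhuizen's write-up or from the challenge environment) shows the server-side controls that close that gap: a key policy that enforces the RFC 7518 minimum of 256 bits for HS256 and rejects low-variety secrets, a verifier that pins the algorithm instead of trusting the token's `alg` header, constant-time signature comparison, and an expiry check. Claim names (`sub`, `role`, `exp`), the sample key, and the 8-distinct-bytes heuristic are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the
# SHA-256 output, i.e. 256 bits / 32 bytes.
MIN_HS256_KEY_BYTES = 32


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT's unpadded base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_policy_violations(secret: bytes) -> list:
    """Return the reasons a candidate HS256 secret must be rejected (empty list = acceptable)."""
    problems = []
    if len(secret) < MIN_HS256_KEY_BYTES:
        problems.append(f"key is {len(secret)} bytes; RFC 7518 requires at least {MIN_HS256_KEY_BYTES}")
    # Assumed heuristic: a long key built from a handful of byte values (e.g. a padded
    # dictionary word) is still guessable, so require some variety in the bytes.
    if len(set(secret)) < 8:
        problems.append("key uses fewer than 8 distinct byte values")
    return problems


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT, refusing any key that fails the policy."""
    violations = key_policy_violations(secret)
    if violations:
        raise ValueError("; ".join(violations))
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed with `secret` and unexpired; else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return None
    # Pin the algorithm server-side: never let the token choose "none" or an asymmetric alg.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # every session token must carry a future expiry
    return claims


if __name__ == "__main__":
    strong_key = bytes(range(32))  # constructed sample key; use os.urandom(32) in practice
    token = sign_jwt({"sub": "approver1", "role": "payment_approver", "exp": 2_000_000_000}, strong_key)
    print("weak key violations:", key_policy_violations(b"secret"))
    print("valid token claims:", verify_jwt(token, strong_key, now=1_000))
    print("wrong key result:", verify_jwt(token, strong_key[::-1], now=1_000))
```

The two checks work together: `key_policy_violations` stops a guessable secret from ever being configured, and `verify_jwt` refuses to honour a token signed under any other algorithm, so a forged header cannot downgrade the check.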

Author: Ben Spring
Jun 22, 2023
