Let’s dive in and start with a port scan.
From the initial scan we can notice the domain (vulnnet-rst.local).
I used kerbrute to enumerate available users. Guest and Administrator users are found.
A null session can be leveraged to access SMB.
The VulnNet-Business-Anonymous folder can be accessed, but we can’t pull any data from it. The VulnNet-Enterprise-Anonymous folder, however, can be accessed and its data can be pulled.
We can use crackmapexec to brute-force the RIDs using the guest account.
Using the accounts we just found, try requesting Kerberos tickets.
Crack the hash.
Check for SPNs.
That is probably a rabbit hole. With a little more enumeration, we can use the t-skid account to access the Netlogon SMB share, where a VBS file is discovered.
Using SMBMap, download the file.
Taking a look inside the VBS script, a username and password are discovered.
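Credentials sitting in a logon script on a share any domain user can read are the weak point here, and they are easy to audit for. The following is an added example, not part of the original write-up: a small Python check that flags hardcoded credentials in VBScript files. The sample script, the placeholder account and the variable-name heuristic are all assumptions made for the example.

```python
import re

# Heuristic (assumption): variable names that tend to hold credentials.
SENSITIVE = re.compile(r"pass|pwd|secret|cred|user|login", re.I)
# name = "literal", optionally prefixed by Const
ASSIGN = re.compile(r'^\s*(?:const\s+)?([A-Za-z_]\w*)\s*=\s*"((?:[^"]|"")*)"', re.I)
# WshNetwork.MapNetworkDrive local, remote, [updateProfile], [user], [password]
MAPDRIVE = re.compile(r"\.MapNetworkDrive\b(.*)", re.I)
STRING = re.compile(r'"(?:[^"]|"")*"')

# Constructed sample input, not the script found on the share.
SAMPLE = r"""' Constructed logon script for the example
Dim strUser, strPassword, objNet
strUser = "svc-example"   ' placeholder account
strPassword = "Placeholder#123"
' strOldPassword = "commented out, ignored"
Set objNet = CreateObject("WScript.Network")
objNet.MapNetworkDrive "Z:", "\\fileserver\share", False, _
    "svc-example", "Placeholder#123"
"""

def strip_comment(line):
    """Drop VBScript comments (Rem or ') that sit outside string literals."""
    if re.match(r"\s*rem\b", line, re.I):
        return ""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def logical_lines(text):
    """Yield (first_line_no, text) with ' _' line continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).rstrip()
        start = no if start is None else start
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None

def find_secrets(text):
    """Return (line_no, kind, variable_name); secret values are never returned."""
    hits = []
    for no, line in logical_lines(text):
        m = ASSIGN.match(line)
        if m and m.group(2) and SENSITIVE.search(m.group(1)):
            hits.append((no, "assignment", m.group(1)))
        m = MAPDRIVE.search(line)
        if m and len(STRING.findall(m.group(1))) >= 4:
            hits.append((no, "mapdrive-inline-credentials", None))
    return hits
```

Calling `find_secrets()` on the text of each script under the Netlogon and SYSVOL shares gives a list of lines to review; any hit means the account's password should be rotated and the script reworked so it carries no credentials.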
Using the newly found account we can connect to the machine using WinRM.
By checking the user’s privileges we notice we are part of the Domain Admins group.
Since we are in the Domain Admins group, we should be able to reset the Administrator account password.
Access to the machine as Administrator should be granted now.
You can grab the flags now :).