Hokkaido Proving Grounds Write-Up
SUMMARY
This write-up covers the Hokkaido machine from Offsec’s Proving Grounds, a multi-stage Active Directory environment hosted under the hokkaido-aerospace.com domain.
User enumeration with Kerbrute identified a valid account whose password matched the username. Enumerating SMB shares with those credentials uncovered a file containing cleartext credentials. A password spray against all domain users confirmed those credentials belonged to the discovery user. Port 1433 (MSSQL) was open, and after connecting as discovery, a user impersonation chain was leveraged to enumerate a restricted database containing the hrapp-service password in cleartext.
BloodHound revealed that hrapp-service held GenericWrite over hazel.green, enabling a targeted Kerberoasting attack. The resulting hash was cracked offline, yielding hazel.green’s credentials. As hazel.green, a password reset was performed on molly.smith, who had RDP access to the machine.
Once connected via RDP, molly.smith was found to be a local administrator of Tier 1. Spawning a shell with administrative privileges revealed the SeBackupPrivilege, which was abused to dump the SAM and SYSTEM hives. The Administrator’s NTLM hash was extracted with secretsdump and used to authenticate via Evil-WinRM.
PATH TO FOLLOW
- Reconnaissance & Port Scanning
- User Enumeration with Kerbrute & Credential Discovery
- SMB Enumeration & Cleartext Credential in Share
- Password Spraying & MSSQL Access
- MSSQL User Impersonation & Database Enumeration
- BloodHound Analysis & Targeted Kerberoasting via GenericWrite
- Hash Cracking & Lateral Movement to hazel.green
- Password Reset on molly.smith & RDP Access
- Abusing SeBackupPrivilege: SAM/SYSTEM Dump
- Administrator Hash Extraction & Shell via Evil-WinRM
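From the defender's side, the GenericWrite-to-Kerberoast step above leaves a recognisable trail in the Security log: a Service Principal Name written onto a user account (event 4738) followed shortly by an RC4 service-ticket request for that same account (event 4769, encryption type 0x17). The correlation below is an added example, not part of the original write-up; the event records are constructed samples using the standard field names of those two events, and the `window_minutes` threshold is an assumed tuning value.

```python
"""Correlate 'SPN written on a user account' with 'RC4 TGS requested for it'.

Event 4738 (user account changed) carries ServicePrincipalNames when an SPN
is set; event 4769 (TGS requested) carries ServiceName and the requester in
TargetUserName, with TicketEncryptionType 0x17 meaning RC4-HMAC.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs); "-" means the field was unchanged.
EVENTS = [
    {"EventID": 4738, "TimeCreated": "2024-01-01T10:00:00",
     "SubjectUserName": "hrapp-service", "TargetUserName": "hazel.green",
     "ServicePrincipalNames": "MSSQLSvc/example.hokkaido-aerospace.com"},
    {"EventID": 4738, "TimeCreated": "2024-01-01T10:00:10",
     "SubjectUserName": "helpdesk", "TargetUserName": "molly.smith",
     "ServicePrincipalNames": "-"},                     # unrelated attribute change
    {"EventID": 4769, "TimeCreated": "2024-01-01T10:01:30",
     "TargetUserName": "hrapp-service@HOKKAIDO-AEROSPACE.COM",
     "ServiceName": "hazel.green", "TicketEncryptionType": "0x17"},   # RC4 -> hit
    {"EventID": 4769, "TimeCreated": "2024-01-01T10:02:00",
     "TargetUserName": "molly.smith@HOKKAIDO-AEROSPACE.COM",
     "ServiceName": "dc01$", "TicketEncryptionType": "0x12"},         # AES, machine SPN
]


def find_targeted_kerberoast(events, window_minutes=60):
    """Return (victim, spn_writer, ticket_requester) for each SPN write on a
    user account that is followed within window_minutes by an RC4 TGS request
    naming that account as the service. Machine accounts ($) are ignored."""
    hits = []
    writes = [e for e in events
              if e["EventID"] == 4738
              and e.get("ServicePrincipalNames", "-") not in ("-", "")
              and not e["TargetUserName"].endswith("$")]
    for w in writes:
        t0 = datetime.fromisoformat(w["TimeCreated"])
        for r in events:
            if r["EventID"] != 4769 or r.get("TicketEncryptionType") != "0x17":
                continue
            if r["ServiceName"].lower() != w["TargetUserName"].lower():
                continue
            delta = datetime.fromisoformat(r["TimeCreated"]) - t0
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                hits.append((w["TargetUserName"], w["SubjectUserName"],
                             r["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for victim, writer, requester in find_targeted_kerberoast(EVENTS):
        print(f"SPN set on {victim} by {writer}; RC4 TGS then requested by {requester}")
```

A match is worth an alert on its own, and the SubjectUserName of the 4738 event points straight at the principal holding the write right that BloodHound would have surfaced.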
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.