Powershell-web-access

Enumeration led me to WordPress, and eventually a username & computer name to authenticate within a web powershell. Then for foothold, we get a web powershell to a reverse shell, privesc with a pivot to msedge.exe, then utilize sam & system hashes to get hive information, which will eventually lead me to root.

This was an Active Directory Windows machine, started by finding credentials in an image on the website, then dumped information with LDAP for the domain to find a kerberoastable user, then enumerating more shares with cme, find which accounts were active, and then get foothold. For root, we pfx2john, and find a GMSA exploit on powershell, to reset a higher privilege user's password so we can authenticate with our new credentials.