# AD Set wk01.exam.com

.100 .101 .102 

## Three machines

- Workstation (Wks)
- App/DB/etc Server (Srv)
- DC Server (DC)
 
The Wks is reachable from your machine; the Srv and the DC sit in subnets you cannot reach directly.
You have to get a shell on the Wks, then pivot to Srv and from there to the DC.
The Wks runs a PHP web app that allows file uploads but blocks PHP extensions.

## Wks:
1. Use this to bypass the extension filter: https://book.hacktricks.xyz/pentesting-web/file-upload.
2. Upload a PHP shell.
3. Set up a netcat listener.
4. Run netcat through the PHP shell.
5. Get the flag from the administrator's desktop.
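From the defender's side, step 1 works because the exam's upload form uses an extension blocklist, which is exactly what the linked bypass list targets (case variants, alternate PHP extensions, double extensions, null bytes). The Python validator below is an added example, not part of the exam page or of its web app (which is PHP); it shows the allowlist-plus-content-check design that closes those bypass classes. The allowed types, the magic bytes, the filename rules and the sample filenames are assumptions made for the example.

```python
import os
import re
import secrets

# Allowlist of what the application actually needs to store. A blocklist has to
# enumerate every executable variant (.phtml, .phar, .PhP, .php5, ...) and will
# miss one; an allowlist only admits known-safe types. (Assumed set.)
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes each allowed type must start with; the body must match the
# claimed type, so PHP source renamed to .jpg is rejected. (Assumed table.)
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Basename may only contain a conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str, str]:
    """Return (accepted, reason, stored_name) for one upload.

    stored_name is chosen by the server, so the client never controls the path
    or the extension of the file that ends up on disk.
    """
    # Drop any directory component so "../x" cannot escape the upload folder.
    base = os.path.basename(filename.replace("\\", "/"))

    # Null bytes and other control characters are the classic truncation trick
    # against extension checks ("shell.php\x00.jpg"); reject them outright.
    if any(ord(c) < 32 for c in base):
        return False, "control character in filename", ""

    # Exactly one dot: this rejects missing extensions and double extensions
    # such as "shell.php.jpg" without trying to guess which part "counts".
    parts = base.split(".")
    if len(parts) != 2:
        return False, "filename must be name.ext", ""
    name, ext = parts
    ext = ext.lower()  # .PhP and .PHP are the same extension to the server

    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed", ""
    if not SAFE_NAME.match(name):
        return False, "unsafe characters in filename", ""
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match claimed type", ""

    # Random server-side name with the validated extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed sample uploads: the first is a real-looking JPEG, the rest
    # are the bypass patterns an extension blocklist tends to let through.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF-data"),
        ("shell.phtml", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("shell.jpg\x00.php", b"\xff\xd8\xff"),
        ("fake.PNG", b"<?php echo 1; ?>"),
    ]
    for fname, body in samples:
        print(fname.encode("unicode_escape").decode(), "->", validate_upload(fname, body)[:2])
```

Beyond the check itself, the upload directory should be served with script execution disabled (e.g. no PHP handler for that location), so that even a validation bug does not turn a stored file into code execution.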
 
## Srv:
1. Upload a Kerberoasting tool to the Wks (e.g. Rubeus), OR create a tunnel (e.g. socat, chisel) and use Impacket from Kali.
2. Get a TGT. Use this: https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast.
3. Use hashcat with the rockyou wordlist to crack the password.
4. Use psexec/smbexec etc. through the tunnel, or RDP if it is enabled, to connect to Srv.
5. Get the flag from the administrator's desktop.
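On the detection side, Kerberoasting leaves a recognisable trace in the DC's Security log: a burst of event 4769 (Kerberos service ticket requested) entries from one account for several user-owned SPNs, often with RC4 (ticket encryption type 0x17), which is far cheaper to crack than AES. The Python script below is an added example, not from the exam page or any tool it names; it runs that check over constructed sample lines. The line format (a flat `timestamp key=value` layout rather than the real XML event), the account and service names, the IP and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# RC4-HMAC and RC4-HMAC-EXP; AES tickets are 0x11/0x12.
RC4_ENCRYPTION_TYPES = {"0x17", "0x18"}

# Constructed sample events loosely modelled on 4769 fields (not real logs).
# alice requests RC4 tickets for four service accounts within seconds;
# bob makes a single AES request, which is normal use.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 EventID=4769 TargetUserName=alice@WK01.EXAM.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.100",
    "2024-01-01T10:00:02 EventID=4769 TargetUserName=alice@WK01.EXAM.COM ServiceName=WKS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.100",
    "2024-01-01T10:00:05 EventID=4769 TargetUserName=alice@WK01.EXAM.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.100",
    "2024-01-01T10:00:05 EventID=4769 TargetUserName=alice@WK01.EXAM.COM ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.100",
    "2024-01-01T10:00:06 EventID=4769 TargetUserName=alice@WK01.EXAM.COM ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.100",
    "2024-01-01T10:00:06 EventID=4769 TargetUserName=alice@WK01.EXAM.COM ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.0.100",
    "2024-01-01T10:30:00 EventID=4769 TargetUserName=bob@WK01.EXAM.COM ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.57",
]


def parse_event(line: str) -> dict:
    """Split one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_roastable_request(event: dict) -> bool:
    """True for an RC4 service ticket request against a user-owned SPN.

    krbtgt (the TGT itself) and machine accounts (names ending in $) are
    excluded: machine account passwords are random and not crackable.
    """
    if event.get("EventID") != "4769":
        return False
    service = event.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return event.get("TicketEncryptionType") in RC4_ENCRYPTION_TYPES


def find_kerberoast_bursts(lines, window_seconds: int = 60, min_services: int = 3) -> list:
    """Flag accounts that requested RC4 tickets for >= min_services distinct
    user SPNs inside any window_seconds window. Returns one finding per account."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(ev)

    findings = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["time"])
        start, best = 0, set()
        # Sliding window over the account's RC4 requests, keeping the largest
        # set of distinct services seen inside one window.
        for end in range(len(events)):
            while (events[end]["time"] - events[start]["time"]).total_seconds() > window_seconds:
                start += 1
            services = {e["ServiceName"] for e in events[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            findings.append({
                "user": user,
                "ip": events[0]["IpAddress"],
                "services": sorted(best),
            })
    return findings


if __name__ == "__main__":
    for finding in find_kerberoast_bursts(SAMPLE_EVENTS):
        print(f"possible Kerberoasting by {finding['user']} from {finding['ip']}: "
              f"{', '.join(finding['services'])}")
```

The thresholds are deliberately low for the sample; in production they are tuned against a baseline, and a single RC4 request for a user SPN in an AES-only domain is already worth a look. The cracking step in the exam only succeeds because the service account password is in rockyou, so the mitigation pairs this detection with long, random service-account passwords (or gMSAs) and AES-only encryption types on those accounts.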
 
## DC:
1. Use MSF and a Meterpreter shell.
2. Dump stored and cached credentials with kiwi.
3. Create a second tunnel (e.g. socat, chisel) over the first one, or RDP to the DC if it is enabled.
4. Get the flag from the administrator's desktop.
