#AD DC02

Hosts: DC02 .100, WEB01 .101, CLIENT01 .102 (domain exam.com, domain controller dc02.exam.com)

#Three machines WEB01 - CLIENT01 - DC02

Every machine is accessible directly.

#Client01(.102)
1) WEB01 (.101) runs a web server on port 80. Find the directory "ResearchRepo"; it sends you to a login page.
2) That login page is vulnerable to SQL injection, and you can bypass the login with username "admin" and password "' or 1=1 -- -".
3) The home page has a URL field where you have to submit a URL. Create your shell with the ".hta" extension using msfvenom. Start your listener, and also start a local HTTP server to transfer the file, using one of the following ports (53, 80, 443).
4) Submit your URL (your IP and the filename) in the field. After some time you will receive a shell from the .102 machine.
5) With the shell from the previous step, escalate privileges using the SpoolFool exploit (https://github.com/ly4k/SpoolFool). Transfer all the SpoolFool files as a zip and unzip it on the Windows machine.
6) Generate a DLL reverse shell with msfvenom and transfer the DLL to the victim machine too. Start a listener on your machine on the port of the DLL shell you generated.
7) Then run SpoolFool with your DLL shell and you should get a SYSTEM shell on .102.
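Why step 2 works, and the one-line fix for it, as an added example (my code, not part of the write-up or the lab's application): the same login query built by string concatenation and built with bound parameters, run against a constructed in-memory SQLite users table. The schema, column names and stored password are assumptions; the payload is the one from step 2.

```python
"""Added example: the login bypass from step 2 against a concatenated query,
and the parameterized query that defeats it.

Constructed data: one user row in an in-memory SQLite table. The real
application's DBMS, schema and password are assumptions.
"""
import sqlite3

USERNAME = "admin"
PAYLOAD = "' or 1=1 -- -"            # password value from step 2 of the write-up
REAL_PASSWORD = "placeholder-pass"   # constructed; not the lab's real password


def make_db() -> sqlite3.Connection:
    """Constructed users table with a single admin row (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USERNAME, REAL_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by string formatting. The quote in the payload closes
    the password literal, 'or 1=1' makes the WHERE clause true for every
    row, and '-- -' comments out the trailing quote, so a row is returned."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Sends the values separately from the SQL text. The driver treats the
    payload as plain data compared against the stored password, so the
    injected quote and comment never reach the parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_vulnerable(db, USERNAME, PAYLOAD))     # True
    print("parameterized:", login_parameterized(db, USERNAME, PAYLOAD))  # False
```

The parameterized version still accepts the genuine password, so the fix costs nothing functionally; the difference is only that user input can no longer change the shape of the statement.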

#WEB01(.101)
1) Run mimikatz on .102 and get ted's hash.
2) Ted belongs to the group DocEditors, and that group has RDP access to the .101 machine.
3) Crack ted's hash with john to find his password, which is "avatar123".
4) Use xfreerdp /u:ted /d:exam.com /v:<IP>.101 and enter the password "avatar123".
5) For privesc there is a service with an unquoted path under Program Files: C:\Program Files\zen\zen services\zen.exe
6) Generate a reverse shell with msfvenom and name it zen.exe.
7) Put the zen.exe file at C:\Program Files\zen\zen.exe.
8) Start your listener and restart the machine with shutdown /r /t 0.
9) You should get a reverse shell.
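An added example (my code, not from the write-up) showing how to audit a service's binary path for the unquoted-path weakness used in step 5, and how to produce the quoted value that removes it. It is pure string logic over the ImagePath value, so it runs anywhere; the input is the zen service path from the write-up. It assumes the string passed in is the service's binPath exactly as the host reports it (from the registry or `sc qc`), and that the binary is an .exe.

```python
"""Added example: audit a Windows service binary path for the unquoted-path
weakness and emit the quoted fix.

Assumptions: the string is the service's binPath/ImagePath as the host
reports it, and the binary is an .exe. The write-up's zen path is the input.
"""
import re

ZEN_PATH = r"C:\Program Files\zen\zen services\zen.exe"  # from the write-up
_EXE = re.compile(r"\.exe", re.IGNORECASE)


def split_binary(image_path: str):
    """Separate the executable from any trailing arguments.

    Returns (was_quoted, binary, args). A quoted path ends at the closing
    quote; an unquoted one is taken to end at the first '.exe'."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return True, path[1:end], path[end + 1:]
    m = _EXE.search(path)
    if m is None:
        return False, path, ""
    return False, path[:m.end()], path[m.end():]


def search_order_candidates(binary: str):
    """Paths Windows tries before the real binary when the path is unquoted
    and contains spaces: each space-delimited prefix with '.exe' appended.
    A defender verifies none of these locations is writable by
    unprivileged users; for the zen path the second one is the location
    the write-up uses in step 7."""
    parts = binary.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service_path(image_path: str) -> dict:
    """Report whether the path is exploitable and the quoted replacement."""
    quoted, binary, args = split_binary(image_path)
    vulnerable = (not quoted) and (" " in binary)
    return {
        "vulnerable": vulnerable,
        "candidates": search_order_candidates(binary) if vulnerable else [],
        "fixed": f'"{binary}"{args}' if vulnerable else image_path.strip(),
    }


if __name__ == "__main__":
    for path in (ZEN_PATH, r"C:\Windows\svc.exe", f'"{ZEN_PATH}" -run'):
        report = audit_service_path(path)
        print(path)
        print("  vulnerable:", report["vulnerable"])
        for c in report["candidates"]:
            print("  would try :", c)
        print("  fixed     :", report["fixed"])
```

Paths that are already quoted, or contain no spaces, are reported as not vulnerable; unquoted paths with arguments after the .exe keep the arguments outside the quotes. The "fixed" string is what the service's binPath should be set to, after which the search-order candidates are no longer consulted.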

#DC02(.100)
1) Run mimikatz.exe on .101.
2) Dump the zensvc hash. Zensvc is a Domain Admin :).
3) Use wmiexec with zensvc hash to get shell on .100 as a domain admin.