The description states:  "You had an engagement a while ago for Fusion Corp. They contacted you saying they've patched everything reported and you can start retesting."

Lately, my focus has been on Active Directory and when I came across this challenge, I found a privilege that I hadn't seen previously.  I don't want to get ahead of myself, so let's dig in:

We dig in and we have what appears to be a domain controller.  In order to enumerate this system, we need some domain information.  

Using ldapsearch, we are able to uncover the domain:  fusion.corp

We need to modify our hosts file and that will allow us to further enumeraate.  Using SecLists usernames and kerbrute, we brute usernames:

With a small list of usernames, we can now leverage Impacket in an attempt to get a hash:

This hash type is 18200 and for some reason, I have an issue with my particular graphics card that causes this crack attempt to fail.  In a previous post, I wrote about Colabcat.  Leveraging Colabcat:

I crack the hash:

In our Nmap scan, we noticed port 5985 open which means we can leverage Evil-WinRM:

With a shell, now we can investigate the other user we uncovered:

In the description field, we find their password.  Now using WinRM once more with our new user, we get our shell and find that our user has SeBackupPrivilege:

Basically, if we have a user we want to give permission to backup files without making them an admin, we can use this privilege.  That being said, with this privilege, they can make themselves an admin so I'm not sure I understand the actual point.  At this point, I want the shortest path to the flag.

I download the zip file to the system and I unzip it:

I import the modules and then I copy the flag from the admin desktop to my current working directory.  



Type flag.txt and it's game over.