This is the HTB Forest machine, and it's the very first machine I tried when I joined Hack The Box. I could say that I spent months struggling on it, since I had no idea how to start pentesting it at the time.
When an AD user is a member of "Exchange Windows Permissions", an attacker might abuse WriteDacl to grant themselves any rights. Here's how I abuse WriteDacl to grant my new AD user DCSync rights, which are then used to dump all NTLM hashes, including the Administrator hash, going from a normal AD user that is not a member of Domain Admins to the Administrator user and owning the whole system.
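For defenders, the DCSync grant described above shows up as two extended-right ACEs on the domain object, so it can be audited from the object's DACL. The following is an added example, not code from the video: it assumes the DACL has already been exported as an SDDL string, and the `EXPECTED` lists, the sample SID and RIDs are constructed assumptions to adapt per domain. Deny ACEs are ignored for brevity.

```python
import re

# Extended-right GUIDs from the AD schema; DCSync needs both on the domain object.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000

# Assumption: trustees that normally hold these rights (SDDL aliases, well-known SID, RIDs).
EXPECTED = {"SY", "BA", "DA", "EA", "ED", "DD", "RO", "S-1-5-9"}
EXPECTED_RIDS = {"498", "512", "516", "519"}

def _codes(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def _mask(rights):
    """Reduce an SDDL rights field (hex or two-letter codes) to the bits checked here."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    c = _codes(rights)
    return (CONTROL_ACCESS if "CR" in c else 0) | (GENERIC_ALL if "GA" in c else 0)

def _expected(trustee):
    rid = trustee.rsplit("-", 1)[-1]
    return trustee in EXPECTED or (trustee.startswith("S-1-5-21-") and rid in EXPECTED_RIDS)

def dcsync_trustees(sddl):
    """Return unexpected trustees whose allow ACEs cover both replication rights."""
    held = {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")
        if len(f) != 6 or f[0] not in ("A", "OA") or "IO" in _codes(f[1]):
            continue  # not a plain allow ACE, or inherit-only (not applied to this object)
        mask, guid = _mask(f[2]), f[3].lower()
        if mask & GENERIC_ALL or (mask & CONTROL_ACCESS and not guid):
            rights = {GET_CHANGES, GET_CHANGES_ALL}  # full control / all extended rights
        elif mask & CONTROL_ACCESS and guid in (GET_CHANGES, GET_CHANGES_ALL):
            rights = {guid}
        else:
            continue
        held.setdefault(f[5], set()).update(rights)
    return sorted(t for t, r in held.items() if len(r) == 2 and not _expected(t))

# Constructed sample: DACL of a domain object with one non-default grantee (RID 9601).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = ("O:BAG:BAD:AI(A;;GA;;;SY)"
          f"(OA;;CR;{GET_CHANGES};;ED)(OA;;CR;{GET_CHANGES_ALL};;{DOM}-516)"
          f"(OA;;CR;{GET_CHANGES};;{DOM}-9601)(OA;;CR;{GET_CHANGES_ALL};;{DOM}-9601)"
          f"(OA;;CR;{GET_CHANGES};;{DOM}-1104)")

if __name__ == "__main__":
    print(dcsync_trustees(SAMPLE))
```

Any SID this returns holds both replication rights without being a domain controller or default admin principal, and should be reviewed together with the membership of "Exchange Windows Permissions".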