The KeePass vault recovered in the user's post-exploitation step revealed a service account credential.
Searching for this user in the BloodHound data reveals that it owns a GPO, which is interesting because ownership grants the right to edit the policy. GPO files are stored in the
SYSVOL directory, which is synchronized from the domain controller.
Hosts and credentials used in this step:
THMWRK1, as a standard domain user or a T2 admin
svcServMan, as a network-only credential
The GPO is edited remotely from THMWRK1.
RDP to THMWRK1:
xfreerdp /v:thmwrk1.za.tryhackme.loc /u:t2_alan.riley /p:'Password123'
Inject the service account credentials (password: Sup3rStr0ngPass!@) into a new command prompt with /netonly, then start the Microsoft Management Console from that prompt (runas accepts a single program, so mmc.exe is launched from the spawned cmd.exe):
runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe
mmc.exe
Modify the Group Policy Object:
Add Group -> Browse -> Search "IT Support" -> Click OK
Make the "IT Support" group a member of the Administrators and Remote Desktop Users groups on the hosts the policy applies to.
This group policy is linked at
za.tryhackme.loc/Servers/Management Servers, as specified in the GPO path.
Add the Active Directory Users and Computers snap-in to the
mmc.exe session, and inspect the OU.
Use the low-level user credential received from http://distributor.za.tryhackme.loc/creds. This user is a member of the IT Support group, since we added the user to it in the Exploiting Permission Delegation task.
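From the defender's side, the edit described above leaves a trace: every change to the groupPolicyContainer object is recorded as Windows Security event 5136 ("A directory service object was modified") when Directory Service Changes auditing is enabled. The following script is an added example, not part of the original notes: it runs over constructed 5136-style records and flags GPO edits made by accounts outside an assumed approved-editor list (the GPO GUID, the CSE GUID and the allow-list are placeholders).

```python
"""Flag Group Policy Object edits by unapproved accounts using event 5136 records.

Added example for this writeup; not part of the original notes. The log records
are constructed; the approved-editor list is an assumption. Event 5136 is only
logged when "Audit Directory Service Changes" is enabled and the Policies
container carries a SACL, so check that first in a real environment."""

# groupPolicyContainer attributes whose change means the policy content, or the
# client-side extensions that process it, was modified.
GPO_CHANGE_ATTRIBUTES = {"versionNumber", "gPCMachineExtensionNames",
                         "gPCUserExtensionNames", "gPCFileSysPath"}

# Accounts expected to edit GPOs (assumption for this example).
APPROVED_GPO_EDITORS = {"ZA\\gpo_admin"}

# Constructed 5136-style records; field names follow the real event schema.
GPO_DN = "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=za,DC=tryhackme,DC=loc"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectDomainName": "ZA", "SubjectUserName": "gpo_admin",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "12"},
    {"EventID": 5136, "SubjectDomainName": "ZA", "SubjectUserName": "svcServMan",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{CSE-GUID-PLACEHOLDER}]"},
    {"EventID": 5136, "SubjectDomainName": "ZA", "SubjectUserName": "svcServMan",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "13"},
    # Unrelated object class and unrelated event id: both must be ignored.
    {"EventID": 5136, "SubjectDomainName": "ZA", "SubjectUserName": "svcServMan",
     "ObjectClass": "user", "ObjectDN": "CN=alan.riley,OU=People,DC=za,DC=tryhackme,DC=loc",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "constructed"},
    {"EventID": 4624, "SubjectDomainName": "ZA", "SubjectUserName": "svcServMan"},
]


def find_unapproved_gpo_edits(events, approved=APPROVED_GPO_EDITORS):
    """Return {(actor, gpo_dn): [changed attributes]} for edits by non-approved accounts."""
    alerts = {}
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        attr = ev.get("AttributeLDAPDisplayName")
        if attr not in GPO_CHANGE_ATTRIBUTES:
            continue
        actor = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if actor in approved:
            continue
        alerts.setdefault((actor, ev["ObjectDN"]), []).append(attr)
    return alerts


if __name__ == "__main__":
    for (actor, dn), attrs in find_unapproved_gpo_edits(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} modified {dn}: {', '.join(attrs)}")
```

Correlating the same actor's 4663 file writes under \\<domain>\SYSVOL\...\Policies\<GPO GUID>\ with these events gives the second half of the picture, since the policy body itself lives in SYSVOL.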