Bruno is a Windows Active Directory box. I’ll start by finding a .NET sample scanning application on FTP, and after reverse engineering it, discover a ZipSlip vulnerability in how it handles zip archives. Combining that with a DLL hijack, I’ll get a shell as the service account that runs the scanner. For privilege escalation, I’ll exploit the lack of LDAP signing by performing a Kerberos relay attack, setting up resource-based constrained delegation to impersonate the Administrator.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox machine 'Bruno', a Windows Active Directory domain controller. The attack chain starts with anonymous FTP access to download a .NET scanning application, which is reverse-engineered to discover a ZipSlip vulnerability in its zip extraction logic. This is exploited to drop a malicious DLL into the application directory, achieving a DLL hijack that yields a shell as the svc_scan service account (whose credentials were first obtained via AS-REP roasting). Privilege escalation to Administrator is accomplished by exploiting the absence of LDAP signing: a Kerberos relay attack via DCOM OXID coercion is used to configure resource-based constrained delegation (RBCD), then S4U2Self/S4U2Proxy are used to impersonate the Administrator and gain full control.

HTB: Bruno