Machine Synopsis
University is an Insane Windows Active Directory machine that starts with a university webpage. The web application lets users export their profile pages to PDF using `xhtml2pdf`, which is vulnerable to Remote Code Execution via [CVE-2023-33733](https://nvd.nist.gov/vuln/detail/CVE-2023-33733). This provides initial access to the machine. Subsequently, the account of a professor is compromised using a forged certificate. With the professor's account, a malicious archive file is uploaded to exploit [CVE-2023-36025](https://nvd.nist.gov/vuln/detail/CVE-2023-36025), which gives Remote Code Execution as the user who extracts the archive. A relay attack is then meticulously set up to perform an unconstrained delegation attack. On the newly compromised computer, the Kerberos ticket for a new user is extracted, which makes it possible to read the password of a group-managed service account. This account can impersonate the domain Administrator, thus compromising the entire environment.
Machine Matrix