# Initial Compromise of Active Directory

## Summary

Since both machines are accessible, we can select one to continue our progress within the network. Upon logging into the **WRK2** machine, we begin by inspecting the user profile to identify any available methods for privilege escalation. Notably, we find a **netcat** executable within the **Downloads** folder.

## Privilege Escalation

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FuFbYz4kNFdcZIWTkzQ6u%2Fimage.png?alt=media&#x26;token=1d0b689f-0def-4c3a-9477-80216874fe56" alt=""><figcaption></figcaption></figure>

We use the command:

```cmd
schtasks /query /fo csv /v | findstr "SYSTEM" > tasks.csv
```

to create a CSV file listing the scheduled tasks whose verbose entry mentions SYSTEM, i.e. tasks running under the SYSTEM account (the `/fo csv` option outputs the data in CSV format and `/v` adds the verbose fields, including the task to run and the run-as user).

Reviewing the file, we see that most tasks are located in the `Windows` directory, indicating they are likely well-configured. However, a closer look at the CSV file shows one specific task running from `C:\SYNC\sync.bat`.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FyHHdBn67Dxwfvob44NUJ%2Fimage.png?alt=media&#x26;token=b8d48f11-9fd9-4bf8-8289-712c0361b8a6" alt=""><figcaption></figcaption></figure>

To verify the permissions of the file, we use the command:

```cmd
icacls C:\SYNC\sync.bat
```

This confirms that our user has `(F) Full Access` to the file.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FoxSIGOIJ4sY3Kym5z6cn%2Fimage.png?alt=media&#x26;token=4f01ba09-3d82-4e16-aeac-09ae19e01b31" alt=""><figcaption></figcaption></figure>

With this information, we can set up a listener using the previously found **`netcat`** executable. We then modify `sync.bat`, the script the task executes, so that when the task next runs it as SYSTEM it connects back to our listener using **netcat**, allowing us to receive an elevated reverse shell.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FNfvkBBxgRVdb8YI5WiW7%2Fimage.png?alt=media&#x26;token=acc7acd0-9aeb-4450-8bfe-e178fabb5ddf" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FAO7XQ3224oH1OhoTjssX%2Fimage.png?alt=media&#x26;token=ffee50e9-003b-40b4-bdc6-122dde5c8357" alt=""><figcaption></figcaption></figure>

After a few minutes (no more than 5), we should receive our administrative reverse shell. Alternatively, we can trigger the task immediately by using the following command:

```cmd
schtasks /run /tn FULLSYNC
```

This forces the reverse shell to initiate instantly.
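The weakness exploited above is a SYSTEM-level scheduled task whose target script is writable by an ordinary user. As an added defensive audit (not part of the original writeup), the PowerShell below lists scheduled tasks that run as SYSTEM from a path outside the Windows directory and whose target file grants write rights to principals other than the built-in privileged ones; the exclusion list and the `-match 'SYSTEM'` filter are assumptions to adjust for your environment.

```powershell
# Added audit example, not from the original writeup. Flags scheduled tasks that
# run as SYSTEM from outside %SystemRoot% and whose target file is writable by
# non-privileged principals (the sync.bat pattern). Scripts passed only as
# action Arguments (e.g. "cmd.exe /c script.bat") are not inspected here.
$PrivilegedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                          'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')  # assumption
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Resolve-ActionPath {
    param([string]$Execute)
    # Strip quotes and expand %VARS%; a bare name such as "cmd.exe" is skipped.
    $p = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if ($p -match '^[A-Za-z]:\\') { return $p }
    return $null
}

function Get-WeakSystemTasks {
    Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and $_.Principal.UserId -match 'SYSTEM'
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # non-exec (COM handler) action
            $path = Resolve-ActionPath $action.Execute
            if (-not $path -or $path -like "$env:SystemRoot\*") { continue }
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $acl  = Get-Acl -LiteralPath $path
            # Allow ACEs carrying any write bit for a non-privileged identity
            $weak = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $WriteMask) -ne 0 -and
                $PrivilegedPrincipals -notcontains $_.IdentityReference.Value
            }
            foreach ($ace in $weak) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs    = $task.Principal.UserId
                    Target    = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WeakSystemTasks | Format-Table -AutoSize
```

Any row returned is a task a standard user can hijack simply by editing the file; the fix is to tighten the file and directory ACLs so only administrators can write, or to move the script under a protected path.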

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2F9VbUTkDCaFTFtS4eogi3%2Fimage.png?alt=media&#x26;token=92b5cdf6-b96d-4a9c-97b7-dc268ba4bbe0" alt=""><figcaption></figcaption></figure>

## Flag 4

{% hint style="info" %}
**NOTE**: We are now able to obtain the following flag by following the instructions on the e-citizen platform:

* **Flag 4**: Administrative access to Corporate Division Tier 2 Infrastructure
{% endhint %}
