Vulnlab — Push
<p>Push, a hard rated active directory chain, involved obtaining credentials from FTP, having write access to smb share, placing the configuration and DLL file for abusing <code>clickonce</code> application to gain a shell on <code>MS01</code>, enumerating the domain to find about SCCM agent deployed on system, coercing authentication through client push installation and gaining <code>sccadmin</code> account which is a local admin on the system. As MS01 was a CA server as well, this lead to Golden Certificate to escalate privileges on the domain.</p>
<p><a href="https://arz101.medium.com/vulnlab-push-13d1e89878ae"><strong>Click Here</strong></a></p>