Machine Synopsis

Phantom is a medium difficulty `Windows` machine which highlights AD exploitation. Initial enumeration reveals a publicly accessible `SMB Share` containing an `email file` with a base64 encoded `PDF` attachment that leaks a domain password. After enumerating domain users and performing a `password spray`, valid credentials are discovered for the `ibryant` account. Further enumeration of network shares uncovers a `VeraCrypt` container, which, after cracking, discloses a `VyOS router backup` holding credentials. These credentials provide access to the `lstanley` account, which has sufficient rights to configure `Resource-Based Constrained Delegation (RBCD)`. By abusing RBCD and leveraging `S4U2Self/S4U2Proxy` Kerberos delegation, we impersonate a `Domain Admin` and achieve full domain compromise.