Sendai
Sendai 712
RETIRED MACHINE

OS: Windows
Difficulty: Medium
Machine rating: 4.9
User owns: 232
System owns: 212
Released: 28/08/2025
Created by xct

Machine Synopsis

`Sendai` is a medium-difficulty Windows `Active Directory` machine focused on weak account hygiene, `GMSA` abuse, and `ADCS` misconfigurations. Initial access is gained through `anonymous SMB` enumeration, revealing files that hint at expired accounts with weak passwords. RID brute-forcing identifies users, and login attempts highlight accounts in a forced password reset state. By resetting `thomas.powell`’s password, the attacker obtains a domain foothold. `BloodHound` analysis shows that Powell’s group membership can be leveraged to compromise the `MGTSVC$ GMSA` account, enabling remote code execution on the domain controller. Further local enumeration uncovers inline credentials for `clifford.davey`, whose `CA-OPERATORS` group membership grants `GenericAll` rights over a certificate template. Abusing `ESC4/ESC1` conditions with Certipy, the attacker forges a certificate for the administrator account, retrieves its NT hash, and authenticates via `WinRM`, achieving full domain compromise.
