Certified is a Windows machine having misconfigured ACL in Active Directory environment where initial access for a low-privileged user judith.mader is provided. Exploitation of the Active Directory Certificate Service (ADCS) is required to get access to the management_svc, ca_operator and Administrator account by abusing shadow credentials and ESC9.
Legacy is a relatively easy box which has SMB running on Windows XP(2000) OS. We find the exploit with metasploit and get access to priviledged user NT AUTHORITY\SYSTEM directly.
Love is a fun box where we find a hidden subdomain that helps us retrieve Forbidden pages, where admin credentials are leaked of another service. The access to the admin dashboard has a file upload, through which we get a reverse shell. The box then has AlwaysInstallElevated that allows a regular user to install a Microsoft Windows Installer Package (MSI) with system privileges, which helps us get the Administrator access.