Mist is an insane-level Windows box mostly focused on Active Directory attacks. It starts off with a simple file disclosure vulneraility in Pluck CMS that allows me to leak the admin password and upload a malicious Pluck module to get a foothold on the webserver. There’s a directory at the filesystem root with links in it, and by overwriting one, I get execution as a user on the host. I’ll find LDAP signing is off, and use PetitPotam to coerce the server to authenticate to my, and relay t...
