Academy - Windows Privilege Escalation - Pillaging

I’m having some trouble with Question 5.

“Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.”

I can easily restore the restic backups, but downloading the SAM and SYSTEM files to my Kali box and running samdump2 yields null passwords for all local users. I believe that samdump2 no longer works with modern Windows SAM/SYSTEM dumps.

Any help is appreciated.

I figured it out.

After downloading the SAM and SYSTEM files to my Kali, I used instead of samdump2 and I got the “real” hashes, not the “null” hashes! Boom!

1 Like

can you give a hint on how to find and download the cookie in the previous question in this section

" Log in as Grace and find the cookies for the website. Use the cookie to log in into from a browser within the RDP session and submit the flag."

having trouble finding firefox cookie database

1 Like

Hi, I got the hash using a tool, but I have no way to determine which one is mine
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
This is the hash I got, can you tell me the format of the answer? I did some obfuscation with this hash, it’s not the correct hash

1 Like

I’m stuck on the Pillaging and Miscellaneous Techniques modules of the Windows Privilege Escalation module, I have the administrator’s hashes etc. files, but I can’t get the answer

Can you show me your WIndows Privilege Escalation and ACTIVE DIRECTORY ENUMERATION & ATTACKS notes? I have been stuck in these two modules, I really want to get a little permission but there is no way to solve it, my Google mailbox is Thank you

OK Tannk you ,love you

1 Like


Just paying it back, because I had to ask for help many times!

I’m 78.27% done with the CPTS track, and it’s been ROUGH.


Solve this? I have 2 ADministrator hashes but both not working

Hi, Could you please share me the notes? Thanks in advance!

my email address:


Could you please share me the notes also? Thanks in advance :smiley:

ok , I’ve sent

1 Like

Thanks a lot :grin:

Hey I was able to get the hashes but I’m not sure what format the question wants for the hash. Could you help me out with that?
Edit: It just wants the nthash

How can I get the NT Hash? with samdump2 I get the LM Hash as well as the NTLM Hash but both of them are not working

You should have what you need already. Here’s a breakdown on the NTLM hash format

Thank you for the explanation link, unfortunatly this does not work for me:


I used this Part: 31d6cfe0d16ae931b73c59d7e0c089c0 but it doesnt accept the answer. The hash comes from a dump of SYSTEM & SAM files from a restore of the snapshots on E: -system SYSTEM -security SECURITY -sam SAM local

you will need these files.


Many thanks for yor help… I was not about to find the solution :slight_smile: Could you maybe send me dm or so and explain me quikly why the SECURITY File is needed and what the difference between secretsdump and samdump2 is?

Hi, I Sent you DM for hint about how can you backup the SAM and SYSTEM File.
I Already done login using jeff, and backup for c:\windows\system32\config and didnt found sam file inside

i also backup for htdocs and found admin credential but cant used to login as administrator. can you show the hint please ?