[ACADEMY] Windows Privilege Escalation Skills Assessment - Part I

One of the task in Skills Assessment - Part I is: “Find the password for the ldapadmin account somewhere on the system”. I searched around all the box with low privileged shell but I cannot find ldap admin password. I used all the techniques described in the module. Any clue?


Has anyone had luck here? I finished the rest of the skill assessment but I’m still stuck here too… any tips?


Hi All, I also stuck on this question for a long time and finally find the password today!!!
Question (“Find the password for the ldapadmin account somewhere on the system.”) itself already contain hint and please find and look file carefully with “nice” privileges account.


I tried with SYSTEM privileges and still had no luck

1 Like

Hey @SuprN0vaSc0t1a , just as you replied, I managed to pick the right CLSID, as it seems that was the main issue. But I do appreciate your assistance. I kind of had the exact same dilemmas as you, especially in regard to picking the listening port… :slight_smile:

And to answer the OPs question from all the way up, when searching for those two other things (files), it’s about having the right set of privileges so you can actually access things that you otherwise initially can’t.

I finished this module and took detailed notes, so if anyone needs help feel free to message me!



I am also stuck finding the password for “ldapadmin”.
I understand it is not a user on that system. However, I had no luck finding it using the Credential Hunting methodology shown in the module. I am still with my initial user privileges of the IIS-user. Is there anything I can do to get additional access to files or log data prior to privilege escalation?
Any hints are welcome!


I had the best luck after privilege escalation. You do not need that password for escalation, only for that question.

Hi, I did the escalation but I can’t find anywhere that damned password. Can you help me?


I am stuck at the same place. I rooted the box with JuicyPotato but for the love of me still cant find the “ldapadmin” password. I have tried everything, string search, config files search and even registry entries search. Still clueless… I finished the entire module but this question.

@jackyLam What do you mean by “nice” privileges? Administrator? I got admin via Juicy Potato but where is the dang file? LOL

I tried this command and many others and I still can’t reach the password of “ldapadmin”. I don’t know where to look anymore…
In the other side, I found that the exploitation part was much easier than finding this password lol what’s wrong ? If anyone can help me please I would appreciate

Found the password with the exact same command but ran it with Admin privileges, I don’t understand why this question is asked before the privesc…

1 Like

none of my payloads doesnt work, even simple ls. I dont know what part of request is vulnerable

Hello jarednexgent. I’m stuck on the first step of the Windows Privilege Escalation Skills Assessment - Part I. I don’t know which user to connect to the target as. I do an nmap and see open RDP port 3389. Even with the --script rdp-ntlm-info and rdp-enum-encryption I get more information, but I can’t find which user to use to connect to xfreerdp. Can someone help me please? thank you so much

Wondering if there is a way to escalate privileges with printspoofer instead of juicy potato…

For anyone that comes along and needs help on the LDAP question you can run something like:

Get-ChildItem -Recurse -Filter [filtype] | Select-String -Pattern [searchterm] -CaseSensitive:$false | Select-Object -Property Path

You will have to do some additional work to figure out how to get the file paths in the right format so you can get there though :slight_smile:

Am I supposed to RDP to the box or just working with the possible reverse shell and the web site command injection vulnerability? I can’t get JuicyPotato to work. I know what the task is running whose CLSID I should be using, but just to try it out, I tested all of the CLSID’s but got the same 10083 error for all of those…

Since we aren’t getting any credentials I was thinking that should I somehow find creds for one of the users on the box and then RDP.

1 Like

Ignore the question for the ldapadmin password until you get root. Once you have root, You could search for strings or try running some of the tools and techniques taught in the 3 credential-hunting modules.

I’m also stuck on getting the reverse shell. Would anyone be able to enlighten me via inbox? I’d be most grateful. :slight_smile: