I am currently stuck at the question “Perform the ExtraSids attack to compromise the parent domain… obtain the NTLM hash for the Domain Admin user bross.”
I used Mimikatz to dump NTLM hashes once I received a shell on the Domain Controller. However, I could not find anything related to bross, just a local Administrator. Is there any different route to receive that particular NTLM hash?
I instead used the hash of “administrator” that comes out when running “raiseChild.py” and used it with “secretsdump.py” to do a DCSync and get the hash of the user “bross”. There are many ways to do it, I think.
Wow, I way overcomplicated it. I used raisechild.py at the end of the module and tried stuff from lolbins to copy and read the NTDS.dit file using a couple of different methods. Never got it to work on this, but I have used it before. Good knowledge to have in case anyone wants to see how you could do it the “living off the land” way using ntdsutil.exe. Link here → Dumping Domain Controller Hashes Locally and Remotely - Red Team Notes