Not sure if you solved it, but the question is poorly written as usual … when they say NTLM hash they are usually referring to the NT part of the hash only.
It actually failed a few times. I exited out, did some enumeration of the account's rights etc. to make sure I wasn't going crazy (a Domain Admin should be able to DCSync!), and it just worked. The exact same command as before, run from the same PowerShell session (although I had exited Mimikatz and gone back in).
So for anyone reading this: it seems like just a transitory error, but secretsdump is probably quicker.
I ran into a Mimikatz error in the Windows version of this section.
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
However, the cause of this problem is simple. The current user just does not have enough privileges.
In this question, you can elevate your privileges by right-clicking.
FROM WINDOWS HOST
To get the flag.txt located in the ExtraSids folder you have to do the following:
ls \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids
And then cat it out! You know how to do it.
Now, where did I find this? Actually, I tried many combinations such as c\ExtraSids, c\ExtraSids$, etc. manually and finally hit on it.
I'm stuck here as well. Can you help? I can get the shell but am not able to get the NTLM hash for bross.
You should ask yourself how to get the NTLM hash for any user.
Hint: use a DCSync attack.
- How to run secretsdump.py with no password? With the -k flag, because we already exported the ticket.
- You must specify "LOGISTICS.INLANEFREIGHT.LOCAL/USERNAME@academy-ea-dc01.inlanefreight.local" and the domain controller IP (-target-ip 172.16.5.5) to run secretsdump.py successfully.
raiseChild.py has everything you need. Try using the -h flag to examine further.
You just saved the day!
secretsdump.py -hashes [Hash NTLM] INLANEFREIGHT.LOCAL/administrator@172.16.5.5 -just-dc-user bross
In the Linux section, the password for the htb-student_adm user is the one given in the previous exercise, in the Windows section.
What Linux host are you guys doing this from? I tried to pivot and do it from my attack box, but I get errors because I'm not part of the domain.
Never mind. I thought you guys were saying you had a Linux attack box for the Windows questions.
The concept is to have the golden ticket in the current PowerShell session and then cat the flag from ExtraSids. You can do this with Rubeus
or Mimikatz.
For Mimikatz:
privilege::debug
kerberos::golden ...
Use the SID from the previous question.
Then exit Mimikatz, BUT do not close the PowerShell session. From there, continue as below:
ls \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids
Then just replace ls with cat and add the flag at the end of the command.
I used Rubeus; it is OK now.
It worked! Thanks.
This does not work for me. When I run this command with the administrator's NTLM hash, I get a ValueError: not enough values to unpack (expected 2, got 1).
After running secretsdump.py hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross, I'm getting this error: Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database). When I run klist, I get Default principal: hacker@LOGISTICS.INLANEFREIGHT.LOCAL. I've been stuck on this for over a week now.
-hashes LMHASH:NTHASH