Active Directory Enum & Attacks - Domain Trusts - Child -> Parent


What password did you use?

Not sure if you solved it, but the question is poorly written as usual. When they say NTLM hash, they usually are referring to the NT part of the hash only.

It actually failed a few times, I exited out, did some enumeration of the accounts rights etc to make sure I wasn’t going crazy (a Domain Admin should be able to DCSync!), and it just worked. The exact same command as before, run from the same PowerShell session (although I had exited Mimikatz and gone back in).

So for anyone reading this: It seems like just a transitory error, but secretsdump is probably quicker.

I hit a Mimikatz error in the Windows version of this section.

ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

However, the cause of this problem is simple. The current user just does not have enough privileges.
In this question, you can elevate your privileges by right-clicking.

FROM WINDOWS HOST

To get the flag.txt located in the ExtraSids folder, you have to do the following:

ls \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids

And then cat it out! You know how to do it :wink:

Where did I find this? Actually, I tried many combinations such as c\ExtraSids, c\ExtraSids$, etc. manually and finally hit on it.

@Rapunzel3000

I’m stuck here as well. Can you help? I can get the shell but am not able to get the NTLM hash for bross.

You should ask yourself how to get the NTLM hash for any user.
Hint: use a DCSync attack.

  1. How do you run secretsdump.py with no password? With the -k flag, because we already exported the ticket.
  2. You must specify “LOGISTICS.INLANEFREIGHT.LOCAL/USERNAME@academy-ea-dc01.inlanefreight.local” and the domain controller IP (-target-ip 172.16.5.5) to run secretsdump.py successfully.

raiseChild.py has everything you need. Try using the -h flag to examine further.


you just saved the day :ok_hand:

secretsdump.py -hashes [Hash NTLM] INLANEFREIGHT.LOCAL/administrator@172.16.5.5 -just-dc-user bross

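The command above pulls bross's hash through directory replication (DCSync), which is also what a defender watches for. As an added example that is not from this thread or the Impacket project, the following Python flags Windows Security event 4662 records where a non-domain-controller principal exercised the replication control-access rights. It assumes the events are already parsed into dicts with the fields shown; the sample records and account names are constructed for this example.

```python
# Added example: detect DCSync-style replication requests in parsed 4662 events.
# Well-known AD extended-right GUIDs that directory replication requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def flag_dcsync(events, known_dcs):
    """Return alerts for 4662 events where a principal that is not a known
    domain-controller machine account used replication rights.
    known_dcs: set of DC machine accounts, e.g. {"ACADEMY-EA-DC01$"} (assumed)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # The Properties field lists GUIDs, sometimes wrapped in braces; normalise.
        props = {p.strip("{}").lower() for p in ev.get("Properties", [])}
        rights = sorted(REPLICATION_RIGHTS[g] for g in props if g in REPLICATION_RIGHTS)
        if not rights:
            continue  # unrelated directory access, not replication
        subject = ev["SubjectUserName"]
        if subject.endswith("$") and subject.upper() in known_dcs:
            continue  # normal DC-to-DC replication
        alerts.append({"subject": f"{ev['SubjectDomainName']}\\{subject}",
                       "object": ev["ObjectName"], "rights": rights})
    return alerts


# Constructed sample events: legitimate DC replication, a user account from the
# child domain replicating the parent naming context, and a non-replication read.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "ACADEMY-EA-DC01$", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "hacker", "SubjectDomainName": "LOGISTICS",
     "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "bross", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectName": "CN=bross,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
     "Properties": ["{bf967aba-0de6-11d0-a285-00aa003049e2}"]},  # user class GUID, not a replication right
]

if __name__ == "__main__":
    for alert in flag_dcsync(SAMPLE_EVENTS, {"ACADEMY-EA-DC01$"}):
        print("possible DCSync:", alert)
```

Auditing of the domain naming context (SACL for the replication rights) must be enabled for 4662 to be generated at all.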

In the Linux section, the password for the htb-student_adm user is the one given in the previous exercise, in the Windows section.


What Linux host are you guys doing this from? I tried to pivot and do it from my attack box, but I get errors because I’m not part of the domain.

Never mind. I thought you guys were saying you had a Linux attack box on the Windows questions.


Hello. Please can you help? I tried all combinations but nothing seems to work.

The concept is to have the golden ticket in the current PowerShell session and then cat the flag from ExtraSids. You can do this with Rubeus or mimikatz.
For mimikatz:
privilege::debug
kerberos::golden ... use the SID from the previous question
Then exit mimikatz BUT do not close the PowerShell session. From there, continue as below:
ls \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids
Then just replace ls with cat and add the flag at the end of the command.

I used Rubeus, it is OK now.

It worked! Thanks

This does not work for me. When I run this command with the administrator’s NTLM hash, I get a ValueError: not enough values to unpack (expected 2, got 1)

After running secretsdump.py hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross, I’m getting this error: Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database). When I run klist, I get Default principal: hacker@LOGISTICS.INLANEFREIGHT.LOCAL. I’ve been stuck on this for over a week now.

-hashes LMHASH:NTHASH
