hey folks,
Looking for a nudge on the AD skills assessment I.
I’ve gotten all of the questions except for the last one - gaining a shell on the DC. Here’s what I’ve done so far:
- used the web shell to get a more stable reverse shell with nc.exe
- Kerberoasted the first user
- used Enter-PSSession and nc.exe to gain a stable shell on the second box
- used mimikatz to dump cached creds on the second box
- obtained creds for second user with dcsync rights
The creds I’ve obtained are valid, but the user doesn’t have remoting rights. Things I’ve tried that don’t work:
- psexec.exe from box 1 and box 2 to the DC (unauthorized)
- PSSession from box2 (unauthorized)
- PTH from box 2 using mimikatz (not working; I think it’s because it’s done through a reverse shell)
- OPTH from box 2 using mimikatz (not working; can’t turn the NTLM hash into a Kerberos ticket, or it’s not caching)
- DCSync attack through mimikatz (not working from box 2)
Things I haven’t tried yet:
- secretsdump.exe
- PTT
Looking for a nudge on what would be the right technique to gain access to the DC.