hey folks,

Looking for a nudge on the AD skills assessment I.

I’ve gotten all of the questions except for the last one - gaining a shell on the DC. Here’s what I’ve done so far:

• used the web shell to get a more stable reverse shell with nc.exe
• kerberoasted first user
• used Enter-PSSession and nc.exe to gain a stable shell on the second box
• used mimikatz to dump cached creds on the second box
• obtained creds for second user with dcsync rights

the creds i’ve obtained are valid but the user doesnt have remoting rights…things Ive tried that dont work

• psexec.exe from box1 and box 2 to DC (unauthorized)
• PSSession from box2 (unauthorized)
• PTH from box2 using mimikatz (not working - i think it’s because its done through a reverse shell)
• OPTH from box2 using mimikatz (not working, cant turn the ntlm hash into a kerberos ticket, or its not caching)
• dcsync attack through mimikatz (not working from box2)

things I havent tried yet:

• secretsdump.exe
• PTT

Looking for a nudge on what would be the right technique to gain access to the DC

I can’t get either of these to work on the second box. The Enter-PSSession works but gives me a very disfunctional session. Can’t get nc.exe to run on second box properly at all…

What I usually do once I have the unstable shell with Enter-PSSession is I upload nc.exe to the first box, then download nc.exe into the second box from the first box through that unstable shell, then pop a more solid shell through a different port from box2 to box1. Kind of schlep but it gets me through.

Couldn’t get that to work…had to use a different method…but I’m at the trying to DCSync the DC now…

Hi, did you got any result? I’m at the same point, I can’t make that creepy shell works to download nc.exe

what other method did you use? I think my methodology is kind of clunky here and I’m starting to overthink it / go in other directions not covered in the lessons…hmmmm

@sirius3000 @PaoloCMP I figured it out! send me a PM if you need a nudge. I was definitely overthinking it.