Active Directory - Skills Assessment I

hey folks,

Looking for a nudge on the AD skills assessment I.

I’ve gotten all of the questions except for the last one - gaining a shell on the DC. Here’s what I’ve done so far:

  • used the web shell to get a more stable reverse shell with nc.exe
  • kerberoasted first user
  • used Enter-PSSession and nc.exe to gain a stable shell on the second box
  • used mimikatz to dump cached creds on the second box
  • obtained creds for second user with dcsync rights

the creds i’ve obtained are valid but the user doesnt have remoting rights…things Ive tried that dont work

  • psexec.exe from box1 and box 2 to DC (unauthorized)
  • PSSession from box2 (unauthorized)
  • PTH from box2 using mimikatz (not working - i think it’s because its done through a reverse shell)
  • OPTH from box2 using mimikatz (not working, cant turn the ntlm hash into a kerberos ticket, or its not caching)
  • dcsync attack through mimikatz (not working from box2)

things I havent tried yet:

  • secretsdump.exe
  • PTT

Looking for a nudge on what would be the right technique to gain access to the DC

I can’t get either of these to work on the second box. The Enter-PSSession works but gives me a very disfunctional session. Can’t get nc.exe to run on second box properly at all…

1 Like

What I usually do once I have the unstable shell with Enter-PSSession is I upload nc.exe to the first box, then download nc.exe into the second box from the first box through that unstable shell, then pop a more solid shell through a different port from box2 to box1. Kind of schlep but it gets me through.

Couldn’t get that to work…had to use a different method…but I’m at the trying to DCSync the DC now… :exploding_head: :exploding_head: :exploding_head:

Hi, did you got any result? I’m at the same point, I can’t make that creepy shell works to download nc.exe

what other method did you use? I think my methodology is kind of clunky here and I’m starting to overthink it / go in other directions not covered in the lessons…hmmmm

@sirius3000 @PaoloCMP I figured it out! send me a PM if you need a nudge. I was definitely overthinking it.