Active Directory - Skills Assessment I

Yes, it’s true I’m sorry :sweat_smile:

HAHA, If I work on Skill-Assessment-II later and find the solution, I will share it.


How? I think I tried every method to connect to ms01

Hi All, for the last question “Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01”. I tried to run mimikatz to perform a DCSync attack with User tXXXX Cred on the second box but failed.

Any hints on the last question?

mimikatz doesn't work too well with reverse shells :wink: what other way can you enable your access to MS01 (box2) that will let you then use mimikatz to get an admin shell on DC01 with your current access? think of what the compromised user can do (replicate), then target someone else with logon access to the DC?

you get tXXX user from MS**, right? just with mimikatz impersonate with hash and do dcsync

Hi All, I'm finally finished with all Skills-Assessment I questions. Thank you guys for supporting me. Can't finish it without your help. :yum:


Hey guys, I’m having trouble with “Submit the contents of the flag.txt file on the Administrator desktop on MS01” I can’t get a shell to this box with the steps that were described in the module. What tool did y’all use for this? Any help would be appreciated.


So I used mimikatz with “lsadump::dcsync” and the NTLM hash for user TB**** to pull off the DCSync attack on MS01 via PowerShell remoting. However, I am getting an RPC error message:

"ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)"

Also powerview does not work in the PS remoting session. I am able to import the module on MS01 after copying it over
Invoke-Command -session $session -scriptblock {c:\PowerView.ps1}
but any functions from that module are not recognized. How can I do a proper enumeration under these circumstances?

Look, it’s been a long time since I made this module and I wrote very little.

but I remember using Invoke-Command -computername MS01 -credential $cred -ScriptBlock and downloaded a netcat and opened a reverse connection. And inside mimikatz with the user hash I needed to use impersonate to be able to do the dcsync attack:

Sorry, I confirm here I only have notes for Assessment II

I followed your suggestion and started a second reverse shell from MS01 → Webwin01 using Netcat and tried local execution of Mimikatz with the NTLM hash on that second shell. Still getting the same RPC error, however…

I have received another recommendation to perform the DCSync-Attack using Impacket (wmiexec.py and secretsdump.py). However, the 10.X.X.X network of our Kali Box can only reach out to the Winweb Server that served us as entry point into the network. MS01 and Domain Controller are located in 172.X.X.X. Is there any other way to reach out to the DC from Linux?

I have tried Impacket’s

  • secretsdump
  • wmiexec
  • psexec
  • evil-winrm

against the winweb-server without any success.

I finally was able to pull it off by connecting my local Kali machine to the 172.16.6.X AD network using Metasploit’s Autoroute plus Proxychains on Kali.
My recommendation is to first have a look at the Tunnelling & Port Forwarding Module before attempting this task. Then you can invoke Impacket modules on MS01 and DC01 directly through Proxychains.
Any attempt using PS-remoting from the Webwin foothold machine was not successful.


I can’t run DCSync. I can’t answer last question of this module.
I am using “Invoke-Command” from foothold machine.
My ScriptBlock is:
{ .\greattool.exe "priXXX::debug" "sekXXXXX::pth /user:t**** /domain:inlanefreight.local /ntlm:XXXXXXXXXXXXXXXXXXXXXXXXXX" "lsadXXX::dcXXX" exit }

I get the error:

ERROR kuhl_m_lsadump_dcsync ; Missing user or guid argument

any suggestion?
thank you!!

Sorry, I just figured out that my previous command was incomplete.
I missed “/domain:inlanefreight.local /user:INLANEFREIGHT.LOCAL\administrator”
Anyway… I get the error:

ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)

any suggestion to solve this?
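The RPC exception 0x00000005 in the two posts above is access denied: the DC did not accept the calling identity as one holding the replication control access rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which is what a DCSync relies on. Seen from the defender's side, a DCSync that does succeed shows up on the DC as Event ID 4662 with those rights' GUIDs in the Properties field, performed by an account that is not a domain controller. The Python below is an added example, not code from this thread, from HTB Academy, or from mimikatz/Impacket; it parses constructed, flattened 4662 lines and flags Get-Changes-All reads by any principal outside an allowlist of DC computer accounts. The key="value" line layout, the account names and the allowlist are assumptions; the rights GUIDs and the 0x100 control-access bit are the real schema values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Control access rights on the domain object that AD replication, and therefore DCSync, requires.
# These are the fixed rightsGuid values from the schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Event4662:
    subject: str              # DOMAIN\account that performed the operation
    access_mask: int
    property_guids: List[str]


def parse_4662(line: str) -> Optional[Event4662]:
    """Parse one flattened key="value" log line (assumed SIEM layout); None for anything that is not a 4662."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "4662":
        return None
    return Event4662(
        subject=f'{fields.get("SubjectDomainName", "")}\\{fields.get("SubjectUserName", "")}',
        access_mask=int(fields.get("AccessMask", "0x0"), 16),
        property_guids=[g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))],
    )


def replication_rights_used(ev: Event4662) -> List[str]:
    """Names of the replication rights this event exercised, in the order they appear in Properties."""
    if not ev.access_mask & CONTROL_ACCESS:
        return []
    return [REPLICATION_RIGHTS[g] for g in ev.property_guids if g in REPLICATION_RIGHTS]


def hunt_dcsync(lines: Iterable[str], allowlist: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Flag 4662 events where a principal outside the allowlist exercised Get-Changes-All.
    Get-Changes on its own is routine; Get-Changes-All is the right that exposes secrets."""
    allowed = {a.upper() for a in allowlist}
    alerts = []
    for line in lines:
        ev = parse_4662(line)
        if ev is None:
            continue
        rights = replication_rights_used(ev)
        if "DS-Replication-Get-Changes-All" in rights and ev.subject.upper() not in allowed:
            alerts.append((ev.subject, rights))
    return alerts


# Constructed sample lines, flattened from the fields a SIEM typically extracts (not raw Windows XML).
SAMPLE_EVENTS = [
    # normal DC-to-DC replication by an allowlisted machine account
    'EventID="4662" SubjectUserName="DC02$" SubjectDomainName="INLANEFREIGHT" AccessMask="0x100" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # unrelated logon event, ignored by the parser
    'EventID="4624" SubjectUserName="jdoe" SubjectDomainName="INLANEFREIGHT" LogonType="3"',
    # a user account (constructed name) pulling Get-Changes-All: the DCSync pattern
    'EventID="4662" SubjectUserName="jdoe" SubjectDomainName="INLANEFREIGHT" AccessMask="0x100" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # Get-Changes only, no secrets readable: not flagged
    'EventID="4662" SubjectUserName="svc_monitor" SubjectDomainName="INLANEFREIGHT" AccessMask="0x100" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
]
DC_ACCOUNTS = ["INLANEFREIGHT\\DC01$", "INLANEFREIGHT\\DC02$"]  # assumed DC computer accounts

if __name__ == "__main__":
    for subject, rights in hunt_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"ALERT DCSync-like replication by {subject}: {', '.join(rights)}")
```

The allowlist is the important tuning knob: besides the DC computer accounts, any legitimate sync account (for example a directory synchronisation service account) must be listed, otherwise the rule fires on routine operations.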

Ok so I am on question 3. I found the user s**_**l and was able to use PowerView to get the Kerberoast ticket and the RC4_HMAC_MD5 hash.

I used hashcat with -m 13100 and rockyou.txt but it was not able to give me the cleartext password. Can I get a nudge here? Been on this for 2 days now!!

Hi, just to check how did you transfer the hash that you acquired from PowerView? Did you copy it directly from the console after executing Get-DomainUser -Identity s**_**l | Get-DomainSPNTicket -Format Hashcat and paste it into a file? Or did you export it to a CSV file Get-DomainUser -Identity s**_**l | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation and copy the hash from the CSV output? The hash should be a ‘one liner’. Just wondering if that was the case.

Ah yes, that was the case… the format was incorrect, it needed to be one line. Once that was fixed I was able to get it, thanks!!

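On the one-liner point settled in the exchange above: the krb5tgs hash has to reach hashcat as a single unbroken line, and both console wrapping and copying out of a CSV cell can split it. The Python below is an added example, not code from this thread, from HTB Academy, PowerView or hashcat; it re-joins a wrapped or CSV-quoted RC4-HMAC (etype 23) Kerberoast hash into the single-line form hashcat mode 13100 reads, and rejects a truncated copy instead of passing it on. The account name, SPN, hex values and the CSV column layout are constructed; only the etype 23 layout is handled.

```python
import re
from dataclasses import dataclass
from typing import List

# Only the RC4-HMAC (etype 23) layout is handled: $krb5tgs$23$*user$REALM$spn*$checksum$edata2,
# the form hashcat mode 13100 takes. AES tickets (etype 17/18) use a different layout and are skipped.
KRB5TGS_23 = re.compile(
    r"\$krb5tgs\$23\$\*"
    r"(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)"
    r"\*\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)"
)


@dataclass
class KerberoastHash:
    user: str
    realm: str
    spn: str
    checksum: str   # 16-byte HMAC-MD5 checksum, hex
    edata: str      # RC4-encrypted ticket part, hex

    hashcat_mode = 13100  # Kerberos 5 TGS-REP etype 23

    def as_line(self) -> str:
        """The single-line form hashcat needs, with all wrapping removed."""
        return f"$krb5tgs$23$*{self.user}${self.realm}${self.spn}*${self.checksum}${self.edata}"


def extract_hashes(raw: str) -> List[KerberoastHash]:
    """Pull every well-formed etype-23 Kerberoast hash out of console output or a CSV export.
    The hash never contains whitespace, so line breaks inside it can be dropped before matching;
    a CSV cell's closing quote or the next hash's '$' terminates the hex run."""
    joined = re.sub(r"[\r\n]+", "", raw)
    found = []
    for m in KRB5TGS_23.finditer(joined):
        edata = m.group("edata")
        if len(edata) % 2 or len(edata) < 32:
            continue  # odd or tiny hex length: the copy was cut short, do not feed it to hashcat
        found.append(KerberoastHash(m.group("user"), m.group("realm"), m.group("spn"),
                                    m.group("checksum").lower(), edata.lower()))
    return found


def hashcat_file(hashes: List[KerberoastHash]) -> str:
    """One hash per line, the file layout for hashcat -m 13100."""
    return "".join(h.as_line() + "\n" for h in hashes)


# Constructed sample: a made-up checksum and ciphertext for a constructed SPN.
CHECKSUM = "0c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f"
EDATA = ("a1b2c3d4e5f60718293a4b5c6d7e8f90"
         "0112233445566778899aabbccddeeff0"
         "0112233445566778899aabbccddeeff0")
FULL = f"$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.INLANEFREIGHT.LOCAL:1433*${CHECKSUM}${EDATA}"
# Console copy: wrapped at 72 columns, the way a terminal breaks a long line.
SAMPLE_CONSOLE = "\n".join(FULL[i:i + 72] for i in range(0, len(FULL), 72)) + "\n"
# CSV export: CRLF line endings and the hash inside a quoted cell (constructed column layout).
SAMPLE_CSV = '"SamAccountName","Hash"\r\n"svc_sql","' + FULL + '"\r\n'

if __name__ == "__main__":
    for sample in (SAMPLE_CONSOLE, SAMPLE_CSV):
        print(hashcat_file(extract_hashes(sample)), end="")
```

Both samples yield the identical one-line hash, which is the file the `hashcat -m 13100` run in the thread expects; a copy that lost its tail is dropped rather than silently producing a hash that can never crack.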

For accessing the second box:

I am trying to use Enter-PSSession

$username="INLANEFREIGHT.LOCAL***_sql"
$password=ConvertTo-SecureString "*****7" -AsPlainText -Force
$Cred=New-Object System.Management.Automation.PSCredential ("username", $password)
Enter-PSSession -ComputerName MS01 -Credential $Cred

no matter what I change $username to, i.e. “svc_sql”, “MS01\svc_sql”, I can not get this to work… can really use a nudge in the right direction.


Hi, I did not assign the username s**_**l to the variable $username. Maybe you can try to use the $username in this line $Cred=New-Object System.Management.Automation.PSCredential ($username, $password)?
or use this without the variable $Cred=New-Object System.Management.Automation.PSCredential (s**_**l, $password)?
I did add a port into the last line though Enter-PSSession -ComputerName MS01 -Port 5989 -Credential $Cred.
However you should try Rapunzel3000’s method Active Directory - Skills Assessment I - #34 by Rapunzel3000 on using Tunnelling & Port Forwarding.