Active Directory - Skills Assessment I

@stellar If you want to pass tools to MS01 you can use xfreerdp with the option “/drive:linux,/tmp”. This was explained in previous modules. I guess there are several ways to transfer files that work for this machine. This one worked for me.

To see the password you are looking for do as a colleague said above, making use of mimikatz or using crackmapexec with the --lsa option. This comment I put above. Read carefully the output of the command.

Thank you for the suggestions, colleague, I will try to apply this option. Afterwards, with mimikatz or lazagne on, it will be fast. Meanwhile I tried the .ps1 scripts execution bypass, but nothing there either :wave:

I got the super duper secure tpetty password!!! with xfreerdp, then copied the tools from tsclient to my svc_sql directory and ran mimikatz :dizzy: You boys are more logical, but slowly I'll learn!! Whew :slight_smile:


I have a few questions… But can I just start with this one? Once I get onto MS01, how would I transfer a file back to my Kali VM? I ran SharpHound and I am trying to figure out how to get that file back to my machine. Thanks for any help!

@CrazyHorse302 - If you think about it, you already have a web server that can “host” files.

You know the name of the shell file, so you can search for where it is being hosted.

dir -Path C:\ -Filter antak.aspx -Recurse | %{$_.FullName}

followed by

copy 20221202110824_BloodHound.zip C:\inetpub\wwwroot\uploads

*Obviously change this to your BloodHound file name.

You can download it directly from the browser then.

Thank you, this is very good information. However, I am after doing this from MS01; this looks like how to do it from WEB-WIN01. I also was struggling with this from WIN01 but found I can use the antak shell easily enough to accomplish it. Again, thank you for the response, it is very helpful!

Do you know how I could get a file back from MS01 through the jump host (WEB-WIN01)? I think I am going down the wrong path but regardless it would be helpful to understand how to get files off it back to my VM. Thank you!

Okay… I have been trying to find tpetty’s password for a while, can someone give me a hint? I have failed to crack the NTLM hash I got from mimikatz for him as well :frowning: Thank you!

Try different mimikatz modes and see if one of them gives you something more useful

I have tried just about everything I can think of for sekurlsa in mimikatz, I was hoping the logonpasswords would show something. I am pretty sure I got a password with lazagne but nothing so far is the right one. I am going to do some more reading on mimikatz to see what I am missing, thank you!

Cool, I learned a couple things.

  1. I was being an idiot and putting the password in the place where it was asking for the user.
  2. I was able to get this with lazagne.
  3. I didn’t know about using token elevate along with privilege debug in mimikatz.

Again, thanks for the hint! Now on to figuring out DC01.

The other question I was hoping someone could clarify for me… I was able to get onto MS01 from the web machine easily enough. But before I did, I spent a ton of time trying to figure out how to know whether the sxx_xxx user that was used to do this has rights to get into MS01. Ultimately I just gave it a shot. What am I missing/overlooking that would have been a command or tool I could run to verify that user has the rights to access MS01? Thanks for any help in advance!

To be honest, it's a small environment and I just "tried it" and it worked.

I have a pingcastle report and a Bloodhound map, didn’t even go as far as looking at that.

What I did do, to help with a stable shell, was add my discovered account to local admins on the WEB-WIN01 box.

Add-LocalGroupMember -Group 'Administrators' -Member "s**_**"

Turned on RDP

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

And then used remmina to RDP to the WEB-WIN01 box; from there I had a stable domain-authorized PowerShell.

You could also just use psexec.py; that works too, but you land with System level access.
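An added audit example, not from the thread or any poster: a PowerShell check a defender would run on a Windows host to spot exactly the two changes described above (RDP switched on through fDenyTSConnections and an account added to the local Administrators group). The baseline list of expected admins and the 24-hour window are assumptions; adjust them to your environment.

```powershell
# Added audit example (not from the thread). Run locally as an administrator
# on the host being audited. The baseline below is an assumption.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

# Check 1: is RDP enabled? fDenyTSConnections = 0 means connections are allowed.
function Get-RdpState {
    $key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $v = (Get-ItemProperty -Path $key -Name 'fDenyTSConnections' -ErrorAction Stop).fDenyTSConnections
    [pscustomobject]@{ Check = 'RDP'; Finding = "Enabled=$($v -eq 0)"; Detail = "fDenyTSConnections=$v" }
}

# Check 2: local Administrators members that are not on the baseline.
# Member names come back as COMPUTER\name or DOMAIN\name; strip the prefix.
function Get-UnexpectedLocalAdmins {
    param([string[]]$Baseline)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Baseline -notcontains ($_.Name -replace '^.*\\', '') } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'LocalAdmin'; Finding = $_.Name; Detail = "Source=$($_.PrincipalSource)" }
        }
}

# Check 3: recent Security log events for group additions. Event ID 4732 is
# "a member was added to a security-enabled local group", which is what an
# Add-LocalGroupMember call produces. Requires the "Audit Security Group
# Management" subcategory to be enabled; otherwise nothing is returned.
function Get-RecentAdminGroupAdds {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Administrators' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Event4732'; Finding = $_.TimeCreated; Detail = ($_.Message -split "`n")[0] }
        }
}

$findings = @()
$findings += Get-RdpState
$findings += Get-UnexpectedLocalAdmins -Baseline $ExpectedAdmins
$findings += Get-RecentAdminGroupAdds -Hours 24
$findings | Format-Table -AutoSize
```

An RDP "Enabled=True" result, an unexpected Administrators member and a matching 4732 event in the same window together make the change described above easy to recognise on a host where none of it should have happened.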

Struggling a bit with this one from skills assessment part I

“Find cleartext credentials for another domain user. Submit the username as your answer.”

Unless I am missing something?!?

GPP - Nothing
AD Description - Nothing
File level search from C:\ on MS01 and WEB-WIN01 - Nothing.
Mimikatz - Constant errors of `ERROR kuhl_m_sekurlsa_acquireLSA ; Key import` with psexec.py or PSSessions. :exploding_head: Used multiple versions (debug rights confirmed AND used SYSTEM level access).

Anybody able to point in the right direction?

Thanks. :slight_smile:

Look at my post above on what I learned. I found it using two different methods. You can get it with mimikatz.


There must be many ways to get a stable shell here. I used https://www.revshells.com/ to generate a shell from the webshell we start at. Then I used msfvenom and msfconsole to get a much more stable shell on WIN01.


Hi, 19delta4u, I am also stuck on the same point, already finished AD2, tried both the Linux and Windows way. Interestingly, in Windows after the golden ticket with execution bypass mimikatz I get "pushd \\dc01.inlanefreight.local\admin$ The system cannot contact a domain controller to service the authentication." Secretsdump gave the krbtgt NTLM, but I still cannot get in. Would appreciate your help, because it's been more than a week that I am on this question.

Thanks, I persisted with mimikatz. I couldn't get it to run at all in the environment but used another method to get the lsass dump, took it offline to another Windows machine and it worked perfectly.

Lost a good day or two just trying to get mimikatz to run in the lab environment.

Got the password and moved onto the FINAL part of the assessment.

Part I :100: :sunglasses:

I got an error similar to yours, turns out I hadn't quite done it right.

I followed the above TO THE LETTER and bingo.


Hello colleague, I was so close, finally!!! Thanks a lot!!! If you need further help with AD2, PM me, stellar, on Discord.


I could use a nudge on it… I am going to post a question on the AD2 thread.