Active Directory - Skills Assessment I

I managed to solve this Assessment after a few hours of digging…
So, for the last part, use evil-winrm from your Kali/Parrot machine to perform pass the hash with Administrator :slight_smile:

And for me, I only used chisel (for tunneling) for this assessment; you don't need anything more.

Thank you very much!


Hello guys, stuck with the DC01 hash. I have a psexec session on MS01 via chisel, but cannot impersonate the t***** user; Start-Process in PowerShell as another user won't work. Any hints?

Got it, read the mimikatz docs.

It's easier than it looks: just RDP with the user who can RDP and, when you get a Windows session, open a new PowerShell window as the other user who cannot RDP but can DCSync. (No need to use complicated programs or PowerShell scripts; just “open as other user” directly from the Windows menu…). After that you will have the impersonation done :wink:
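Since this post and several that follow turn on DCSync, here is the defender's view of the same step, as an added example written for this thread (not code from the module or from any poster). A domain controller records a replication request as Security Event ID 4662 whose Properties field names the two replication control-access rights; ordinary replication comes from other DCs (machine accounts ending in `$`), so a 4662 carrying those rights from a user account is the thing to alert on. The log format below is a constructed, flattened `key=value|key=value` rendering of the 4662 fields, and `DC01$` as the sole DC account is an assumption for the sample.

```python
"""Flag likely DCSync activity in Windows Security Event ID 4662 records.

Added example; the record layout is constructed for the demo. Real 4662
events carry the same field names (SubjectUserName, AccessMask, Properties)
but arrive as XML or through a SIEM, so only the parsing line would change.
"""
import re
from dataclasses import dataclass

# Control-access right GUIDs exercised by a directory replication request.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended rights)


@dataclass
class Event4662:
    subject: str
    access_mask: int
    properties: set


def parse_4662(line):
    """Parse one flattened record; return None for any other event ID."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    if fields.get("EventID") != "4662":
        return None
    guids = re.findall(r"\{([0-9a-f-]{36})\}", fields.get("Properties", ""), re.I)
    return Event4662(
        subject=fields["SubjectUserName"],
        access_mask=int(fields["AccessMask"], 16),
        properties={g.lower() for g in guids},
    )


def is_dcsync(ev, dc_accounts):
    """True when a non-DC account exercised a replication control-access right."""
    if ev is None or not (ev.access_mask & CONTROL_ACCESS):
        return False
    if not (ev.properties & REPLICATION_GUIDS):
        return False
    # Replication between domain controllers is expected; anyone else is not.
    return ev.subject.upper() not in {a.upper() for a in dc_accounts}


def find_dcsync(lines, dc_accounts):
    """Return the subjects of every record that looks like a DCSync."""
    return [ev.subject for ev in map(parse_4662, lines) if is_dcsync(ev, dc_accounts)]


# Constructed sample records: one legitimate DC-to-DC replication, one
# replication request by a plain user, one unrelated 4662, one non-4662 event.
SAMPLE_LOG = [
    "EventID=4662|SubjectUserName=DC01$|AccessMask=0x100|Properties="
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|AccessMask=0x100|Properties="
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|AccessMask=0x100|Properties="
    "{bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624|SubjectUserName=jdoe|AccessMask=0x0|Properties=",
]

if __name__ == "__main__":
    for who in find_dcsync(SAMPLE_LOG, dc_accounts=["DC01$"]):
        print(f"possible DCSync by {who}")
```

Only the second record trips the check: it carries both replication GUIDs with the Control Access bit set and comes from a user account rather than a domain controller. Note that the rule keys on the rights exercised, not on the tool used, so it does not matter whether the request came from mimikatz, secretsdump or anything else.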

Ah okay, didn't think of RDP :wink:
Thank you though, I solved it the complicated way :smiley:

This is what I get when I try to connect via RDP. What did I do wrong?

There are a few things you can do and check. First, try wrapping the password in quotes. Second, do a port scan on that IP to see if RDP is open. Third, check your username and creds just in case.


I followed the steps and was able to RDP to MS01. I would just like to understand a bit better: are we assuming that MS01 already has the registry key set to allow RDP and is listening on port 3389? Are there prior verifications to know this will be allowed, or is this a spray-and-pray approach hoping RDP is enabled?

Hey,
So I managed to find all passwords for user tp**** and the hash of Administrator,
made a chisel tunnel and scanned DC01 with nmap, which confirms that the tunneling is OK.
Could not pass the hash for Administrator or crack it through hashcat/john,
could not log in with user tp**** and his password (not evil-winrm, not RDP, not internal RDP),
could not log in through Enter-PSSession -ComputerName DC01 -Credential $cred (attempted multiple $creds).

Please I need help in the last question:

1. Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01

I don't understand what to do next or how to connect to the DC after having the hash for Administrator and the password for the pt**** user… please help.

Bro, could you tell me how to crack the hash? I used rockyou but it doesn't work.

Bro, could you tell me how to find tptty's password? I found the NTLM but can't crack it.

I am stuck on the cleartext password for user t*****. I got the NTLM hash and tried to use hashcat with rockyou.txt. Couldn't get the password?? Any hints would be appreciated.

More progress after some help in Discord:

I have the tpetty password now (if anyone needs help with this, send me a PM and I can help). Stuck on the last question. I am using mimikatz within a PowerShell started using the tpetty creds. I think I am doing the steps correctly, but when I try to read the flag, I keep getting access denied / the path doesn't exist…

Hi
I am completely lost, I have done everything and answered every question except question no 7.
This one has me going in circles.
Thank you.

Hi. I have got both the krbtgt and the Administrator user hashes. How do I proceed to connect to DC01?

For future fellas searching for the user's password, I would suggest trying to dump the LSA secrets of different servers in the network and see what you get.

The module's questions guide you through the steps you need to follow to achieve access to DC01 (domain compromise). I guess you are now at the point where you need to “Find cleartext credentials for another domain user”. With your current pwned creds you can enumerate the available servers on the network (e.g. using “crackmapexec”).

Thanks man, I have already solved it.