Yes. I am busy right now, but if you send me your email address, gmail preferred, i will share my google drive folder with all my HTB module notes.
John
Thank you,
I think you helped me with pivot skill assessment too xD. Thank you for saving my life again
I managed to solve this Assessment after few hours of digging…
so, for the last part, use evil-winrm from your kali/parrot machine to perform pass the hash with Administrator 
and for me, I only used chisel (for tunneling) for this assessment, you dont need anything more.
Thank you very much!
1 Like
hello guys, stuck with the dc01 hash. I have a psexec session on MS01 via chisel, but cannot impersonate t***** user, Start-Process in powershell as other user wont work. Any hints?
got it, read the mimikatz docs
Just wanted to add my solution to the mix, because I solved the last bit differently from most other posters as far as I can see. I stayed on the Windows hosts the whole time haha
The broad steps are:
-
Either RDP or reverse shell into the WEB host, by using the web shell. One of the other commenters already posted how to enable RDP through registry keys. For a reverse shell it’s good to use
msfvenom&msfconsoleso you get a Meterpreter shell that can be used as a proxy for later. -
At this point you kerberoast the next required user’s creds and can pivot to the next host.
-
Get MS01’s ip with
nslookup. If you don’t usechiselor a Meterpreter-session as a proxy, then usenetshto create a tunnel to MS01. -
Once you have a connection and creds, you can get into the next host. Either RDP and copy-paste your tool of choice (probably Mimikatz) or
evil-winrmyour way in. I’ve only tried the first method for this step, so can’t guarantee the second would work. -
Once here you can run
mimikatz.exeand do a dump as others have already instructed. This will get you the next required user’s creds. -
Use these creds in memory to open a Powershell session on the same host. In this Powershell session you can run Mimikatz and do a DCSync attack, getting you a Golden Ticket.
6.1 Generating the creds
$SecPassword = ConvertTo-SecureString 'user_pw' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\username_here', $SecPassword)
Start-Process powershell.exe -Credential $Cred
6.2 The new PS window might be unresponsive, but you can keep going back to the old one and executing
Enter-PSSession -ComputerName localhost -Credential $Cred which should give you some seconds of being able to type and run commands in the new window.
6.3 Get the hash
lsadump::dcsync /user:INLANEFREIGHT\krbtgt /csv
6.4 Get the golden ticket
kerberos::golden /user:new_user /domain:INLANEFREIGHT.LOCAL /krbtgt:some_hash /sid:some_sid /ticket:evil.tck /ptt
- Exit Mimikatz, but don’t close the Poweshell window, and using the ticket that has been inserted into the session’s memory read the flag on the DC01 host’s admin user desktop folder.
type \\DC01\C$\Users\Administrator\Desktop\flag.txt
It´s more easy than it looks, just RDP with the user who can RDP and when you get windows session, open a new powershell window as the other user who can not RDP but can DcSync. (No need to use complicated programs, or powershell scripts. Just “open as other user” directly from windows menu…). After that you will have the impersonation done 
Ah okay didn’t think of RDP
Thank you though, I solved it the complicated way 