I managed to solve this Assessment after few hours of digging…
so, for the last part, use evil-winrm from your kali/parrot machine to perform pass the hash with Administrator 
and for me, I only used chisel (for tunneling) for this assessment, you dont need anything more.
Thank you very much!
1 Like
hello guys, stuck with the dc01 hash. I have a psexec session on MS01 via chisel, but cannot impersonate t***** user, Start-Process in powershell as other user wont work. Any hints?
got it, read the mimikatz docs
Just wanted to add my solution to the mix, because I solved the last bit differently from most other posters as far as I can see. I stayed on the Windows hosts the whole time haha
The broad steps are:
-
Either RDP or reverse shell into the WEB host, by using the web shell. One of the other commenters already posted how to enable RDP through registry keys. For a reverse shell it’s good to use
msfvenom&msfconsoleso you get a Meterpreter shell that can be used as a proxy for later. -
At this point you kerberoast the next required user’s creds and can pivot to the next host.
-
Get MS01’s ip with
nslookup. If you don’t usechiselor a Meterpreter-session as a proxy, then usenetshto create a tunnel to MS01. -
Once you have a connection and creds, you can get into the next host. Either RDP and copy-paste your tool of choice (probably Mimikatz) or
evil-winrmyour way in. I’ve only tried the first method for this step, so can’t guarantee the second would work. -
Once here you can run
mimikatz.exeand do a dump as others have already instructed. This will get you the next required user’s creds. -
Use these creds in memory to open a Powershell session on the same host. In this Powershell session you can run Mimikatz and do a DCSync attack, getting you a Golden Ticket.
6.1 Generating the creds
$SecPassword = ConvertTo-SecureString 'user_pw' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\username_here', $SecPassword)
Start-Process powershell.exe -Credential $Cred
6.2 The new PS window might be unresponsive, but you can keep going back to the old one and executing
Enter-PSSession -ComputerName localhost -Credential $Cred which should give you some seconds of being able to type and run commands in the new window.
6.3 Get the hash
lsadump::dcsync /user:INLANEFREIGHT\krbtgt /csv
6.4 Get the golden ticket
kerberos::golden /user:new_user /domain:INLANEFREIGHT.LOCAL /krbtgt:some_hash /sid:some_sid /ticket:evil.tck /ptt
- Exit Mimikatz, but don’t close the Poweshell window, and using the ticket that has been inserted into the session’s memory read the flag on the DC01 host’s admin user desktop folder.
type \\DC01\C$\Users\Administrator\Desktop\flag.txt
It´s more easy than it looks, just RDP with the user who can RDP and when you get windows session, open a new powershell window as the other user who can not RDP but can DcSync. (No need to use complicated programs, or powershell scripts. Just “open as other user” directly from windows menu…). After that you will have the impersonation done 
Ah okay didn’t think of RDP
Thank you though, I solved it the complicated way 
There are a few things you can do and check. First, try wrapping the password in quotes. Second, do a port scan on that IP to see if RDP is open. Third is checking your username and creds just in case.
1 Like
I followed the steps and was able to RDP to MS01. I would just like to understand a bit better, are we assuming that MS01 already has the registry key set to allow RDP and is listening on port 3389? Is there prior verifications to know this will be allowed or is this a spray and pray approach hoping RDP is enabled?
Hey,
So I mange to find all password for user tp**** and the hash of Administrator,
Made a Chisel tunneling and scanned DC01 with nmap which confirm that tunneling is ok.
Could not pass the hash for Administrator or Crack it through hashcat\john,
Could not loggin with user tp**** and his password, (Not evilwinrm - Not RDP – Not internal RDP)
Could not loggin through Enter-PSSession -ComputerName DC01 -Credential $cred (attempted multiple $creds)
Please I need help in the last question:
- 1 Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
I dont understand and know what to do next how to connect to the DC after having the hash for administrator and password for pt**** user… please help.
How did you find cleartext of tpetty user? I stucked and can not find anything. I also dumped lsa. There is ntlm hashes, but can not cracked
bro. could u tell me how to crack the hash? i used rockyou but it doesn’t work
bro,could you tell me how to find the tptty’s password?i found the ntlm but can’t crack it