Active Directory - Skills Assessment I

Yes. I am busy right now, but if you send me your email address (Gmail preferred), I will share my Google Drive folder with all my HTB module notes.


Thank you,
I think you helped me with the pivoting skills assessment too xD. Thank you for saving my life again.

I managed to solve this assessment after a few hours of digging…
So, for the last part, use evil-winrm from your Kali/Parrot machine to perform pass-the-hash with Administrator :slight_smile:

And for me, I only used chisel (for tunneling) for this assessment; you don't need anything more.

Thank you very much!


Hello guys, I'm stuck on the DC01 hash. I have a psexec session on MS01 via chisel, but cannot impersonate the t***** user; Start-Process in PowerShell as another user won't work. Any hints?

Got it, read the Mimikatz docs.

Just wanted to add my solution to the mix, because I solved the last bit differently from most other posters, as far as I can see. I stayed on the Windows hosts the whole time haha :slight_smile:

The broad steps are:

  1. Either RDP or reverse shell into the WEB host by using the web shell. One of the other commenters already posted how to enable RDP through registry keys. For a reverse shell it’s good to use msfvenom & msfconsole so you get a Meterpreter shell that can be used as a proxy later.

  2. At this point you kerberoast the next required user’s creds and can pivot to the next host.

  3. Get MS01’s IP with nslookup. If you don’t use chisel or a Meterpreter session as a proxy, then use netsh to create a tunnel to MS01.

  4. Once you have a connection and creds, you can get into the next host. Either RDP and copy-paste your tool of choice (probably Mimikatz) or evil-winrm your way in. I’ve only tried the first method for this step, so I can’t guarantee the second would work :slight_smile:.

  5. Once here you can run mimikatz.exe and do a dump as others have already instructed. This will get you the next required user’s creds.

  6. Use these creds in memory to open a PowerShell session on the same host. In this PowerShell session you can run Mimikatz and do a DCSync attack, getting you a Golden Ticket.

     6.1 Generating the creds

         # Build a PSCredential for the second user and spawn a PowerShell process as that user
         $SecPassword = ConvertTo-SecureString 'user_pw' -AsPlainText -Force
         $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\username_here', $SecPassword)
         Start-Process powershell.exe -Credential $Cred

     6.2 The new PS window might be unresponsive, but you can keep going back to the old one and executing

         Enter-PSSession -ComputerName localhost -Credential $Cred

     which should give you some seconds of being able to type and run commands in the new window.

     6.3 Get the hash (in Mimikatz, running in the new window)

         lsadump::dcsync /user:INLANEFREIGHT\krbtgt /csv

     6.4 Get the golden ticket (some_hash and some_sid are the krbtgt NTLM hash and the domain SID from the previous step)

         kerberos::golden /user:new_user /domain:INLANEFREIGHT.LOCAL /krbtgt:some_hash /sid:some_sid /ticket:evil.tck /ptt

  7. Exit Mimikatz, but don’t close the PowerShell window, and using the ticket that has been inserted into the session’s memory read the flag on the DC01 host’s admin user desktop folder.

         type \\DC01\C$\Users\Administrator\Desktop\flag.txt

It's easier than it looks: just RDP with the user who can RDP, and when you get a Windows session, open a new PowerShell window as the other user who cannot RDP but can DCSync. (No need to use complicated programs or PowerShell scripts. Just “open as other user” directly from the Windows menu…) After that you will have the impersonation done :wink:

Ah okay, didn’t think of RDP :wink:
Thank you though, I solved it the complicated way :smiley: