Active Directory - Skills Assessment I

Sorry about the stupid question, but I can’t get a better shell. All my tries give me shells that don’t allow me to run mimikatz or Enter-PSSession. Which one did you use?

Hi, I am stuck on Skills Assessment Part I to find tpetty password. The question is: Submit this user’s cleartext password.
I have tried mimikatz, crackmapexec, rubeus, dumping LSA, and connecting with SMB, but nothing works. I tried from Kali and Windows. I have uploaded tools to Windows to try from there. With this command C:\Rubeus.exe kerberoast /outfiles:hashes.txt [/user:tpetty] [/domain:INLANEFREIGHT.LOCAL] [/dc:DC01.INLANEFREIGHT.LOCAL] I saw 7 hashes, but tpetty’s name isn’t there. Mimikatz found only the admin account. Can someone write the steps to find the cleartext password?

Edit: I have found the NTLM hash of tpetty, but hashcat was unable to crack it. Does anyone know how to crack it?

I know researching is the best practice to be a good hacker, but here is my grain of sand.
For those who are stuck on the cleartext password and are not able to dump lsass with mimikatz:
In relatively new versions, Microsoft added a secure configuration to the WDigest registry key to prevent dumping it with mimikatz.
Just go to cmd and change the value of the REG_DWORD to 1:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
and after that, force the update:
gpupdate /force

Now dump it again and there it is…
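As an added defensive counterpart to the post above (not code from this thread), the following PowerShell snippet audits the WDigest UseLogonCredential value that the post flips to 1 and pins it back to 0, so LSASS stops caching cleartext credentials; the function names are my own, and it assumes a Windows version where an absent value means caching is off.

```powershell
# Added example (not from the thread): audit and remediate the WDigest
# UseLogonCredential setting. A value of 1 makes LSASS keep cleartext
# credentials in memory, which is exactly what the post above relies on.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestState {
    # Returns 'Disabled' (0, or value absent on Windows 8.1 / 2012 R2 and
    # later), 'Enabled' (1), or 'Unexpected' for any other value.
    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disabled' }
    switch ($item.$ValueName) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { 'Unexpected' }
    }
}

function Set-WDigestDisabled {
    # Explicitly write 0 rather than deleting the value: with registry
    # auditing (Event ID 4657) a later change to 1 then shows up as a
    # modification of a known-good value instead of the creation of a new one.
    New-ItemProperty -Path $WDigestKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-WDigestState
Write-Host "WDigest cleartext caching: $state"
if ($state -ne 'Disabled') {
    Write-Warning "Cleartext credential caching is on; resetting $ValueName to 0."
    Set-WDigestDisabled
    Write-Host "Now: $(Get-WDigestState) (applies to new logons; reboot to flush existing sessions)"
}
```

Run it from an elevated prompt; a reboot (as the later DCSync post also notes for MS01) is what makes the change apply to sessions that are already logged on.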

This doesn’t show the clear-text password for me; after changing the registry and dumping with mimikatz it shows (null) under wdigest.

Dump lsass with mimi

I couldn’t succeed with your suggestion; it doesn’t work with Mimikatz, but I succeeded by dumping the SAM files, and with secretsdump I found the cleartext password…

I did it that way

To anyone having issues pivoting to the DC: you would get a hint from Bloodhound to escalate privs from t*****. Do the attack mentioned in Bloodhound correctly, with impersonation. Read the Mimikatz docs in detail.

This one was difficult due to some items not really covered in the modules.

If you’re stuck on the DCSync, follow this link and review the part that goes over a registry change. You’ll have to reboot the MS01 server for that change to apply. You should then be able to perform the DCSync attack.

For the final challenge (Domain Takeover) I suggest Googling PTH.

Hello guys!! I am really stuck with an error when I try to use xfreerdp with proxychains. I used meterpreter tunnelling and pivoted through the WEB01 machine to reach MS01 with xfreerdp. Although the proxychains nmap command works, xfreerdp gives an error. It says “Please check that the $DISPLAY environment variable is properly set”. Actually it was working before, but I took a break for a few weeks, and now I can’t make it work. Do you guys have any idea what I am missing? Thanks.

Does anyone else have problems with the webshell? I can log into it just fine but cannot execute any commands or upload anything. It just loads, and after some time the connection is reset. Am I missing something here?

Try using /timeout:<time in ms> for xfreerdp and setting the resolution with /size: