Active Directory - Skills Assessment I

Sorry about the stupid question but: I can’t get a better shell. All my tryes give me shells that doesn’t allow me to run mimikatz or Enter-PSSession. wich one did you use?

Hi, I am stuck on Skills Assessment Part I to find tpetty password. The question is: Submit this user’s cleartext password.
I have tried mimikatz, crackmapexec, rubeus, dumping lsa, connecting with smb but nothing works. I tried from Kali and Windows. I have uploaded tools on Windows to try from there. With this command C:\Rubeus.exe kerberoast /outfiles:hashes.txt [/user:tpetty] [/domain:INLANEFREIGHT.LOCAL] [/dc:DC01.INLANEFREIGHT.LOCAL] I saw 7 hashes but there isnt tpetty name. Mimikatz found only admin account. Can someone write steps to find cleartext password?

Edit: I have found NTLM hash of tpetty but hashcat was unable to crack it. Anyone knows how to crack it?

I know researching is the best practise to be a good hacker, but here is my grain of sand.
For those who are stucked in the cleartext password and you are not able to dump lsass with mimikatz:
From new(relatively) versions, microsoft add a secure conf to the wdigest reg to prevent its dump using mimikatz.
Just go to cmd and change the value of REG_DWORD to 1:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
and after that, force the update:
gpupdate /force

Now dump it again and there it is…

This doesn’t show clear-text password for me, after changing the registry and dumping with mimikatz it shows (null) under wdigest

Dump de lsass with mimi

Could’t succeed with your suggestion, it doesn’t work with Mimikatz, but I succeeded with dumping SAM files, with secretsdump I found cleartext password…

I did it that way

To anyone having issues with pivoting to DC. You would get a hint from the Bloodhound to escalate the privs from t*****. Do the Attack mentioned in Bloodhound correctly with impersonation. Read the Mimikatz docs in detail.