enumerate and explore shares on the domain controller. Spidering with crackmapexec will make it obvious which file it is, but you’ll run into a permissions snag if you try to get it with SMB Client. Instead, RDP into MS01 with the second set of credentials and then just navigate to the file using cd and dir.
I have a question about part two of the skills assessment as well. I have found the SQL connection string and used those credentials with mssqlclient.py to connect and use xp_cmdshell. However, I am stuck on what to do next. I know that the sql service account has _____ privileges that can be exploited for privilege escalation, but what I’m stuck on is that any attempt to use xp_cmdshell to transfer tools/exploits or open a reverse shell throws up some weird syntax errors. I’m also confused because whoami /groups says it’s a high integrity shell, but I can’t read the /Users/Administrator/ directory. Any pointers on what’s next after getting xp_cmdshell?
Check the correct way to use syntax escapes / quotation in xp_cmdshell. Also figure out a location with read / write access. Then you should be good to go!