Active Directory - Skills Assessment II

JackyLam · June 3, 2022, 2:53pm

Hi All,

I working on ACTIVE DIRECTORY ENUMERATION & ATTACKS - Skills Assessment Part II

Im stuck on Q8. “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.”

I tried to find any credential on machine S but failed.

Any idea u guys can share?

JackyLam · June 3, 2022, 4:28pm

Found a way to finish it

PaoloCMP · June 3, 2022, 5:31pm

Can I ask you a hint about Q3? I tried all methods I know

JackyLam · June 3, 2022, 5:34pm

Hi PaoloCMP,

u can try to use crackmapexec winrm to execute command

TuxedoNetcat · June 10, 2022, 10:01pm

@JackyLam hey there, any tips for question 6? i have the creds for the 2nd user but i dont know where to find the so called config file

binho1337 · June 11, 2022, 12:05am

Snaffler.exe to get

PaoloCMP · June 20, 2022, 1:16pm

Any hint about common method to obtain the second credentials?

Rapunzel3000 · July 12, 2022, 4:20pm

I was also unsuccessful in finding a “common method to obtain weak credentials for another user”. Any hints on that question?

binho1337 · July 12, 2022, 7:00pm

password spray

ewilkins98 · July 14, 2022, 7:57pm

RDP worked for me using the credentials gained in questions 1 and 2

ewilkins98 · July 14, 2022, 8:00pm

enumerate and explore shares on the domain controller. Spidering with crackmapexec will make it obvious which file it is, but you’ll run into a permissions snag if you try to get it with SMB Client. Instead, RDP into MS01 with the second set of credentials and then just navigate to the file using cd and dir.

ewilkins98 · July 14, 2022, 8:05pm

I have a question about part two of the skills assessment as well. I have found the SQL connection string and used those credentials with mssqlclient.py to connect and use xp_cmdshell. However, I am stuck on what to do next. I know that the sql service account has _____ privileges that can be exploited for privilege escalation, but what I’m stuck on is that any attempt to use the xp_cmdshell to transfer tools/exploits or open a reverse shell throws up some weird syntax errors. I’m also confused because whoami /groups says its a high integrity shell, but I can’t read the /Users/Administrator/ directory. Any pointers on what’s next after getting the xp_cmdshell?

TheB3an · July 21, 2022, 7:25pm

Any bump? I’m stuck on the same question - Question 8, flag on MS01 Administrator desktop.

Rapunzel3000 · July 22, 2022, 9:33am

Check the correct way to use synthax escape / quotation in the xmp_cmdshell. Also figure out a location with read / write access. Then you should be good to go!

t0mu · July 22, 2022, 11:48am

But in theory we only have 1 password for the first user, and it doesn’t work for de second user…

t0mu · July 22, 2022, 11:59am

Ok, just review again the course, part: Internal Password Spraying - from Linux

PaoloCMP · July 22, 2022, 4:49pm

Did you create a wordlist for users? If so, how?

Rapunzel3000 · July 22, 2022, 9:08pm

Just be a little bit creative…

easydor · July 24, 2022, 8:22am

I tried spraying this wordlist:

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/top-passwords-shortlist.txt

…should we use a longer one, or it is a totally wrong path? Thankyou!

PaoloCMP · July 24, 2022, 1:51pm

EDIT: I got SQL01.
I’m here too. Did you go through?

Now I’m on MS01