Active Directory - Skills Assessment II

Hi All,

I'm working on ACTIVE DIRECTORY ENUMERATION & ATTACKS - Skills Assessment Part II

I'm stuck on Q8. “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.”

I tried to find any credential on machine S but failed.

Any idea u guys can share?

Found a way to finish it

Can I ask you a hint about Q3? I tried all methods I know

Hi PaoloCMP,

u can try to use crackmapexec winrm to execute command :grin:

@JackyLam hey there, any tips for question 6? I have the creds for the 2nd user but I don't know where to find the so-called config file

Snaffler.exe to get

Any hint about common method to obtain the second credentials?

I was also unsuccessful in finding a “common method to obtain weak credentials for another user”. Any hints on that question?

password spray

RDP worked for me using the credentials gained in questions 1 and 2

Enumerate and explore shares on the domain controller. Spidering with crackmapexec will make it obvious which file it is, but you’ll run into a permissions snag if you try to get it with SMB Client. Instead, RDP into MS01 with the second set of credentials and then just navigate to the file using cd and dir.

I have a question about part two of the skills assessment as well. I have found the SQL connection string and used those credentials with mssqlclient.py to connect and use xp_cmdshell. However, I am stuck on what to do next. I know that the SQL service account has _____ privileges that can be exploited for privilege escalation, but what I’m stuck on is that any attempt to use xp_cmdshell to transfer tools/exploits or open a reverse shell throws up some weird syntax errors. I’m also confused because whoami /groups says it’s a high integrity shell, but I can’t read the /Users/Administrator/ directory. Any pointers on what’s next after getting the xp_cmdshell?

Any bump? I’m stuck on the same question - Question 8, flag on MS01 Administrator desktop.

Check the correct way to use syntax escape / quotation in xp_cmdshell. Also figure out a location with read / write access. Then you should be good to go!

But in theory we only have 1 password for the first user, and it doesn’t work for the second user…

OK, just review the course again, part: Internal Password Spraying - from Linux

Did you create a wordlist for users? If so, how?

Just be a little bit creative…

I tried spraying this wordlist:

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/top-passwords-shortlist.txt

…should we use a longer one, or is it a totally wrong path? Thank you!

EDIT: I got SQL01.
I’m here too. Did you go through?

Now I’m on MS01