Active Directory - Skills Assessment II

Stuck on Q10.
I got a user who has “GenericAll” rights. Any hint to get his hash?

I’m stuck here as well, if you find anything please share!

Apply the hint from question 9!

yes, same technique… but different OS! I used Inveigh.ps1

I got the user and the password from Q10, and I know how to exploit the GenericAll rights against DC01, but I can’t evil-winrm or RDP to the user (even if BloodHound tells me that this user is in “Domain Users” and that group can RDP to MS01), so what is going wrong?

There are still different methods to perform remote access on DC01 from MS01.

Yes, and get the tunneling too; for me SSH tunneling worked instead of chisel.

Did you solve it?

For question number 10 I am running inveigh.ps1 on MS01 and I got no hash. Can someone help me to get this last hash, please?

So now I am trying to get the hash for the CT*** user. I RDP onto MS01 and ran inveigh.ps1 but I was not able to get any hashes. I also uploaded Inveigh to SQL01 and again I got no hashes for CT***.

Any clues?

NVM, I got it, was using the right tool in the wrong place!

I have the same problem, how did you solve it?

I tried but I found nothing… where should I search?

Oh guys…
Can anyone PM me to give a tip?
I'm stuck on Q8. “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.”
I just get SYSTEM in MSQL01 host, and I don't know how to connect in MS01 with SYSTEM.
I already tried: find creds, Kerberoasting, ACL, groups, Inveigh, Rubeus, SharpHound. Can't find the way :cake:

If you obtained an elevated shell on the SQL server, you can use Mimikatz to get logon passwords for another service account. You can use these credentials for logging into MS01 using python.

Thank you man!

And so it went like this… After getting this password I did password spraying, but for some reason crackmapexec didn’t work… Took me two days to learn it :smiley:

I cannot RDP to MS01 from SKILLS-PAR01 using Remmina or xfreerdp. I am getting a DISPLAY error.

I can use evil-winrm to access MS01 with the AB920 user account, but it’s very difficult to operate from evil-winrm in terms of escalating privileges or running Responder/Inveigh.

p.s. The DC is vulnerable to zerologon, but I’m trying to finish this module step-by-step.

Any recommendations would be helpful!

I basically need help figuring out questions 4 and 5.

THX

Did anybody help you?

How did you RDP? I have the AB920 user creds, but I cannot RDP. I get a DISPLAY error in Parrot.

Evil-Winrm does not cut it for extended AD enumeration.
Your issues with RDP-connectivity are most likely VPN-related (also in Pwnbox).
Renew your VPN to a different region, clear your browser and give it another try!