Active Directory - Skills Assessment II

Stuck on Q10.
I got user who as “GenericAll” rights. Any hint to get his hash?

I’m stuck here as well, if you find anything please share!

Apply the hint from question 9!

yes, same technique… but different OS! I used Inveigh.ps1

I got the user and the password from Q10, i and i know ho to exploit the GenericAll rights against DC01, but i can’t evil-winrm or rdp to user (even if bloodhound tells me that this user is in “Domain Users” and that group can rdp to ms01) , so what is going wrong?

1 Like

There are still different methods to perform remote access on DC01 from MS01.

yes, and get the tunneling too, for me worked ssh tunneling instead of chisel

1 Like

Did you solve it?

For question number 10 I am running inveigh.ps1 on MsO1 and I got no hash can someone help me to get this last hash pls.

so now i am trying to get the hash for the CT*** user. I RDP onto MS01 and rand inveigh.ps1 but i was not able to get any hashes. i also uploaded Inveigh to SQL01 and again i got no hashes for CT***.

any clues?

NVM i got it was using the right tool in the wrong place!

I have the same problem, how did you solve it?

I tried but i found nothing… where should i search?

Oh guys…
Can anyone PM me to give a tip?
Im stuck on Q8. “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.”
I just get SYSTEM in MSQL01 host, and I dont know how to connect in MS01 with SYSTEM.
I already tryed: find creds, kerboroasting, ACL, groups, Inveigh, Rubeus, SharpHound. Cant find the way :cake:

If you obtained an elevated shell on the SQL server, you can use Mimikatz to get logon passwords for another service account. You can use these credentials for logging into MS01 using python.


Thank you man!

And so it went like this… After getting this password I did password spraying, but for some reason crackmapexec didn’t work… Took me two days to learn it :smiley:

Attention! It turns out that the password should have been given in quotes…

I cannot RDP to MS01 from SKILLS-PAR01 using Remmina or xfreerdp. I am getting a DISPLAY error.

I can use evil-winrm to access MS01 with the AB920 user account, but it’s very difficult to operate from evil-winrm in terms of escalating privileges or running Responder/Inveigh.

p.s. The DC is vulnerable to zerologon, but I’m trying to finish this module step-by-step.

Any recommendations would be helpful!

I basically need help figuring out questions 4 and 5.


Did anybody help you?

How did you RDP? I have the AB920 user creds, but I cannot RDP. I get a DISPLAY error in Parrot.