Active Directory - Skills Assessment II

Make sure you put quotes around your credentials with smbclient (-U '[domain]\[username]%password') or you'll get that error. You should then be able to get the file.

Just completed the module and found it a really fun challenge. To anyone struggling, it gets much easier towards the end. Just remember to enumerate and make sure you test what credentials you might have access to every time you own a new account or machine. And like others I found it much easier to RDP, or reverse shell out of evil-winrm, wherever I could.

One thing - I had problems throughout with executing ‘Import-Module activedirectory’ and also had fatal errors when I tried to use Powerview.ps1 (presumably because it depends on activedirectory features?). That made it really hard at points, particularly when I was trying to enumerate ACLs with new accounts. Bloodhound is fine, but it only goes so far.

I tried a few different ways (installing the activedirectory module with a whole bunch of different commands, and importing a version of the module DLL directly) but none of them worked. Was I missing something really obvious to get the activedirectory module loaded, or another way to get Powerview.ps1 to work without it? Feel like this will hold me back on future labs.

This was a straightforward RDP to MS01 for me; use the second account and have a look at the shares on the DC.

Particularly “private” IT folders within the share.

Found the service account using mimikatz but does not seem to show any creds. The only creds I received are for SQL01$ but I am thinking that is not correct.

Good shout! Just a warning to anyone: I've followed the Windows section guide and you might run into an error like this when trying to import a specific module mentioned:

\Users????\Desktop> ???-??? .????.???
At \Users????\Desktop????.???:261 char:21
+     Write-Host "$Message: Waiting for $($Seconds/60) minutes. $($ ...
+                 ~~~~~~~~~
Variable reference is not valid. ':' was not followed by a valid variable name character. Consider using ${} to
delimit the name.
    + CategoryInfo          : ParserError: (:) , ParentContainsErrorRecordException
    + FullyQualifiedErrorId : InvalidVariableReferenceWithDrive

To fix the error, open it in Notepad, go to line 261, literally just remove the colon character, save the file and re-import. There's no other way to get the second username that I can see! HTB needs to check these work.


Thanks @Ezi0 for your help. I'm having trouble getting files onto SQL01; it seems every xp_cmd I'm doing I get access denied and can't change directory! What did you try?

Can anyone DM me for how they are connecting to the MS01 from their Kali VM? Are you first going through Parrot as the pivot? The reason I ask is also because I have tried to RDP through Parrot and have nothing but issues. I have tried multiple regions and the connection is basically unusable through the RDP session. Thank you for any assistance you all can provide.

Have you tried to use the pwnbox instead? Working fine for me today.

I have used the pwnbox, which does work, but I like to connect whenever possible from my Kali instance so that I get used to installing and using the tools from there. I was a bit confused with some of the comments that talked about connecting Kali through the resolv.conf though. I was wondering if they were pivoting through the attack box using chisel or sshuttle.

For anyone having issues with the RDP portion of this, I am posting a quick guide to get you up and running as quickly as possible.

First connect to ParrotOS Attack Box:

xfreerdp /v:<IP_TO_PARROT_ATTACK_BOX> /u:<Username> /p:<Password> /h:1080 /w:1920 /smart-sizing +clipboard

Set your desired resolution using the /h: and /w: + /smart-sizing flags. You may need to play with them to get your desired layout.

Then, once you have your session to the Parrot Attack VM, use Remmina by selecting the Applications Menu in the upper left-hand corner > Internet > Remmina. Connect by using the Username, Password, and Domain: Inlanefreight.local

Once connected, adjust the screen and then in the left-hand sidebar, select: Toggle dynamic resolution update.

I hope this helps someone as I personally had issues with setting things up correctly. From here you should be good and able to get what you need done.

Try using the directory “c:\users\public\downloads”. In that directory you should be able to upload any tool. I hope I helped you.


You can also run chisel on Parrot and proxychains xfreerdp right to MS01 from Kali.

Thanks, I was initially running with sshuttle but it was just too slow during the enumeration of the domain. Right now I'm trying to figure out how to get PowerView to work. I'm nt authority\system on MS01, RDP'd from the Parrot box. I did a PtH with mimikatz and still cannot get this tool to work. All I need to do is the last two questions, and I have what I need provided by Bloodhound, but without using PowerView I'm not sure how to do this.

You're ahead of me; I just got onto SQL01 and I need to figure out admin on MS01 now. Just curious, did you make sure to launch PowerShell as admin to try PowerView?

Yes, I used the MS01 machine. I RDP'd into it from the Attack Box. I tried doing it two ways. The first was to open PowerShell as admin. Then I used a PtH attack with Mimikatz to elevate to nt authority\system, opening a PowerShell session as nt authority. Neither way worked for me. I just could not get PowerView to work. It keeps giving me an error when trying to run Add-DomainGroupMember.

Can someone give me a nudge on what I should be looking for on SQL01 once I've got admin on it? I have been digging around but I think I am missing it. Thanks!

Try looking into a dump file :wink: There’s a plain text password for a service account that can be found with a tool we covered in the module.


Try downloading PowerView from the internet and not from the provided .ps1 in the attack box.
Copy it and paste it into MS01, but wait a few minutes before executing any commands.
I’ve had this issue where PowerView wasn’t working for me but waiting a few minutes after copying and a few minutes after pasting worked for me for some reason.

Also, you don't need to have nt authority\system on MS01. All you need is user C****. You don't even have to do any proxytunnel pivoting.
You can RDP as BR****, then right-click PowerShell > run as different user, as C****. From there, use PowerView to take advantage of the GenericAll ACL to change the password for a certain user.


Thank you for the info. I will attempt to complete it with your guidance and will let you know how it goes. It's funny because I know what I need to do, but how to do it correctly is actually the most elusive part. For some reason, I have been having issues with lab stability which has added a degree of complexity (and frustration). I want to become as proficient as possible attacking AD and I think working through this a couple of times will help me gain the understanding and skills I'm after. I really appreciate you replying. Thank you again!

Did you complete the assessment?

How do I go about figuring out what user has GenericAll ACL rights? I tried all the things I could think of, including Bloodhound. I am either missing something or doing something wrong. Any pointers/hints you could give me? Thanks!
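Several posts above ask how to find which principal holds GenericAll when Import-Module ActiveDirectory fails and PowerView will not load. Here is an added example (not from this thread, PowerView or HTB) that reads object DACLs through .NET's System.DirectoryServices, which needs no module at all; it assumes a domain-joined session, and the function name and default LDAP filter are my choices.

```powershell
# Added example: list principals granted GenericAll on AD objects using only
# System.DirectoryServices, so it works even when Import-Module ActiveDirectory fails.
# Assumes the session runs as a domain user that can read the objects' DACLs.
function Get-GenericAllHolder {
    param(
        # LDAP filter for the objects to audit (assumed default: user objects)
        [string]$Filter = '(&(objectCategory=person)(objectClass=user))'
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $base     = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter)
    $searcher.PageSize      = 1000
    # Request only the DACL part of the security descriptor for each object
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('ntSecurityDescriptor')

    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($result.Properties['ntsecuritydescriptor'][0])
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll is a mask of several bits; require the whole mask, not just one bit
            if (($ace.ActiveDirectoryRights -band $genericAll) -ne $genericAll) { continue }
            # Resolve the SID to a name where possible; keep the raw SID otherwise
            try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.IdentityReference.Value }
            [pscustomobject]@{
                Object    = $dn
                Principal = $who
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Typical audit: show explicit (non-inherited) grants first, since inherited ones
# usually come from domain or OU defaults such as Domain Admins and SYSTEM
Get-GenericAllHolder | Sort-Object Inherited, Object | Format-Table -AutoSize
```

Explicit GenericAll grants to ordinary users or groups are the ones worth reviewing, on both sides of the engagement: they are what BloodHound draws as GenericAll edges, and from a defensive view they are the entries to remove or justify.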