AD Enumeration & Attacks - Skills Assessment Part I

Hello Everyone,

I wanted to connect via RDP to the machine, instead of staying on the webshell.
I ran this command to enable RDP on the machine: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name 'fDenyTSConnections' -value 0, but I cannot connect to it.

xfreerdp tells me the connection fails (not even speaking about authenticating).

I know it is not mandatory for this box, but I just wanted to know if it is possible and, if so, how.

Thank you in advance for your help!

You can use https://www.revshells.com/ to generate a base64-encoded PowerShell reverse shell, with nc listening.

I found tpetty's credentials but can't get access with the account. Can someone help me? I'm stuck on question 7.

Check the secrets in LSA.

At what level?

I got it, but now I'm stuck trying to get to the DC01 domain. I have some NT hashes from the Administrator but don't know how to connect to DC01, for the question "Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01".

Thank you!

How can I pass the hash to DC01 with only PowerShell? I'm on the last exercise. I have the admin hash and the tpetty password!

Any idea how to get the password of the tpetty user on MS01?

mkevin,
I have the NTLM hash of the Administrator; I'm just stuck on how to execute the PTH to DC01. I use mimikatz and get a new window when I use the admin's NTLM hash, but I still can't access the DC. Any hints?

Do a pass-the-hash on DC01 plus command execution with the CME option -X 'command'.

Mike,
I am at that point and am now stuck on how to get access to the DC. I tried doing the PTH attack with the admin user, but it seems it is not working. I feel like I am missing one small step.
Thank you for your time.

Hint on accessing the DC01?
I am using chisel for my proxy tunnel. I am authenticating to the DC via crackmapexec; however, I can't find the flag.
Thank you

I got an RDP connection, but I have no tools (like PowerView) on MS01 to do further enumeration. Do we need them, and if so, how can we bring files from our attacker machine to MS01? (I know we had the "File transfer" module, but I'm not sure how to do it with a proxy connection to the target.)

Within Skills Assessment 1, tools like PowerView are blocked; that being said, you need to use crackmapexec to access DC01. I used the tool raiseChild.py from impacket to obtain the DC01 admin hash. Once I obtained the DC01 admin hash, I then used CME to enumerate the DC and find the flag on the Desktop. Think CME with the -x parameter.

To copy tools over to MS01 from your attack host, you can literally copy-paste the tool over, or use certutil; however, in this assessment those ways are blocked.

Thank you, it was really helpful!

Thank you everyone for your awesome tips; they're much appreciated. I found myself referring back to older modules and getting back to the basics. I would refer to the File Transfer module, the Password Attacks module, and the Pivoting, Tunneling and Port Forwarding module. Best of luck to everyone, and thank you once again.

Why do I get "Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)"? I tried ntpdate again and again.

Try:

sudo rdate -n <remote-ip>

If you try it from a VM, don't forget to disable time sync with the host machine (or the time change will revert).