Hi j4l3n, I had success using nmap through proxychains; check the output for unusual latency times, which might show you the right IP.
If you’re really stuck, you’ll need to first use a proxy of your choice to work between the external target (the 10.129.X.X) and your attacker (remember to change your proxychains.conf file!), keep both of those windows open, and then try running a proxychains nmap scan on a subnet range. Hope that clears things up a little for you.
If someone has problems with last question, please refer to the section titled “Mimikatz - PowerShell Remoting with Pass the Ticket.” Keep in mind that we have two users available for testing purposes: “s****” (user from the 2nd question) and “t****” (user from the 5th question). Consequently, make sure to experiment with both of these user accounts. Additionally, if any specific tools are required, you can easily copy and paste them into the RDP session using Ctrl+C and Ctrl+V.
I appreciate your prompt response! I had previously attempted it using both proxychains and nmap with the “-sn” parameter. Thank you for your quick assistance!
Hi guys, it might be a stupid question, but I do not know how to Kerberoast an account without an account that is able to authorize against the DC. Once I log into the web shell I get the meterpreter reverse shell on my machine. I have made copies of SAM, SECURITY and SYSTEM and got the hash for Administrator, but it looks like he can only authenticate into MS01 but not the DC, so any Kerberoasting goes out the window. I also tried kerbrute, but it completely did not work for some reason. How did you guys find the first user and their password?
I have the same problem…
Could not solve the last question. I have the Administrator hash and a username with password; nothing works after tunneling with chisel (which works with Nmap), but I could not pass the hash or connect with multiple methods to DC01…
I am somewhat baffled re: Question 5; cleartext to me implies WDigest or ms-DS-Password-Reversible-Encryption-Enabled. Even when I turn on WDigest by force, I get the MS01 password, but t**** is still null (and unless he’s magically going to re-auth, that makes sense).
Tried multiple versions of mimikatz using it with procdump.
EDIT: Forgot the most important lesson from the OSCP! If it doesn’t work, reboot the machine!
Hmm, would you mind giving me another hint on how to get the cleartext password?
I tried different versions of mimikatz, the pypykatz method, winPEAS, even dumping and examining SAM because I ran out of ideas… Also, cracking the NTLM hash was not successful.
I did reboot the machine 3 times and think that this should not be the cause of why I am not able to get the cleartext password of user t*****.
Am I not seeing something obvious? Credman, WDigest, etc. return nothing; the password is always shown as (null). The only password field with a value is the one of user MS01.
Thank you very much in advance!
I advise you to zip the tool you want to upload via the webshell. I did it and it works. After gaining the rev shell through nc, you can unzip using this command: Expand-Archive -LiteralPath ".\chisel.exe.zip"
For those having trouble transferring files between your attack box and MS01, there is an easy way to do that by adding the argument "/drive" when using xfreerdp to log into MS01.
Hey, I need some help. I have the hash of the t… user, so I DCSynced and got the hash of Administrator and finished this module, but I could not get the cleartext password of the t**** user; I got nothing in the mimikatz sekurlsa module. Any hint would be helpful.
Hey, so I used chisel to tunnel the connection between the web shell and my attack host, and the tunnel was created and connected successfully, but when I run nmap or any tool like fping I get no response, even after editing the proxychains.conf file. I’m really stuck and don’t know what to do, so any help would be appreciated, thank you.
Dam!n, after 12 hours of play I am finally done with Assessment Part I. To drop some tips:
On the 1st, you can use a reverse shell and nc rather than the webshell directly.
Then you will need to pivot to MS01, with WEB-Win01 as the pivot host. To transfer your tools you can use SMB servers (check the File Transfer module for that).
Here you can RDP to MS01; from here you can use the RDP file access features (I think it was covered in Password Attacks).
Then transfer Mimikatz and you can do all the things with it (clear password and hash dump; for this you will need to impersonate a user like tpetty, mimikatz has this feature, try to google it). But to get the clear password, look for some default passwords.
Finally, DC01 doesn’t have RDP, but it has WinRM, so you can use the Administrator’s hash and evil-winrm from the Kali machine, or Invoke-TheHash.psd1.
Hello @hnathan26. For Q3, I uploaded PowerView.ps1 on the target machine, but I couldn’t import it as a module. Although the Import-Module cmdlet seems to work, it doesn’t recognize any PowerView cmdlet. I also got a reverse shell using nc; it doesn’t work either. The built-in setspn.exe command to request Kerberos tickets didn’t work as well. I think the Add-Type -AssemblyName System.IdentityModel command is not working, as it says “A positional parameter cannot be found that accepts argument IdentityModel.Tokens.KerberosRequestorSecurityToken”. Do you have any idea why they don’t work? Or can you give me an idea other than PowerView and setspn.exe? Thanks.
To make it a little more clear for anyone struggling to get the Admin hash: the hash returned from secretsdump.py that says Administrator is NOT the hash for DC01. For that one you will need to use the attack answer from the previous question. To do so, make sure you are using the CORRECT user for which you just retrieved creds, like in the DCSync section. Make sure to check who you are, and runas may not work.
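The thread discusses two techniques from the attacker's seat: Kerberoasting (the earlier question about finding the first user) and DCSync (the hash retrieval covered just above). As an added example that is not part of this thread, HTB's material, or any tool mentioned here, the script below shows what the defender's side of both looks like: it scans Windows Security events for the signals each technique leaves. The events, the domain CORP.LOCAL, the user and service names, and the simplified "Key=Value;" rendering of event fields are all constructed for the example; the Event IDs (4769, 4662), the RC4 ticket encryption type 0x17, the control-access mask 0x100, and the two directory-replication right GUIDs are the real Windows values.

```python
"""Flag Kerberoasting and DCSync activity from Windows Security events.

Constructed example: the sample events below are a simplified key=value
rendering of fields a SIEM would extract from Event ID 4769 (Kerberos
service ticket requested) and 4662 (operation performed on an object).
"""
import re
from collections import defaultdict
from typing import Dict, List

# Control-access rights a DCSync needs on the domain object.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; the etype Kerberoasting prefers
CONTROL_ACCESS = "0x100"  # AccessMask for extended rights in 4662
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample log: one user requesting RC4 tickets for several services,
# a normal AES request, a machine-account ticket, a DCSync by a user account,
# a legitimate replication by a DC computer account, and an unrelated 4662.
SAMPLE_EVENTS = [
    "EventID=4769; TargetUserName=alice@CORP.LOCAL; ServiceName=svc_sql; TicketEncryptionType=0x17; Status=0x0",
    "EventID=4769; TargetUserName=alice@CORP.LOCAL; ServiceName=svc_web; TicketEncryptionType=0x17; Status=0x0",
    "EventID=4769; TargetUserName=alice@CORP.LOCAL; ServiceName=svc_backup; TicketEncryptionType=0x17; Status=0x0",
    "EventID=4769; TargetUserName=bob@CORP.LOCAL; ServiceName=svc_sql; TicketEncryptionType=0x12; Status=0x0",
    "EventID=4769; TargetUserName=bob@CORP.LOCAL; ServiceName=WS01$; TicketEncryptionType=0x17; Status=0x0",
    "EventID=4662; SubjectUserName=eve; AccessMask=0x100; Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=DC02$; AccessMask=0x100; Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=eve; AccessMask=0x20; Properties=%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split the constructed 'Key=Value; Key=Value' format into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_kerberoast_request(ev: Dict[str, str]) -> bool:
    """A successful TGS request for a user (non-computer) SPN with RC4."""
    if ev.get("EventID") != "4769" or ev.get("Status", "0x0") != "0x0":
        return False
    service = ev.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and the TGT service are noise here
    return ev.get("TicketEncryptionType", "").lower() == RC4_HMAC


def is_dcsync_event(ev: Dict[str, str]) -> bool:
    """A user account exercising replication rights on a directory object."""
    if ev.get("EventID") != "4662" or ev.get("AccessMask", "") != CONTROL_ACCESS:
        return False
    if ev.get("SubjectUserName", "").endswith("$"):
        return False  # domain controllers replicate legitimately
    guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
    return bool(guids & REPLICATION_GUIDS)


def scan(lines: List[str], min_services: int = 2) -> Dict[str, object]:
    """Return Kerberoast requesters (with >= min_services distinct SPNs) and DCSync users."""
    rc4_by_user: Dict[str, set] = defaultdict(set)
    dcsync_users: set = set()
    for line in lines:
        ev = parse_event(line)
        if is_kerberoast_request(ev):
            requester = ev.get("TargetUserName", "").split("@")[0]
            rc4_by_user[requester].add(ev["ServiceName"])
        elif is_dcsync_event(ev):
            dcsync_users.add(ev["SubjectUserName"])
    kerberoast = {u: sorted(s) for u, s in rc4_by_user.items() if len(s) >= min_services}
    return {"kerberoast": kerberoast, "dcsync": sorted(dcsync_users)}


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The per-requester threshold matters in practice: a single RC4 service ticket is common on domains that still have legacy SPNs, whereas one account pulling tickets for many services in a short window is the classic roasting pattern. The DCSync rule excludes computer accounts because domain controllers replicate with each other all day; a plain user account holding both replication rights is what deserves an alert.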
Hello guys! I am really frustrated as I couldn’t find a way to get the cleartext password of user t… Could you please give me a hint where to look for or the tool that I need for it? Thanks.