AD Enumeration & Attacks - Skills Assessment Part II 2

Could not find another thread for part 2 of the AD enumereation and attacks skill assessment so decided to make one so people can ask questions and discuss it.

Right now im on question 6. if anyone happens to have a nudge on that.

" Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? "

Just started this question so havent done extensive enumeration yet though I have logged on to the SQL01 machine and enumerated sql server so far and hadnt had any luck.

Hey there! :smile:
Well, you should have creds for a user (the ones for the question 4/5). You can check the permissions and groups of that user via bloodhound and see that this user is a member of one particular group which points you on where to look for the answer for question 6. If you still be stuck feel free to PM me, I’ve done that module not so long ago :wink:

1 Like

i’m lost at Q4. Can anyone help me? Must i look at the user from q1 rdp or from our htb-student box? The user at Q1 don’t have local admin rights. in which module/part can i find the answer?

You need some password spraying for this one. Try repeating the things you’ve done in the Internal Password Spraying - from Linux part of the module


Q7. Just wondering if this requires working through mssql to solve as I’ve tried multiple things through xp_cmdshell, writing to the filesystem, look for remote servers etc. but can’t seem to find what I’m after. Just wondering if this is the intended way or wasting my time here?
Thank you

Get a shell, check out your privileges, google on how to use them for PE. If you are still stuck, feel free to pm me

1 Like

Appreciate the hint. I think I’m my own worst enemy when it comes to attention, if I had put the right IP in it would have made so much difference… On to Q8!!

1 Like

Ok, stuck again… :frowning:
Q8. this time. I’ve tried enumerating from the start but seem to be missing something obvious. Can obviously get onto MS01 as a low priv user but don’t see anything. I’ve even managed to answer Q9 and Q10 through review of my previous enumeration. Anyone able to provide a nudge?
Many Thanks

Try to login to that machine with user creds you gathered (i.e. try using creds you’ve got from another machine).
Don’t forget to do something like whoami /priv to check if the current user has anything interesting allowed

Checked privs on the two users I can log into MS01 with (Third user can’t connect) and nothing stands out other than the group that allowed to access a share previously. I’ve managed to exploit to nt system on SQ01 without issue, I feel that I jump to the hardest/most complicated method or don’t read correctly…

did you find the answer? I’m struggeling also

I did with the help from lim8en1.
What have you tried so far and with which users?

whew finally finished the module if anyone needs some help let me know.

1 Like

I am on the final 2 questions. I can’t seem to figure out how to access the DC? I have all the creds for CT** and MSS**, don’t know which angle to take from here?

thank you

Hi, I’m at the same point and don’t really know what else I can do, alls pirveleges of both users seem normal, and also nt system on SQ01 doesen’t really help.
Can you please give some hint?

Try log in with a user that can change the password of admin user.

Always good to try to enunerate privledges of users you get access too. THe CT** user has privledges to change the passwords of other users

So, as always some tipps to next generations:

  1. Users, there are quite a lot of them which you have toget, don’t think too early that you got all of them, more specifically:
    User1 + password
    User2 + password
    Service User + service password + reverse shell
    Srevice User + NTLM Hash
    User3 + password
    User4 (how can access DC) + password you give him
  1. There are 3 hosts
  1. The question 7 was most challenging, think about the Srevice User + NTLM Hash and then PrintSpoofer attack.
  2. For the last few questions think about user enumeration + password changing + evil-winrm to connect

Again, if you need some more tips dm me, and thank you @frogman267 @truthreaper @M00th for helping me, I was quite challenging for me, but i really like the community which always can help :heart:


Please help me. Im loosing my mind. I have incredible problems with Q8. Ive been trying to solve that for 2 weeks now. How possibly could you get the flag. I really have no idea. I bet it has sth in common with CT*** user. I see that in Bloodhound. So actually I should ask: ‘how to get ct***’?

If I’m not mistaken do the stuff you’ve done to get the creds for the 1st question but from one of the owned machines