Could not find another thread for part 2 of the AD enumereation and attacks skill assessment so decided to make one so people can ask questions and discuss it.
Right now im on question 6. if anyone happens to have a nudge on that.
" Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? "
Just started this question so havent done extensive enumeration yet though I have logged on to the SQL01 machine and enumerated sql server so far and hadnt had any luck.
Hey there!
Well, you should have creds for a user (the ones for the question 4/5). You can check the permissions and groups of that user via bloodhound and see that this user is a member of one particular group which points you on where to look for the answer for question 6. If you still be stuck feel free to PM me, I’ve done that module not so long ago
i’m lost at Q4. Can anyone help me? Must i look at the user from q1 rdp or from our htb-student box? The user at Q1 don’t have local admin rights. in which module/part can i find the answer?
Q7. Just wondering if this requires working through mssql to solve as I’ve tried multiple things through xp_cmdshell, writing to the filesystem, look for remote servers etc. but can’t seem to find what I’m after. Just wondering if this is the intended way or wasting my time here?
Thank you
Appreciate the hint. I think I’m my own worst enemy when it comes to attention, if I had put the right IP in it would have made so much difference… On to Q8!!
Ok, stuck again…
Q8. this time. I’ve tried enumerating from the start but seem to be missing something obvious. Can obviously get onto MS01 as a low priv user but don’t see anything. I’ve even managed to answer Q9 and Q10 through review of my previous enumeration. Anyone able to provide a nudge?
Many Thanks
Try to login to that machine with user creds you gathered (i.e. try using creds you’ve got from another machine).
Don’t forget to do something like whoami /priv to check if the current user has anything interesting allowed
Checked privs on the two users I can log into MS01 with (Third user can’t connect) and nothing stands out other than the group that allowed to access a share previously. I’ve managed to exploit to nt system on SQ01 without issue, I feel that I jump to the hardest/most complicated method or don’t read correctly…
Truthreaper,
I am on the final 2 questions. I can’t seem to figure out how to access the DC? I have all the creds for CT** and MSS**, don’t know which angle to take from here?
Hi, I’m at the same point and don’t really know what else I can do, alls pirveleges of both users seem normal, and also nt system on SQ01 doesen’t really help.
Can you please give some hint?
Users, there are quite a lot of them which you have toget, don’t think too early that you got all of them, more specifically:
User1 + password
User2 + password
Service User + service password + reverse shell
Srevice User + NTLM Hash
User3 + password
User4 (how can access DC) + password you give him
There are 3 hosts
The question 7 was most challenging, think about the Srevice User + NTLM Hash and then PrintSpoofer attack.
For the last few questions think about user enumeration + password changing + evil-winrm to connect
Again, if you need some more tips dm me, and thank you @frogman267@truthreaper@M00th for helping me, I was quite challenging for me, but i really like the community which always can help
Please help me. Im loosing my mind. I have incredible problems with Q8. Ive been trying to solve that for 2 weeks now. How possibly could you get the flag. I really have no idea. I bet it has sth in common with CT*** user. I see that in Bloodhound. So actually I should ask: ‘how to get ct***’?
