AD Enumeration & Attacks - Skills Assessment Part II 2

Wow, incredible, I got this. It’s mind-boggling: evil-winrm changed everything. I have so many privs compared to what RDP showed. But why? It’s just a remote connection. I guess it is because a user can have different rights over different services even when it’s a remote connection. Ehh… lesson learned.

Thank you, lim8en1, for the help. Now I see what I should do next.


I can’t get that user (answer for 4/5) to be able to log in anywhere. Is this expected?

Try enumerating SMB once more. Remember that different users have different permissions.

Oh wow - I feel a bit silly now. Thank you :)

Very much stuck on trying to get a hash / creds for the ct**** user - any hints would be welcome. Seems my tools on MS01 aren’t doing the trick.

Again you have unblocked me! Many thanks!

Stuck on Q4 “Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain”; any help would be appreciated.

Try to use a common password like Password123, Pa$$word1, Welcome01 or Welcome1 to spray SMB.

Thanks a lot! The ‘Welcome1’ part doesn’t really make sense to me though lol.

You can find it in the top 200 passwords used in the USA, I believe.
It’s in 180-something place, but still.
The idea of password spraying is to use passwords from such lists (because those are the most widely used passwords) so you can check only a few of the most probable choices instead of brute-forcing through all of them (and consider possible account lockouts as well).
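The pattern described above (a few guesses tried against many accounts, kept under the lockout threshold) is also the signature a defender hunts for, so here is an added example, not from the thread or the module, that flags it in failed-logon records. The event layout, addresses and account names are constructed for the demo; logon type 3 (network) is the type SMB authentication produces.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records, reduced to the 4625 fields that matter here:
# timestamp, source address, target account, logon type.
SAMPLE_EVENTS = [
    "2024-01-10T09:00:01 10.10.14.5 jsmith 3",
    "2024-01-10T09:00:02 10.10.14.5 mlee 3",
    "2024-01-10T09:00:03 10.10.14.5 rgarcia 3",
    "2024-01-10T09:00:04 10.10.14.5 kchan 3",
    "2024-01-10T09:00:05 10.10.14.5 dpatel 3",
    "2024-01-10T09:00:06 10.10.14.5 tnguyen 3",
    # Single-account brute force from another source: one account hammered repeatedly.
    "2024-01-10T09:01:00 10.10.14.9 jsmith 3",
    "2024-01-10T09:01:01 10.10.14.9 jsmith 3",
    "2024-01-10T09:01:02 10.10.14.9 jsmith 3",
    "2024-01-10T09:01:03 10.10.14.9 jsmith 3",
    # A user mistyping their own password at the console (logon type 2): benign.
    "2024-01-10T09:05:00 10.10.20.7 kchan 2",
]


def parse(line):
    """Split one constructed record into (datetime, source, account, logon_type)."""
    ts, src, user, ltype = line.split()
    return datetime.fromisoformat(ts), src, user, int(ltype)


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts} for sources whose failures look like a spray:
    many distinct accounts inside one window, each tried only a few times.
    A single account failing many times is brute force, not a spray, and is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, ltype in sorted(map(parse, lines)):
        if ltype == 3:  # network logons only (SMB and friends)
            by_src[src].append((ts, user))
    hits = {}
    for src, evs in by_src.items():
        for i, (start, _) in enumerate(evs):  # slide the window over this source's failures
            counts = Counter(u for ts, u in evs[i:] if ts - start <= window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits


if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(accounts)} accounts -> {accounts}")
```

Lowering max_per_account to the domain's lockout threshold minus one keeps the detector aligned with exactly the attempts an attacker can afford per account.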

At first, I wanted to use rockyou.txt, but given the number of users, I don’t think it makes sense to use it. Even though ‘Welcome1’ is on the 40399th line, perhaps this question is intended to ensure that every student reads or completes that particular section.

Well, yeah, basically you have to repeat the steps from the password spraying section of the module.

I am stuck on the 1st Q. I got a valid user list but can’t get a hash for any users with any technique.

I have a Medium blog where I explained the solutions. If you want, I can share.

Share it, please.

Can someone here give me a nudge? I’ve gotten a foothold and did an LSASS dump from SQL01 and got the Administrator hash. However, when I try a pass-the-hash to MS01 with that hash it doesn’t authenticate. I’m a bit confused on how I get a foothold on MS01. Thanks!

I think that’s the local administrator account. Try running LaZagne or something like that.

I’m having problems using bloodhound-python in this module. Any hints?

Never mind, I got it working. Turns out that when I tried exfiltrating the zip file from the Windows machine, it got corrupted.