AD Enumeration & Attacks - Skills Assessment Part II 2

Yeah bro, thank you again.

At last, I completed the module a couple of days ago… I would like to thank @halfluke for his guidance… You are the best resource… and a very nice addition to the HTB community…

Useful link for anyone who needs some mind mapping for attacking AD:


Care to give a hint?
I have answered every question so far, but the last 2 are giving me a headache :slight_smile:

NVM, it's OK.

The last 2 questions, Q11 and Q12, could be quite challenging for knuckleheads like myself :sweat_smile:. You don't need any tools. The user that has privileges on the DC doesn't have any rights on the machines. So you have to connect first with the user that has the admin rights, and then you can use a Windows tool to run commands as another user.


I'm on question 7 and was able to successfully get a reverse shell on the SQL01 host as nt service\mssql$sqlexpress. I went to get the flag at Administrator\Desktop, but the Desktop dir is missing. WTF??? I checked all over the file system and found nothing. I find it hard to believe that this is intentional or even part of the engagement. I assumed it was just a normal error from the SQL01 host not starting properly, but I tried resetting the lab and even decided to try again another day, and got the same results. Did I get the reverse shell under the wrong user? I have all the permissions I need with nt service\mssql$sqlexpress to read any files I want. Any ideas???

Are you sure that directory is missing? Because for me it exists. Maybe you are not a high enough privileged user to read that directory?

What user are you accessing that directory with? I got a rev shell under the nt service account, so now I'm working on priv esc since this account has SeImpersonatePrivilege enabled.

The Administrator\Desktop dir is definitely not there under the nt service account.

Q7: BIG SIIIIIIIIIIIGH… man, that was fun. Spent about 3 days doing some research on this one but finally got it. Trial and error for sure.

Was hoping for a nudge in the right direction on the Skills Assessment Part 2 for AD Enumeration. I'm on question 8, looking for a way to escalate myself on MS01. I'm currently SYSTEM on SQL01 and have tried just about all I can think of to find creds to escalate myself with on MS01.

jsmith.txt is not the correct way to enumerate users. The user you need is not in the jsmith.txt file. Try with crackmapexec.


I did not really get the grasp of these 2 last questions…
Since we got credentials from the user with GenericAll rights on the "Domain Admins" group, I thought of using it to abuse ACLs as in the "ACL Abuse Tactics" section… but I really couldn't connect to DC01, even though TCP port 5985 for WinRM is open…
The hounds showed me that MS01 is the only machine to which domain users could RDP.
I thought of changing the domain user Administrator's password with the GenericAll privilege from CT059, but I couldn't execute commands to do it.

Your hint is pointing towards something like xfreerdp to MS01, then starting a PowerShell session as CT059 and executing those commands, or am I overthinking it? Even though I am pretty sure I tried it too, but without results… And I couldn't start any PSRemoting to DC01 either from an evil-winrm session on MS01…

I have been struggling with Q11 & Q12… Any help on understanding what is missing from my approach would be very appreciated!


Never mind, I finally got it!!!
Pretty tricky ending with this weird user who’s got GenericAll privilege…

Hey everyone, I'd like a nudge on solving question 7 of the ad-enumeration-attacks-skills-assessment-part-ii… I logged into the SQL server as sqlexpress. I also tried exploiting the SeImpersonate privilege, but JuicyPotato does not work for Windows Server 2019.

Apart from the potatoes, you have another interesting exploit for this privilege.
I do not recall in which previous module of the CPTS it talks about it, but you could also find it via Google…
Use your access on SQL01 in order to exploit this privilege and get SYSTEM, thus letting you read the SQL01 administrator's flag.


Found it: it’s Privileged Access from this same AD module / Choosing enable_xp_cmdshell
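As an added defender-side example (not part of this thread or of the HTB module), the T-SQL below audits whether xp_cmdshell is enabled on an instance, which is the weak setting the hint above relies on, and shows the corrected configuration. It assumes a sysadmin login on a SQL Server 2016 or later instance.

```sql
-- Constructed audit query (not from the thread): report the current state of xp_cmdshell.
-- value_in_use = 1 means the extended procedure is callable, so any sysadmin login
-- (or a compromised SQL service account) effectively has an OS-level command shell.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Weak setting, shown only so a change audit can recognise it:
--   EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--   EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Corrected setting: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Reduce the blast radius: list logins holding sysadmin, since any of them can
-- re-enable the procedure; each one that is not needed should be removed.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';
```

Re-run the first SELECT after the change; a value_in_use of 0 for xp_cmdshell is the expected state, and any later flip back to 1 is worth alerting on.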

Hey man, I followed your suggestion and managed to get the flag… I'm currently on Q8. I tried RDPing into MS01 using B**** and enumerating the user, only to realise it wasn't admin. Following the hint, I tried some credentialed enumeration while on the machine but got nothing… Can you or anybody reading this give me a nudge to solving this question?

You actually need to re-enumerate as you get a foothold on a new host in a network, especially AD ones…
Just follow the hint, which basically tells you to re-enumerate with this new foothold, which is a new machine from which you could repeat what you did earlier on the previous footholds you have encountered.
Parsing through this forum thread/topic, I see question 8 to be interesting since it shows you differences in some tools' results depending on which foothold you are on.

Just a basic note for myself:

I relate the enumeration process to getting a new item, spell or ability in an RPG: just go to all the places you couldn't reach before because you were lacking this new stuff, and retry using it. It may "open new doors"…


Good Morning,

I need help completing the last 2 flags. I am out of ideas.

Please can you give me some hints on the last 2 Questions?


I've just finished Q7. For the benefit of the next forum user, a bit of guidance might be helpful:
