AD Enumeration & Attacks - Skills Assessment Part II 2

got it

Someone can help me for “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host” question?

Hello! I am lost in Q4: “Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain”.

I already know the password for Q5.
I enumerated the users with jsmith.txt and got 57 valid users.

However, none of those seems to work. I tried all the methods in the Password Spraying sections. I also tried enumerating further with the credentials obtained in questions 1 & 2, but with no luck.

Can anyone help me, please? Am I missing something very obvious?

Thanks a lot in advance! :slight_smile:

Hello! Can you please give me some tips on Q4 of AD Enumeration and Attacks? I made a post with specific details on AD Enumeration & Attacks - Skills Assessment Part II 2 - #91 by xlandrexl1. Thanks a lot in advance!

Just to comment, in the module there is a section on how to hide your transaction using Chrome as an agent.

I overthought this as much as you. Sometimes enumerating with the first username/password can do you good. Try several tools shown in the module, especially W*. Then see the list and you’ll see something funny about few usernames.

1 Like

Thanks a lot. Solved :slight_smile:

I’m struggling with Q6 'Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? ’ I’ve seen what group BR* is a member of using bloodhound but I can’t figure out what permissions come with that group. I’ve enumerated the shares that user has access to but can’t find anything interesting. And I can’t get a shell using any of the methods mentioned on the three hosts nor can I access mssql using mssqlclient.py.

Some help would be much appreciated.

It is indeed in an SMB share, just try enumerating different machines with different user creds.

1 Like

Hi, iI am really frustrated. I can’t get the user and hash for the Q4/Q5. I started Inveigh but noting comes trough (also tried it from the linux machine in the same enviroment)… any advice? what am I missing?

Enumerate users using crackmapexec and then go back over ‘Internal Password Spraying - from Linux’.

1 Like

ou mann… I was so stupid, the whole time. :roll_eyes:
thanks a lot!

youre the best bro thank you so much for your help!

Use msfvenom to create an exe payload for open a meterpreter session on metasploit and it is easy to get the system :wink: For upload i used python http.server + certutil

Could anyone pleeease give me a hint for Q7 Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

I have enabled xp_cmdshell on the host and just sent a Powershell # base64 shell (revshells.com) back to the linux host (not my attack host. When I try to run PrintSpoofer it seems to be working but I don’t get a new session with SYSTEM privs.

I’m guessing it’s because my shell is lacking but I can’t seem to find a way to get a rev-shell om my attack host.

Any hints?

take a look at some of the PrintSpoofer examples, specifically the reverse shell information. I was also a bit stumped when it came to this one but there is at least one example you can take inspiration from and it’ll work.

Edit: Forgot to include the github link

1 Like

Someone can help me step by step for NIX05. I did everything but I think missing something.

Thank you so much for the tip! Only tried to spawn shell in same terminal…

Right now I have a SYSTEM shell for SQL01 on the foothold, can’t seem to get SSH port forwarding to work back to my attackhost… (not sure I need, would just be nice)