Can someone help me with the “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host” question?
Hello! I am lost in Q4: “Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain”.
I already know the password for Q5.
I enumerated the users with jsmith.txt and got 57 valid users.
However, none of those seems to work. I tried all the methods in the Password Spraying sections. I also tried enumerating further with the credentials obtained in questions 1 & 2, but with no luck.
Can anyone help me, please? Am I missing something very obvious?
Thanks a lot in advance!
Hello! Can you please give me some tips on Q4 of AD Enumeration and Attacks? I made a post with specific details on AD Enumeration & Attacks - Skills Assessment Part II 2 - #91 by xlandrexl1. Thanks a lot in advance!
Just to comment, in the module there is a section on how to hide your transaction using Chrome as an agent.
I overthought this as much as you. Sometimes enumerating with the first username/password can do you good. Try several tools shown in the module, especially W*. Then see the list and you’ll see something funny about a few usernames.
Thanks a lot. Solved
I’m struggling with Q6: “Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?” I’ve seen what group BR* is a member of using BloodHound, but I can’t figure out what permissions come with that group. I’ve enumerated the shares that user has access to but can’t find anything interesting. And I can’t get a shell using any of the methods mentioned on the three hosts, nor can I access MSSQL using mssqlclient.py.
Some help would be much appreciated.
It is indeed in an SMB share, just try enumerating different machines with different user creds.
Hi, I am really frustrated. I can’t get the user and hash for Q4/Q5. I started Inveigh but nothing comes through (also tried it from the Linux machine in the same environment)… Any advice? What am I missing?
Enumerate users using crackmapexec and then go back over ‘Internal Password Spraying - from Linux’.
Oh man… I was so stupid the whole time.
Thanks a lot!
You're the best, bro, thank you so much for your help!
Use msfvenom to create an exe payload to open a meterpreter session on Metasploit and it is easy to get the system. For upload I used python http.server + certutil.
Could anyone please give me a hint for Q7: “Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host”?
I have enabled xp_cmdshell on the host and just sent a PowerShell # base64 shell (revshells.com) back to the Linux host (not my attack host). When I try to run PrintSpoofer it seems to be working but I don’t get a new session with SYSTEM privs.
I’m guessing it’s because my shell is lacking but I can’t seem to find a way to get a rev-shell on my attack host.
Take a look at some of the PrintSpoofer examples, specifically the reverse shell information. I was also a bit stumped when it came to this one but there is at least one example you can take inspiration from and it’ll work.
Edit: Forgot to include the github link
Can someone help me step by step with NIX05? I did everything but I think I am missing something.
Thank you so much for the tip! I only tried to spawn a shell in the same terminal…
Right now I have a SYSTEM shell for SQL01 on the foothold, but I can’t seem to get SSH port forwarding to work back to my attack host… (not sure I need it, it would just be nice)