got it
Can someone help me with the "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host" question?
Hello! I am lost in Q4: "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain".
I already know the password for Q5.
I enumerated the users with jsmith.txt and got 57 valid users.
However, none of those seems to work. I tried all the methods in the Password Spraying sections. I also tried enumerating further with the credentials obtained in questions 1 & 2, but with no luck.
Can anyone help me, please? Am I missing something very obvious?
Thanks a lot in advance!
Hello! Can you please give me some tips on Q4 of AD Enumeration and Attacks? I made a post with specific details on AD Enumeration & Attacks - Skills Assessment Part II 2 - #91 by xlandrexl1. Thanks a lot in advance!
Just to comment, in the module there is a section on how to hide your transaction using Chrome as an agent.
I overthought this as much as you. Sometimes enumerating with the first username/password can do you good. Try several tools shown in the module, especially W*. Then see the list and you'll see something funny about a few usernames.
Thanks a lot. Solved
I'm struggling with Q6 "Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?" I've seen what group BR* is a member of using bloodhound but I can't figure out what permissions come with that group. I've enumerated the shares that user has access to but can't find anything interesting. And I can't get a shell using any of the methods mentioned on the three hosts nor can I access mssql using mssqlclient.py.
Some help would be much appreciated.
It is indeed in an SMB share, just try enumerating different machines with different user creds.
Hi, I am really frustrated. I can't get the user and hash for the Q4/Q5. I started Inveigh but nothing comes through (also tried it from the linux machine in the same environment)… any advice? What am I missing?
Enumerate users using crackmapexec and then go back over "Internal Password Spraying - from Linux".
Oh man… I was so stupid, the whole time.
thanks a lot!
you're the best bro thank you so much for your help!
Use msfvenom to create an exe payload to open a meterpreter session on metasploit and it is easy to get the system. For upload I used python http.server + certutil.
Could anyone pleeease give me a hint for Q7 Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I have enabled xp_cmdshell on the host and just sent a Powershell # base64 shell (revshells.com) back to the linux host (not my attack host). When I try to run PrintSpoofer it seems to be working but I don't get a new session with SYSTEM privs.
I'm guessing it's because my shell is lacking but I can't seem to find a way to get a rev-shell on my attack host.
Any hints?
Take a look at some of the PrintSpoofer examples, specifically the reverse shell information. I was also a bit stumped when it came to this one but there is at least one example you can take inspiration from and it'll work.
Edit: Forgot to include the github link
Can someone help me step by step with NIX05? I did everything but I think I'm missing something.
Thank you so much for the tip! Only tried to spawn shell in same terminal…
Right now I have a SYSTEM shell for SQL01 on the foothold, can't seem to get SSH port forwarding to work back to my attackhost… (not sure I need, would just be nice)