AD Enumeration & Attacks - Skills Assessment Part II 2

I’m stuck here as well. Were you able to get past it?

Finally, after 2 days of immeasurable pain, I finished it. If someone needs help, just DM!

You’ll encounter account restrictions preventing a certain user from signing in, when attempting to establish an RDP session. You must disable Restricted Admin Mode in the Windows registry to get around this.

Prior to doing this you can use evil-winrm, perform privilege escalation, and then you’ll be able to disable the restrictions.

Just completed this module finally. Some of this was ■■■■. When you get access to new users, re-enumerate everything if you get stuck. Take the time to go back and review what ports/services are open for each system if need be. Don’t forget to ensure you’re enumerating at the highest level of privilege you have access to. Lastly, take the time to review the capabilities of the tools you have. I learned a mountain of sub-features on this 2-part exercise.


One thing: mssqlclient.py and mimikatz.

Has anyone managed to privesc manually on SQL01? Metasploit returns a SYSTEM shell in one click using getsystem “Named Pipe Impersonation (PrintSpooler variant)”.
Current service account has SeImpersonate and SeAssignPrimaryToken privs.
I tried to privesc manually using PrintSpoofer64.exe and nc64.exe but no success here.
Trying from xp_cmdshell resulted in CreateProcessAsUser() Failed. Error: 5.
Trying from powershell (revshell from xp_cmdshell) resulted in CreateProcessAsUser() Failed. Error: 2.

Hi, can you help me out with exploiting SQL01? I’ve logged in via mssqlclient.py, but whenever I try to access the Administrator I get access denied with xp_cmdshell.

You need to escalate privileges first to be able to read the files of the Administrator.

Did you review the privileges the account has?

Looking for some help - I’ve been banging my head for days now. I’m on Q8 of pt 2 “Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.”

I have successfully elevated to admin on SQL01 and have captured the NTLM hash using mimikatz. However, I cannot for the life of me pass this hash. I’ve tried evil-winrm, rdp, crackmapexec, etc. What in the world am I missing?

Also stuck on Q8. I was able to get meterpreter running on SQL01, elevated to NT AUTHORITY, ran mimikatz, and cannot seem to be able to use those hashes on MS01 (mine starts with 136b). Will keep looking.

Edit: OK, after looking longer, I figured it out too. There is an account you need to steal between running xp_cmdshell and PtH for admin on MS01; if you look at the Medium post, it skips a step (I think).

Any chance you can send a hint my way on what you did to solve the problem you were having with Q8? What do you mean by “there is an account you need to steal between running xp_cmdshell and pth for admin on MS01”?

Thank you in advance

I think to get the ct user’s hash we have to run Inveigh and capture hashes, similar to running Responder, because everyone says to use the same process as we did to get the pw for . I haven’t seen the .exe version like the post has. I’ve tried uploading and running the .ps1 version but without any luck. From what I’ve found on the errors I’m getting, Inveigh uses a GUI, and the meterpreter shell isn’t quite letting it run right. At least that’s kind of the gist I’m getting from ChatGPT. I may be totally wrong on that. I went and made sure X11 forwarding was enabled in the SSH config file. That didn’t seem to work either. But ChatGPT will tell you some BS too, so.

Well, at least that’s the conclusion I’ve come to after running Responder from the Parrot OS; even though I have an admin shell on SQL01 and a user on MS01, I still only get ’s hash. Man, this has got me stumped. SMH.

Not sure about Inveigh.exe, but did you get the correct hash for the admin user for MS01? After I got the reverse shell on SQL01 and dumped the hash for the admin user there, I can use that hash to login to SQL01 using evil-winrm, but that same hash won’t work on MS01… Did you get to the point where you were able to login to MS01 with admin rights?

Nope, that’s where I am. I can evil-winrm into SQL01 using PtH with the admin hash I was able to dump. But like you say, I can’t get into MS01 with that hash. In jocKKy’s write-up, when he ran mimikatz he got a different hash. I’m not sure why, or if I should even be stuck on that, if there’s another way. But in the write-up he appears to run mimikatz, dump the hashes, and then PtH with that hash into the MS01 machine as the Administrator. I still don’t get it.

Yep, same here, but based on what @slothlord said in the comment above, it seems like the writeup missed a step, and that (using @slothlord’s words) “there is an account you need to steal between running xp_cmdshell and pth for admin on MS01”, but I have no idea what he is talking about… I found the creds for another account in SQL01 using mimikatz (sekurlsa::logonpasswords) with a name that starts with mss*****, and I have a clear password for it, but I can’t use it anywhere, so I don’t think it’s useful…

Are you talking about the one that starts with Sup3r?

Yes.
I tried using it to log in to the SQL server, enumerate users with it, log in to other machines, use it with crack, etc. Nothing worked.

xfreerdp and use /u:'inlanefreight.local\mssqlsvc' /p:'Sup3r…' /cert:ignore


Nice. Did you get a different hash going in that way and running mimikatz from there?