AD Enumeration & Attacks - Skills Assessment Part II 2

xfreerdp and use /u:‘inlanefreight.local\mssqlsvc’ /p:‘Sup3r…’ /cert:ignore

Nice. Did you get a different hash going in that way and running mimikatz from there?

yep. I was able to evil-winrm with that hash and get the flag on the admin’s desktop. Now I’m trying to get the user’s clear text password. I had the hash before, now I can’t seem to get it. I have a meterpreter shell as the MS01\Administrator, I’ve loaded kiwi and dumped secrets, hashdumps, etc. But I cannot get the dcsync to run. According to chatgpt, with the privs I have I should be able to run it.

now that you can evil-winrm into MS01 with the admin user, you should be able to remove the restrictions on the admin account by manipulating the registry, then xfreerdp into MS01 with the admin account (you’ll see that you won’t be able to if you don’t do the registry step first), then drop your tools on MS01 (mainly Inveigh.exe - this is where I got mine from, since you said you could not find it: Releases · Kevin-Robertson/Inveigh · GitHub (select the one for Windows 64)) and get the hash that way

I just finished. I was eventually able to upload and run Inveigh, captured the user’s hash, and the rest was history. Thanks for ur help! much appreciated!!

How did you RDP into SQL01 with " /u:‘inlanefreight.local\mssqlsvc’ /p:‘Sup3r…’ /cert:ignore"? The port is not even open. I tried opening it, and manipulating several reg keys to let me rdp into it like you suggested, but when I was finally able (using the hash for mssqlsvc, not the password), mimikatz would not produce any results…
Did you do anything while on the reverse shell to be able to rdp as inlanefreight.local\mssqlsvc using the password?

no, I rdp’d into ms01 with the mssqlsvc user; then you should be able to do everything u need to do. hmu if ur still having problems

lol, you helped me. Naw, if I said sql01 I meant ms01. I had a meterpreter reverse shell, and a sql xp_cmdshell shell on sql01.

I’ll try that out this weekend! For some reason I thought for sure you rdp’d into sql01! Thank you

I had to xfreerdp into the linux attack box and then use remmina from there to rdp (could not do it with proxychains or with xfreerdp from the linux attack box), but it finally worked lol
Thank you for the help!

yeah my bad. I meant to tell you that. It’s kind of like when you add the ssh -X for x11. I guess when you rdp into the Parrot OS box it gives you the gui tools and all you need for getting into the others with rdp.

All good! I am just glad to finally be done with this box lol