yep. I was able to evil-winrm with that hash and get the flag on the admin’s desktop. Now I’m trying to get the user’s clear text password. I had the hash before, now I can’t seem to get it. I have a meterpreter shell as MS01\Administrator, I’ve loaded kiwi and dumped secrets, hashdumps, etc. But I cannot get the dcsync to run. According to chatgpt, with the privs I have I should be able to run it.
now that you can evil-winrm into MS01 with the admin user, you should be able to remove the restrictions on the admin account by manipulating the registry, then xfreerdp into MS01 with the admin account (you’ll see that you won’t be able to if you don’t do the registry step first), then drop your tools on MS01 (mainly Inveigh.exe - this is where I got mine from, since you said you could not find it: Releases · Kevin-Robertson/Inveigh · GitHub (select the one for Windows 64)) and get the hash that way
I just finished. I was eventually able to upload and run Inveigh, captured the user’s hash, and the rest was history. Thanks for your help! Much appreciated!!
How did you RDP into SQL01 with " /u:‘inlanefreight.local\mssqlsvc’ /p:‘Sup3r…’ /cert:ignore"? The port is not even open. I tried opening it, and manipulating several reg keys to let me rdp into it like you suggested, but when I was finally able (using the hash for mssqlsvc, not the password), mimikatz would not produce any results…
Did you do anything while on the reverse shell to be able to rdp as inlanefreight.local\mssqlsvc using the password?
no, I rdp’d into MS01 with the mssqlsvc user; then you should be able to do everything you need to do. hmu if you’re still having problems
lol, you helped me. Naw, if I said SQL01 I meant MS01. I had a meterpreter reverse shell, and a sql xp_cmdshell shell on SQL01.
I’ll try that out this weekend! For some reason I thought for sure you rdp’d into sql01! Thank you
I had to xfreerdp into the linux attack box and then use remmina from there to rdp (could not do it with proxychains or with xfreerdp from the linux attack box), but it finally worked lol
Thank you for the help!
yeah my bad. I meant to tell you that. It’s kind of like when you add the ssh -X for x11. I guess when you rdp into the parrot os it gives you the gui tools and all you need for getting into others with rdp.
All good! I am just glad to finally be done with this box lol
Can someone give me a hint on the initial foothold? I’ve tried CME to enum users via SMB. I have obtained a ton of users through Kerbrute but haven’t been able to bruteforce any of them. I feel like I’ve done everything but I have to be overlooking something. What am I missing here?
Try listening
I’m guessing you mean responder… I tried that too. Got nothing but DNS requests. No hashes at all.
Something appears to be seriously broken about SQL01.
While you can get a basic rev-shell easily enough, there seems to be some file size limitation of <2KB, meaning that you can’t upload any meterpreter shells to get a firmer hold on the system (sessions -u throws an “incompatible OS” error). I’ve tried the Juicy/RottenPotato exploit to priv esc to SYSTEM, but it wasn’t working for me despite the fact that it very clearly seems to be the exploit we are supposed to use.
I somehow ONCE got a meterpreter rev-shell open and was able to use the getsystem command to get an easy system shell, but I wasn’t able to successfully exfil the bloodhound results (apparently curl -o doesn’t work for ZIPs, which I only realized the next day).
I have been working for days to try and get back to where I was, but I can’t get a meterpreter shell for the system access. Even trying to copy/paste the meterpreter shell into the basic rev-shell just hangs the system like it does for file transfers >=2KB.
Either I’m missing something stupidly obvious, or something has rendered the lab nigh-unbeatable.
try printspoofer. it works for me
That seems to have worked, thanks.
Also, the odd >2KB limitation when trying to curl stuff onto SQL01 is no longer present, so I think the lab got updated to fix that issue.
I’m on Q9. Have the user of the previous question (mssq**** and pass Sup3****…). I have 2 problems:
- I can’t connect via RDP: $display variable error. I tried everything on the internet and can’t use RDP.
- Alternatively, if I connect to 172.16.7.50 via WinRM, Inveigh and SharpHound give me errors.
I don’t know what to do for the questions. Any tips, advice or help? Thanks!
Are you at the user who has GenericAll?
Try uploading a payload using msfvenom and powercat to get a reverse shell from the MS01 host
Try dumping the SAM database from SQL01