It doesn’t work properly, I have the next hash ***************a8f661248f364
Could you please provide me a hint?
Could you please help me? I have Admin access on SQL01. I tried to get the NTLM hash by using CrackMapExec, then I don’t know how to reach MS01 because my current NT hash is not working. I’ve seen a post on the internet where the guy executed mimikatz to get a different NT hash, but when I perform it I cannot get the same hash and I don’t know why. Could you please give me a hint? I also have the mssq**** clear password and hash, but I’m stuck.
Did you manage to solve this? I too am stuck.
Try all the creds that you got on the mssql server. Maybe some will surprisingly work.
Local Administrator hash could work, but that’s not the path. The actual walkthrough is different from what’s on the internet.
Think outside the box
This is for question: Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host
Can someone explain why we have to use another tool on Windows to capture a hash of a user that we can’t capture using Responder on our attacking machine? That part is confusing me a bit.
Ok… Q4 needs to be changed… the password is nowhere mentioned/used/even in the top 100 of the most commonly used passwords. The only place it appears is in the module. Really?
For Q10, CT** Hash/Password
Inveigh.ps1 is NOT working, you will need Inveigh.exe instead.
Download it from the Kevin-Robertson GitHub, extract it, and upload the Inveigh.exe file to MS01.
Then just run .\Inveigh.exe in PowerShell.
Wait for a while, then you will get the hash.
For those struggling with the last two flags (Q11-Q12):
Use the CT** credential to change the Administrator password, as mentioned in the "ACL Abuse Tactics" section.
Then use meterpreter psexec to DC01 with Administrator and the changed password → get the flag on the Desktop.
For the last flag, using meterpreter, just do “ps” and migrate to the process ID of lsass,
then do the hashdump and that’s it.
The Inveigh is the hardest part of this Skill Assessment
Were you able to manage it? I’m struggling trying to get the hash. Responder is not throwing any even though I tried different flags, and I got the user list as well using kerbrute.
@slymer I totally overlooked it. I enumerated privileges with whoami and SeImpersonate was there, but I missed it. Ja.
Hello!
I know this is not the right topic, but I’m not allowed to create topics, so here it is. I’ve been stuck on ACL Abuse Tactics for 3 days now. This lesson only has the one question: "Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account’s cleartext password as your answer."
While I do know how to do this, I can’t do it because of permission issues. It clearly states in the material that I should log in as the wley user, and I did that, but this user does not have ResetPassword rights over the damundsen user, even though in the ACL Enumeration lesson we can clearly see that the wley user has ExtendedRights over the damundsen user. Is there something I’m missing, or is there a bug here? Any hint is greatly appreciated.
Thanks!