Attacking Common Services - Hard

Hi Everyone!

Who could help me with Attacking Common Services - Hard?

I stuck with getting a valid Administrators’ hash.

I have files downloaded from SMB share.
Among them, there was a user credentials pair I can access RDP and MSSQL but no admin access with. I can see that Administrator user does exist via Windows explorer however I have no access to it Desktop.
I can impersonalize second user but he has not admins’ role as well as the first one hasn’t. However, now I can see local server WINSRV02\SQLEXPRESS name and its domain LOCAL.TEST.LINKED.SRV and testadmin user.
Crackmapexec mssql for administrator and testadmin have no success.

Forcing Authentication Attacks using XP_SUBDIRS Hash Stealing with impacket I have got the following message like:
] User WIN-HARD\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa

1 Like