ATTACKING ENTERPRISE NETWORKS - Active Directory Compromise

Question: After obtaining Domain Admin rights, authenticate to the domain controller and submit the contents of the flag.txt file on the Administrator Desktop.
How can authentication in the domain controller? I have found the credential for ttimmons user

hey! did you solve it? I am also stuck

Yes, see the next section to show a suggestion.

4 Likes

Anyone getting a skew error when attempting kerberos ( GetUserSPNs.py) in this module?

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Tried rdate, ntpdate, and manually setting the time to match the target hosts, all fail.

Other tips? Thanks.

You can use faketime, you dont need to change the time on your machine.
Maybe this link helps: HTB: Anubis | 0xdf hacks stuff

1 Like

i dont know hwo to use fake time to fix the issue, could you help with the command ?

You’d have to add faketime -f +1h between proxychains and GetUserSPNs, similar to what 0xdf does in his HTB Anubis write up as mentioned by @taponplaza.