Can you help me please? I’m in HTB DACLs I module, I’m in Password Abuse section, I’m stuck on the last part, abusing Marcos’ account to get the gMSA of the htb-svc$ account to get the contents of the flag.txt file, I already have the hash of the htb account, I tried to connect with pth-winexe, with psexec, winrm, crackmapexec, and others, but it refuses the connection, then I try to do pth with mimikatz but to run it I need to access as administrator, but I don’t have those credentials. What should I do to get that flag, or what am I doing wrong? Thanks for your help.
You can use smbclient with --pw-nt-hash to connect it.
1 Like
thnx Meiyeh, thnx very munch!!!
how are you? Can you please help me with the DACL I Attacks module, the Granting Rights and Ownership section, the last point: " Use the Managers group privileges to abuse the company’s CEO’s account chap, and gain access to the shared folder \DC01\CEO, without changing the CEO’s password. Submit the contents of flag.txt as the answer. " I have the Managers group privileges, but I don’t understand how I can take advantage of it to overcome the challenge, I thank you for your help!
You should edit chap’s owner, and get control privilege. Then you would know how to get chap’s hash.