Documentation & Reporting - Skills Assessment

Anyone here who already went through the AD Environment of “Documentation and Reporting” Module?
I am trying to get organized with the existing documentation and artifacts of the simulated “penetration test” and currently feel a bit overwhelmed how to move forward…

Any hints are much appreciated!

Me too. I can’t use any given infos

Hey there :wave: I just completed this module. How can I be of assistance?

Me too. stuck in the second question.

Someone can help me for the first question? I don’t undestand what I must to do after login in xfree service.

Can you help me out with this? I’m assuming it should be simple but I honestly have no idea how to move forward

1 Like

Hello i have the hash but i doesnt want to connect

1 Like

i know its a bit late, did u find a way?

you mean that ADMIN:“hash” ? thank you anyway, will try!

tried a 2nd time on this exercise but still stuck, can somebody dm me with a tip please? i tried PTH but no success

Although I’m seeing some comments that the hash is already there for you, I completed this lab with a different approach. Here is some guidance

  1. Read and reread through the findings carefully
  2. Recall that the steps for the lab include “Enumerate and exploit all 13 findings listed and gather evidence for the findings that don’t have any evidence recorded”. Why don’t we start at the top and work our way down? Might need to “dig in further”.
  3. Collect all of the users and passwords you have from the notes
  4. What ways can we collect more users and credentials (hashes included)
  5. Now that we have hashes, lets crack them too
  6. Now it comes down to trying each set of credentials to see which one gets us in the DC
  7. Now we’re in. Having trouble dumping hashes? Find a process that should have all the privileges necessary and try again!

This lab is overwhelming at first because there is alot to look at. Take your time, read through it, see what you have, and see what methods are provided for you to find more.

lmk if you have questions

What have you tried so far?

Very good comment! Leaving the admin hash aside, it is always a good stratefy to come up with a consistent methodology to approach AD targets:

look for anonymous logins → look for usernames (+ ASRep Roastable Users) → look for passwords/ hashes → try credentials across all services (+Kerberoast) → repeat

Also very helpful for this process:


This assessment is definitely tricky…@magic is right with the process and to start from the top and pick up where the author left off. I got stuck thinking the lead with the account description fields was solid, but it’s not and may be misleading. Best advice is to pick up at other spots and go from there.

Can’t find the way, any hint about the spot?..thanks!

Check the findings, the tester said they want to carry on with something but didnt


As soon as you successfully land on one of the machines, reiterate on the enumeration process. That involves searching for credentials, trying known credentials across all services and look if you can dump further hashes or logon- passwords from memory, from credential vault, lsass, ntdis.dit, etc…

Hello! I also have questions about the final task. I made points 1 and 4, I am on the DC. Additionally, I found a number of other accesses: librarian, HTB_…_r00t!@0, … But with "submit the NTLM hash of the KRBTGT account " I don’t understand how to do it, because I don’t see any way to run the necessary utilities. Maybe it’s simple, but I’m not familiar with AD. Regarding question 3 “Dump the NTDS file”, similarly, I don’t understand how to run the necessary software on the DC machine. Maybe there are more clues?

So I created a DRAFT report as recommended at the end of the skills assessment. Is anyone willing to do QA with me? Struggling to find anyone on discord(which is understandable). I feel like this stuff is pretty important, regardless of whether or not it’s exciting.

Someone can help me for the first question please?