Hi. Can anyone help me? I managed to crack the hashes of svc_qualys, backupagent and netmonitor. I also found the IP of the domain controller, but when I try to log in using those accounts, it just keeps denying. Please give me a nudge in the right direction, I feel like I am missing something.
Hi. How did you crack the hashes for lab_adm and clusteragent?
You don’t have to, just use secretsdump.py
Use hashcat and rockyou list.
I keep getting the exhausted output from hashcat. Can you give me a nudge? I use “hashcat -m 5600 lab_adm.hash rockyou.txt” for the command.
Did you check the hash? Should be this form: admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030…
Here you have some hash examples: example_hashes [hashcat wiki]
I discovered I could use a user I discovered through kerberoasting. Thank you for your answers though.
Please can you help me, I’m very confused.
Thanks for your tips. My problem is that I cannot find the application which is vulnerable to LFI. I found a backup file on http://172.16.5.127/files with vulnerable code, but where’s that actual application? It doesn’t seem like the one that’s running in the server’s root. Other port? Other hostname? Localhost? Can you help me?
BTW, have you submitted your report to the team? They give you feedback?
I have question 3, user svc_reporting password Re******! but I can’t log in with it via RDP or WinRM to execute PS and know the group.
If I access BloodHound on the server, the svc_reporting user doesn’t appear.
Any help? I need the last question. Thanks!
Edit: Solved. You can do it with another admin user via cmd.
Second question: just use secretsdump.py and you get the info.
Hmm, I’m pretty stuck on the 1st question. I have the hash for the admin; I can’t crack the hash, nor can I pass the hash. Any ideas? I managed to crack the krb spn hash, but now I’ve hit a wall.
Hey, I have the admin hash for DC01; however, I cannot crack nor pass the hash.
I’m using svc_qualys to extract hashes and it’s worked for the krb hash. But I cannot get to svc_reporting; I’m assuming only the admin can get this hash.
Thanks!
Thanks bro, I was able to solve the Lab finally. It’s straight as per given in the “Components in the Report Page” with some changes.
Hi, I don’t know if I’m missing something, but I tried to find local admins of DC01. It seems that every member of the Domain Admin groups is Admin to DC01 (so svc_qualys, solarwindsmonitor etc). I got passwords of two of them and tried to dump lsa and sam hashes with crackmapexec. I got sam for Administrator but didn’t succeed in cracking it or pth with it. I found 7 lsa secrets but none of them seems to belong to a domain user.
Am I doing something wrong or missing something (wrong user/method), or should I use lsa secrets, but how? Any help is appreciated! Thanks
Okay, somebody helped me and I finished the assessment. The answer is that you can use the DC01$ account NTLM hashes to directly DCSync with secretsdump. Then with the first DCSync you should have the administrator account NTLM hashes to pth to the domain controller and DCSync again to get every domain hash (svc_reporting).
Just finished this assessment. Wow, what a journey. Took a long time to get my head around the number of findings and information overload, but after much coffee it made sense. My advice echoes what others have already said: gather the hashes from the various attacks and crack offline. One will grant privileged access to the DC via RDP. I used the Par01 host as a pivot point so was able to perform a DCSync using proxychains and secretsdump.py. It looks like there are multiple ways to complete the assessment, which is cool. I’m now going to write up the dummy report for practice, then it’s onto AEN! Happy hacking guys
If you’re stuck, sometimes a fresh perspective helps.
Hi, could you give me a little bit of a hint on how to start?
Hi, I can’t decrypt the svc_reporting hash in my hashcat.
How did you do it?