Hi all, I’ve been stuck in this module’s lab for a long time.
Question 2:
Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. “C:\Tools\Sysmon” and “C:\Tools\PSInject” on the spawned target contain everything you need.
As in the picture below, I have followed all the commands, but spoolsv.exe didn’t change to “managed”.
Is there something I missed?
Hey Yvonneyeyeye, not sure if you figured this one out. I ran into the same thing and ended up closing the Process Hacker window and re-running the commands in CMD prompt, and it changed after I tried that.
When I did this lab, closing Process Hacker and running it again did the thing…
But the issue I’m getting is that there is no log entry in Sysmon in Event Viewer.
Hi everyone, in the next one, Q3) Replicate the Credential Dumping attack described in this section and provide the NTLM hash of the Administrator user as your answer. “C:\Tools\Sysmon” and “C:\Tools\Mimikatz” on the spawned target contain everything you need.
I tried to run Mimikatz, but the file mimikatz.exe does not exist; there is AgentEXE.exe, and I ran this file with the same command line and passwd and it worked, but when I go to Event Viewer there is no event ID 10. I tried to find it by the name AgentEXE.exe and did not find any ID 10.
I did the Sysmon step also to double-check, but got the same thing: no event ID 10 found.
How can I find it?
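Added example, not part of any post in this thread: one way to search the Sysmon log from PowerShell instead of scrolling Event Viewer, filtering on the fields of the event rather than on the tool's file name. It assumes the standard Sysmon log name and the standard Sysmon field names (Event ID 7 image load: Image, ImageLoaded, Hashes; Event ID 10 process access: SourceImage, TargetImage, GrantedAccess); the helper names ConvertTo-SysmonRecord and Get-SysmonRecord are made up for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$log = 'Microsoft-Windows-Sysmon/Operational'

# Is the Sysmon service present and running? (it is named Sysmon or Sysmon64)
Get-Service -Name 'Sysmon*' | Select-Object Name, Status

function ConvertTo-SysmonRecord {
    # Flatten the <EventData><Data Name="..."> pairs of one event into an object.
    param([Parameter(ValueFromPipeline)] $InputObject)
    process {
        $xml = [xml]$InputObject.ToXml()
        $rec = [ordered]@{ TimeCreated = $InputObject.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        [pscustomobject]$rec
    }
}

function Get-SysmonRecord {
    param([int] $Id)
    # Get-WinEvent raises an error when nothing matches, so silence that case.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id } -ErrorAction SilentlyContinue |
        ConvertTo-SysmonRecord
}

# Q2: image loads (Event ID 7) of clrjit.dll into spoolsv.exe, with the logged hashes.
Get-SysmonRecord -Id 7 |
    Where-Object { $_.Image -like '*\spoolsv.exe' -and $_.ImageLoaded -like '*\clrjit.dll' } |
    Select-Object TimeCreated, Image, ImageLoaded, Hashes |
    Format-List

# Q3: process access (Event ID 10) against lsass.exe. Filtering on the target
# still matches when the accessing binary has been renamed (e.g. AgentEXE.exe).
Get-SysmonRecord -Id 10 |
    Where-Object { $_.TargetImage -like '*\lsass.exe' } |
    Select-Object TimeCreated, SourceImage, TargetImage, GrantedAccess |
    Format-List
```

If both queries come back empty while the service is running, check the loaded Sysmon configuration: image-load and process-access events are only recorded when the configuration contains rules for them.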
For those requiring assistance with the Import-Module process, it is necessary to navigate to the directory containing the “Invoke-PSInject.ps1” file, or alternatively, specify the full path in your command. The provided code assumes that users are within the correct directory. If you are using the HTB machine, the file was located at “C:\Tools\PSInject”. Ensure that you are in this specific directory or adjust your command to include the full path to execute the import successfully!
How did you do it? I still can’t. When I run mimikatz.exe while being in “/Tools/Mimikatz” it says:
C:\Tools\Mimikatz> mimikatz.exe
‘mimikatz.exe’ is not recognized as an internal or external command,
operable program or batch file.
Solved it finally, but yeah, there is a problem with the mimikatz.exe command. As the user/my friend “Alharbi1080” said, use AgentEXE.exe and then follow the steps from the course material, and good luck.
So the issue with this lab is that they have a lot of things mislabeled.
For Q3 you’ll have to use the command
.\AgentEXE.exe to pop up Mimikatz. It’s because the system is trying to protect itself; this bypasses that.
After that, use privilege::debug to move on to the next step.
Good luck :))
I used Windows PowerShell since it allows Linux commands as well.