How to connect to DC1 Windows Attacks & Defence

I am trying to finish the kerberoasting chapter but I have abslutetly no idea how to " After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as ‘htb-student:HTB_@cademy_stdnt!’ and look at the logs in Event Viewer." How do I connect to this adress?

Hey I am sorry but I have another question to you. How did you manage to make ssh connection to Kali machine or smb connection to WS001? I couldn’t even do these. I only managed to connect User bob with xfreerdp and that’s all. Even though I found the hashes of the service accounts using rubeus.exe, smbclient command didn’t work and I couln’t get the spn.txt. Could you please tell me how you did it?

You can connect using the following command to connect to SMB from your attack machine.

smbclient \\TARGET_IP\Share -U eagle/USERNAME%PASSWORD

Then use get spn.txt to download the file.

RDP from the bob’s machine and use the given DC1 creds to connect.

2 Likes

Actually I tried the command written in the example (smbclient \\172.16.18.25\Share -U eagle/bob%Slavi123), however this is what it says “do_connect: Connection to 172.16.18.25 failed (Error NT_STATUS_IO_TIMEOUT)”

Secondly, the password “kali” doesn’t work for the ssh connection to attack machine kali.

You need to use the target IP address in the command, not the IP address of WS001.

I used xfreerdp for that and not ssh. It worked for me.

I SSH’d into the Kali box and then used crackmapexec to remotely execute the reg add command with crackmapexec’s -X flag

After reading the comments above I still struggled to connect to DC01, so here is what I did:

  • connect to the target as bob (as described for the first task)
  • go to ‘Start → Windows Accessiors → Remote Desktop’ and login with the creds from htb-student

Hint: the keyboard layout sucks so what I did is copying the ‘@’ from the password hashed and build up the htb-student password in the text editor to copy-paste it into the login dialog…

2 Likes

move spn.txt to ‘share’ file in windows and then run the command on parrot commandline

you can just copy the text file you got, then paste it in your kali linux. Example sudo vim example.txt then you paste it in here, then you run hashcat…

1 Like

Hint: Username and Password are in Question, RDP from :eyes: :eyes: somewhere new

After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as ‘htb-student:HTB_@cademy_stdnt!’ and look at the logs in Event Viewer. What is the ServiceSid of the webservice user?
Did anyone got the answer for this? i been trying for ages and cant crack it, pretty much tried all the ServiceSid that i find in the logs but no luck

Same problem

ohh dear, hope someone will crack it and drop a hint

Oh i got it now bro

You can track the timeline and after get answer

wow thats great, is it S-1- … format?

yes