How to connect to DC1 Windows Attacks & Defence

I am trying to finish the kerberoasting chapter but I have absolutely no idea how to do this: "After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as ‘htb-student:HTB_@cademy_stdnt!’ and look at the logs in Event Viewer." How do I connect to this address?

Hey, I am sorry but I have another question for you. How did you manage to make an ssh connection to the Kali machine or an smb connection to WS001? I couldn’t even do these. I only managed to connect as user bob with xfreerdp and that’s all. Even though I found the hashes of the service accounts using rubeus.exe, the smbclient command didn’t work and I couldn’t get the spn.txt. Could you please tell me how you did it?

You can connect using the following command to connect to SMB from your attack machine.

smbclient '\\TARGET_IP\Share' -U eagle/USERNAME%PASSWORD

Then use get spn.txt to download the file.

RDP from bob’s machine and use the given DC1 creds to connect.

Actually I tried the command written in the example (smbclient \\172.16.18.25\Share -U eagle/bob%Slavi123), however this is what it says “do_connect: Connection to 172.16.18.25 failed (Error NT_STATUS_IO_TIMEOUT)”

Secondly, the password “kali” doesn’t work for the ssh connection to attack machine kali.

You need to use the target IP address in the command, not the IP address of WS001.

I used xfreerdp for that and not ssh. It worked for me.

I SSH’d into the Kali box and then used crackmapexec to remotely execute the reg add command with crackmapexec’s -X flag

After reading the comments above I still struggled to connect to DC01, so here is what I did:

  • connect to the target as bob (as described for the first task)
  • go to ‘Start → Windows Accessories → Remote Desktop’ and log in with the creds from htb-student

Hint: the keyboard layout sucks, so what I did is copy the ‘@’ from the password hashed and build up the htb-student password in the text editor to copy-paste it into the login dialog…