Yea I ended up finding it, but I can’t get my payloads to work, I uploaded nc.exe in the dc. Cant seem to get any of the sliver payloads to work
So you have a session as NT Service\MSSQL$SQLEXPRESS in DC02 right!? This account has SeImpersonatePrivilege.
You can ‘execute-assembly /home/htb-ac-799850/GodPotato-NET4.exe -cmd “whoami”’ and it should get you SYSTEM
Thank you for you assistance. Im stuck with the last question. Can’t open the shell through the pivot, im just getting constant timeouts, altho the escalated DC connection is active. I ran bloodhound, but it shows no trusts. When listing info on bloodhound it may ask which domain info im looking for and there is inlanefreight.local, but the info for it is absent
“Access the other domain controller in the forest and submit the contents of the flag.txt file on the Administrator’s desktop”