Can someone please help me with the below challenge or point me to the correct the redirection?
What's the content of the file: \\DC01\Secret Share\flag.txt?
Can someone please help me with the below challenge or point me to the correct the redirection?
What's the content of the file: \\DC01\Secret Share\flag.txt?
I am monitoring the ticket with .\Rubeus.exe monitor /interval:5 /nowrap
on Server01$ (unconstrained delegation) but looks like I am missing something.
I could use help on this as well, not sure what I am missing here but I cannot figure out how to access the share. Thanks!
I got it… make sure to open your powershell as admin. And renew the ticket
Try using the command type \\DC01\Secret Share\flag.txt
at your computer’s command prompt to view the contents of the flag.txt file located in the Secret Share share on the DC01 server.
I am running rubeus and after rebooting several times there is a user called jake. Did you solve it using the jake user or was there an other user?
thanks
did you ever figure it out? the user jake is not a domain admin and i tried the printer bug, that didnt work either.
nothing works i even used ptt with mimikatz but they user jake.kirk doesnt have the proper permissions
Update: got the flag, it is a simple case of overcomplicating of my side.
Leaving the hints below for the future, and a non-technical one: don’t think privesc, think access.
Seems that I got stuck here as well:
Anyone knows what am I missing?
I am stuck on that last question. I have spent easily 10 hours trying to get that solved …
I have tried all techniques enumerated in this thread and none worked.
I tried importing mimikatz, SpoolSample, PowerView onto server01 but nothing helped. The machine comes with Rubeus so my assumption is that everything we need is already there.
The Printer Spooler is not even running on the DC01, so Printer bug is not the angle here.
Some hinted that we’d not try escalating privileges. I tried accessing the dc01 cifs service as SYSTEM, annette, or even jake, directly from server01, and access is denied for all…
The TGS is loaded into memory as confirmed by klist output.
Of note tho … trying to renew the TGS always produced an error. I was NEVER able to renew ANY TGST. I’d be curious to hear if anyone has the same problem. I don’t know what else I can do at that point.