KERBEROS ATTACKS - Unconstrained Delegation - Users

Anyone able to spawn the lab for this exercise successfully [KERBEROS ATTACKS - Unconstrained Delegation - Users]? Thanks!

I was able to spawn the lab. Have you contacted tech support?

@therogue1 What command you are using to connect to machine?

I have tried below command but receiving an error.

└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:‘jasmine’
└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:jasmine

└─# xfreerdp /v:10.129.205.35 /u:carole.rose /p:jasmine
[12:26:14:453] [4964:4965] [WARN][com.freerdp.crypto] - Certificate verification failure ‘self signed certificate (18)’ at stack position 0
[12:26:14:453] [4964:4965] [WARN][com.freerdp.crypto] - CN = DC01.INLANEFREIGHT.LOCAL
[12:26:15:762] [4964:4965] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:26:15:762] [4964:4965] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:26:17:781] [4964:4965] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:26:17:781] [4964:4965] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:26:17:782] [4964:4965] [ERROR][com.freerdp.core] - freerdp_post_connect failed

└─# ping 10.129.205.35
PING 10.129.205.35 (10.129.205.35) 56(84) bytes of data.
64 bytes from 10.129.205.35: icmp_seq=1 ttl=127 time=131 ms
64 bytes from 10.129.205.35: icmp_seq=2 ttl=127 time=131 ms
64 bytes from 10.129.205.35: icmp_seq=3 ttl=127 time=135 ms
^C
— 10.129.205.35 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 130.534/132.064/134.932/2.029 ms

So you shouldn’t connect to this machine. There are restrictions on it. You must achieve a DCSync attack to reset the hashes, take the admin hash and get the flag. Based on the job, the user carole.rose has the GenericWrite privilege

This lab isn’t meant for students to connect with via RDP. Go through the steps taught in the module, beginning with using dnstool.py all the way to the end and you have dumped the hashes. Then, think about how you can use the dumped hashes to read the flag.txt file on DC01.

Hello, I understand that you managed to reset the hashes. Here is my similar forum thread with all the steps. Can you please look with fresh eyes and tell me what I’m doing wrong?

@tigerboy, You need to take the username in quotes or double-escape the backslash (-u INLANEFREIGHT.LOCAL\\carole.rose) , otherwise the username passed to the script becomes INLANEFREIGHT.LOCALcarole.rose.

I’m stuck on the lab but having a different issue.

How are yall running the PowerView command

Get-NetUser -TrustedToAuth

I ran the bypass and added the PowerView script with the two periods (blanking on what that’s called) so that’s all good.

I can run Get-NetUser without the -TrustedToAuth flag…but once I add it, it tells me it can’t be found.

Screenshot 2023-11-07 095531

Any advice?