Yah its DigitalG******.dll but I think I have failed to download the helper.dll in the first hand… So I would not get the key to craft the JWT… I think I have just proved to myself how dumb I am
Am using ilspy in my vscode, I could not get dnSpy to work… I have three dlls from Blazored, than means the 4th one is the one making my job harder… How do u download helper.dll after missing it in first place?
I can’t get one of the last steps working. I’m sure its the right path.
Did anyone have issues getting the payload to execute after modifying the property?
I expected some kind of automatic trigger. Any pointers would be great.
Make sure your path is relative and not direct. You can DM me the path and ill check to make sure its the correct one.
IF you directed the users path to the correct place it should execute every 1 minute. There is a job to delete your payload though after it executes so there’s only 1 chance every minute. If it doesn’t launch need to send it again.
2 Likes
Hi! Been stuck on the very last step for a while, any tips on what to do after getting to the rsa_4810 user?
If anyone is stuck anywhere - you can PM me.
Bloodhound should show you current Sessions any users may have with the DC
That user can be found in C:\Users.
Theres something special going on with that user.
Get-ADUser should show you more infomration on them. It doesnt stand out very well but theres something abusable that they are doing.
Anyone else read the message in the Admin desktop?
Was curious on how/what the automation script was doing, got GUI via RDP to the machine to enumerate some other things and just saw that I missed that upon rooting the machine. 
How should I enum for the key of LocalStorage, been stuck at here for few hours, I tried some of the common keys but not work
I found that I can change The Script Path however nothing I try to write to that property works. I tried ps1, exe and bat. It just won’t execute. I feel like I’m doing something wrong because I’m stupid or something…
You sure it won’t execute? It might be executing just you don’t know
I tried it on my home AD lab. It wont work there too. I’m assigning it the value like C:\Temp\shell.ps1. What am I doing wrong?
Read the Microsoft Docs about Scriptpath
Probably the directory… I’ve gone through the automation behind it and it’s pretty specific.
I tried a lot of directories and I’m still stuck, any other hint?
Try searching for how to hack the Web Framework the Web Server is running in YouTube. You’ll get a step by step on how to get valuable information and files in the server.
1 Like
Anyone able to provide a nudge? Currently working on root but I’m having trouble with Rubeus
Just use mimikatz. Dump the creds
Don’t we need system privs to dump creds using mimikatz?
Do you have SSA or RSA user?
SSA has something special. A certain privellage that lets them do something.