Official discussion thread for EscapeTwo. Please do not post any spoilers or big hints.
I need some help with the machine
any nudge for sql_***?
i found 2 hashes for the two service users sql_* and ca_* with GetUserSPNs.py.
But I'm not able to crack those hashes…
or is there a file in the SMB shares (log in with user rose) that contains passwords etc.? I haven’t found anything useful (smbmap enumeration)
can i give a guide how to make it, same with smb research nothing useful
u have a list of creds there
i need hint too if u help :)))
it's a compressed file
How are you guys getting/escalating to the user **** after getting xp_cmd?
i am new to AD testing, any hints on the initial foothold?
sql_*** creds aren’t working? Responder hash did not crack either? Unsure of how to move forward from here.
Nevermind, figured it out lol
I have shell access with user sql_svc now… what's the next step bro? Any hint?
beat the box, feel free to DM me if you need a hint.
Pwned!
Very well built AD beginner friendly machine:)
DM if you need a nudge.
how did you guys manage to use xp_cmdshell? mine is disabled and I don’t have permission to change config
Does someone have a clue for me how to get the xp_cmd working?
you found hashes for this? I didn’t, maybe i am missing something. base access granted me access to files, files granted me access to other users. better question is how does the data available push you to the nudge of xp_cmd
type help