I have the same problem. Tried ntpdate, rdate, clock skew still off by 25199xx. If you had this problem and were able to resolve, please share a kind.
I can't retrieve msDS-ManagedP…d using plain ldapsearch (authenticating with the 2nd user account). I don't understand why… Dumper tool works properly! Can somebody explain it to me, plz?
[edit] Impacket relay tool isn't working either…
ntpdate worked smoothly for me…
Finally got the user flag after really struggling with it for way longer than I should have.
For anyone else struggling: it's actually simpler than you think once you find all the files (and finding them just requires some basic scripting using the info you already know about the first two downloadable files). Once you've got them, make sure you read them ALL. It's easy to get thrown off by the contents of the first few that you open.
Anyway, looking forward to having a go at root tomorrow
Got root
I actually felt more comfortable with the last parts than the user flag, but yeah if you're not that familiar with AD it would be pretty rough (if that's you then this video I made a while ago explaining AD basics might help you out a bit)
I really liked the first part of the root process, although initially I thought the permissions setup allowing us to create things there was unrealistic but it turns out that's the default setup. Wild.
There aren't really any public tips I can give but if you're on Windows you don't need to use everyone's favourite "packet" toolset as there is a much nicer to use alternative (not sure if there are any others for Linux).
If anyone wants any help or if you've got root but don't understand why certain things worked then feel free to PM me
If you are using VirtualBox, you'd better disable the guest utility.
Cool box. With the tips already presented above you can own the machine. You will not need shell access to the box to obtain the flags.
User: Pure web enumeration. If you see anything interesting on the application and a certain pattern, just investigate it further.
Root: There is a certain script that will show you the way to obtain another user, and after that you just need to AD enumerate.
For those who don't know anything about AD, BloodHound is a good tool.
Rooted!!
I don't know what I was doing, but something eventually worked. Seriously, every step beyond first User was just "Huh, OK now what?" and DAYS of trying different tools, thinking about what enum I'm missing, what info I'd actually need, and what to do with that.
Can somebody recommend a good introduction course for AD Authentication and Authorization concepts and mechanisms? There are about two dozen different ways to log into stuff. MAD.
@NoMad I made a video explaining the basics of AD for people new to it: Active Directory Basics For CTF Players - YouTube
But for AD authentication specifically, I've also done an in-depth one on Kerberos: Kerberos Explained (In 3 Levels Of Detail) - YouTube
There are other videos on my channel which cover specific attacks but I won't link them specifically in case that is a spoiler
Thanks but what I really need is some kind of overview of how auth mechanisms, entities/principals, services/ and (default) capabilities/permissions tie together.
Like
Principals can be Domain Users, Local Users, Machine Accounts …
Auth can be done via User/Pass NTLM, NTLM Hash, KRB Ticket, …
Tickets can be created by x for y on z.
SMB can be accessed by These Principals using Those Auths. Leads to File Read/Write, User Enum…
WMI can be accessed by …
(Honestly the services part is just icing, I just need to know what exists and what it applies to. Tough to describe without giving an example).
I am not able to submit the root flag - will it require machine reset to fix this?
Just for confirmation -
815xxxxxxxxxxxxxxxc22
My resolution was to run "sudo ntpdate -B " and then I was able to get the ticket.
Could someone try this and see if it helps them too?
For those who are still having issues with time sync, try:
Run "timedatectl set-ntp off" to disable the Network Time Protocol from auto-updating
Run "rdate -n [IP of Target]" to match your date and time with the date and time of your target machine