Password Attacks | Academy

It’s easier than you think. Don’t look forward; sometimes what you need is close to you.

1 Like

This track helped me a lot to solve the lab, thanks.

You’re welcome

I’m struggling with the ‘Attacking SAM’ section. I can’t copy the sam / security / system hives because the account used to login via RDP doesn’t have SYSTEM privileges. I’ve tried enumerating the other services and found smb running. The account that we are provided with has read/write access to two of the default shares.

It looks like I can navigate through the entire filesystem through those shares, but I’m not sure how I can use this to eventually escalate my privileges to be able to make copies of the registry hives I need.

I might be overlooking something incredibly obvious, just looking for a nudge in the right direction. Thanks!

In principle, they advise you to do it the same way they do, follow the same steps. Maybe you didn’t write something right.

Yep, that was it - completely overlooked doing it remotely. Thanks.

1 Like

Use ls -la

It will show hidden files. There’s a hidden backup copy of the shadow files.

1 Like

Yeah, it really was. ls -la and so on :slight_smile:

My advice to anyone stuck on any of these, it might sound silly… try the DUMBEST and SIMPLEST things you can think of first. Just to rule them out. DO NOT get fancy or smart too early on. You’ll end up down a rabbit hole wasting time. If the question is rated easy, try the easy things first, REAL basic. Be a caveman to start off with, then when the task needs a genius, be a genius. Have like a checklist, then after these easy things fail, keep going. Never give up.

In the medium lab, to find Mr. D’s password, is it another one of using the mut list and waiting 4 hours?

Maybe you can look at which services are running. Also, you can check the “Password Reuse / Default Passwords” part for how to find D’s password.

1 Like

Stuck on PtT from Linux, can’t find any LINUX01$ Kerberos ticket. I’m lost here: “Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01”. Any ideas?

Hey, I’m on the previous section. If you already finished the PtH (Pass the Hash) section, I could use a nudge or tip on the question “Using David’s hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.” Not sure how to do this or what tool I need to use.

Did you figure it out?

If I remember correctly, if you already got David’s hash, you have to use the hash and mimikatz to connect. When you get David’s cmd you will be able to access his shared folder, both to list directories “dir \\dc01\david” and to read files “type \\dc01\david\david.txt”. Similar to how they do it with Julio in the explanation.

I got the flag. Just look closely at the “Note” below the “identifying keytab files in cronjobs” topic.

1 Like

I’m stuck at the “password attacks” easy lab. Please give me a hint. I tried the provided user names and password list.

Hello.
You should use the mutated list with the 93k passwords.
Add -t 48 to hydra.
And which service are you attacking?
I remember it was frustrating because hydra did not catch the password on the first try.
I had to attack 2 or even 3 times with the same list.
If it doesn’t work, let me know.

1 Like

In the PtT for linux section, if anyone can give me a hint on how to get the kerberos ticket from Linux01$ I’d really appreciate it. I can not find it.

If you look in the example output of linikatz, you’ll see a ticket cache location for LINUX01.

3 Likes