Skills Assignment - Pivoting, Tunneling, and Port Forwarding

Hello Everyone. I got access to 172.16.6.25 machine via RDP with vfrank credentials. Could someone give me some hints how to proceed and move on to get access to the DC? :frowning:

What did you do to get the flag?

Follow Explorer.exe to where the question is directing you to look. C:/xxxxx
There should be another drive once you have logged in with the right credentials.

In the end, using ping more than twice was the key.

for /L %i in (1 1 254) do ping 172.16.5.%i -n 2 -w 100 | find "Reply"

For everyone looking for help:

Draw the network on paper and do ping sweeps TWICE. You’ll be fine.

As a suggestion for everyone. PIVOT! Pivot as much as you can, that’s the point of this being a practice module!

I can assure you you can execute the last RDP connection from your ATTACK machine and it will follow a nice path through all the intermediate machines.

Try your best, don’t go easy.

Thank you for the hints! Got all the FLAGS!

I got stuck at the beginning logging in to ssh webadmin for 2 hours, I guess because of my stupidity, but I managed through research and reviewing this forum. Thank you all!

Was RDP disabled or something??
I had to use proxychains with winrm

Hey, could you please give me a hint on how to proceed here? I know it is vfra…, but only because I bruteforced the solution. Which steps should I take to actually find that out? I read something about dumping lsass, but is that it?

How did you get into the Final second Linux?

I cannot access that one :frowning:

Who can tell me how to forward the LSASS.dump on this Windows host to Pwnbox, or upload mimikatz to mlefay? Thank you.

Tell me, please, was this specifically intended or did someone leave a network drive connected on the penultimate machine on the network?
That you didn’t have to connect to DC to read the last flag?

Done! Interesting module. Honestly I thought it would be one of the hardest I’ve done. It has its difficulty but there are a lot of hints in the forum! I think now I can say I understand Port Forwarding better. At the final phase (172.16.10.25) I did think the way was through another forwarding but it was not.

  1. I just needed to do 2 port forwards, first from SSH and second with SocksOverRDP

Hi, please, how do I gain access to the primary Ubuntu target?

How do I pwn the Linux machine?

Have a look around the web page available when you start up the assessment. Do you see any other users on there? If so, try to see what loot you can get from their home directories. Then let us know if you came right. (That is, if you haven’t already, seeing that I’m about a month too late :slight_smile:)

Just a tip for anyone that has issues getting tunnels out to all the machines, a couple of socats can go a long way, it might not be exactly what was taught, but it definitely works if you can chain them together.

+1, thanks for this. I was so confused when I only got a reply from a x.x.6.35 and a x.x.6.45 and neither accepted the vfrank creds via RDP.

You have to upload mimikatz and use it to dump information. It’s a bit silly, but I set up a simple http server in python to download the file onto the Linux box and then I did it again to download the file onto the Windows box. On the Windows box, I went into admin powershell and used “sekurlsa::logonpasswords” in mimikatz to get vf****'s password. Hope that helps and lmk if you need more help! :3

Man, what a great explanation! Thank you very much. This truly helped me.
