Using CrackMapExec - Skills Assessment

I didn’t see another thread on this module so I started this one.

I’m currently on the skills assessment.

I curated a username list of 931 users using --rid-brute.

So far, password spraying has been unfruitful.

Has anybody finish this module? If so, I could use a little help.


asreproast to the rescue! First flag done!




OSError: [Errno Connection error (INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused

1 Like

make sure you use --kdcHost

Usually, when I get that error, it is an /etc/hosts issue.

I would add DC01 to the domain controller line.


It was!

1 Like

Any hints with the MSSQL Server? I was able to gain five users with password or hash so far, but not able to retrieve the flag.

Do i need a user and password combination or should I use the path which exploits a vulnerability?

1 Like

I am stuck on question 2 of the Vulnerability Scan Modules section; I have checked for and tried to exploit multiple vulnerabilities but the only one I have successfully exploited was the zerologon exploit which does not allow me to read the c drive. can you point me in the right direction.

1 Like

Hi, I’m having issues connecting to the target. Nothing is connecting back to my chisel client even though the target is responding to ping. Am I doing something wrong?

I’ve tried for like 3 days now to get a connection, nothing is happening.

Can I get some help with the 3rd question?
I got that SQL flag using mssql.

Not sure how to get DEV01 and DC01. Need help completing the skill assessment


Can you please give me a hint how you got the second question?

Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.

What I get so far:

  • Two valid users with their credentials
  • Dump the SMB, and I got another creds but didn’t work…

Any hint?

Update: I got 7 users, with one not valid password, I’m missing two questions:
2th; SQL
last one; DC01

Any hint?

If anyone comes here and can help me with the 3rd question about accessing DEV01.
feel like i tried everythings including the ms-connecter file (not LNK since it’s blocked) and i’m totally glued. The int speak about reusing somethings but all the pass i have have lead nowhere except for the inital user they were good for.
any help would be appreciated.

1 Like

Sent you a message :wink:

1 Like

could you please give me a hint to “Gain access to the DEV01”. I have tried password spraying on different services using obtained passwords (also using a --local-auth switch) but without good results. I have actually 4 users with valid pass.

You have to get a service/computer account :wink:

Thank you for tip @moayad11 . Now I am stuck to acquire credential for user that can list service/computer account. I have tried back and enumerates folders to get some interesting files, brute force with many pass combinations and use other escalation paths like null session for that user.

maybe not a cleartext password?

Player keep in mind that the version used to test the module was 5.4.0, some newer versions broke stuff