Using CrackMapExec - Skills Assessment

Keep going with enumeration for svc_inlaneadm. Just keep iterating over what you have learned in the module.

Finally done. I was enumerating only SMB, that was my mistake! Thank you very much.


I am stuck with question 1. Where did you guys find a user name? What did I overlook???

Can anyone give a clue about question 3?
I found an intern user who can write to one of the shares,
but when I try to use NTLMRelayx and drop-sc I just see the user named james trying to connect, but I don't get the hash or the password.

Hey, can you explain how you gained access to the DC?
I found one more account n**k
and I am stuck: I found a vulnerability that I can use, but the PoC doesn't work.

Can you help please?

Try to use the credential gathering option with this new user's creds.

How did you find the n**k account? I am stuck with James's credentials!

Check all options suggested during the module for enumerating with the SMB protocol without credentials!


Got it! Thanks!


How did you move forward when you got the creds for James? I can't seem to figure that out!

Try looking for stuff using LDAP options like "Options to play with Kerberos".

Thanks, I managed to find the solution after a while. I am now stuck on the last question having the creds for nick. Feel free to provide any nudge!

Did you try credential gathering options?

Every single one from the module, but this user is not an admin anywhere, so I did not expect it to work!

Can someone give me a hint on the last question:
I have the credentials of n…k, and this supposed ccache file, where we found the user svc_inlaneadm.
I tried using the ccache file to create a Kerberos login with the export function, but it did not work. I tried to use the vulnerability modules, but it did not succeed in exploiting either PetitPotam or DFSCoerce.
Would that be the way?

I am trying to get access to the intern DB.

I am able to get the password/cred files for the sql*** user.
But there are two characters in front of the sql*** username.
Are we supposed to fuzz those to figure out what they are and get the real username?

Thanks for any help.

You can get the usernames via --rid brute force.
Then do AS-REP roasting, which gives you a user and password that you crack with hashcat.
Then the second user you get via Kerberoasting. Crack the hash and then you have a second user and password.

Now I am stuck on SQL01. I found a user sql*** with a password. But there are two characters in front of the username, so I am trying to figure out what that means. If you have advanced beyond that, can you give a hint on getting access to the SQL01 machine?

Thanks

Was able to compromise the SQL01 machine and escalate privileges using user sql*** and the associated password. Used the method described in the module to do the privilege escalation.
With escalated privileges I was able to execute commands on the 172.16.15.15 (SQL01) machine. One of the important rights user james has is that he can read the gMSA password of the scv_de**** account.
Now I am trying to get james's password. Any hints are appreciated.

When I do the NTLM relay attack - did it several times - I do not get the hashes for user james.
I suspect there are supposed to be hashes for user james that can then be cracked. So, over the last couple of days I have been trying to find the password for user james through other means. Did you find the password without the hashes, or did you ultimately get the hashes via the NTLM relay attack?

Thanks

I spun up Responder instead of ntlmrelayx.py