I can’t figure out how I’m supposed to get access to the James account. Could somebody please give me a nudge?
I’m stuck at question 5. Can anyone help me and give me a hint. The POCs of the vulnerability scanner are not working.
How do you know that james can read the gMSA password of someone if you do not have his password? I got james password forcing him to auth to my machine, by the way
I am stuck here as well. Have you found a solution?
Module completed. No exploitation of vulnerabilities required. It’s all about config. Feel free to ask.
Whats the last step after connecting with ccache
For sure you’ve got to find out what you can do with what you find there… very special permissions
I’ve connected through --use-kcache for the kerberos authentication, but I don’t know why I can’t figure out what to do next to get into the file system. Very special permissions…I’m going to go through and try everything again, but I’m assuming like always, I’m missing something simple. Let me know if you have anymore nuggets of info that may help. Thank you!
It’s difficult to say something else without spoiling the solution. You are not domain admin but yes you are at the very last step. It’s something covered by the module and it’s not a vuln/exploit
I made it through the rest of the module so easily, I can’t believe this one question has me stumped like this. The only thing I haven’t tried is getting a remote shell, but I don’t see the point in getting a remote shell when we had to do all the work to be able to connect via Kerberos. I saw your note “its all about config”. The “getting sessions in c2 framework” sure talks a lot about config, but I’m hoping the solution is simpler than that. Still looking around to try and find something that I missed. Sure hope I can find the solution soon, I’m tired of looking!
no remote shell no c2. Simpler… and easy to overlook
Yes, I found it! Don’t know how it took me that long, I thought I had already ran the command but I guess not! Thank you very much for your help. I always expect it to be more complicated than it actually is. Thank you again!
congrats!
I created a user list with --rid-brute, but I gave up because I couldn’t find any asreproastable users.
proxychains4 -q impacket-GetNPUsers inlanefreight.local/ -dc-ip 172.16.15.3 -usersfile usersname.txt
proxychains4 -q nxc ldap 172.16.15.3 -u usersname.txt -p ' ' --asreproast asreproast.out
Any nudge on how to get the second flag? Also the SQL01?
Found 2 users J**** and A**l but seems not having any specific access on the DB so far
EDIT: NVM! Got it
I would like an assistance on question 3.
I’ve obtained j**** credentials but i am uncertain on how to proceed.