I am working through the Skill Assessment of this course right now and am stuck on flag 2 for user Arturo. Has anyone completed this module that can help give some guidance? Don’t want to describe more details as it may give away hints to answer to first flag.
Anyone can give me some nudge with first flag? I tried enumerating all the ports but dont see a way to login.
Make sure to check through the modules about a web hosted terminal for Windows.
I’m stuck at the last flag if anyone has any nudges for me. I think I know what I have to do but I can’t get it to connect back to me.
2 Likes
The design of the lab environment, and the question itself, suggests you to use the VNC password you just got against the server from where you got it.
Now, you have to think how you’ll access that server, as it blocks all incoming connections.
Once you access it, you’ll see a program that’ll help you access the DC.
I struggled for two days for the last question, so just in case this help someone:
The VNC docs for Windows may help:
https://www.tightvnc.com/doc/win/TightVNC_2.7_for_Windows_Server_Command-Line_Options.pdf
Also, I found this post useful:
https://superuser.com/questions/1266732/tightvnc-server-not-allowing-to-use-connect-and-sharedisplay-arguments-togethe
The VNC server was connecting but it showed a black screen. A restart of the lab fixed the thing.
I’m stuck on the final question. I have got the password and have setup Metasploit to be proxy, but the CLI requests from PWNBOX to the VNC server get denied. I tried looking for the vncserver executable on the workstation, but it doesn’t exist? What exactly am I missing on this?
I’m having issues with Impacket. Mainly NetExec and CrackMapExec fail to enumerate properly by not returning any results to the terminal. Is anyone having similar issues?
I had issues with this earlier. Are you passing the domain argument?
@FlemmishTortoise, thanks for your tips.
Any Hint for 2nd question?
I got credentials for testing purposes
any hints on retrieving the VNC password?
try to reread the section on WSUS. Also try to use the clue to find a way back to your attack machine. For this, tools are missing on the hosts, you will have to transfer them. If necessary, use the SysInternals suite with tools such as TCPView to see how the connections are made.