All righty, this one here is going to cover Active Directory Enumeration and Attacks, the Skills Assessment Part I. This one was a doozy. I had to do a lot of extra research on this for the attack path. This is just one of the attack paths that's possible; I'm sure there's other ways. This one ended up requiring a lot of Metasploit and a reverse shell, and even had a little pivoting to go from our Linux machine up into the network, so it took a lot of extra research and looking and trial and error and whatnot to get it all worked out. This Active Directory stuff is, like I said, a doozy, but we'll just dive right into this and get it started. Let me get one of these; I know I'm going to need this here eventually.

So this one here, I know it starts us with a webshell that was left kindly by a previous pentester. So we've got to go to that first, and I know this is in the uploads directory. If we go to the uploads directory we've got the antak.aspx, so if we click that, this will bring us to the login. The credentials were left for us for this webshell here, so it's going to be admin and this password. We log in and we should get a webshell here. From this webshell, is it "clear" to clear the screen? All right. I did notice with this webshell it's better if you clear the screen after you get what you need to get; it doesn't seem to scroll real well. It's kind of ugly, you know, but it's usable for certain things. I did go in and try some commands. Some will work, like the dir command, but I noticed you can't navigate. There's a lot of stuff in this path here, but I did try to navigate around and I noticed you can't. So if I try to go to, like, the config directory and hit enter, you see this is why you want to clear the screen, because it doesn't scroll. But you go down and it's like, okay, did it work or not? When you look again you'll notice it didn't navigate anywhere. So the shell's usable, but not completely.

However, for the first question it's just wanting the contents of the flag off of here, and you see we are NT AUTHORITY. For this you can use type, or cat; I believe cat works as well. For the first flag, which is sitting on the Administrator's desktop, it's cat, or like I said you can do type since it's Windows, and then C:\Users\Administrator\Desktop\flag.txt, and that'll give you the contents of the flag. From here, that's about how usable this first shell is: to get that first flag. It does have upload files and stuff; I didn't mess with these buttons as much, functionality-wise and whatnot. Like I said, I did some looking and obviously we're going to need more access. We're going to need a better shell onto the machine so that we can pass some tools up; as far as I can tell there's no tools on here, at least not in the folder we have access to here. So I'm just going to clear that out. If you run that command you get the contents of the first flag, so we'll just leave that here.

So in my research and everything for doing this lab, the method I'm going to go with here, we're going to use Metasploit, msfconsole, and try to get a reverse shell so we get a more interactive shell that we can upload our tools onto the machine and run some of these attacks. For this we're going to open up an msfconsole, tell it to be quiet, and then from here we're going to search for web_delivery, and the one we're looking for here is number 1, so we're going to use 1. Let's go ahead real quick and let me check what our local IP address is: we're .14.89, try to remember that. So now we're going to set the payload to a reverse TCP and we'll go and set some of the options real quick for this before we run it. Double check that IP again, .14.89, and we'll set the server host here; both of these are just set to our local box here, or the home box. All right, we've got everything set there, so we're just going to run this, and that gives us our PowerShell command. I believe this is the base64. What we're going to do now is copy this whole block of text, copy this whole thing, and we're going to put that in here. You can't see it, but it's in there. Once we copy that in we'll go ahead and just hit enter, and if everything works right you'll see right here that we have a meterpreter session, session 1, opened. When it comes up, if it backgrounds the session, you just use sessions 1 to bring the meterpreter shell back into focus once it's all loaded and everything. And there's our meterpreter shell.

It's recommended when you do this to put yourself onto a more stable process to make sure you keep your connection, and the winlogon right here, 568, this is a good one, should be very stable. So we just want to migrate. What did I say that was, 568? Let's double check that: 568. If everything goes well then it should migrate our process onto there and give us a nice stable shell.

So now what we've got to do, I'm going to go back over here and we're going to grab PowerView; we're going to use wget and pull that in so that we can upload it to this server. If we got everything typed right, that should grab it and put it right there for us. So now what we're going to do from the pwnbox, we're going to use Python to start up an HTTP server so that we can go from the meterpreter shell and pull this file up onto the machine that we're attacking. We'll just use port 8888 (probably too many 8s, but whatever) and we'll go ahead and get that started. So now we'll go back over to here and we want to drop into a shell, so just shell, and I'm going to move to, oops, move to the C drive, and from here we're going to use a utility called certutil.exe to grab this file from the pwnbox and go ahead and pull it up. We're basically just telling it to force-write to file, put it on the drive. What were we, 14, oh what was that IP address again, 89, I always forget, .89, and we want 8888. If everything goes well from here, as you can see, command completed successfully, so it should have it up here. If we do a dir, there's our PowerView.ps1 file right here, so that we can go ahead and continue on with our attack.

All right, now that we've got PowerView up, let's go ahead and drop now into a PowerShell, and from here now we can go back like we've done previously. I'm going to go ahead and import the PowerView module, so we'll import that, and now we'll just do a Get-DomainUser. We're going to wildcard it so we just grab everybody, and we're going to use this -SPN here. So when we hit this it should give us a whole bunch of users, and it should include the user that we're looking for for the question from the module. So we let that run and it will roll through; you'll get a whole bunch of output all through. What you'll be looking for is the service principal name, SPN, right here like this. This obviously is not the user that's required for the module, but it'll have the server name and the port number and then it'll have the username right there, and it should be listed in the output in there for that particular question.

So now we're going to use Get-DomainUser again, now that we know who we're looking for, and we'll use -Identity and we'll just have our username right here, and we're going to do Get-DomainSPNTicket and we're going to format it for hashcat. When we run this we should get our ticket that we can copy, and that'll just go into a text file; we'll pull some space out and stuff. That'll go into a text file that we can then pump through hashcat to crack this password. And there we go, we have the hash. You can see it's got a lot of spaces and stuff, so we'll go through and pull those spaces out and plop that into a text file like I said, and then feed it through hashcat to try and crack this password.

So we'll come over here to the local desktop. We're going to trim out this space with a command like this, and then inside those quotes, inside the single tick here, is where we're going to put the hash that we just copied. So we'll do that here in a minute; this will be easier to read this way. And then pipe that to trim; we're just going to call the file user_hash. We'll pipe all that out into there, so then we'll go back. This should trim it all up for us, so then we'll paste this and hit enter, and then we should have the user hash right here. So now we should be able to put this through hashcat and get ourselves a password. We're going to use mode 13100 for this, and this will just go against the rockyou wordlist. All right, if everything goes well, and if we've got the file properly trimmed of whitespace and everything else, then this should pump out our password. All right, so it looks like hashcat did crack that password, and we have that right up here in the output. So now let's go clear that.

So now we'll go through. We need to get back to our meterpreter prompt; we'll just hit Ctrl-Z, background the channel, and this will bring us back into meterpreter. So this is where, in doing all of my extra research and whatnot and looking up different things, this is where we're going to do a pivot, because we have to run the attacks from the Linux machine into the Active Directory network. So there's going to be a pivot here. I know there's more than one way to do this. Since we're already in Metasploit with my meterpreter going, this is the route that I followed after I did some looking up and whatnot. So from here we'll just use this to set up our pivot. We're going to use proxychains and set up a little SOCKS proxy through msfconsole here. But from here we're going to run the autoroute into the Active Directory network, and yes, you can see instead of a 5 it's a 6, so this environment is different from the other modules. So it added everything that we needed right there. So now we've got to get out of the meterpreter prompt, so you just bg; that'll background session 1. Now we can come back up here.

We've got to look for, it was... so what I found, it was recommended to use a port scanner and scan the network, because we're trying to find another server. There's, I'm sure, more ways to do this, to see what machines are sitting out there with the available tools and such, but there again, this is what I come up with, this is what I found. All right, so here we're going to use this auxiliary scanner portscan. So now let's just set the parameters, or the options I guess you could say. We're going to search all the hosts that are in that range. So now let's set the ports we want to look for, and you can set any ports you want here. We know it's a Windows network and the server that it's looking for, so we're going to search for some common ports on that, which are 139 and 445, and let's set the threads to 50. Once all the parameters are set then we're just going to run it, and we'll let that start scanning. It will tell us the machines that have both of those ports open, and once it's finished we'll continue on from there. Okay, now that that scan is done, we got hits on .3, .50 and .100, so you can note all these machines down that it found, and the machine that we're looking for is going to be this .50.

So now we can drop back into here, and this is where we'll go through and set up the SOCKS proxy in msfconsole here. We're going to use the auxiliary server socks_proxy. We can look at the options; we don't need to change anything, port 1080, server host. If you needed to change anything you could there, but we don't need to, so now we're just going to run it. It's going to start that proxy server. So now from in here we need to go in and make an edit to the proxychains.conf file. Down at the bottom we're going to comment this one out, the socks4, then we're going to put the socks5 for the local machine here, just like that, and port 1080, and just save that. So now we can go back over here. We'll use proxychains now to run commands so that it will go through our proxy and we'll be able to reach this internal network, and you can see everything's running good here.

So we'll go back now, and the MS01 server that we're looking for, we're going to use CrackMapExec against SMB using the credentials that we got from that user and the cracked password, and we're going to go after the flag on the Administrator desktop in here. All right, so if we've got everything typed in right here, then we'll use this against SMB and we're looking for it to dump the LSA, and that should give us the clear text passwords and the user that's using them and such. So let's give this a go and see what happens here. All right, so now that CrackMapExec has run against SMB and did the LSA dump here, let it run through, it's going to give a lot of output, and then what we're looking for is right here on this line. That's the user and that user's password that we're going to need, or the clear text password that we're going to need. All right, so now we've got that; that answers that question.

So now we'll go back into the meterpreter. Let me just clear this; now we'll go back over to here. Let's pull up our meterpreter session. You can see the shell's still sitting there, or the meterpreter's still sitting there, so we're going to drop into a shell, go back to the C directory, and let's go ahead and drop into that. So now let's import the module again, because it is a new shell. All right, so now we're going to use this user, do some enumeration for how we can leverage... there is a question for what type of attacks this user has. Most people can probably read that question and guess what they can do, but we'll go ahead and start setting up our variables here. All right, so we're going to set the $sid variable here with that username we just found, and it's going to echo the command right here, and then we're getting the object ACL against the domain and we're resolving the GUIDs, and we're using an ObjectAceType match, and we're looking for all these; we're using SecurityIdentifier here, but we're looking for AceQualifier, ObjectDN, you know, a bunch of different things. Like I said, it'll echo the command here, and once you run it you'll get all of the AceQualifier, ObjectDN, ActiveDirectoryRights, this output here, and if you scroll down it's got a lot to it. This here will show you everything that this particular user can do, which you can see that they're able to do Replication-Get-Changes and so on and so forth. They're able to do a lot, so they have rights for doing a DCSync attack.

So now what we can do, we'll go back over to here and we're going to use secretsdump.py and we're going to do a DCSync attack against this, try and get the Administrator's hash. We have to remember to use proxychains, of course. All right, so see, this is this user at, this is against the domain controller, which was the .3 machine that we had found earlier when we did those scans. So we're going to do the attack against the Administrator, and if all goes well we should get the admin's hash. So now we have to put in the user's password that we had found before, the clear text password that we had found. So once that's run and everything we should get, and we did get, the Administrator's hash, or hashes I guess you could say, because there's a few different things here, but we did get the one we're looking for, which is this one here; it starts with the 500.

And now what we're going to use, we're going to use wmiexec.py in order to connect. Of course we've got to use proxychains, and we'll use this to connect to this machine as the admin. We're going to use the hash and pass that hash so that we can get access to this box and capture this flag. All right, so we just dropped that hash in there after the -hashes flag, and this should, if all goes well, get us a connection as the Administrator to this machine. All right, so we're at a prompt and you can see we are the INLANEFREIGHT Administrator, so from here you can just do type just like before, and from here you can hit this and capture that flag. All right, so that's the flag there for this particular instance here. So we can go ahead from here and we'll just kill that connection and clear that off there, and that should take care of it for this particular skills assessment. Like I said, I'm sure there's other ways to do it, but this is the way that I ended up going through and accomplishing it.
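Defender-side check, added here as an example and not part of the video or the lab it walks through: the path above depends on two conditions a domain owner can audit ahead of time, accounts with SPNs whose passwords can be cracked offline (the Kerberoast step with Get-DomainUser -SPN, Get-DomainSPNTicket and hashcat mode 13100) and an ordinary user holding the replication rights that Get-ObjectAcl showed (the DCSync step with secretsdump.py). The Python below runs both audits over a constructed, offline snapshot shaped like PowerView's Get-DomainUser and Get-DomainObjectACL output. The domain SID, distinguished names, account names and timestamps are made up; the replication-right GUIDs and the well-known SIDs are the real ones. It goes a little beyond the video by also treating GenericAll and an unscoped ExtendedRight on the domain head as equivalent to the replication pair, since either grants the same capability.

```python
"""Audit a directory snapshot for Kerberoast exposure and unexpected DCSync rights."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Control-access right GUIDs for directory replication (real, well-known values).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPLICATION_RIGHTS = {GET_CHANGES: "DS-Replication-Get-Changes",
                      GET_CHANGES_ALL: "DS-Replication-Get-Changes-All"}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DOMAIN_DN = "DC=inlanefreight,DC=local"                   # constructed domain head DN

# Principals that hold replication rights on the domain head by default.
EXPECTED_DCSYNC_SIDS = {
    "S-1-5-9",            # Enterprise Domain Controllers
    "S-1-5-32-544",       # BUILTIN\Administrators
    DOMAIN_SID + "-516",  # Domain Controllers
    DOMAIN_SID + "-498",  # Enterprise Read-only Domain Controllers
}


@dataclass
class Ace:
    """One row of Get-DomainObjectACL output (GUIDs left unresolved)."""
    security_identifier: str
    object_dn: str
    ace_qualifier: str            # "AccessAllowed" or "AccessDenied"
    active_directory_rights: str  # e.g. "ExtendedRight", "GenericAll", "ReadProperty, WriteProperty"
    object_ace_type: str = ""     # GUID for a scoped extended right, "" when unscoped


def find_dcsync_capable(aces, expected=EXPECTED_DCSYNC_SIDS, domain_dn=DOMAIN_DN):
    """Return {sid: sorted replication rights} for principals outside `expected`
    that can pull secrets from the domain head. GenericAll, or ExtendedRight with
    no object type (every extended right), counts as holding both rights."""
    found = {}
    for ace in aces:
        if ace.object_dn.lower() != domain_dn.lower():
            continue  # rights on an OU or user object are a different finding
        if ace.ace_qualifier != "AccessAllowed" or ace.security_identifier in expected:
            continue  # a Deny ACE adds no capability; default holders are fine
        rights = {r.strip() for r in ace.active_directory_rights.split(",")}
        granted = set()
        if "GenericAll" in rights:
            granted.update(REPLICATION_RIGHTS.values())
        elif "ExtendedRight" in rights:
            guid = ace.object_ace_type.lower()
            if guid == "":
                granted.update(REPLICATION_RIGHTS.values())
            elif guid in REPLICATION_RIGHTS:
                granted.add(REPLICATION_RIGHTS[guid])
        if granted:
            found.setdefault(ace.security_identifier, set()).update(granted)
    return {sid: sorted(r) for sid, r in found.items()}


def has_full_dcsync(rights):
    """True when a principal holds both rights needed to replicate secrets."""
    return set(REPLICATION_RIGHTS.values()) <= set(rights)


@dataclass
class User:
    """One row of Get-DomainUser output, trimmed to the fields the audit needs."""
    sam_account_name: str
    service_principal_names: list
    pwd_last_set: datetime
    enabled: bool = True
    member_of: list = field(default_factory=list)


PRIVILEGED_GROUP_PREFIXES = ("CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Administrators,")


def kerberoast_exposure(users, now, max_password_age_days=365):
    """Return [(sam, reasons)] for every enabled SPN-bearing account except krbtgt,
    sorted by name; `reasons` lists why that account is higher risk (old password,
    privileged group membership) and is empty for a plain service account."""
    findings = []
    for u in users:
        if not u.enabled or not u.service_principal_names or u.sam_account_name.lower() == "krbtgt":
            continue
        reasons = []
        age_days = (now - u.pwd_last_set).days
        if age_days > max_password_age_days:
            reasons.append(f"password unchanged for {age_days} days")
        if any(g.startswith(PRIVILEGED_GROUP_PREFIXES) for g in u.member_of):
            reasons.append("member of a privileged group")
        findings.append((u.sam_account_name, reasons))
    return sorted(findings)


# Constructed snapshot. RIDs 1105-1108 are made-up regular accounts.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible
SAMPLE_ACES = [
    Ace(DOMAIN_SID + "-516", DOMAIN_DN, "AccessAllowed", "ExtendedRight", GET_CHANGES),
    Ace(DOMAIN_SID + "-516", DOMAIN_DN, "AccessAllowed", "ExtendedRight", GET_CHANGES_ALL),
    Ace(DOMAIN_SID + "-1105", DOMAIN_DN, "AccessAllowed", "ExtendedRight", GET_CHANGES),      # full pair
    Ace(DOMAIN_SID + "-1105", DOMAIN_DN, "AccessAllowed", "ExtendedRight", GET_CHANGES_ALL),
    Ace(DOMAIN_SID + "-1106", DOMAIN_DN, "AccessAllowed", "ExtendedRight", GET_CHANGES),      # half the pair
    Ace(DOMAIN_SID + "-1107", DOMAIN_DN, "AccessDenied", "ExtendedRight", GET_CHANGES_ALL),   # deny, ignored
    Ace(DOMAIN_SID + "-1108", "OU=Servers," + DOMAIN_DN, "AccessAllowed", "GenericAll"),       # not domain head
]
SAMPLE_USERS = [
    User("svc_sql", ["MSSQLSvc/sql01.inlanefreight.local:1433"], datetime(2019, 6, 1, tzinfo=timezone.utc)),
    User("svc_backup", ["backup/ms01.inlanefreight.local"], datetime(2023, 12, 1, tzinfo=timezone.utc),
         member_of=["CN=Domain Admins,CN=Users," + DOMAIN_DN]),
    User("svc_old", ["HTTP/web01.inlanefreight.local"], datetime(2018, 1, 1, tzinfo=timezone.utc), enabled=False),
    User("jdoe", [], datetime(2023, 11, 1, tzinfo=timezone.utc)),
    User("krbtgt", ["kadmin/changepw"], datetime(2015, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for sid, rights in find_dcsync_capable(SAMPLE_ACES).items():
        print(f"DCSync {'FULL' if has_full_dcsync(rights) else 'partial'}: {sid} -> {', '.join(rights)}")
    for sam, reasons in kerberoast_exposure(SAMPLE_USERS, NOW):
        print(f"Roastable: {sam} ({'; '.join(reasons) or 'no extra risk flags'})")
```

Running it flags RID 1105 with the full replication pair and RID 1106 with only DS-Replication-Get-Changes, while the Domain Controllers group, the Deny ACE and the GenericAll on an OU are left out; on the user side it lists svc_sql for a years-old password and svc_backup for Domain Admins membership, which are exactly the accounts whose tickets are worth the most to the cracking step in the walkthrough.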