Need help for root flag !!! I’m pretty sure I have done 95% of the job but I cannot figure out why this sh** doesn’t work.
I have a new user created and granted this with “EXCH*** WIND*** PERM***” rights. Then, I abused the DACL for this user as suggested by Blood*** in order to have DCSync rights. It seems good but when I want to remotely DCSync with sec***-d***.py this doesn’t work… Any ideas???
I am currently stuck on the part where you need to give a user some permissions. I walked the dog, found the w******** vulnerability and I created a new user that I want to give the replicating permissions to but I am having trouble with this.
Any help is appreciated! Thanks!
Edit: Thanks to @gverre and @sta1ker for the help! Much appreciated! If anyone needs help, feel free to PM me. Lots of little things I was missing.
Root: One hint I can give is be sure you’re authenticating with the right service and you are passing the right arguments.
What a fun ride. I felt like red teaming all along. No amount of hints will help until you do thorough research on your own. It’s a beautiful teaching experience, so make the most of it.
Hints:
User:
Run basic Windows enum tech. One Impacket script can help us do a kind of roast which will help us get user.
Root:
BloodHound + Impacket + a lot of research. By no means will it be easy if you have not worked with AD priv esc.
Enjoy. PM for nudges. I can guide you to the right reference material.
Hi, I found users. And now I’m trying to understand Impacket. But right now I don’t know what I should do with this information. Any help would be perfect.
I got the user credentials but I’m stuck on root. I tried SH and I couldn’t find any path that would help me.
I’m sure that I’m missing something, but for the first machine I think that I did well getting the user credentials by myself. It’s been 4 days, and I really want the answer.
If someone can PM me with a hint it will be appreciated.
Can someone assist me in one of the last steps regarding granting my user rights? I cannot seem to do it to save my life. I assume it’s a syntax issue.
EDIT: Never mind. I was using the wrong account to run the command in the context of. I think I would have figured it out had I known the version of the powerful tool mattered when running on a remote Linux box. I assume running with runas on Windows wouldn’t need it?
Any nudge after cracking the user password?
=>“Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header.”<=
Google doesn’t help me too much…
Edit: No need anymore… I was forcing evil connection on a wrong port…