Blog Post

Community Blog
4 MIN READ

Human Connection Challenge: Season 1 – Active Directory Official Walkthrough Guide (Community Version)

StefanApostol's avatar
StefanApostol
Icon for Immerser rankImmerser
3 days ago
Time’s Up! Congratulations to everyone who completed Lab 7: Active Directory from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completin...
Updated 3 days ago
Version 2.0
community challenge
StefanApostol's avatar
Icon for Immerser rankImmerser
I've been in Offensive Cyber for over 10 years now. As a lead cybersecurity engineer here at Immersive, my job is to design and build content around infrastructure hacking and CTFs. Some of my collections you may know are: Windows Basics, Active Directory Basics, Post Exploitation with Metasploit, and the KWEEN Offensive CTF.
View Profile
Community Blog
Here you can read the Community Guidelines, Best Practice Guide and all the latest announcements from the Community Team.
steven's avatar
steven
Icon for Silver II rankSilver II
3 days ago

Was a nice lab. I struggled quite because I got a golden ticket (pass-the-hash) but wasn't able to access \\DC\c$

But then, I've changed to another strategy and instead of psexec I used:

impacket-wmiexec -dc-ip <DC ip> -target-ip <DC ip> administrator@<DC ip> -hashes aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334

maybe to explain, why the hash has added an 'aad3b435b51404eeaad3b435b51404ee':
Most newer Windows versions do not store passwords in LM format by default, and the string aad3b435b51404eeaad3b435b51404ee, called the Null LM hash, signifies that it is empty. So we need to add it. 

StefanApostol's avatar
StefanApostol
Icon for Immerser rankImmerser
3 days ago

hi! glad you liked it. also for impacket tools, you don't need to add the empty LM hash, you can simply use :2c9299e44ee3abcf5c6f9e7938123334 (notice the ":" is still there)