Blog Post

Community Blog
4 MIN READ

Human Connection Challenge: Season 1 – Active Directory Official Walkthrough Guide (Community Version)

StefanApostol's avatar
StefanApostol
Icon for Immerser rankImmerser
24 days ago
Time’s Up! Congratulations to everyone who completed Lab 7: Active Directory from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completin...
Updated 24 days ago
Version 2.0
community challenge
StefanApostol's avatar
Icon for Immerser rankImmerser
Joined February 18, 2025
View Profile
Community Blog
Here you can read the Community Guidelines, Best Practice Guide and all the latest announcements from the Community Team.
steven's avatar
steven
Icon for Silver II rankSilver II
24 days ago

Was a nice lab. I struggled quite because I got a golden ticket (pass-the-hash) but wasn't able to access \\DC\c$

But then, I've changed to another strategy and instead of psexec I used:

impacket-wmiexec -dc-ip <DC ip> -target-ip <DC ip> administrator@<DC ip> -hashes aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334

maybe to explain, why the hash has added an 'aad3b435b51404eeaad3b435b51404ee':
Most newer Windows versions do not store passwords in LM format by default, and the string aad3b435b51404eeaad3b435b51404ee, called the Null LM hash, signifies that it is empty. So we need to add it. 

StefanApostol's avatar
StefanApostol
Icon for Immerser rankImmerser
24 days ago

hi! glad you liked it. also for impacket tools, you don't need to add the empty LM hash, you can simply use :2c9299e44ee3abcf5c6f9e7938123334 (notice the ":" is still there)