Forum Discussion

ofield
Bronze I
22 days ago

NHS Offensive Cyber Range: Armsdon Hospital

Hi all,

Just wanted some advice on this as I am stuck. I managed to get into the intranet using SQL injection/union and extract all the usernames and passwords. 

I am not sure if I am on the wrong path or doing things in the wrong order for the next part. The FTP server seems to only be active on RDP. The DC has no samba vulnerabilities.

So... I assume I try to use the credentials from the intranet to RDP to the DC/FTP (then after this elevate access using other techniques), but so far that has failed for the Armsdon users I have tried with their users/passwords (from the intranet).

Any tips welcome!

2 Replies

  • SamDickison
    Community Manager

    Hey ofield, we don't usually get Range questions on here, so I'll ask one of the team to see if they can help...

  • Hi ofield

    You are on the right track, but the order matters. The intranet credentials are not intended to work directly against the domain controller. If RDP is available, focus first on the non-DC system where that access makes sense.

    If logins are failing, double-check the context rather than the technique. Confirm the correct host, domain, and username format. The intended flow is initial access on a non-DC host, followed by local privilege escalation, and only then pivoting back to the domain.

    You are very close. I am not able to offer exact steps or commands, but a small shift in approach should.