Elevating Movement TryHackMe Answers
Investigate the second, Windows part of the Honeynet Collapse!
Jawstar
10/31/2025 · 1 min read


Task 2: The Challenge
Answer the questions below:
When did the attacker perform RDP login on the server?
Answer Format Example: 2025-01-15 19:30:45
2025-06-30 16:33:18
What is the full path to the binary that was replaced for persistence and privesc?
C:\Users\emily.ross\Documents\Coreinfo64.exe
What is the type or malware family of the replaced binary?
Meterpreter
Which full command line was used to dump the OS credentials?
pcd.exe /accepteula -ma lsass.exe text.txt
Using the stolen credentials, when did the attacker perform lateral movement?
Answer Format Example: 2025-01-15 19:30:45
2025-06-30 19:47:14
What is the NTLM hash of matthew.collins' domain password?
eb3d2de2f21b31933fb4a4fd7a7d314d
