Skip to content

Resourced 🔸

Enumeration

Using rpclient we can enumerate the users and descriptions

So we have v.ventz:HotelCalifornia194!

Checking smb shares we have some stuff

We can get system and ntds.dit to get lsa credentials

Put them in a text file and use hashcat

nothing, let's pass the hash to move laterally

Initial Access

Using evil-winrm

Get the flag

Privilege Escalation

Use bloodhound-python to get the zip

This user has genericall to the machine so we can perform a rbcd attack

https://github.com/tothi/rbcd-attack

Post Exploitation

Get the flag