
Resourced 🔸

Enumeration

Using rpcclient, we can enumerate the users and their descriptions.

So we have v.ventz:HotelCalifornia194!

Checking the SMB shares, we find some files of interest.

We can get SYSTEM and ntds.dit to extract LSA credentials.

Put the hashes in a text file and run hashcat against them.

Nothing cracks, so let's pass the hash to move laterally.

Initial Access

Using evil-winrm.

Get the flag.

Privilege Escalation

Use bloodhound-python to get the zip.

This user has GenericAll over the machine account, so we can perform a resource-based constrained delegation (RBCD) attack.

https://github.com/tothi/rbcd-attack
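
On the defensive side, an RBCD configuration change like the one above is a write to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the computer object, which the domain controller records as Security event 5136. The Python script below is an added example, not part of the original writeup or the linked tool; it filters constructed sample events, and the account names, host names and the allowlist of delegation admins are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"  # OperationType for "Value Added" in event 5136

def make_event(subject, dn, obj_class, attr, op):
    """Build a constructed 5136 record holding only the fields used below."""
    data = {"SubjectUserName": subject, "ObjectDN": dn, "ObjectClass": obj_class,
            "AttributeLDAPDisplayName": attr, "OperationType": op}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample events; every account and host name here is made up.
SAMPLE_EVENTS = [
    make_event("helpdesk.user", "CN=DC01,OU=Domain Controllers,DC=example,DC=local",
               "computer", "msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14674"),
    make_event("svc-deleg-admin", "CN=WEB01,CN=Computers,DC=example,DC=local",
               "computer", "msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14674"),
    make_event("helpdesk.user", "CN=Some User,CN=Users,DC=example,DC=local",
               "user", "description", "%%14674"),
    make_event("helpdesk.user", "CN=DC01,OU=Domain Controllers,DC=example,DC=local",
               "computer", "msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14675"),
]

def parse_event(xml_text):
    """Return (event id, {field name: value}) for one event XML string."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def find_rbcd_writes(events, allowed_subjects=()):
    """List value-added writes to the RBCD attribute by non-allowlisted accounts."""
    allowed = {s.lower() for s in allowed_subjects}  # assumed delegation admins
    hits = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        if event_id != "5136" or f.get("OperationType") != VALUE_ADDED:
            continue
        if f.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTR:
            continue
        if f.get("SubjectUserName", "").lower() in allowed:
            continue
        hits.append({"subject": f["SubjectUserName"], "target": f["ObjectDN"]})
    return hits

if __name__ == "__main__":
    for hit in find_rbcd_writes(SAMPLE_EVENTS, allowed_subjects={"svc-deleg-admin"}):
        print(f"RBCD delegation written on {hit['target']} by {hit['subject']}")
```

Event 5136 is only logged when the Audit Directory Service Changes subcategory is enabled and the object's SACL audits the write.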

Post Exploitation

Get the flag.