🎫
Sizzle
  • Sizzle
    • Summary
  • Enumeration
    • TCP
    • UDP
    • Web Services
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
      • Robots
      • WhatWeb
    • Other Services
      • RPC
      • SMB
      • NetBIOs
      • LDAP
      • Kerbrute
  • Exploitation
  • Priv Escalation
  • Notes
Powered by GitBook
On this page

Priv Escalation

PreviousExploitationNextNotes

Last updated 2 years ago

In the Windows/System32 I found a file called file.txt

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178:::

Domain    User  ID  Hash
------    ----  --  ----
HTB.LOCAL Guest 501 -
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrb3n:1105:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::

This contained the hashes for the administrator as well as the other users.

With those credentials I was able to do a secretsdump with mrlky hash.