From nmap, there are many service.
In smb, we can read the share
smbmap -R Replication --depth 8 -H 10.10.10.100, we can see a
I got a username and cpassword from it, and use
gpp-decrypt to decrypt the password.
I tried using this credential with smb again. This time, I can read even more shares.
user.txt from share
I’m going to use
BloodHound for further investigation. I test the connection first.
SharpHound to collect information.
Open the zip file with
Shortest Path from Kerberoastable Users, and we can see that Administrator is Kerberoastable.
That is, I can use
GetUserSPNs.py from impacket to get Administrator’s hash.
With hashcat, I got password
Ticketmaster1968 and use psexec to login. Now, I am administrator.