The nmap scan shows several open services.

I then scan all ports with nmap and find more open services.

With enumdomusers in rpcclient, I get some usernames and their IDs.

Because there is a Kerberos service, I use GetNPUsers.py to see if there is any user that does not require Kerberos pre-authentication. Luckily, there is one: svc-alfresco.

I use hashcat to crack the password, s3rvice, and log in using evil-winrm.

I tried to execute SharpHound.exe.

In BloodHound, mark svc-alfresco as owned, and select Shortest Path to Domain Admins from Owned Principals.

Here’s the information about how we get the privilege.

I create a user l3o and add him to the group Exchange Windows Permissions. We can do this because svc-alfresco is a member of the group Account Operators. Now l3o can give himself the DCSync permission.

With this permission, I can use secretsdump.py to dump other users' hashes.

With psexec.py, I can get the shell as Administrator.

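Seen from the defender's side, the chain above (a TGT issued without pre-authentication, a new account, its addition to Exchange Windows Permissions, then directory replication by a user account) maps to Security-log events 4768, 4720, 4756 and 4662. The following is an added example, not part of the original walkthrough, that correlates them. The event records are constructed and simplified, and the SID, `jdoe` and `DC01$` are placeholders. It assumes directory service access auditing is enabled so that 4662 is logged.

```python
# Constructed, simplified Security-log records; field names follow the
# Windows event schema. The SID, "jdoe" and "DC01$" are placeholders.
SID = "S-1-5-21-1111111111-2222222222-3333333333-9601"
REPL_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
SENSITIVE_GROUPS = {"exchange windows permissions"}

EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2"},
    {"EventID": 4720, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "l3o", "TargetSid": SID},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions", "MemberSid": SID},
    {"EventID": 4662, "SubjectUserName": "l3o",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def detect(events):
    """Return (rule, account) alerts in event order."""
    alerts, created = [], {}  # created: SID -> account name seen in 4720
    for ev in events:
        eid = ev["EventID"]
        if eid == 4768 and ev.get("PreAuthType") == "0":
            # TGT issued with no pre-authentication (AS-REP roastable account)
            alerts.append(("tgt_without_preauth", ev["TargetUserName"]))
        elif eid == 4720:
            created[ev["TargetSid"]] = ev["TargetUserName"]
        elif eid == 4756 and ev["TargetUserName"].lower() in SENSITIVE_GROUPS:
            name = created.get(ev["MemberSid"])
            rule = ("new_account_added_to_sensitive_group" if name
                    else "sensitive_group_add")
            alerts.append((rule, name or ev["MemberSid"]))
        elif eid == 4662:
            props = ev.get("Properties", "").lower()
            user = ev["SubjectUserName"]
            # Assumption: legitimate replication comes from machine accounts
            if not user.endswith("$") and any(g in props for g in REPL_GUIDS):
                alerts.append(("replication_by_non_machine_account", user))
    return alerts

if __name__ == "__main__":
    for rule, account in detect(EVENTS):
        print(f"{rule}: {account}")
```
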