From the nmap scan, several services are open.

Connect to its RPC service and enumerate usernames.

With querydispinfo, I found a default-looking password.

Use crackmapexec to check whether this password works for any of the users over SMB. It does: it is melanie's password.

Port 5985 is open, so check whether melanie's credentials also work over WinRM. They do.

I checked the system's .NET version, built a matching Seatbelt.exe, and uploaded it to run its security checks. It showed a non-default group, Contractors.

There is a log directory worth checking.

In the log directory I found a PowerShell log file and downloaded it. Checking the Contractors group shows that it has a member, ryan.

From the downloaded log, I got ryan's username and password.
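
As an added defender-side example (not part of this writeup), the PowerShell below audits the two places a password turned up above: AD account description fields, which querydispinfo exposes, and PowerShell log or transcript lines. The regex patterns, user names and log lines are all constructed; the commands for feeding it live data are in the trailing comments.

```powershell
# Added example, not from the original writeup: a defender-side audit for the two
# credential leaks used above. One pattern matcher runs over AD account description
# fields (what querydispinfo exposes) and over PowerShell log/transcript lines.
# All data below is constructed; the commands for live data are in comments at the end.

# Phrases that usually mean a secret was typed into free text. Each pattern captures
# the secret token as the named group 'secret' so the report can mask it.
$script:CredentialPatterns = @(
    '(?i)\bpass(word|wd)?\b\s*(set\s+to|is|[:=])\s*(?<secret>\S+)',   # "Password set to X", "password: X"
    '(?i)\bpwd\s*[:=]\s*(?<secret>\S+)',                               # "pwd=X"
    '(?i)\bnet\s+use\b.*\s(?<secret>\S+)\s+/user:\S+',                 # net use <share> <pwd> /user:<name>
    '(?i)/user:\S+\s+(?<secret>\S+)',                                  # net use <share> /user:<name> <pwd>
    '(?i)-(Password|Pass)\s+(?<secret>\S+)'                            # -Password <pwd> style arguments
)

function Find-CredentialLikeText {
    # Returns one object per matching line, with the captured secret replaced by ***
    # so the audit report does not become one more place the password is written down.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][AllowEmptyCollection()][string[]]$Lines,
        [Parameter(Mandatory)][string]$Source
    )
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        foreach ($pattern in $script:CredentialPatterns) {
            $m = [regex]::Match($line, $pattern)
            if (-not $m.Success) { continue }
            $masked = $line
            if ($m.Groups['secret'].Success) {
                $masked = $line.Replace($m.Groups['secret'].Value, '***')
            }
            [pscustomobject]@{ Source = $Source; Line = $lineNo; Pattern = $pattern; Text = $masked }
            break   # one finding per line is enough
        }
    }
}

function Find-CredentialInDescription {
    # $Users: objects with SamAccountName and Description (the shape Get-ADUser returns).
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($u in $Users) {
        if ([string]::IsNullOrWhiteSpace($u.Description)) { continue }
        Find-CredentialLikeText -Lines @($u.Description) -Source "AD user $($u.SamAccountName)"
    }
}

# --- Constructed sample data standing in for live AD users and a transcript file ---
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice';      Description = 'Account created. Password set to Example123!' },
    [pscustomobject]@{ SamAccountName = 'bob';        Description = 'Finance department' },
    [pscustomobject]@{ SamAccountName = 'svc_backup'; Description = 'pwd: ExampleSvc2019' }
)
$sampleTranscript = @(
    'Windows PowerShell transcript start',
    'PS C:\Users\svc_backup> cmd /c net use X: \\fileserver\backups ExamplePass1 /user:CORP\svc_backup',
    'PS C:\Users\svc_backup> Get-ChildItem X:\',
    'Windows PowerShell transcript end'
)

$findings = @(Find-CredentialInDescription -Users $sampleUsers) +
            @(Find-CredentialLikeText -Lines $sampleTranscript -Source 'transcript.txt')
$findings | Format-Table -AutoSize

# Live use on a domain-joined host with the ActiveDirectory (RSAT) module:
#   $users = Get-ADUser -Filter * -Properties Description | Select-Object SamAccountName, Description
#   Find-CredentialInDescription -Users $users
#   Get-ChildItem -Path C:\PSTranscripts -Recurse -Filter *.txt |
#       ForEach-Object { Find-CredentialLikeText -Lines (Get-Content -LiteralPath $_.FullName) -Source $_.FullName }
```

The matcher reports the line and which pattern hit, but masks the captured token, so the audit output can be shared with a helpdesk or ticket without copying the password again. The patterns are deliberately loose (a description reading "password is required" will be flagged too); tune them to the environment rather than tightening them until real leaks slip through. Every sample user, path and password above is made up for the example.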

From a blog post, I found that membership in the DnsAdmins group allows privilege escalation by DLL injection into the DNS service.

Following the blog, I created a malicious DLL and set up an SMB server to share it.

Using evil-winrm with ryan's credentials, I pointed dns.exe at my plugin DLL and restarted the DNS service.

And I got a reverse shell as Administrator.
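
As an added defender-side example (not part of this writeup), the PowerShell below audits the conditions the DnsAdmins technique relies on: who is in the DnsAdmins group, whether the DNS service has a plugin DLL configured (the ServerLevelPluginDll value under the DNS service's Parameters key, which is where dns.exe reads it from), where that DLL lives, and recent restarts of the DNS Server service. The path classifier is exercised with constructed values so that part runs without a DNS server; the live functions assume local administrator rights on the DNS server and the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the original writeup: a defender-side audit for the DnsAdmins
# plugin-DLL escalation used above. It reports who is in DnsAdmins, whether dns.exe has a
# plugin DLL configured (the ServerLevelPluginDll value under the DNS service's Parameters
# key), where that DLL lives, and recent DNS Server service restarts. The path classifier is
# exercised with constructed values so that part runs without a DNS server present.

$script:DnsParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsPluginDllPath {
    # Classifies a ServerLevelPluginDll value into OK / REVIEW / MEDIUM / HIGH.
    param([AllowNull()][AllowEmptyString()][string]$PluginDll)

    if ([string]::IsNullOrWhiteSpace($PluginDll)) {
        return [pscustomobject]@{ Level = 'OK'; Reason = 'No plugin DLL configured'; Path = '' }
    }
    # Fallback keeps the classifier usable on a non-Windows analysis host.
    $systemDir = if ($env:SystemRoot) { Join-Path $env:SystemRoot 'System32' } else { 'C:\Windows\System32' }

    if ($PluginDll.StartsWith('\\')) {
        $level = 'HIGH';   $reason = 'Plugin loaded from a UNC path; the DNS service runs it as SYSTEM from a remote share'
    } elseif (-not $PluginDll.StartsWith($systemDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        $level = 'HIGH';   $reason = 'Plugin is outside System32 (check who can write to that location)'
    } elseif (-not (Test-Path -LiteralPath $PluginDll)) {
        $level = 'MEDIUM'; $reason = 'Configured plugin is missing on disk (stale entry or failed load)'
    } else {
        $level = 'REVIEW'; $reason = 'Plugin present; confirm it is expected, signed and change-controlled'
    }
    [pscustomobject]@{ Level = $level; Reason = $reason; Path = $PluginDll }
}

function Get-DnsPluginDll {
    # Live read of the registry value; $null when nothing is configured. Run on the DNS server.
    (Get-ItemProperty -Path $script:DnsParamsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
}

function Get-DnsAdminsMembers {
    # Assumes the ActiveDirectory (RSAT) module; -Recursive expands nested groups.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | Select-Object SamAccountName, objectClass
}

function Get-RecentDnsServiceRestarts {
    # The Service Control Manager logs every service state change as System event 7036;
    # a stop/start of "DNS Server" that nobody scheduled is the restart this technique needs.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like 'The DNS Server service*' } |
        Select-Object TimeCreated, Message
}

function Invoke-DnsAdminsAudit {
    # Full live audit; run elevated on the DNS server.
    [pscustomobject]@{
        PluginDll        = Test-DnsPluginDllPath -PluginDll (Get-DnsPluginDll)
        DnsAdminsMembers = @(Get-DnsAdminsMembers)
        RecentRestarts   = @(Get-RecentDnsServiceRestarts)
    }
}

# --- Constructed values to exercise the classifier offline ---
@(
    $null,                                   # nothing configured
    '\\10.0.0.5\share\plugin.dll',           # SMB-hosted DLL, the shape used in this writeup
    'C:\Users\someuser\plugin.dll',          # local but user-writable location
    'C:\Windows\System32\example_plugin.dll' # under System32 but not present on disk
) | ForEach-Object { Test-DnsPluginDllPath -PluginDll $_ } | Format-Table -AutoSize
```

Run Invoke-DnsAdminsAudit elevated on the DNS server itself. In an environment where DnsAdmins is meant to be empty, any member is a finding, and any non-empty ServerLevelPluginDll should be reconciled against change records before the next DNS Server restart, since the DLL is only picked up when the service starts. The IP, share and file names in the constructed list are placeholders, not values from the box.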