Video Demo:
https://www.youtube.com/watch?v=5x76bdWU3q0
ENUMERATION
NMAP:
I run Nmap to see which ports are open on this machine:
Kerbrute User Enum:
I use the userenum module from Kerbrute to enumerate users via the open Kerberos service.
Samba:
I need to enumerate the shared resources of this domain.
And this is interesting: when a machine has SMB open and IPC$ open with minimum read access, it's vulnerable to other user enumeration.
Let's see the permissions of IPC$ with smbmap:
Read permissions!!!
Let's enumerate users:
I put only the usernames in the file users.txt.
Now I check whether any user doesn't have good authentication security.
GetNPUsers:
User "t-skid" has UF_DONT_REQUIRE_PREAUTH set!!
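A defender-side check for the same condition, as an added example that is not part of the original write-up: it scans an LDIF export of user objects for the UF_DONT_REQUIRE_PREAUTH bit (0x400000) in userAccountControl. The LDIF sample, the example.local domain and the old-svc account are constructed; t-skid and a-whitehat are reused from the page only as labels.

```python
import re

UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # the flag reported for t-skid above

# Constructed sample export of user objects; all values are illustrative.
SAMPLE_LDIF = """\
dn: CN=t-skid,CN=Users,DC=example,DC=local
sAMAccountName: t-skid
userAccountControl: 4260352

dn: CN=a-whitehat,CN=Users,DC=example,DC=local
sAMAccountName: a-whitehat
userAccountControl: 66048

dn: CN=old-svc,CN=Users,DC=example,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

# Plain "attr: value" lines only; base64 "attr:: value" lines are skipped.
ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*): (.*)$")

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = ATTR.match(line)
            if m:
                entry[m.group(1).lower()] = m.group(2).strip()
        if entry:
            yield entry

def accounts_without_preauth(ldif_text):
    """Return accounts whose userAccountControl has pre-authentication disabled."""
    findings = []
    for e in parse_ldif(ldif_text):
        try:
            uac = int(e.get("useraccountcontrol", ""))
        except ValueError:
            continue  # entry has no usable userAccountControl value
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({
                "account": e.get("samaccountname", e.get("dn", "?")),
                "enabled": not (uac & UF_ACCOUNTDISABLE),
                "uac": hex(uac),
            })
    return findings

if __name__ == "__main__":
    for f in accounts_without_preauth(SAMPLE_LDIF):
        print(f)
```

Enabled accounts in the result are the ones to fix first, by clearing the "Do not require Kerberos preauthentication" option and rotating the password.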
John The Ripper
Samba With t-skid User:
I enter NETLOGON:
ResetPassword.vbs
Credentials found for the a-whitehat user
Let's connect via evil-winrm:
I found the user flag:
Secrets Dump
I have the Admin hash. Let's do pass-the-hash with the Admin account:
Works!!!
Root Flag
Thanks!