Foothold
1. nmap the target to find the SMB shares
2. connect anonymously to Replication share
3. pull Groups.xml that has a username and encrypted password
4. use gpp-decrypt to decrypt the password
5. connect to the SMB Users share with the username and password
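Steps 3 and 4 work because the cpassword in Groups.xml is encrypted with a key Microsoft itself published (MS14-025), so the defender's fix is to find every such policy in SYSVOL and remove it. The audit script below is an added example, not part of these notes; the list of GPP file names, the account attribute names and the sample XML are assumptions constructed for it, and it only reports that a cpassword is present rather than decrypting it.

```python
"""Audit Group Policy Preferences XML for embedded cpassword attributes (MS14-025)."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference types whose XML may carry a cpassword (assumed list, taken from the
# preference items Microsoft removed the password field from in MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account beside the cpassword, one per preference type (assumed).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")

def find_cpasswords(xml_data, source="<memory>"):
    """One finding per element carrying a cpassword; reported as present/empty, never decrypted."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [{"source": source, "error": f"unparseable XML: {exc}"}]
    findings = []
    for elem in root.iter():
        if "cpassword" in elem.attrib:
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
            findings.append({"source": source, "element": elem.tag, "account": account,
                             "empty_password": elem.attrib["cpassword"] == ""})
    return findings

def scan_files(items):
    """items: iterable of (path, xml_data); only known GPP file names are inspected."""
    findings = []
    for path, data in items:
        if Path(path).name in GPP_FILES:
            findings.extend(find_cpasswords(data, str(path)))
    return findings

def scan_sysvol(root):
    """Walk a SYSVOL copy or mounted share and audit every GPP XML beneath it."""
    # Bytes are passed through so each file's own encoding declaration is honoured.
    return scan_files((p, p.read_bytes()) for p in Path(root).rglob("*.xml"))

# Constructed sample in the shape of a Groups.xml that sets a local account password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" changed="2024-01-01 00:00:00">
    <Properties action="U" cpassword="EXAMPLE_BASE64_CPASSWORD_NOT_REAL"
                userName="CORP\\svc_backup"/>
  </User>
</Groups>"""
```

Run `scan_sysvol("/mnt/sysvol")` against a mounted or copied SYSVOL; every finding is a policy that should be deleted and whose account password should be rotated.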
PrivEsc
1. using the cracked username and password, use impacket-GetUserSPNs to get a TGS for Administrator
2. Kerberoast: use Hashcat to crack the TGS hash and recover the plaintext password for Administrator
3. using the cracked password, connect to the Users share again and navigate to the Administrator desktop