1) `nmap` shows only ssh open on DMZ01
2) generate mutated username list with `username-anarchy`
3) brute-force DMZ01 with `hydra`
4) enumerate DMZ01
   1) creds for hwilliam related to FILE01 within `.bash_history`
5) pivot into internal network with `ligolo-ng` OR `ssh -D` + `proxychains4` (tested both methods)
6) `smbclient` into FILE01 with hwilliam
   1) need domain preceding username to connect
   2) loot a Password Safe v3 vault
7) use `pwsafe2john` to generate hash and crack with `john` by specifying `--format=pwsafe`
   1) loot more creds
   2) note that this is an old backup
8) generate hosts, creds, names, passwords files for spraying
9) `smbclient` into FILE01 with bdavid
   1) dead-end
10) `nxc rdp` scan all hosts
    1) bdavid rdp PWNED on JUMP01
11) `xfreerdp3` into JUMP01
12) check privs with `whoami /all` and `whoami /priv`
    1) we have local admin and remote mgmt
13) `evil-winrm` into JUMP01 with bdavid for easy file transfer
    1) make local copy of `lsass.dmp` and move to Kali
14) `pypykatz` on lsass.dmp
    1) NT hash for JUMP01$ (machine account): cannot crack
    2) new password for stom
15) nxc scans with stom
    1) stom winrm PWNED on DC01
16) `evil-winrm` into DC01 with stom for easy file transfer
17) check privs with `whoami /all` and `whoami /priv`
    1) we have all privs
18) create copy of `HKLM\system` and move to Kali
19) create volume shadow copy of C:\ and extract NTDS.dit, then move to Kali
20) `impacket-secretsdump` to reveal Administrator's NTLM hash
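From the defender's side, steps 2 and 3 (a mutated username list fed to `hydra`) leave a distinctive trace in the target's sshd log: a burst of failures for many username variants from one source, then an `Accepted` line. The detector below is an added example, not part of the original notes; the log lines are constructed, and the 60-second window and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (sample data, not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 dmz01 sshd[2210]: Failed password for invalid user h.williams from 10.10.14.5 port 51002 ssh2
Mar  4 10:15:02 dmz01 sshd[2212]: Failed password for invalid user hwilliams from 10.10.14.5 port 51004 ssh2
Mar  4 10:15:02 dmz01 sshd[2214]: Failed password for invalid user williamsh from 10.10.14.5 port 51006 ssh2
Mar  4 10:15:03 dmz01 sshd[2216]: Failed password for invalid user hw from 10.10.14.5 port 51008 ssh2
Mar  4 10:15:03 dmz01 sshd[2218]: Failed password for hwilliam from 10.10.14.5 port 51010 ssh2
Mar  4 10:15:04 dmz01 sshd[2220]: Failed password for hwilliam from 10.10.14.5 port 51012 ssh2
Mar  4 10:15:05 dmz01 sshd[2222]: Accepted password for hwilliam from 10.10.14.5 port 51014 ssh2
Mar  4 10:20:00 dmz01 sshd[2300]: Accepted publickey for ops from 10.10.20.7 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse(log_text):
    """Yield (timestamp, result, user, src) for each sshd auth line; year is left at strptime's default."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def find_bruteforce(log_text, window_s=60, min_failures=5, min_users=3):
    """Flag sources with >= min_failures failures across >= min_users distinct
    usernames inside window_s seconds; record a later success, if any."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):                      # sliding window over failures
            j = i
            while j + 1 < len(fails) and (fails[j + 1][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            chunk = fails[i:j + 1]
            users = sorted({e[2] for e in chunk})
            if len(chunk) >= min_failures and len(users) >= min_users:
                success = next((e[2] for e in evs if e[1] == "Accepted" and e[0] >= chunk[-1][0]), None)
                hits[src] = {"failures": len(chunk), "users": users, "success_as": success}
                break
    return hits
```

On the sample, only the source that cycled through the username variants is flagged, and the hit records that the burst ended in a successful login as `hwilliam`; a source with a single publickey success is ignored.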