- `smbclient` with hwilliam - NEED nexura.htb preceding user![[images/Pasted image 20251015102813.png]] - once in `smbclient`, error indicating insufficient privs on local Kali host ![[images/Pasted image 20251015102748.png]] - rerun `smbclient` with sudo - that works ![[images/Pasted image 20251015102830.png]] - now we can `get` the password vault ![[images/Pasted image 20251015102919.png]] - convert to hash with pwsafe2john ![[images/Pasted image 20251015103931.png]] - identify hash mode and try to crack with hashcat ![[images/Pasted image 20251015104007.png]] - no dice with hashcat - try again with john - identify format ![[images/Pasted image 20251015104720.png]] - run with `--format=pswafe` and default wordlist - takes too long ![[images/Pasted image 20251015105205.png]] - run with `--format=pswafe` and rockyou.txt wordlist - much faster this time ![[images/Pasted image 20251015105230.png]] - install `passwordsafe` with `sudo apt install passwordsafe` - run `pwsafe -h` to show help menu - run `pwsafe` to pop open a GUI - enter decryption key ![[images/Pasted image 20251015110128.png]] - move to creds - create names and passwords files for spraying - enumerate bdavid - access to IT share ![[images/Pasted image 20251015111925.png]] - connect with smbclient ![[images/Pasted image 20251015112119.png]] - grab pcap file ![[images/Pasted image 20251015112337.png]] - PS-Admin-Tools has some interesting files - pentesting scripts as explained in README.md![[images/Pasted image 20251015112322.png]] - enumerate stom and jbetty ![[images/Pasted image 20251015112934.png]]