- nxc scan ![[images/Pasted image 20251015094522.png]]
- xfreerdp based on above ![[images/Pasted image 20251015095906.png]]
- nothing to be found in hwilliam's folders
- link to My Safes on desktop
- my safes folder is empty within documents
- found file at `c:\temp\unattended2.xml` with potential creds ![[images/Pasted image 20251015100003.png]]
- more rdp enum with `--continue-on-success` flag ![[images/Pasted image 20251015113414.png]]
- bdavid is pwned, let's try xfreerdp3 with a transfer share
```bash
proxychains4 xfreerdp3 /v:172.16.119.7 /u:bdavid /p:'caramel-cigars-reply1' /dynamic-resolution /drive:linux,.
```
- transfer share doesn't appear to work on rdp client due to incorrect perms on kali folder
- after running a `chmod 777` on local kali folder the transfer share works
- let's dump LSASS and move to Kali ![[images/Pasted image 20251015114042.png]]
- getting perms errors ![[images/Pasted image 20251015115133.png]]
- check perms ![[images/Pasted image 20251015115240.png]]![[images/Pasted image 20251015115257.png]]
- maybe try again by running PowerShell as admin
- this works ![[images/Pasted image 20251015120321.png]]
- we are part of remote mgmt users so let's try to move files with `evil-winrm`
- initially fails because perms on kali folder were insufficient ![[images/Pasted image 20251015120554.png]]
- run a chmod 777 on kali folder, then download - this works ![[images/Pasted image 20251015120618.png]]
- run `pypykatz` on lsass.dmp ![[images/Pasted image 20251015121224.png]]
- we have user NT hashes and one interesting new machine user account `JUMP01` ![[images/Pasted image 20251015121524.png]]
- also a new password for stom? ![[images/Pasted image 20251015145326.png]]
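
For the remediation side of the `unattended2.xml` finding above, this added example (not part of the original notes) audits an unattend-style answer file for password elements and reports them without printing the secret. The sample XML is constructed, and the names `audit_unattend` and `local` are hypothetical helpers.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not the contents of the file in these notes.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>svc_example</Username>
        <Password><Value>Example-Passw0rd</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>RQB4AGEAbQBwAGwAZQA=</Value><PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""


def local(tag):
    """Strip the XML namespace: '{urn:...}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def audit_unattend(xml_text):
    """Return one redacted finding per password element with a non-empty Value."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for el in root.iter():
        if not local(el.tag).endswith("Password"):
            continue
        kids = {local(c.tag): (c.text or "").strip() for c in el}
        if not kids.get("Value"):
            continue  # element present but no secret stored
        # PlainText=false means base64 encoding, which is reversible, not encryption.
        encoded = kids.get("PlainText", "").lower() == "false"
        findings.append({
            "element": f"{local(parent[el].tag)}/{local(el.tag)}",
            "storage": "base64-encoded" if encoded else "plaintext",
            "value_length": len(kids["Value"]),  # length only, never the secret
        })
    return findings


if __name__ == "__main__":
    for finding in audit_unattend(SAMPLE_UNATTEND):
        print(finding)
```

Any finding means the credential should be rotated and the answer file removed from the host, whichever storage type is reported.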