- try `nxc` scans against DC01 with stom's new password
  ![[images/Pasted image 20251015150123.png]]
- let's `evil-winrm` in as stom and poke around
  ![[images/Pasted image 20251015150340.png]]

  ```powershell
  # determine privs
  whoami /priv
  whoami /all
  ```
- we have all the privs we need
  ![[images/Pasted image 20251015150407.png]]
- create copies of SYSTEM and SECURITY - really we only need SYSTEM for `impacket-secretsdump`
  ![[images/Pasted image 20251015150915.png]]
- move to Kali
  ![[images/Pasted image 20251015151001.png]]
- create a volume shadow copy and extract NTDS.dit from it
  ![[images/Pasted image 20251015151307.png]]
  ![[images/Pasted image 20251015151319.png]]
- move to Kali
  ![[images/Pasted image 20251015151347.png]]
- we have all the goodies locally
  ![[images/Pasted image 20251015151616.png]]
- run `impacket-secretsdump`
  ![[images/Pasted image 20251015151732.png]]
- PWNED!

  ```bash
  impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
  ```
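
Detection side of the chain above, as an added example that is not part of the original notes: it correlates a SYSTEM hive export with NTDS.dit access by the same account on the same host in process-creation logs. The log format, timestamps, paths, the `FS01`/`svc_backup`/`admin1` names and the command-line shapes are assumptions, since the notes show the actual commands only in screenshots.

```python
import re
from datetime import datetime, timedelta

# Stages from the notes. The commands are only in the screenshots, so these
# command-line shapes are assumptions about how each stage commonly appears.
RULES = {
    "system_hive_export": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
    "shadow_copy_create": re.compile(
        r"\b(diskshadow|vssadmin(\.exe)?\s+create\s+shadow|wmic\s+shadowcopy)", re.I),
    "ntds_copy": re.compile(r"\\windows\\ntds\b.*\bntds\.dit\b", re.I),
}

# Constructed process-creation records: timestamp|host|user|command line.
SAMPLE = [
    r"2025-01-01T10:00:00|DC01|stom|whoami /priv",
    r"2025-01-01T10:05:00|DC01|stom|reg save hklm\system C:\Temp\SYSTEM",
    r"2025-01-01T10:05:20|DC01|stom|reg save hklm\security C:\Temp\SECURITY",
    r"2025-01-01T10:09:00|DC01|stom|diskshadow /s C:\Temp\shadow.txt",
    r"2025-01-01T10:10:00|DC01|stom|copy E:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit",
    r"2025-01-01T02:00:00|FS01|svc_backup|vssadmin create shadow /for=D:",
    r"2025-01-01T09:00:00|DC01|admin1|vssadmin list shadows",
]


def detect(lines, window=timedelta(minutes=30)):
    """Alert on a (host, user) that exports the SYSTEM hive AND touches
    NTDS.dit within `window` of its first matching event."""
    hits = {}
    for line in lines:
        ts, host, user, cmd = line.split("|", 3)
        for stage, rx in RULES.items():
            if rx.search(cmd):
                hits.setdefault((host, user), []).append((datetime.fromisoformat(ts), stage))
    alerts = []
    for (host, user), events in sorted(hits.items()):
        events.sort()
        stages = {s for t, s in events if t - events[0][0] <= window}
        # SYSTEM holds the boot key and NTDS.dit the hashes: the pair is the signal.
        if {"system_hive_export", "ntds_copy"} <= stages:
            alerts.append((host, user, sorted(stages)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A routine backup job that only creates a shadow copy does not alert; requiring both files keeps the rule tied to what `impacket-secretsdump` needs for offline extraction.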