- `smbclient` with hwilliam - NEED nexura.htb preceding user![[images/Pasted image 20251015102813.png]] - once in `smbclient`, error indicating insufficient privs on local Kali host ![[images/Pasted image 20251015102748.png]] - rerun `smbclient` with sudo - that works ![[images/Pasted image 20251015102830.png]] - now we can `get` the password vault ![[images/Pasted image 20251015102919.png]] - convert to hash with `pwsafe2john` ![[images/Pasted image 20251015103931.png]] - identify hash mode and try to crack with hashcat ![[images/Pasted image 20251015104007.png]] - no dice with `hashcat` - try again with `john` - identify format ![[images/Pasted image 20251015104720.png]] - run with `--format=pswafe` and default wordlist - takes too long ![[images/Pasted image 20251015105205.png]] - run with `--format=pswafe` and rockyou.txt wordlist - much faster this time ![[images/Pasted image 20251015105230.png]] - install `passwordsafe` with `sudo apt install passwordsafe` - run `pwsafe -h` to show help menu - run `pwsafe` to pop open a GUI - enter decryption key ![[images/Pasted image 20251015110128.png]] - move to creds - create names and passwords files for spraying - enumerate bdavid - access to IT share, which wasn't available to hwilliam ![[images/Pasted image 20251015111925.png]] - connect with `smbclient` ![[images/Pasted image 20251015112119.png]] - grab interesting pcap files - reviewed in `wireshark` but looks like a red herring![[images/Pasted image 20251015112337.png]] - PS-Admin-Tools has some interesting files - pentesting scripts as explained in README.md - looks like another red herring![[images/Pasted image 20251015112322.png]] - enumerate stom and jbetty with nxc smb scans - no dice - looks like we exhausted FILE01![[images/Pasted image 20251015112934.png]]