- nxc rdp and smb scans on JUMP01 ![[images/Pasted image 20251015094522.png]]
- `xfreerdp3` into JUMP01 with hwilliam ![[images/Pasted image 20251015095906.png]]
- nothing to be found in hwilliam's folders
- link to My Safes on desktop
- My Safes folder is empty within Documents
- found the file below at `c:\temp\unattended2.xml` with potential creds
- tried this password as Administrator and root with nxc scans targeting DC01 but no dice
- just a head fake; remember to quickly abandon these red herrings ![[images/Pasted image 20251015100003.png]]
- more rdp enum with the `--continue-on-success` flag ![[images/Pasted image 20251015113414.png]]
- bdavid is pwned
- let's try to `xfreerdp3` into JUMP01 as bdavid with a shared drive for transfers

```bash
proxychains4 xfreerdp3 /v:172.16.119.7 /u:bdavid /p:'<password>' /dynamic-resolution /drive:linux,.
```

- transfer share doesn't appear to work in the rdp client due to incorrect perms on the kali folder
- after running a `chmod 777` on the local kali folder the transfer share works
- let's dump LSASS and move it to Kali ![[images/Pasted image 20251015114042.png]]
- getting perms errors ![[images/Pasted image 20251015115133.png]]
- check perms ![[images/Pasted image 20251015115240.png]] ![[images/Pasted image 20251015115257.png]]
- maybe try again by running PowerShell as admin
- this works ![[images/Pasted image 20251015120321.png]]
- we are part of Remote Management Users so let's try to move files with `evil-winrm`
- initially fails because perms on the kali folder were insufficient ![[images/Pasted image 20251015120554.png]]
- run a `chmod 777` on the kali folder, then download
- this works ![[images/Pasted image 20251015120618.png]]
- run `pypykatz` on `lsass.dmp` to view the local logon session cache ![[images/Pasted image 20251015121224.png]]
- we have user NT hashes and one interesting new machine user account `JUMP01`
- also a new password for stom?
- time to spray these new potential creds
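The LSASS dump above is exactly the step a blue team on JUMP01 would want to catch. As an added example (not part of these notes), a small Python filter over constructed Sysmon Event ID 10 (ProcessAccess) records that flags a handle to lsass.exe opened with memory-read rights from a process outside an assumed allowlist of benign source images:

```python
"""Flag suspicious handle opens against lsass.exe in Sysmon Event ID 10 records.

Added example: the event records below are constructed, not captured from JUMP01,
and the allowlist of benign source images is an assumption for illustration.
"""
import json

PROCESS_VM_READ = 0x0010            # needed to read LSASS memory
PROCESS_QUERY_INFORMATION = 0x0400  # usually requested alongside it
# Processes that legitimately touch LSASS on a typical host (assumed allowlist).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon EID 10 records, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bdavid\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
]


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass.exe with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is routine; reading memory is not.
    return bool(granted & PROCESS_VM_READ) and bool(granted & PROCESS_QUERY_INFORMATION)


def find_lsass_dumps(events) -> list:
    """Return the source images that should be triaged as possible credential dumping."""
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    print(json.dumps(find_lsass_dumps(SAMPLE_EVENTS), indent=2))
```

Only the PowerShell record survives the filter: csrss.exe is allowlisted, svchost.exe asked for query-limited rights only, and the fourth record never touched lsass.exe.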