you don’t need to do that, there were other files of interest as soon as you evil-winrm that make it way easier
Can anyone tell me how to get user? I also didn’t found the David creds
1 Like
Using the credentials you have, check other people’s descriptions remotely
How to check description, there is no web?
with active directory utilities
Exclusive content is now available for Cicada by @7eleven and @macavitysworld
What is Exclusive Content?
You can still ask for help and specific hints in this thread.
2 Likes
I’m trying to get the file but no success
maybe,when you using smbclient with user guest . you have to smb: \> get "Notice from HR.txt"
plz check account description,u will found it
i’ve used bloodhound to get all the informations and a custom query to view the users.
i guess there are simpler methos to do this but this was my first idea :D…
Finally rooted the machine!!
how to go from michael to david
You need to enumerate the different users info, more specifically david's infos. Once done, you’ll find his password. You can use nxc or ldapdomaindump for example.
1 Like
You leveraged Michael Wrightson’s credentials to dump domain information via ldapdomaindump, found David Orelious’s password in the user descriptions, accessed the DEV share to retrieve a PowerShell backup script with Emily Oscars’ credentials, and then used her SeBackupPrivilege to exploit Windows shadow copies, extracting the SAM and SYSTEM files for offline password cracking—an approach that could be further streamlined by using automated tools like GetUserSPNs, crackmapexec, and Invoke-BackupPrivilege.ps1
1 Like
Summary
-
Enumerate SMB shares, brute-force RIDs, and perform password spraying
-
Use LDAP and SMB enumeration to gather credentials
-
Exploit
SeBackupPrivilegeto dump registry hives -
Extract secrets with
secretsdumpand log in as Administrator
1 Like
how to check for it?
using enum4linux with michael creds,that’s how i get it
enum4linux -a -u michael.wrightson -p <michael.wrightson creds> <ip>