you don’t need to do that, there were other files of interest as soon as you evil-winrm that make it way easier
Can anyone tell me how to get user? I also didn’t find the David creds
Using the credentials you have, check other people’s descriptions remotely
How to check description, there is no web?
with active directory utilities
Exclusive content is now available for Cicada
by @7eleven and @macavitysworld
What is Exclusive Content?
You can still ask for help and specific hints in this thread.
I’m trying to get the file but no success
maybe, when you're using smbclient with user guest, you have to smb: \> get "Notice from HR.txt"
plz check account description, u will find it
I’ve used bloodhound to get all the information and a custom query to view the users.
I guess there are simpler methods to do this but this was my first idea :D…
Finally rooted the machine!!
how to go from michael to david
You need to enumerate the different users' info, more specifically david's info. Once done, you’ll find his password. You can use nxc or ldapdomaindump, for example.
You leveraged Michael Wrightson’s credentials to dump domain information via ldapdomaindump, found David Orelious’s password in the user descriptions, accessed the DEV share to retrieve a PowerShell backup script with Emily Oscars’ credentials, and then used her SeBackupPrivilege to exploit Windows shadow copies, extracting the SAM and SYSTEM files for offline password cracking—an approach that could be further streamlined by using automated tools like GetUserSPNs, crackmapexec, and Invoke-BackupPrivilege.ps1
Summary
- Enumerate SMB shares, brute-force RIDs, and perform password spraying
- Use LDAP and SMB enumeration to gather credentials
- Exploit SeBackupPrivilege to dump registry hives
- Extract secrets with secretsdump and log in as Administrator
how to check for it?
using enum4linux with michael creds, that’s how i got it
enum4linux -a -u michael.wrightson -p <michael.wrightson creds> <ip>
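
Seen from the defender's side, the recurring hint in this thread (a password sitting in an account description) is something an admin can audit for. The following is an added example, not part of any post above: it assumes user records already exported as sAMAccountName/description pairs, and the sample records, function names and heuristics are constructed for illustration.

```python
import re

# Constructed sample records (not taken from the thread or the machine).
# Assumed input shape: one dict per user with the AD attributes
# sAMAccountName and description already exported to plain strings.
SAMPLE_USERS = [
    {"sAMAccountName": "a.example", "description": "Built-in account for guest access"},
    {"sAMAccountName": "b.example", "description": "Just in case I forget my password is Xk9$example!Pw"},
    {"sAMAccountName": "c.example", "description": "Helpdesk, 2nd floor"},
    {"sAMAccountName": "d.example", "description": "temp: Tr0ub4dor&3x"},
    {"sAMAccountName": "e.example", "description": ""},
]

# Words that suggest the description is talking about a credential.
KEYWORDS = re.compile(r"\b(pass(word|wd)?s?|pwd|cred(ential)?s?|secret|login)\b", re.I)


def looks_like_secret(token):
    """Heuristic: 8+ chars, contains a digit, and mixes 3+ character classes."""
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = [
        any(c.islower() for c in token),
        any(c.isupper() for c in token),
        True,  # digit class, already confirmed above
        any(not c.isalnum() for c in token),
    ]
    return sum(classes) >= 3


def audit_descriptions(users):
    """Return (account, reasons) for every description worth a manual review."""
    findings = []
    for user in users:
        desc = user.get("description") or ""
        reasons = []
        if KEYWORDS.search(desc):
            reasons.append("keyword")
        if any(looks_like_secret(tok) for tok in desc.split()):
            reasons.append("secret-like token")
        if reasons:
            findings.append((user["sAMAccountName"], reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in audit_descriptions(SAMPLE_USERS):
        print(f"{account}: review description ({', '.join(reasons)})")
```

Any account it flags should have the description cleared and the password rotated, since the description attribute is readable by ordinary authenticated domain users.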