I'm in the part where you remote in as server_adm and use the appreadiness service to gain administrator access by adding yourself to the administrators group. I've successfully done this, but cannot access the admin directory. I've tried cracking the password to the admin account with 0 success. I've logged in and out, and even ran a gpupdate. Can someone point me in the right direction?
You have likely figured it out by now from the date of this post, but if anyone else comes along and is looking for guidance, I'll share my steps to the solution.
Follow all the steps in the module; however, in the last step involving secretsdump.py, the module fails to mention this is part of the Impacket tool set. You can find it on GitHub. However, this is not enough. Using secretsdump.py will give you the NTLM hash of users on the server.
With this you can either try to crack it using a hash cracking tool like hashcat or John (however, this didn't work for me), or you can use the Pass The Hash (PTH) exploit.
I thought Mimikatz would be a good fit, but that too didn’t work.
My second idea was to just use it directly with RDP. I found this guide, "Pass-The-Hash (PtH) with RDP!" (by Jake McGreevy, Medium), helpful in getting it to work.