88 port open, this maybe Domain Controller
no smb
name is babydc.baby.vl
ldap allow anonymouse search
we have cred BabyStart123!
BabyStart123!
baby.vl\Caroline.Robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE which mean we must change this user password. we can use smbpasswd
after change Caroline.Robinson password, we can winrm into target
we have SeBackupPrivilege
we have use robocopy to read flag.there are many way to use SeBackupPrivilege.this is just easy way
Last updated 1 year ago
