www.mail.customer.com
ank
runas /netonly /user:FQDN\user cmd.exe
runas /netonly /user:customer\ank powershell
winter2017
when prompted. The query is executed at the domain controller, and if the logon is successful we can issue further queries that are forwarded to and executed on the DC. This is not remote code execution or any sort of vulnerability, just inherent functionality. We now want to make a map with BloodHound, so if you haven't already, get it set up using the guide from this book. Then load up SharpHound.ps1 and execute it. Depending on the size of the domain and its activity, this will take some time; during busy daytime in a corporate office with a few thousand workstations and servers it took 30 minutes to complete.

Find shortest path to domain admin
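The defender's view of the collection run described above, as an added example that is not from the book: a domain-wide SharpHound sweep authenticates to every workstation and server it enumerates, so from the targets' side one account produces a burst of network logons (Security event 4624, logon type 3) to many distinct hosts. The code below runs that fan-out check over constructed logon records; the record layout, the 10-minute window and the 25-host threshold are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records modelled on Windows Security event 4624 fields
# (TargetUserName, LogonType, IpAddress, Computer). Not real telemetry.
def _event(ts, user, host, logon_type=3, src_ip="10.0.5.23"):
    return {"time": ts, "user": user, "logon_type": logon_type,
            "src_ip": src_ip, "host": host}

SAMPLE_EVENTS = (
    # one account touching 40 different workstations inside four minutes
    [_event(f"2017-11-20T09:1{i // 10}:{(i % 10) * 6:02d}",
            "customer\\ank", f"WS{i:04d}") for i in range(40)]
    # ordinary interactive logon (type 2) by the same account on its own box
    + [_event("2017-11-20T09:05:00", "customer\\ank", "WS0001", logon_type=2)]
    # a normal user: network logons to a file server and a mail server only
    + [_event("2017-11-20T09:12:00", "customer\\bob", "FILE01"),
       _event("2017-11-20T09:13:00", "customer\\bob", "MAIL01")]
)


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=25):
    """Return {user: distinct_host_count} for every account whose network
    logons (type 3) reach at least `min_hosts` distinct hosts within any
    sliding `window`. Interactive and other logon types are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:   # only network logons carry the fan-out signal
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))

    hits = {}
    for user, logons in by_user.items():
        logons.sort()              # oldest first, so the window slides forward
        start = 0
        for end in range(len(logons)):
            # drop logons from the left until the span fits inside `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[user] = max(hits.get(user, 0), len(hosts))
    return hits


if __name__ == "__main__":
    for user, count in detect_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} reached {count} distinct hosts within 10 minutes")
```

The same fan-out pattern is also produced by lateral-movement tools, so pair the alert with the source host and the account's normal baseline before acting on it.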
psexec_psh to the box that has domain admins. We are not local admin on this box, so we can't run Mimikatz. Luckily, there are other ways to get privileges. Rotten Potato is a privilege escalation technique that works well for this kind of scenario. Using it, we can elevate our privilege on a Windows workstation from the lowest levels to "NT AUTHORITY\SYSTEM", the highest level of privilege available on a Windows machine. We do the following in our Meterpreter: