Starting Point - Pathfinder Zerologon

Hello,

I’ve got the root/user flag but I have some questions.

I found that PATHFINDER was vulnerable to Zerologon, so I exploited Zerologon via the RiskSense exploit. I expected the password of the local Administrator account to be reset, but it was the PATHFINDER$ machine account that was reset. Why?

Then I checked the privileges via crackmapexec: PATHFINDER$ is not admin of the machine. I still tested the options --lsa, --sam, --ntds drsuapi and even lsassy. It did not work, which is normal because I’m not admin. But then I tested impacket-secretsdump and there, surprise, I dumped all the hashes and so I got root access.

Can someone please explain to me:
- Why was the password of PATHFINDER$ reset and not Administrator?
- Why is secretsdump working when I’m not admin?

Thank you and have a nice day!