I've got the root/user flag, but I have some questions about secretsdump.py.
I found that PATHFINDER was vulnerable to Zerologon, so I exploited Zerologon via the RiskSense exploit.
I expected the password of the local Administrator account to be reset, but it was the PATHFINDER$ machine account that was reset. Why?
Then I checked the privileges via crackmapexec: PATHFINDER$ is not an admin of the machine. I still tested the options --lsa, --sam, --ntds drsuapi and even lsassy. It did not work, which is normal because I'm not an admin.
But then I tested impacket-secretsdump and there, surprise, I dumped all the hashes and so I got root access.
Can someone explain to me, please:
- Why was the password of PATHFINDER$ reset and not the Administrator's?
- Why is secretsdump working when I'm not an admin?
Thank you, and have a nice day!