In the nmap scan is imperative to set the option -Pn to bypass the firewall, with this, I found a SMB server.

The server allow us to connect as Administrator without password.
Here, I can see an interesting resource, C$, so, using the Administrator user, I connect to this resource.
It looks like the main disk.
Now, using psexec, Im able to gain a shell using the Administrator user without password with psexec.
Since here, I just need to find and read the flag.
