Port enumeration

In the nmap scan is imperative to set the option -Pn to bypass the firewall, with this, I found a SMB server. fb18fff223b663292e7b886879599ebd.png

SMB enumeration

The server allow us to connect as Administrator without password. 8e3b1e8bf1f9921f5fd480790b9dd58b.png Here, I can see an interesting resource, C$, so, using the Administrator user, I connect to this resource. a11e8734b7129d0cb038ab8d9bbf1834.png It looks like the main disk.

Impacket shell

Now, using psexec, Im able to gain a shell using the Administrator user without password with psexec. fc2d1e01f584e217f1df849b8f635af0.png Since here, I just need to find and read the flag. 6223ce02ba1d7d604f5df9bf5c81352f.png 364dd49dea7c27a232252a878563bc7c.png