WS01$. Since you have done your AD enumeration, you notice that WS01$ is a member of the
Domain Admins group - congratulations, you are one step away from escalating from local admin to Domain Admin and a full domain compromise.
WS01$ NTLM hash after the admin privileges were gained on the system:
ws01\mantvydas (local admin on ws01) cannot access the domain controller DC01 just yet:
Domain Admins and we have extracted the machine's hash with mimikatz, we can use mimikatz to pass that hash and effectively elevate our access to Domain Admin:
/netonly flag. Note how initially the user spotless cannot list files on DC01, but once
runas /user:testmachine$ /netonly powershell is run and the password is provided, DC01 no longer complains and allows spotless to list its file system:
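
A defender-side check for the misconfiguration this page relies on (a machine account such as WS01$ sitting in Domain Admins), added here as an example and not part of the original page. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the list of groups to audit is an assumption and should be adjusted to your domain.

```powershell
# Added example: report computer (machine) accounts that hold membership,
# directly or through nested groups, in privileged AD groups.
Import-Module ActiveDirectory

# Assumption: these are the groups treated as privileged in this audit.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

$findings = foreach ($groupName in $privilegedGroups) {
    try {
        # -Recursive expands nested groups and returns only leaf members,
        # so a machine account hidden behind a nested group is still reported.
        Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object {
                [pscustomobject]@{
                    PrivilegedGroup   = $groupName
                    MachineAccount    = $_.SamAccountName
                    DistinguishedName = $_.distinguishedName
                }
            }
    }
    catch {
        # For example, Enterprise Admins does not exist in a child domain.
        Write-Warning "Could not enumerate '$groupName': $($_.Exception.Message)"
    }
}

if ($findings) {
    # Any row here means local admin on that host is equivalent to the group's rights.
    $findings | Sort-Object PrivilegedGroup, MachineAccount | Format-Table -AutoSize
}
else {
    Write-Output 'No computer accounts found in the audited privileged groups.'
}
```

Each reported machine account should be removed from the group unless there is a documented reason for it to stay.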