HackTheBox - Bastion

01:33 - Beginning of recon
02:30 - Using SMBClient to view open shares, discover /Backups
03:00 - Mount the SMB Share
03:40 - Playing with SMBMap, which is a bit more automated but writes files!
05:22 - Checking out files in the /Backups share
06:30 - Using 7zip to view files in a VHD file
07:50 - Installing libguestfs-tools in order to use guestmount
09:25 - Mounting the VHD with guestmount
11:00 - Extracting local passwords from SAM and SYSTEM with secretsdump
13:30 - Cracking the hash and then using SSH to login to the box
14:30 - Viewing local administrators and seeing the administrator account is not actually disabled (backup indicated it was)
16:30 - Running JAWS
19:30 - Discovering mRemoteNG installed
20:30 - Looks like there is a way to decrypt passwords stored in mRemoteNG
21:40 - Installing mRemoteNG-Decrypt then decrypting the passwords in the config
24:30 - Using PSEXEC or SSH to remote in as administrator

HackTheBox - Bastion. Reviewed by Anonymous on September 07, 2019. Rating: 5