{"id":313,"date":"2025-07-10T18:21:48","date_gmt":"2025-07-10T10:21:48","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=313"},"modified":"2026-01-29T16:18:33","modified_gmt":"2026-01-29T08:18:33","slug":"313","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/07\/10\/313\/","title":{"rendered":"HTB\u9776\u673a Voleur \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a10.129.20.186<\/code>\uff08\u975e\u56fa\u5b9aIP\u5730\u5740\uff09<\/strong><\/p>\n

\u9898\u76ee\u51ed\u636e\uff1aryan.naylor \/ HollowOct31Nyt<\/code><\/strong><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.129.20.186 (10.129.20.186) 56(84) bytes of data.\n64 bytes from 10.129.20.186: icmp_seq=1 ttl=127 time=317 ms\n64 bytes from 10.129.20.186: icmp_seq=2 ttl=127 time=1567 ms\n64 bytes from 10.129.20.186: icmp_seq=3 ttl=127 time=538 ms\n64 bytes from 10.129.20.186: icmp_seq=4 ttl=127 time=358 ms\n\n--- 10.129.20.186 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3031ms\nrtt min\/avg\/max\/mdev = 316.726\/694.951\/1567.160\/510.389 ms, pipe 2<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7f51\u7edc\u8fde\u63a5\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.95 scan initiated Sun Jul  6 06:27:58 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.20.186\nNmap scan report for 10.129.20.186\nHost is up (0.35s latency).\nAll 65535 scanned ports on 10.129.20.186 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Jul  6 06:28:45 2025 -- 1 IP address (1 host up) scanned in 47.03 seconds<\/code><\/pre>\n
\u65e0\u6cd5\u63a2\u6d4b\u9776\u673a\u9632\u706b\u5899\u72b6\u6001\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Jul  6 06:34:02 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.20.186\nNmap scan report for 10.129.20.186\nHost is up (0.37s latency).\nNot shown: 65515 filtered tcp ports (no-response)\nPORT      STATE SERVICE       VERSION\n53\/tcp    open  domain        Simple DNS Plus\n88\/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-06 06:35:31Z)\n135\/tcp   open  msrpc         Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n445\/tcp   open  microsoft-ds?\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  tcpwrapped\n2222\/tcp  open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)\n|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)\n|_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)\n3268\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)\n3269\/tcp  open  tcpwrapped\n5985\/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n9389\/tcp  open  mc-nmf        .NET Message Framing\n49664\/tcp open  msrpc         Microsoft Windows RPC\n49667\/tcp open  msrpc         Microsoft Windows RPC\n49670\/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n49671\/tcp open  msrpc         Microsoft Windows RPC\n60401\/tcp open  msrpc         Microsoft Windows RPC\n60409\/tcp open  msrpc         Microsoft Windows RPC\n60429\/tcp open  msrpc         Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)\nOS CPE: cpe:\/o:microsoft:windows_server_2022 cpe:\/o:microsoft:windows_server_2012:r2 cpe:\/o:microsoft:windows_server_2016\nAggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Host: DC; OSs: Windows, Linux; CPE: cpe:\/o:microsoft:windows, cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n|_clock-skew: 7h59m59s\n| smb2-time: \n|   date: 2025-07-06T06:36:35\n|_  start_date: N\/A\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   388.68 ms 10.10.14.1\n2   388.85 ms 10.129.20.186\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jul  6 06:37:19 2025 -- 1 IP address (1 host up) scanned in 197.54 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Jul  6 06:40:10 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.20.186\nNmap scan report for 10.129.20.186\nHost is up (0.33s latency).\nNot shown: 65531 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n389\/udp open  ldap\n\n# Nmap done at Sun Jul  6 06:41:19 2025 -- 1 IP address (1 host up) scanned in 68.88 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aWindows Server<\/code>\uff0c\u4e3b\u57df\u540d\u4e3avoleur.htb<\/code>\uff0c\u57df\u63a7\u4e3b\u673a\u540d\u4e3adc<\/code>\uff0c\u7981\u6b62\u4e86NTLM<\/code>\u767b\u5f55\u3002\u9776\u673a\u8fd8\u8fd0\u884c\u4e00\u4e2aUbuntu Linux<\/code>\u5bb9\u5668\uff0c\u5e76\u57282222<\/code>\u7aef\u53e3\u5f00\u653e\u4e86Linux SSH<\/code>\u670d\u52a1\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
Linux SSH\u670d\u52a1\uff082222\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528ssh<\/code>\u8fde\u63a5\u5bb9\u5668\u7684root<\/code>\u7528\u6237\uff0c\u53d1\u73b0\u9700\u8981\u4f7f\u7528\u5bc6\u94a5\u767b\u5f55\uff1a<\/p>\n
\"\"<\/p>\n
Kerberos\u670d\u52a1\uff0888\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528crackmapexec<\/code>\uff0c\u901a\u8fc7\u9898\u76ee\u7ed9\u51fa\u7684\u51ed\u636e\u767b\u5f55SMB<\/code>\u670d\u52a1\uff0c\u4f46\u53d1\u73b0NTLM<\/code>\u767b\u5f55\u88ab\u7981\u6b62\uff1a<\/p>\n
\"\"<\/p>\n
\u76f4\u63a5\u4f7f\u7528impacket-getTGT<\/code>\u5de5\u5177\u7533\u8bf7\u7968\u636e\uff0c\u968f\u540e\u4f7f\u7528Kerberos<\/code>\u767b\u5f55SMB<\/code>\uff1a<\/p>\n
ntpdate -s dc.voleur.htb\nimpacket-getTGT voleur.htb\/ryan.naylor:\"HollowOct31Nyt\" -dc-ip 10.129.20.186\nexport KRB5CCNAME=\/home\/megumin\/Documents\/pentest_notes\/voleur\/ryan.naylor.ccache\ncrackmapexec smb dc.voleur.htb -d voleur.htb -u ryan.naylor -k --use-kcache<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u4f7f\u7528Kerberos<\/code>\u7968\u636e\u53ef\u6b63\u5e38\u767b\u5f55\u3002<\/p>\n
\u9996\u5148\u4f7f\u7528impacket-lookupsid<\/code>\u5de5\u5177\u7206\u7834\u57df\u5185\u7528\u6237RID<\/code>\uff1a<\/p>\n
impacket-lookupsid -domain-sid -no-pass -k voleur.htb\/ryan.naylor@dc.voleur.htb 40000<\/code><\/pre>\n
\"\"<\/p>\n
\u7ecf\u8fc7\u6574\u7406\uff0c\u5f97\u5230\u5982\u4e0b\u57df\u5185\u7528\u6237\u5217\u8868\uff1a<\/p>\n
Administrator\nGuest\nkrbtgt\nDC$\nryan.naylor\nmarie.bryant\nlacey.miller\nsvc_ldap\nsvc_backup\nsvc_iis\njeremy.combs\nsvc_winrm<\/code><\/pre>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u672a\u53d1\u73b0\u5176\u5b83\u4fe1\u606f\u3002<\/p>\n
Windows SMB\u670d\u52a1<\/h2>\n
\u4f7f\u7528impacket-smbclient<\/code>\u767b\u5f55\u9776\u673aSMB<\/code>\u670d\u52a1\uff1a<\/p>\n
impacket-smbclient voleur.htb\/ryan.naylor@dc.voleur.htb -k -no-pass<\/code><\/pre>\n
\"\"<\/p>\n
\u767b\u5f55\u6210\u529f\uff01\u53d1\u73b0SMB<\/code>\u670d\u52a1\u5185\u67093<\/code>\u4e2a\u7528\u6237\u5171\u4eab\uff1aFinance<\/code>\u3001HR<\/code>\u548cIT<\/code>\u3002\u7ecf\u6d4b\u8bd5\uff0c\u53d1\u73b0\u53ea\u6709IT<\/code>\u5171\u4eab\u53ef\u4ee5\u6b63\u5e38\u8bbf\u95ee\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u5171\u4eab\u5185\u6709\u76ee\u5f55First Line Support<\/code>\uff0c\u76ee\u5f55\u5185\u6709Excel<\/code>\u8868\u683c\u6587\u4ef6Access_Review.xlsx<\/code>\uff0c\u4e0b\u8f7d\u540e\u6253\u5f00\uff0c\u53d1\u73b0\u4e3a\u52a0\u5bc6\u7535\u5b50\u8868\u683c\uff1a<\/p>\n
\"\"<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u672a\u53d1\u73b0\u4efb\u4f55\u4fe1\u606f\u3002<\/p>\n
\u57df\u5185\u5173\u7cfb\u6536\u96c6<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528bloodhound-python<\/code>\u5de5\u5177\u8fdb\u884c\u57df\u5185\u4fe1\u606f\u6536\u96c6\uff1a<\/p>\n
bloodhound-python -c All -d voleur.htb -u ryan.naylor -k -no-pass -ns 10.129.73.209 -dc dc.voleur.htb --zip<\/code><\/pre>\n
\"\"<\/p>\n
\u6536\u96c6\u5b8c\u6bd5\u540e\uff0c\u5c06\u6570\u636e\u96c6\u4e0a\u4f20\u81f3BloodHound<\/code>\uff0c\u9996\u5148\u67e5\u770b\u6700\u77ed\u653b\u51fb\u8def\u5f84\uff1a<\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u5982\u4e0b\u60c5\u51b5\uff1a<\/p>\n